Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud

Transcript of Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud

Page 1: Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud

Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud

Rob Randell, CISSP, CCSK

Principal Systems Engineer – Security Specialist

Page 2

Agenda

• Security Perspective on Customer Journey to the Cloud

• Whiteboard Overview of How Virtualization and Cloud Affect Datacenter Security

• How to Secure our Cloud and Make it Compliant

• Network Security and Secure Multi-tenancy in the Cloud

Page 3

Security Perspective On Customer Deployment Architectures

• Physical deployments are still considered to be the most secure and remain in all enterprises

• Air gapped pods are preferred by security teams for virtualized high risk assets (SOX, PCI, DMZ)

• Mixed trust clusters typically have the M&M security model (hard shell, soft interior), blocking important asset migration to them

• Private cloud is an extension of the mixed trust deployment, with more automation and self service

• Dedicated Private Cloud SLAs make it virtually the same risk level as the on-premise deployments

• Multi-tenant Public Cloud is just emerging, with concerns around visibility, audit, control and compliance

[Diagram: deployment architectures on a scale from 0 to 5: 0 Physical, 1 Air Gapped Pods, 2 Mixed Trust Clusters, 3 On-Premise Private Cloud, 4 Dedicated Private "Cloud" (eBay, CSC), 5 Public Multi-Tenant Cloud (Terremark, EC2)]

Page 4

The Datacenter needs to be secured at different levels

Perimeter Security: keep the bad guys out

• Perimeter security device(s) at the edge

• Firewall, VPN, Intrusion Prevention

• Load balancers

Internal Security: segmentation of applications, servers

• VLAN or subnet based policies

• Interior or Web application Firewalls

• DLP, application identity aware policies

End Point Security

• Desktop AV agents

• Host based intrusion

• DLP agents for privacy

Cost & Complexity at the vDC Edge

• Sprawl: hardware, FW rules, VLANs

• Rigid FW rules

• Performance bottlenecks

Page 5

Simple Definition of a Virtual Datacenter

[Diagram: VMware vSphere hosting Tenant 1, Tenant 2, Tenant …, each with App1, App2 and its own DMZ]

• The isolated and secured share of a virtualized multitenant environment.

• Just as a physical datacenter shares the Internet for interconnectivity, the tenants of a cloud (public or private) share the local network within the private datacenter or the service provider's network; and, as in a physical datacenter, each tenant also has its own private, isolated and secured virtual networking infrastructure.

Page 6

Securing virtual Data Centers (vDC) with legacy security solutions

Legacy security solutions do not allow the realization of true virtualization and cloud benefits

[Diagram: virtualized DMZ with firewalls; Web, Application and Database zones on separate vSphere hosts behind the Internet, with perimeter, internal and endpoint security layers]

• Air Gapped Pods with dedicated physical hardware

• Mixed trust clusters without internal security segmentation

• Configuration Complexity
  o VLAN sprawl
  o Firewall rules sprawl
  o Rigid network IP rules without resource context

• Private clouds (?)

Page 7

Platform Sec.

Page 8

Secure the Underlying Platform FIRST

Use the Principles of Information Security

• Hardening and Lockdown

• Defense in Depth

• Authorization, Authentication, and Accounting to enforce Separation of Duties and Least Privilege

• Administrative Controls

For virtualization this means:

• Harden the Virtualization layer

• Set up Access Controls

• Secure the Guests

• Leverage Virtualization Specific Administrative Controls

What Auditors Want to See:

• Network Controls

• Change Control and Configuration Management

• Access Controls & Management

• Vulnerability Management

Page 9

Protection of Management Interfaces is Key

Segment out all non-production networks

• Use VLAN tagging, or

• Use separate vSwitch (see diagram)

Strictly control access to management network, e.g.

• RDP to jump box, or

• VPN through firewall

[Diagram: two vSwitches with their own vmnic uplinks (vmnic1–4). vSwitch1 carries the Production network for the VM vnics; vSwitch2 carries the VMkernel Mgmt and Storage ports to the Mgmt Network, vCenter, IP-based storage and the other ESX/ESXi hosts]

VMware vSphere 4 Hardening Guidelines: http://www.vmware.com/resources/techresources/10109
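The segmentation rule above can be checked mechanically. The following is an added example, not code from the presentation or from VMware: it audits a constructed host inventory (port group names, vSwitch names and VLAN IDs are made up) for VM port groups that share layer-2 reach with a VMkernel port group, covering both the separate-vSwitch and the VLAN-tagging option, plus the VLAN 4095 (virtual guest tagging) case that silently exposes every VLAN on the switch to a guest.

```python
# Added example (not from the presentation): audit a constructed ESXi host
# networking inventory against the rule that VMkernel (management, storage)
# traffic is segmented from production VM traffic by a separate vSwitch or a
# distinct VLAN tag. Port group VLAN IDs follow standard vSwitch semantics:
# 0 = untagged, 1-4094 = tagged, 4095 = all VLANs passed to the guest (VGT).
from dataclasses import dataclass

VGT_ALL_VLANS = 4095

@dataclass(frozen=True)
class PortGroup:
    name: str
    vswitch: str
    vlan: int
    kind: str  # "vmkernel" (Mgmt/Storage) or "vm" (guest traffic)

def overlaps(a: PortGroup, b: PortGroup) -> bool:
    """True if frames on one port group can reach the other at layer 2."""
    if a.vswitch != b.vswitch:
        return False  # separate vSwitch, separate physical uplinks
    if VGT_ALL_VLANS in (a.vlan, b.vlan):
        return True  # a VGT port group sees every VLAN on that vSwitch
    return a.vlan == b.vlan

def audit_segmentation(groups: list) -> list:
    """One finding per VM port group that shares layer-2 reach with a
    VMkernel port group on the same host; an empty list means segmented."""
    vmk = [g for g in groups if g.kind == "vmkernel"]
    return [f"{g.name} (vlan {g.vlan}) reaches {m.name} on {m.vswitch}"
            for g in groups if g.kind == "vm"
            for m in vmk if overlaps(g, m)]

# Constructed inventories: the first mirrors the slide diagram (vSwitch1 for
# production, vSwitch2 for VMkernel); the second collapses everything onto
# one vSwitch with two mistakes the audit should catch.
GOOD_HOST = [
    PortGroup("Production", "vSwitch1", 0, "vm"),
    PortGroup("Mgmt", "vSwitch2", 10, "vmkernel"),
    PortGroup("Storage", "vSwitch2", 20, "vmkernel"),
]
BAD_HOST = [
    PortGroup("Production", "vSwitch0", 10, "vm"),   # same VLAN as Mgmt
    PortGroup("Trunk-VMs", "vSwitch0", 4095, "vm"),  # VGT: sees Mgmt and Storage
    PortGroup("Mgmt", "vSwitch0", 10, "vmkernel"),
    PortGroup("Storage", "vSwitch0", 20, "vmkernel"),
]
```

On a real host the inventory would be filled from the vSphere API or PowerCLI rather than typed in; the check itself does not change.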

Page 10

Separation of Duties Must Be Enforced

[Diagram: role hierarchy from more power to less power: Super Cloud Admin at the top; Cloud Networking Admin, Cloud Server Admin and Cloud Storage Admin below; Tenant A, Tenant B and Tenant C Admins, each with their own VM Admins, at the bottom]

Page 11

Air Gapped Design – Costly and Inefficient

[Diagram: Company X, Company Y and Company Z each have their own dedicated stack from the Internet down: L2-L3 switch, firewall, load balancer, aggregation and access switches, vSphere hosts, and a VPN gateway for remote access]

Page 12

Multi-tenancy – Physical Firewall and VLAN

[Diagram: Company X, Y and Z share the L2-L3 switch, the physical firewalls and the access-aggregation layer; on VMware vSphere + vShield each tenant gets its own port group and VLAN on the vDS/vSS: PG-X (VLAN 1000) for Company X, PG-Y (VLAN 1001) for Company Y, PG-Z (VLAN 1002) for Company Z, with a virtual-to-external switch link per VLAN]

Page 13

Multi-tenancy Virtualization Aware

[Diagram: the Company X, Y and Z port groups PG-X, PG-Y and PG-Z all sit on one infrastructure VLAN (VLAN 1000) on the vDS; vShield Edge VMs connect the internal company links to the external uplink port group PG-C on the provider VLAN (VLAN 100); traffic flow between tenants on the shared VLAN is not allowed]

Page 14

Enforce Microsegmentation Inside the vDC

Protect applications against Network Based Threats

• Application-Aware Full Stateful Packet Inspection FW

• Control on per-VM/per vNIC level

• See VM-VM traffic within the same host

• Security groups enforced with VM movement

[Diagram: VMware vSphere + vCenter with ESX hardening; Virtual Datacenter 1 (DISA & PCI) and Virtual Datacenter 2 (CIS & PCI) spanning Cluster A and Cluster B, each with Web, App and Database tiers]
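The last two bullets, and the "rigid network IP rules without resource context" complaint from page 6, are easiest to see side by side. The following is an added example, not code from the presentation or from vShield: a toy vNIC-level policy engine whose rules reference security groups (tiers) and tenants, next to a legacy rule set keyed on IP addresses. All VM names, tenants, hosts and addresses are constructed.

```python
# Added example (not from the presentation): a toy vNIC-level policy engine
# showing why rules keyed to VM identity (security groups) survive VM
# movement and tenant address overlap, where a legacy IP-keyed firewall rule
# does not. All VM names, tenants and addresses are constructed.
from dataclasses import dataclass

@dataclass
class VM:
    name: str
    tenant: str
    tier: str  # security group: "web", "app" or "db"
    ip: str
    host: str

@dataclass(frozen=True)
class Rule:
    src_tier: str
    dst_tier: str
    port: int

class GroupPolicy:
    """Rules reference tiers and are evaluated at the vNIC, so VM-VM traffic
    on the same host is inspected too; default deny, and tenants never mix."""
    def __init__(self, rules):
        self.rules = set(rules)

    def allows(self, src: VM, dst: VM, port: int) -> bool:
        if src.tenant != dst.tenant:
            return False
        return Rule(src.tier, dst.tier, port) in self.rules

class IpFirewall:
    """Legacy rule set of (src_ip, dst_ip, port) with no resource context."""
    def __init__(self, rules):
        self.rules = set(rules)

    def allows(self, src: VM, dst: VM, port: int) -> bool:
        return (src.ip, dst.ip, port) in self.rules

def vmotion(vm: VM, new_host: str, new_ip: str) -> VM:
    """Simulate moving a VM to another host and re-addressing it."""
    vm.host, vm.ip = new_host, new_ip
    return vm

THREE_TIER = GroupPolicy([Rule("web", "app", 8080), Rule("app", "db", 3306)])
web_a = VM("web-a1", "A", "web", "10.1.0.11", "esx01")
app_a = VM("app-a1", "A", "app", "10.1.0.21", "esx01")  # same host as web-a1
db_a = VM("db-a1", "A", "db", "10.1.0.31", "esx02")
db_b = VM("db-b1", "B", "db", "10.1.0.31", "esx02")  # tenant B reuses the IP
LEGACY = IpFirewall([(app_a.ip, db_a.ip, 3306)])
```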

Page 15

Offload Endpoint Based Security Functions with VM Introspection Techniques

Improves performance and effectiveness of existing endpoint security solutions

Offload Functions

• AV

• File Integrity Monitoring

• Application Whitelisting

Page 16

Virtualized Security and Edge Services

[Diagram: Internal Security and Compliance, Endpoint Security and Edge/Perimeter Protection delivered as Security as a Service: elastic, logical, efficient, automated, programmable]

Cloud Aware Security

• Micro-segmentation

• Discover and report regulated data in the Datacenter and Cloud

• Secure the edge of the virtual datacenter

• Security and Edge networking services gateway

• Efficient offload of endpoint based security into the cloud infrastructure, i.e. anti-virus and file integrity monitoring

Page 17

Continuous and Automated Compliance

Ongoing Change and Compliance Management

• Understand pervasive change

• Capture in-band and out-of-band changes

• Are you still compliant?
  o Remediate
  o Exceptions

• Fit within current enterprise change mgmt workflow process

Protect against vulnerabilities

• Hypervisor-based anti-virus provides superior protection

• Patch Management guards against known attacks

• Software provisioning tied to compliance

• Day to day vulnerability checks

[Diagram: a host is deployed from the Gold Standard into the Compliant State; a Planned Change or an Unplanned Change moves it to the Noncompliant State; Remediate (RFC optional) or Mark as Exception returns it to the Compliant State]
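The compliance loop in the diagram is a small state machine. The following is an added example, not code from the presentation or from any VMware product: it tracks a host deployed from a gold standard, captures planned (RFC-backed) and unplanned changes, and returns to the compliant state by remediation or by a recorded exception. The setting names are constructed placeholders, not vSphere parameters.

```python
# Added example (not from the presentation): a drift-tracking state machine
# for the compliance loop (deploy from gold standard, detect planned or
# unplanned change, remediate or mark as exception). Setting names are
# constructed placeholders, not real vSphere parameters.
from dataclasses import dataclass, field

GOLD_STANDARD = {"ssh_service": "off", "lockdown_mode": "on",
                 "remote_syslog": "on", "ntp": "on"}

@dataclass
class HostState:
    config: dict
    state: str = "compliant"
    exceptions: dict = field(default_factory=dict)  # setting -> justification
    log: list = field(default_factory=list)         # change and audit trail

def deploy_from_gold() -> HostState:
    """Provision a host from the gold standard, so it starts compliant."""
    return HostState(config=dict(GOLD_STANDARD))

def drift(host: HostState) -> dict:
    """Settings that differ from gold, ignoring approved exceptions.
    A setting unknown to the gold standard counts as drift too."""
    return {k: v for k, v in host.config.items()
            if v != GOLD_STANDARD.get(k) and k not in host.exceptions}

def _reassess(host: HostState) -> None:
    host.state = "noncompliant" if drift(host) else "compliant"

def apply_change(host: HostState, setting: str, value: str, rfc: str = "") -> None:
    """Capture a change. An RFC id marks it planned (in-band); no RFC means an
    out-of-band change, e.g. an admin enabling SSH by hand."""
    host.config[setting] = value
    host.log.append(f"{'planned ' + rfc if rfc else 'unplanned'}: {setting}={value}")
    _reassess(host)

def remediate(host: HostState) -> None:
    """Reset every drifted setting to its gold value."""
    for k in drift(host):
        host.config[k] = GOLD_STANDARD[k]
    host.log.append("remediated")
    _reassess(host)

def mark_exception(host: HostState, setting: str, justification: str) -> None:
    """Accept a deviation with a recorded reason instead of reverting it."""
    host.exceptions[setting] = justification
    host.log.append(f"exception {setting}: {justification}")
    _reassess(host)
```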

Page 18

Conclusion

• The Cloud has great benefits and, like any technology, its associated risks

• These risks can be mitigated with proper controls

• The classic principles of information security should be applied

• Key architecture decisions must be made for security

• Tools designed for the cloud must be utilized

Page 19

Questions?

Rob Randell, CISSP, CCSK

Principal Security and Compliance Specialist