GLOBAL SPONSORS - germany.emc.com · Moderne Infrastruktur. ... Data center virtualization layer....
Modern Infrastructure: VMware SDN NSX Networking and GDPR
Christoph Altherr, Systems Engineer – NSX Specialist
© Copyright 2017 Dell Inc.
Agenda
• SDN – VMware SW-Defined Data Center (SDDC)
• GDPR – Why and What
• Facing GDPR requirements
• VMware NSX – Network and Security Virtualization
• VMware AppDefense – Validating good (intended) behavior
SDN: VMware Software-Defined Data Center (SDDC)
The ever changing landscape
Ever wondered why we are not building traditional fortresses anymore?
We built them with a problem in mind and it is very difficult to adapt them to a different situation, new arms or tactics…
What is Software-Defined Data Center (SDDC)?
Data center virtualization layer between hardware and software:
• Pooled compute, storage, and network capacity
• Vendor independent, best price/performance/service
• Simplified configuration and management
Intelligence in software:
• Operational model of the VM for the whole data center
• Automated provisioning and configuration
Virtualizing the Network: Decoupling Applications from Infrastructure
[Diagram: applications and VMs running on hypervisors with vSwitches, abstracted from the physical network]
Topology Independence: application agility without regard to the underlying physical topology
Network and Security Virtualization Platform: aligning a ubiquitous networking and security platform to the application
Pooled Data Center Capacity: maximizing utilization and offering complete flexibility
GDPR: General Data Protection Regulation
Why GDPR?
Personal data has significant economic impact: 1 trillion € by 2020
9 out of 10 Europeans are concerned by mobile apps collecting their data without their consent
7 out of 10 Europeans are concerned by the potential use that companies can make of the information disclosed
Source: http://europa.eu/rapid/press-release_MEMO-14-186_en.htm
What is GDPR?
• Name: General Data Protection Regulation
• Purpose: To replace the existing national data protection legislation enacted by the various EU member states (28 different laws and regulations) under the EU Data Protection Directive with a single, unified regulation for protecting personal data
• Scope: The regulation applies to all organizations established in the EU, and to organizations outside the EU if they either offer goods or services to EU data subjects or monitor the behavior of EU data subjects
• New or enhanced rules:
– Right «to be forgotten»: Individuals have a right to have personal data deleted and to prevent processing in specific circumstances [NOTE: Not a ‘new’ rule but a broader expansion of the right to deletion]
– Easier access to one’s data: The existing right of access is expanded to include more categories, and it must be free (i.e. individuals cannot be charged an admin fee, as was previously allowed under national law)
– Right to data portability: A new right to transfer data between controllers (i.e. easier for individuals to transfer personal data from one IT environment to another)
– The right to know when one’s data has been hacked: New breach reporting requirements – the controller must notify the supervisory authority within 72 hours of becoming aware of a breach, and must also notify the affected data subjects without undue delay where the breach is likely to result in a high risk to them
Source: http://europa.eu/rapid/press-release_IP-12-46_en.htm
Any organization that fails to comply with the GDPR could face severe penalties!
Why is GDPR challenging for organizations?
The challenge for organizations facing the GDPR is that data is everywhere these days:
• processed through all types of apps,
• stored in various places, and
• accessed from all sorts of devices!
Data being so ubiquitous makes it very difficult to control, raising accountability and transparency concerns for IT staff and end users.
The World We Must Secure: Security, the last one invited to the party
[Diagram: devices; traditional and cloud-native apps across managed, private and public clouds; infrastructure of virtualized compute, storage and networking]
“We Need to Secure All of This”
Switzerland – Data Protection Act news
Source: https://www.ejpd.admin.ch/ejpd/de/home/aktuell/news/2017/2017-09-150.html
Facing GDPR requirements? How VMware supports your organization
Mapping GDPR to NSX Capabilities
• The co-branded whitepaper “Product Applicability Guide for the European GDPR”, authored by the third-party assessor Coalfire Systems Inc., concludes:
– VMware NSX can be used to dynamically control where workloads can send and receive data, and to support a micro-segmentation architecture
– The ISO framework was used to validate the mapping of VMware NSX products to GDPR requirements
[Diagram: NSX, ISO 27001 and GDPR mapping]
VMware and GDPR: Best Practices and Requirement Mapping
How can VMware NSX support GDPR?
• Security by design and by default: NSX provides a zero-trust security model inside data centers and clouds
– Micro-segmentation tightens security down to the individual VM and enables east-west traffic inspection without additional traffic engineering or redirection
• Minimizing risk: Security Groups allow building adaptive, application-centric security policy: wherever VMs land, they inherit their firewall rules immediately once they are provisioned, in accordance with the application's requirements
• Real-time security level monitoring: Network and guest introspection help to monitor the VM security posture and to dynamically move a compromised VM into a quarantine Security Group
• Data Protection Impact Assessment: vRealize Network Insight and vRealize Operations help organizations build their Data Protection Impact Assessment (DPIA) by delivering a realistic security overview of the whole data center
• Encrypting data in motion: NSX Edge provides IPsec, L2VPN and SSL VPN tunneling to users and partners outside the data center
https://blogs.vmware.com/euc/2017/09/accelerate-towards-gdpr-compliance.html
VMware Network and Security Virtualization
“VMware NSX is to networking what VMware ESXi is to compute.”
VMware NSX: Ground-breaking Use Cases
Provisioning Security Services is hard: the classic physical zoning approach
Every modern cyber security breach has something in common… the attacker!
Once inside, they were most often able to move freely in the victim's DC network!
Problem: Data Center – Network Security
Perimeter security and zoning have proven insufficient, and with traditional firewalls micro-segmentation is operationally infeasible
[Diagram: Internet → data center perimeter, labelled “insufficient”; Internet → data center perimeter with Zone1, Zone2 and Zone3 behind it, labelled “operationally infeasible”]
Insufficient Security Zoning: VMs in dvPGs (distributed virtual Port Groups)
[Diagram: vSphere Distributed Switch over the physical network; VLAN-backed dvPG1 holds VM1 (172.16.10.11), VM2 (172.16.10.12) and VM3 (172.16.10.13); VLAN-backed dvPG2 holds VM4, VM5 and VM6. VMs in the same port group can reach each other without any firewall in the path.]
VMware NSX – Micro-Segmentation: VMs in dvPGs (distributed virtual Port Groups)
[Diagram: same layout, with NSX micro-segmentation applied while VM1, VM2 and VM3 remain on the same VLAN-backed port group]
VMware NSX – Micro-Segmentation: VMs in LSs (Logical Switches)
[Diagram: VXLAN-backed NSX logical switches LS1 and LS2 on top of the vSphere Distributed Switch, alongside VLAN-backed dvPG1 and dvPG2; VM1–VM3 keep 172.16.10.11–13; the addresses 192.168.0.50, 192.168.100.50 and 192.168.200.50 are also shown on the physical network side]
NSX Distributed Firewalling: Micro-segmentation
• Each VM can now be its own perimeter
• Policies align with logical groups
• Prevents threats from spreading
[Diagram: perimeter firewall in front of the DMZ, App, Services (AD, NTP, DHCP, DNS, CERT) and DB tiers; an inside firewall between Finance, Engineering and HR]
NSX Distributed Firewalling: Micro-segmentation
Source: http://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/nsx/vmware-nsx-microsegmentation.pdf
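How group-based, per-VM policy differs from VLAN zoning, as an added Python model that is not NSX code and does not call the NSX API. It serves both the "How can VMware NSX support GDPR?" slide (VMs inherit rules from Security Group membership, a compromised VM is moved into a quarantine group) and the micro-segmentation slides above: Security Group membership is derived from VM tags, an ordered firewall policy is evaluated at each VM with first-match semantics and a default deny, and a quarantine group placed first in the policy isolates a VM the moment introspection tags it. The VM names and 172.16.10.x addresses follow the slides; the tags, group names, ports and rules are constructed for the example.

```python
"""Policy-evaluation model of NSX-style micro-segmentation.

Added example: an illustrative simulator, not NSX code and not the NSX API.
It models Security Group membership derived from VM tags, an ordered
Distributed Firewall (DFW) policy evaluated per VM with first-match semantics
and a default deny, and a quarantine group that wins over tier rules.
VM names and 172.16.10.x addresses follow the slide; tags, groups, ports and
rules are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    tags: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Rule:
    name: str
    src_group: str       # "any" or a security-group name
    dst_group: str
    port: Optional[int]  # None = any port
    action: str          # "allow" or "block"


# Security Groups as dynamic membership criteria on tags: a VM tagged "web"
# is a member the moment it is provisioned, so it inherits the web rules.
GROUPS = {
    "quarantine": lambda vm: "quarantine" in vm.tags,
    "web": lambda vm: "web" in vm.tags,
    "app": lambda vm: "app" in vm.tags,
    "db": lambda vm: "db" in vm.tags,
}


def member(vm, group):
    return group == "any" or GROUPS[group](vm)


# Ordered DFW policy. Quarantine rules sit first so they win regardless of the
# tier rules; the final rule is an explicit default deny (zero trust: nothing
# is allowed just because two VMs share a VLAN).
POLICY = [
    Rule("quarantine-in", "any", "quarantine", None, "block"),
    Rule("quarantine-out", "quarantine", "any", None, "block"),
    Rule("web-to-app", "web", "app", 8443, "allow"),
    Rule("app-to-db", "app", "db", 5432, "allow"),
    Rule("default-deny", "any", "any", None, "block"),
]


def dfw_decision(src, dst, port, policy=POLICY):
    """First-match evaluation, as a distributed firewall does at each vNIC."""
    for rule in policy:
        if (member(src, rule.src_group) and member(dst, rule.dst_group)
                and (rule.port is None or rule.port == port)):
            return rule.action, rule.name
    return "block", "implicit-deny"


def vlan_zone_decision(src, dst, zones):
    """Classic zoning: anything in the same VLAN/zone can talk freely,
    because the only firewall sits between zones."""
    return "allow" if zones[src.name] == zones[dst.name] else "block"


# Constructed inventory: the slide's three VMs on one VLAN-backed port group.
VM1 = VM("VM1", "172.16.10.11", frozenset({"web"}))
VM2 = VM("VM2", "172.16.10.12", frozenset({"app"}))
VM3 = VM("VM3", "172.16.10.13", frozenset({"db"}))
ZONES = {"VM1": "dvPG1", "VM2": "dvPG1", "VM3": "dvPG1"}


def lateral_movement_summary(src, targets, port, zones=ZONES):
    """For a compromised src, compare zoning and DFW verdicts per target:
    {target: (zoning_verdict, dfw_verdict)}."""
    return {t.name: (vlan_zone_decision(src, t, zones), dfw_decision(src, t, port)[0])
            for t in targets}


def quarantine(vm):
    """Guest/network introspection tagging a compromised VM moves it into
    the quarantine Security Group; no rule edit is needed."""
    return VM(vm.name, vm.ip, vm.tags | {"quarantine"})


if __name__ == "__main__":
    # A compromised web VM probing the app and DB tiers on the DB port.
    print(lateral_movement_summary(VM1, [VM2, VM3], 5432))
    # Its legitimate path is allowed...
    print(dfw_decision(VM1, VM2, 8443))
    # ...until it is quarantined.
    print(dfw_decision(quarantine(VM1), VM2, 8443))
```

The point to check in a real deployment is the same as in the model: rule order matters, the quarantine rules must precede any allow rules, and the last rule must be an explicit deny, otherwise a VM that matches no group silently falls through to the platform default.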
AppDefense
Pitfalls of the current model: focused on chasing malicious behavior
• Highly complex and noisy
• Limited context – requires a lot of inputs
• Manual effort to confirm a valid threat
It’s time for a new model: focused on validating good (intended) behavior
• Simpler and smaller problem set
• Better signal-to-noise ratio
• Actionable and behavior-based alerts and responses
VMware AppDefense: Visibility and context into the application lifecycle
Automated collection of intended state across the app lifecycle:
1. IT provisions a new app
2. Intended state: AppDefense collects the intended state of the app
3. IT provisions a change to the app
4. Running state: AppDefense notes the change
[Diagram: AppDefense and NSX on the hypervisor, inserting security into the DevOps process]
Source: https://www.vmware.com/products/appdefense.html
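The intended-state model the last slides describe, as an added Python example that is not AppDefense code and does not use its API: a per-VM manifest of allowed (process, destination port, protocol) behaviours is captured when the app is provisioned, a change provisioned through the pipeline updates the manifest instead of tripping an alert, and at run time only events outside the manifest are raised, so no signature of "bad" behaviour is needed. VM names, process names, ports and the run-time events are constructed for the example.

```python
"""Intended-state ("known good") validation in the style the AppDefense slides
describe. Added example: a self-contained model, not AppDefense code or its API.
All VM names, process names, ports and events are constructed.
"""
from collections import namedtuple

# A behaviour is something a process on a VM is allowed to do on the network.
Behavior = namedtuple("Behavior", "process dst_port proto")
# A run-time observation from the guest (e.g. a process opening an outbound socket).
Event = namedtuple("Event", "vm process dst_port proto")


class IntendedState:
    """Per-VM allowlist of behaviours, populated from the provisioning pipeline."""

    def __init__(self):
        self.manifest = {}  # vm name -> set of Behavior

    def learn(self, vm, behaviors):
        """Provisioning step: record what the app is meant to do."""
        self.manifest.setdefault(vm, set()).update(behaviors)

    def apply_change(self, vm, added=(), removed=()):
        """A change provisioned through the pipeline updates the intended state,
        so it is not reported as a deviation at run time."""
        allowed = self.manifest.setdefault(vm, set())
        allowed.difference_update(removed)
        allowed.update(added)

    def validate(self, events):
        """Run-time check: return only events outside the intended state.
        Anything not explicitly expected is a deviation; the model never has
        to enumerate what an attacker might do."""
        return [ev for ev in events
                if Behavior(ev.process, ev.dst_port, ev.proto)
                not in self.manifest.get(ev.vm, set())]


def demo():
    """Walk the lifecycle from the slide: provision, collect intended state,
    observe running state, provision a change, observe again."""
    state = IntendedState()
    # Steps 1-2: apps are provisioned and their intended behaviour captured.
    state.learn("web01", {Behavior("nginx", 8443, "tcp")})
    state.learn("app01", {Behavior("java", 5432, "tcp")})

    # Constructed running-state observations.
    events = [
        Event("web01", "nginx", 8443, "tcp"),  # expected web -> app traffic
        Event("app01", "java", 5432, "tcp"),   # expected app -> db traffic
        Event("web01", "bash", 4444, "tcp"),   # a shell opening an outbound socket: never provisioned
        Event("app01", "java", 9090, "tcp"),   # new metrics port, not yet in the manifest
    ]
    before = state.validate(events)

    # Steps 3-4: IT provisions the metrics endpoint; the manifest is updated.
    state.apply_change("app01", added={Behavior("java", 9090, "tcp")})
    after = state.validate(events)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("deviations before the provisioned change:", before)
    print("deviations after the provisioned change:", after)
```

Before the change two of four events are deviations; after the metrics port is provisioned only the unexpected shell connection remains, which is the signal-to-noise argument the slide makes. The cost of this model is that the manifest must be kept current through the pipeline: a change made outside it looks exactly like an attack.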