Trend Micro End to End Security Protection by Steve Quane


Transcript of Trend Micro End to End Security Protection by Steve Quane

  • 8/8/2019 Trend Micro End to End Security Protection by Steve Quane

    1/30

    Copyright 2010 EMC Corporation. All rights reserved.

    End to End Protection for Virtualised & Cloud Environments

    2/30

    Copyright 2009 Trend Micro Inc.

    Why virtualization matters

    Speed and Business Impact

    Expertise and Performance

    Massive Cost Reduction

    3/30

    Typical Customer Virtualization Evolution

    [Chart: Servers and Desktops; markers at 15%, 30%, 70%, 85%]

    Stage 1: Consolidation

    DC Consolidation

    - Non-mission critical base applications
    - Standardized hypervisor
    - Simple VM Management

    Stage 2: Expansion & Desktop

    Mission critical applications & Endpoint Control

    - Performance becomes critical
    - API and advanced management use
    - VDI sampling
    - Enhanced Compliance controls

    Stage 3: Private > Public Cloud

    Public and private cloud

    - Multi-hypervisor
    - Virtualized storage
    - Multi-tenancy
    - Workload Management
    - Dedicate or Burst to public

    GET TECHIE

    4/30

    "By far, the number one concern about cloud services is security." -- Frank Gens, IDC, Senior VP & Chief Analyst

    5/30

    Phase 1 Security Challenge

    Perimeter-only (Outside-in) approach together with rapid virtualization have created less secure application environments

    "Through 2012, 60% of virtualized servers will be less secure than the physical servers they replace."

    "Addressing the Most Common Security Risks in Data Center Virtualization Projects," Gartner, 25 January 2010

    6/30

    Phase I: The virtual datacenter is very dynamic!

    [Diagram labels: Hypervisor; Inter-VM attacks; PCI; Mobility; Cloud Computing]

    New Challenges Require a New Security Architecture

    7/30

    Virtual Machines Need Specialized Protection

    Same threats in virtualized servers as physical.

    New challenges:

    1. Instant-on/Dormant VMs
    2. Resource contention
    3. VM Sprawl
    4. Inter-VM traffic
    5. vMotion

    8/30

    Virtualization Security Foundation: Secure the workload

    [Diagram: VM1 (App1, OS1) and VM3 (App3, OS3) on a Hypervisor]

    VM & Network Security Integration

    Self-secured workload: App FW, IPS, AV

    9/30

    Customers' most common Phase I concern: Instant-on or unmanaged VMs & Patching

    - Determines missing patches and existing vulnerabilities
      - Operating System
      - Common desktop applications
    - Recommends set of lightweight, fast-to-deploy filters
      - Virtually patches the vulnerabilities
      - Zero-Day protection
    - Reports on attempts to exploit vulnerabilities
    - Removes filters as soon as the patch is deployed

    Virtual patch endpoints until patch is ready, without exposing them to exploits

    10/30

    Deep Security: Inside-out Protection Model for Physical, Virtual and Cloud Computing

    [Diagram labels: De-Militarized Zone (DMZ); Mission Critical Servers; Business Servers; Firewall; IPS; NIPS]

    [Diagram labels: Firewall; File Integrity Monitoring; Log Inspection; IDS / IPS]

    Trend Micro Deep Security Provides A Secure Container for Applications and Data

    11/30

    Typical Customer Virtualization Evolution

    [Chart: Servers and Desktops; markers at 15%, 30%, 70%, 85%]

    Stage 1: Consolidation

    DC Consolidation

    - Non-mission critical base applications
    - Standardized hypervisor
    - Simple VM Management

    Stage 2: Expansion & Desktop

    Mission critical applications & Endpoint Control

    - Performance becomes critical
    - API and advanced management use
    - VDI sampling
    - Enhanced Compliance controls

    Stage 3: Private > Public Cloud

    Hybrid and selected public cloud

    - Multi-hypervisor
    - Virtualized storage
    - Workload Management
    - Burst to public

    GET TECHIE

    12/30

    Phase 2: Security Challenge

    Virtually unaware traditional security architectures eliminate the benefits of VDI and virtualized mission-critical applications

    13/30

    Phase II Server Performance

    [Diagram: three guest VMs (App, OS) on ESX Server; VMsafe APIs; Security VM with Firewall, IDS / IPS, Anti-Virus, Integrity Monitoring]

    - Protect the VM by inspection of virtual components
    - Unprecedented security for the app & data inside the VM
    - Complete integration with, and awareness of, vMotion, Storage VMotion, HA, etc.

    14/30

    Phase II: Securing virtual desktops (VDI)

    Malware risk potential: Identical to physical desktops

    - Same operating systems
    - Same software
    - Same vulnerabilities
    - Same user activities

    => Same risk of exposing corporate and sensitive data

    New challenges, unique to VDI:

    - Identify endpoints' virtualization status
    - Manage resource contention
      - CPU
      - Storage IOPs
      - Network

    15/30

    Phase II: Cloud-client architecture

    [Diagram labels: FILE REPUTATION; WEB REPUTATION; EMAIL REPUTATION; Threat Collection; Partners (ISPs, Routers, Etc.); Endpoint; Gateway; SaaS/Managed; Cloud; Management; Off Network; Messaging; Threats]

    16/30

    Phase II: Light and Lean Architecture: Smart Protection Network

    CLOUD-CLIENT ARCHITECTURE

    - Speeds protection: In-the-cloud technologies are constantly updated
    - Frees resources: Offloads growing patterns to the cloud

    GLOBAL THREAT INTELLIGENCE

    - Correlated: Integrates web, email, and file reputation databases
    - Instant feedback: Immediately updates using global feedback loops

    [Diagram labels: WEB; FILE; EMAIL]

    17/30

    Phase II: IT Environment Changes

    Challenge: Resource Contention with VDI

    - The 9-AM problem
      - Multiple users log in and download updates at the same time
    - AV-Storms, Scheduled scans
      - Adds significant load to the endpoint
      - Multiplied by number of VMs

    [Chart label: Cumulative system load]

    Existing Endpoint Security Induces Resource Contention and Limits Desktop Virtualization Benefits

    18/30

    Phase II Security has to have VDI-Intelligence

    - Detects whether endpoints are physical or virtual
      - With VMware View
      - With Citrix XenDesktop
    - Serialize updates and scans per VDI-host
      - Controls the number of concurrent scans and updates per VDI host
      - Maintains availability and performance of the VDI host
      - Faster than concurrent approach
    - Leverages Base-Images to further shorten scan times
      - Pre-scans and white-lists VDI base-images
      - Prevents duplicate scanning of unchanged files on a VDI host
      - Further reduces impact on the VDI host
    - Can be done agentlessly as well

    19/30

    OfficeScan 10.5 has VDI-intelligence

    With OfficeScan 10.5, you can run more than double the number of desktop images per host without sacrificing security

    Investment in OfficeScan's VDI plug-in pays for itself:

    - In less than 3 months with 1000 users*
    - In less than 2 months with 2500 users*

    *: assuming average cost of $8000 per VDI server and the deployment of standard endpoint secur

    You no longer have to choose between Security and Return On Investment

    20/30

    Summary of Phase II Solutions

    - Light and lean agents when deep visibility is required
      - Using cloud-client architecture
    - Agent-less option for application & server performance
      - Using virtualization APIs
    - Architecture optimizes performance across entire infrastructure
      - Processes are virtually-aware across CPU, network, and storage

    Trend Micro Confidential 11/26/2010

    21/30

    Typical Customer Virtualization Evolution

    [Chart: Servers and Desktops; markers at 15%, 30%, 70%, 85%]

    Stage 1: Consolidation

    DC Consolidation

    - Non-mission critical base applications
    - Standardized hypervisor
    - Simple VM Management

    Stage 2: Expansion & Desktop

    Mission critical applications & Endpoint Control

    - Performance becomes critical
    - API and advanced management use
    - VDI sampling
    - Enhanced Compliance controls

    Stage 3: Private > Public Cloud

    Hybrid and selected public cloud

    - Multi-hypervisor
    - Virtualized storage
    - Workload Management
    - Burst to public

    GET TECHIE

    22/30

    Phase III: Virtualized Storage and Multi-tenancy Creates Data Protection Nightmares

    [Diagram labels: Perimeter; Datacenter; Public and Private Cloud; Hypervisor; Company 1 ... Company n; App 1 ... App n]

    - Strong perimeter security: No shared CPU, No shared network, No shared storage
    - Weak perimeter security: Shared CPU, Shared network, Shared storage

    Traditional outside-in approach is inadequate in an inside-out cloud world full of strangers

    23/30

    The Public Cloud: Who Has Control? How Secure is the Data?

    [Diagram labels: Servers; Virtualization & Private Cloud; Public Cloud IaaS; Public Cloud PaaS; Public Cloud SaaS; End-User (Enterprise); Service Provider]

    [Diagram labels: Hypervisor; Company 1 ... Company n; App 1 ... App n; Company; Data; Shared CPU; Shared network; Shared storage]

    24/30

    Phase 3: Security Challenge

    How do I protect data in a virtualized and multi-tenant storage environment (private, hybrid, or public cloud)?

    25/30

    SecureCloud: Enterprise Controlled Data Protection for the Cloud

    Patent pending Trend Micro technology enables enterprises to retain control of data in the cloud

    26/30

    All Phases: Architecture Security Challenge

    How do I bring it all together in a manageable way across virtualized, private and public cloud environments?

    27/30

    A New Security Architecture For A New Era

    All environments should be considered un-trusted

    - Users access app
    - Image ensures data is always encrypted and managed
    - Host defends itself from attack
    - Encrypted Data
    - Encryption keys controlled by you

    [Diagram labels: Datacenter; Public Cloud; Data; DC1, LAN 1; DC2, LAN 2; Cloud 1, LAN 2; Cloud 2, LAN 1]

    Benefits

    - Facilitates movement between datacenter & cloud
    - Delivers security compliance through encryption
    - Enables portability between service providers
    - Ensures private data in public cloud

    28/30

    29/30

    Back to the question: To Virtualize or not?

    ANSWER: YES, BUT ONLY WITH A BETTER-THAN-PHYSICAL CLOUD SECURITY ARCHITECTURE

    Speed and Business Impact

    Expertise and Performance

    Massive Cost Reduction

    30/30

    Thank you for visiting the Trend Micro Carnival