VMware NSX Networking and GDPR

Erik Bussink, NSX System Engineer
VCP #67, VCIX-NV, CISSP, RHCE
ebussink@vmware.com

GLOBAL SPONSORS

Page 2

© Copyright 2017 Dell Inc.

Agenda

• VMware Software Defined Data Center (SDDC)

• GDPR – Why and What

• Facing GDPR requirements

• VMware NSX – Network and Security Virtualization

• vRealize Network Insight – Transformative Operations for NSX based SDDC

• VMware AppDefense – Validating good (intended) behavior

Page 3

Ever wondered why we are not building traditional fortresses anymore?

The ever changing landscape

We built them with a problem in mind and it is very difficult to adapt them to a different situation, new arms or tactics…

Page 4

What is Software-Defined Data Center (SDDC)?

Hardware
• Pooled compute, storage, and network capacity
• Vendor independent, best price/performance/service
• Simplified configuration and management

Data center virtualization layer

Software
• Intelligence in software
• Operational model of VM for data center
• Automated provisioning and configuration

Page 5

Virtualizing the Network
Decoupling Applications from Infrastructure

[Figure: a row of hypervisors, each with its own vSwitch, hosting VMs that together form applications (APP); the applications are drawn independently of the hosts they run on]

Topology Independence
Application agility without regard to the underlying physical topology

Network and Security Virtualization Platform
Aligning a ubiquitous networking and security platform to the application

Pooled Data Center Capacity
Maximizing utilization and offering complete flexibility

Page 6

GDPR

Page 7

Why GDPR?

Personal data has significant economic impact: 1 Trillion € by 2020

9 of 10 Europeans are concerned by mobile apps collecting their data without their consent

7 Europeans out of 10 are concerned by the potential use that companies can make of the information disclosed

Source: http://europa.eu/rapid/press-release_MEMO-14-186_en.htm

Page 8

What is GDPR?

• Name: General Data Protection Regulation

• Purpose: To replace the existing national Data Protection legislation enacted by the various EU member states (28 different laws and regulations) under the EU Data Protection Directive with a single, unified regulation for protecting Personal Data

• Scope: The regulation applies to all organizations established in the EU, and to organizations outside the EU if they either offer goods or services to EU data subjects or monitor the behavior of EU data subjects

• New or enhanced rules:
– Right «to be forgotten»: Individuals have a right to have personal data deleted and to prevent processing in specific circumstances [NOTE: Not a ‘new’ rule but a broader expansion of the right to deletion]
– Easier access to one’s data: Existing right of access expanded to include more categories, and it must be free (i.e. individuals cannot be charged an admin fee as previously allowed under national law)
– Right to data portability: New right to transfer between controllers (i.e. easier for individuals to transfer personal data from one IT environment to the other)
– The right to know when one’s data has been hacked: New breach reporting requirements - controller to notify regulators and data subjects within 72 hours if ‘high’ risk

Source: http://europa.eu/rapid/press-release_IP-12-46_en.htm

Any organization who fails to comply with the GDPR could face severe penalties!

Page 9

Why is GDPR challenging for organizations?

The challenge for organizations facing the GDPR is that data is everywhere these days:

• processed through all types of apps,
• stored in various places and
• accessed from all sorts of devices!

Data being so ubiquitous makes it very difficult to control, raising accountability and transparency concerns for IT staff and end users

Page 10

The World We Must Secure
Security: The Last One Invited to the Party

[Figure: three layers to secure; Devices; Infrastructure (managed clouds, private clouds, public clouds; virtualized compute, storage, networking); Apps (traditional apps and cloud-native apps, drawn as many APP boxes); captioned “We Need to Secure All of This”]

Page 11

LPD News

Source: https://www.ejpd.admin.ch/ejpd/fr/home/aktuell/news/2017/2017-09-150.html

Page 12

Facing GDPR requirements?
How VMware supports your organization

Page 13

Mapping GDPR to NSX Capabilities

• Co-branded whitepaper “Product Applicability Guide for the European GDPR”, authored by the 3rd-party assessor Coalfire Systems Inc., concludes:
– VMware NSX can be used to dynamically control where workloads can send and receive data and support a micro-segmentation architecture
– The ISO framework was used to validate the mapping of VMware NSX products to GDPR requirements

[Figure: NSX mapped to ISO 27001, mapped in turn to GDPR]

Page 14

VMware and GDPR
Best Practices and Requirement Mapping

Page 15

How can VMware NSX support GDPR?

• Security by design and by default: NSX provides a zero-trust security model inside datacenters and clouds
– Micro-segmentation tightens the security to the VMs and enables east-west traffic inspection without additional traffic engineering or redirection

• Minimizing risk: Security Groups allow building adaptive, application-centric security policy; VMs land in the right groups immediately once they are provisioned and inherit their FW rules in accordance with the application's requirements

• Real-time security level monitoring: Network and guest introspection help to monitor the VM security posture and, if a VM is compromised, dynamically move it into a quarantine Security Group and enforce that group's rules

• Data Privacy Impact Assessment: NSX, vRealize Network Insight and vRealize Operations help organizations to build their Data Privacy Impact Assessment by delivering a realistic security overview of the whole datacenter

• Encrypting data in motion: NSX Edge provides IPsec, L2VPN and SSL VPN tunneling to users and partners outside datacenters

https://blogs.vmware.com/euc/2017/09/accelerate-towards-gdpr-compliance.html

Page 16

VMware Network and Security Virtualization

Page 17

VMware NSX
Ground-breaking Use Cases

Page 18

Problem: Data Center – Network Security
Perimeter Security & Zoning has proven insufficient, micro-segmentation is operationally infeasible

[Figure: two data center perimeters facing the Internet; left, a single flat perimeter labelled “Insufficient”; right, the perimeter divided into Zone1, Zone2 and Zone3, labelled “Operationally infeasible”]

Page 19

Insufficient Security Zoning
VMs in dvPGs (distributed virtual Port Group)

[Figure: vSphere Distributed Switch over the physical network; VDS dvPG1 (VLAN-backed) holds VM1 172.16.10.11, VM2 172.16.10.12 and VM3 172.16.10.13; VDS dvPG2 (VLAN-backed) holds VM4, VM5 and VM6]

Page 20

VMware NSX – Micro-Segmentation
VMs in dvPGs (distributed virtual Port Group)

[Figure: same layout as the previous slide; vSphere Distributed Switch over the physical network; VDS dvPG1 (VLAN-backed) holds VM1 172.16.10.11, VM2 172.16.10.12 and VM3 172.16.10.13; VDS dvPG2 (VLAN-backed) holds VM4, VM5 and VM6]

Page 21

VMware NSX – Micro-Segmentation
VMs in LSs (Logical Switches)

[Figure: vSphere Distributed Switch with VDS dvPG1 and VDS dvPG2 (VLAN-backed) and NSX LS1 and NSX LS2 (VXLAN-backed); LS1 holds VM1 172.16.10.11, VM2 172.16.10.12 and VM3 172.16.10.13; LS2 holds VM4, VM5 and VM6; physical network addresses 192.168.0.50, 192.168.100.50 and 192.168.200.50]

Page 22

NSX Distributed Firewalling
Micro-segmentation

• Each VM can now be its own perimeter

• Policies align with logical groups

• Prevents threats from spreading

[Figure: perimeter firewall and inside firewall in front of DMZ, App, Services and DB tiers; common services AD, NTP, DHCP, DNS and CERT; Finance, Engineering and HR groups, each VM enforced individually]
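The two slides on NSX and GDPR (Security Groups that VMs inherit rules from at provisioning time, a quarantine group for compromised VMs) and this slide (each VM its own perimeter, policies aligned to logical groups) describe the same mechanism. The following Python model is an added example written for this transcript; it is not NSX code and does not use the NSX API. It models a distributed firewall policy the way a practitioner would reason about it: security groups with tag-based dynamic membership, an ordered rule set evaluated at each VM's own perimeter, and an implicit default deny. The VM names, tags, groups, ports and the address 172.16.10.14 are constructed (the other three addresses come from the slides); the quarantine tag name is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed inventory (hypothetical VM names and tags; 172.16.10.11-13 are the
# addresses shown on the slides, .14 is added for the example).
VMS = {
    "web-01": {"tags": {"tier:web", "app:crm"}, "ip": "172.16.10.11"},
    "web-02": {"tags": {"tier:web", "app:crm"}, "ip": "172.16.10.14"},
    "app-01": {"tags": {"tier:app", "app:crm"}, "ip": "172.16.10.12"},
    "db-01":  {"tags": {"tier:db",  "app:crm"}, "ip": "172.16.10.13"},
}

# Security groups with dynamic membership: a VM is a member when it carries every tag
# the group requires. Membership is derived from tags, not configured per VM, so a
# freshly provisioned VM inherits its rules as soon as it is tagged, and a single
# quarantine tag (hypothetical name) moves a compromised VM into SG-Quarantine.
SECURITY_GROUPS = {
    "SG-Web": {"tier:web"},
    "SG-App": {"tier:app"},
    "SG-DB": {"tier:db"},
    "SG-Quarantine": {"security:quarantine"},
}


@dataclass(frozen=True)
class Rule:
    src: str             # security group name, or "any"
    dst: str             # security group name, or "any"
    port: Optional[int]  # None matches any destination port
    action: str          # "allow" or "deny"


# Ordered rule set; first match wins. Quarantine rules sit on top so they override
# every application rule. Anything not matched falls through to deny (zero trust).
RULES = [
    Rule("SG-Quarantine", "any", None, "deny"),
    Rule("any", "SG-Quarantine", None, "deny"),
    Rule("SG-Web", "SG-App", 8443, "allow"),
    Rule("SG-App", "SG-DB", 5432, "allow"),
]


def groups_of(vm_name, vms=VMS, groups=SECURITY_GROUPS):
    """Security groups a VM currently belongs to, computed from its tags."""
    tags = vms[vm_name]["tags"]
    return {name for name, required in groups.items() if required <= tags}


def evaluate(src_vm, dst_vm, port, vms=VMS, rules=RULES):
    """Decide a flow src_vm -> dst_vm:port as the distributed firewall would at the
    source VM's vNIC: resolve both ends to groups, walk the ordered rules, and deny
    when nothing matches. Same-tier traffic (web to web) is denied too, because
    each VM is its own perimeter rather than sharing a zone."""
    src_groups = groups_of(src_vm, vms)
    dst_groups = groups_of(dst_vm, vms)
    for rule in rules:
        if ((rule.src == "any" or rule.src in src_groups)
                and (rule.dst == "any" or rule.dst in dst_groups)
                and (rule.port is None or rule.port == port)):
            return rule.action
    return "deny"  # implicit default deny


def quarantine(vm_name, vms=VMS):
    """Response to a compromised VM: add the quarantine tag. No rule is edited; the
    group membership change alone isolates the VM in both directions."""
    vms[vm_name]["tags"].add("security:quarantine")


if __name__ == "__main__":
    print(evaluate("web-01", "app-01", 8443))  # allow
    print(evaluate("web-01", "db-01", 5432))   # deny: web must not reach db directly
    print(evaluate("web-01", "web-02", 22))    # deny: no lateral movement inside a tier
    quarantine("app-01")
    print(evaluate("web-01", "app-01", 8443))  # deny: app-01 is now in SG-Quarantine
```

The point to check in a real policy is the ordering: the quarantine rules must sit above every allow rule, otherwise an earlier application allow would still match a quarantined VM. The check is cheap to automate by evaluating a handful of known flows before and after tagging a test VM, as the `__main__` block does here.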

Page 23

NSX Distributed Firewalling
Micro-segmentation

Source: http://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/nsx/vmware-nsx-microsegmentation.pdf

Page 24

vRealize Network Insight

Page 25

Security Policy Automation
Micro-Segmentation

• Discover vCenter and NSX constructs (folders, clusters, vlans, security tags)

• Automated Security Groupings Based on vCenter and NSX Constructs, Workload Characteristics, Ports, Common Services

• Recommended Security Policies / Firewall Rules (Zero-Trust Model)

• See Network Traffic Per Host, Per VM

• Export as CSV
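The workflow these bullets describe (observe traffic per VM, group VMs by vCenter/NSX construct, turn the observed flows into recommended zero-trust rules, export as CSV) can be followed end to end on a handful of flow records. The Python below is an added example for this transcript, not vRealize Network Insight code and not its API: the flow records, the VM-to-group mapping and the list of expected application edges are all constructed for the example.

```python
from collections import defaultdict

# Constructed flow records (hypothetical): (source VM, destination VM, dst port, protocol).
# They stand in for the per-VM traffic view the slide describes.
FLOWS = [
    ("web-01", "app-01", 8443, "tcp"),
    ("web-02", "app-01", 8443, "tcp"),
    ("app-01", "db-01", 5432, "tcp"),
    ("app-01", "db-01", 5432, "tcp"),   # repeat of the same flow; must not yield a second rule
    ("web-01", "dns-01", 53, "udp"),
    ("app-01", "dns-01", 53, "udp"),
    ("db-01", "web-01", 22, "tcp"),     # unexpected direction: db reaching back into the web tier
]

# Constructed grouping (hypothetical). In the product this would be derived from folders,
# clusters, VLANs or security tags; here it is given directly.
VM_GROUP = {
    "web-01": "SG-Web", "web-02": "SG-Web",
    "app-01": "SG-App", "db-01": "SG-DB",
    "dns-01": "SG-CommonServices",
}

# Hypothetical analyst input: the group-to-group edges the application is designed to have.
EXPECTED_EDGES = {
    ("SG-Web", "SG-App"), ("SG-App", "SG-DB"),
    ("SG-Web", "SG-CommonServices"), ("SG-App", "SG-CommonServices"),
}


def recommend_rules(flows, vm_group):
    """Collapse VM-to-VM flows into group-to-group allow rules.
    Returns sorted (src_group, dst_group, port, proto, flow_count) tuples; everything
    not listed is left to the default deny."""
    counts = defaultdict(int)
    for src, dst, port, proto in flows:
        counts[(vm_group[src], vm_group[dst], port, proto)] += 1
    return sorted(key + (count,) for key, count in counts.items())


def flag_for_review(rules, expected_edges):
    """A learned allow rule is only as trustworthy as the traffic it was learned from.
    Rules whose group pair is not an expected application edge are returned for an
    analyst to confirm before the rule set is pushed to the distributed firewall."""
    return [r for r in rules if (r[0], r[1]) not in expected_edges]


def to_csv(rules):
    """The CSV export step from the slide: one line per recommended rule."""
    header = "src_group,dst_group,port,proto,flows"
    return "\n".join([header] + [",".join(str(field) for field in r) for r in rules])


if __name__ == "__main__":
    rules = recommend_rules(FLOWS, VM_GROUP)
    print(to_csv(rules))
    print("needs review:", flag_for_review(rules, EXPECTED_EDGES))
```

Running it yields five recommended rules, of which the SG-DB to SG-Web rule on port 22 is flagged: it was observed, so a purely flow-driven recommendation would allow it, which is why the review step against the intended application design matters before recommendations become policy.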

Page 26

Plan Security – Services & Flows in VLAN


Page 27


Plan Security – Firewall Rule Recommendations

Page 28

AppDefense

Page 29

Pitfalls of the current model
Focused on chasing malicious behavior

• Highly complex and noisy
• Limited context – requires a lot of inputs
• Manual effort to confirm valid threat

Page 30


It’s time for a new model
Focused on validating good (intended) behavior

• Simpler and smaller problem set
• Better signal-to-noise ratio
• Actionable and behavior-based alerts and responses

Page 31

VMworld AppDefense
Visibility and context into application lifecycle

Automated collection of intended state across app lifecycle:

1. IT provisions a new app
2. Intended State: AppDefense collects the intended state of the app
3. IT provisions a change to the app
4. Running State: AppDefense notes the change

[Figure: hypervisor with AppDefense and NSX alongside the application; caption “Insert security into DevOps process”]

Source: https://www.vmware.com/products/appdefense.html
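The four-step lifecycle above (collect intended state, observe the running state, note the difference, update intended state when IT provisions a change) is the whole of the "validate good behavior" model, and it is small enough to write down. The Python below is an added example for this transcript, not AppDefense code and not its API: the intended-state manifest, the observed events and the application name are constructed, and the alert categories are names chosen for the example.

```python
# Constructed intended-state manifest (hypothetical): what the application is supposed
# to do, captured at provisioning time rather than learned from whatever it happens to do.
INTENDED = {
    "crm-app": {
        "processes": {"/usr/bin/java", "/usr/sbin/sshd"},
        "outbound": {("db-01", 5432), ("dns-01", 53)},
        "inbound": {8443},
    }
}

# Constructed running-state observations (hypothetical): (app, event kind, value).
# Two of them were never declared; the rest are normal and must not alert.
OBSERVED = [
    ("crm-app", "process", "/usr/bin/java"),
    ("crm-app", "process", "/bin/sh"),
    ("crm-app", "connect", ("db-01", 5432)),
    ("crm-app", "connect", ("203.0.113.7", 443)),
    ("crm-app", "listen", 8443),
]

# Which part of the manifest each event kind is validated against.
MANIFEST_KEY = {"process": "processes", "connect": "outbound", "listen": "inbound"}
ALERT_KIND = {"process": "unexpected-process", "connect": "unexpected-outbound",
              "listen": "unexpected-listener"}


def compare(intended, observed):
    """Step 4 of the lifecycle: validate each observed event against the intended state.
    Anything not in the manifest is an alert; the allow-list is the small problem set,
    so there is no signature to match and no noise from benign-but-unknown activity."""
    alerts = []
    for app, kind, value in observed:
        manifest = intended.get(app)
        if manifest is None:
            alerts.append((app, "unknown-app", value))
        elif value not in manifest[MANIFEST_KEY[kind]]:
            alerts.append((app, ALERT_KIND[kind], value))
    return alerts


def apply_change(intended, app, kind, value):
    """Step 3 of the lifecycle: IT provisions a change, so the manifest is updated by
    the provisioning pipeline. The deliberate asymmetry: alerts never update the
    manifest, otherwise a compromise would whitelist itself."""
    intended[app][MANIFEST_KEY[kind]].add(value)


def isolation_candidates(alerts):
    """Apps with at least one deviation; the slide pairs AppDefense with NSX, and a
    quarantine security group is the natural response target for these."""
    return {app for app, _, _ in alerts}


if __name__ == "__main__":
    for alert in compare(INTENDED, OBSERVED):
        print("ALERT", alert)
    apply_change(INTENDED, "crm-app", "process", "/bin/sh")  # a sanctioned change
    print("after change:", compare(INTENDED, OBSERVED))
```

The first run raises two alerts, for the undeclared process and the undeclared outbound connection. After the shell is added to the manifest through `apply_change`, only the outbound connection remains, which is the behavior the slide's step 3 and step 4 describe: a provisioned change stops being a deviation, an unprovisioned one does not.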

Page 32

“VMware NSX is to networking what VMware ESXi is to compute.”
