RSA: Vision of Secure Virtualization and Trusted Cloud
RNDr. Ivan Svoboda, CSc.
RSA, The Security Division of EMC
Agenda
  About RSA
  Virtualization and Cloud Computing (definitions)
  RSA / EMC: our experience with cloud
  Virtualization and Cloud: Risks, Security and Compliance
  Virtualization and Cloud: RSA security solutions
Meeting our Customers' Challenges
  Secure Access for Increased Mobility & Collaboration
  Manage Risk and Threats Throughout the Enterprise
  Prove Compliance Consistently & Affordably
  Secure Virtualization & Cloud Computing
How?
How We Do It: System for Managing Security, Risk and Compliance
  Governance, Risk & Compliance: Archer eGRC Suite (Policy Management, Risk Management, Incident Management, Compliance Management, Enterprise Management)
  Identity Security
    Authentication: SecurID, Adaptive Authentication, Authentication Manager Express
    Access / Provisioning: Access Manager, Federated Identity Manager
    Fraud Prevention: FraudAction, Transaction Monitoring, eFraudNetwork
  Data Security
    Data Loss Prevention: DLP, Cisco IronPort, Network Partners, Endpoint Partners
    Encryption & Tokenization: DPM App, DPM DC, BSAFE, Tokenization, Microsoft RMS
  Monitoring / Audit / Reporting
    SIEM: enVision
    Network Analysis / Forensics: NetWitness
RSA, The Security Division of EMC
  Leader (1st): Authentication
  Leader: Data Loss Prevention
  Leader: Web Fraud Detection
  Leader: SIEM
  Leader: eGRC
How We Do It: System for Managing Security, Risk and Compliance
  GRC: Risk / Policy Management: RSA Archer
  Analyze / Discover (Data, Threats): RSA DLP, FraudAction, NetWitness
  Enforce Controls: RSA Encryption, Authentication, Access Control, Transaction Monitoring
  Log / Report / Audit: RSA enVision
RSA: A Comprehensive Approach to Security
  Governance, Risk & Compliance: Archer eGRC Suite (Policy Management, Risk Management, Incident Management, Compliance Management, Enterprise Management)
  Identity Security: Authentication, Access / Provisioning, Fraud Prevention
  Data Security: Data Loss Prevention, Encryption & Tokenization
  Network / System Security: Cisco, Microsoft, VMware
  Monitoring / Audit / Reporting: SIEM (enVision), NAV (NetWitness)
Virtualization and Cloud Computing
The Opportunity
  Enterprise IT Has Many Challenges: Complex, Expensive, Inflexible, Siloed
  The Public Cloud Has Broad Appeal: Simple, Low Cost, Flexible, Dynamic
  (Diagram: Infrastructure, from Enterprise IT to Public Cloud)
  Over Time, Enterprise IT Will Evolve Towards Public Cloud Ideals
Copyright 2010 EMC Corporation. All rights reserved.
The Opportunity: The Journey to the Cloud
  The Private Cloud is a Logical First Step
  (Diagram: Infrastructure, from Enterprise IT through Private Cloud to Public Cloud)
  Trusted, Controlled, Reliable, Secure / Simple, Low Cost, Flexible, Dynamic
  "70% Will Spend More On Private Cloud through 2012" (Gartner DC Conference 2009)
The Opportunity: The Journey to the Cloud
  Virtualize Everything, Standardize & Automate
  Hybrid Cloud: Utilize Service Provider Infrastructure
  (Diagram: Infrastructure, from Enterprise IT through Private Cloud to Public Cloud)
  Building blocks: Virtualization, Converged Infrastructure, Automation, Federation, GRC
  Infrastructure-as-a-Service; Hybrid Cloud
Securing the Journey to The Private Cloud
  IT Production (Lower Costs): Visibility into virtualization infrastructure, privileged user monitoring, access management, network security
  Business Production (Improve Quality of Service): Security compliance, information-centric security, risk-driven policies, IT and security operations alignment
  IT-as-a-Service (Improve Agility): Secure multi-tenancy, verifiable chain of trust
  (Chart: % virtualized rising through 15%, 30%, 70%, 85%, 95%; service tiers Platinum, Gold)
RSA / EMC: Our Experience with Cloud and Virtualization
RSA / EMC: Our Experience with Virtualization
RSA / EMC: Our Experience with Cloud
  We live the cloud
    We are on the way to a private cloud (over 75% virtualized)
    We use public cloud applications (e.g. CRM)
  We are a supplier of cloud solutions: VCE (VMware, Cisco, EMC)
    RSA: security solutions for VCE (Vblock)
  We deliver security to cloud providers: Verizon, CSC, AT&T, ...
  We provide SaaS solutions: Adaptive Authentication, Transaction Monitoring, 3D Secure
  We have a vision of the secure cloud
    We are members of the CSA (Cloud Security Alliance)
    We have launched the Cloud Trust Authority solution
EMC IT's Journey to the Private Cloud
  IT Production (Efficiency), 2004-08: Development, test and IT-owned applications
  Business Production (Quality of service), 2009-10: Mission-critical applications
  IT-as-a-Service (Agility), 2011+: Run IT as a business
  (Chart: % virtualized rising through 15%, 30%, 40%, 75%, 86%, 100%; "We are here" at 75%)
Self-Service IT Portal: Deliver IT as a Service
  Define Service Catalog, Publish to Self-Service IT Portal
  Policy/SLA-driven Management
  Application Service Catalogue: VMware vCloud Director
  Infrastructure Service Catalogue: EMC UIM; tiers Platinum, Gold, Silver, Bronze
  Example catalog entry: Availability 99.99%, Security High, Performance 0.2ms, Cost $500K
EMC IT Journey to the Private Cloud: A Practitioner's Guide
  www.emc.com/emcit
  http://www.emc.com/collateral/software/white-papers/h7298-it-journey-private-cloud-wp.pdf
What Do Others Recommend?
  US Government CIO (Kundra): 25% of Fed IT Spend on Cloud Services
  NIST: Guidelines on Security and Privacy in Public Cloud (800-144 Draft)
  Cloud Security Alliance: Cloud Assessment Initiative
  Fraud-as-a-Service running in the cloud: Trojans as a Service
Virtualization and Cloud Computing: Security and Compliance Issues
Main Changes on the Road to the Cloud
  Enterprise IT, (Virtualization), Private Cloud, (Trust), Public Cloud
  Trusted, Controlled, Reliable, Secure / Simple, Low Cost, Flexible, Dynamic
  Private Cloud SLA: Availability 99.99%, Security High, Performance 0.2ms, Cost $500K
Main Changes on the Road to the Cloud: Step 1
  Oversight (SIEM, DLP, GRC, ...)
  Virtualization security / private cloud: Virtual Datacenter 1, Virtual Datacenter 2 (DMZ, PCI, HIPAA, Test, Dev)
  Network security
  Physical security: Company A (DMZ, ERP, HR); FW, AV, IDS, IPS, VPN, AAA, ...
Main Changes on the Road to the Cloud: Step 2
  Trust (Trust = Visibility + Control)
  Cloud security
  Oversight (SIEM, DLP, GRC, ...)
  Virtualization security / private cloud: Virtual Datacenter 1, Virtual Datacenter 2 (DMZ, PCI, HIPAA, Test, Dev)
  Network security
  Physical security: Company A (DMZ, ERP, HR); FW, AV, IDS, IPS, VPN, AAA, ...
Main Changes on the Road to the Cloud: Trust = SLA?
  Enterprise IT, (Virtualization), Private Cloud, (Trust = SLA?), Public Cloud
  Private Cloud SLA: Availability 99.99%, Security High, Performance 0.2ms, Cost $500K
Examples: Security at SalesForce.Com
Examples: Security at Google
Examples: Security in the Cloud
  "Does XXXX give third parties access to my organization's data?"
  "XXXX does not share or reveal private user content such as email or personal information with third parties except as required by law, on request by a user or system administrator, or to protect our systems. These exceptions include requests by users that XXXX support staff access their email messages in order to diagnose problems; when XXXX is required by law to do so; and when we are compelled to disclose personal information because we reasonably believe it's necessary in order to protect the rights, property or safety of XXXX, its users and the public."
Enabling Trust in the Cloud
  Enterprises and Cloud Service Providers
  Security & Compliance; Visibility & Reporting
  Identities, Information, Workload
  Private Cloud, Hybrid Cloud, Public Cloud
  https://cloudsecurityalliance.org/
Examples: CSA questions (1)
  Compliance - Independent Audits: Do you allow tenants to view your SAS70 Type II / SSAE 16 SOC2 / ISAE3402 or similar third-party audit reports?
  Compliance - Third Party Audits: Do you permit tenants to perform independent vulnerability assessments?
  Data Governance - Secure Disposal: Do you support secure deletion (e.g. degaussing / cryptographic wiping) of archived data as determined by the tenant?
  Data Governance - Information Leakage: Do you have controls in place to prevent data leakage or intentional/accidental compromise between tenants in a multi-tenant environment? Do you have a DLP solution in place for all systems which interface with your cloud service offering?
  Data Governance - Risk Assessments: Do you provide security control health data in order to allow tenants to implement industry-standard Continuous Monitoring (which allows continual tenant validation of your physical and logical control status)?
Examples: CSA questions (2)
  Information Security - Baseline Requirements: Do you have documented information security baselines for every component of your infrastructure (e.g. hypervisors, operating systems, routers, DNS servers, etc.)? Do you have a capability to continuously monitor and report the compliance of your infrastructure against your information security baselines?
  Information Security - Segregation of Duties: Do you provide tenants with documentation on how you maintain segregation of duties within your cloud service offering?
  Information Security - Encryption Key Management: Do you encrypt tenant data at rest (on disk/storage) within your environment? Do you maintain key management procedures?
  Information Security - Incident Management: Do you publish a roles and responsibilities document specifying what you vs. your tenants are responsible for during security incidents? Do you have a DLP solution in place for all systems which interface with your cloud service offering?
  Information Security - Incident Reporting: Does your security information and event management (SIEM) system merge data sources (app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting?
Our Customers Are Asking Themselves
  Can I ensure my virtualized business-critical applications are running in a secure and compliant environment?
  How do I centrally manage compliance across mixed VMware and physical IT environments?
  Can I respond more quickly to security events in my virtual environment?
  How do I begin to assess hybrid and public cloud service providers?
Virtualization and Cloud Computing: RSA Security and Compliance Solutions
Is It Secure? And Is It Compliant?
  The usual answer of the IT operator: YES!
    We take security very seriously
    We have implemented lots of firewalls, ...
    We comply with the laws. We passed the audit
  Can you see inside? Where is your data, who accessed it, what happened?
  Can you measure compliance? What is the current reality (technical configuration)? What exactly is/is not met? Can you prove/report it?
Securing the Journey to The Cloud
  IT Production (Lower Costs): Visibility into virtualization infrastructure, privileged user monitoring, access management, network security
  Business Production (Improve Quality of Service): Security compliance, information-centric security, risk-driven policies, IT and security operations alignment
  IT-as-a-Service (Improve Agility): Secure multi-tenancy, verifiable chain of trust
  (Chart: % virtualized rising through 15%, 30%, 70%, 85%, 95%; service tiers Platinum, Gold)
Security of the Virtual and Cloud Environment
  VMware: network security: vShield, vCloud Director; virtual firewalls, application protection, ...
  RSA: oversight, compliance: SIEM, DLP, GRC, Authentication; enVision, DLP, Archer, SecurID, ...
RSA: A Set of Solutions (Not Only) for Virtual Environments
  Identity protection, access control: strong two-factor and multi-factor authentication for users and administrators
  Protection of sensitive data against leakage (DLP): on storage, on the network, on virtual desktops
  Security monitoring of the entire virtualized infrastructure: a complete SIEM solution serving as a Security Operations Center
  Audit and assurance of compliance with legislation and internal regulations, measuring/proving compliance: VMware (virtual and physical infrastructure, private cloud); Cloud (compliance according to CSA)
RSA: A Set of Solutions (Not Only) for Virtual Environments
  Compliance (GRC): Archer eGRC Suite; VMware; Cloud
  Identity Security: Authentication, Access / Provisioning, Fraud Prevention
  Data Security: Data Loss Prevention, Encryption & Tokenization
  Monitoring / Audit / Reporting: SIEM (enVision)
RSA Solution for VMware View (Validated with Vblock)
  RSA Archer Compliance Dashboard
  RSA DLP for protection of data in use (VMware View clients)
  RSA SecurID for remote authentication (VMware View Manager, Active Directory)
  RSA SecurID for ESX Service Console and vMA
  RSA enVision log management for VMware vCenter & ESX(i)
  Components: VMware Infrastructure, VMware View Manager, VMware vCenter, Active Directory, Clients
Visibility and Monitoring: RSA enVision
  Consolidated event log management, analysis, and reporting
  Allows for cross-environment correlation
  Collects logs from the VMware stack: VMware vShield, VMware vCenter, VMware ESX/ESXi, VMware View Manager, VMware vCloud Director
  VMware Collector for RSA enVision leverages VMware APIs
  RSA enVision can pull logs from multiple vCenters!
Use Case Scenarios
  Protecting Management Console
  Applying Patch to Production System
  Lost Laptop
  Unauthorized Administrator
Scenario: Apply Patch to Production System - Before
  Production Datacenter: HR Application Server VM, HR Database Server VM (HRDB: Name, SSN, DoB, etc.)
  Test Environment: HR Application Server VM, HR Database Server VM (HRDB: Name, SSN, DoB, etc.)
  1 Clone virtual environment
  2 Test patch
  3 Apply patch to production environment
  A common way to apply patches is to try them out in a test environment. This is difficult and time-consuming in a production environment, but very easy in a virtual environment.
  In a virtual world you can clone the system, data and all.
  Is the test environment sufficiently protected & controlled?
  Is this an authorized procedure?
  Who accessed the production data in the test environment?
  Was the VM environment destroyed after it was used?
Scenario: Apply Patch to Production System - After
  Production Datacenter: HR Application Server VM, HR Database Server VM (HRDB: Name, SSN, DoB, etc.)
  Test Environment: HR Application Server VM, HR Database Server VM (HRDB: Name, SSN, DoB, etc.)
  1 Clone virtual environment
  2 Test patch
  3 Apply patch to production environment
  Events seen by RSA enVision: VM Cloned, VM Cloned, Patch Applied, Patch Applied, Patch Applied, VM Deleted
  RSA enVision can log the administrative activity from vCenter, like the VM being cloned.
  If this is out of policy we can alert a security analyst.
  If the test environment is properly protected, then it will also be monitored by RSA enVision.
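The clone, patch and delete events in the two scenario slides can be correlated to answer the four questions the "Before" slide asks. The script below is an added illustration written for this page, not RSA enVision code or its correlation-rule syntax; the event format, VM names, approved-user list, "-clone" naming convention and 24-hour clone lifetime are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed vCenter-style audit events for the patch-to-production scenario.
# Illustrative input only, not real vCenter or RSA enVision output.
# Each tuple: (timestamp, user, event, vm, environment)
EVENTS = [
    ("2011-03-01T08:00:00", "vi-admin", "VmCloned", "HR-DB-01-clone", "test"),
    ("2011-03-01T08:05:00", "vi-admin", "VmCloned", "HR-APP-01-clone", "test"),
    ("2011-03-01T09:00:00", "vi-admin", "PatchApplied", "HR-APP-01-clone", "test"),
    ("2011-03-01T10:00:00", "vi-admin", "PatchApplied", "HR-APP-01", "production"),
    ("2011-03-01T10:30:00", "vi-admin", "VmDeleted", "HR-APP-01-clone", "test"),
    ("2011-03-02T09:00:00", "vi-admin", "PatchApplied", "HR-DB-01", "production"),
    ("2011-03-02T14:00:00", "contractor7", "VmCloned", "HR-DB-01-clone2", "test"),
]

# Assumed policy: the HR database VM holds production data (name, SSN, DoB);
# only approved users may clone it, and clones must be destroyed within a day.
SENSITIVE_VMS = {"HR-DB-01"}
APPROVED_CLONERS = {"vi-admin"}
MAX_CLONE_LIFETIME = timedelta(hours=24)


def source_of(vm):
    """Map a clone name back to its source VM (assumed '<source>-clone*' naming)."""
    return vm.split("-clone")[0]


def check_patch_scenario(events, now):
    """Correlate clone/patch/delete events and return a list of policy alerts.

    Alerts raised:
      - a sensitive VM cloned by a user outside APPROVED_CLONERS
      - a patch applied in production with no prior patch on a test clone
      - a clone of production data still alive after MAX_CLONE_LIFETIME
    """
    now = datetime.fromisoformat(now)
    alerts = []
    live_clones = {}         # clone vm -> time it was cloned
    patched_in_test = set()  # source VMs whose clone received the patch

    for ts, user, event, vm, env in sorted(events):
        t = datetime.fromisoformat(ts)
        if event == "VmCloned" and source_of(vm) in SENSITIVE_VMS:
            live_clones[vm] = t
            if user not in APPROVED_CLONERS:
                alerts.append(f"{vm}: cloned into {env} by unapproved user {user}")
        elif event == "PatchApplied" and env != "production":
            patched_in_test.add(source_of(vm))
        elif event == "PatchApplied" and vm not in patched_in_test:
            alerts.append(f"{vm}: untested patch applied to production by {user}")
        elif event == "VmDeleted":
            live_clones.pop(vm, None)

    # Anything still in live_clones was never deleted: check how long it has lived.
    for vm, t in live_clones.items():
        if now - t > MAX_CLONE_LIFETIME:
            alerts.append(f"{vm}: production data clone not destroyed after {now - t}")
    return alerts
```

Running check_patch_scenario(EVENTS, "2011-03-03T00:00:00") yields three alerts: the untested production patch on HR-DB-01, the clone made by contractor7, and the HR-DB-01 clone that outlived the 24-hour limit.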
Use Case: Monitoring events in the virtual datacenter
Use Case: Reducing Risk of VM Theft
RISK
  Securing virtual infrastructure is often a checklist of best practices.
  Hardening a VMware environment is complex and difficult to verify.
  What can I do to limit the risk of VM theft from my datacenter?
  Need to take preventative steps that limit access to VM files, such as:
    Disable Datastore Browser
    Limit storage user access
    Limit use of the service console
    Use the least-privileged-role concept for system and data access
Use Case: Reducing Risk of VM Theft
SOLUTION
  Archer has built-in control procedures to check for VM file access and other best practices
  From a centralized console, security and IT ops can easily see if controls enforce policy
  The solution identifies VMware devices, assesses configuration status, and informs the responsible administrator
  enVision monitors to ensure security events are not disrupting the compliance posture
  Results: Security and compliance best practices directly aligned with regulations and company policies are implemented and verified
Cycle of Compliance: RSA Solution for Cloud Security and Compliance (RSA SecurBook)
  Discover VMware infrastructure
  Define security policy: over 100 VMware-specific controls added to the Archer library, mapped to regulations/standards
  Manual and automated configuration assessment: a solution component automatically assesses VMware configuration and updates Archer
  Remediation of non-compliant controls (RSA Archer eGRC)
  Manage security incidents that affect compliance: RSA enVision collects, analyzes and feeds security incidents from RSA, VMware and ecosystem products to inform Archer dashboards
Mapping VMware Security Controls to Regulations and Standards (RSA Archer eGRC)
  Authoritative Source (regulations such as PCI-DSS, etc.), owned by the CxO: 10.10.04 Administrator and Operator Logs
  Control Standard (generalized security controls): CS-179 Activity Logs (system start/stop/config changes, etc.)
  Control Procedure (technology-specific control), owned by the VI Admin: CP-108324 Persistent logging on ESXi Server
Distribution and Tracking of Control Procedures
  RSA Archer eGRC distributes control procedures to: Security Admin, Server Admin, Project Manager, Network Admin, VI Admin
RSA Solution for Cloud Security and Compliance
  Automated Measurement Agent: VI component discovery and population; VI configuration measurement
  VMware-specific controls in RSA Archer eGRC
  Alerts from RSA enVision
VMware compliance: live demo
Control Procedures List, Status and Measurement Method
Compliance Dashboard across Physical and Virtual
Making Archer the Best GRC Solution for Hybrid Clouds
  Cloud Security Alliance's 13 domains of focus for cloud computing: Cloud Architecture; Governance and Enterprise Risk Management; Legal and Electronic Discovery; Compliance and Audit; Information Lifecycle Management; Portability and Interoperability; Security, Business Continuity, and Disaster Recovery; Data Center Operations; Incident Response, Notification, Remediation; Application Security; Encryption and Key Management; Virtualization; Identity and Access Management
  Assessing Service Provider Compliance: RSA Solution for Cloud Security and Compliance aligns with CSA Consensus Assessment Questions by automating 195 questions that customers can issue to assess cloud service providers.
CSA Assessment Questionnaire in Archer
Use Case: Assessing Cloud Service Providers
  RISK: Choosing the wrong service provider
  Results: Benchmarking vendors based on CSA standards
Creating the Trusted Cloud
  Trust = Visibility + Control
  Control: Availability, Integrity, Confidentiality
  Visibility: Compliance, Governance, Risk Management
  Private Cloud SLA: Availability 99.99%, Security High, Performance 0.2ms, Cost $500K
Main Changes on the Road to the Cloud
  Enterprise IT, (Virtualization), Private Cloud, (Trust = SLA?), Public Cloud: Cloud provider A, Cloud provider B, Cloud provider C, Cloud provider D
  Private Cloud SLA: Availability 99.99%, Security High, Performance 0.2ms, Cost $500K
RSA Cloud Trust Authority: Identity Services, Compliance Profiling
RSA Solutions for Security and Compliance
  Can you see inside? Where is your data, who accessed it, what happened?
  Can you measure compliance? What is the current reality (technical configuration)? What exactly is/is not met? Can you prove/report it?
More Information
  Info on RSA solutions for virtualization and cloud: www.rsa.com/rsavirtualization
  Introductory demo: http://www.rsa.com/experience/virtual/rsa_virtual_journey.html
  Solutions for VMware: http://www.rsa.com/node.aspx?id=3684
  Solutions for Cloud (again based on virtualization): http://www.rsa.com/node.aspx?id=1130
  Solutions for VMware View: http://www.rsa.com/node.aspx?id=1334
RSA SecurBook: Cloud Security and Compliance (www.rsa.com/rsavirtualization)
  A technical guide for deploying and operating RSA Solution for Cloud Security and Compliance
  Documents solution architecture
  Solution deployment and configuration guides
  Operational guidance for effectively using the solution
  Troubleshooting guidance
More Information
  www.rsa.com/rsavirtualization
  RSA SecurBooks: technical guides for deploying and operating RSA Solutions
  EMC Solutions for VMware Webcasts, every Thursday at 11:00 AM ET
  Join us for Webcasts: http://mediazone.brighttalk.com/comm/isc2/a7082f81e6-17335-2838-18812
Questions/Feedback/Discussion
  RSA Contacts: Ivan Svoboda, Key Account Manager, ivan.svoboda@rsa.com, +420 604 293 394
www.rsa.com/securecloud Thank you!