Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:

Increasing Security while Decreasing
Costs when Virtualizing In-Scope Servers:

How to virtualize more by building a security fortress around
your "in-scope” virtual environment with HyTrust

First in a three-part series for IS and IT professionals responsible for
virtualization and data center architecture, management, and optimization

1975 W. El Camino Real, Suite 203, Mountain View, CA 94040 Phone: 650-681-8100 / email: info@hytrust.com
© 2012, HyTrust, Inc. www.hytrust.com 1

Overview

 Meet the Experts
 What are the key business drivers for the virtualization security
blueprint ?
 Can you recommend a strategy, framework, and tools to help us
succeed with compliance audits and beyond?
 What cross-vendor architectures exist to help virtualize more mission-
critical applications, more securely this year?
 What best practices and methodologies can you outline for planning
and undertaking these newer virtualization security initiatives?
 Summary
 Q&A


Today’s Experts

Justin Lute
 Director, Product Management - Virtualization, Cloud, and
Technology Integrations – Qualys
 Extensively-certified, technical and business leader in
cloud security
 Strategic product, technical consulting, and engineering
roles at VCE, EMC, RSA, and more.
 Justin has studied at Stanford University and The Ohio
State University.


Today’s Experts

Dave Shackleford
 SVP of Research and CTO, IANS
 Former consultant at Voodoo Security
 Author of SANS Virtualization Security and Cloud
Security courses, and SANS curriculum lead for
Virtualization and Cloud Security
 Sybex “Virtualization Security” book coming in Q3 2012
 Helped create and publish first virtualization security
hardening guides while CTO at Center for Internet
Security


Today’s Experts

Eric Chiu
 Eric Chiu is CEO and co-founder of HyTrust, Inc.
(http://www.hytrust.com/),
 Vice President of Sales and Business Development at
Cemaphore Systems, a leader in disaster recovery for
Microsoft Exchange, Business Development at MailFrontier
and mySimon
 Instrumental in building OEM partnerships and technology
alliances and driving new product initiatives.
 Formerly a Venture Capitalist for Brentwood (now Redpoint)
and Pinnacle, he also served in the M&A Group for
Robertson, Stephens and Company.
 Eric holds a BS in Materials Science and Engineering from
UC Berkeley.


HyTrust Backgrounder

 Founded: Fall 2007

 Headquarters: Mountain View, CA

 Venture Funding: $16 million

 Strategic Partners:

 Awards & Top Ten Lists: VMworld 2009 Best of Show, VMworld 2009 Gold,
VMworld 2010 Finalist, TechTarget 2009 Product of the Year, RSA Innovation Sandbox
2009/2010 Finalist, SC Magazine 2010 Rookie Company of the Year, Network World
Startup to Watch 2010, InfoWorld Tech Company to Know 2010, Forbes “Who’s Who”
in Virtualization, Red Herring 2010 North America winner, Gartner Cool Vendor 2011


Data Center of the Future – 3 year Vision

“Rented” Cloud
SaaS Application Infrastructure Self-Service

Access
Identity and
Usage
Consolidation & IT as a
Virtualization Service
Ubiquitous Access

Data Cost

End result of datacenter transformation: IT is delivered as-a-service;
Role of Corporate IT is transformed from operational to control / governance

What security concern ranks highest in importance in your
virtualized environments heading into 2012?
 Lack of automation (admin is brought in for every update and change)
 Self service for line of businesses to access/manage their virtual machines
 Strength of security policies and processes around access and change controls
 Insider breach – either malicious or errant
 Logging and reporting tools for audit and/or forensics purposes
 All of the above

© 2011, HyTrust, Inc. Inc. www.hytrust.com 8
© 2012, HyTrust, www.hytrust.com

When are you planning your next server refresh?
 Next 6 months as part of a full data center re-architecture
 Next 6 months as standalone server refresh
 Next 7-12 months as part of a full data center re-architecture
 Next 7-12 months as standalone server refresh
 Greater than 12 months as part of a full data center re-architecture
 Greater than 12 months as standalone server refresh
 No server refresh planned
 Unknown


Key Drivers – Innovation Driving Business Goals

Virtualize More…

Analyst research of CIO top priorities for 2012,
40% picked virtualization as one of top three

Analyst research shows market is now 52% virtualized,
with many organizations goaled to be 75% virtualized
by 2014. *

Forrester Research CISO’s Guide to Virtualization Security

Key Drivers - Virtualization / Cloud Security Leading IT

Virtualize More Securely…
“There will be more
“By 2015, 40% of the
virtual machines
security controls used
deployed on servers
within enterprise data
during 2011 than in
centers will be
2001 through 2009
virtualized, up from
combined”2
less than 5% in 2010.”1

“Virtualization increases security risk by 60%.”1
1Gartner; “From Secure Virtualization to Secure Private Clouds”; Neil MacDonald & Thomas J. Bittman; 13 October 2010
11 2Gartner; “Q&A: Six Misconceptions About Server Virtualization”, Thomas J. Bittman; 29 July 2010


Key Drivers - Business Demands More

Virtualize More…
More Securely…
With Less!

Forrester Research CISO’s Guide to Virtualization Security

Key Drivers - Proactively Protect and Secure Your IP

87% Percentage of companies that
have experienced a data breach
— IT Compliance
Institute

48% Percent of all breaches that
involved privileged user misuse
— Verizon report, 2010

74% Percentage of breached companies
who lost customers as a result of the
breach
— IT Compliance
Institute


Typical Response for Errant Insider-caused Breach


Key Drivers - Summary

 Build the Business Case
 External and Internal drivers
 Describing What is ISO/IEC 27001?
 Articulating benefits
 Value to your intellectual property (IP)
 Value to Brand
 Value to departmental reputation and team careers


Strategy, Framework, and Tools

 Scoping – the Key to Success
 Planning and Design - Understanding the environment is critical
 ISMS - Documented Components
 Communication and Setting Expectations Internally


Strategy, Framework, and Tools

 GRC Tool Benefits
 ISO Controls Testing (control activities)
 Obtain Certification
 Maintenance, Surveillance, and Re-Audit


Why Get Started Now?

 Jason Cornish, former Shionogi
Pharma IT Staffer
 Plead guilty to Feb ‘11 computer
intrusion
 Wiped out 88 corporate servers (VMs) –
email, order tracking, financial, & other
services – and 15 ESX hosts
 Shionogi’s operations frozen for days
 unable to ship product
 unable to cut checks
 unable to send email
 Estimated cost: $800k All of this was accomplished from a McDonalds

19
19

Why Get Started Now?

“…down the road, the cyber
threat will be the number one
threat to the country…”

FBI Director Robert Mueller
…”service attacks … into NASDAQ,
RSA, and the IMF“ underscore
the vulnerability of key sectors
of the economy."

…"wholesale plundering" of
American intellectual property.,,

Director National Intelligence, James Clapper


Best Practices and Guidance - Getting Started

 How To Get Started with Virtualization Security

Strive for virtual security that is equal to or better than the traditional
security in your environment.

 Consider the following:
 Apply the “Zero Trust” model of information security to your network
architecture
 Consider virtualization-aware security solutions
 Implement privileged identity management
 Incorporate vulnerability management into the virtual server environment


 eric@hytrust.com
 jlute@qualys.com
 dave@daveshackleford.com

Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers:

More Related Content

What's hot (19)

Similar to Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers: (20)

More from HyTrust (7)

Recently uploaded (20)

Increasing Security while Decreasing Costs when Virtualizing In-Scope Servers: