Secure and Scale Your Virtual Infrastructure While
Meeting Compliance Mandates
Tim Grance, Senior Computer Scientist, NIST
Sushant Rao, Product Management Director, HyTrust
Curtis Salinas, Systems Engineer, HyTrust


© 2012, HyTrust, Inc. www.hytrust.com   1975 W. El Camino Real, Suite 203, Mountain View, CA 94040   Phone: 650-681-8100 / email: info@hytrust.com
Security and Compliance Will Be Key to Virtualizing the Next
50% of the Data Center	
  



Discussion

  •  Growth depends on virtualizing mission critical workloads
  •  Virtualization platform provides basic security: OK for non-critical workloads
  •  Tier 1/2 workloads have higher security, compliance needs
  •  Purpose-built solutions needed




Privileged Users Can Have Huge Impact


  87%  Percentage of companies that have experienced a data breach — IT Compliance Institute
  74%  Percentage of breached companies who lost customers as a result of the breach — IT Compliance Institute
  48%  Percent of all breaches that involved privileged user misuse — Verizon report, 2010

Shionogi & Co: $3.2B pharmaceutical company

Laid off IT admin:
  •  Logged in remotely to vSphere from local McDonald’s WIFI
  •  Deleted 88 virtual production servers
  •  Took down email, order entry, payroll, BlackBerry, & other services
  •  Caused $800K damage




Expert Consensus on Virtualization Best Practices

 •  “Restrict and protect administrator access to the
    virtualization solution.”

 •  “Secure each management interface”

 •  “Monitor and analyze logs at all layers of the
    virtualization infrastructure”

 •  “Enforce least privilege and separation of duties”

 •  “It is critical that independent monitoring of all
    activities be enforced”

 •  “Require multi-factor authentication for all
    administrative functions.”

 •  “Administrative access to the hypervisor/VMM
    layer must be tightly controlled”


          * NIST SP 800-125: Guide to Security for Full Virtualization Technologies
          ** PCI-DSS 2.0 Information Supplement – Virtualization Security
          *** Neil MacDonald, vice president and Gartner fellow


HyTrust Appliance Provides Necessary Controls to
Confidently Virtualize Mission-Critical Applications

Secures the administration of the hypervisor & virtual infrastructure:
  •  Enforces consistent access and authorization policies covering all access methods
  •  Provides granular, user-specific, audit-quality logs
  •  Enables strong, multi-factor authentication
  •  Verifies platform integrity, ensuring the hypervisor is hardened and the virtual infrastructure is trusted

Provides complete visibility into and control over who accesses the infrastructure, the integrity of the infrastructure, and the validity of the changes requested.




HyTrust’s Unique Role in Virtual Infrastructure Security




Major Partners Trust HyTrust




  •  HyTrust is key "go to" partner for vSphere security and compliance
  •  HyTrust is part of CA Access Control for Virtual Environments
  •  HyTrust is the platform security solution - access control and auditing - for vBlock
  •  HyTrust provides combined reporting with Trend's Deep Security product
  •  HyTrust provides native integration with SecurID and enVision
  •  HyTrust reporting and controls being integrated with Symantec CCS
  •  HyTrust is part of Intel's trusted cloud architecture based on TXT
  •  HyTrust event reporting and TXT integration being integrated with McAfee ePO




Virtualize More With HyTrust

  •  Admin compliance and controls essential for mission critical workloads
  •  Capabilities not available from the virtual infrastructure
       •  Granular, audit-quality administration logs
       •  Granular, consistent privileged user and VM control policies
       •  Multi-tenancy logical segmentation
  •  Trusted by market leaders
  •  Key component of major partners’ solutions




NIST Special Publication (SP) 800-125

Guide To Security for Full Virtualization Technologies

Recommendations of the National Institute of Standards and Technology




Tim Grance
Senior Computer Scientist in the Computer Security Division

Disclaimer

Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.




Agenda

  What is SP 800-125
  Why virtualization
  Full virtualization
  Security concerns
  Recommendations for Security for full virtualization technologies
  Summary
  Questions and answers
  Resources




SP 800-125

  Full Virtualization technologies
  Server and desktop virtualization
  Security threats
  Security recommendations for protecting full virtualization




Why Virtualization?

  Reduce hardware footprint
  More efficiency
  Reduce energy, operations, and maintenance costs, e.g., disaster
   recovery, dynamic workload, security benefits, etc.
  Consolidation




Forms of Virtualization

  Simulated environment
  Does not cover OS and application virtualization
  Full virtualization – CPU, storage, network, display, etc.
  Hypervisor and host OS
  Virtual Machine (VM) – Guest OS
    Isolated
    Encapsulated
    Portable




Full Virtualization

  Bare metal virtualization
  Hosted virtualization
  Server virtualization
  Desktop virtualization




Virtualization and Security Concerns

  Additional layers of technology
  Many systems on a physical system
  Sharing pool of resources
  Lack of visibility
  Dynamic environment
  May increase the attack surface




Recommendations for Security for Full Virtualization
Technologies

  Risk based approach
  Secure all elements of a full virtualization solution and perform
   continuous monitoring
  Restrict and protect administrator access to the virtualization solution
  Ensure that the hypervisor is properly secured
  Carefully plan the security for a full virtualization solution before
   installing, configuring, and deploying it




Summary of Threats and Countermeasures

  Intra-guest vulnerabilities
   Hypervisor partitioning
  Lack of visibility in the guest OS
   Hypervisor instrumentation and monitoring
  Hypervisor management
   Protect management interface, patch management, secure configuration
  Virtual workload security
   Management of the guest OS, applications, data protection, patch
    management, secure configuration, etc.
  Virtualized infrastructure exposure
   Manage access control to the hardware, hypervisors, network, storage,
    etc.




Resources
  Presidential Memorandum, June 10, 2010, Disposing of Unneeded Federal Real
   Estate, is available on the following Web page:
   http://www.whitehouse.gov/the-press-office/presidential-memorandum-disposing-unneeded-federal-real-estate

  NIST publications that provide information and guidance on planning, implementing
   and managing information system security and protecting information include:
     Federal Information Processing Standard (FIPS) 199, Standards for Security
      Categorization of Federal Information and Information Systems
     NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk
      Management Framework to Federal Information Systems: A Security Life Cycle Approach
     NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information
      Systems and Organizations
     NIST SP 800-61 Revision 1, Computer Security Incident Handling Guide
     NIST SP 800-64 Revision 2, Security Considerations in the System Development Life
      Cycle
     NIST SP 800-88, Guidelines for Media Sanitization
     NIST SP 800-115, Technical Guide to Information Security Testing and Assessment
     NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable
      Information (PII)

  For information about these NIST standards and guidelines, as well as other security-related
   publications, see NIST’s Web page
   http://csrc.nist.gov/publications/index.html
HyTrust Fills Critical Platform Access Gaps


Virtualization Platform Gap / HyTrust Solution

  •  Gap: Multiple administrators can log into hosts anonymously by sharing a root account
     HyTrust solution: Uses root password vaulting (check-in/out) to ensure admins are individually accountable

  •  Gap: An admin can bypass vCenter access controls and logging by connecting directly to hosts
     HyTrust solution: Controls and logs access via any connection method, creating accountability

  •  Gap: An admin can access another organization’s virtualized workloads in multi-tenant environments
     HyTrust solution: Ensures that admins can only access their own organization’s data and applications, enabling secure multi-tenancy

  •  Gap: Platform allows access via default password or compromised admin password
     HyTrust solution: Prevents use of default passwords and supports multi-factor authentication to stop unauthorized access

  •  Gap: A current or terminated admin can connect to the platform undetected using a backdoor account
     HyTrust solution: Controls and logs access to every admin account, preventing major security breaches




HyTrust Fills Critical Platform Authorization Gaps

Virtualization Platform Gap / HyTrust Solution

  •  Gap: An administrator can shut down any virtualized application or switch
     HyTrust solution: Protects business continuity by controlling what resources an admin can manage

  •  Gap: An admin can create unapproved VMs, with negative operations or compliance impacts
     HyTrust solution: Prevents damaging outcomes by controlling VM creation privileges

  •  Gap: An admin can disable security such as virtualized firewalls and antivirus
     HyTrust solution: Preserves security by blocking unapproved shutdowns of virtual security measures

  •  Gap: An admin can copy sensitive data from a VM to external storage
     HyTrust solution: Keeps sensitive data confidential by applying controls to virtual resources

  •  Gap: An admin can replace a critical VM with a compromised copy while leaving no tracks
     HyTrust solution: Exposes tampering by creating a permanent, unchangeable record of every operation

  •  Gap: An admin can move a low trust virtualized workload to a high trust server or virtual subnet, and vice versa
     HyTrust solution: Mitigates security and compliance risks by preventing mixing of trust levels




HyTrust Fills Critical Log Data Gaps

Log Data Provider: Virtualization Platform

  Data for Allowed Operation (example):
    •  User: root
    •  Time/date
    •  Target resource name, URL
    •  Operation executed
  Data for Denied Operation (example):
    •  none
  Usability and Productivity:
    •  Separate log files for vCenter and each host server
    •  Different log formats for vCenter vs. hosts

Log Data Provider: HyTrust

  Data for Allowed Operation (example): all of the above, plus:
    •  User ID
    •  Source IP address
    •  Resource reconfigured
    •  Previous resource state
    •  New resource state
    •  Label (Production)
    •  Required privileges
    •  Evaluated rules/constraints
  Data for Denied Operation (example):
    •  User ID
    •  Date/time
    •  Source IP address
    •  Operation requested
    •  Operation denial
    •  Target resource name, IP address, port, and protocol
    •  Required privileges
    •  Missing privileges
    •  Evaluated rules/constraints
  Usability and Productivity:
    •  Consolidated, centrally managed logs covering vCenter and all hosts
    •  Single, uniform format for combined vCenter and host log data
    •  Logs sent to central repository or SIEM via syslog




HyTrust In Action – Live Demo




HyTrust is a Critical Component in Virtualizing
 Mission-Critical Applications




Visibility
  •  Authentication
  •  Logging

Control
  •  Role-Based Access Control
  •  Policy

Validation
  •  Configuration Assessment & Remediation




Thank You!


Questions and Answers






Secure and Scale Your Virtual Infrastructure While Meeting Compliance Mandates

  • 1. Secure and Scale Your Virtual Infrastructure While Meeting Compliance Mandates Tim Grance, Senior Computer Scientist, NIST Sushant Rao, Product Management Director, HyTrust Curtis Salinas, Systems Engineer, HyTrust © 2012, HyTrust, Inc. www.hytrust.com 1975 W. El Camino Real, Suite 203, Mountain View, CA 94040 Phone: 650-681-8100 / email: info@hytrust.com 1
  • 2. Security and Compliance Will Be Key to Virtualizing the Next 50% of the Data Center   Discussion   Growth depends on virtualizing mission critical workloads   Virtualization platform provides basic security: OK for non- critical workloads   Tier 1/2 workloads have higher security, compliance needs   Purpose-built solutions needed © 2012, HyTrust, Inc. www.hytrust.com 2
  • 3. Privileged Users Can Have Huge Impact Percentage of companies that 87% have experienced a data breach — IT Compliance Institute Shionogi & Co: $3.2B pharmaceutical company Percentage of breached 74% Laid off IT admin: companies who lost customers •  Logged in remotely to vSphere from as a result of the breach local McDonald’s WIFI — IT Compliance Institute •  Deleted 88 virtual production servers •  Took down email, order entry, payroll, BlackBerry, & other services •  Caused $800K damage Percent of all breaches that 48% involved privileged user misuse — Verizon report, 2010 © 2012, HyTrust, Inc. www.hytrust.com 3
  • 4. Expert Consensus on Virtualization Best Practices •  “Restrict and protect administrator access to the virtualization solution.” •  “Secure each management interface” •  “Monitor and analyze logs at all layers of the virtualization infrastructure” •  “Enforce least privilege and separation of duties” •  “It is critical that independent monitoring of all activities be enforced” •  “Require multi-factor authentication for all administrative functions.” •  “Administrative access to the hypervisor/VMM layer must be tightly controlled” * NIST SP 800-125: Guide to Security for Full Virtualization Technologies ** PCI-DSS 2.0 Information Supplement – Virtualization Security *** Neil MacDonald, vice president and Gartner fellow © 2012, HyTrust, Inc. www.hytrust.com 4
  • 5. HyTrust Appliance Provides Necessary Controls to Confidently Virtualize Mission-Critical Applications Secures the administration of the hypervisor & virtual infrastructure:   Enforces consistent access and authorization policies covering all access methods   Provides granular, user-specific, audit-quality logs   Enables strong, multi-factor authentication   Verifies platform integrity, ensuring the hypervisor is hardened and the virtual infrastructure is trusted Provides complete visibility into and control over who accesses the infrastructure, the integrity of the infrastructure, and the validity of the changes requested. © 2012, HyTrust, Inc. www.hytrust.com 5
  • 6. HyTrust’s Unique Role in Virtual Infrastructure Security © 2012, HyTrust, Inc. www.hytrust.com 6
  • 7. Major Partners Trust HyTrust HyTrust is key "go to" HyTrust is part of CA HyTrust is the platform HyTrust provides partner for vSphere Access Control for security solution - combined reporting security and compliance Virtual Environments access control and with Trend's Deep auditing - for vBlock Security product HyTrust provides HyTrust reporting and HyTrust is part of Intel's HyTrust event reporting and native integration with controls being integrated trusted cloud architecture TXT integration being SecurID and enVision with Symantec CCS based on TXT integrated with McAfee ePO © 2012, HyTrust, Inc. www.hytrust.com 7
  • 8. Virtualize More With HyTrust   Admin compliance and controls essential for mission critical workloads   Capabilities not available from the virtual infrastructure   Granular, audit-quality administration logs   Granular, consistent privileged user and VM control policies   Multi-tenancy logical segmentation   Trusted by market leaders   Key component of major partners’ solutions © 2012, HyTrust, Inc. www.hytrust.com 8
  • 9. NIST Special Publication (SP) 800-125 Guide To Security for Full Virtualization Technologies Recommendations of the National Institute of Standards and Technology Tim Grance Senior Computer Scientist in the Computer Security Division 1975 W. El Camino Real, Suite 203, Mountain View, CA 94040 Phone: 650-681-8100 / email: info@hytrust.com 9
  • 10. Disclaimer Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.
  • 11. Agenda
      • What is SP 800-125
      • Why virtualization
      • Full virtualization
      • Security concerns
      • Recommendations for Security for full virtualization technologies
      • Summary
      • Questions and answers
      • Resources
  • 12. SP 800-125
      • Full Virtualization technologies
      • Server and desktop virtualization
      • Security threats
      • Security recommendations for protecting full virtualization
  • 13. Why Virtualization?
      • Reduce hardware footprint
      • More efficiency
      • Reduce energy, operations, and maintenance costs, e.g., disaster recovery, dynamic workload, security benefits, etc.
      • Consolidation
  • 14. Forms of Virtualization
      • Simulated environment
      • Does not cover OS and application virtualization
      • Full virtualization – CPU, storage, network, display, etc.
      • Hypervisor and host OS
      • Virtual Machine (VM) – Guest OS
          • Isolated
          • Encapsulated
          • Portable
  • 15. Full Virtualization
      • Bare metal virtualization
      • Hosted virtualization
      • Server virtualization
      • Desktop virtualization
  • 16. Virtualization and Security Concerns
      • Additional layers of technology
      • Many systems on a physical system
      • Sharing pool of resources
      • Lack of visibility
      • Dynamic environment
      • May increase the attack surface
  • 17. Recommendations for Security for Full Virtualization Technologies
      • Risk based approach
      • Secure all elements of a full virtualization solution and perform continuous monitoring
      • Restrict and protect administrator access to the virtualization solution
      • Ensure that the hypervisor is properly secured
      • Carefully plan the security for a full virtualization solution before installing, configuring, and deploying it
  • 18. Summary of Threats and Countermeasures
      • Intra-guest vulnerabilities
          • Hypervisor partitioning
      • Lack of visibility in the guest OS
          • Hypervisor instrumentation and monitoring
      • Hypervisor management
          • Protect management interface, patch management, secure configuration
      • Virtual workload security
          • Management of the guest OS, applications, data protection, patch management, secure configuration, etc.
      • Virtualized infrastructure exposure
          • Manage access control to the hardware, hypervisors, network, storage, etc.
  • 19. Resources
      • Presidential Memorandum, June 10, 2010, Disposing of Unneeded Federal Real Estate, is available on the following Web page: http://www.whitehouse.gov/the-press-office/presidential-memorandum-disposing-unneeded-federal-real-estate
      • NIST publications that provide information and guidance on planning, implementing and managing information system security and protecting information include:
          • Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems
          • NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
          • NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations
          • NIST SP 800-61 Revision 1, Computer Security Incident Handling Guide
          • NIST SP 800-64 Revision 2, Security Considerations in the System Development Life Cycle
          • NIST SP 800-88, Guidelines for Media Sanitization
          • NIST SP 800-115, Technical Guide to Information Security Testing and Assessment
          • NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
      • For information about these NIST standards and guidelines, as well as other security-related publications, see NIST’s Web page http://csrc.nist.gov/publications/index.html
  • 20. HyTrust Fills Critical Platform Access Gaps
      • Virtualization Platform Gap: Multiple administrators can log into hosts anonymously by sharing a root account
        HyTrust Solution: Uses root password vaulting (check-in/out) to ensure admins are individually accountable
      • Virtualization Platform Gap: An admin can bypass vCenter access controls and logging by connecting directly to hosts
        HyTrust Solution: Controls and logs access via any connection method, creating accountability
      • Virtualization Platform Gap: An admin can access another organization’s virtualized workloads in multi-tenant environments
        HyTrust Solution: Ensures that admins can only access their own organization’s data and applications, enabling secure multi-tenancy
      • Virtualization Platform Gap: Platform allows access via default password or compromised admin password
        HyTrust Solution: Prevents use of default passwords and supports multi-factor authentication to stop unauthorized access
      • Virtualization Platform Gap: A current or terminated admin can connect to the platform undetected using a backdoor account
        HyTrust Solution: Controls and logs access to every admin account, preventing major security breaches
  • 21. HyTrust Fills Critical Platform Authorization Gaps
      • Virtualization Platform Gap: An administrator can shut down any virtualized application or switch
        HyTrust Solution: Protects business continuity by controlling what resources an admin can manage
      • Virtualization Platform Gap: An admin can create unapproved VMs, with negative operations or compliance impacts
        HyTrust Solution: Prevents damaging outcomes by controlling VM creation privileges
      • Virtualization Platform Gap: An admin can disable security such as virtualized firewalls and antivirus
        HyTrust Solution: Preserves security by blocking unapproved shutdowns of virtual security measures
      • Virtualization Platform Gap: An admin can copy sensitive data from a VM to external storage
        HyTrust Solution: Keeps sensitive data confidential by applying controls to virtual resources
      • Virtualization Platform Gap: An admin can replace a critical VM with a compromised copy while leaving no tracks
        HyTrust Solution: Exposes tampering by creating a permanent, unchangeable record of every operation
      • Virtualization Platform Gap: An admin can move a low trust virtualized workload to a high trust server or virtual subnet, and vice versa
        HyTrust Solution: Mitigates security and compliance risks by preventing mixing of trust levels
  • 22. HyTrust Fills Critical Log Data Gaps
      • Log Data Provider: Virtualization Platform
          • Data for Allowed Operation (example): User: root; Time/date; Target resource name, server URL; Operation executed
          • Data for Denied Operation (example): none
          • Usability and Productivity: Separate log files for vCenter and each host; Different log formats for vCenter vs. hosts
      • Log Data Provider: HyTrust
          • Data for Allowed Operation (example): All of the above, plus: User ID; Source IP address; Resource reconfigured; Previous resource state; New resource state; Label (Production); Required privileges; Evaluated rules/constraints
          • Data for Denied Operation (example): User ID; Date/time; Source IP address; Operation requested; Operation denial; Target resource name, IP address, port, and protocol; Required privileges; Missing privileges; Evaluated rules/constraints
          • Usability and Productivity: Consolidated, centrally managed logs covering vCenter and all hosts; Single, uniform format for combined vCenter and host log data; Logs sent to central repository or SIEM via syslog
  • 23. HyTrust In Action – Live Demo
  • 24. HyTrust is a Critical Component in Virtualizing Mission-Critical Applications
      • Visibility
          • Authentication
          • Logging
      • Control
          • Role-Based Access Control
          • Policy
      • Validation
          • Configuration Assessment & Remediation
  • 25. Thank You! Questions and Answers