Software-Defined Data Center: Security for the new battlefield
Rob Randell, CISSP, Director/Principal Architect Security, NSBU
April 2015
© 2015 VMware Inc. All rights reserved.

Where are we today?
The only thing outpacing security spend… is security losses.
(Chart: IT Spend, Security Spend, Security Breaches)
What does our battlefield look like today?
The data center
(Diagram, IT stack: Application Layer, Compute, Storage, Network)

Securing the data center: the security stack
- Network: FW, IDS/IPS, NGFW, WAF, AMP, UTM, DDoS
- Storage: Encryption, Key Management, Tokenization
- Compute: AV, HIPS, AMP, Encryption, Exec/Device Control
- Identity Controls: Advanced Authentication, SSO, Authorization, User Provisioning
- App/Database Controls: Vulnerability Management, Storage Security, Web Services Security, Secure OS

Security Policy
(Diagram: People, Applications, Data)

The changing battlefield
(Diagram: Monolithic Stack; Multi-tiered Distributed Architecture; Composed Services on Converged Infrastructure)
How do hackers take advantage of misalignment?
(Attack lifecycle diagram, steps 1-13)
1. Prep: Attack Vector R&D; Human Recon; Delivery Mechanism
2. Intrusion: Compromise Primary Entry Point; Install Command & Control I/F (Strain A active, Strain B dormant)
3. [stage title missing from extraction]: Escalate Privileges on Primary Entry Point; Lateral Movement Recon; Install C2 I/F; Wipe Tracks; Escalate Priv (Strain A active)
4. Recovery: Attack Identified; Response; Wake Up & Modify Next Dormant Strain (Strain A active, Strain B active, Strain C dormant, Strain D dormant)
5. Act on intent & Exfiltration: Attack Identified; Parcel & Obfuscate; Exfiltration; Cleanup
Modern attack: targeted, interactive, stealthy

Why is it so difficult to move security controls inside the datacenter? An architectural challenge.
(Diagram, "Shift to…": from perimeter-centric, managing compliance, stop infiltration; to application- and user-centric, managing risk. Today we lack the visibility and control to stop exfiltration.)

The Impact of Architecture
Distributed application architectures are comingled on a common infrastructure.
This creates a hyper-connected compute base with little context of how to connect the two layers,
resulting in massive misalignment:
1. Lateral Movement
2. Comingled Policy
3. Distributed Policy
4. Chain Alignment
5. Orchestration
6. Context
1. Lateral movement
Moving from asymmetry to symmetrical concerns inside the data center.
(Diagram: Perimeter Firewall; Inside Firewall; Composed Services on Converged Infrastructure; Entry Point; Data Breach)

2. Comingled policy
Converged infrastructure means many firewall policies for many comingled applications.
(Diagram: Perimeter firewall; Inside firewall; Composed Services on Converged Infrastructure; policy mixing across multiple apps; mis-aligned over time due to the above)

3. Distributed policy
Traversing the network could represent encountering 10,000+ policies.
(Diagram: Perimeter firewall; Inside firewall; Composed Services on Converged Infrastructure; Firewall #1: 100 rules; Firewall #2: 700 rules; Firewall #3: 900 rules. Inconsistent policies create misalignment.)

4. Chain alignment
Improper sequencing of controls leads to issues.
(Diagram: Perimeter firewall; Inside Firewall; Composed Services on Converged Infrastructure; Blue App; Green App)

5. Orchestration
Each security service is acting in a silo and not sharing state with the others.
(Diagram: Perimeter Firewall; Inside Firewall; Composed Services on Converged Infrastructure; Vulnerability Management; Antivirus; Next-gen Firewall; Intrusion Protection; Anti-malware)

6. Context
Poor handles for policy and analytics.
(Diagram: Perimeter firewall; Inside Firewall; Composed Services on Converged Infrastructure; End Point Agent; workloads identified only by addresses such as :00:02:A3:D1:3D and :00:03:A4:C2:4C)
Virtualization is the key: a ubiquitous abstraction layer between the applications and the infrastructure.

A traditional data center starts with compute capacity.
Then you network systems together. (Diagram: Internet)
Then you virtualize your compute.
And create "virtual data centers". (Diagram: Virtual Networks; Software Containers, Like VMs; Virtual Network Topology)
Micro-segmentation
More than a barrier: a policy primitive.
- Assess: Capture and expose application structural context to policy management (how do things connect together). Demonstrate the security posture of a service, in any state into which it may be driven (understand security posture).
- Align: Align investment to risk—align controls to what they are protecting and to each other. Align candidate mitigations/remediation across an application topology.
- Isolate: Compartmentalize the environment so a breach of one thing isn't a breach of everything. Provide a mechanism for structuring the right controls at the right position in the app topology.

Take those comingled distributed applications…
(Diagram: App; Services; DB; DMZ; shared infrastructure services AD, NTP, DHCP, DNS, CERT)

And you can create a zero trust model, and align your controls to what you are protecting.
(Diagram: Isolation; Explicit Allow Comm.; Secure Communications; Structured Secure Comms.; inline controls NGFW, IPS, NGFW, IPS, WAF)
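As an added illustration of the zero trust model above (example code written for this page, not VMware's or NSX's), the snippet below labels each workload with its application tier, keeps an explicit allow-list of flows derived from the DMZ → App → Services → DB topology plus shared infrastructure services, and denies everything else, so a lateral move from a compromised DMZ host straight to the DB is refused even though both sit on the same converged infrastructure. Each allowed flow also records the ordered chain of inline controls attached to it. Tier names, ports and control chains are assumptions.

```python
"""Toy micro-segmentation policy: explicit allow-list keyed on application
tier, default deny, with an ordered control chain per allowed flow.
Workloads, tiers, ports and controls are constructed for this example."""
from dataclasses import dataclass

# Constructed inventory: workload name -> tier label (the handle policy keys on,
# instead of an IP or MAC address)
WORKLOADS = {
    "web-01": "DMZ", "web-02": "DMZ",
    "app-01": "App", "svc-01": "Services", "db-01": "DB",
    "dns-01": "Infra", "ntp-01": "Infra", "ad-01": "Infra",
}

@dataclass(frozen=True)
class Rule:
    src: str         # source tier, or "*" for any tier
    dst: str         # destination tier
    port: int        # destination port
    controls: tuple  # inline services on this flow, in the order traffic hits them

# Explicit allow-list aligned to the application topology; anything not
# matched below is denied, including traffic between hosts of the same tier.
POLICY = (
    Rule("Internet", "DMZ", 443, ("NGFW", "IPS", "WAF")),
    Rule("DMZ", "App", 8443, ("NGFW", "IPS")),
    Rule("App", "Services", 9000, ("NGFW", "IPS")),
    Rule("Services", "DB", 5432, ("NGFW",)),
    Rule("*", "Infra", 53, ()),   # DNS from any tier
    Rule("*", "Infra", 123, ()),  # NTP from any tier
)

def tier_of(name: str) -> str:
    """Resolve a workload (or the literal 'Internet') to its tier label."""
    return "Internet" if name == "Internet" else WORKLOADS.get(name, "Unknown")

def evaluate(src: str, dst: str, port: int):
    """Return (allowed, control_chain) for a flow; unmatched flows are denied."""
    s, d = tier_of(src), tier_of(dst)
    for r in POLICY:
        if r.src in (s, "*") and r.dst == d and r.port == port:
            return True, list(r.controls)
    return False, []

if __name__ == "__main__":
    for flow in [("web-01", "app-01", 8443), ("web-01", "db-01", 5432),
                 ("app-01", "dns-01", 53), ("web-02", "web-01", 22)]:
        print(flow, evaluate(*flow))
```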
Implementing Security in the Virtualization Layer
(Diagram of the security stack)
- Security Services Management: Security Service Insertion and Orchestration; Visibility, Provisioning, and Orchestration
- SOC: SIEM, Security Analytics, Forensics
- Governance/Compliance: Vul Management, Log Management, GRC, Posture Management, DLP
- Network: FW, IDS/IPS, NGFW, WAF, AMP, UTM, DDoS
- Storage: Encryption, Key Management, Tokenization
- Compute: AV, HIPS, AMP, Encryption, Exec/Device Control
- Security Infrastructure: Identity Controls (Advanced Authentication, SSO, Authorization, User Provisioning); App/Database Controls (Vulnerability Management, Storage Security, Web Services Security, Secure OS)
- Virtualization layer primitives: Isolation; Context

Virtualization: making your security controls better
1. Ubiquity: place controls everywhere
2. Context: visibility into app/user/data
3. Mitigation: leverage the I/F and the ecosystem
4. Isolation: protect your controls from attackers
5. Orchestration and state distribution
(Diagram: the same security stack as on the previous slide)

Summary
- We're experiencing a changing battlefield.
- We must re-align controls to what they are protecting.
- Virtualization/SDDC holds the key to solving this.
- The real value is not in simply looking at how to secure an SDDC, but in how you can leverage an SDDC to secure the things that matter.
Thank you