
1 Cloudy with a chance of security
Information security in virtual environments
Johan Celis, Security Solutions Architect EMEA, IBM

2 Virtualization – First Step in Journey to Cloud Computing

Virtualization:
- Better hardware utilization
- Improved IT agility
- Server consolidation
- Streamline operations: manage physical and virtual systems
- Lower power consumption

Cloud computing:
- Rapid deployment of infrastructure and applications
- Request-driven service management; service catalog
- Integrated service lifecycle management
- Expose resources "as-a-Service"
- Integrated security infrastructure
- Rapid provisioning of IT resources, massive scaling
- Dynamic service management
- Energy saving via automatic workload distribution

Speaker notes: In preparing my presentation for today and reviewing today's event agenda, it is clear that many are sold on the benefits of virtualisation, but many are also challenged by the move to a virtualised IT environment. There are numerous considerations on top of security: what the right systems are to support your virtualised environment, the steps to ensure the right level of resiliency, which workloads to optimise via virtualisation, and the operational model required to manage this new environment. Then, for those seeking the nirvana of cloud computing, virtualisation is only the first step of a transformational journey. All of this is outside the scope of my presentation today, but hopefully some further food for thought. Now let's focus on one of the key challenges: how to secure your virtualised environment.

3 Top Threats To Cloud Computing

- Abuse and nefarious use of cloud computing
- Insecure interfaces and APIs
- Malicious insiders
- Shared technology issues
- Data loss or leakage
- Account or service hijacking
- Unknown risk profile

4 Layers of a typical Cloud Service

Cloud Delivered Services:
- Application as a service (SaaS): application software licensed for use as a service, provided to customers on demand
- Platform as a service (PaaS): optimized middleware such as application servers, database servers and portal servers
- Infrastructure as a service (IaaS): virtualized servers, storage, networking

Cloud Platform:
- Business Support Services: offering management, customer management, ordering management, billing (workflow, reporting)
- Operational Support Services: infrastructure provisioning; instance, image and resource/asset management
- Virtualized Resources: virtual network, server, storage
- System Resources: network, server, storage
- Physical System and Environment

5 Cloud Security

The same layer diagram as slide 4 (cloud delivered services on top of the cloud platform), with the security requirements overlaid.

At the service layers (application, platform and infrastructure as a service):
- Secure integration with existing enterprise security infrastructure
- Federated identity / identity as a service
- Authorization, entitlements
- Log, audit and compliance reporting
- Intrusion prevention

At the cloud platform layers (business and operational support services, virtualized resources, system resources, physical system and environment):
- Process isolation, data segregation
- Control of privileged user access
- Provisioning with security and location constraints
- Image provenance, image and VM integrity
- Multi-tenant security services (identity, compliance reporting, etc.)
- Multi-tenant intrusion prevention
- Consistency top-to-bottom

6 Cloud Security = SOA Security + Virtualization Security

The same layer diagram as slide 4, split into two security domains:
- Service Oriented Architecture (SOA) Security covers the cloud delivered services: application as a service, platform as a service and infrastructure as a service.
- Virtualization Security covers the cloud platform: business and operational support services, virtualized resources (virtual network, server, storage), system resources (network, server, storage) and the physical system and environment.

7 Hypervisor Security Challenges – New Complexities

- Before virtualization: 1:1 ratio of OSs and applications per server
- After virtualization: 1:many ratio of OSs and applications per server; an additional layer to manage and secure

Speaker notes: Virtualization introduces a whole new set of complexities: new VMs can be instantly created and moved, and there are additional layers and multiple operating systems to manage. You go from a one-to-one relationship of operating systems and applications to a one-to-many relationship, where the physical boundaries between the systems are removed and there are hundreds if not thousands of VMs to track, configure, manage and secure.

8 Hypervisor Security Challenges – New Risks

- Virtual sprawl: dynamic VM state and relocation; VM stealing
- Management vulnerabilities: secure storage of VMs and the management data
- Resource sharing: single point of failure; reduced visibility and control
- Stealth rootkits in hardware now possible: virtual NICs and virtual hardware are targets

Speaker notes: Virtual servers are susceptible to several primary potential threat vectors:

VM-to-VM attack. An attacker who has successfully compromised a virtual machine might be able to attack other machines on the same host. A compromised VM might launch "ordinary" attacks through its network interfaces or, in theory, exploit weaknesses in the hypervisor's VM memory protections to inject code into the memory space of a neighboring VM.

VM stealing or VM escape. In this attack, malware brought into the guest environment seeks to break out of the guest VM to subvert, attack, or take over the hypervisor. This is also known as "hyperjacking." Most vulnerability research on virtualization has focused on guest VM escapes. One IT manager Forrester spoke to noted: "If the guest OS gets compromised, a very intelligent criminal has access to the whole virtual server." This potential exposure is one of the reasons many organizations have been slow to adopt virtualization broadly.

Malicious hypervisor that attacks its hosted VMs. In theory, an attacker who was able to subvert a running hypervisor would be able to monitor all network traffic from or to child VMs, inject code or interfere with application execution, subvert guest OS kernels, or snoop on sensitive guest OS memory locations such as key operations.

Management vulnerabilities. Operating from outside the hypervisor host, an external attacker exploits operational mistakes or technical weaknesses in the external network interfaces of the host, such as an administrative listening port or shared storage interface. The agent of attack could be, for example, customized malware that scans for and compromises potentially vulnerable hypervisor hosts.

VM sprawl.

An attacker impersonates a migration target host and coerces the VM to migrate to it rather than the intended target. Techniques such as ARP spoofing, for example, form part of the strategy for this type of attack. After coercing the VM into migrating to it, the impersonator then controls its execution.

9 Security Challenges – OS & Application Vulnerabilities

- OS and application vulnerabilities and exposures do not change in the virtual world!
- Traditional threats remain as long as VMs communicate with the network, virtual or physical: worms, rootkits, trojans, DoS, SQL injection, cross-site scripting
- Virtual machine state changes (online, offline, snapshots) and cloning can obsolete patching processes

Speaker notes: This slide reiterates that the existing security concerns do not go away when a workload is virtualized. Operating systems and applications still have the same vulnerabilities (buffer overflows, SQL injection, DoS, etc.). What virtualization adds is the ability for a virtual server to rapidly change state. For example, the security team may have verified that a particular workload has the latest patches, proper security settings, etc., but in a matter of seconds that workload could be reverted to an insecure state using a feature such as VMware's snapshot. Offline virtual servers also represent a challenge in that they may be missed when assessments are performed or security controls are implemented. As such, those virtual servers can come online in an insecure state and represent a risk to the network or other systems.

10 Security Challenges – Security & Network Convergence

Speaker notes: One of the most significant technical and organizational challenges that server virtualization brings to the table is the introduction of the virtual network. Organizationally, the separation of duties between server owners and network owners must stay intact even though the virtual network now resides inside the server. Blurring the line between these groups could result in security and/or compliance-related issues. From the security perspective, blind spots are created because virtual servers can now communicate with each other without any connection to the physical world. This reduces the effectiveness of existing intrusion prevention devices as well as discovery and vulnerability management tools and processes. Again, it is the hosts that you don't know about that represent the most danger to the network and other systems.

Inter-VM communication (communication between virtual servers through a virtual switch) is a significant issue. Unless all network traffic is routed outside of the physical server, which is impractical at best, malicious activity or policy violations cannot be stopped. It has been argued that this is no different from physical servers communicating through a physical switch. That is true, and it is precisely why a layered approach with network IPS and host IPS is recommended. The host IPS is based in the virtual servers, so all network traffic to and from that virtual server is analyzed. There are limitations to even this solution; more on that later.

11 Security Challenges – Compliance

Best practices for security compliance in a virtualized environment:
- Configuration and change management processes should be extended to encompass the virtual infrastructure
- Maintain separate administrative access control even though server, network and security infrastructure is now consolidated
- Provide virtual machine and virtual network security segmentation
- Maintain virtual audit logging

Speaker notes: Confidential data can be compromised. Because there is no way to monitor traffic flow between virtual servers sharing the same physical server, there is no way to tell whether confidential or legally protected data (such as medical records or credit card numbers) has been compromised. This level of exposure can lead to an organization being out of compliance. Therefore, organizations need to ensure that while they are gaining all of the efficiencies brought on by virtualization, they don't risk falling out of compliance and failing an audit. These are the virtualization security best practices from the RSA security brief on how to maintain security in a virtual world: the same processes should extend to the virtual infrastructure, separate administrative controls must be maintained although many functions are now consolidated, VM and virtual network security segmentation must be provided, and clients must maintain virtual audit logging. All of these requirements, although necessary, can add significant cost and complexity to a data center operation.

*Source: RSA Security Brief: Security Compliance in a Virtual World

12 Traditional Security Solutions May Add Cost And Complexity

Seems secure … / … not secure enough:
- Network IPS: only blocks threats and attacks at the perimeter / should protect against threats at the perimeter and between VMs
- Server protection: secures each physical server with protection and reporting for a single agent / securing each VM as if it were a physical server adds time and cost
- System patching: patches critical vulnerabilities on individual servers and networks / needs to track, patch and control VM sprawl
- Security policies: policies are specific to critical applications in each network segment and server / policies must be more encompassing (Web, data, OS coverage, databases) and be able to move with the VMs

Speaker notes: In a recent analyst report, it was noted that special features of virtualization add new vulnerabilities to IT infrastructure. Without modification, physical-world security tools are poorly equipped to handle these threats. [451 Group] Why? Because you can use physical or traditional security solutions for your virtual data center, which is what many clients are doing today, but you will leave many areas exposed to risk, which can lead not only to security breaches and loss of data and information but also to your organization being non-compliant.

For example, traditional intrusion detection won't work on virtual servers. Intrusion detection (and intrusion prevention) generally functions by monitoring network traffic and raising a red flag if there is a traffic spike or a type of traffic not explained by legitimate operations. But because there is no way to monitor traffic between virtual servers on one physical host, you can't count on them to alert you to a security breach in a virtual server. Malware can spread among virtual servers. With traditional intrusion detection blind to activity between virtual servers, it is easy for a virus or other malignant software to spread from one virtual server to another. Beyond that, virtualization is often used in conjunction with clustering that moves data and applications among two or more servers. Therefore, virtual data centers need security that can monitor and protect the traffic on and between each VM. Traditional security simply cannot fill this role.

A system admin can manually track and patch each VM, but think about the time and resources it takes to do this. This task alone can reduce the savings gained from virtualization.

13 IBM Virtualization Security Solutions

- Existing solutions certified for protection of virtual workloads
- Threat protection delivered in a virtual form factor
- Integrated virtual environment-aware threat protection

Speaker notes: IBM ISS brings comprehensive, end-to-end security to virtualization, enabling you to more quickly realize the benefits of virtualization technology with: virtual environment ready solutions, which are existing solutions certified for protection of virtual workloads; virtual appliances, which are threat protection delivered in a virtual form factor; and virtual infrastructure protection, which is integrated virtual environment-aware threat protection and is what we are here to discuss today with the Virtual Server Security for VMware launch.

Products:
- IBM Security Server IPS
- IBM Security Network IPS
- IBM Security Network Mail Security
- IBM Security Network MFS
- IBM Security Virtualized Network Security
- IBM Security Virtual Server Protection for VMware

14 What is VMsafe API?

- CPU and memory inspection
- Networking
- Storage
- Security VM (SVM)
- VMsafe API

15 IBM Security Virtual Server Protection for VMware

Integrated threat protection for VMware vSphere 4. IBM Security Virtual Server Protection with VMsafe integration provides:
- Firewall and intrusion prevention
- Rootkit detection/prevention
- Inter-VM traffic analysis
- Automated protection for mobile VMs (VMotion)
- Virtual network segment protection
- Virtual network-level protection
- Virtual infrastructure auditing (privileged user)
- Virtual network access control

Speaker notes: IBM Virtual Server Security for VMware is an integrated software product in a virtual appliance form factor. It is integrated with the VMsafe initiative within the new vSphere 4 release from VMware and gives us a hypervisor-level view into security. We are providing the same intrusion prevention system and protocol analysis engine we use in the rest of our IBM ISS IPS products. By being integrated into the hypervisor, VSS for VMware captures information between VMs without requiring any changes to the virtual network itself. This offers a true plug-and-play connection, which is the automated protection expertise. The product also provides firewall technologies for critical network-level access control, specifically designed to prevent virtual server sprawl. In conjunction with IBM X-Force research, and using the VMsafe APIs, we detect known rootkits by their signatures or fingerprints (a blacklist approach) to alert users to malware in the system without any presence in the guest operating system. Our virtual infrastructure auditing ties into regulatory compliance initiatives to make sure there is a holistic view of the infrastructure to report on privileged user activities. We can also report on virtual network changes and on new VMs created, suspended and moved from one layer to another.

As we originally promised to the industry, we are the first to market to incorporate our intrusion prevention technology and X-Force capabilities into true virtual infrastructure protection in one product, providing our clients the flexibility to use physical network, host or virtual devices, all centrally managed through SiteProtector.

Some of the other features that I want to emphasize are:
- VM rootkit detection: virtualization-based rootkits are particularly worrying because they can expose the hypervisor to malware that conceals itself from traditional security tools. IBM VSS for VMware transparently inspects VMs to detect installation of rootkits, a key differentiator for IBM vs. competitive products.
- Automatic discovery: virtual servers operate in a dynamic state, which can render traditional security technology ineffective. With VSS for VMware, the security virtual machine (SVM) can perform automatic discovery of all virtual machines. This helps increase security awareness and visibility across the virtual environment.
- IBM Virtual Patch technology: automatically protects vulnerabilities on virtual servers regardless of patch strategy.
- Web application protection: offers proactive Web application, Web 2.0 and database protection to limit potential business interruptions and exposures.

The IBM Proventia® Management SiteProtector™ system offers a simpler, cost-effective way to manage security solutions and ease regulatory compliance by providing a central management point to control security policy, analysis, alerting and reporting for your business, and is supported on VMware ESX. It is designed for simplicity and flexibility, and can provide centralized configuration, management, analysis and reporting for the full IBM ISS Proventia product family. This is a key differentiator for IBM vs. competitive offerings.

We provide all of the features that I mentioned in this one software solution, whereas competitive products have only some of these features, or it takes several modules to provide only some of what we provide in one product. Imagine the headaches and hassles of trying to maintain all of those different modules. With Virtual Server Security for VMware, we provide easy-to-deploy, easy-to-maintain, in-depth security.

VMware VMsafe provides a unique capability for virtualized environments through an application program interface (API)-sharing program that enables select partners to develop security products for VMware environments. The result is an open approach to security that provides customers with the most secure platform on which to virtualize their business-critical applications.

- Intrusion prevention and firewall: Virtual Server Security for VMware provides market-leading IPS and firewall technology to protect the virtual data center in a solution that is purpose-built to protect the virtual environment at the core of the infrastructure.
- Inter-VM traffic analysis: while traditional host and network intrusion prevention systems do not have visibility into traffic between VMs, VSS for VMware monitors traffic between virtual servers to stop threats before impact.
- Virtual network access control: VSS for VMware performs virtual network access control to quarantine or limit network access from a virtual server until the VM's security posture has been confirmed.
- Virtual infrastructure auditing: VSS for VMware reports on privileged user activity such as VMotion events, VM state changes (start, stop, pause) and login activity, which can reduce the preparation time required to support audits.

Pricing
Product:
- $4, SVPV-BASE-1-P: license for 2 processors
- $1, SVPV-ADD-1-P: license for an additional 2 processors
Maintenance:
- $ SVPV-BASE-1-P-M: for 2 processors
- $ SVPV-ADD-1-P-M: for an additional 2 processors
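The state-tracking problem from slide 9 (snapshot reverts and offline VMs silently invalidating a patch assessment) and the auditing and network access control features listed above, as an added Python example that is not part of the presentation and not IBM's product code: it replays a constructed audit trail, clears a VM's verified posture on events that can change it behind the security team's back, keeps such VMs quarantined until re-assessed, and produces the privileged-user activity view. The event names and fields are invented for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

@dataclass
class VMState:
    name: str
    powered_on: bool = False
    verified_at: Optional[datetime] = None  # last passed security assessment
    quarantined: bool = True                # restricted network access until verified
    history: List[Tuple[datetime, str, str]] = field(default_factory=list)

# Events after which an earlier assessment result can no longer be trusted: a
# snapshot revert can bring back an unpatched state, a power-on returns a VM the
# assessments may have skipped while offline, a migration moves it to a new host.
POSTURE_RESET = {"snapshot.revert", "vm.poweron", "vm.migrate"}

def apply_event(vms: Dict[str, VMState], ev: dict) -> None:
    """Update one VM's tracked state from a single audit event (constructed schema)."""
    vm = vms.setdefault(ev["vm"], VMState(ev["vm"]))
    kind = ev["event"]
    ts = datetime.fromisoformat(ev["ts"])
    vm.history.append((ts, kind, ev.get("user", "-")))
    if kind == "vm.poweron":
        vm.powered_on = True
    elif kind == "vm.poweroff":
        vm.powered_on = False
    elif kind == "assessment.pass":
        vm.verified_at = ts
        vm.quarantined = False
    if kind in POSTURE_RESET:        # not elif: a power-on both marks online and resets
        vm.verified_at = None
        vm.quarantined = True

def process(events: List[dict]) -> Dict[str, VMState]:
    vms: Dict[str, VMState] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort as text
        apply_event(vms, ev)
    return vms

def needs_attention(vms: Dict[str, VMState]) -> Tuple[List[str], List[str]]:
    """Online VMs with no valid assessment (kept quarantined until re-assessed),
    and offline VMs that the next assessment run must not forget."""
    online_unverified = sorted(n for n, v in vms.items() if v.powered_on and v.verified_at is None)
    offline = sorted(n for n, v in vms.items() if not v.powered_on)
    return online_unverified, offline

def privileged_activity(vms: Dict[str, VMState]) -> List[Tuple[str, str, str, str]]:
    """Audit rows (time, user, action, VM) for events carrying a user: the kind of
    privileged-user reporting (VMotion, state changes) the slide describes."""
    rows = [(ts.isoformat(), user, kind, v.name)
            for v in vms.values() for ts, kind, user in v.history if user != "-"]
    return sorted(rows)

# Constructed sample audit trail (not real product output).
SAMPLE_EVENTS = [
    {"ts": "2010-05-01T08:00:00", "event": "vm.poweron", "vm": "web01", "user": "admin1"},
    {"ts": "2010-05-01T08:05:00", "event": "assessment.pass", "vm": "web01"},
    {"ts": "2010-05-01T08:06:00", "event": "vm.poweron", "vm": "db01", "user": "admin1"},
    {"ts": "2010-05-01T08:10:00", "event": "assessment.pass", "vm": "db01"},
    {"ts": "2010-05-01T08:12:00", "event": "vm.poweron", "vm": "app01", "user": "admin1"},
    {"ts": "2010-05-01T08:20:00", "event": "assessment.pass", "vm": "app01"},
    {"ts": "2010-05-01T09:00:00", "event": "snapshot.revert", "vm": "web01", "user": "admin2"},
    {"ts": "2010-05-01T09:30:00", "event": "vm.poweroff", "vm": "db01", "user": "admin1"},
    {"ts": "2010-05-01T10:00:00", "event": "vm.migrate", "vm": "app01", "user": "admin2"},
]

if __name__ == "__main__":
    state = process(SAMPLE_EVENTS)
    unverified, offline = needs_attention(state)
    print("re-assess before release from quarantine:", unverified)
    print("offline, include in next assessment run:", offline)
```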

16 IBM Security Virtual Server Protection for VMware – Intrusion Prevention System (IPS)

- Vulnerability-centric, protocol-aware analysis and protection
- Abstraction from underlying network configuration
- Automated protection for new VMs
- Network-level workload segmentation
- Privileged-level protection of OS kernel structures

17 IBM Security Virtual Server Protection for VMware – IPS Protocol Analysis Module (PAM)

- Performs deep packet inspection
- Performs deep protocol and content analysis
- Detects protocol and content anomalies
- Simulates the protocol/content stacks in vulnerable systems
- Normalizes at each protocol and content layer
- Provides the ability to add new security functionality within the existing solution

Speaker notes: We originally designed our network protection core technology to enable security convergence. Our Protocol Analysis Module (PAM for short) is the protection engine at the heart of our solution and enables the modular approach to network protection that we deliver. PAM, along with the deep packet inspection it performs, provides the strong protection you need to stop attacks. PAM's core abilities are among the most advanced and in-depth when it comes to blocking network threats. Its design also enables us to shim in new security technology and functionality as threats evolve. In fact, PAM is constantly evolving to meet the challenges of security threats, because our X-Force research and development team regularly (and automatically) infuses PAM with new security intelligence, so we are constantly adding protocols, data file formats and techniques to prevent attacks. An investment in our network protection solution (really an investment in PAM) is designed to provide long-term strategic security value: instead of having to roll out new security technology to meet new threats, we deliver the functionality you need behind the scenes via automatic content updates to PAM. You still have only one management console, which alleviates the burden that multiple vendors and point solutions impose on your IT staff.

18 Protocol Analysis Module – Virtual Patch® Technology

- Shielding a vulnerability from exploitation independent of a software patch
- Enables a responsible patch management process that can be adhered to without fear of a breach
- IBM is a MAPP (Microsoft Active Protections Program) partner
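How normalize-then-match shields a vulnerability independently of a patch, as an added Python example that is neither IBM's PAM nor the product's rule format: an inspector that decodes and canonicalizes the request path the way a permissive server stack would before applying a rule (the "simulate the vulnerable stack, then normalize" idea from the previous slide), beside a naive literal match that encoding differences slip past. The rule id, the application weakness it shields (mishandling of paths that escape the web root) and the request lines are all constructed for this example.

```python
from urllib.parse import unquote
from typing import Callable, List, Optional, Tuple

def normalize_path(target: str, max_decode: int = 2) -> str:
    """See the target as a permissive server would: drop the query string,
    percent-decode repeatedly (covers double encoding; bounded so crafted input
    cannot loop forever) and unify path separators."""
    path = target.split("?", 1)[0]
    for _ in range(max_decode):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def escapes_root(path: str) -> bool:
    """True if '..' segments take the path above the web root at any point."""
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False

# Virtual-patch rules: (rule id, description, predicate over the normalized path).
# The rule id is a placeholder, not a real signature identifier.
RULES: List[Tuple[str, str, Callable[[str], bool]]] = [
    ("VP-EXAMPLE-001", "request path escapes web root", escapes_root),
]

def inspect(request_line: str) -> Tuple[str, Optional[str]]:
    """Normalize, then match: returns ("BLOCK", rule_id) or ("ALLOW", None)."""
    parts = request_line.split(" ")
    if len(parts) != 3:                      # protocol anomaly: not a request line
        return ("BLOCK", "malformed-request-line")
    path = normalize_path(parts[1])
    for rule_id, _desc, predicate in RULES:
        if predicate(path):
            return ("BLOCK", rule_id)
    return ("ALLOW", None)

def naive_inspect(request_line: str) -> Tuple[str, Optional[str]]:
    """The same intent applied to the raw line as a literal substring check,
    which both misses encoded forms and blocks harmless relative paths."""
    return ("BLOCK", "VP-EXAMPLE-001") if "../" in request_line else ("ALLOW", None)

# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /static/css/../main.css HTTP/1.1",
    "GET /static/../../outside-webroot.txt HTTP/1.1",
    "GET /static/%2e%2e/%2e%2e/outside-webroot.txt HTTP/1.1",
    "GET /static/%252e%252e/%252e%252e/outside-webroot.txt HTTP/1.1",
    "GET /static/..\\..\\outside-webroot.txt HTTP/1.1",
]

def compare() -> List[Tuple[str, str, str]]:
    """(request, naive verdict, normalizing verdict) for each sample request."""
    return [(r, naive_inspect(r)[0], inspect(r)[0]) for r in SAMPLE_REQUESTS]

if __name__ == "__main__":
    for req, naive, normalized in compare():
        print(f"naive={naive:5} normalized={normalized:5} {req}")
```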

19 Why IBM?

IBM leads the industry in breadth and depth of security expertise with:
- 7,000,000,000+ security events managed daily
- 48,000+ vulnerabilities tracked in the IBM X-Force® research and development database
- 15,000 researchers, developers and subject matter experts on security initiatives
- 4,000+ customers managed in security operations centers around the world
- 3,000+ security and risk management patents
- 40+ years of proven success with security and virtualization on IBM Systems

20 Thank you! For more information, please visit: http://ibm.com/cloud
Johan Celis –

