Vision 2013 - Security Services and the SDDC
Download
Report
Transcript Vision 2013 - Security Services and the SDDC
New Directions for Security Services and
the Software Defined Data Center
Chip Epps
Jeremiah Cornelius
Symantec
Product Manager,
Data Center Security & Compliance
VMware
Alliances Partner Architect
IL B06 Apr 16, 2013 2:30pm to 3:30pm
1
Agenda
Why the “Software-Defined Data Center”
Vision for Security Service Model in SDDC
Designing Security Services for the SDDC
Symantec and Software Defined Security
Where is the SDDC and When is the Future?
Q&A
SYMANTEC VISION 2013
The Virtualization Path – Continue the Journey
Following economic benefit
Cost
Software-Defined Data Center
Agility
Governance
Capex Savings
Thru
Consolidation
Opex Saving
Thru
Automation
Game Change
Thru
Self-Service
Abstract. Pool.
Automate.
Empower.
IT Production
Business
Production
IT as a Service
SYMANTEC VISION 2013
3
IT Pressures – a Constant Over the Decades
“Are you getting the
maximum efficiency
out of your
infrastructure?”
“How quickly can IT
respond to LOB
requests?”
• Legislative Compliance
• Risk Reduction – SLAs & Business Continuity
• Security – Corp Assets & IP
SYMANTEC VISION 2013
Virtualization Architects Are Asking For Security
Rethink
AND
80% PV
VCLOUD
AND
NO
NO
SYMANTEC VISION 2013
Adoption Has Enabled Agility
25%
60%
>90%
WEEKS
DAYS/
HOURS
MINUTES/
SECONDS
2008
2012
FUTURE
SYMANTEC VISION 2013
Driven by Infrastructure
Storage/
Availability
Servers
Networking
Security
Management/
Monitoring
VDC
SOFTWARE-DEFINED
DATACENTER SERVICES
WEEKS
DAYS/
HOURS
MINUTES/
SECONDS
2008
2012
FUTURE
SYMANTEC VISION 2013
SOFTWARE-DEFINED
DATACENTER
All infrastructure is virtualized and
delivered as a service, and the
control of this datacenter is
entirely automated by software.
Abstract.
Pool.
Automate.
SYMANTEC VISION 2013
Getting to The Software-Defined Data Center (SDDC)
Physical
Physical
SYMANTEC VISION 2013
Cloud
Operations
Symantec and the SDDC
Security and
Compliance
Solutions
MANAGEMENT
Storage &
Availability
Solutions
CLOUD INFRASTRUCTURE
EXTENSIBILITY
VMware vCloud Director
VMware vCloud
Automation Center
“At the endpoint
and beyond”
SOFTWARE-DEFINED
NETWORKING
&
Anti-virus
and Malware
SECURITY
VMware vCenter
Operations
Mngmnt. Suite
Virtual Server
Hardening (vSphere)
VMware vCloud
Data
Loss Prevention
Networking
&
Security
Threat Correlation
Content Filtering
VMware vFabric
Application
Director
“Always on, always
available”
SOFTWARE-DEFINED
VMware vCloud
APIs
STORAGE &
Backup
& Recovery
AVAILABILITY
High Availability
Application
Availability
VMware
vCenter
Site Recovery
Clustering
Manager
Archiving
Storage Management
Legal & Regulatory
VIRTUALIZATION
and Reporting
Compliance
Dynamic Multi-pathing
VMware vSphere
Managed Security
Physical Infrastructure
(Server, Storage, Network)
SYMANTEC VISION 2013
VMware vCloud
Connector
VMware vCenter
Orchestrator
Agenda
Why the “Software-Defined Data Center”
Vision for Security Service Model in SDDC
Designing Security Services for the SDDC
Symantec and Software Defined Security
Where is the SDDC and When is the Future?
Q&A
SYMANTEC VISION 2013
Provisioning Services for Virtualization is Still be Slow
and Costly
VLAN
networks
Firewall
Load
Balancer
IDS,
security,
monitoring
Availability
Creating the VM is fast but still have to wait for networking and security
SYMANTEC VISION 2013
Challenge: Make security policies actionable,
repeatable across environments
Our customers struggles to deliver actionable and repeatable security
services, and rules configuration - within and across dev/test and
production environments.
From whiteboard…
…to Visio diagrams…
Both are….
Actionable
Repeatable
SYMANTEC VISION 2013
What if a Software Defined Data Center made it
possible…
WEB_APP_FILTER
SYMANTEC VISION 2013
Automate Service Provisioning and Service Availability
Service Provisioning
Partner A:
vCenter/vCloud/vCAC
vCNS Manager
Partner B: Application Filter
Includes VMware security services
Partner C: Vulnerability Assessment
Includes partner services
PartnerManagement
Management
Partner
Partner Management
Console
Console
Console
• All network and security categories
• Multi-vendor support
Health Monitoring
Monitor, ensure availability of services
Separation of Duties
Role for service provisioning is separate from
vCenter VI Admin permissions
Includes roles for Security Admin, Audit
Cluster level SLAs
Policy and consistency
SYMANTEC VISION 2013
Customer Scenario: Enclaves, Sub-enclaves and
Remediation Zones
“Datacenter” (within a VC) is carved up into
groups based on business function
Each group is bound to a firewall service
Firewall service configured to deny/permit access
to shared services or other groups
VMs are placed in respective groups and are
Security Groups - map to business function; empty or
prepopulated w/ VMs
Security Policy Object – includes firewall service
VMs are placed in respective groups – as in example
Groups can be nested and policies are inherited
protected based on services, rules for these
groups.
SYMANTEC VISION 2013
SDDC Solution - Security Services Provisioning
Automation
Services can be grouped into
Policy Templates (Gold,
Database, SharePoint, etc.)
“Database”
VM “X”
Database Security Policy
Policy Templates are then
“Database
”
VM “X”
“Share Point”
vApp “Y”
Share Point Security
Policy
Security Groups can be
“Database
”
nested, and policies can be
inherited
VM “X”
“ERP Application”
vApp “Y”
“HR Department”
applied to workloads
organized into Security
Groups at various levels
(VMs, Apps and Groups,
etc.)
“Gold” Security Policy
vDC “Z”
SYMANTEC VISION 2013
SDDC Solution - Extend Platform to Best of Breed Services
Properties of virtual services:
• Programmatic provisioning
• Place any workload anywhere
• Move any workload anywhere
• Decoupled from hardware
• Operationally efficient
Partners provide best of breed services in these
categories:
Anti-Virus (AV), Anti-Malware
Application Delivery Controller (ADC)
Application Whitelisting
Application Firewall
Data Loss Prevention (DLP)
Encryption
File Integrity Monitoring (FIM)
Firewall (Host/Network)
Identity and Access Management
Intrusion Detection/Prevention System (IDS/IPS)
Load Balancer
Network Forensics
Network Gateway (VXLAN)
Network Port Profile
Policy and Compliance Solution
Security Intelligence and Event Management (SIEM)
User Access Control (closest to our SAM)
Vulnerability Management
WAN Optimizer
Web Filter
SYMANTEC VISION 2013
Agenda
Why the “Software-Defined Data Center”
Vision for Security Service Model in SDDC
Designing Security Services for the SDDC
Symantec and Software Defined Security
Where is the SDDC and When is the Future?
Q&A
SYMANTEC VISION 2013
Preservation of Elasticity and Motion
– continuity, present
• Security needs to expand and contract quickly
• Security must adapt to movement
• WHY:
– Can’t break promise of virtualization and the SDDC, i.e. elasticity, HA, etc.
Subsequently, workloads can be brought into service or moved onto any
piece of hardware instantly
– E.g. Security should have awareness of every workload, regardless of
which host and SVA it runs on, in case a VM should appear within an
SVA’s realm of protection… global policy and content
SYMANTEC VISION 2013
20
Single System View
– efficient, responsive
• Security is implemented from a “leveraged” position
– Admin sees the “logical” system defined by VMware
• Security overcomes abstraction and removes
complexity
– Simplifies management
• Security is “symmetrical”
– Security is retained regardless of underlying infrastructure
• WHY:
– Services layer is highly abstracted from Infrastructure
– E.g. Security should focus on the logical nature of the infrastructure, and
not necessarily on the physical infrastructure (hosts & SVAs)
SYMANTEC VISION 2013
21
Admin’s View
From this Lens…
To this Lens
Host-1
VM
VDC- PCI Servers
VM
VM
vApp
vApp
Host-2
VM
VM
VDC- Dev Servers
Host-3
vApp
VM
vApp
VM
VM
SYMANTEC VISION 2013
22
System View
VM
VM
SVA
SVA
VM
VM
Security
Manager
vCenter
VM
VM
SVA
VM
SVA
VM
SYMANTEC VISION 2013
23
Deterministic
– consistent, compliant
• Security does no harm
– Shouldn’t contribute to problem or make things worse
• No surprises… resources, behavior, performance, etc.
– All SVAs running a consistent state
• WHY:
– Infrastructure is designed to be templated and repeatable, and security
should similarly fit into this model
– E.g. Security controls (instantiated via an SVA) should be the same, thus
predictable (same app, same sizing, same policies, same defs, same logs,
etc)
SYMANTEC VISION 2013
24
Preservation of Fault Zones
– resilient, available
• Security works under duress – takes care of itself
• Security separate from infrastructure
– If you take away the management console, system will continue to run, ie.
security will run indefinitely if no changes
– And visa versa: if security ecosystem has an issue, it won’t disrupt
operations
• WHY:
– Should infrastructure fail, security needs to function
– E.g. Each SVA should be self sustaining with a complete view of the world
(ie operate “headless”)
SYMANTEC VISION 2013
25
Agenda
Why the “Software-Defined Data Center”
Vision for Security Service Model in SDDC
Designing Security Services for the SDDC
Symantec and Software Defined Security
Where is the SDDC and When is the Future?
Q&A
SYMANTEC VISION 2013
What is “Data Center Protection”?
FINAL branding pending
Agent
Sandboxing +
Application
Whitelisting Controls
“Data Center
Protection
(DCP)”
SYMANTEC VISION 2013
Next Symantec Releases: Ferrari - Athens Overview
Today
Ferrari - Athens
Agented protection
Antimalware protection using
AV, IPS, Reputation, Behavioral
techniques
Symantec Endpoint
Protection
FINAL branding pending
“Data Center Protection”
Agentless
(Servers & VDI)
Critical Systems
Protection
Agent
(for Servers)
SYMANTEC VISION 2013
Agentless protection
via EPSEC (AV) & NetX
integration
(includes vCenter hardening
and ESXi host monitoring
resources of CSP)
Includes entitlement to
agentless & agented
protection (SEP & CSP)
28
New SDDC Use Case – Remediation Action
Registration
Symantec
Agentless
“DCP”
VMware
Infrastructure
3rd Party
Security
System
Events/Actions
*Symantec registers its threat protection security
services, e.g. Agentless AV--Provides following to VMware: location of “DCP”
Manager, pointers to AV and IDP SVA OVA’s, and
policy types/profile definitions)
*VMware defines Security Policies for Security Groups,
e.g.
-AV Detect Only policy for Normal group
-AV Clean policy for Quarantine group
*VMware provisions AV and IDP (IPS) SVAs to Host
*VMware assigns GVM X to Host
GVM X assigned to Normal group with
AV Detect policy
SYMANTEC VISION 2013
29
New SDDC Use Case – Remediation Action
Registration
Symantec
Agentless
“DCP”
VMware
Infrastructure
3rd Party
Security
System
Events/Actions
User of GVM X tries to execute Malware
*Symantec Agentless AV (SVA) security service on
Host detects Malware on GVM X via AV Detect Only
policy, and denies access
*Symantec Manager sets Security Tag for AV Detect
*VMware reassigns GVM X to group Quarantine
*Symantec AV SVA responds to policy change
associated with Quarantine group, and applies AV
Clean policy to GVM X, deletes Malware on
execute, and clears AV Detect Security Tag
*VMware restores GVM X to group Normal
GVM X assigned to Normal group with
AV Detect policy
SYMANTEC VISION 2013
30
Agenda
Why the “Software-Defined Data Center”
Vision for Security Service Model in SDDC
Designing Security Services for the SDDC
Symantec and Software Defined Security
Where is the SDDC and When is the Future?
Q&A
SYMANTEC VISION 2013
What is the Future?
• This began with vMotion…
• NSX Service Composer – 2013 Focus Areas
– Simplify service provisioning
– Make policies actionable and repeatable
– Enable Multi-Vendor, Multi-Discipline Conditional Workflows for Service Automation
• Unparalleled Integration for Symantec Solutions Serving the Software
Defined Data Center and Security Policy Automation with NSX
• Converged roadmaps for VMware protection of enterprise
• Coordinated releases for 2013- See Demos at VMworld
• Visit the VMware booth and the Symantec booth for more information
SYMANTEC VISION 2013
Agenda
Why the “Software-Defined Data Center”
Vision for Security Service Model in SDDC
Designing Security Services for the SDDC
Symantec and Software Defined Security
Where is the SDDC and When is the Future?
Q&A
SYMANTEC VISION 2013
Q&A
SYMANTEC VISION 2013
Thank You!
SYMANTEC VISION 2013
35