Enhancing the Software Defined Datacenter Danny Claproth Sr. Sales Engineer

Post on 11-Aug-2021

0 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Enhancing the Software Defined Datacenter2017/02/02  · • Scheduled - and Manual scanning of all your disks • Web-Reputation prevent hosts to access web content hosted on malicious

Enhancing the Software Defined Datacenter

Danny Claproth, Sr. Sales Engineer

Page 2: Agenda

• Bringing Security to virtualisation and cloud
  – Responsibilities and Challenges
• Deep Security
  – What, How, Why
• Secure Cloud
  – What, How, Why
• What about NSX (Deep Security 9.5)?

Page 3: Security in the cloud (and virtualized environments): Responsibilities and Challenges

Page 4: 1. Resource Contention: Antivirus Storm

[Diagram: a typical AV console schedules a 3:00am scan on every VM at once.] Automatic antivirus scans overburden the system.

Page 5: Virtualization & Cloud: Key Security Inhibitors

1. Resource Contention
2. Instant-on Gaps

[Diagram: VM states Dormant, Active, Cloned, and Reactivated with out-dated security.] Reactivated and cloned VMs can have out-of-date security.

Page 6: Key Security Inhibitors

1. Resource Contention
2. Instant-on Gaps
3. Inter-VM Attacks / Blind Spots

Attacks can spread across VMs.

Page 7: Key Security Inhibitors

1. Resource Contention
2. Instant-on Gaps
3. Inter-VM Attacks / Blind Spots
4. Complexity of Management

VM sprawl inhibits compliance. [Diagram labels: Patch agents; Rollout patterns; Provisioning new VMs; Reconfiguring agents.]

Page 8: Cloud Security Challenges

Challenge: Multi-tenancy / Mixed Trust Level VMs

Shared resources create a mixed trust level environment.

Page 9: Cloud Security Challenges

Challenge: Data Access and Governance

Cloud data can provide less visibility and control.

Page 10: Cloud Security Challenges

Challenge: Data Destruction

When data is moved, unsecured data remnants can remain.

Page 11: Deep Security: Be Smart when changing your datacenters

Page 12: Server Security Platform

Physical | Virtual | Cloud

Open, Automated, Scalable Platform. Modules: Anti-malware, Firewall, Integrity Monitoring, Intrusion Prevention, Log Inspection, Web Reputation.

Page 13: Anti-malware and Web Reputation

Anti-malware
• Anti-malware prevents viruses and other malicious code from penetrating your data center
• Real-time scanning of all your disk activity
• Scheduled and manual scanning of all your disks

Web Reputation
• Web Reputation prevents hosts from accessing web content hosted on malicious
• Web resources are categorized.
• Dynamic list based on Trend Micro's Smart Protection Network

Page 14: Intrusion Prevention and Firewall

Intrusion Prevention
• IDS/IPS detects and blocks known and zero-day attacks that target vulnerabilities
• Web Application Protection: shields web application vulnerabilities
• Application Control provides increased visibility into, or control over, applications accessing the network

Firewall
• Reduces attack surface
• Prevents DoS and detects reconnaissance scans

Page 15: Integrity Monitoring and Log Inspection

Integrity Monitoring
• Detects malicious and unauthorised changes to
  – Files
  – Directories
  – Registry keys
  – …

Log Inspection
• Optimizes the identification of important security events buried in the log entries
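The Integrity Monitoring module above detects changes to files and directories. As an added illustration (this is not Trend Micro's code and not how Deep Security implements the module), the Python below shows the basic mechanism such a module relies on: take a baseline of content hashes and metadata, re-scan later, and report what was added, removed or modified. The directory layout, file names and the simulated changes in `demo()` are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Snapshot every regular file under root: relative path -> (sha256, size, mode).

    Symlinks are skipped so a link pointing outside the tree is not hashed as content.
    """
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = (_sha256(p), st.st_size, st.st_mode & 0o777)
    return baseline


def diff_baselines(old, new):
    """Compare two snapshots; returns sorted lists of added, removed and modified paths.

    A file counts as modified if its hash, size or permission bits differ, so a
    chmod with unchanged content is still reported.
    """
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a tiny tree, tamper with it, re-scan and diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "tool").write_bytes(b"\x7fELF-placeholder")  # constructed, not a real binary
        before = build_baseline(root)

        # Simulated unauthorised changes between the two scans
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # modified content
        (root / "etc" / "hosts").unlink()                                    # removed
        (root / "etc" / "motd").write_text("Welcome\n")                      # added
        after = build_baseline(root)
        return diff_baselines(before, after)


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline would be stored off-host (or signed) so that whoever alters the monitored files cannot also rewrite the record they are compared against, and the scan would run on a schedule or on file-change events rather than on demand.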

Page 16: Deep Security Architecture

3/11/2014 Copyright 2013 Trend Micro Inc.

[Diagram: an ESX host running the Deep Security Virtual Appliance (DSVA) next to four guest VMs, with a Filter Driver in the Hypervisor.]

Page 17: Deep Security Architecture

[Diagram, continued: the VMs' Disk I/O and Network Traffic pass through the Hypervisor Filter Driver on the way to the Physical Disks and Physical Network.]

Page 18: Deep Security Architecture

[Diagram, continued: a second ESX host with its own DSVA, VMs and Hypervisor Filter Driver; the Deep Security Manager (DSM) is added above both hosts.]

Page 19: Deep Security Architecture

[Diagram, continued: vCenter is added alongside the DSM.]

Page 20: Deep Security 9

• Improved performance for Malware and Integrity Scans
• Up to 20X improvement, especially for VDI
• Deeper agentless guest context enables software and vulnerability scan for automatic policy management

[Diagram: vSphere hosting VMs (OS, APPs) with a VM Tools Thin Driver; the Deep Security Virtual Appliance provides Anti-Malware, Web Reputation, Intrusion Prevention, Firewall and Integrity Monitoring.]

Page 21: Deep Security 9 – Instant on Security

Page 22: Flexible Deployment in the cloud

• Agent based deployment mode
• Agent installation can be scripted

Page 23: Secure Cloud: Be Smart when changing your datacenters

Page 24: What is Secure Cloud

[Diagram: Patient Medical Records, Credit Card Payment Information, Sensitive Research Results and Social Security Numbers protected by Encryption with Policy-based Key Management.]

• Compliance support
• Custody of keys
• No vendor lock-in
• Trusted server access
• Control for when and where data is accessed

AES Encryption: 128, 192 & 256 bit
Policy-based Key Management
Auditing, Reporting & Mobility

• Unreadable to outsiders
• Obscured data on recycled devices

Page 25: Platform Support

[Diagram. Key Management: Trend Micro SaaS Solution, or Data Center Software Application. Deployment Options: SecureCloud Console. Encryption Support: Private Clouds, Public Clouds, vSphere Virtual Machines, Physical Machines.]

Page 26: How SecureCloud works

[Diagram: Storage (encrypted); Server (with SC agent); SecureCloud Key Management; a random session key is exchanged over SSL. The components sit in the Cloud Service Provider, the Enterprise Datacenter, or the SaaS Offering.]

• Server that needs access to storage: SC agent opens session with SC key management server
  – Policy check
• SC key management releases key
• Server uses key to access storage
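The key-release flow on this slide, together with the "trusted server access", "control for when and where data is accessed" and "auditing" points from the What is Secure Cloud slide, as an added worked example in Python. This is not SecureCloud's code or API: the agent identities, shared secrets, volume id, policy values and timestamps are constructed; the HMAC-authenticated request stands in for the agent's SSL session with the key management server; and the key-check value in `volume_header()` stands in for a real encrypted volume's header. What it shows is that the key management server, not the storage, is where the who/when/where policy is enforced, and that every decision, granted or denied, leaves an audit entry.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Policy:
    """Who may receive a volume key, and when/where they may ask for it."""
    trusted_agents: frozenset        # server identities allowed to mount the volume
    allowed_hours_utc: tuple         # (start_hour inclusive, end_hour exclusive)
    allowed_networks: frozenset      # network tags the agent may report from


@dataclass
class KeyServer:
    """Toy key-management server: holds volume keys, releases them only after a policy check."""
    agent_secrets: dict              # agent_id -> shared secret (stand-in for the agent's TLS credential)
    volume_keys: dict                # volume_id -> 32-byte data-encryption key
    policies: dict                   # volume_id -> Policy
    audit: list = field(default_factory=list)

    def request_key(self, agent_id, volume_id, network, nonce, mac, now):
        """Returns (key_or_None, reason). Every decision is appended to the audit log."""
        decision = self._evaluate(agent_id, volume_id, network, nonce, mac, now)
        self.audit.append({"ts": now.isoformat(), "agent": agent_id,
                           "volume": volume_id, "network": network, "result": decision})
        if decision == "released":
            return self.volume_keys[volume_id], decision
        return None, decision

    def _evaluate(self, agent_id, volume_id, network, nonce, mac, now):
        secret = self.agent_secrets.get(agent_id)
        if secret is None:
            return "denied: unknown agent"
        expected = hmac.new(secret, f"{agent_id}|{volume_id}|{nonce}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):          # constant-time comparison
            return "denied: bad authenticator"
        policy = self.policies.get(volume_id)
        if policy is None or volume_id not in self.volume_keys:
            return "denied: unknown volume"
        if agent_id not in policy.trusted_agents:           # "trusted server access"
            return "denied: agent not trusted for volume"
        start, end = policy.allowed_hours_utc               # "when"
        if not (start <= now.hour < end):
            return "denied: outside allowed hours"
        if network not in policy.allowed_networks:          # "where"
            return "denied: untrusted network"
        return "released"


def agent_request(agent_id, secret, volume_id):
    """Agent side: a fresh nonce plus an HMAC binds this request to this agent and volume."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(secret, f"{agent_id}|{volume_id}|{nonce}".encode(), hashlib.sha256).digest()
    return nonce, mac


def volume_header(key):
    """Storage side: a salted key-check value lets the agent confirm it received the right key."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "kcv": hashlib.sha256(salt + key).digest()}


def unlock_volume(header, key):
    return hmac.compare_digest(hashlib.sha256(header["salt"] + key).digest(), header["kcv"])


def demo():
    """Constructed scenario: in-window request, out-of-hours request, untrusted and unknown agents."""
    key = secrets.token_bytes(32)
    header = volume_header(key)
    server = KeyServer(
        agent_secrets={"web-01": b"web-01-secret", "web-02": b"web-02-secret"},
        volume_keys={"vol-db": key},
        policies={"vol-db": Policy(frozenset({"web-01"}), (6, 22), frozenset({"dc-east"}))},
    )
    noon = datetime(2014, 3, 11, 12, 0, tzinfo=timezone.utc)
    night = datetime(2014, 3, 11, 2, 0, tzinfo=timezone.utc)

    nonce, mac = agent_request("web-01", b"web-01-secret", "vol-db")
    k1, r1 = server.request_key("web-01", "vol-db", "dc-east", nonce, mac, noon)
    nonce, mac = agent_request("web-01", b"web-01-secret", "vol-db")
    k2, r2 = server.request_key("web-01", "vol-db", "dc-east", nonce, mac, night)
    nonce, mac = agent_request("web-02", b"web-02-secret", "vol-db")
    k3, r3 = server.request_key("web-02", "vol-db", "dc-east", nonce, mac, noon)
    nonce, mac = agent_request("rogue", b"guess", "vol-db")
    k4, r4 = server.request_key("rogue", "vol-db", "dc-east", nonce, mac, noon)
    return {
        "in_window": (r1, k1 is not None and unlock_volume(header, k1)),
        "out_of_hours": (r2, k2 is None),
        "untrusted_agent": (r3, k3 is None),
        "unknown_agent": (r4, k4 is None),
        "audit_entries": len(server.audit),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The audit list is the part operations teams use: a denied request at 02:00 from a server that normally mounts the volume at noon is the kind of event a log-inspection rule should surface, and the reason codes make that easy to filter without leaking key material into the log.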

Page 27: Why Secure Cloud

• Full volume Encryption
• The SecureCloud Agent sits in the OS stack between the Disk driver and the File System driver
• Encryption transparent to the OS and applications
• Encryption persists even after the instance is stopped
• FIPS 140-2 certified AES encryption

Page 28: Deep Security + Secure Cloud = A Perfect Match

Page 29: Trend Micro Cloud Protection

[Diagram: Patient Medical Records, Credit Card Payment Information, Sensitive Research Results, Social Security Numbers.]

SecureCloud (Encryption with Policy-based Key Management) = Data protection with encryption for data stored in private, public and hybrid clouds

Deep Security (Server Security Platform: Physical, Virtual, Cloud) = System and application protection for VMs in private, public, and hybrid clouds

Trend Micro Deep Security Cloud Protection Pack

Page 30: What about NSX? Deep Security 9.5

Page 31: Innovating with VMware

• Deep Security 7 (2009) – Agentless Intrusion Prevention and Firewall
• Deep Security 7.5 (2010) – Agentless Anti-Malware
• Deep Security 8 (2012) – Agentless Integrity Monitoring; Agentless Web Reputation
• Deep Security 9 (2013) – Agentless Recommendation Scan; Scan Cache

Page 32: NSX replaces vShield and vCNS

Page 33: Service Catalog & Auto Deployment

Page 34: Group Management through vSphere

Page 35: Partial Policy Management through vSphere

Page 36: Tags Enable Automation/Interoperability

Page 37: NSX Benefits

• Automatic Deployment of DSVA on ESXi 5.5+
• Auto Activation of DSVA
• No maintenance mode/reboot
• Fine-grained packet traffic control
• Multi-product interoperability and automation through tagging

Page 38: NSX Alternatives

Deep Security 9.5 supports all modules (using vShield with VMsafe-NET) on:
• ESXi 5.5
• ESXi 5.1

Page 39: Deep Security 9.5

Beta: This month! GA: Beginning Q2

Page 40: Questions?