New Directions for Security Services and the Software Defined Data Center
Chip Epps, Symantec, Product Manager, Data Center Security & Compliance
IL B06, Apr 16, 2013, 2:30pm to 3:30pm
Jeremiah Cornelius, VMware, Alliances Partner Architect
SYMANTEC VISION 2013
Agenda
Why the “Software-Defined Data Center”
Vision for Security Service Model in SDDC
Designing Security Services for the SDDC
Symantec and Software Defined Security
Where is the SDDC and When is the Future?
Q&A
The Virtualization Path – Continue the Journey, following economic benefit
IT Production – Capex savings through consolidation
Business Production – Opex savings through automation
IT as a Service – game change through self-service
Abstract. Pool. Automate. Empower.
Software-Defined Data Center: Cost, Agility, Governance
IT Pressures – a Constant Over the Decades
• COST – “Are you getting the maximum efficiency out of your infrastructure?”
• AGILITY – “How quickly can IT respond to LOB requests?”
• GOVERNANCE – Legislative compliance; risk reduction (SLAs & business continuity); security (corporate assets & IP)
Virtualization Architects Are Asking For Security Rethink
80% PV, vCloud… AND risk neutral? AND compliant? NO host sprawl? NO overprovisioning?
Adoption Has Enabled Agility
Virtualization adoption: 2008 – 25%; 2012 – 60%; Future – >90%
Time to deliver: weeks → days/hours → minutes/seconds
Driven by Infrastructure
Software-Defined Datacenter Services: Storage/Availability, Servers, Networking, Security, Management/Monitoring
2008 (VDC) → 2012 → Future: weeks → days/hours → minutes/seconds
SOFTWARE-DEFINED DATACENTER
All infrastructure is virtualized and delivered as a service, and the control of this datacenter is entirely automated by software.
Abstract. Pool. Automate.
Getting to The Software-Defined Data Center (SDDC)
1. Decouple – physical from virtual: hardware independence
2. Reproduce – operational benefits of virtualization; no change to the network from the end-host perspective
3. Automate – from Network Operations to Cloud Operations
MANAGEMENT: VMware vCloud Director, VMware vCenter Orchestrator, VMware vCloud APIs, VMware vCloud Automation Center, VMware vFabric Application Director, VMware vCenter Operations Management Suite, VMware vCloud Connector
CLOUD INFRASTRUCTURE:
– VIRTUALIZATION: VMware vSphere
– SOFTWARE-DEFINED NETWORKING & SECURITY: VMware vCloud Networking & Security
– SOFTWARE-DEFINED STORAGE & AVAILABILITY: VMware vCenter Site Recovery Manager
EXTENSIBILITY
Physical Infrastructure (Server, Storage, Network)
Symantec and the SDDC
Security and Compliance Solutions – “At the endpoint and beyond”: Anti-virus and Malware, Virtual Server Hardening (vSphere), Data Loss Prevention, Threat Correlation, Content Filtering, Legal & Regulatory Compliance, Managed Security
Storage & Availability Solutions – “Always on, always available”: Backup & Recovery, High Availability, Application Availability, Clustering, Archiving, Storage Management and Reporting, Dynamic Multi-pathing
Vision for Security Service Model in SDDC
Provisioning Services for Virtualization is Still Slow and Costly
Past: $10,000, 10 weeks
Present: $300 and 2 minutes to create the VM; $1800 and 5 days (plus the 2 minutes!) once networking and security are included
Creating the VM is fast, but you still have to wait for networking and security: VLAN networks, firewall, IDS, security, monitoring, availability, load balancer
From whiteboard… …to Visio diagrams… Both are…. Actionable, Repeatable
Our customers struggle to deliver actionable and repeatable security services and rules configuration, within and across dev/test and production environments.
Challenge: Make security policies actionable and repeatable across environments
What if a Software Defined Data Center made it possible…
• Deploy – Security services were easily deployed and available to all workloads?
• Bind – You could group your apps however you like (VMs, vApps, user IDs…) and assign security services (firewall, antivirus, IPS…) to these groups?
• Orchestrate – One security control could be enforced based on the result of another control, without the requirement for point-to-point integrations?
(Diagram label: WEB_APP_FILTER)
Automate Service Provisioning and Service Availability
vCenter/vCloud/vCAC → vCNS Manager → Partner Management Consoles (Partner A: IPS, AV; Partner B: Application Filter; Partner C: Vulnerability Assessment)
Service Provisioning – includes VMware security services; includes partner services (all network and security categories; multi-vendor support)
Health Monitoring – monitor and ensure availability of services
Separation of Duties – the role for service provisioning is separate from vCenter VI Admin permissions; includes roles for Security Admin and Audit
Cluster-level SLAs – policy and consistency
Customer Scenario: Enclaves, Sub-enclaves and Remediation Zones
Customer Need:
• “Datacenter” (within a VC) is carved up into groups based on business function
• Each group is bound to a firewall service
• Firewall service configured to deny/permit access to shared services or other groups
• VMs are placed in respective groups and are protected based on the services and rules for these groups
SDDC Security Capability:
• Security Groups – map to business function; empty or prepopulated with VMs
• Security Policy Object – includes firewall service
• VMs are placed in respective groups – as in the example
• Groups can be nested and policies are inherited
SDDC Solution – Security Services Provisioning Automation
Hierarchy shown in the diagram: vDC “Z” → “HR Department” → vApp “Y” (“ERP Application”) → VM “X” (“Database”); a second vApp “Y” holding “Share Point” and “Database” groups
Policies shown: “Gold” Security Policy, Database Security Policy, Share Point Security Policy
• Services can be grouped into Policy Templates (Gold, Database, SharePoint, etc.)
• Policy Templates are then applied to workloads organized into Security Groups at various levels (VMs, Apps and Groups, etc.)
• Security Groups can be nested, and policies can be inherited
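The nesting and inheritance rules above are stated on the slide but not spelled out: what does VM “X” actually get when a “Gold” template sits on the vDC and a “Database” template sits on its own group? The following added Python model (written for this page; it is not VMware or Symantec code and does not use any product API) resolves the effective policy of a VM from a nested group tree. The hierarchy, template names and service settings are constructed from the diagram; the resolution rule (deeper template overrides an ancestor, same-depth disagreements are flagged as conflicts) is an assumption made here so that inheritance is deterministic.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PolicyTemplate:
    # A named bundle of security services and their settings
    # (the deck's "Gold", "Database" and "Share Point" policies).
    name: str
    services: dict          # service -> setting, e.g. {"firewall": "deny-by-default"}


@dataclass
class SecurityGroup:
    name: str
    parent: Optional["SecurityGroup"] = None    # None for a top-level group (the vDC)
    policy: Optional[PolicyTemplate] = None     # template bound at this level, if any
    members: set = field(default_factory=set)   # VM names placed directly in this group

    def depth(self) -> int:
        d, g = 0, self
        while g.parent is not None:
            d, g = d + 1, g.parent
        return d

    def lineage(self) -> list:
        """Ancestors root-first, this group last."""
        chain, g = [], self
        while g is not None:
            chain.append(g)
            g = g.parent
        return chain[::-1]


def effective_policy(vm: str, groups: list):
    """Resolve the services that protect `vm`.

    Assumed rules: every template on the VM's groups and their ancestors applies;
    a template bound deeper in the tree (more specific) overrides an ancestor's
    setting for the same service; two templates at the same depth that set the
    same service differently are reported as a conflict rather than picked silently.
    """
    applied = {}      # service -> (depth, setting, group name, template name)
    conflicts = []    # (service, group already applied, competing group)
    seen = set()
    for g in groups:
        if vm not in g.members:
            continue
        for anc in g.lineage():
            if anc.policy is None or anc.name in seen:
                continue
            seen.add(anc.name)
            d = anc.depth()
            for svc, setting in anc.policy.services.items():
                cur = applied.get(svc)
                if cur is None or d > cur[0]:
                    applied[svc] = (d, setting, anc.name, anc.policy.name)
                elif d == cur[0] and setting != cur[1]:
                    conflicts.append((svc, cur[2], anc.name))
    effective = {svc: v[1] for svc, v in applied.items()}
    sources = {svc: f"{v[3]} via {v[2]}" for svc, v in applied.items()}
    return effective, sources, conflicts


# Constructed hierarchy modelled on the slide: vDC "Z" > "HR Department" > vApp "Y"
# (ERP Application) > "Database" / "Share Point" groups. Service names and settings
# are illustrative, not product values.
GOLD = PolicyTemplate("Gold", {"firewall": "deny-by-default", "antivirus": "detect-only", "ips": "enabled"})
DATABASE = PolicyTemplate("Database", {"firewall": "db-tier-only", "antivirus": "clean", "fim": "enabled"})
SHAREPOINT = PolicyTemplate("Share Point", {"firewall": "web-tier-only", "antivirus": "clean", "web-filter": "enabled"})

vdc_z = SecurityGroup('vDC "Z"', policy=GOLD)
hr = SecurityGroup("HR Department", parent=vdc_z)
vapp_y = SecurityGroup('vApp "Y" (ERP Application)', parent=hr, members={"VM X", "VM W"})
database = SecurityGroup("Database", parent=vapp_y, policy=DATABASE, members={"VM X", "VM V"})
sharepoint = SecurityGroup("Share Point", parent=vapp_y, policy=SHAREPOINT, members={"VM W", "VM V"})
GROUPS = [vdc_z, hr, vapp_y, database, sharepoint]

if __name__ == "__main__":
    for vm in ("VM X", "VM W", "VM V"):
        eff, src, conf = effective_policy(vm, GROUPS)
        print(vm, eff, "conflicts:", conf)
```

The point for an auditor is the `sources` map and the `conflicts` list: inheritance is only "actionable and repeatable" if every effective setting can be traced back to the template and group that produced it, and a VM placed in two sibling groups with disagreeing templates (VM V here) must surface as a conflict rather than silently take whichever group was evaluated first.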
SDDC Solution – Extend Platform to Best of Breed Services
Software Defined Data Center partners provide best-of-breed services in these categories: Anti-Virus (AV)/Anti-Malware; Application Delivery Controller (ADC); Application Whitelisting; Application Firewall; Data Loss Prevention (DLP); Encryption; File Integrity Monitoring (FIM); Firewall (Host/Network); Identity and Access Management; Intrusion Detection/Prevention System (IDS/IPS); Load Balancer; Network Forensics; Network Gateway (VXLAN); Network Port Profile; Policy and Compliance Solution; Security Intelligence and Event Management (SIEM); User Access Control (closest to our SAM); Vulnerability Management; WAN Optimizer; Web Filter
Properties of virtual services: • Programmatic provisioning • Place any workload anywhere • Move any workload anywhere • Decoupled from hardware • Operationally efficient
Designing Security Services for the SDDC
Preservation of Elasticity and Motion – continuity, present
• Security needs to expand and contract quickly
• Security must adapt to movement
• WHY:
– Can’t break the promise of virtualization and the SDDC, i.e. elasticity, HA, etc. Consequently, workloads can be brought into service or moved onto any piece of hardware instantly
– E.g. Security should have awareness of every workload, regardless of which host and SVA it runs on, in case a VM should appear within an SVA’s realm of protection… global policy and content
Single System View – efficient, responsive
• Security is implemented from a “leveraged” position – Admin sees the “logical” system defined by VMware
• Security overcomes abstraction and removes complexity – Simplifies management
• Security is “symmetrical” – Security is retained regardless of underlying infrastructure
• WHY:
– Services layer is highly abstracted from Infrastructure
– E.g. Security should focus on the logical nature of the infrastructure, and not necessarily on the physical infrastructure (hosts & SVAs)
Admin’s View
From this lens: Host-1, Host-2, Host-3, each running a mix of VMs and vApps
To this lens: VDC – PCI Servers and VDC – Dev Servers, each holding its own VMs and vApps
System View
vCenter and Security Manager at the top; four SVAs below, each protecting a set of VMs
Deterministic – consistent, compliant
• Security does no harm – Shouldn’t contribute to the problem or make things worse
• No surprises… resources, behavior, performance, etc. – All SVAs running a consistent state
• WHY:
– Infrastructure is designed to be templated and repeatable, and security should similarly fit into this model
– E.g. Security controls (instantiated via an SVA) should be the same, thus predictable (same app, same sizing, same policies, same defs, same logs, etc.)
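“All SVAs running a consistent state” is a property you can verify rather than assume. The following added Python check (written for this page; not Symantec or VMware code, and the record fields are an assumed inventory layout, not a product schema) compares a constructed SVA inventory across hosts on exactly the attributes the slide lists (app, sizing, policy, definitions, log target) and reports every SVA that has drifted from the fleet baseline. The baseline here is the majority value per field; in a real deployment it would be the golden template the SVAs were deployed from.

```python
from collections import Counter

# Constructed SVA inventory, one record per host, as an export from the security
# manager might look. Host names follow the deck; product and version strings
# ("dcp-av 1.0.3") are placeholders, not real releases.
SVA_INVENTORY = [
    {"host": "Host-1", "sva_app": "dcp-av 1.0.3", "vcpu": 2, "memory_gb": 4,
     "policy_id": "Gold-v7", "defs": "2013-04-15", "log_target": "siem01:514"},
    {"host": "Host-2", "sva_app": "dcp-av 1.0.3", "vcpu": 2, "memory_gb": 4,
     "policy_id": "Gold-v7", "defs": "2013-04-15", "log_target": "siem01:514"},
    {"host": "Host-3", "sva_app": "dcp-av 1.0.3", "vcpu": 2, "memory_gb": 4,
     "policy_id": "Gold-v7", "defs": "2013-04-02", "log_target": "siem01:514"},
    {"host": "Host-4", "sva_app": "dcp-av 1.0.1", "vcpu": 4, "memory_gb": 8,
     "policy_id": "Gold-v7", "defs": "2013-04-15", "log_target": "localhost:514"},
]

# The slide's list: same app, same sizing, same policies, same defs, same logs.
CHECKED_FIELDS = ("sva_app", "vcpu", "memory_gb", "policy_id", "defs", "log_target")


def baseline(inventory, fields=CHECKED_FIELDS):
    """Majority value per field. Assumed stand-in for the golden SVA template."""
    return {f: Counter(r[f] for r in inventory).most_common(1)[0][0] for f in fields}


def find_drift(inventory, fields=CHECKED_FIELDS):
    """Return {host: {field: (actual, expected)}} for every SVA that deviates."""
    expected = baseline(inventory, fields)
    drift = {}
    for rec in inventory:
        bad = {f: (rec[f], expected[f]) for f in fields if rec[f] != expected[f]}
        if bad:
            drift[rec["host"]] = bad
    return drift


if __name__ == "__main__":
    for host, fields in find_drift(SVA_INVENTORY).items():
        for f, (actual, exp) in fields.items():
            print(f"{host}: {f} is {actual!r}, expected {exp!r}")
```

Run on the sample, Host-3 is flagged for stale definitions and Host-4 for a different app version, sizing and a log target that never reaches the SIEM. Each finding is something the deck's "no surprises" principle says should not exist, and each is cheap to detect before it shows up as a coverage gap.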
Preservation of Fault Zones – resilient, available
• Security works under duress – takes care of itself
• Security separate from infrastructure
– If you take away the management console, the system will continue to run, i.e. security will run indefinitely if there are no changes
– And vice versa: if the security ecosystem has an issue, it won’t disrupt operations
• WHY:
– Should infrastructure fail, security needs to function
– E.g. Each SVA should be self-sustaining with a complete view of the world (i.e. operate “headless”)
Symantec and Software Defined Security
What is “Data Center Protection”?
“Data Center Protection (DCP)” – New; FINAL branding pending
• Agentless AV and IDP – Virtual Security SVAs
• Agent – Sandboxing + Application Whitelisting Controls
Next Symantec Releases: Ferrari – Athens Overview
Today – Agent (for Servers): SEP (Symantec Endpoint Protection); Critical Systems Protection
Ferrari – Athens: “Data Center Protection” (FINAL branding pending)
• Agentless (Servers & VDI): agentless protection via EPSEC (AV) & NetX integration (includes vCenter hardening and ESXi host monitoring resources of CSP)
• Includes entitlement to agentless & agented protection (SEP & CSP)
• Agent (for Servers): SEP agented protection – antimalware protection using AV, IPS, Reputation and Behavioral techniques
New SDDC Use Case – Remediation Action
Participants: VMware Infrastructure; 3rd-Party Security System – Symantec Agentless “DCP”
Registration
• Symantec registers its threat protection security services, e.g. Agentless AV, and provides the following to VMware: location of the “DCP” Manager, pointers to the AV and IDP SVA OVAs, and policy types/profile definitions
• VMware defines Security Policies for Security Groups, e.g. AV Detect Only policy for the Normal group; AV Clean policy for the Quarantine group
• VMware provisions AV and IDP (IPS) SVAs to the Host
• VMware assigns GVM X to the Host; GVM X is assigned to the Normal group with the AV Detect policy
Events/Actions
1. User of GVM X tries to execute malware
2. Symantec Agentless AV (SVA) security service on the Host detects malware on GVM X via the AV Detect Only policy and denies access; Symantec Manager sets the Security Tag for AV Detect
3. VMware reassigns GVM X to the Quarantine group
4. Symantec AV SVA responds to the policy change associated with the Quarantine group, applies the AV Clean policy to GVM X, deletes the malware on execute, and clears the AV Detect Security Tag
5. VMware restores GVM X to the Normal group
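The two slides above describe a closed loop in which neither side calls the other directly: the SVA only reports through a security tag, the infrastructure only reacts to tags by moving the VM between groups, and the SVA only reacts to whichever policy its VM's group carries. The following added Python simulation (written for this page; it is not Symantec or VMware code and uses no product API) walks GVM X through that loop with the group-to-policy binding from the slides. The tag name `AV.Detect`, the class names and the file paths are assumptions; the deck only says “Security Tag for AV Detect”.

```python
from dataclasses import dataclass, field

# Group-to-policy binding as described on the slides.
GROUP_POLICY = {"Normal": "AV Detect Only", "Quarantine": "AV Clean"}
# Assumed tag name; the deck only says "Security Tag for AV Detect".
DETECT_TAG = "AV.Detect"


@dataclass
class GuestVm:
    name: str
    group: str = "Normal"
    tags: set = field(default_factory=set)
    # path -> True if the file is malware (constructed sample data, not a scan result)
    files: dict = field(default_factory=dict)


class Infrastructure:
    """VMware side: owns Security Group membership and reacts only to tag changes."""

    def __init__(self, log):
        self.log = log
        self.sva = None                      # wired up once the SVA exists

    def on_tag_changed(self, vm):
        if DETECT_TAG in vm.tags and vm.group != "Quarantine":
            vm.group = "Quarantine"
            self.log.append(("VMware", f"reassign {vm.name} -> Quarantine"))
            self.sva.on_policy_change(vm)    # a new group means a new policy for the SVA
        elif DETECT_TAG not in vm.tags and vm.group == "Quarantine":
            vm.group = "Normal"
            self.log.append(("VMware", f"restore {vm.name} -> Normal"))


class SecurityManager:
    """Symantec side ("DCP" Manager): the only thing it does here is set/clear the tag."""

    def __init__(self, infra, log):
        self.infra, self.log = infra, log

    def set_tag(self, vm):
        vm.tags.add(DETECT_TAG)
        self.log.append(("Manager", f"set tag {DETECT_TAG} on {vm.name}"))
        self.infra.on_tag_changed(vm)

    def clear_tag(self, vm):
        vm.tags.discard(DETECT_TAG)
        self.log.append(("Manager", f"clear tag {DETECT_TAG} on {vm.name}"))
        self.infra.on_tag_changed(vm)


class AgentlessAvSva:
    """Agentless AV service on the host; its action depends only on the VM's group policy."""

    def __init__(self, manager, log):
        self.manager, self.log = manager, log

    def on_execute(self, vm, path):
        """A user in the guest tries to execute `path`. Returns True if execution is allowed."""
        if not vm.files.get(path, False):
            return True                      # clean file: nothing to do
        policy = GROUP_POLICY[vm.group]
        if policy == "AV Detect Only":
            self.log.append(("SVA", f"{policy}: malware {path} on {vm.name}, access denied"))
            self.manager.set_tag(vm)         # the tag is what drives quarantine
        else:
            self._clean(vm, path, policy)
        return False

    def on_policy_change(self, vm):
        """Re-evaluate known detections under the policy of the VM's new group."""
        policy = GROUP_POLICY[vm.group]
        if policy == "AV Clean":
            for path in [p for p, bad in vm.files.items() if bad]:
                self._clean(vm, path, policy)

    def _clean(self, vm, path, policy):
        del vm.files[path]
        self.log.append(("SVA", f"{policy}: deleted {path} on {vm.name}"))
        if not any(vm.files.values()):
            self.manager.clear_tag(vm)       # VM is clean again; VMware restores the group


def run_scenario():
    """Walk GVM X through the remediation loop; return the VM and the event log."""
    log = []
    infra = Infrastructure(log)
    manager = SecurityManager(infra, log)
    infra.sva = AgentlessAvSva(manager, log)
    gvm_x = GuestVm("GVM X", files={"/tmp/evil.exe": True, "/usr/bin/ls": False})
    infra.sva.on_execute(gvm_x, "/tmp/evil.exe")   # step 1 of the slide
    return gvm_x, log


if __name__ == "__main__":
    vm, log = run_scenario()
    for actor, event in log:
        print(f"{actor:8} {event}")
    print("final group:", vm.group, "tags:", vm.tags)
```

The log produced by `run_scenario()` reproduces steps 2 to 5 of the slide in order (SVA denies, Manager tags, VMware quarantines, SVA cleans, Manager clears, VMware restores). Two things are worth noticing from a design standpoint: the quarantine decision lives entirely in the group-to-policy table, so changing what "Quarantine" means never touches the SVA, and a VM can only leave Quarantine when no malware remains, so a second detection during cleanup keeps it there.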
Where is the SDDC and When is the Future?
What is the Future?
THE SOFTWARE DEFINED DATA CENTER BEGINS TODAY
• This began with vMotion…
• NSX Service Composer – 2013 Focus Areas
– Simplify service provisioning
– Make policies actionable and repeatable
– Enable multi-vendor, multi-discipline conditional workflows for service automation
SYMANTEC LEADING TO DELIVER ON THE PROMISE
• Unparalleled integration for Symantec solutions serving the Software Defined Data Center and security policy automation with NSX
• Converged roadmaps for VMware protection of the enterprise
• Coordinated releases for 2013 – See demos at VMworld
• Visit the VMware booth and the Symantec booth for more information
Q&A
Thank You!