new directions for security services and the software defined data center


Page 1: New Directions for Security Services and the Software Defined Data Center

Chip Epps, Symantec, Product Manager, Data Center Security & Compliance

IL B06, Apr 16, 2013, 2:30pm to 3:30pm

Jeremiah Cornelius, VMware, Alliances Partner Architect

Page 2: New Directions for Security Services and the Software Defined Data Center

SYMANTEC VISION 2013

Agenda

Why the “Software-Defined Data Center”

Vision for Security Service Model in SDDC

Designing Security Services for the SDDC

Symantec and Software Defined Security

Where is the SDDC and When is the Future?

Q&A

Page 3: New Directions for Security Services and the Software Defined Data Center

The Virtualization Path – Continue the Journey (following economic benefit)

Capex Savings thru Consolidation (IT Production)

Opex Saving thru Automation (Business Production)

Game Change thru Self-Service (IT as a Service)

Abstract. Pool. Automate. Empower.

Software-Defined Data Center: Cost, Agility, Governance

Page 4: New Directions for Security Services and the Software Defined Data Center

IT Pressures – a Constant Over the Decades

COST: “Are you getting the maximum efficiency out of your infrastructure?”

AGILITY: “How quickly can IT respond to LOB requests?”

GOVERNANCE: Legislative Compliance; Risk Reduction – SLAs & Business Continuity; Security – Corp Assets & IP

Page 5: New Directions for Security Services and the Software Defined Data Center

Virtualization Architects Are Asking For Security Rethink

80% PV, vCloud… AND risk neutral? AND compliant? NO host sprawl? NO overprovisioning?

Page 6: New Directions for Security Services and the Software Defined Data Center

Adoption Has Enabled Agility

Virtualization adoption: 2008 – 25%; 2012 – 60%; Future – >90%

Provisioning time: 2008 – weeks; 2012 – days/hours; Future – minutes/seconds

Page 7: New Directions for Security Services and the Software Defined Data Center

Driven by Infrastructure

Software-Defined Datacenter Services: Storage/Availability, Servers, Networking, Security, Management/Monitoring

Timeline: 2008 (weeks) → 2012 (days/hours) → Future (minutes/seconds); from the VDC to software-defined datacenter services

Page 8: New Directions for Security Services and the Software Defined Data Center


SOFTWARE-DEFINED DATACENTER

All infrastructure is virtualized and delivered as a service, and the control of this datacenter is entirely automated by software.

Abstract. Pool. Automate.

Page 9: New Directions for Security Services and the Software Defined Data Center

Getting to The Software-Defined Data Center (SDDC)

1. Decouple – Physical → Virtual: hardware independence

2. Reproduce – Virtual reproduces Physical: operational benefits of virtualization, no change to network from end host perspective

3. Automate – Network Operations → Cloud Operations

Page 10: New Directions for Security Services and the Software Defined Data Center

SDDC platform (figure: layered stack)

Layers, top to bottom: MANAGEMENT; EXTENSIBILITY; SOFTWARE-DEFINED NETWORKING & SECURITY; SOFTWARE-DEFINED STORAGE & AVAILABILITY; VIRTUALIZATION (VMware vSphere); CLOUD INFRASTRUCTURE; Physical Infrastructure (Server, Storage, Network)

VMware products in the stack: VMware vSphere; VMware vCloud Director; VMware vCenter Orchestrator; VMware vCloud APIs; VMware vCloud Automation Center; VMware vFabric Application Director; VMware vCenter Operations Management Suite; VMware vCloud Connector; VMware vCloud Networking & Security; VMware vCenter Site Recovery Manager

Symantec and the SDDC

Security and Compliance Solutions – “At the endpoint and beyond”: Anti-virus and Malware; Virtual Server Hardening (vSphere); Data Loss Prevention; Threat Correlation; Content Filtering; Legal & Regulatory Compliance; Managed Security

Storage & Availability Solutions – “Always on, always available”: Backup & Recovery; High Availability; Application Availability; Clustering; Archiving; Storage Management and Reporting; Dynamic Multi-pathing

Page 11: New Directions for Security Services and the Software Defined Data Center

Agenda (section divider; items as on Page 2)

Page 12: New Directions for Security Services and the Software Defined Data Center

Provisioning Services for Virtualization is Still Slow and Costly

Past: $10,000, 10 weeks

Present: $300, 2 minutes to create the VM… but $1,800 and 5 days, 2 min! once the rest is provisioned

Creating the VM is fast, but you still have to wait for networking and security: VLAN networks; Firewall; IDS, security, monitoring; Availability; Load Balancer

Page 13: New Directions for Security Services and the Software Defined Data Center

From whiteboard… …to Visio diagrams… Both are… Actionable, Repeatable

Our customers struggle to deliver actionable and repeatable security services and rules configuration, within and across dev/test and production environments.

Challenge: make security policies actionable and repeatable across environments

Page 14: New Directions for Security Services and the Software Defined Data Center

What if a Software Defined Data Center made it possible… (figure: example service WEB_APP_FILTER)

• Deploy – Security services were easily deployed and available to all workloads?

• Bind – You could group your apps however you like (VMs, vApps, user IDs…) and assign security services (firewall, antivirus, IPS…) to these groups?

• Orchestrate – One security control could be enforced based on the result of another control, without the requirement for point-to-point integrations?

Page 15: New Directions for Security Services and the Software Defined Data Center

Automate Service Provisioning and Service Availability

(figure: Partner Management Consoles for Partner A: IPS, AV; Partner B: Application Filter; Partner C: Vulnerability Assessment, connected through vCNS Manager to vCenter/vCloud/vCAC)

Service Provisioning – Includes VMware security services; includes partner services: all network and security categories, multi-vendor support

Health Monitoring – Monitor, ensure availability of services

Separation of Duties – Role for service provisioning is separate from vCenter VI Admin permissions; includes roles for Security Admin, Audit

Cluster level SLAs – Policy and consistency

Page 16: New Directions for Security Services and the Software Defined Data Center

Customer Scenario: Enclaves, Sub-enclaves and Remediation Zones

Customer Need → SDDC Security Capability

“Datacenter” (within a VC) is carved up into groups based on business function → Security Groups: map to business function; empty or prepopulated w/ VMs

Each group is bound to a firewall service → Security Policy Object: includes firewall service

Firewall service configured to deny/permit access to shared services or other groups

VMs are placed in respective groups and are protected based on services, rules for these groups → VMs are placed in respective groups, as in example; groups can be nested and policies are inherited

Page 17: New Directions for Security Services and the Software Defined Data Center

SDDC Solution – Security Services Provisioning Automation

(figure: nested objects – vDC “Z” / “HR Department” with the “Gold” Security Policy; inside it vApp “Y” / “ERP Application” containing VM “X” / “Database” with the Database Security Policy, and vApp “Y” / “Share Point” with the Share Point Security Policy)

Services can be grouped into Policy Templates (Gold, Database, SharePoint, etc.)

Policy Templates are then applied to workloads organized into Security Groups at various levels (VMs, Apps and Groups, etc.)

Security Groups can be nested, and policies can be inherited

Page 18: New Directions for Security Services and the Software Defined Data Center

SDDC Solution – Extend Platform to Best of Breed Services

Software Defined Data Center partners provide best of breed services in these categories: Anti-Virus (AV), Anti-Malware; Application Delivery Controller (ADC); Application Whitelisting; Application Firewall; Data Loss Prevention (DLP); Encryption; File Integrity Monitoring (FIM); Firewall (Host/Network); Identity and Access Management; Intrusion Detection/Prevention System (IDS/IPS); Load Balancer; Network Forensics; Network Gateway (VXLAN); Network Port Profile; Policy and Compliance Solution; Security Information and Event Management (SIEM); User Access Control (closest to our SAM); Vulnerability Management; WAN Optimizer; Web Filter

Properties of virtual services: programmatic provisioning; place any workload anywhere; move any workload anywhere; decoupled from hardware; operationally efficient

Page 19: New Directions for Security Services and the Software Defined Data Center

Agenda (section divider; items as on Page 2)

Page 20: New Directions for Security Services and the Software Defined Data Center

Preservation of Elasticity and Motion – continuity, present

• Security needs to expand and contract quickly

• Security must adapt to movement

• WHY: Can’t break the promise of virtualization and the SDDC, i.e. elasticity, HA, etc. Consequently, workloads can be brought into service or moved onto any piece of hardware instantly. E.g. security should have awareness of every workload, regardless of which host and SVA it runs on, in case a VM should appear within an SVA’s realm of protection: global policy and content

Page 21: New Directions for Security Services and the Software Defined Data Center

Single System View – efficient, responsive

• Security is implemented from a “leveraged” position – the admin sees the “logical” system defined by VMware

• Security overcomes abstraction and removes complexity – simplifies management

• Security is “symmetrical” – security is retained regardless of underlying infrastructure

• WHY: the services layer is highly abstracted from the infrastructure. E.g. security should focus on the logical nature of the infrastructure, and not necessarily on the physical infrastructure (hosts & SVAs)

Page 22: New Directions for Security Services and the Software Defined Data Center

Admin’s View

(figure: from this lens – Host-1, Host-2, Host-3, each running VMs – to this lens – VDC-PCI Servers and VDC-Dev Servers, each holding VMs and vApps)

Page 23: New Directions for Security Services and the Software Defined Data Center

System View

(figure: vCenter Security Manager at the centre, connected to four SVAs, each SVA protecting a set of VMs)

Page 24: New Directions for Security Services and the Software Defined Data Center

Deterministic – consistent, compliant

• Security does no harm – shouldn’t contribute to the problem or make things worse

• No surprises… resources, behavior, performance, etc. – all SVAs running a consistent state

• WHY: infrastructure is designed to be templated and repeatable, and security should similarly fit into this model. E.g. security controls (instantiated via an SVA) should be the same, thus predictable (same app, same sizing, same policies, same defs, same logs, etc.)

Page 25: New Directions for Security Services and the Software Defined Data Center

Preservation of Fault Zones – resilient, available

• Security works under duress – takes care of itself

• Security separate from infrastructure – if you take away the management console, the system will continue to run, i.e. security will run indefinitely if there are no changes; and vice versa: if the security ecosystem has an issue, it won’t disrupt operations

• WHY: should infrastructure fail, security needs to function. E.g. each SVA should be self-sustaining with a complete view of the world (i.e. operate “headless”)

Page 26: New Directions for Security Services and the Software Defined Data Center

Agenda (section divider; items as on Page 2)

Page 27: New Directions for Security Services and the Software Defined Data Center

What is “Data Center Protection”?

“Data Center Protection (DCP)” (new; FINAL branding pending) = Virtual Security SVAs providing agentless AV and IDP + Agent providing sandboxing and application whitelisting controls

Page 28: New Directions for Security Services and the Software Defined Data Center

Next Symantec Releases: Ferrari – Athens Overview

Today: Agent (for Servers) – SEP (Symantec Endpoint Protection): agented protection, antimalware protection using AV, IPS, Reputation, Behavioral techniques; Critical Systems Protection

Ferrari – Athens: “Data Center Protection” (FINAL branding pending) – Agentless (Servers & VDI): agentless protection via EPSEC (AV) & NetX integration (includes vCenter hardening and ESXi host monitoring resources of CSP); includes entitlement to agentless & agented protection (SEP & CSP)

Page 29: New Directions for Security Services and the Software Defined Data Center

New SDDC Use Case – Remediation Action (part 1: Registration)

(swim lanes: VMware Infrastructure | 3rd Party Security System | Symantec Agentless “DCP”)

Registration

* Symantec registers its threat protection security services, e.g. Agentless AV, and provides the following to VMware: location of the “DCP” Manager, pointers to the AV and IDP SVA OVAs, and policy types/profile definitions

* VMware defines Security Policies for Security Groups, e.g. AV Detect Only policy for the Normal group, AV Clean policy for the Quarantine group

* VMware provisions AV and IDP (IPS) SVAs to the Host

* VMware assigns GVM X to the Host

Events/Actions

* GVM X assigned to Normal group with AV Detect policy

Page 30: New Directions for Security Services and the Software Defined Data Center

New SDDC Use Case – Remediation Action (part 2: Events/Actions)

(swim lanes: VMware Infrastructure | 3rd Party Security System | Symantec Agentless “DCP”)

Events/Actions

* GVM X assigned to Normal group with AV Detect policy

* User of GVM X tries to execute malware

* Symantec Agentless AV (SVA) security service on the Host detects malware on GVM X via the AV Detect Only policy, and denies access; Symantec Manager sets the Security Tag for AV Detect

* VMware reassigns GVM X to the Quarantine group

* Symantec AV SVA responds to the policy change associated with the Quarantine group, applies the AV Clean policy to GVM X, deletes the malware on execute, and clears the AV Detect Security Tag

* VMware restores GVM X to the Normal group
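The remediation flow on pages 29 and 30, together with the Security Group / Policy Template model of pages 16 and 17, as an added Python example. This is not Symantec's or VMware's code; the tag name "AV.Detect", the policy and group names, the precedence rule used to merge policies, and the file paths are all assumptions. It shows a VM's effective policy being merged from its nested groups, a detect-only hit setting a security tag, the tag alone moving the VM into a Quarantine group whose higher-precedence AV Clean policy then takes over, and the cleared tag dropping the VM back to Normal.

```python
# Added example (not Symantec or VMware code): toy model of Security Groups,
# Security Policy templates, nested-group inheritance and the tag-driven
# quarantine flow. Tag, group, policy names and file paths are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SecurityPolicy:
    """Policy template: service -> setting, e.g. {"av": "detect_only"}.
    Higher precedence wins when a VM sits in several groups (like a policy weight)."""
    name: str
    services: Dict[str, str]
    precedence: int = 0


@dataclass
class SecurityGroup:
    """Grouping by business function; members are static (VM names) or matched
    dynamically by security tags. A parent makes the group nested."""
    name: str
    policy: Optional[SecurityPolicy] = None
    parent: Optional["SecurityGroup"] = None
    static_members: Set[str] = field(default_factory=set)
    tag_criteria: Set[str] = field(default_factory=set)

    def depth(self) -> int:
        return 0 if self.parent is None else 1 + self.parent.depth()


@dataclass
class VM:
    name: str
    tags: Set[str] = field(default_factory=set)
    files: Dict[str, bool] = field(default_factory=dict)  # path -> is_malicious (constructed)


class Inventory:
    """Stand-in for the vCenter/vCNS view of groups and their members."""

    def __init__(self, groups: List[SecurityGroup]):
        self.groups = groups

    def groups_for(self, vm: VM) -> List[SecurityGroup]:
        """Direct members (static or by tag) plus every ancestor: nesting inherits."""
        found: List[SecurityGroup] = []
        for g in self.groups:
            by_tag = bool(g.tag_criteria) and g.tag_criteria <= vm.tags
            if vm.name in g.static_members or by_tag:
                node: Optional[SecurityGroup] = g
                while node is not None:
                    if node not in found:
                        found.append(node)
                    node = node.parent
        return found

    def effective_policy(self, vm: VM) -> Dict[str, str]:
        """Merge policies of all groups the VM is in: lower precedence first, and for
        equal precedence the parent before the child, so the most specific setting wins."""
        bound = [g for g in self.groups_for(vm) if g.policy is not None]
        bound.sort(key=lambda g: (g.policy.precedence, g.depth()))
        merged: Dict[str, str] = {}
        for g in bound:
            merged.update(g.policy.services)
        return merged


class AgentlessAvSva:
    """Stand-in for the per-host AV SVA: enforces whatever AV setting the VM's
    current groups yield and reports through a security tag (assumed name)."""
    DETECT_TAG = "AV.Detect"

    def __init__(self, inventory: Inventory):
        self.inventory = inventory
        self.log: List[str] = []

    def on_execute(self, vm: VM, path: str) -> str:
        """Called when a user on the guest tries to execute a file."""
        mode = self.inventory.effective_policy(vm).get("av", "none")
        if not vm.files.get(path, False):
            return "allowed"                      # clean file in any mode
        if mode == "detect_only":
            vm.tags.add(self.DETECT_TAG)          # the manager sets the tag; the tag
            self.log.append(f"{vm.name}: {path} blocked, tag set")
            return "denied"                       # alone moves the VM to Quarantine
        if mode == "clean":
            del vm.files[path]                    # delete on execute
            vm.tags.discard(self.DETECT_TAG)      # cleared tag drops the VM from Quarantine
            self.log.append(f"{vm.name}: {path} deleted, tag cleared")
            return "cleaned"
        self.log.append(f"{vm.name}: no AV policy bound, {path} ran unchecked")
        return "allowed"                          # gap: a group with no AV service


def build_scenario() -> Tuple[Inventory, VM]:
    """Constructed data: HR enclave (Gold), Normal sub-group (AV Detect Only) and a
    Quarantine remediation zone populated purely by tag (AV Clean)."""
    gold = SecurityPolicy("Gold", {"firewall": "default-deny", "ips": "on"})
    detect = SecurityPolicy("AV Detect Only", {"av": "detect_only"}, precedence=10)
    clean = SecurityPolicy("AV Clean", {"av": "clean"}, precedence=20)
    hr = SecurityGroup("HR Department", policy=gold)
    normal = SecurityGroup("Normal", policy=detect, parent=hr, static_members={"GVM-X"})
    quarantine = SecurityGroup("Quarantine", policy=clean,
                               tag_criteria={AgentlessAvSva.DETECT_TAG})
    vm = VM("GVM-X", files={"/home/user/invoice.exe": True, "/bin/ls": False})
    return Inventory([hr, normal, quarantine]), vm


def run_remediation() -> List[Tuple[str, List[str], Dict[str, str]]]:
    """Walk GVM-X through Normal -> Quarantine -> Normal, snapshotting each step."""
    inv, vm = build_scenario()
    sva = AgentlessAvSva(inv)
    trace: List[Tuple[str, List[str], Dict[str, str]]] = []

    def snap(label: str) -> None:
        trace.append((label, [g.name for g in inv.groups_for(vm)], inv.effective_policy(vm)))

    snap("assigned to Normal")
    snap(sva.on_execute(vm, "/home/user/invoice.exe"))  # denied: tagged, now in Quarantine
    snap(sva.on_execute(vm, "/home/user/invoice.exe"))  # cleaned: tag cleared, back to Normal
    return trace


if __name__ == "__main__":
    for label, groups, policy in run_remediation():
        print(f"{label:20} groups={groups} policy={policy}")
```

Run it directly to print the three snapshots. The point to take from it is that the SVA never consults the host or the group the VM is on, only the VM's effective policy; that is what lets one control (detection) drive another (cleaning) without a point-to-point integration, and what keeps the inherited Gold firewall setting in force while the VM sits in Quarantine. The last branch of on_execute is the caveat: a VM bound to no AV policy is simply unprotected, so empty or forgotten groups are a gap, not a safe default.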

Page 31: New Directions for Security Services and the Software Defined Data Center

Agenda (section divider; items as on Page 2)

Page 32: New Directions for Security Services and the Software Defined Data Center

What is the Future?

THE SOFTWARE DEFINED DATA CENTER BEGINS TODAY

• This began with vMotion…

• NSX Service Composer – 2013 Focus Areas: simplify service provisioning; make policies actionable and repeatable; enable multi-vendor, multi-discipline conditional workflows for service automation

SYMANTEC LEADING TO DELIVER ON THE PROMISE

• Unparalleled integration for Symantec solutions serving the Software Defined Data Center and security policy automation with NSX

• Converged roadmaps for VMware protection of the enterprise

• Coordinated releases for 2013 – see demos at VMworld

• Visit the VMware booth and the Symantec booth for more information

Page 33: New Directions for Security Services and the Software Defined Data Center

Agenda (section divider; items as on Page 2)

Page 34: New Directions for Security Services and the Software Defined Data Center


Q&A

Page 35: New Directions for Security Services and the Software Defined Data Center

Thank You!