IL B16 - Vision 2013 - Compliance for the SDDC - Final

Report
Compliance for the Software-Defined
Data Center
Jerry Breaud
Kurt Van Etten
VMware
Global Strategic Alliances - Compliance
Symantec
Director, Risk & Compliance Product
Management
IL B16 April 17, 2013 2:30pm to 3:30pm
1
Agenda
IT Drivers and the Software-Defined Data Center
Compliance in the SDDC
Our Approach: Compliance Reference Architectures
Symantec and VMware – PCI Solution
Q&A
SYMANTEC VISION 2013
2
IT Pressures – a Constant Over the Decades
“Are you getting the
maximum efficiency
out of your
infrastructure?”
“How quickly can IT
respond to LOB
requests?”
• Legislative Compliance
• Risk Reduction – SLAs & Business Continuity
• Security – Corp Assets & IP
SYMANTEC VISION 2013
Adoption Has Enabled Agility
25%
60%
>90%
WEEKS
DAYS/
HOURS
MINUTES/
SECONDS
2008
2012
FUTURE
SYMANTEC VISION 2013
Driven by Infrastructure
Storage/
Availability
Servers
Networking
Security
Management/
Monitoring
VDC
SOFTWARE-DEFINED
DATACENTER SERVICES
WEEKS
DAYS/
HOURS
MINUTES/
SECONDS
2008
2012
FUTURE
SYMANTEC VISION 2013
SOFTWARE-DEFINED
DATACENTER
All infrastructure is virtualized and
delivered as a service, and the
control of this datacenter is
entirely automated by software.
Abstract.
Pool.
Automate.
SYMANTEC VISION 2013
Getting to The Software-Defined Data Center (SDDC)
VMware vCloud Suite
MANAGEMENT
CLOUD INFRASTRUCTURE
EXTENSIBILITY
VMware vCloud Director
VMware vCloud
APIs
VMware vCloud
Automation Center
SOFTWARE-DEFINED
NETWORKING &
SECURITY
VMware vCenter
Operations
Mngmnt. Suite
VMware vFabric
Application
Director
VMware vCloud
Networking &
Security
SOFTWARE-DEFINED
STORAGE &
AVAILABILITY
VMware vCenter
Site Recovery
Manager
VIRTUALIZATION
VMware vSphere
Physical Infrastructure
(Server, Storage, Network)
SYMANTEC VISION 2013
VMware vCloud
Connector
VMware vCenter
Orchestrator
Symantec and the SDDC
Security and
Compliance
Solutions
MANAGEMENT
Storage &
Availability
Solutions
CLOUD INFRASTRUCTURE
Extensibility
EXTENSIBILITY
VMware vCloud Director
VMware vCloud
Automation Center
“At the endpoint
and beyond”
SOFTWARE-DEFINED
NETWORKING
&
Anti-virus
and Malware
SECURITY
VMware vCenter
Operations
Mngmnt. Suite
Virtual Server
Hardening (vSphere)
VMware vCloud
Data
Loss Prevention
Networking
&
Security
Threat Correlation
Content Filtering
VMware vFabric
Application
Director
“Always on, always
available”
SOFTWARE-DEFINED
VMware vCloud
APIs
STORAGE &
Backup
& Recovery
AVAILABILITY
High Availability
Application
Availability
VMware
vCenter
Site Recovery
Clustering
Manager
Archiving
Storage Management
Legal & Regulatory
VIRTUALIZATION
and Reporting
Compliance
Dynamic Multi-pathing
VMware vSphere
Managed Security
Physical Infrastructure
(Server, Storage, Network)
SYMANTEC VISION 2013
VMware vCloud
Connector
VMware vCenter
Orchestrator
The Virtualization Path – Continue the Journey
Software-Defined Data Center
Opex Saving
Capex Savings
Thru
Reactive
Thru
Automation
Consolidation
Game Change
Thru
Self-Service
Proactive
Abstract. Pool.
Automate.
Empower.
IT Production
Business
Production
IT as a Service
Presentation Identifier Goes Here
SYMANTEC VISION 2013
Reducing
Cost
Agility
Enabling
Governance
9
Compliance in the Software-Defined Data
Center
VMware: The Virtualization Journey: Managing and Proving Compliance
SYMANTEC VISION 2013
10
Typical Compliance Challenges
Virtualize Applications on The Journey
Operations Wants to Virtualize
and Consolidate More
 Reducing Costs
 Infrastructure efficiency
 Simpler management
 Reduces Compliance
Complexity
 Streamline compliance
reporting
Compliance & Security
Operations
But Sometimes Risk Owners
Need Convincing
Will I meet compliance &
security requirements?
Will my auditor approve?
What’s in it for me?
Will my virtualized environment
be as compliant as my physical
environment?
Business Risk Owner
Chief Compliance Officer/ Legal Council
SYMANTEC VISION 2013
Trust and Cloud Computing – Some New Challenges
• Mixed mode levels of trust
• VMs riding on the same Guest with different Trust Levels (PCI)
• Multi-Tenancy protecting Intellectual Property (IP) with shared
Resources
• Auditor, QSA Approval of Design
• Evidence based compliance
• What standards and frameworks do I adopt to minimize risk?
• How do I prove my data is properly protected and segmented?
• How do I automate the application best practices, regulatory
guidelines and vendor standards?
• Separation of consumer and provider
• Consumer delivered governance around workloads
• Evidence from provider around infrastructure compliance
• How do I address data governance, privacy, etc?
• How do we account for change? (Loss of Service)
SYMANTEC VISION 2013
VMware Offerings Lay The Foundation
Continuously assess
and remediate
compliance for guests
and VMware
Infrastructure.
SYMANTEC VISION 2013
Compliance Framework
Compliance Drivers
People
Process
Compliance Levers
Technology
VMware
1.
Compliance is the Top Business Driver
for Security Investment
2.
Compliance & Regulatory Concerns Is
#2 Concern For Private Cloud
3.
Compliance Is The # 1 Inhibitor to
Moving Data/Apps to the (Public) Cloud
Technology
Partners
(Symantec)
SYMANTEC VISION 2013
Services
Partners
(Consulting
& Audit )
VMware Compliance Reference
Architecture Framework
VMware: The Virtualization Journey: Managing and Proving Compliance
SYMANTEC VISION 2013
15
VMware Compliance GTM
Virtualize Applications on The Journey
• Customers want to Virtualize Business Critical Applications and
maintain required Compliance
• Concerns can slow adoption as an “objection” to virtualizing
‒ Concerns are being addressed one-off with individual customers
‒ Opportunity is to define Compliance solutions and scale through GTM model
• VMware Approach
‒ Deliver Thought Leadership To/Via Audit/Compliance Industry
‒ Build And Deliver Compliance Reference Architecture Framework
• Enable Compliant Cloud Solutions By Extending The VMware Eco-System
• 1) Align Audit/Advisory, 2) Infrastructure and 3) SI/SO/SP Partners
‒ Focus on Highly Regulated Industries
• Focus On PCI, HIPAA/HITECH, FedRAMP, FISMA, SOX, etc
• Start with PCI Solution to build framework and partnerships
‒ Expand to other solutions and GTM activities to scale
SYMANTEC VISION 2013
VMware – Compliance GTM – In the News
Virtualize Applications on The Journey
SYMANTEC VISION 2013
Solution Development Lifecycle
Virtualize Applications on The Journey
VMWARE & PARTNER
PRODUCTS
MAPPED TO
COMPLIANCE
CONTROLS
JOINT REFERENCE
ARCHITECTURE
DESIGN
BUSINESS FOCUSED
ADDRESSES
COMPLIANCE RISK
AUDITOR LAB
VALIDATION
PRODUCT +
SERVICES
TESTED FOR
INTEROPERATIBLITY &
COMPATIBILITY
VMware Ready, NetX,
etc.
COLLABORATIVE
DESIGN EFFORT
JOINT
ARCHITECTURES
BEST PRACTICES
Assessment, Design,
Deployment and
Operational Services
 Tested for
 Tested for API
compatibility &
Conformance
support
REVIEWED BY AUDITOR
VMware +
Infrastructure +
Auditor + Services
Partners
 Designed to  Designed to meet
meet business
majority of
requirements
technical controls
VALIDATED BY AUDITOR
 Led by VMware
 Multi-party strategy
 Auditor design input
 Meets regulatory audit requirements
 Sales motion alignment
 Delivery capabilities aligned
 Full solution lifecycle
SYMANTEC VISION 2013
Route to Market – Access, Expertise, Capability
Virtualize Applications on The Journey
1
Audit/Advisory Partners
Define & Validate RA’s
Industry Thought Leadership
NEW
Partners
Enhanced
2
Infrastructure Partner
Symantec is the first VMware
partner to publish Architecture
Design Guide for PCI
Strategy
Technology White Space
Enhance Compliance Capabilities
1
2
Compliance Solution Guides
Validated VMW
Reference
Architectures
4
Validated Partner
Reference
Architectures
3 GTS Compliance
Solution Toolkit
Customer
Converged Infrastructure
3
Systems Integrator
Outsourcer
Service Provider
SYMANTEC VISION 2013
Compliance Reference Architecture Framework
Virtualize Applications on The Journey
VMware
VMware
VMware
Approach to
Compliance
Solution
Guide
Architecture
Design Guide
Auditor
Reviewed
Document 1
Document 2
Document 3
VMware
VMware
Validated
Reference
Architecture
Auditor
Validated
GTS
Compliance
Solution
Toolkit
Auditor
Reviewed
Document 4
Document 5
VMware Technology
+
Services
Audit Advisory Partners
1
Defines the overall approach to compliance undertaken by VMware, Partners and Auditors for the broadest
understanding of the effort
2
Collaboration between VMware SMEs and Auditor to establish applicability of VMware software and applicable
regulation(s)
3
Builds upon the first 2 documents and describes more detailed approach for considerations when designing a
compliant architecture
4
Defines expected results of compliant architecture implemented with design principals from Doc 3, focus on audit
procedures for verification
5
Expands concepts of Reference Architecture into a concept of Deployment & operations for green field or remediation
implementations
SYMANTEC VISION 2013
Compliance Reference Architecture Framework
Virtualize Applications on The Journey
VMware
VMware
VMware
Approach to
Compliance
Solution
Guide
Architecture
Design Guide
Auditor
Reviewed
Document 1
Document 2
Document 3
VMware
VMware
Validated
Reference
Architecture
Auditor
Validated
GTS
Compliance
Solution
Toolkit
Auditor
Reviewed
Document 4
Partner
Partner
Partner
Partner
Approach to
Compliance
Solution
Guide
Architecture
Design Guide
Auditor
Reviewed
Document 1
Document 2
Symantec is the first VMware
partner to publish a Solution
Guide and Architecture Design
Guide for PCI
Document 3
VMware Technology
+
VMware
Technology
Services
Document 5
Audit Advisory Partners
VMware
Partners
VMware PSO
Compliance
Infrastructure
Solution
Partner
Compliance
Solution
Toolkit
Auditor
Reviewed
Validated
Reference
Architecture
Auditor
Validated
Document 4
Document 5
Audit Advisory Partners
SYMANTEC VISION 2013
VAR, SI, SO,
SP
Deployment
Services
Partner PSO
Partner Technology
Partner Technology
+
Services
Symantec-VMware Partnership
VMware: The Virtualization Journey: Managing and Proving Compliance
SYMANTEC VISION 2013
22
PCI Example – Functional Responsibilities
29%
PCI DSS Requirements
Organization
Responsibility
Non-technical
Policy, Process,
Procedure and
Physical
50%
VMware
Technical Products
22%
Partner
Technical Products
14%
VMware + Partners
Technical Products
SYMANTEC VISION 2013
23
Meeting PCI - Before Virtualization
PCI DSS x Symantec Solutions*
PCI DSS IT Control Statement
1. Install & Maintain a firewall configuration to protect cardholder data
DLP
2. Do not use vendor supplied defaults for passwords & other security
parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open and public
networks
5. Use and regularly update anti-virus software or programs
Firewalls
SIM
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict Physical access to cardholder data
10. Monitor and Test Network
Policy
Endpoint
Protection
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for employees
and contractors
Secure Config
SYMANTEC VISION 2013
Symantec Security & Compliance Solutions for VMware
Symantec Control Compliance Suite
• Policy scan of VM on deployment – quarantine / remediate
• Vulnerability scan of VM on deployment – quarantine / remediate
Symantec Data Loss Prevention
• Unparalleled ability to discover sensitive data on VMs
• Integration with vShield Endpoint to provide VM-quarantine based on DLP policy
Symantec Web Gateway
• Integration with vShield Endpoint Endpoint App for threat discovery (including botnets)
• Provision to quarantine / remediate threats
Symantec Security Information Manager | Symantec Managed Security Service
• Event correlation – quarantine / remediate
• Managed Security Service offering
Symantec Critical Systems Protection
• Protection from advanced threats for mission-critical servers
• vSphere and vCenter server protection to VMware and Industry standards
Symantec Endpoint Protection
• Dynamic, transparent, beyond-physical security on a hardened infrastructure
• Effective across both managed and unmanaged VMs
SYMANTEC VISION 2013
25
PCI Example –Virtualized Environment
Incident
Management and
Reporting
Endpoint Malware with
Intrusion
Detection/Prevention
Symantec DLP
with vCloud
Symantec Security Networking and
Information
Security
Manager
App
w/vShield Log
Collector
vShield
Endpoint
& Symantec
Endpoint
Solutions
Assess VMs for configuration
and vulnerability states to
remediate deficiencies and
policy violations
Discover sensitive data
• Scans environment looking for
sensitive data
• Flags affected VM’s
• Quarantine out of policy VMS
vCenter
Infrastructure
Navigator
Automated and
Self-healing
Symantec Control
Compliance Suite
w/vSphere Hardening
Policy
Map application
environment
• Show where the
affected systems
are connected
• Identify
relationships
vCloud
Networking and
Security Creates logical trust zones
• Automatically
App
• Based on App (banking)
segmented
• Inter-vSphere “firewall”
Policy and Assessment
Management
SYMANTEC VISION 2013
PCI Validated Solutions – available today
• Specific
implementation
guidance
• Maps VMware
and Partner
technologies
• VMwareauthored with
addendum by
partners
• Auditor reviewed
and validated
• HIPAA/HITECH in
2H 13
Symantec Compliance Practice
SYMANTEC VISION 2013
27
27
Bringing It All Together
VMware
Technology
Partners
(Symantec)
Presentation Identifier Goes Here
Services
Partners
(Consulting
& Audit )
SYMANTEC VISION 2013
28
Q&A
VMware: The Virtualization Journey: Managing and Proving Compliance
SYMANTEC VISION 2012
29
For More Information
VMware Compliance Press Release
https://www.vmware.com/company/news/releases/vmw-pci-100412.html
VMware Collateral
VMware Approach to Compliance
http://www.vmware.com/files/pdf/VMware-Approach-to-Compliance.pdf
VMware Solution Guide for PCI
http://www.vmware.com/files/pdf/VMware-Payment-Card-Industry-Solution-Guide.pdf
VMware Architecture Design Guide for PCI
http://www.vmware.com/files/pdf/VMware-Architecture-Design-Guide-for-PCI.pdf
Partner Collateral
VMware Partner Solution Guides for PCI
https://solutionexchange.vmware.com/store/categories/compliance
[email protected]
VMware: The Virtualization Journey: Managing and Proving Compliance
SYMANTEC VISION 2012
30
For More Information
Symantec VMWare Press Release
http://www.symantec.com/about/news/release/article.jsp?prid=20120228_02
Symantec Collateral
Symantec VMWare Approach to Security in Virtualized Environment
http://www.symantec.com/content/en/us/enterprise/white_papers/bWP_SecuringThePromiseOfVirtualization_WP_21229614.en-us.pdf
Symantec Solutions for Security and Compliance in Virtualized Environment
http://www.symantec.com/productssolutions/solutions/detail.jsp?parent=virtualization&child=secure_virtualization
Symantec Solutions that support PCI Compliance
http://www.symantec.com/pci-compliance
VMware: The Virtualization Journey: Managing and Proving Compliance
SYMANTEC VISION 2012
31

similar documents