
Craig Savage, Paul Wiggett

LDT1720BE

#VMworld #LDT1720BE

Securing the Hybrid Cloud (Agility vs. Control)

VMworld 2017 Content: Not for publication or distribution

Disclaimer

• This presentation may contain product features that are currently under development.

• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

• Technical feasibility and market demand will affect final delivery.

• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

Overview

• Consider the perspectives

• General Security and Governance Considerations

• Key control areas

Perspectives


Agility for whom?


Management?

Consumers?

Service Teams?

Platform Teams?


So what are these controls?

• Data protection

– UK Data Protection Act

– GDPR

– POPI

– etc.

• Security standards

– ISO27000

• Regulation and industry specific security requirements

– Banking regulation

– Pharmaceutical regulation

– PCI-DSS

– etc.


Overview of general security and governance considerations for large scale hybrid cloud deployments


Key control areas

• Technology control points

– Coming up in detail next

• Process control points

– Consider the points where data/code enters and exits your environment, for both Cloud for Dev and Cloud for Production

– Access control for the environments

• People controls

– Knowledge, knowledge, knowledge! Make sure people know what they are doing

– What you measure is what you get, revise objectives and ways of working

• Cultural considerations

– Quick response requires openness and honesty

– Move from CYA to CYBusiness


Not always what you might think!


How do we do this then?

• User Access Management

• Product Hardening

• Vulnerability Scanning

• Security Event Monitoring

Standard VMware Cloud Roles

• Cloud Infrastructure Services Team

– Cloud Infra Service Owner

– Cloud Infra Service Architect

– Cloud Infra Service Engineer

– Cloud Infra Service Analyst

– Cloud Infra Service Administrator

– Cloud Infra Service Developer

• Cloud Service Team

– Service Owner

– Service Architect

– Service QA

– Service Analyst

– Service Administrator

– Service Developer

• Portfolio Management Team

– Cloud Business Manager

– Portfolio Manager

– Policy / Blueprint Manager

– Business Relationship Manager

User Access Management

• Key Guidelines

– “God Mode” should not be granted to anyone on a permanent basis

– Service accounts must be tightly controlled

– Segregation of duties: grant just enough privilege to perform the daily role

– Some personas to use as starting point:

• Super Admin (God Mode). Only in Emergency

• Admin (Privileged - Incident/Change. No Security Administration)

• Security Admin (Maintaining Product Security Permissions ONLY)

• Operator (Daily Tasks)

• User (Read Only)

– Use the default product roles as a starting point. A large number of customised roles is a nightmare to operate and maintain

– Perform detailed mapping to your Cloud teams
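As an added illustration of the guidelines above (not code from the deck, from VMware, or from any product), the following Python script checks a constructed set of role assignments against the personas: no permanent "God Mode", service accounts with an owner and an expiry, and segregation of duties between Admin and Security Admin. The persona names are the slide's; the permission strings, the assignment record, the eight-hour emergency window and the sample principals are assumptions made for illustration.

```python
"""Policy checks for the access personas on the "User Access Management" slide.

Added example, not VMware code: the persona names come from the slide; the
permission strings, the assignment record, the eight-hour emergency window and
the sample principals are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed permission sets per persona (illustrative, not any product's real RBAC).
PERSONAS = {
    "Super Admin":    {"*"},                                             # "God Mode"
    "Admin":          {"incident.manage", "change.manage", "vm.manage"},
    "Security Admin": {"security.permissions.manage"},
    "Operator":       {"vm.manage"},
    "User":           {"read"},
}
EMERGENCY_WINDOW = timedelta(hours=8)   # assumed maximum life of a break-glass grant


@dataclass
class Assignment:
    principal: str
    role: str
    service_account: bool = False
    owner: Optional[str] = None          # required for service accounts
    expires: Optional[datetime] = None   # None means a permanent grant


def check_personas(personas):
    """Admin must carry no security administration; Security Admin nothing else."""
    findings = []
    if any(p.startswith("security.") for p in personas["Admin"]):
        findings.append("Admin persona includes security administration")
    if any(not p.startswith("security.") for p in personas["Security Admin"]):
        findings.append("Security Admin persona is not limited to security permissions")
    return findings


def check_assignments(assignments, now):
    """Return a list of findings; an empty list means every grant conforms."""
    findings = []
    roles_by_principal = {}
    for a in assignments:
        roles_by_principal.setdefault(a.principal, set()).add(a.role)
        if a.role not in PERSONAS:
            findings.append(f"{a.principal}: unknown role {a.role!r}")
            continue
        if a.role == "Super Admin":
            # "God Mode" is for emergencies only: it needs an expiry, and a short one.
            if a.expires is None:
                findings.append(f"{a.principal}: permanent Super Admin grant")
            elif a.expires - now > EMERGENCY_WINDOW:
                findings.append(f"{a.principal}: Super Admin grant exceeds the emergency window")
            if a.service_account:
                findings.append(f"{a.principal}: service account holds Super Admin")
        if a.service_account:
            # Service accounts are tightly controlled: a named owner and a bounded life.
            if not a.owner:
                findings.append(f"{a.principal}: service account without an owner")
            if a.expires is None:
                findings.append(f"{a.principal}: service account credential never expires")
    # Segregation of duties: the persona that runs incidents/changes and the one that
    # administers security permissions must not be held by the same principal.
    for principal, roles in roles_by_principal.items():
        if {"Admin", "Security Admin"} <= roles:
            findings.append(f"{principal}: holds both Admin and Security Admin")
    return findings


# Constructed sample, not taken from any real environment.
NOW = datetime(2017, 8, 28, 9, 0, tzinfo=timezone.utc)
SAMPLE_ASSIGNMENTS = [
    Assignment("alice", "Operator"),
    Assignment("bob", "Super Admin"),                                      # permanent God Mode
    Assignment("carol", "Super Admin", expires=NOW + timedelta(hours=4)),  # break-glass, fine
    Assignment("dave", "Admin"),
    Assignment("dave", "Security Admin"),                                  # SoD conflict
    Assignment("svc-backup", "Operator", service_account=True,
               owner="platform-team", expires=NOW + timedelta(days=90)),
    Assignment("svc-legacy", "Admin", service_account=True),               # no owner, no expiry
]


def audit_sample():
    """Run both checks over the constructed sample and return all findings."""
    return check_personas(PERSONAS) + check_assignments(SAMPLE_ASSIGNMENTS, NOW)


if __name__ == "__main__":
    for finding in audit_sample():
        print("FINDING:", finding)
```

The checks are deliberately data-driven: once the real role export of a platform is mapped onto the five personas, the same functions run unchanged, and a non-empty findings list is the signal that a grant drifted away from the guidelines.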


Product Hardening

• Don’t reinvent the wheel

– https://www.vmware.com/uk/security/hardening-guides.html

• NSX

• vSphere

• vRealize Automation

• vRealize Operations

• These actions have mostly already been performed on appliance-based deployment methods

• Measure Hardening Compliance in vRealize Operations


Vulnerability Scanning

• VMware uses a number of techniques throughout the software development cycle to improve upon the security of its products. These standard techniques include:

– Threat Modeling

– Static Code Analysis

– Penetration Testing using both internal and external security expertise

– Incident Response Planning

• Member of BSIMM, SAFECode, CII

• Sign up for product security advisories

– https://www.vmware.com/security/advisories.html


Vulnerability Scanning (Best Practice)

• Use a scanning tool that supports scanning without credentials

– Scanning with user created credentials potentially violates VMware support conditions

– It is not supported to modify VMware virtual appliances (vCSA, vROps, etc.), including adding service accounts or packages

– Any modifications could also potentially be lost in product upgrades

• Test initial vulnerability scans on a small subset of your non-production clusters/hosts

– Some tools have been known to cause outages on scans

• VMware will act on any vulnerabilities you may find through tooling scans and subsequently report to us

– https://www.vmware.com/support/policies/security_response.html


Security Event Monitoring

• Well-designed Security Event Monitoring should pre-emptively detect and report on all events that may impact the security level of a cloud management system.

• As a minimum, the following should be tracked:

– Log on and access to files/programs using privileged accounts

– Log on using normal user accounts

– System start-up and stop

– I/O device attachment/detachment

– Unauthorized access attempts

– Log deletion and modification

– Account creation and deletion

– Unavailability of system or key services
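To show how the minimum list above becomes something checkable, here is an added Python example (not from the deck and not a VMware or vRealize Log Insight feature) that classifies constructed syslog-style lines into the eight event classes, reports which classes produced nothing, and separates the events that should alert immediately from those that belong in a daily report. The log layout, the regular expressions and the sample lines are assumptions.

```python
"""Coverage check for the minimum event classes on the "Security Event Monitoring" slide.

Added example, not VMware or vRealize Log Insight code. The eight class names
follow the slide; the log format, the regular expressions and the sample lines
below are constructed for illustration.
"""
import re

# First match wins, so the failed-logon pattern is tested before the successful
# logon patterns, and the privileged logon before the generic one.
MINIMUM_EVENTS = [
    ("unauthorized access attempt",     re.compile(r"Failed password|authentication failure|Permission denied")),
    ("privileged account logon/access", re.compile(r"Accepted \S+ for root\b|sudo: .*COMMAND=")),
    ("normal user logon",               re.compile(r"Accepted \S+ for \S+")),
    ("system start-up/stop",            re.compile(r"system shutdown|Startup finished|reboot")),
    ("I/O device attach/detach",        re.compile(r"USB device|USB disconnect")),
    ("log deletion/modification",       re.compile(r"/var/log/\S+ (deleted|modified|truncated)")),
    ("account creation/deletion",       re.compile(r"useradd\[|userdel\[")),
    ("system/key service unavailable",  re.compile(r"\S+\.service: main process exited|Stopped \S+\.service")),
]

# Classes that warrant an immediate alert rather than a line in the daily report.
ALERT_IMMEDIATELY = {"unauthorized access attempt", "log deletion/modification"}


def classify(line):
    """Return the event class of one log line, or None if it is not a tracked event."""
    for name, pattern in MINIMUM_EVENTS:
        if pattern.search(line):
            return name
    return None


def coverage(lines):
    """Count lines per minimum event class, keeping zero entries for silent classes."""
    counts = {name: 0 for name, _ in MINIMUM_EVENTS}
    for line in lines:
        cls = classify(line)
        if cls is not None:
            counts[cls] += 1
    return counts


def gaps(lines):
    """Classes the slide requires that produced no events at all.

    A silent class is a collection gap to investigate (no source wired up, or a
    parser that never matches), not evidence that nothing happened.
    """
    return [name for name, n in coverage(lines).items() if n == 0]


def alerts(lines):
    """(class, line) pairs for the events that should page someone."""
    out = []
    for line in lines:
        cls = classify(line)
        if cls in ALERT_IMMEDIATELY:
            out.append((cls, line))
    return out


# Constructed sample lines in a syslog-like layout; not real captures.
SAMPLE_LOG = [
    "2017-08-28T09:00:01Z host01 sshd[812]: Accepted publickey for root from 10.0.0.5 port 51022",
    "2017-08-28T09:00:07Z host01 sshd[815]: Accepted password for jsmith from 10.0.0.9 port 51030",
    "2017-08-28T09:01:12Z host01 sshd[820]: Failed password for invalid user admin from 203.0.113.7 port 40012",
    "2017-08-28T09:03:00Z host01 useradd[901]: new user: name=svc-scan, UID=1005, GID=1005",
    "2017-08-28T09:05:44Z host01 audit[1]: /var/log/auth.log deleted by uid=0",
    "2017-08-28T09:10:00Z host01 systemd[1]: sshd.service: main process exited, code=killed, status=9/KILL",
    "2017-08-28T09:15:00Z host01 systemd[1]: Starting system shutdown.",
]


if __name__ == "__main__":
    for name, n in coverage(SAMPLE_LOG).items():
        print(f"{n:3d}  {name}")
    print("silent classes:", gaps(SAMPLE_LOG))
    for cls, line in alerts(SAMPLE_LOG):
        print("ALERT", cls, "->", line)
```

On the sample the device class is silent, which is the kind of result the check exists to surface: the tracked list is only as good as the sources feeding it, and a class that never fires in a week of logs usually means a missing forwarder or a parser that does not match, not a quiet estate.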


Security Event Monitoring

Enter vRealize Log Insight

• Log Insight agent now supported and included on most GA product virtual appliances

• Large number of content packs with targeted security dashboards out of the box

• Conditional event forwarding to upstream log consolidation tools such as SIEM or Splunk

• Archive logs for long term auditing


Summary

See the clouds from above

In conclusion

• Technology control points

– Understand the business requirement, match it to the security/governance requirements and implement controls only where necessary

• Process control points

– Differentiate between Mature IT and Cloud processes, combine where possible

– Constantly review your cloud processes, optimize often and focus on delivering managed speed

• People controls

– Train and develop, operating at speed requires focus and discipline

– Incentivize stability in Mature IT, speed of execution in the Cloud

• Cultural considerations

– Must be led top down, encourage senior management to be part of the change

– Cover Your Business, it’s a team effort now


Transform your way of working


Craig Savage, Operations Architect, [email protected] @craig_savage

Paul Wiggett, Technical Operations Architect, [email protected] @mrporcles

Thank you
