TRANSCRIPT
Craig Savage, Paul Wiggett
LDT1720BE
#VMworld #LDT1720BE
Securing the Hybrid Cloud (Agility vs. Control)
VMworld 2017 Content: Not for publication or distribution
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
Disclaimer
#LDT1720BE CONFIDENTIAL
Overview
• Consider the perspectives
• General Security and Governance Considerations
• Key control areas
Agility for whom?
Management?
Consumers?
Service Teams?
Platform Teams?
So what are these controls?
• Data protection
– UK Data Protection Act
– GDPR
– POPI
– etc
• Security standards
– ISO27000
• Regulation and industry specific security requirements
– Banking regulation
– Pharmaceutical regulation
– PCI-DSS
– etc
Overview of general security and governance considerations for large-scale hybrid cloud deployments
Key control areas
• Technology control points
– Coming up in detail next
• Process control points
– Consider the points where data/code comes into and exits your environment, Cloud for Dev and Cloud for Production
– Access control for the environments
• People controls
– Knowledge, knowledge, knowledge! Make sure people know what they are doing
– What you measure is what you get, revise objectives and ways of working
• Cultural considerations
– Quick response requires openness and honesty
– Move from CYA to CYBusiness
Not always what you might think!
How do we do this then?
• User Access Management
• Product Hardening
• Vulnerability Scanning
• Security Event Monitoring
Standard VMware Cloud Roles
• Cloud Infrastructure Services Team
– Cloud Infra Service Owner
– Cloud Infra Service Architect
– Cloud Infra Service Engineer
– Cloud Infra Service Analyst
– Cloud Infra Service Administrator
– Cloud Infra Service Developer
• Cloud Service Team
– Service Owner
– Service Architect
– Service QA
– Service Analyst
– Service Administrator
– Service Developer
• Portfolio Management Team
– Cloud Business Manager
– Portfolio Manager
– Policy / Blueprint Manager
– Business Relationship Manager
User Access Management
• Key Guidelines
– “God Mode” should not be granted to anyone on a permanent basis
– Service accounts must be tightly controlled
– Segregation of duties: grant just enough privilege to perform the daily role
– Some personas to use as starting point:
• Super Admin (God Mode). Only in Emergency
• Admin (Privileged - Incident/Change. No Security Administration)
• Security Admin (Maintaining Product Security Permissions ONLY)
• Operator (Daily Tasks)
• User (Read Only)
– Use default product roles as a starting point. A large number of customised roles is a nightmare to operate and maintain
– Perform detailed mapping to your Cloud teams
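The persona model above can be enforced in code rather than by convention. The following is an added example (not VMware product code and not the deck's own material) that models the five personas as permission sets, refuses a permanent "God Mode" grant, keeps security administration out of the ordinary Admin persona, lapses an emergency elevation when its window expires, and audits an export of existing assignments for segregation-of-duties breaks, ownerless service accounts and stale elevations. The permission names, persona keys, principals and dates are assumptions made for illustration.

```python
"""Persona-based access check with time-bound emergency elevation.

Constructed example, not VMware product code: it models the five personas
from the slide as permission sets, refuses standing "God Mode", keeps the
security-administration permission out of the ordinary Admin persona, and
audits an export of existing assignments for segregation-of-duties breaks.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Permission names are assumptions for illustration, not product permissions.
READ = "read"                      # view-only access (User persona)
OPERATE = "operate"                # daily tasks (Operator persona)
CHANGE = "change"                  # incident and change work (Admin persona)
SECURITY_ADMIN = "security_admin"  # maintain product security permissions only
ALL = "*"                          # every permission (Super Admin only)

PERSONAS = {
    "user": {READ},
    "operator": {READ, OPERATE},
    "admin": {READ, OPERATE, CHANGE},        # deliberately no SECURITY_ADMIN
    "security_admin": {READ, SECURITY_ADMIN},
    "super_admin": {ALL},                    # emergency only, always time-bound
}


@dataclass
class Assignment:
    principal: str
    persona: str
    expires_at: Optional[datetime] = None    # None means permanent
    is_service_account: bool = False
    owner: Optional[str] = None              # service accounts need a named owner


def assign(principal: str, persona: str, *, expires_at: Optional[datetime] = None,
           is_service_account: bool = False, owner: Optional[str] = None) -> Assignment:
    """Create an assignment, enforcing the guidelines at grant time."""
    if persona not in PERSONAS:
        raise ValueError(f"unknown persona: {persona}")
    if persona == "super_admin" and expires_at is None:
        raise ValueError("super_admin must be time-bound: no permanent God Mode")
    if is_service_account and owner is None:
        raise ValueError("service accounts must have a named owner")
    return Assignment(principal, persona, expires_at, is_service_account, owner)


def is_allowed(assignment: Assignment, permission: str, now: datetime) -> bool:
    """Evaluate one access request; an expired elevation grants nothing."""
    if assignment.expires_at is not None and now >= assignment.expires_at:
        return False
    granted = PERSONAS[assignment.persona]
    return ALL in granted or permission in granted


def audit(assignments: List[Assignment], now: datetime) -> List[Tuple[str, str]]:
    """Check an export of existing assignments (which may predate assign())."""
    findings = []
    personas_by_principal = {}
    for a in assignments:
        personas_by_principal.setdefault(a.principal, set()).add(a.persona)
        if a.persona == "super_admin" and a.expires_at is None:
            findings.append((a.principal, "permanent super_admin"))
        if a.is_service_account and a.owner is None:
            findings.append((a.principal, "service account without owner"))
        if a.expires_at is not None and now >= a.expires_at:
            findings.append((a.principal, f"expired {a.persona} still assigned"))
    # Segregation of duties: nobody holds change rights and security rights at once.
    for principal, personas in personas_by_principal.items():
        if "admin" in personas and "security_admin" in personas:
            findings.append((principal, "segregation of duties: admin + security_admin"))
    return findings


def demo(now: Optional[datetime] = None) -> dict:
    """Worked scenario with constructed principals; returns results for checking."""
    now = now or datetime(2017, 8, 29, 10, 0, tzinfo=timezone.utc)
    # Two-hour emergency elevation for an incident; it lapses on its own.
    emergency = assign("oncall", "super_admin", expires_at=now + timedelta(hours=2))
    try:
        assign("carol", "super_admin")          # permanent God Mode must be refused
        permanent_refused = False
    except ValueError:
        permanent_refused = True
    export = [                                  # constructed export of live assignments
        Assignment("dave", "admin"),
        Assignment("dave", "security_admin"),   # segregation-of-duties break
        Assignment("svc-backup", "operator", is_service_account=True),
        Assignment("eve", "super_admin"),       # permanent, created outside assign()
        Assignment("frank", "admin", expires_at=now - timedelta(days=1)),
    ]
    return {
        "operator_can_operate": is_allowed(assign("alice", "operator"), OPERATE, now),
        "operator_can_change": is_allowed(assign("alice", "operator"), CHANGE, now),
        "admin_can_security_admin": is_allowed(assign("bob", "admin"), SECURITY_ADMIN, now),
        "emergency_now": is_allowed(emergency, SECURITY_ADMIN, now),
        "emergency_later": is_allowed(emergency, SECURITY_ADMIN, now + timedelta(hours=3)),
        "permanent_refused": permanent_refused,
        "findings": sorted(audit(export, now)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The audit runs over a plain export of assignments rather than only over grants made through `assign()`, because the assignments that break the guidelines in practice are usually the ones created by hand before the policy existed.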
Product Hardening
• Don’t reinvent the wheel
– https://www.vmware.com/uk/security/hardening-guides.html
• NSX
• vSphere
• vRealize Automation
• vRealize Operations
• These actions have mostly already been performed in appliance-based deployments
• Measure Hardening Compliance in vRealize Operations
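Measuring hardening compliance comes down to comparing an exported configuration against a baseline and reporting drift per host. The following is an added example (not VMware code and not vRealize Operations' compliance logic) that does this for two constructed host exports. The setting names follow the ESXi advanced-setting style used in the hardening guides, but the expected values, the severities and the scoring are assumptions for illustration; take the real expectations from the guides linked above.

```python
"""Hardening-baseline compliance check over an exported host configuration.

Added example, not VMware code or vRealize Operations logic. The baseline
and the host exports below are constructed for illustration; the expected
values must come from the published hardening guides.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Check:
    key: str                          # setting name in the export
    expect: Callable[[Any], bool]     # predicate over the observed value
    expected_text: str                # human-readable expectation for the report
    severity: str = "high"


# Constructed baseline (values chosen for illustration only).
BASELINE: List[Check] = [
    Check("UserVars.ESXiShellInteractiveTimeOut", lambda v: 0 < v <= 900, "1..900 seconds"),
    Check("UserVars.ESXiShellTimeOut", lambda v: 0 < v <= 900, "1..900 seconds"),
    Check("Security.AccountLockFailures", lambda v: 1 <= v <= 5, "1..5 attempts"),
    Check("Syslog.global.logHost", lambda v: bool(v), "remote syslog target configured"),
    Check("Config.HostAgent.plugins.solo.enableMob", lambda v: v is False, "MOB disabled", "medium"),
    Check("UserVars.SuppressShellWarning", lambda v: v == 0, "shell warning not suppressed", "low"),
]


def evaluate(host_name: str, settings: Dict[str, Any]) -> Tuple[int, List[dict]]:
    """Return (score_percent, findings); findings lists failed and missing checks."""
    findings = []
    passed = 0
    for check in BASELINE:
        if check.key not in settings:
            findings.append({"host": host_name, "key": check.key, "status": "missing",
                             "expected": check.expected_text, "severity": check.severity})
            continue
        value = settings[check.key]
        try:
            ok = check.expect(value)
        except TypeError:
            ok = False   # a value of the wrong type is a failure, not a crash
        if ok:
            passed += 1
        else:
            findings.append({"host": host_name, "key": check.key, "status": "fail",
                             "observed": value, "expected": check.expected_text,
                             "severity": check.severity})
    score = round(100 * passed / len(BASELINE))
    return score, findings


# Constructed sample exports for two non-production hosts.
SAMPLE_HOSTS: Dict[str, Dict[str, Any]] = {
    "esx-dev-01": {
        "UserVars.ESXiShellInteractiveTimeOut": 600,
        "UserVars.ESXiShellTimeOut": 600,
        "Security.AccountLockFailures": 5,
        "Syslog.global.logHost": "udp://loginsight.example.internal:514",
        "Config.HostAgent.plugins.solo.enableMob": False,
        "UserVars.SuppressShellWarning": 0,
    },
    "esx-dev-02": {
        "UserVars.ESXiShellInteractiveTimeOut": 0,      # 0 = shell never times out
        "UserVars.ESXiShellTimeOut": 600,
        "Security.AccountLockFailures": 0,             # lockout disabled
        "Syslog.global.logHost": "",                   # no remote log target
        "Config.HostAgent.plugins.solo.enableMob": True,
        # UserVars.SuppressShellWarning absent from this export
    },
}


def report(hosts: Dict[str, Dict[str, Any]] = SAMPLE_HOSTS) -> Dict[str, Tuple[int, List[dict]]]:
    """Score every host and collect its drift findings."""
    return {name: evaluate(name, cfg) for name, cfg in hosts.items()}


if __name__ == "__main__":
    for host, (score, findings) in report().items():
        print(f"{host}: {score}% compliant")
        for f in findings:
            print("  ", f["severity"], f["key"], f["status"], "expected", f["expected"])
```

A setting that is absent from the export is reported separately from one that is present with a wrong value, since the two usually have different causes (an older build, or a manual change) and different fixes.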
Vulnerability Scanning
• VMware uses a number of techniques throughout the software development cycle to improve upon the security of its products. These standard techniques include:
– Threat Modeling
– Static Code Analysis
– Penetration Testing using both internal and external security expertise
– Incident Response Planning
• Member of BSIMM, SAFECode, CII
• Sign up for product security advisories
– https://www.vmware.com/security/advisories.html
Vulnerability Scanning (Best Practice)
• Use a scanning tool that supports scanning without credentials
– Scanning with user-created credentials potentially violates VMware support conditions
– Modifying VMware virtual appliances (vCSA, vROps, etc.), including adding service accounts or packages, is not supported
– Any modifications could also potentially be lost in product upgrades
• Test initial vulnerability scans on a small subset of your non-production clusters/hosts
– Some tools have been known to cause outages on scans
• VMware will act on any vulnerabilities you may find through tooling scans and subsequently report to us
– https://www.vmware.com/support/policies/security_response.html
Security Event Monitoring
• Well-designed Security Event Monitoring should pre-emptively detect and report on all events that may impact the security level of a cloud management system.
• As a minimum the following should be tracked:
– Log on and access to files/programs using privileged accounts
– Log on using normal user accounts
– System start-up and stop
– I/O device attachment/detachment
– Unauthorized access attempts
– Log deletion and modification
– Account creation and deletion
– Unavailability of system or key services
Security Event Monitoring
Enter vRealize Log Insight
• Log Insight agent now supported and included on most GA product virtual appliances
• Large amount of content packs with targeted security dashboards out of the box
• Conditional event forwarding to upstream log consolidation tools such as SIEM or Splunk
• Archive logs for long term auditing
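The minimum tracking list from the previous slide and the conditional forwarding described here fit together as one pipeline: classify each event, keep everything in the local archive, and send only the classes that matter to the SIEM. The following is an added example (not vRealize Log Insight content and not VMware code) that runs that logic over constructed syslog-style lines, counts each tracked class, raises a repeated-failure alert per source address, and marks which events are forwarded upstream. The log lines, the match patterns, the privileged-account list, the failure threshold and the forwarding set are all assumptions for illustration.

```python
"""Minimum security-event tracking with conditional upstream forwarding.

Added example, not vRealize Log Insight content or VMware code. It classifies
syslog-style lines into the event classes the slide lists, counts them, raises
a simple repeated-failure alert, and marks which classes are forwarded to an
upstream SIEM. Patterns, thresholds and the forwarding set are assumptions.
"""
import re
from collections import Counter
from typing import List, Optional

# Constructed sample input (not real product output).
SAMPLE_LOGS = """\
2017-08-29T10:00:01Z host01 sshd: Accepted password for root from 10.0.0.5 port 51000
2017-08-29T10:00:07Z host01 sshd: Accepted password for jsmith from 10.0.0.9 port 51002
2017-08-29T10:00:12Z host01 sshd: Failed password for admin from 203.0.113.7 port 40022
2017-08-29T10:00:13Z host01 sshd: Failed password for admin from 203.0.113.7 port 40023
2017-08-29T10:01:00Z host01 systemd: Stopping Virtual Machine Monitor Service
2017-08-29T10:01:30Z host01 kernel: usb 1-1: new high-speed USB device number 4
2017-08-29T10:02:00Z host01 auditd: USER_ADD acct="deploy" exe="/usr/sbin/useradd" res=success
2017-08-29T10:02:30Z host01 auditd: PATH name="/var/log/auth.log" nametype=DELETE
2017-08-29T10:03:00Z host01 cron: (root) CMD (/usr/local/bin/backup.sh)
"""

PRIVILEGED_ACCOUNTS = {"root", "admin", "administrator"}   # assumption
LOGON_OK = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
LOGON_FAIL = re.compile(r"Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

# Ordered rules for the remaining classes in the slide's minimum list.
RULES = [
    ("unauthorized_access", LOGON_FAIL),
    ("system_start_stop", re.compile(r"\b(Starting|Stopping|Booting|Shutting down)\b")),
    ("device_attach_detach", re.compile(r"\busb \S+: (new .*device|USB disconnect)")),
    ("log_tamper", re.compile(r'name="/var/log/[^"]*".*nametype=(DELETE|WRITE)')),
    ("account_change", re.compile(r"\b(USER_ADD|USER_DEL|useradd|userdel)\b")),
    ("service_unavailable", re.compile(r"\b(failed to start|unavailable|not responding)\b", re.I)),
]

# Conditional forwarding: only these classes leave the local archive for the SIEM.
FORWARD_UPSTREAM = {"privileged_logon", "unauthorized_access", "log_tamper",
                    "account_change", "service_unavailable"}


def classify(line: str) -> Optional[str]:
    """Map one line to a tracked class, or None if it is not one we track."""
    m = LOGON_OK.search(line)
    if m:
        return "privileged_logon" if m["user"] in PRIVILEGED_ACCOUNTS else "user_logon"
    for category, pattern in RULES:
        if pattern.search(line):
            return category
    return None   # archived locally only


def process(text: str, fail_threshold: int = 2):
    """Return (events, counts_by_class, alerts) for a block of log text."""
    events: List[dict] = []
    counts: Counter = Counter()
    failures_by_src: Counter = Counter()
    for line in text.splitlines():
        category = classify(line)
        if category is None:
            continue
        counts[category] += 1
        events.append({"category": category,
                       "forward": category in FORWARD_UPSTREAM,
                       "line": line})
        if category == "unauthorized_access":
            failures_by_src[LOGON_FAIL.search(line)["src"]] += 1
    alerts = [f"{src}: {n} failed logons"
              for src, n in failures_by_src.items() if n >= fail_threshold]
    return events, dict(counts), alerts


if __name__ == "__main__":
    events, counts, alerts = process(SAMPLE_LOGS)
    print(counts)
    print("forwarded:", sum(e["forward"] for e in events), "of", len(events))
    print("alerts:", alerts)
```

Successful logons are split by account before anything else because a privileged logon is worth forwarding and a normal user logon usually is not; the cron line is left unclassified on purpose to show that untracked activity still lands in the archive without reaching the SIEM.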
In conclusion
• Technology control points
– Understand the business requirement, match it to the security/governance requirements and implement controls only where necessary
• Process control points
– Differentiate between Mature IT and Cloud processes, combine where possible
– Constantly review your cloud processes, optimize often and focus on delivering managed speed
• People controls
– Train and develop, operating at speed requires focus and discipline
– Incentivize stability in Mature IT, speed of execution in the Cloud
• Cultural considerations
– Must be led top down, encourage senior management to be part of the change
– Cover Your Business, it’s a team effort now
Transform your way of working
Craig Savage, Operations Architect, [email protected] @craig_savage
Paul Wiggett, Technical Operations Architect, [email protected] @mrporcles
Thank you