Virtualization and Compliance: How To Maintain Speed While Navigating Bumps in The Road
Hemma Prafullchandra
CTO, HyTrust, Inc.
hemma@hytrust.com
Virtualization Today

Virtualization Emerges from the Test/Dev Sandbox
• 18-25% of servers in SMB and large enterprise are virtualized today
• More than 70% of users are comfortable deploying production apps on shared environments
• “Virtualization First” is the deployment goal for many larger enterprises

ROI is Proven for Dev-Test and Tier 2 Applications
• Primary Use Case to Date: Consolidation
• Primary IT Challenges: P2V, Rapid Provisioning, Sprawl Management
• Server virtualization has driven storage and network virtualization

The Next ROI Challenge: Tier 1 Business-Critical Applications
• More than ¾ plan to virtualize an additional 25% of servers by mid-2012
• The combination of sprawl and higher business criticality for the next wave of virtualized workloads will place heavy burdens on IT operations teams
• Demands higher levels of infrastructure security, automated management, and best-practice control processes

Source: Taneja Group
Virtualization Management Inflection Point

Virtualization in Transition: Growth Phase, Transition, Control Phase
• VM numbers increasing
• Workload priority is higher
• CapEx savings leveling off
• OpEx efficiency declining
• Risk curve rising rapidly

Management Focus Shifts: From Growth to Command and Control
(Chart: horizontal axis runs from lower-priority workloads to business-critical workloads; plotted lines are CapEx savings, ops efficiency, compliance and risk.)

Source: Taneja Group
Before Virtualization

Established Controls
• Physical Security
• Identity and Access Mgmt
• Firewall Mgmt (incl. WAF)
• Perimeter/network segmentation
• Asset Management
• Vulnerability & Patch Mgmt
• Log/Event Monitoring & Mgmt
• Backup, encryption, A/V, IDS/IPS, …
• Incident Mgmt
• Policies & Procedures
(Diagram: administrators managing a physical datacenter.)

Typical Challenges
• Poor hardware utilization leading to higher power/space costs
• Limited flexibility
  • Rigid architecture
  • Long Mean-Time-To-Recovery
• Near zero agility – provisioning assets/infrastructure
• Limited redundancy/DR setup
Compliance Today

Reached a certain level of maturity
• Much to comply with: HIPAA, PCI DSS, SOX, GLBA, FISMA, NIST 800-*, SAS 70, NERC, …
• Many methodologies and frameworks to help: ITIL, COBIT, VALIT, GAIT, ISO27K, …
• Clear delineation of roles and responsibility
• Typically top-down, risk-based approach

BUT, constantly evolving given innovation in technology and threats/risks, and new regulatory/policy requirements
• PCI SSC established a Virtualization SIG in February 2009
• Draft 800-125 released by NIST in July 2010
• Cloud Security Alliance developing guidance, frameworks and audit tools for Cloud Computing

Challenge: Adoption and implementation
• Demands actionable, auditable & portable controls for the emerging highly dynamic environments
• Greater automation and improved processes
• Continuous visibility and compliance auditing become critical
• Models and frameworks have to span both internal and external clouds
After Virtualization

Benefits
• Lower OpEx and CapEx
• Greater flexibility
• Ability to recover more quickly
• Speed of server deployment
  • Template-based provisioning
• Easy to maintain redundancy
• Cost effective for DR/backup
(Diagram: administrators managing a virtualized datacenter.)
Re-review with Virtualization in Mind

Plan-Do-Check-Act cycle:
• Plan: Establish policies, processes, procedures, and security controls taking a top-down risk-based approach.
• Do: Implement and operate policies, controls, processes and procedures focusing on automation and consistency.
• Check: Monitor/assess and review focusing on continuous.
• Act: Maintain and improve, take corrective and preventive actions focusing on automation and consistency.

(Diagram: Four Inter-related Domains of COBIT: business goals, IT goals, compliance and risk, compliance and security, and operational and support-oriented processes. Source: ISACA)
Existing controls/solutions are inadequate

Security Control Domain: Access and User Administration
• Centralize User and Group (de)provisioning
• Grant access on need basis
• Enforce least privilege
• Reduce and monitor privileged access
• Segregate resources by purpose or ownership

Additional Virtualization-specific controls
• Consider both physical and logical access
• Segregate hypervisor administrative duties (e.g. by function, purpose or ownership)
• Control all access paths/remote APIs
• Segment virtual networks
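An added example (not from the presentation or HyTrust) of how the access-control items on this slide can be checked mechanically: it audits a constructed set of hypervisor-management grants for segregated admin duties across purpose/ownership scopes, monitored privileged access, and controlled remote-API access paths. The record fields, role names, scope names and approval sets are all assumptions.

```python
"""Constructed audit of hypervisor admin grants against the slide's controls:
segregated hypervisor admin duties, monitored privileged access, and
controlled remote-API access paths. Record fields and names are assumed."""
from collections import defaultdict

# Constructed sample grants: principal, role, resource scope, access path.
# Scopes are resource pools already segregated by purpose or ownership.
GRANTS = [
    {"user": "alice",      "role": "HypervisorAdmin", "scope": "pci-cardholder", "path": "console"},
    {"user": "alice",      "role": "HypervisorAdmin", "scope": "dev-test",       "path": "console"},
    {"user": "bob",        "role": "NetworkAdmin",    "scope": "pci-cardholder", "path": "api"},
    {"user": "carol",      "role": "ReadOnly",        "scope": "dev-test",       "path": "api"},
    {"user": "svc-backup", "role": "HypervisorAdmin", "scope": "dev-test",       "path": "api"},
]
PRIVILEGED_ROLES = {"HypervisorAdmin", "NetworkAdmin", "StorageAdmin"}
MONITORED_USERS = {"alice", "bob"}           # privileged sessions logged and reviewed
APPROVED_API_USERS = {"bob", "svc-backup"}   # remote-API access path explicitly approved


def audit(grants, privileged=PRIVILEGED_ROLES, monitored=MONITORED_USERS,
          api_approved=APPROVED_API_USERS):
    """Return sorted (finding, user, scope) tuples for grants that break a control."""
    findings = []
    priv_scopes = defaultdict(set)
    for g in grants:
        if g["role"] in privileged:
            priv_scopes[g["user"]].add(g["scope"])
            # "Reduce and monitor privileged access": every privileged principal is monitored
            if g["user"] not in monitored:
                findings.append(("unmonitored-privileged", g["user"], g["scope"]))
        # "Control all access paths/remote APIs": API use only by approved principals
        if g["path"] == "api" and g["user"] not in api_approved:
            findings.append(("uncontrolled-api-path", g["user"], g["scope"]))
    # "Segregate hypervisor administrative duties": no principal holds privileged
    # roles across more than one purpose/ownership scope
    for user, scopes in priv_scopes.items():
        if len(scopes) > 1:
            findings.append(("sod-violation", user, "+".join(sorted(scopes))))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(GRANTS):
        print(*finding)
```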
Questions?
Click on the questions tab on your screen, type in your question, name
and e-mail address; then hit submit.