
Virtualization and Compliance:
How to Maintain Speed While Navigating Bumps in the Road

Hemma Prafullchandra
CTO, HyTrust, Inc.
hemma@hytrust.com
Virtualization Today

Virtualization Emerges from the Test/Dev Sandbox
• 18-25% of servers in SMB and large enterprise are virtualized today
• More than 70% of users are comfortable deploying production apps on shared environments
• “Virtualization First” is the deployment goal for many larger enterprises

ROI is Proven for Dev-Test and Tier 2 Applications
• Primary Use Case to Date: Consolidation
• Primary IT Challenges: P2V, Rapid Provisioning, Sprawl Management
• Server virtualization has driven storage and network virtualization

The Next ROI Challenge: Tier 1 Business-Critical Applications
• More than ¾ plan to virtualize an additional 25% of servers by mid-2012
• The combination of sprawl and higher business criticality for the next wave of virtualized workloads will place heavy burdens on IT operations teams
• Demands higher levels of infrastructure security, automated management, and best-practice control processes

Source: Taneja Group

4
Virtualization Management Inflection Point

Virtualization in Transition (chart: risk, compliance and ops-efficiency curves plotted across three phases)

Growth Phase, then Transition, then Control Phase
• VM numbers increasing
• Workload priority is higher
• CapEx savings leveling off
• OpEx efficiency declining
• Risk curve rising rapidly

Management Focus Shifts: From Growth (CapEx Savings, Lower-Priority Workloads) to Command and Control (Business-Critical Workloads)

Source: Taneja Group

5
Before Virtualization

Diagram: Administrators managing a Physical Datacenter

Established Controls
• Physical Security
• Identity and Access Mgmt
• Firewall Mgmt (incl. WAF)
• Perimeter/network segmentation
• Asset Management
• Vulnerability & Patch Mgmt
• Log/Event Monitoring & Mgmt
• Backup, encryption, A/V, IDS/IPS, …
• Incident Mgmt
• Policies & Procedures

Typical Challenges
• Poor hardware utilization leading to higher power/space costs
• Limited flexibility
  • Rigid architecture
  • Long Mean-Time-To-Recovery
• Near zero agility – provisioning assets/infrastructure
• Limited redundancy/DR setup

7
Compliance Today

Reached a certain level of maturity
• Much to comply with: HIPAA, PCI DSS, SOX, GLBA, FISMA, NIST 800-*, SAS 70, NERC, …
• Many methodologies and frameworks to help: ITIL, COBIT, VALIT, GAIT, ISO27K, …
• Clear delineation of roles and responsibility
• Typically top-down, risk-based approach

BUT, constantly evolving given innovation in technology and threats/risks, and new regulatory/policy requirements
• PCI SSC established a Virtualization SIG in February 2009
• Draft 800-125 released by NIST in July 2010
• Cloud Security Alliance developing guidance, frameworks and audit tools for Cloud Computing

Challenge: Adoption and implementation
• Demands actionable, auditable & portable controls for the emerging highly dynamic environments
• Greater automation and improved processes
• Continuous visibility and compliance auditing become critical
• Models and frameworks have to span both internal and external clouds

10
After Virtualization

Diagram: Administrators managing a Virtualized Datacenter

Benefits
• Lower OpEx and CapEx
• Greater flexibility
• Ability to recover more quickly
• Speed of server deployment
  • Template-based provisioning
• Easy to maintain redundancy
• Cost effective for DR/backup

Control and Visibility Challenges
• Unknown Perimeter
• New powerful layer – hypervisor
  • Configuration management
  • Separation of duties
• Undefined access paths/new remote APIs
• Virtualized infrastructure components
• Server consolidation – density & diversity
• Fully functioning assets are mobile
• Lack of Visibility
  • Trouble-shooting root cause
  • Logs from each component

12
Re-review with Virtualization in Mind

Plan-Do-Check-Act cycle:
Plan: Establish policies, processes, procedures, and security controls taking a top-down, risk-based approach.
Do: Implement and operate policies, controls, processes and procedures focusing on automation and consistency.
Check: Monitor/assess and review focusing on continuous.
Act: Maintain and improve, take corrective and preventive actions focusing on automation and consistency.

Diagram: Four Inter-related Domains of COBIT (Source: ISACA), linking operational and support-oriented processes, compliance and security, IT goals, and compliance and risk to business goals.

13
Existing controls/solutions are inadequate

Security Control Domain: Access and User Administration
Existing controls:
- Centralize User and Group (de)provisioning
- Grant access on need basis
- Enforce least privilege
- Reduce and monitor privileged access
Additional Virtualization-specific controls:
- Consider both physical and logical access
- Segregate hypervisor administrative duties (e.g. by function, purpose or ownership)
- Control all access paths/remote APIs
- Segment virtual networks
- Segregate resources by purpose or ownership

Security Control Domain: Change and configuration
Existing controls:
- Inventory and track all assets
- Authorize and track all change mgmt activity
- Monitor and manage configuration
Additional Virtualization-specific controls:
- Harden hypervisor, virtual machine container, virtualized infrastructure components & associated management server configurations, and monitor drift
- Inventory and track all virtual components/resources
- Ensure that critical virtualized infrastructure components are NOT turned off (accidentally or otherwise)
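The two virtualization-specific controls above (harden the hypervisor and monitor drift; make sure critical virtual infrastructure components stay running) can both be checked mechanically. The following is an added example, not code from the deck or from HyTrust: it compares each host's settings against a hardened baseline, reporting any setting that differs or is missing, and lists critical components whose power state is not "poweredOn". The baseline keys, host names, inventory entries and power-state strings are constructed for illustration; a real deployment would read them from the hypervisor management API.

```python
"""Configuration-drift and power-state checks for a virtualized infrastructure.

Added example, not code from the original deck or from HyTrust. The baseline
settings, host names and inventory are constructed for illustration; a real
deployment would pull them from the hypervisor management API.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Set

# Hardened baseline every hypervisor host must match (constructed values).
BASELINE: Dict[str, Any] = {
    "ssh_enabled": False,            # no interactive shell on the host
    "lockdown_mode": True,           # administration only via the management server
    "ntp_servers": ("ntp1.example.internal", "ntp2.example.internal"),
    "firewall_default_policy": "deny",
    "mgmt_interface_vlan": 10,       # management traffic on its own segment
}

# Configuration as currently read from three hosts (constructed sample data).
CURRENT_CONFIG: Dict[str, Dict[str, Any]] = {
    "esx-a": dict(BASELINE),                                        # compliant host
    "esx-b": {**BASELINE, "ssh_enabled": True, "lockdown_mode": False},
    "esx-c": {
        "ssh_enabled": False,
        "lockdown_mode": True,
        "ntp_servers": ("ntp1.example.internal",),                  # one server dropped
        "firewall_default_policy": "allow",
        # mgmt_interface_vlan is missing entirely; that is reported as drift too
    },
}


@dataclass(frozen=True)
class Drift:
    host: str
    setting: str
    expected: Any
    actual: Any


def detect_drift(baseline: Dict[str, Any],
                 current: Dict[str, Dict[str, Any]]) -> List[Drift]:
    """Compare each host against the baseline; a missing setting counts as drift."""
    findings: List[Drift] = []
    for host in sorted(current):
        cfg = current[host]
        for setting, expected in baseline.items():
            actual = cfg.get(setting)          # None when the setting is absent
            if actual != expected:
                findings.append(Drift(host, setting, expected, actual))
    return findings


# Power state of virtual components (constructed). Names are placeholders.
INVENTORY: Dict[str, str] = {
    "vcenter-01": "poweredOn",     # management server
    "vfw-edge-01": "poweredOff",   # virtual firewall appliance
    "log-collector": "poweredOn",  # central log collector
    "web-07": "poweredOff",        # ordinary workload, allowed to be off
}
CRITICAL_COMPONENTS: Set[str] = {"vcenter-01", "vfw-edge-01", "log-collector"}


def critical_not_running(inventory: Dict[str, str], critical: Set[str]) -> List[str]:
    """Critical components that are powered off, or absent from the inventory."""
    return sorted(name for name in critical if inventory.get(name) != "poweredOn")


if __name__ == "__main__":
    for d in detect_drift(BASELINE, CURRENT_CONFIG):
        print(f"DRIFT {d.host}: {d.setting} expected={d.expected!r} actual={d.actual!r}")
    for name in critical_not_running(INVENTORY, CRITICAL_COMPONENTS):
        print(f"CRITICAL COMPONENT NOT RUNNING: {name}")
```

Treating an absent setting as drift matters: a host that never had the hardening applied looks identical to one where it was removed, and both need the same follow-up. The power-state check deliberately flags a critical component that is missing from the inventory as well as one that is off, since a deleted management server or virtual firewall is at least as serious as a stopped one.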

Security Control Domain: Operations
Existing controls:
- Vulnerability and patch management
- Retain granular logs for audit/forensic needs
- Regularly review collected logs
Additional Virtualization-specific controls:
- Patch hypervisor and virtual machines (offline & online)
- Collect logs from hypervisor, management servers, virtualized infrastructure components
- Log records MUST state who did what, when and on what virtual object residing on what host
14
Questions?
Click on the questions tab on your screen, type in your question, name
and e-mail address; then hit submit.

15
