Security and Compliance are the Primary Concerns with Cloud
VMware – Cloud Security Solutions
© 2011 VMware Inc. All rights reserved
Security and Compliance are the Primary Concerns with Cloud
"Virtualization forms the foundation for building private clouds. Security must change to support both."
– Gartner, 2010
[Figure: Internal IT vs. Public Cloud]
New Challenges with Cloud Computing
Security must change to support both private and public cloud computing:
• Virtual machines are dynamic and can move around
• Virtual machines are easily created and can be self-provisioned by non-IT staff
• Increased workloads, with large numbers of virtual desktops in the datacenter
Our Answer: Security designed for Cloud Computing
VMware vShield is a Security Enabler
1. Unique introspection
2. Policy abstraction
Cost Effective
• Single virtual appliance with breadth of functionality
• Single framework for comprehensive protection
Simple
• No sprawl in rules, VLANs, agents
• Relevant visibility for VI Admins, network and security teams
• Simplified compliance
Adaptive
• Virtualization and change aware
• Program once, execute everywhere
• Rapid remediation
Traditional vs vShield
[Figure: traditional host-based security and network-based security (SECURITY / APP / DATA / OS stack per VM) vs. VMware vSphere + vShield, which introspects processor, memory, network and file access]
Benefits
• Comprehensive host and VM protection
• Reduced configuration errors
• Quick problem identification
• Reduced complexity – no security agents per VM required
• Easier compliance with continuous monitoring and comprehensive logging
• Create and enforce security policies with live migration, automated VM load balancing and automated VM restart
• Rapid provisioning of security policies
VMware Security Solutions
Perimeter Security
Application Protection for Network Based Threats
Anti-virus Challenges in Virtualization and Cloud environments
Securing virtual Data Center (vDC) with legacy security solutions
[Figure: perimeter security, internal security and endpoint security across Web, Application and Database zones, each on separate vSphere hosts, behind the Internet]
• Air Gapped Pods with dedicated physical hardware
• Mixed trust clusters without internal security segmentation
• Configuration Complexity
  o VLAN sprawl
  o Firewall rules sprawl
  o Rigid network IP rules without resource context
• Private clouds (?)
Customers cannot realize true virtualization benefits due to security concerns
Traditional Security Method is Isolation through “Air Gaps”
Microsoft Hyper-V Security Guide:
“Deploy your virtual machines in such a way that all the VMs on a given physical computer share a similar level of trust”
[Figure: three separate hypervisors labelled PCI Compliant, Sales and Finance]
Security Journey to the Cloud
[Figure: three stages: Air Gapped Pods (Tenant A and Tenant B on separate Switch A / Router A and Switch B / Router B paths, separated by an Air Gap), Mixed Trust Zones (Trust Zone 1 and Trust Zone 2 with WEB / APP / DB tiers on shared hypervisors), and Private Clouds (Service Provider)]
VMware Transforms Security from Expensive to Cost Effective
vShield eliminates the need for multiple special purpose hardware appliances – 3-5x savings in Capex and Opex
[Figure: separate load balancer, firewall, VPN etc. hardware appliances replaced by the vShield Edge virtual appliance]
Automated Cloud VDC Perimeter Security with vShield Edge
[Figure: Production VDC and Development VDC, each with APP, DMZ and DB tiers behind its own vShield Edge, on a Virtual Distributed Switch across vSphere hosts, connected to the Internet]
vShield Edge Lowers Cost of Security
Network edge security solution (Firewall + VPN + Load balancer)
[Chart: cost per Mbps ($0 to $50) vs. throughput (0.5 Gbps, 1 Gbps, 10 Gbps, 100 Gbps) for security appliances vs. vShield Edge: >5x difference]
Assumptions
• 100 VM per edge
• vSphere & server costs
• High availability
Enables Private and Public Cloud Computing: mixed trust zones, duplicate environments, multiple tenants on the same shared virtual infrastructure
Mbps = Megabits/sec
Gbps = Gigabits/sec
VMware Transforms Security from Complex…
[Figure: many steps and overlapping roles / responsibilities: network admin, security admin and VI admin each configure network, firewall and vSphere and define, implement, monitor and refine policies and rules, with many agents and VLANs]
Complex
• Policies, rules implementation – no clear separation of duties; organizational confusion
• Many steps – configure network, firewall and vSphere
• Spaghetti of VLANs; sprawl of firewall rules and agents
…To Disruptively Simple
[Figure: few steps and clear separation of roles / responsibilities among network admin, security admin and VI admin: Define, Monitor, Refine; Configure vShield; Implement]
Simple
• Clear separation of duties
• Few steps – configure vShield
• Eliminate VLAN sprawl – vNIC firewalls
• Eliminate firewall rules and agents sprawl
• Auto-enable security on new (self-)provisioned VMs/Apps
VMware vShield App
Application Protection for Network Based Threats
• Hypervisor-level firewall
  • Inbound, outbound connection control applied at vNIC level
  • Elastic security groups – “stretch” as virtual machines migrate to new hosts
  • Robust flow monitoring
• Policy Management
  • Simple and business-relevant policies
  • Managed through UI or REST APIs
  • Logging and auditing based on industry standard syslog format
Leveraging Virtualization for Better-than-Physical Security
Key Benefits
• Complete visibility and control of inter-VM traffic, enabling multiple trust zones on the same ESX cluster.
• Intuitive business-language policy leveraging the vCenter inventory.
• Enable self-service provisioning while enforcing security policies on your VMs/Apps.
Better than Physical
• Virtual firewall with unlimited port density
• Hypervisor-level introspection provides access to inter-VM traffic
• Topology independent: policies follow the VMs irrespective of network configuration (IP address agnostic policies)
• Built-in firewall capabilities provide better-than-physical security at one third of the cost.
Anti-virus Challenges in Virtualization and Cloud
Issues
• “AV storms” can cause brownouts in shared compute (virtualization) and storage (SAN/NAS) environments
• Traditional agents are resource intensive – not optimized for high utilization, efficient clouds
• Up to 6 GB on VMware View desktops
12:1 virtual servers / physical host
60:1 virtual desktops / physical host
[Figure: each VM runs APP, AV and OS (Kernel, BIOS) on VMware vSphere]
Leveraging Virtualization for Better-than-Physical Security
Issues
• “AV storms” can cause 100% saturation in shared compute (CPU) and SAN/NAS (storage I/O) environments
• Traditional agents are resource intensive – not optimized for high utilization, efficient clouds
• Up to 6 GB on VMware View desktops
Opportunities
• Leverage the hypervisor to offload AV functions from agents into a dedicated security VM
• Deploy security in a more agile, service-driven manner to both private and public cloud environments
[Figure: a hardened security VM (SVM) running AV uses introspection to protect the VMs (APP, OS, Kernel, BIOS) on VMware vSphere]
Efficient Anti-virus as a Service for Virtual Datacenters
Tighter collaborative effort with leading AV partners
Hypervisor-based introspection for all major AV functions
• File-scanning engines and virus definitions offloaded to security VM – scheduled and realtime
• Thin file-virtualization driver in-guest: >95% reduction in guest footprint (eventually fully agentless)
Deployable as a service
• No agents to manage
• Turnkey, security-as-a-service delivery
Applicable to all virtualized deployment models – private clouds (virtual datacenters), public clouds (service providers), virtual desktops
Efficient Memory Utilization
Scan server approach means no agent footprint, less memory and management overhead
[Chart: memory utilization without EPSec vs. with EPSec]
BEFORE: Traditional agent-based approach
AFTER: Security Virtual Appliance using VMware End Point Security (EPSec)
Efficient I/O Bandwidth
Bandwidth during virus definition update
[Chart: I/O bandwidth without EPSec vs. with EPSec]
BEFORE: Traditional agent-based approach
AFTER: Security Virtual Appliance using VMware End Point Security (EPSec)
VMware vShield End Point
Overview of available Anti-virus Solutions based on vShield End Point
Available Today: Trend Micro Deep Security 7.5
Later in 2011: TBC
VMware – Enabling Security for the Cloud
Inside VM: vShield Endpoint
VM <-> network: vShield App
vCloud / VDC edge: vShield Edge
• Industry firsts in all three areas
• Disruptive simplification, automation
• In position to unify security policy administration
The right solution for your project
Datacenter Virtualization
• vShield App
Private / Public Cloud Computing
• vShield Edge
• vShield App
End User Computing / Desktop Virtualization
• vShield End Point*
• vShield App
* vShield End Point is included with VMware View Premier
Thank You