EIC 2012 Session: Security for Virtualized Environments, Privileged Users and PCI Compliance

Next up, we have a little discussion between vendor experts. We have guys from CA and from VMware up on stage to discuss. So I'd like to invite my next on stage people guy come up. Wonderful. Welcome to the stage. Thank you.

Hi, welcome. Yeah. Okay.

Oh, okay. Wonderful. So first we'll have some introductory slides that Giza and Han Bonang will present to us and warm. Welcome to you guys on stage. Thank you. All right. Thank you for having us I'm guy I'm product manager from CA technologies And I'm Stephan I'm se from VMware. So with this large audience, we'd like to speak about a very hot topic, which is virtualization security. That we've just covered that. And to be more particular, we'll use PCI compliance, the payment card industry as a sort of a use case for how security and virtualization might look like.

So I think it's clear that virtualization is on the rise and we've seen that survey results. And we know that that the stack is moving from development or from early test environments into full production.

And, and mutualization is here, whether you like it or not, and then you need to secure it. Yeah. So what we see now, the customers, this was our history. It started like Mr. Kuppinger said beforehand with small with test environments, but now for instance, SAP hosting and other stuff like SAP systems are running completely 100% virtualized on, on VMware. So we are getting there and also with our large enterprise customers, there's no need for physical database services. So they're getting now harder, evolved Intel and did a great jobs to, to improve the performance on X 86.

So there's no need, or there are very few reasons not to virtualize. That's true. So the questions, as, as we've seen so far is first we have the technology and usually then we start thinking about security implication. Although if we take VIM as an example for visualization, the security is different. The only beginning, but security is not only as you all know on, on an identity and access management conference is not only about technical controls. It's about management management of the security controls.

So we have a, a recent example on it was presented on the keynote on the opening day, on the employee of a pharmaceutical company that has used their access to the vitro data center to delete Viro machines, this type of, of malicious. So uncontrolled activity, whether it was done from a malicious activities or by mistake was not possible in the past where server were physical and not virtual. So in that context, and there were few sessions about privileged user access. We have a new type of, of privileged users that we need to control Super, super user.

Yeah, the God-like user as we call it. And, and what did it mean we had in the past, we have privilege access for operating systems. We had for every physical server, we have their own privilege access. Now we have that obstruction layer, that obstruction layer introduce the new user, the super user of the super users that can manage all the users on the underlying abstract layer without the need to access. The OS itself can delete, can access, can control machines.

And it's, it's something that has value to have those types of, of administrators that can manage large amount of, of virtual machines without the need of many accounts. But it's something, as I said, that it's need to be controlled Separation of duties. When I come to customers, most of the small customers, most of the biggest elect issues, they don't have it enforced virtual environments, or the administrative teams are, are to small and also say, why should I need the root password to my web server already? If I could also delete it, or yeah.

If, if I, if I lose control there. And another interesting discussion I had was two chief security officers of, of banks.

They, they don't trust reasonable reasons. They, their ment stuff is like data theft, the virtual machines, right?

So if I, if a copy or clone a virtual machine without having excess control, I can perfectly and slowly do a loft crack or a password to take it home. Right? So if I'm moving from, from what's, what is virtualization security?

So just a, a step back virtualization security doesn't mean that virtualization is not good. Virtualization is, is very good technology.

And with, with every new technology comes, new challenges and those new challenges sometimes remove the old challenges. It doesn't mean that we have new type of, of new security challenges, and we have to deal with the old ones. So new things come, all things being removed. So if we try to, to look on what type of changes we have now and correlate that to the, to the advantage of visualization. So I think the abstraction and to consolidation of the system is, is something has very much power.

It's reduced the operational expenses, but it has introduced new layers to protect that we need to protect somehow and a misconfiguration or a malicious activity can affect hundreds of server rather than one or two server. Another portion here is we are, we are touching different areas here, but we see also network ports greatly reduced and so on. And capital cost savings. The old story, new layer to be secured admin network nightmare from in the middle attacks, we just use encrypted protocols basically, but who is accessing the VFI clients who is using them and how they are able to use them.

This is a big point. And then we are, you're touching also, therefore you're consolidating a big VLAN trunk into is actually you touch the networking team. So also how, how it organizations use virtualization before even talking about cloud changes dramatically, because sometimes they're still thinking Zillows now comes to this resource layer and also uses network as, as resources. And sometimes I, the feeling that also these admin teams have networking and security might have the fear to lose power that the now the virtualization team is really playing in their back backyard of the competency.

And therefore also ation separation of really paramount and is possible, but it has to be designed. I think this is the key. When we look on virtualization security from an identity and access management perspective, I think this is the, the major shift in, in mindset is if we had in the past separation of duties, by the fact that we have different teams doing different activities, we have the network team dealing with switches, with routes, with all those types of, of identity and access activities related to network. We had the same thing for storage or for physical provisioning.

Now we had to have many people doing the same thing. We have consolidated that into the visualization platform. So we had gained the operational expense saving, but have introduced a new, powerful user that has all the control on all the mechanism. And so separation of duties has become a challenge because of that, the lack of visibility that we have now only one team manage everything. Okay. I think the second point is the same stuff.

Perhaps, perhaps one thing to notice on this slide, that's also why we see additional management needs apart from our central management vCenter. Because if you're going to cloud, you need a lot of automation, a lot of business intelligence, a lot of management frameworks. And also when you have a re let's say an it basket service delivery, then you need to have resource pools, planning, security for your resources and or some monitoring capabilities. This has been a really good thing for deployment VR mobility is great.

We are really able to do because of encapsulation completing new set of services like disaster recovery, because the VMs is always the hypervisor and does not need to have any physical driver configuration of an underneath line server. So it has enabled completely new disaster recovery methods like with outside recovery management.

But again, there unauthorized copy. My example is the bank. And obviously if you have lab, let's say development system or lab systems, you might have outlined outed, offline systems, actual patch levels, and so on inside the us.

Yeah, I think that's, I think the main, the main theme here, and perhaps one thing to add here, there's nothing that, because you always read this doesn't affect event, VMware alone is really valid for every other hypervisor windows. Well, So if, if we're looking on, on the regulatory aspect of visualization, so if we take PCI, so usually we tend to look on the requirements, what are the requirements of the regulation? And then think about how it affects our systems. So the first stage usually is, is not, that is scoping. What is the scope of the requirements?

And when we talk about virtualization, we have a new set of questions. Everything is being encapsulated. You might have a hypervisor, which has a very sensitive server running on top of it, but some test environment as well. We want to have that agility.

And, and this is one of the most common advantages of virtualization. The mobility, the high availability all relies on the fact that we can mix things together. So how we address scoping in that context As also has been an amendment to P C I DSS that went from version. I think it was one to one to two, zero. We also embraced virtualization. And I think one of the requirements is really layer to physical's operation of these cardholder data environments.

Cause if you're running on the same hypervisor, perhaps your cardholder data environment, your credit card database server might run beneath a web server, right. In a completely different zone. So how to ensure iation between them. So regarding PCI, as you said, PCI has released the payment card industry that a security standard has released a new version on October, 2010 called PCI DSS 2.0, which for the first time taking into account virtualization, if you go to an auditor, a QSA in the PCI world and ask them, why do you think about virtualization three years ago?

You won't get the same answer for everyone. Depends the amount of knowledge they have on virtualization technologies, the amount of trust they have in that sense. So PCI console has done something enormous, which is stating that virtualization, first of all, is part of the assessment of, of the payment card industry. That is a security standard. And they went even one, one step further and introduced a supplemented guide for virtualization alone, which has a very detailed requirements on how to secure virtualization, especially in mixed environments.

And what type of controls you want to, you need to implement in order to comply with this regulation. So I won't go into those details, but you can see that later on, we'll send you the slides. Yeah. We also introduced some technologies for that. And one of them is the visual product family. In addition to the special product family was called sensitive data discovery.

And what we're able to do is with our endpoint driver to really go into the machine agent lessons, scan again, certain data patterns with regular expressions and to really see if there is unstructured data or data that really violates our PCI DSS requirement. And when these violations are detected of obviously you can include VMs or exclude DM, then you, you you're able to get an audit report about these violations.

Of course, from a visionary standpoint, we try to take this further. And we discovered together by having a coffee today, outside that we have together really, really interesting approaches that I was not also aware and was really stunned by the capabilities that CA has there at this point to integrate as well with us, with VMware and deliver a real common market value. So let's skip on, then you have this non CD environment in the CD environment.

And what is quite interesting is that we able, I think I mentioned it yesterday, briefly, we are now having the capability to intercept network traffic between the virtual connect card and the virtual switch port group, which basically gives us the ability to block traffic from layer two to four on the same as ex host, which gives you completely transparency. You can compare it like, like a private VLAN without a need to configure private VLANs.

And you're able to isolate virtual machines on the same hypervisor really on only a two level, let's say a physical virtually a two segmentation, which is also by the way, one on the, one of the requirements of PCIs S 2.0. And then the next portion is when we have this intelligence, some another product and where we are also mapping real time sock relationships called VMware infrastructure navigator.

So we see every machine that is accessing our database server that is holding the credit card information, belongs to the same car data environment, and must therefore, we also isolated on layer two in the same environment, and we are able to take these and also put us into policy groups with CA and CAS. Then also I think I, I, I now understood dynamically able to integrate with our rest API of automation manager and do their some optimization for that, which is quite interesting and very convincing story there.

I think this, this, this technology is an example how the challenges of visualization become also an opportunity for new security mechanism. Those type of scanning inside dynamically attaching and changing network topology were not possible. We would not have that obstruction layer of, of network layers in the old world. We have to change switching configuration. We have to change wires sometimes in order to achieve that type of granularity.

And it might seem technically in nature, but it's more of a management capability where you manage the risk and the asset and the platform itself applies the logic beneath. So you can still look at it from an identity and access management aspect from the data aspect. As we NCA focus with our content to where I am rather than from the technical network layer perspectives. It's also perhaps one of the important streams we see there are also in the data center level that perhaps for service providers in the cloud era, we learns will not be enough.

So also there that networks and security has to be consumed as a service has to be programmable. I think this is something that is very important and key here that we are leveraging each other's intelligence and passing on information. So what we are also able to do is we have PCI 2.0 compliance templates apart from in our sensitive data discovery, which is on portion of our visual app firewall product family. We also having it also in our member configuration manager product to really determine to scan what CD contents are there allowed CD contents are there DLP breaches.

And then if we detect them and migrate them automatically to different zones, it's also where yeah. CA helps us with some intelligence and insight and, and also where we can see really good leverage from each other. So I'll skip that because we are basically out of time, but just to, to end this session with put something to tag off.

So when we, we are looking for, for a solution of security solution to comply with P C I DSS on Vitra environment, or to comply with any regulation, whether it's internal or external, I think we need to look on, on the new security solutions from three perspective. One is the guest security control. The second is from the hypervisor security controls and the third and most important one is from the automation or virtualization aware security perspective. So a security control or security solution need to be virtualization aware.

It can be the old security mechanism that we had in the past for the same reason that we moved for virtualization, we want to be agile and want to be fast. And we want to be able to use the benefits of the visualization platform to have a higher degree of security control. On the other hand, we need to, to look on, on the security aspect from end to end from the hypervisor layer to the guest system and up to the application. So it's not enough just to secure one of those. You need to secure every everything. And if you can, it should be automated and integrated.

And also from perhaps a practical tip, if you have a QSA that says, okay, Al data environment that is not possible on a virtualized environment, there are some helps. There are studies out there. Also our compliance page COFI did some study if you're placing the, the right technical implementations and controls, but also more important, the right controls. It is doable. So ask always a QA where they already have had successful audits from virtual environment.

And, and if he has expertise in this area, because I also see it in the German market, there's a lot of, there's a lot of room for interpretation because BSI itself, not doing any audits in the, the German legislation they are having advisories we have, or I have also with some colleagues, regular conference calls to really push it forward, that there is perhaps a common few about sense, sensible security controls in such environment. What makes sense there and how to audit that. All right. So thank you. Yeah. Thanks to our presenters.

We, we do have some time, sorry. We Have Mr. From telecom. So for now, I'd say thanks for this presentation. We now have the new presentation coming up and welcome the chair. Thank you very much. So give us a warm welcome here. So we will have another short presentation. Yes. That will actually show us when I know that shouldn't be it.

Well, the presentation I'm John junior from telecom. Here we go. Wonderful.

So I, I will try to give you an idea of another aspect of cloud of virtualization is the approach of telco provider of cloud cloud provider. A few words about Temelia because ter is not doing his business in Northern Europe and German. So on. So we spend few words about my company. The company has business in Italy and Brazil, and Argentina has revenues in the 2010 of something less than T billion euros. Our business is the most important part of business is mobile and fixed telecommunication.

Also, we have in Italy, broadcasting channel and some other business, but something that we are doing and we want to do in the future is the, the, our offering for business customer for the it offering since two years, more or less, we got some new brand that in Italy are very popular. One is impressive. That means making the enterprise easier is, let me say, is a number of it solution that we offer to our customer bot top customer, the, the more important insurance bank, energy company in Italy, and also for the, the small office home office customer.

The other brand that I would like to, to, to talk in the nexus slide is what the name of the brand is. No it's Italian cloud. Let me say, is the cloud offering of telecom Medallia?

Well, but let me take a step beside, let me say talking about it, infrastructure of tele Melia, it, one of the most important infrastructure in Italy, just a few numbers, 8,000 servers are in our eight data center and 80,000 and, and so on. So I think that our number very, very important, well, another thing that we have to take in mind when we, when we will spend some more about the cloud implementation, it, it is the regulatory pressure that in Italy is, is in place.

Part of this regulatory pressure is of course for the Italian private authority, that is more or less the same in respect the other part of Europe. But we, as the telco operator, we have a specific regulatory in place that 2006 were applied only to telecoms the incumbent operator. And then from 2008, the regulation has been extended to the other operator.

Well, these requirements are very specific to telcos, but are extremely change challenging. They, they object to be preserved is the, the traffic, the, the information, the traffic, what we call the CDR, the customer that records call the I got on.

So to, to, to respect this kind of regulation, we put in place, several things that helped us to, to bring an internal cloud that we think is quite secure. Let me explain what is this?

Well, we, we started in 2009 to, to realize a, a private cloud for internals and BSS and E P application. Since now we have utilized more than 70% of, of our application, our server.

They, of course, a key element for, for a success of the initiative is the, the automation of the, this implementation. So the, everything is automated from the delivery of, of a new server to the development of new application. For regarding security, we apply a risk merchant process that is fully compliant with O 27,001 regulation or methodology. This is very important to understand what are the security requirements to be applied to the, our internal cloud and to evaluating what are the right content measure to be applied.

Of course, the, those methodology should be applied to all the layer of the infrastructure. So from the operating system to the application to two slides that describe more or less what is in place.

Well, of course the needs for, for a cloud, for an it infrastructure are more for, for a cloud is to understand who is doing this, their business or it infrastructure. So we have in place ID measurement framework that is in place to understand who is doing this business, starting from it user that are the engineering. Let me say the ones that keep up and running the environment and the end user that are the people that face the customer that with CRM with, with our application. The second piece of technology is the logging framework.

So is what we use to, to keep track of what is going on in, in the infrastructure's previous. This one are two very huge application to very huge framework. Let me say that, for example, for the identity access management, we have all under this infrastructure, more or less 5,000 server, some hundreds of applications on, well, starting from this background is, as I said, is what we done, what we have done to secure securize our internet cloud.

Of course, we, we were thinking about how to make leverage and what we had done to support it to, for our customer, but for our customer, we realized that security should play should be a key, a key point for success story for our customer. Of course, the, the reason why security is the key point is one I think is, is that our customer should be, should trust his provider because since they server are not under the control, but the control the provider, they should have something to believe on what we are doing from our part.

Well, we starting, as I said before, from what, what we did for the cloud, what we did is of course, as I said before, the, the identity access management, the ING of the network and of the infrastructure, the server, the ID on the network, the, those prevention attack, attack prevention and so on. But then we use our, what we learn from our internal production system to delivery some service element to our customer.

It's for example, the IPSS server or the security resource appliance that we can bring to our customer as a new offering, of course, for making the work in the good way, there is a continuous pro improvement process on the way to, or let the environment be much more secure. But I, since I think we don't have so much time, I will go on the last point. That is what we, we are going to do in the near, near future, what we think that it's time for to differentiate the, the offering, because our competitor in this field that over the top, over the top player is Google or Amazon.

So, so we have the possibility to differentiate our offering with the security. So what we want to do is I will go or absolutely to the last slide, it to adopt some standard. We are looking to CSA security, trust national registry. That's why we think that it could be the way to make our, our customer or what we had done on our infrastructure to, to be as, let me say the most, the most crystal with our customer.

And also we, we have found this is quite a brand new initiative, but we have found that adopting the ISO 27,000 mechanism that we, we started to adopt several years ago, we think that the CSR star requirement are more or less on the same on the same road. So we think that without paying so much more, we, we can achieve this, this new standardization that could be important for target Alia. That's our experience. Wonderful. So thanks to the speakers, thanks to VMware and CA and especially telecom for presenting the customer view, how this can actually be deployed.

And I was specifically impressed by the 70% of servers actually being virtualized. And that was two years ago, I think. So it might be Sent since 2009.

So, So it sees that adoption of such a technology in the large enterprise is definitely something you need to do. So before saying goodbye to our presenters, I'd like to invite my friend, Dave Kerns up on stage. He's over there. Thank you.