Traditionally, information security has been reasoned about in terms of assets, vulnerabilities and threats. A mature info-sec program has visibility into its critical assets, a compliance program for reducing its attack surfaces and the vulnerabilities therein, and capabilities for detecting and blocking threats. A rich set of patterns and practices has emerged to support these in the physical (and static) data center. These include segmentation as a key practice for isolating higher-trust workloads (e.g. PCI) from lower-trust workloads (e.g. test, VDI). Another important aspect is change control, which surfaces through multi-step provisioning cycles and change management processes. While these practices are important for ensuring compliance and minimizing attack surfaces, they have impacted IT's ability to respond to changing business requirements. For example, physically segmented workloads create challenges in resource utilization: the IT admin can't use the idle infrastructure in the QA labs to host the PCI workloads. Complex change management leads to prolonged provisioning cycles, thereby limiting IT's responsiveness to changing business needs.
Virtualization offers the opportunity to run workloads of different trust levels and sensitivities on the same shared infrastructure. Shared infrastructure gives the IT admin the opportunity of hosting, for example, PCI workloads on the same compute, storage and networks as his QA workloads, as long as a logical perimeter can be enforced consistently. This allows resources to run at higher utilization than would otherwise be possible in a physically segmented infrastructure.
The vSphere layer offers an extensive automation layer for accessing the assets and events of the virtual infrastructure. Automation offers the opportunity to compress change management cycles, thereby increasing IT's responsiveness while assuring the same or better security and compliance as physical infrastructure.
At RSA 2012, Symantec and VMware are demoing solutions based on orchestration and automation for these use cases: securing VDI workloads, and assuring logical perimeters in infrastructure that is shared across mixed-trust workloads. These solutions combine the capabilities of various product categories: Data Loss Prevention (DLP), GRC, Security Incident and Event Management (SIEM), vCenter, and virtual firewalls (vShield App).
Some of the use cases we are focusing on include:
(1) Instant-on VM Compliance. A prerequisite for a newly launched VM to join the network is that it must demonstrate compliance with hardening guidelines. Stale images can often go out of compliance within weeks. How can IT take advantage of the accelerated rate of change enabled by virtualization while requiring better-than-physical security policy?
(2) Secure Trust Zone Assurance. A new VM is added to a vSwitch that hosts VMs that access sensitive data stores. A policy-based approach to security and compliance allows admins to declare: "Only VMs that have been hardened and launched by a sensitive_role can be on the same virtual network as VMs that access these sensitive data stores". This allows the use of shared infrastructure to host mixed-trust workloads while attempting, again, to attain better-than-physical security through policy orchestration.
(3) Automated Remediation of Botnets in VDI Workloads. An infected VM communicates with a C&C server. The desired security response is to quarantine it to a highly restricted network, and initiate incident response.
The Instant-on VM Compliance use case can be addressed through a combination of offline image scanning and orchestrating a compliance check immediately when we detect a new VM coming up, remediating as necessary. SIEM products that have visibility into configuration events can detect new VM startups. These can be fed into a rule-based orchestration engine that triggers a compliance check request into a GRC product. If the compliance check fails, the orchestration engine, based on configured rules, may request vShield App to move the VM to a security group with limited rights until it is remediated.
The Secure Trust Zone Assurance use case offers controls on running mixed-trust workloads on shared infrastructure. This requires visibility into which assets access sensitive data and make up a secure segment, network controls that can be enforced, and configuration update events that must be assessed on whether they introduce vulnerabilities into the secured segment. DLP feeds, asset feeds, and configuration and vulnerability feeds must be managed to achieve enforcement of the workload segment.
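As an added illustration of the trust zone policy quoted in use case (2), not code from the post or from either vendor, here is a rule-based evaluation of a "VM added to vSwitch" configuration event. The inventory, its hardened/launched_by/sensitive tags, and the remediation action are constructed stand-ins for the vCenter relationship view, GRC and DLP feeds, and a vShield App security group move.

```python
# Added example, not from the post: a rule-based evaluation of the Secure Trust
# Zone Assurance policy. Inventory, tags and the remediation action are constructed
# stand-ins for vCenter, DLP/GRC feeds and vShield App security groups.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SENSITIVE_ROLE = "sensitive_role"  # role name used in the post's policy statement


@dataclass
class VM:
    name: str
    hardened: bool           # outcome of a GRC hardening check (assumed feed)
    launched_by: str         # role of the admin who launched the VM
    sensitive: bool = False  # DLP-derived tag: VM accesses a sensitive data store
    vswitch: Optional[str] = None


def is_trusted(vm: VM) -> bool:
    """Policy: only hardened VMs launched by the sensitive role may share a sensitive segment."""
    return vm.hardened and vm.launched_by == SENSITIVE_ROLE


def assess_vswitch_add(inventory: Dict[str, VM], vm_name: str, vswitch: str) -> Tuple[bool, Optional[dict]]:
    """Evaluate a 'VM added to vSwitch' event. Returns (allowed, action); the action is
    what the orchestration engine would send to the virtual firewall (hypothetical call)."""
    newcomer = inventory[vm_name]
    peers = [v for v in inventory.values() if v.vswitch == vswitch and v.name != vm_name]
    segment_is_sensitive = newcomer.sensitive or any(p.sensitive for p in peers)
    if not segment_is_sensitive:
        return True, None  # no sensitive data on this segment: nothing to enforce
    offenders = [v.name for v in [newcomer] + peers if not is_trusted(v)]
    if not offenders:
        return True, None
    return False, {"action": "move_to_security_group", "group": "restricted", "vms": offenders}


def sample_inventory() -> Dict[str, VM]:
    """Constructed inventory: a PCI database, a hardened PCI app server, and a QA box."""
    vms = [
        VM("pci-db", True, SENSITIVE_ROLE, sensitive=True, vswitch="vswitch-pci"),
        VM("pci-app", True, SENSITIVE_ROLE),
        VM("qa-web", False, "qa_role"),
    ]
    return {v.name: v for v in vms}


if __name__ == "__main__":
    inv = sample_inventory()
    print(assess_vswitch_add(inv, "qa-web", "vswitch-pci"))   # blocked: qa-web goes to "restricted"
    print(assess_vswitch_add(inv, "pci-app", "vswitch-pci"))  # allowed
```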
Botnet traffic detection can be achieved using Web Gateway products that scan network traffic, or a SIEM that receives log events from the vShield App firewall on that vSphere host and correlates IPs against known bad sites obtained, for example, through Symantec DeepSight. An orchestration rule ties this notification to a vShield App reconfiguration in which the infected VM is moved into a quarantine security group. For additional incident context, the orchestration engine can extract the malware scan history for that VM from an endpoint security product such as SEP, and attach it to the incident report.
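The correlation step above, as an added example that is not code from the post or from either vendor: flow records from the virtual firewall are matched against a known-bad-IP list and the resulting quarantine actions are produced. The log format, the sample lines and the bad-IP set are all constructed (TEST-NET addresses, not real indicators) and stand in for vShield App logs and a DeepSight reputation feed.

```python
# Added example, not from the post: correlate virtual-firewall flow logs against a
# known-bad-IP list and emit the quarantine action the orchestration rule would
# request. Log format and bad-IP list are constructed stand-ins for vShield App
# logs and a DeepSight reputation feed (TEST-NET addresses, not real indicators).
import ipaddress
import re
from typing import Dict, Iterable, List, Set

LOG_RE = re.compile(r"vm=(?P<vm>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

SAMPLE_LOGS = [  # constructed flow records: one VDI desktop talks to a listed address
    "2012-02-27T10:00:01Z vm=vdi-042 src=10.10.5.42 dst=192.0.2.10 dport=443 action=allow",
    "2012-02-27T10:00:03Z vm=vdi-017 src=10.10.5.17 dst=198.51.100.7 dport=80 action=allow",
    "2012-02-27T10:00:05Z vm=vdi-042 src=10.10.5.42 dst=203.0.113.66 dport=6667 action=allow",
    "garbage line that does not parse",
]

KNOWN_BAD: Set[ipaddress.IPv4Address] = {ipaddress.ip_address("203.0.113.66")}


def parse_flow(line: str) -> dict:
    """Extract vm, src, dst and dport from one flow line; return {} if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return {}
    try:
        return {"vm": m["vm"], "src": ipaddress.ip_address(m["src"]),
                "dst": ipaddress.ip_address(m["dst"]), "dport": int(m["dport"])}
    except ValueError:  # malformed address: skip rather than abort the correlation loop
        return {}


def detect_c2_contacts(lines: Iterable[str], bad_ips: Set) -> Dict[str, List[str]]:
    """Map each VM that contacted a listed address to the raw log lines kept as evidence."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        rec = parse_flow(line)
        if rec and rec["dst"] in bad_ips:
            hits.setdefault(rec["vm"], []).append(line)
    return hits


def quarantine_actions(hits: Dict[str, List[str]]) -> List[dict]:
    """One action per infected VM: move it to the quarantine group and open an incident."""
    return [{"vm": vm, "action": "move_to_security_group", "group": "quarantine",
             "open_incident": True, "evidence": evidence} for vm, evidence in hits.items()]


if __name__ == "__main__":
    for act in quarantine_actions(detect_c2_contacts(SAMPLE_LOGS, KNOWN_BAD)):
        print(act["vm"], "->", act["group"], len(act["evidence"]), "flow(s)")
```

The endpoint scan history the post mentions would be attached to the incident by a separate lookup against the endpoint product; it is not modeled here.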
DLP is used in many IT environments for detecting sensitive data. In the virtual data center this detection acts as the basis for tagging virtual assets: VMs, vSwitches, data stores and hosts. These asset tags can be incorporated into federated asset tables via feeds out of DLP products such as Symantec DLP. This information-centric view of assets and workloads offers us a path to automate the definition, enforcement and assessment of logical perimeters for mixed-trust workloads running on shared infrastructure.
Each of these product categories maintains an asset table with its own view: GRC tools (e.g. Symantec CCS) may have configuration and vulnerability views of assets (e.g. config checks, patch levels), vSphere has the full relationship view (VMs, hosts, vSwitches, data stores), and SIEM (e.g. Symantec SIM) has full visibility into data and configuration events at assets. These asset views must be combined with configuration and data events to offer an intelligent platform for security and compliance policy definition, enforcement and assessment.
Enjoy the demos at RSA, and let us know what you think! We are planning to put up videos on the web as well.