Securing Virtualization in Real-World Environments
IBM Software: Optimizing the World's Infrastructure
© 2010 IBM Corporation
Virtualization is a Key Enabler for a Smarter Planet
• Globalization and globally available resources
• Billions of mobile devices accessing the Web
• Access to streams of information in real time
• New forms of collaboration
New possibilities. New complexities. New risks.
Managing Risks Introduced by New Opportunities
• Complexity of infrastructure (chart: share of IT investment spent on maintaining existing infrastructure versus growth)
• Explosion of data
• Disclosures of sensitive business data (chart: incidents reported): less than 3: 13%; between 3 and 12: 67%; more than 12: 20%
Sources: IBM; IT Policy Compliance Group
Virtualization has many benefits but introduces new complexities. Virtualization blurs the physical boundaries that used to separate workloads from one another and from the people responsible for securing them. It enables mobility of systems and flexible deployment and re-deployment of systems, so a VM's location, neighbours and network attachment can change without any physical work. Manually tracking the software stacks and configurations of VMs and images becomes increasingly difficult.
Virtualization has many benefits but introduces new complexities
Before Virtualization
• 1:1 ratio of OSs and applications per server
After Virtualization
• 1:many ratio of OSs and applications per server
• Additional layer (the hypervisor and its management stack) to manage and secure
Common security-centric questions with virtualization
BEFORE: equipment is physical. Wires and cables. Routers and switches. Servers on racks. Storage arrays and disks. Memory and CPUs. Machines stay put. Security is in place.
AFTER: equipment is virtual.
• How do we watch the network?
• Where are VMs located? Are they moving around?
• What's our change control policy?
• Are VMs patched?
• Is the hypervisor secure?
• Who's responsible for security?
More components = more exposures and more difficulty in maintaining compliance standards and regulations
Traditional threats
• Traditional threats can attack VMs just like real systems
New threats to VM environments
• Management vulnerabilities
• Secure storage of VMs and of the management data
• Requires new skill sets
• Virtual sprawl
• Dynamic relocation
• VM stealing
• Resource sharing
• Single point of failure
• Stealth rootkits in hardware now possible
• Virtual NICs and virtual hardware are targets
Virtualizing Security vs. Securing Virtualization
Virtualizing Security
• Existing solutions
• Virtual appliances
Securing Virtualization
• Integrated security
• Future protection
Introducing IBM Virtual Server Protection for VMware: integrated threat protection for VMware vSphere 4
(Figure: one Security Virtual Machine (SVM) alongside the guest VMs on top of the hypervisor and hardware)
• Integrated security leveraging the hypervisor
• On-demand, centralized protection
• Selective network intrusion and host malware protection
Introducing IBM Virtual Server Protection for VMware: integrated threat protection for VMware vSphere 4
• Provides dynamic protection for every layer of the virtual infrastructure
• Helps meet regulatory compliance mandates by providing security and reporting functionality customized for the virtual infrastructure
• Increases ROI over using physical security for virtual data centers
• Increases virtual server uptime with virtual rootkit detection
IBM Virtual Server Protection for VMware can accelerate and simplify compliance audits
• Enables firewall network segmentation to reduce the scope of the PCI audit
• Monitors the integrity of critical systems
• Detects and prevents attacks that target cardholder data
• Leverages IBM Virtual Patch® technology, which shields vulnerabilities on virtual servers regardless of patch strategy
• Collects important security events from the virtual infrastructure
• Isolates payment-processing VMs from other VMs on the same physical host that are outside the cardholder data environment
e.g. PCI DSS, which is adding virtualization security requirements in 2010. VSP helps meet the security aspects of these PCI DSS requirements:
• Requirement 1, Firewall and Router Configuration (1.1, 1.1.2, 1.2.1, 1.3.1, 1.3.2, 1.3.4, 1.3.5, 1.3.7 and 1.4.2)
• Requirement 2, Configuration Standards (2.2, 2.2.1, 2.2.2 and 2.4)
• Requirement 6, Security Patching (6.1, 6.2, 6.5 and 6.6)
• Requirement 10, Tracks and Monitors Access to Data (10, 10.2, 10.5.2, 10.5.5 and 10.6)
IBM Virtual Server Protection for VMware increases ROI of the virtual infrastructure
• Automated protection as each VM comes online
– Automatic discovery
– Automated vulnerability assessment
– IBM Virtual Patch® technology
• Non-intrusive
– No reconfiguration of the virtual network
– No presence in the guest OS, so better stability, more CPU/memory available for workloads and a smaller attack surface
• Protection for any guest OS
– Reduction in security agents across multiple OSs
• Less management overhead; redundant processing tasks are eliminated
– One Security Virtual Machine (SVM) per physical server
– 1:many protection-to-VM ratio
– CPU-intensive processing removed from the guest OS and consolidated in the SVM
• Centralized management with the IBM Proventia® Management SiteProtector™ system
Summary
| Need | How IBM VSP for VMware® helps |
|---|---|
| Mitigate new risks and complexities introduced by virtualization | Provides dynamic protection for every layer of the virtual infrastructure |
| Maintain compliance standards and regulations | Helps meet regulatory compliance by providing security and reporting functionality customized for the virtual infrastructure |
| Drive operational efficiency | Increases ROI of the virtual infrastructure |
IBM Delivers Comprehensive Security Governance, Risk & Compliance Management
– The only security vendor in the market with an end-to-end framework and solution coverage from both the business and IT security perspectives
– 15,000 researchers, developers and SMEs on security initiatives
– 3,000+ security and risk management patents
– 200+ security customer references and 50+ published case studies
– Managing over 4 billion security events per day for over 3,700 clients
– 40+ years of proven success securing the zSeries environment
– $1.5 billion security spend in 2008
IBM Security Solutions Portfolio (matrix of products across the Assess, Mitigate and Manage columns)
• Tivoli Security Information and Event Manager (TSIEM)
• Tivoli Access Manager family (TAM)
• Tivoli Security Policy Manager (TSPM)
• Tivoli Identity Manager (TIM)
• Tivoli Privileged Identity Management (TPIM)
• Tivoli Federated Identity Manager (TFIM)
• Tivoli Security Compliance Manager (TSCM)
• Tivoli Key Lifecycle Manager (TKLM)
• Tivoli zSecure
• Guardium
• InfoSphere Content Assessment
• InfoSphere Optim
• InfoSphere Identity Insight
• InfoSphere eDiscovery Manager and Analyzer
• PGP
• ISS Proventia Gx, Fidelis, Verdasys
• ISS Proventia Server
• IBM Virtual Server Protection (VSP)
• IBM SiteProtector
• WebSphere DataPower
• Rational Ounce Labs
• Rational AppScan
• Lotus Protector
• IBM Global Technology Services & BPs
For More Information: IBM Virtualization Security Solutions
• Virtualization Security Solutions webpage: http://www935.ibm.com/services/us/iss/html/virtualization-security-solutions.html
• White paper
IBM Virtual Server Protection Features
• Intrusion prevention and firewall
– Enforces dynamic security wherever VMs are deployed
– Applies one Security Virtual Machine (SVM) per physical server
– Privileged presence gives the SVM a holistic view of the virtual network
– Enables IBM Virtual Patch® technology to protect vulnerabilities on virtual servers regardless of patch strategy
• VM lifecycle enforcement
– Performs automatic VM discovery in order to reduce virtual sprawl
– Provides virtual access control and assessment by quarantining or limiting network access until VM security posture can be validated
– Virtual infrastructure auditing
• VM rootkit detection
– Transparently inspects VMs and detects installation of rootkits
– Reports on access and usage of the virtual environment
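The "VM lifecycle enforcement" bullets above, and the PCI isolation bullet on the compliance slide, describe a policy loop: discover every VM on the hypervisor, compare it with what the organization thinks it owns, check its security posture, and keep it off the production network until that posture is validated. The following is an added example of that loop in plain Python; it is not IBM's code and does not use the VSP or vSphere APIs. The inventory snapshot, CMDB contents, previous host placements, the 30-day patch threshold and all function names are constructed assumptions; in a real deployment the snapshot would come from the hypervisor management API and the policy would be pushed to the SVM or virtual firewall.

```python
"""Added example: a minimal VM lifecycle policy engine (not IBM/VSP code).

It takes a snapshot of VMs running on the hypervisors (constructed inline
here, normally pulled from the management API) and:
  1. treats any VM absent from the CMDB as virtual sprawl,
  2. checks each VM's posture (owner, patch age, protection agent),
  3. assigns a network policy: ALLOW, LIMITED (management/patch nets only)
     or QUARANTINE until posture is validated,
  4. reports VMs that changed host since the last snapshot (VMotion),
  5. reports in-scope PCI VMs sharing a physical host with out-of-scope VMs.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

MAX_PATCH_AGE_DAYS = 30  # assumed policy threshold


@dataclass
class VM:
    name: str
    host: str                  # physical server the VM currently runs on
    owner: Optional[str]       # owner of record, None if unknown
    last_patch: Optional[date] # None if the VM has never been patched
    agent_ok: bool             # host protection agent present and reporting
    pci_scope: bool = False    # VM handles cardholder data


def posture_findings(vm: VM, today: date) -> List[str]:
    """Return the list of posture problems found for one VM."""
    findings = []
    if vm.owner is None:
        findings.append("no owner of record")
    if vm.last_patch is None:
        findings.append("never patched")
    elif (today - vm.last_patch).days > MAX_PATCH_AGE_DAYS:
        findings.append("patch level older than %d days" % MAX_PATCH_AGE_DAYS)
    if not vm.agent_ok:
        findings.append("protection agent missing")
    return findings


def network_policy(vm: VM, today: date, cmdb: Set[str]) -> str:
    """Decide what network access a VM gets until its posture is validated."""
    if vm.name not in cmdb:            # unknown VM: sprawl, isolate it
        return "QUARANTINE"
    findings = posture_findings(vm, today)
    if "never patched" in findings or "protection agent missing" in findings:
        return "QUARANTINE"            # cannot be assessed or is unprotected
    if findings:
        return "LIMITED"               # known VM with fixable gaps
    return "ALLOW"


def evaluate(inventory: List[VM], today: date, cmdb: Set[str]) -> Dict[str, str]:
    return {vm.name: network_policy(vm, today, cmdb) for vm in inventory}


def moved_vms(previous: Dict[str, str], inventory: List[VM]) -> List[Tuple[str, str, str]]:
    """(vm, old_host, new_host) for every VM that changed host since last run."""
    moves = []
    for vm in inventory:
        old = previous.get(vm.name)
        if old is not None and old != vm.host:
            moves.append((vm.name, old, vm.host))
    return moves


def pci_colocation(inventory: List[VM]) -> List[Tuple[str, str, str]]:
    """(pci_vm, host, other_vm) for each PCI VM sharing a host with an out-of-scope VM."""
    by_host: Dict[str, List[VM]] = {}
    for vm in inventory:
        by_host.setdefault(vm.host, []).append(vm)
    hits = []
    for host, vms in by_host.items():
        for pci in (v for v in vms if v.pci_scope):
            for other in vms:
                if not other.pci_scope:
                    hits.append((pci.name, host, other.name))
    return hits


# Constructed sample data (assumed, not from any real environment)
TODAY = date(2010, 6, 1)
CMDB = {"web01", "db01", "pay01"}
PREVIOUS_PLACEMENT = {"web01": "esx1", "db01": "esx1", "pay01": "esx2"}
INVENTORY = [
    VM("web01", "esx1", "web-team", date(2010, 5, 20), True),
    VM("db01", "esx2", "dba", date(2010, 3, 1), True),              # moved, stale patches
    VM("pay01", "esx2", "payments", date(2010, 5, 25), True, pci_scope=True),
    VM("tmp-clone", "esx1", None, None, False),                      # not in CMDB
]

if __name__ == "__main__":
    for name, policy in evaluate(INVENTORY, TODAY, CMDB).items():
        print(f"{name:10s} {policy}")
    print("moved:", moved_vms(PREVIOUS_PLACEMENT, INVENTORY))
    print("PCI co-location:", pci_colocation(INVENTORY))
```

Run as a script it prints one policy per VM, the host move for db01 and the pay01/db01 co-location on esx2. The decisions are deliberately conservative: an unknown VM or one without a reporting agent gets no production access, because the engine cannot tell what it is running; a known VM with only stale patches gets a limited segment from which it can still be patched.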
IBM offers the broadest, most integrated, defense-in-depth virtualization security with one product
(Feature comparison matrix: VSP versus Altor, Reflex, Trend and McAfee; the features compared are Firewall, Rootkit Detection, Hypervisor-Level (VMsafe) Integration, Intrusion Prevention, Intrusion Detection, Virtual Patch, Visibility into Virtual Network Activity, Virtual Network Segment Protection, VM Sprawl Management, Central Management, Web Application Protection, Inter-VM Traffic Analysis, Network Policy Enforcement, Automated Protection for Mobile VMs (VMotion) and Auto Discovery)
Questions?
Thank You / Merci
Trademarks and disclaimers
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce. ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office. UNIX is a registered trademark of The Open Group in the United States and other countries. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others.
Information is provided "AS IS" without warranty of any kind. The customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Information concerning non-IBM products was obtained from a supplier of these products, published announcement material, or other publicly available sources and does not constitute an endorsement of such products by IBM. Sources for non-IBM list prices and performance numbers are taken from publicly available information, including vendor announcements and vendor worldwide homepages. IBM has not tested these products and cannot confirm the accuracy of performance, capability, or any other claims related to non-IBM products. Questions on the capability of non-IBM products should be addressed to the supplier of those products.
All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Some information addresses anticipated future capabilities. Such information is not intended as a definitive statement of a commitment to specific levels of performance, function or delivery schedules with respect to any future products. Such commitments are only made in IBM product announcements. The information is presented here to communicate IBM's current investment and development activities as a good faith effort to help with our customers' future planning. Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput or performance improvements equivalent to the ratios stated here. Prices are suggested U.S. list prices and are subject to change without notice. Starting price may not include a hard drive, operating system or other features. Contact your IBM representative or Business Partner for the most current pricing in your geography. Photographs shown may be engineering prototypes. Changes may be incorporated in production models.
© IBM Corporation 1994-2010. All rights reserved. References in this document to IBM products or services do not imply that IBM intends to make them available in every country. Trademarks of International Business Machines Corporation in the United States, other countries, or both can be found on the World Wide Web at http://www.ibm.com/legal/copytrade.shtml.