RSA Solution for Cloud Security and Compliance RSA

RSA Solution for Cloud Security and Compliance RSA, The Security Division of EMC Bernard Montel Directeur Technique, RSA France Bernard. montel@rsa. com

Customer Challenges, Key Messages Solution Capabilities 2

Cloud Computing by NIST and VMware Cloud Computing is an approach to computing that leverages the efficient pooling of on-demand, self-managed virtual infrastructure, consumed as a service. Cloud is a way of doing computing Enterprises Private Cloud Operated solely for an organization, typically within the firewall Bridging Hybrid Cloud Composition of 2 or more interoperable clouds, enabling data and application portability Cloud Service Providers Public Cloud Accessible over the Internet for general consumption

Security-Specific Factors That Would Enable More Widespread Usage of Server Virtualization © 2010 4 Enterprise Strategy Group

Customer Challenges Business Objective (CIO) Accelerate/start virtualization of business critical apps to continue optimizing costs Business Objective (CISO) PAINS Manage risk and compliance while going from IT production to business production Lack of visibility into and control over security and compliance status of the virtual infrastructure Difficult to rationalize the complexity of compliance requirements across virtual and physical environments Lack of guidance and orchestration for securing virtual infrastructure comprehensively Lack of consistency in physical and virtual security increases cost and complexity of virtualization High cost and difficulty of responding to compliance audits for virtual environments Inefficient management of security and compliance across IT and security operations teams Fragmented views of data across hybrid infrastructure causes delays in identifying risk and compliance breaches/concerns

Negative Consequences Increased risk of fines and failed audits – – – “we are flying blind” “we are going to be painted into a corner” (if something that fails an audit gets into production and the company is committed, it is really hard to fix it later!) Policy for meeting regulations (e. g. PCI) in virtualized environments still evolving Compliance concerns stall the adoption of virtualization – – – Mission critical applications with sensitive data are riskier Segmenting regulated data onto separate virtualized hardware Limits the cost savings inherent in virtualization

Negative Consequences (cont. ) Responding to audits is time consuming, error prone and costly – – – Across mixed virtual and non-virtual IT infrastructure No time for other value-added security projects 20% of IT time and resources spent on compliance; this is compounded by virtualization Delays in identifying risk and compliance breaches/concern – Due to fragmented views across virtual and physical infrastructure

The Enterprise Journey to the Hybrid Cloud Public cloud adoption Software as a Service IT Production Lower Costs Platform as a Service Infrastructure as a Service Business Production Improve Quality Of Service IT-As-A-Service Improve Agility % Virtualized 85% 95% 70% 30% High Availability 15% Data Protection 8

Securing the Enterprise Journey to the Cloud Identity management Public cloud adoption Software as a Service Platform as a Service Infrastructure as a Service Multi-factor authentication IT Production Lower Costs Trust management Business Production Improve Quality Of Service IT-As-A-Service Improve Agility % Virtualized 85% Security event management 70% Information and workload control 30% 15% Hardening 95% Compliance monitoring Service provider control Security patches Visibility and compliance Integration with enterprise security processes 9

Use Case Examples 10 10

Use Case : Reducing Risk of VM Theft Risk: Securing virtual infrastructure is often a check list of best practices. Hardening VMware environment is complex and difficult to verify. What can I do to limit the risk of VM theft from my datacenter? Need to take preventative steps that limit access to VM file in the first place (e. g. ) • • Disable Datastore Browser Storage User Access Limit use of service console Use least privileged role concept for system and data access (also: possible strong authentication to ensure access of only approved people and roles) Archer has built in Control Procedures to check for VM file access best practices Security and IT Ops can easily see if controls enforce policy Cloud Solution identifies VMware devices, assesses configuration status, and informs responsible VI admin En. Vision provides “electronic bread crumb trail” forensics to ensure security events not disrupting compliance posture

Customer Challenges, Key Messages Solution Capabilities 12 12

RSA Archer e. GRC Solutions Audit Management Centrally manage the planning, prioritization, staffing, procedures and reporting of audits to increase collaboration and efficiency. Policy Management Centrally manage policies, map them to objectives and guidelines, and promote awareness to support a culture of corporate governance. Risk Management Identify risks to your business, evaluate them through online assessments and metrics, and respond with remediation or acceptance. Business Continuity Management Automate your approach to business continuity and disaster recovery planning, and enable rapid, effective crisis management in one solution. Threat Management Track threats through a centralized early warning system to help prevent attacks before they affect your enterprise. Vendor Management Centralize vendor data, manage relationships, assess vendor risk, and ensure compliance with your policies and controls. Compliance Management Document your control framework, assess design and operational effectiveness, and respond to policy and regulatory compliance issues. Incident Management Report incidents and ethics violations, manage their escalation, track investigations and analyze resolutions. Enterprise Management Manage relationships and dependencies within your enterprise hierarchy and infrastructure to support GRC initiatives.

Summary: RSA Solution for Cloud Security and Compliance v 1. 0 What’s New RSA Securbook Discover VMware infrastructure Define security policy What’s New Over 100 VMware-specific controls added to Archer library, mapped to regulations/standards Manual and automated configuration assessment Manage security incidents that affect compliance RSA Archer e. GRC What’s New RSA en. Vision collects, analyzes and feeds security incidents from RSA, VMware and ecosystem products to inform Archer dashboards (e. g. DLP, VMware v. Shield and v. CD, Hy. Trust, Ionix, etc. ) Remediation of non-compliant controls What’s New solution component automatically assesses VMware configuration and updates Archer

Enabling the Cycle of Security Compliance Discover VMware infrastructure Define security policy What’s New Over 100 VMware-specific controls added to Archer library, mapped to regulations/standards Manual and automated configuration assessment Manage security incidents that affect compliance RSA Archer e. GRC Remediation of non-compliant controls

RSA Archer: Mapping VMware security controls to regulations and standards Authoritative Source Regulations (PCI-DSS, etc. ) “ 10. 04 Administrator and Operator Logs” Cx. O Control Standard Generalized security controls “CS-179 Activity Logs – system start/stop/config changes etc. ” Control Procedure Technology-specific control “CP-108324 Persistent logging on ESXi Server” VI Admin

Discover VMware infrastructure and define policy/controls to manage

Distribution and Tracking Control Procedures Security Admin Server Admin Project Manager Network Admin VI Admin

Enabling the Cycle of Security Compliance Discover VMware infrastructure Define security policy Manual and automated configuration assessment Manage security incidents that affect compliance RSA Archer e. GRC Remediation of non-compliant controls What’s New solution component automatically assesses VMware configuration and updates Archer

Initial Deployment Questionnaire

Automated Assessment via Power. CLI Automatically discover and assess VMware infrastructure via Power. CLI RSA Archer e. GRC VMware objects (ESX, v. Switches, etc…) are automatically populated into Archer They are then mapped to control procedures. Over 40% are automatically assessed via Power. CLI and the results fed into Archer for reporting and remediation.

Enabling the Cycle of Security Compliance Discover VMware infrastructure Define security policy Manual and automated configuration assessment Manage security incidents that affect compliance RSA Archer e. GRC Remediation of non-compliant controls

Control Procedure – List, Status and Measurement Method

Deployment and Remediation Work Queues

Overall Virtual Infrastructure Compliance Dashboard

Enabling the Cycle of Security Compliance Discover VMware infrastructure Define security policy Manual and automated configuration assessment Manage security incidents that affect compliance RSA Archer e. GRC What’s New RSA en. Vision collects, analyzes and feeds security incidents from RSA, VMware and ecosystem products to inform Archer dashboards (e. g. DLP, v. Shield, Hy. Trust, etc. ) Remediation of non-compliant controls

RSA Solution for Cloud Security and Compliance: Architecture Regulations, standards Generalized security controls VMware-specific security controls Automated assessment Configuration State RSA en. Vision VMware cloud infrastructure (v. Sphere, v. Shield, VCD) Ecosystem (Hy. Trust, Ionix, ) Security Events

Example: VMware v. Shield Network Security Events Fed to Archer

Overall Compliance Dashboard and Reporting: Physical and Virtual

Learn More RSA social media release with demo http: //rsawebdev. na. rsa. net/go/press/RSAThe. Security. Divisionof. EMCNews. Release_83010. html www. rsa. com/virtualization – Secure Cloud

www. rsa. com/virtualization Thank you!