Cloud and the Software Defined Data Center (SDDC) - Issues & Trends -
Keith Cowan - NYC SE, Frank Arena - Account Director © 2016 HyTrust, Inc. 1
HyTrust Presentation Objective
• Educate/update ISACA members on Cloud, SDDC, SDN…
• Review trends and adoption of the above
• Review audit, compliance, security, risk and governance issues
• Discuss options to manage inherent risks
What is Cloud Computing? What is SDDC? What is SDN?
• Cloud Computing:
  – A kind of Internet-based computing that provides shared processing resources and data to computers and other devices on demand.
  – Ubiquitous, on-demand access to a shared pool of configurable computing resources
  – Analogous to an electric utility
• SDDC:
  – A datacenter where all infrastructure is virtualized and delivered as a service
  – Making datacenter services as easy and inexpensive to configure and manage as virtual machines
  – Hardware in a SDDC is fully automated by software
  – SDDC is an enabling technology for Cloud Computing
• SDN:
  – Like SDDC, the Control Plane and Data Plane are decoupled
  – Software-Defined Networking enables Network Engineers and vAdmins to be agile and address changing business requirements
A History of Security Playing Catch Up
[Timeline figure: technology eras (Mainframe, Internet, Web Browser, 802.11 Wireless, Cloud and SDDC / Today) and the security controls that arrived after each (RACF/ACF2/Top Secret, Firewall, Antivirus, SSL, WPA, ???); years marked: 1976, 1991, 1994, 2002]
Forrester defines SDDC as “a data storage facility in which all elements of the infrastructure—networking, storage, CPU, and security—are virtualized and delivered as a service. Deployment, provisioning, configuration, and the operation, monitoring, and automation of the entire infrastructure is abstracted from hardware and implemented in software.”
Top operational challenges facing organizations on their road to SDDC
[Figure: the SDDC journey, labelled with the following]
• Agility, Economics, Simplicity, Speed
• Limited visibility, Compliance, Data privacy, Privileged user threats, Data protection, Data geofencing
• SDDC journey begins
What are some of your operational concerns?
• Do you currently have different IT teams for servers, network and storage?
• Do you plan to collapse these established silos as you move to the cloud?
• How will this affect roles & responsibilities? Existing processes?
• What does this transition mean for compliance? Planned or future audits?
• Is there a plan to address visibility in a hybrid cloud environment?
Security Controls are Important to Reduce Risk
Writing a Check at Your Company
• Signature authority limits
• Two signatures
• Watermark or authenticity measures
• Separation of duties (check writing and reconciliation)
• Checks stored in lockbox
Modifying Virtual Machines
• Without role-based policy enforcement, any admin might access or change any VM
• Without two-person approval, any admin might make changes to critical VMs or destroy them
• Without strong authentication, admins might gain unauthorized access to VMs
• Without root password management, any admin might have access to all VMs
• Without VM encryption, unauthorized operators might access data or remove complete VMs and spin them up on another system
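As an added example (not HyTrust code; the roles, operation names and VM names are constructed), here is a small Python model of three of the controls above: role-based policy, a two-person approval rule for critical VMs, and an audit record of every decision.

```python
"""Model of VM-change controls: role-based policy, two-person approval
for critical VMs, and an audit trail. Hypothetical design for illustration."""
from dataclasses import dataclass, field

# Constructed policy table: which operations each role may perform.
ROLE_PERMISSIONS = {
    "vm-operator": {"power_on", "power_off", "snapshot"},
    "vm-admin": {"power_on", "power_off", "snapshot", "reconfigure", "delete"},
    "auditor": set(),  # read-only role, may change nothing
}
# Operations that need a second, distinct approver when the VM is critical.
TWO_PERSON_OPS = {"reconfigure", "delete"}


@dataclass
class VM:
    name: str
    critical: bool = False


@dataclass
class PolicyEngine:
    roles: dict                          # user -> role name
    audit: list = field(default_factory=list)

    def _permits(self, user, op):
        return op in ROLE_PERMISSIONS.get(self.roles.get(user), set())

    def authorize(self, user, op, vm, approver=None):
        """Return True if `user` may run `op` on `vm`; every decision is logged."""
        allowed = self._permits(user, op)
        reason = "role-permit" if allowed else "role-deny"
        if allowed and vm.critical and op in TWO_PERSON_OPS:
            # Two-person rule: the approver must be a different person whose
            # own role could perform the operation (no rubber-stamping).
            if approver is None or approver == user:
                allowed, reason = False, "needs-second-approver"
            elif not self._permits(approver, op):
                allowed, reason = False, "approver-not-privileged"
            else:
                reason = "two-person-permit"
        self.audit.append({"user": user, "op": op, "vm": vm.name,
                           "approver": approver, "allowed": allowed,
                           "reason": reason})
        return allowed
```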
The Promise of Cloud Computing: Low Cost and Agility
[Figure: one physical layer of pooled compute, storage and network (Server 1 … Server 50) under a single virtual layer in which the workloads of tenants A, B, C and D share the same hosts and spare capacity, managed by a common set of virtual admins and used by a common set of users]
Low Cost with Agility
- Pooled resources
- Workload elasticity
- Resource utilization
Security Risk
• Loss of separation
• Unfettered admins
• Compliance issues
Air-Gapped PODs to address Audit, Compliance, Risk..
[Figure: four separate PODs, each with its own physical layer (compute, storage, network: Server 1 … Server 20), its own virtual layer, its own admins and users, and its own spare capacity, each hosting only the workloads of tenant A, B, C or D]
High Cost Separation
- Reduces density
- Weakens agility
- Less elasticity
- Operational burden
Lessens Security Risk
- Achieves separation
- Deployment similar to pre-virtualization
C-Level Priorities & Strategies for ‘Innovate & Reduce Spend’
Deliver on Business Initiatives Faster
• Virtualize more
• Consolidate more
• Use commodity
• Increase DevOps Agility
• Manage risks better
Declining Economy with Modest Recovery Expected
Be creative & continue to lower infrastructure costs
• Lower top 3 spends
• Leverage SDDC
• Leverage Hyper-converged
• Leverage Hybrid
• Leverage Public Cloud
Methodology
Who: >500 Business and IT executives were surveyed, as follows:
• 25% C-level executives (CEOs, CIOs, CISOs/CSOs)*
• 25% VP level (EVP, SVP, VP)
• 10% Director level
• 20% Manager level
• 20% IT Admin/Systems Admin level
Size: Medium and large enterprises, as follows:
• 80% organizations of >250 employees
• 20% large enterprises of >1,000 employees
Location(s): US & UK, as follows:
• 80% of respondents work for organizations in the USA
• 20% of respondents work in the UK
The survey methodology is 100% ESOMAR and MRS compliant. It leverages the OnePoll service and respondents are invited to participate from an invitation-only panel of executives. All data points are specific to their careers and roles within the workplace. The data summarizes responses, and also breaks them out by job title, size of organization (by number of employees), region, and industry sector.
Top SDDC Adoption and Deployment Trends
• 65% - Faster Deployment
• 62% - Increased Adoption
• 53% - Storage Virtualization
54% say More Data Breaches
NDA Material, Confidential and Proprietary
Internal Compliance and Auditing: 72% expect more or the same amount of internal compliance/auditing issues. What’s surprising: only 28% believe there’ll be fewer.
Security is the #1 Issue. What do you believe is the #1 issue that keeps organizations from virtualizing all applications (including mission critical)?
#1 Issue Holding Back Virtualization Is….. IT/Sys Admins & Engineers (60%) were ~2X more concerned about security than C-level execs (~35%), while C-level execs (~30%) were >3X more concerned about budget than IT/Sys Admins/Engineers (~10%).
Who is HyTrust?
The HyTrust Intelligent Workload Security solution mitigates the security and operational risks that organizations face when pursuing cloud and virtualization data center transformation
§ Founded in 2007
§ Extensive virtualization and cloud security expertise
§ 12 granted and pending patents for virtualization & cloud security
§ Acquired HighCloud Security in 2013
[Logo panels: CUSTOMERS, TECHNOLOGY PARTNERS, STRATEGIC & FINANCIAL INVESTORS]
HyTrust Intelligent Workload Security: A workload can be anything (VM, network object, IoT device, etc.). Protect the data, the infrastructure that runs the workload, and administrator access to the workload. HyTrust eliminates the need for dozens of vendors, saving Capex and Opex.
HyTrust Cloud Security Automation Platform
[Diagram: virtualization admins in front of HyTrust CloudControl, HyTrust BoundaryControl (Intel TXT) and HyTrust DataControl, spanning the SDDC private cloud and the SDDC public cloud]
• Enforce consistent security and access policies by role or asset, 2-person approval
• Authenticate VM administrators with 2FA enforcement and password vaulting
• Maintain visibility with granular audit logging and real time alerting for sensitive changes
• VM hardening: flag and remove insecure config, apply industry templates (PCI, HIPAA, etc.)
• Restrict sensitive virtual workloads to trusted HW/SW servers
• Allow virtual servers to run only on HW in a particular location
• Encrypt and protect virtual workloads and data across clouds
• Perform key management and maintain multi-tenancy
• Encrypt virtual server data on HW in a particular location
With HyTrust: Cost Effective and Secure Convergence
[Figure: one shared physical layer of compute, storage and network (Server 1 … Server 50) under one virtual layer; the workloads of tenants A, B, C and D share the pool and spare capacity, with HyTrust enforcing the separation between them for a single set of admins and users]
Lower Cost and Secure
- Improves density
- Pool resources
- Multi-tenant security
- Workload elasticity
- Addresses compliance
- Reduces insider risk
- Trust tied to hardware
Thank you
[email protected] [email protected]