Secure: Enable and Protect Your Business with End-to-End IT Security

SA303SN – Virtualization Security in Healthcare: How to Feel Confident Using Real Customer Data in Virtual Environments
Troy D. Casey, Principal Security Architect, McKesson Corporation

Abstract
McKesson must meet rigid data security requirements while enabling development and support teams to handle sensitive customer data. Virtual environments need to be as secure – if not more secure – than physical environments. This means that highly secure virtual machines have to be easily provisioned and ready to scale to meet the growing need for capacity. Hear how McKesson used new virtualization tools and capabilities to reduce risk and costs, while accelerating business by expanding the use of virtualization throughout the organization.

Copyright © 2013 CA. All rights reserved.

Agenda
Foundations
– Capabilities, Concerns, Environment
– Overall Information Security Management System
Developing the Technical Architecture
– Requirements -> Features -> Design
– Solutions -> Integration -> Operationalization

Summary
Foundations: A virtualization security project or program executes within the context of an existing Information Security Management System.
Project Flow: A security project can be organized and managed similarly to any other IT project.
– Start with requirements analysis
– Evaluate the end product in light of the defined requirements

Key Points
1. Virtualization inserts new components that must be secured
2. Virtualization breaks down traditional IT role separation
3. Virtualization introduces “Blind Spots”
   – Virtual network traffic
   – Virtualization administrator activity
Foundational Elements
An existing security program provides a critical foundation for understanding the requirements for meeting the Organization’s desired security profile and enables appropriate Risk management.
A competency in effectively managing risk and providing an appropriate security posture for HIPAA compliance is a fundamental capability of a security program for any entity operating in the Healthcare industry in the United States.

Foundations: Security Principles
– Trust but Verify
– Need to Know
– Least Privilege
– Defense in Depth

Foundations: Capabilities
People – Process – Technology

Foundations: Concerns
Confidentiality – Integrity – Availability

Foundations: Concerns (services by concern)
CONFIDENTIALITY | INTEGRITY | AVAILABILITY
Identity Services | Audit Services | Backup & Restore
Authentication | Nonrepudiation | HA Clustering
Authorization | Log Capture | Disaster Recovery
Access Controls | Event Correlation | Business Continuity

Foundations: IT Environment & Operations
Facilities | Systems | Storage | Data | Apps
Building | Hardware | Local Disk | Structured | Revenue Generating
Data Center | Firmware | SAN | Unstructured | Support
Surveillance | Operating System | NAS | In-Motion | Monitoring
Guards | Hypervisor | Cloud Storage | At-Rest | Security
Gates | VM System Software | Removable Storage | In-Use | RDBMS
Badge Readers | | | Classification | IDE/SDK

Foundations: Enterprise ISMS Model
People, Process and Technology are applied across Facilities, Systems, Storage, Data and Apps to deliver Confidentiality Services, Integrity Services and Availability Services, all under InfoSec Program Management & Oversight.

Foundations: Controls Interaction & Defense in Depth
The control layers must work together to realize a responsive ISMS: Deter, Prevent, Detect, React, Compensate, Adapt.

Control Directive | Physical World | IT Example | Comment
Deter | Visible Guard | Monitoring Notice | Discourage attacker
Prevent | Locked Door | Firewall | Stop an attack
Detect | Motion Detector | NBAD Sensor | Find the threat
React | Sound the Alarm | Incident Response | Active Response
Compensate | Man Trap | Encryption | Last line of defense
Adapt | After-Action Review & retooling | Continuous Service Improvement | Change the system to better handle future threats & attacks

Architecting the Solution
Develop the Technical / Solution Architecture in six steps:
1. Determine Requirements
2. Map Requirements to Features
3. High-level Architecture & Design
4. Identify Solutions
5. Implement & Integrate
6. Deploy & Operationalize

Determine Requirements
The business’ security requirements are derived from a number of authoritative sources: Business Requirements, Customer Contracts, Government Regulations (HIPAA) and Industry Standards (e.g., ISO 27001). These are merged to arrive at the unique set of requirements called for by the Company’s set of Policies relative to InfoSec and IT and Business operations.

Operational Use Case (workflow)
1. Customer Data Set Submission
2. Bug Fix Issue due to Data Anomaly
3. Release / Patch
4. Deliver Code Fix
Map Requirements to Security Features
Data Classification | Example | Regulation/Policy | Security Feature | Comment
SECRET | Inventions prior to Patent submission | Internal | Two-Factor Authentication | Security over and above what’s required by typical regulatory frameworks
SENSITIVE | Personal Health Info | HIPAA/HITECH | Digital Rights Management, Encryption, Application Isolation, Data Loss Prevention, Strong Audit | Define a level of security that meets the requirements of the Policy and/or Regulation
COMPANY | Network Diagrams | ISO | Vulnerability Management, Intrusion Detection, Perimeter Security | Security level appropriate for organizational risk tolerance
PUBLIC | Marketing Materials | Internal | Anti-Virus, Patching, Backup | “Default” or Baseline security level

High-Level Design
(Architecture diagram; no text content recoverable.)

Identify Solutions
Technology | Tool(s)
DLP – DIM, DAR, DIU | CA DataMinder™, CA Email Control for the Enterprise
Anti-Virus / Anti-Malware | eTrust AV
Vulnerability Management | Tenable/Nessus
Encryption & Key Management | Vormetric Data Security
Authentication & Authorization | Active Directory/LDAP, CA AuthMinder™
Firewall & Segmentation/Isolation | VMware vShield Edge, App; vCloud
Log & Event management | RSA Envision
Privileged User Mgmt/Monitoring | HyTrust, CA ControlMinder™ for Virtual Environments
Configuration Management | CA Automation Suite for Data Centers
Patching & updates; Backup & Archive | existing solutions
Low-level access controls | existing OS & applications

Architectural Complexity: Virtualization Components
(Diagram of the virtualization component stack; no text content recoverable.)
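An added example, not from the presentation or McKesson's own tooling, that turns the classification-to-feature mapping above into a gap check over a VM inventory record. It assumes the levels are cumulative (PUBLIC is the baseline every level inherits) and the inventory record format is constructed.

```python
# Added example (not from the presentation): derive the security features a VM
# needs from the classification of the data it hosts, then report the gaps.
# Assumption: each level inherits the features of the levels below it, with
# PUBLIC as the baseline, as the mapping slide's comments suggest.
from enum import IntEnum


class Classification(IntEnum):
    PUBLIC = 0
    COMPANY = 1
    SENSITIVE = 2
    SECRET = 3

# Features introduced at each level, taken from the mapping table.
FEATURES_BY_LEVEL = {
    Classification.PUBLIC: {"Anti-Virus", "Patching", "Backup"},
    Classification.COMPANY: {"Vulnerability Management", "Intrusion Detection",
                             "Perimeter Security"},
    Classification.SENSITIVE: {"Digital Rights Management", "Encryption",
                               "Application Isolation", "Data Loss Prevention",
                               "Strong Audit"},
    Classification.SECRET: {"Two-Factor Authentication"},
}

def required_features(level):
    """Union of the features for this level and every level beneath it."""
    return set().union(*(FEATURES_BY_LEVEL[c] for c in Classification if c <= level))

def effective_level(datasets):
    """A VM is protected to the highest classification of any data it hosts."""
    return max(Classification[d["classification"]] for d in datasets)

def control_gaps(vm):
    """Required features the VM lacks, sorted for stable output."""
    return sorted(required_features(effective_level(vm["datasets"])) - set(vm["controls"]))

# Constructed inventory record: a SecureLab VM holding a customer PHI extract.
SAMPLE_VM = {
    "name": "securelab-app-a-db",
    "datasets": [{"name": "marketing-copy", "classification": "PUBLIC"},
                 {"name": "customer-phi-extract", "classification": "SENSITIVE"}],
    "controls": ["Anti-Virus", "Patching", "Backup", "Vulnerability Management",
                 "Intrusion Detection", "Perimeter Security", "Encryption",
                 "Data Loss Prevention"],
}

if __name__ == "__main__":
    print(effective_level(SAMPLE_VM["datasets"]).name, control_gaps(SAMPLE_VM))
```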
Architectural Complexity: Securing Virtualization within the IT Infrastructure
(Network architecture diagram. Recoverable labels:)
– Layers and zones: External Untrusted Layer (Internet via ISP 1 and ISP 2, B2B Extranet, ASP/MPS, partners, vendors, sub-contractors, external hosting and CoLos, McKesson CareBridge); Perimeter Zone with edge routers and firewalls; Core Edge Firewall Layer; Infrastructure Distribution Layer; Network Core Layer; Internal Trusted Layer; Hypervisor Layer.
– Network segments: PCI DMZ, McKIT Shared DMZ, PCI Internal Service Networks, McKIT Shared Service Network, ASP-MSP Internal Service Network, CoLo Internal Service Network, McKIT WAN-MPLS, VPN Remote Access, McK Remote Offices/Sites, Management & Admin Network Zone.
– Management & security services (physical): HyTrust Gateway, vCenter, vShield App/Edge/Endpoint, Directory Services, Patching (HP SA), SIEM, Central Logging, Anti-virus, Backup & Recovery, Virtualization Key Management, IDS/IPS, DLP, Vulnerability Scan, VM Build and O/S Build.
– Hypervisor layer: ESXi hosts 1…n with a management interface, vNet fabric and vSwitches 1…n, VMs 1…n, vShield Endpoint with the vSafe/vShield 1.6 API, and VM agents for Auth-LDAP, Crypto, Logs, Anti-Malware, Backup, Admin and Patch.
– Storage and backup: DASD, SAN, NAS (NFS, iSCSI, SMB), VTL, tape, de-dup, VM repository, back-up/restore solution.

Implement & Integrate
Your security stack includes a number of components that may not immediately be recognized as security components. Hardware-based elements, virtual hardware and other virtual infrastructure pieces, middleware, OS, and the application all contribute to the overall security posture.

Deploy & Operationalize
Administrative roles involved: Application Administrator, Security Administrator, Storage Administrator, Server Administrator, Network Administrator, Virtualization Administrator.
McKesson SecureLab: NGDC Architecture
(Architecture diagram. Recoverable labels:)
– Developers & App Support work from physical desktops & laptops and reach SecureLab only through a hardened View 5 VDI “bastion host” (VCD on ESXi).
– vShield App: all VDI instances are automatically firewalled from one another; VDI “group” to App access is allowed by vShield App.
– vShield Edge: network gateway and secure multi-tenancy between application partitions (App A–D, each with Web, MW and DB tiers).
– ESXi hosts use trusted boot with Intel TPM/TXT.
– Virtual data centers: McKesson Imaging VDC, Horizon Clinicals VDC.

McKesson SecureLab: NGDC Architecture (security services, consumed as a corporate service)
– Data at Rest DLP: Symantec; Data in Motion DLP: Code Green; Data in Use DLP
– Vulnerability assessment: Nessus / Tenable Security Center
– Data discovery: MSFT; Secure File Transfer
– Encryption policy & key management: Vormetric Data Security Manager (Sec Admin)
– Endpoint protection and antivirus: McAfee ePO
– Audit trail and egress monitoring: RSA enVision SIEM
– vShield App, Edge and Endpoint; vCenter for multi-tenancy management and application partitions
– HyTrust: role-based access control and privileged user monitoring of the vInfrastructure Admin
– Active Directory (AD domains, trusts, groups, roles, assignments) with a one-way trust to the Dev AD Domain; Sys Admin Operations

Virtualization Security: Secure Data Repository – Conceptual Design
(Diagram; no text content recoverable.)
SecureLab: Notional Design
(Diagram. Recoverable labels: End User (Developer) Desktop -> View 5 VDI (hardened) on VCD/ESXi; Virtual DC 1 and Virtual DC 2 with App A…App Z partitions (Web, MW, DB) separated by vShield App/Edge/Endpoint; Multi-Tenancy Management and Application Partitioning via vCenter; Data Loss Prevention, Vulnerability Management, Encryption & Key Mgmt, End-Point Protection, Secure File Transfer, SIEM & Incident Response, Network Egress/Ingress Monitoring, Audit trail; vSphere Administration through HyTrust (Role-Based Access Control, Privileged User Monitoring); Identity & Access Mgt via Active Directory with a one-way trust to the Dev AD Domain; Intel TXT on hosts.)

Conclusion: Take-aways, Q&A

Key Take-Aways
TRUST BUT VERIFY – Extend Security Services to the Virtualization Infrastructure, especially Application Partitioning/Isolation! Rationalize the Hypervisor/Network vs. VM positioning.
LEAST PRIVILEGE – Ensure a reasonable Separation of Duties: prevent a single Rogue Actor from compromising data, and protect the system from Privileged Users.
DEFENSE IN DEPTH – Monitor, Log, Audit. Prevention is ideal, but Detection is critical! Detection triggers the Response capabilities.

Q&A
Session Evaluation: Session # SA303SN
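An added example, not from the presentation, of the Monitor/Log/Audit and Separation of Duties take-aways applied to the virtualization administrator blind spot: a separation-of-duties check run over constructed vCenter-style audit events. The event format, action names and role/group names are assumptions.

```python
# Added example (not from the presentation): a separation-of-duties check over
# constructed vCenter-style audit events. Virtualization administrators manage
# the infrastructure, but touching a VM's contents (console, disks, snapshots)
# is flagged unless the actor also holds that VM's application-owner role.
# The event format, action names and role names are assumptions.
from collections import namedtuple

Event = namedtuple("Event", "time actor action target")

INFRA_ACTIONS = {"PowerOnVM", "PowerOffVM", "MigrateVM", "ReconfigureHost"}
# Actions that expose or alter data inside a VM: the administrator 'blind spot'.
CONTENT_ACTIONS = {"OpenConsole", "AttachDisk", "CreateSnapshot", "ExportOVF"}

# Constructed role assignments (the groups a gateway such as HyTrust enforces).
ROLES = {
    "vadmin.jones": {"virtualization-admin"},
    "appowner.lee": {"app-owner:app-a"},
    "vadmin.patel": {"virtualization-admin", "app-owner:app-b"},
}
VM_OWNER_ROLE = {"app-a-db": "app-owner:app-a", "app-b-web": "app-owner:app-b"}

def is_violation(event):
    """Infrastructure actions pass; content actions need the owner role;
    unknown actions or VMs are flagged for review (fail closed)."""
    if event.action in INFRA_ACTIONS:
        return False
    if event.action in CONTENT_ACTIONS:
        needed = VM_OWNER_ROLE.get(event.target)  # None for an unknown VM
        return needed not in ROLES.get(event.actor, set())
    return True

def parse_line(line):
    """Parse 'time actor action target' records; None for malformed lines."""
    parts = line.split()
    return Event(*parts) if len(parts) == 4 else None

def find_violations(lines):
    """(actor, action, target) for every event that breaks the rule."""
    events = filter(None, (parse_line(line) for line in lines))
    return [(e.actor, e.action, e.target) for e in events if is_violation(e)]

# Constructed sample log: three legitimate events, two to flag, one malformed.
SAMPLE_LOG = """\
2013-04-23T09:01:00Z vadmin.jones PowerOnVM app-a-db
2013-04-23T09:05:12Z appowner.lee OpenConsole app-a-db
2013-04-23T09:07:45Z vadmin.jones AttachDisk app-a-db
2013-04-23T09:10:03Z vadmin.patel CreateSnapshot app-b-web
2013-04-23T09:12:30Z vadmin.patel OpenConsole app-a-db
garbage line""".splitlines()
```

Feeding the events from the SIEM (RSA enVision in the deck) through `find_violations` gives the alert that triggers the Response capability, which is the detection the take-away calls critical.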
Recommended Sessions
Related Topics: Virtualization Security, Privileged User Mgmt
SESSION # | TITLE | DATE/TIME
SA304SN | Virtualization Security: How to Reduce Your Risk from the Hypervisor to Virtual Machines | 04/23/2013 at 10:00 AM
SA300SN | CA ControlMinder Roadmap and Strategy: Managing Privileged Users in both Physical and Virtual Environments | 04/23/2013 at 2:30 PM
SA302SN | PwC Point of View on Privileged User Management | 04/24/2013 at 11:15 AM

Related Technologies
Virtualization Security and Privileged User Management: Booth 502 – CA ControlMinder for Virtual Environments