Virtualization Security in Healthcare: How to Feel Confident Using Real Customer Data in Virtual Environments

Secure: Enable and Protect Your Business with End-to-End IT Security
Session SA303SN
Troy D. Casey, Principal Security Architect
Abstract
Troy D. Casey, McKesson Corporation, Principal Security Architect

McKesson must meet rigid data security requirements while enabling development and support teams to handle sensitive customer data. Virtual environments need to be as secure – if not more secure – than physical environments. This means that highly secure virtual machines have to be easily provisioned and ready to scale to meet the growing need for capacity. Hear how McKesson used new virtualization tools and capabilities to reduce risk and costs, while accelerating business by expanding the use of virtualization throughout the organization.

Copyright © 2013 CA. All rights reserved.
Agenda
- Foundations
  – Capabilities, Concerns, Environment
  – Overall Information Security Management System
- Developing the Technical Architecture
  – Requirements -> Features -> Design
  – Solutions -> Integration -> Operationalization
Summary
- Foundations: A virtualization security project or program executes within the context of an existing Information Security Management System
- Project Flow: A security project can be organized and managed similarly to any other IT project
  – Start with requirements analysis
  – Evaluate the end product in light of the defined requirements
Key Points
1. Virtualization inserts new components that must be secured
2. Virtualization breaks down traditional IT role separation
3. Virtualization introduces “Blind Spots”
   – Virtual network traffic
   – Virtualization administrator activity
Foundational Elements

An existing security program provides a critical foundation for understanding the requirements for meeting the Organization’s desired security profile and enables appropriate Risk management.

A competency in effectively managing risk and providing an appropriate security posture for HIPAA compliance is a fundamental capability of a security program for any entity operating in the Healthcare industry in the United States.
Foundations: Security Principles
- Trust but Verify
- Need to Know
- Least Privilege
- Defense in Depth
Foundations: Capabilities
- PEOPLE
- PROCESS
- TECHNOLOGY

Foundations: Concerns
- CONFIDENTIALITY
- INTEGRITY
- AVAILABILITY
Foundations: Concerns (services supporting each concern)

CONFIDENTIALITY   | INTEGRITY         | AVAILABILITY
Identity Services | Audit Services    | Backup & Restore
Authentication    | Nonrepudiation    | HA Clustering
Authorization     | Log Capture       | Disaster Recovery
Access Controls   | Event Correlation | Business Continuity
Foundations: IT Environment & Operations

Facilities: Building, Data Center, Surveillance, Guards, Gates, Badge Readers
Systems: Hardware, Firmware, Operating System, Hypervisor, VM System Software
Storage: Local Disk, SAN, NAS, Cloud Storage, Removable Storage
Data: Structured, Unstructured, In-Motion, At-Rest, In-Use, Classification
Apps: Revenue Generating, Support, Monitoring, Security, RDBMS, IDE/SDK
Foundations: Enterprise ISMS Model

[Diagram] The capability dimensions PEOPLE, PROCESS and TECH span the IT environment layers (Facilities, Systems, Storage, Data, Apps); CONFIDENTIALITY SERVICES, INTEGRITY SERVICES and AVAILABILITY SERVICES cut across all of those layers, under INFOSEC PROGRAM MANAGEMENT & OVERSIGHT.
Foundations: Controls Interaction & Defense in Depth

The control layers must work together to realize a responsive ISMS: Deter, Prevent, Detect, React, Compensate, Adapt.
Foundations: Controls Interaction & Defense in Depth

Control Directive | Physical World                  | IT Example                     | Comment
Deter             | Visible Guard                   | Monitoring Notice              | Discourage attacker
Prevent           | Locked Door                     | Firewall                       | Stop an attack
Detect            | Motion Detector                 | NBAD Sensor                    | Find the threat
React             | Sound the Alarm                 | Incident Response              | Active Response
Compensate        | Man Trap                        | Encryption                     | Last line of defense
Adapt             | After-Action Review & retooling | Continuous Service Improvement | Change the system to better handle future threats & attacks
Architecting the Solution

Develop Technical / Solution Architecture:
1. Determine Requirements
2. Map Requirements to Features
3. High-level Architecture & Design
4. Identify Solutions
5. Implement & Integrate
6. Deploy & Operationalize
Determine Requirements

Sources: Business Requirements, Contracts, Government, Industry, Policies.

The business’ security requirements are derived from a number of authoritative sources. Requirements are merged from the Business, Customer Contracts, Government Regulations (HIPAA) and Industry Standards (e.g., ISO 27001) to arrive at the unique set of requirements called for by the Company’s set of Policies relative to InfoSec and IT and Business operations.
Operational Use Case

Customer -> Data Set Submission -> Issue due to Data Anomaly -> Bug Fix -> Release / Patch -> Deliver Code Fix (back to the Customer)
Map Requirements to Security Features

Data Classification | Example                               | Regulation/Policy | Security Feature                                                                                 | Comment
SECRET              | Inventions prior to Patent submission | Internal          | Two-Factor Authentication                                                                        | Security over and above what’s required by typical regulatory frameworks
SENSITIVE           | Personal Health Info                  | HIPAA/HITECH      | Digital Rights Management, Encryption, Application Isolation, Data Loss Prevention, Strong Audit | Define a level of security that meets the requirements of the Policy and/or Regulation
COMPANY             | Network Diagrams                      | ISO               | Vulnerability Management, Intrusion Detection, Perimeter Security                                | Security level appropriate for organizational risk tolerance
PUBLIC              | Marketing Materials                   | Internal          | Anti-Virus, Patching, Backup                                                                     | “Default” or Baseline security level
High-Level Design
[Diagram]
Identify Solutions

Technology                                                      | Tool(s)
DLP – DIM, DAR, DIU (Data In Motion, Data At Rest, Data In Use) | CA DataMinder™, CA Email Control for the Enterprise
Anti-Virus / Anti-Malware                                       | eTrust AV
Vulnerability Management                                        | Tenable/Nessus
Encryption & Key Management                                     | Vormetric Data Security
Authentication & Authorization                                  | Active Directory/LDAP, CA AuthMinder™
Firewall & Segmentation/Isolation                               | VMware vShield Edge, App; vCloud
Log & Event Management                                          | RSA enVision
Privileged User Mgmt/Monitoring                                 | HyTrust, CA ControlMinder™ for Virtual Environments
Configuration Management                                        | CA Automation Suite for Data Centers
Patching & Updates; Backup & Archive                            | existing solutions
Low-level Access Controls                                       | existing OS & applications
Architectural Complexity: Virtualization Components
[Diagram]

Architectural Complexity: Securing Virtualization within the IT Infrastructure

[Diagram: layered network architecture, outer to inner]
- External Untrusted Layer: Internet (ISP 1, ISP 2), B2B Extranet, ASP/MPS; Partners, Vendors and Sub-Contractors; McKesson CareBridge, CoLo’s and External Hosting; McK Remote Offices and McK Remote Sites via VPN Remote Access
- Edge Perimeter Zone and Core Edge Firewall Layer: edge routers and firewalls in front of the PCI DMZ and the McKIT Shared DMZ
- Infrastructure Distribution Layer and Network Core Layer (internal routers): PCI Internal Service Networks, CoLo Internal Service Network, McKIT Shared Service Network, ASP-MSP Internal Service Network, McKIT WAN-MPLS
- Management & Admin Network Zone: HyTrust Gateway in front of vCenter and vShield App / Edge / Endpoint; physical Management & Security Services (Directory Services, EKMDE, Patching, HP SA, SIEM)
- Internal Trusted Layer / Hypervisor Layer: ESXi Hosts 1…n, each with a Mgmt I/F, vNet Fabric and vSwitch1 (B.U.R.N), vSwitch2, vSwitch3 … vSwitchn; VM1…n carrying in-guest agents (Auth-LDAP, Crypto, Logs, Anti-Malware, Backup, Srvr Admin, Patch); vShield Endpoint via the vSafe 1.6 / vShield 1.6 API; vShield Edge
- Secure VMs services: Central Logging, Anti-virus, Backup & Recovery, Agent Virtualization, Key Management, IDS / IPS, DLP, Vulnerability Scan, Inventory
- Back-up/Restore Solution: VTL, De-Dup, Tape, VM Repository; VM Build and O/S Build
- Storage: DASD, SAN, NAS (NFS, iSCSI, SMB)
Implement & Integrate

Your Security Stack includes a number of components that may not immediately be recognized as security components. Hardware-based elements, virtual hardware and other virtual infrastructure pieces, middleware, OS, and the application all contribute to the overall security posture.
Deploy & Operationalize

Administrative roles involved:
- Application Administrator
- Security Administrator
- Storage Administrator
- Server Administrator
- Network Administrator
- Virtualization Administrator
McKesson SecureLab: NGDC Architecture

[Diagram: SecureLab virtual data centers (VCD) on ESXi]
- Developers & App Support work from physical desktops & laptops; their only path into SecureLab is a hardened View 5 VDI acting as a “bastion host”
- vShield App: VDI “group” to App access is allowed; all VDI instances are automatically firewalled from one another
- vShield Edge: Network Gateway and Secure Multi-tenancy
- Applications A, B, C and D each run as a partition of VDI, Web, MW (middleware) and DB tiers
- ESXi hosts use Trusted boot with Intel TPM/TXT
- Tenants shown: McKesson Imaging VDC and Horizon Clinicals VDC
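The vShield App rules on this slide, written out as a policy-as-code check. This is an added example, not McKesson’s, VMware’s or CA’s code: the rule format, the first-match/default-deny evaluation, the workload names (vdi-dev-01, appA-web, …) and the tier names are assumptions constructed for the illustration. It goes slightly beyond the slide by auditing an arbitrary inventory against the three isolation goals the slide states (VDI peers isolated, VDI reaches an application only through its web tier, tenants isolated), so a changed rule set shows exactly which goal it breaks.

```python
from dataclasses import dataclass
from itertools import permutations
from typing import List, Tuple


@dataclass(frozen=True)
class Workload:
    name: str    # constructed identifier for this example, e.g. "vdi-dev-01"
    tenant: str  # application partition ("appA", "appB") or the shared "vdi" pool
    tier: str    # one of "vdi", "web", "mw", "db"


@dataclass(frozen=True)
class Rule:
    src_tier: str
    dst_tier: str
    same_tenant: bool  # when True the rule only matches flows inside one application
    action: str        # "allow" or "deny"


# Ordered rule set modelled on the slide's vShield App statements; first match
# wins and anything unmatched falls through to the default deny in is_allowed().
POLICY: List[Rule] = [
    Rule("vdi", "vdi", same_tenant=False, action="deny"),   # VDI instances firewalled from one another
    Rule("vdi", "web", same_tenant=False, action="allow"),  # VDI "group" may reach an app's web tier
    Rule("web", "mw", same_tenant=True, action="allow"),    # web -> middleware within one app
    Rule("mw", "db", same_tenant=True, action="allow"),     # middleware -> database within one app
]


def is_allowed(src: Workload, dst: Workload) -> bool:
    """Evaluate one flow against POLICY with first-match, default-deny semantics."""
    if src == dst:
        return True  # loopback is not a flow the virtual firewall sees
    for rule in POLICY:
        if (rule.src_tier, rule.dst_tier) != (src.tier, dst.tier):
            continue
        if rule.same_tenant and src.tenant != dst.tenant:
            continue
        return rule.action == "allow"
    return False  # default deny


def audit(workloads: List[Workload]) -> List[Tuple[str, str, str]]:
    """Return every allowed flow that breaks one of the slide's isolation goals.

    Each entry is (violated goal, source name, destination name); an empty list
    means the policy enforces all three goals for this inventory.
    """
    findings = []
    for src, dst in permutations(workloads, 2):
        if not is_allowed(src, dst):
            continue
        if src.tier == "vdi" and dst.tier == "vdi":
            findings.append(("vdi-peer-isolation", src.name, dst.name))
        elif src.tier == "vdi" and dst.tier in ("mw", "db"):
            findings.append(("vdi-bastion-only-via-web", src.name, dst.name))
        elif "vdi" not in (src.tier, dst.tier) and src.tenant != dst.tenant:
            findings.append(("tenant-isolation", src.name, dst.name))
    return findings


def reachable_from(src: Workload, workloads: List[Workload]) -> List[str]:
    """Sorted names of the workloads this source may initiate connections to."""
    return sorted(w.name for w in workloads if w != src and is_allowed(src, w))


# Constructed inventory: two developer VDI instances and two application partitions.
INVENTORY = [
    Workload("vdi-dev-01", "vdi", "vdi"),
    Workload("vdi-dev-02", "vdi", "vdi"),
    Workload("appA-web", "appA", "web"), Workload("appA-mw", "appA", "mw"), Workload("appA-db", "appA", "db"),
    Workload("appB-web", "appB", "web"), Workload("appB-mw", "appB", "mw"), Workload("appB-db", "appB", "db"),
]

if __name__ == "__main__":
    for w in INVENTORY:
        print(f"{w.name:<11} -> {reachable_from(w, INVENTORY)}")
    print("violations:", audit(INVENTORY))
```

Running the block lists, per workload, what it can reach (each VDI sees only the two web tiers, each web tier only its own middleware, and so on) and an empty violation list; inserting an overly broad rule at the top of POLICY, for example allowing VDI straight to the database tier, makes audit() name the goal that rule defeats.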
McKesson SecureLab: NGDC Architecture (security services)

[Diagram: services around the SecureLab VDC; items marked “corporate service” are consumed as a corporate service]
- Symantec Data at Rest DLP: Data Discovery (corporate service)
- NESSUS / Tenable Security Center: Vulnerability assessment
- MSFT Secure File Transfer
- Vormetric Data Security Mgr: Encryption Policy & Key Management, operated by the Sec Admin
- McAfee EPO: End point protection, Antivirus, Data in Use DLP
- Code Green: Data In Motion DLP, Egress monitoring
- RSA enVision SIEM: Audit trail
- vShield App, Edge and Endpoint
- vCenter: Multi-Tenancy Management, Application Partition
- HyTrust: Role-Based Access Control, Privileged User Monitoring for the WDC vInfrastructure Admin
- Active Directory: AD domains, trusts, groups, roles, assignments (corporate service); One-way trust to the Dev AD Domain; Sys Admin Operations

Secure Data Repository – Conceptual Design
[Diagram]
SecureLab: Notional Design

[Diagram: End User (Developer) Desktop -> View 5 VDI (hardened) -> SecureLab VCD on ESXi]
- Virtual DC 1 and Virtual DC 2 host App A … App Z, each partitioned into vDI, Web, MW and DB tiers behind vShield Edge and vShield App; vShield App, Edge and Endpoint together with vCenter provide Multi-Tenancy Management and Application Partitioning
- Security services: Data Loss Prevention, Vulnerability Management, Encryption & Key Mgmt, End-Point Protection, Secure File Transfer, SIEM & Incident Response, Network Egress/Ingress Monitoring, Audit trail (Sec Admin)
- Administration: the Virtual Infrastructure Admin performs vSphere Administration through HyTrust (Role-Based Access Control, Privileged User Monitoring); Sys Admin Operations
- Identity & Access Mgt: Active Directory (AD domains, trusts, groups, roles, assignments) with a One-way trust to the Dev AD Domain
- ESXi hosts with INTEL TXT
Conclusion: Take-aways, Q&A

Key Take-Aways
- Extend Security Services to the Virtualization Infrastructure
  – especially Application Partitioning/Isolation!
  – rationalize the Hypervisor/Network vs. VM positioning
  – TRUST BUT VERIFY
- Ensure a reasonable Separation of Duties
  – prevent a single Rogue Actor from compromising data
  – protect the system from Privileged Users
  – LEAST PRIVILEGE
- Monitor, Log, Audit
  – Prevention is ideal, but Detection is critical!
  – Triggers the Response capabilities
  – DEFENSE IN DEPTH
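The take-aways above (separation of duties, protecting the system from privileged users, and detection that triggers response) together with the “virtualization administrator activity” blind spot from the Key Points, as detection logic run over a constructed audit trail. This is an added example and not code from the presentation or from any of the products it names: the JSON-lines record format, the role-to-action table (its roles are named after the Deploy & Operationalize slide), the action names, the vm_class and change_id fields and the burst threshold are all assumptions made for the illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed role model: each administrator role is limited to its own class of
# actions (least privilege), so an action outside the role is a separation-of-duties finding.
ROLE_ACTIONS: Dict[str, Set[str]] = {
    "virtualization_admin": {"vm.create", "vm.poweron", "vm.poweroff", "vm.migrate", "host.config"},
    "storage_admin": {"datastore.create", "datastore.extend"},
    "network_admin": {"vswitch.portgroup.add", "vswitch.portgroup.modify"},
    "security_admin": {"firewall.rule.add", "firewall.rule.delete"},
    "server_admin": {"vm.console.open", "vm.snapshot.create", "vm.disk.export"},
    "application_admin": {"vm.console.open"},
}
# Actions that can expose data inside a guest: the administrator-activity blind spot.
DATA_EXPOSING = {"vm.console.open", "vm.snapshot.create", "vm.disk.export"}
BURST_LIMIT = 3                       # this many data-exposing actions by one account ...
BURST_WINDOW = timedelta(minutes=10)  # ... inside this window produce a finding

# Constructed audit trail (JSON lines); not the output of any real product.
SAMPLE_LOG = """\
{"ts": "2013-04-22T09:00:00", "user": "vadmin1", "role": "virtualization_admin", "action": "vm.poweron", "target": "appA-web", "vm_class": "COMPANY"}
{"ts": "2013-04-22T09:05:00", "user": "vadmin1", "role": "virtualization_admin", "action": "vm.console.open", "target": "appA-db", "vm_class": "SENSITIVE"}
{"ts": "2013-04-22T09:06:00", "user": "sadmin1", "role": "server_admin", "action": "vm.snapshot.create", "target": "appA-db", "vm_class": "SENSITIVE", "change_id": "CHG-0001"}
{"ts": "2013-04-22T09:10:00", "user": "sadmin2", "role": "server_admin", "action": "vm.disk.export", "target": "appA-db", "vm_class": "SENSITIVE", "change_id": "CHG-0002"}
{"ts": "2013-04-22T09:12:00", "user": "sadmin2", "role": "server_admin", "action": "vm.disk.export", "target": "appB-db", "vm_class": "SENSITIVE", "change_id": "CHG-0002"}
{"ts": "2013-04-22T09:15:00", "user": "sadmin2", "role": "server_admin", "action": "vm.disk.export", "target": "appC-db", "vm_class": "SENSITIVE", "change_id": "CHG-0002"}
{"ts": "2013-04-22T09:20:00", "user": "netadmin1", "role": "network_admin", "action": "vswitch.portgroup.modify", "target": "vSwitch2", "vm_class": ""}
"""


def analyze(log_text: str) -> List[dict]:
    """Run the three checks over a JSON-lines audit trail and return the findings.

    Findings are dicts with at least "rule", "user" and "ts"; they are emitted in
    the chronological order of the events that produced them.
    """
    events, findings = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            # A record the SIEM cannot parse is a gap in the audit trail, so report it.
            findings.append({"rule": "unparseable-record", "user": None, "ts": None})

    recent: Dict[str, List[datetime]] = defaultdict(list)  # data-exposing timestamps per account
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])

        def flag(rule: str) -> None:
            findings.append({"rule": rule, "user": ev["user"], "ts": ev["ts"], "target": ev["target"]})

        # 1. Separation of duties: the action must belong to the account's role.
        if ev["action"] not in ROLE_ACTIONS.get(ev["role"], set()):
            flag("role-action-mismatch")
        if ev["action"] in DATA_EXPOSING:
            # 2. Data-exposing work on a SENSITIVE VM needs an approved change record.
            if ev.get("vm_class") == "SENSITIVE" and not ev.get("change_id"):
                flag("sensitive-vm-without-change-record")
            # 3. Burst of data-exposing actions by one account within BURST_WINDOW
            #    (a possible rogue actor); flagged once, when the threshold is reached.
            window = [t for t in recent[ev["user"]] if ts - t <= BURST_WINDOW] + [ts]
            recent[ev["user"]] = window
            if len(window) == BURST_LIMIT:
                flag("data-exposure-burst")
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings per rule, the shape a dashboard or alert routing would consume."""
    counts: Dict[str, int] = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
    print(summarize(analyze(SAMPLE_LOG)))
```

On the constructed log the virtualization administrator opening a console on a SENSITIVE database VM produces two findings (outside the role, and no change record), and the third disk export by sadmin2 within ten minutes produces the burst finding even though every export carried a change id; each finding is what would trigger the response capability named on the slide.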
Q&A
Recommended Sessions
Related Topics: Virtualization Security, Privileged User Mgmt

Session # | Title                                                                                                     | Date/Time
SA304SN   | Virtualization Security: How to Reduce Your Risk from the Hypervisor to Virtual Machines                  | 04/23/2013 at 10:00 AM
SA300SN   | CA ControlMinder Roadmap and Strategy: Managing Privileged Users in both Physical and Virtual Environments | 04/23/2013 at 2:30 PM
SA302SN   | PwC Point of View on Privileged User Management                                                           | 04/24/2013 at 11:15 AM

Related Technologies
Virtualization Security and Privileged User Management:
- Booth 502 – CA ControlMinder for Virtual Environments