ebook img

FEHC 3.5 Security Management Solution Guide PDF

95 Pages·2016·3.89 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview FEHC 3.5 Security Management Solution Guide

This solution guide provides information about the features and configuration options available for securing system operations for a hybrid cloud. The guide explains why, when, and how to use these security features. February 2016 Copyright © 2016 EMC Corporation. All rights reserved. Published in the USA. Published February 2016 EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. The information in this publication is provided as is. EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. 2 EMC , EMC, Avamar, Data D omain, Data Protection Advisor, Isilon, PowerPath , EMC RecoverPoint, ScaleIO, Symmetrix , Unis phere, ViPR, VMAX, VPLEX, VNX, XtremIO, and the EMC logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries . All other trademarks used herein are the property of their respective owners. For the most up - to - date listing of EMC product names, see EMC Corporation Trademarks on EMC.com . Federation Enterprise Hybrid Cloud 3.5 Security Management Solution Guide Part Number H14699 2 Contents Chapter 1 Executive Summary 5 Federation solutions ............................................................................................ 6 Document purpose .............................................................................................. 6 Audience ............................................................................................................ 6 Essential reading ................................................................................................ 6 Cloud security challenges ..................................................................................... 6 Federation product security approach .................................................................... 7 Technology solution............................................................................................. 8 Terminology ....................................................................................................... 8 We value your feedback! ...................................................................................... 9 Chapter 2 Public Key Infrastructure 10 Overview .......................................................................................................... 11 Enterprise PKI architecture .................................................................................. 11 Enterprise PKI solution integration ....................................................................... 13 Summary .......................................................................................................... 15 Chapter 3 Converged Authentication 16 Security and authentication ................................................................................. 17 Active Directory integration ................................................................................. 19 VMware Platform Services Controller .................................................................... 19 TACACS+ authentication integration ..................................................................... 20 Summary .......................................................................................................... 20 Chapter 4 Centralized Log Management 22 Overview .......................................................................................................... 23 VMware vRealize Log Insight remote syslog architecture ......................................... 25 Centralized logging integration ............................................................................ 26 Content packs for VMware vRealize Log Insight ..................................................... 28 Configuring alerts .............................................................................................. 29 Summary .......................................................................................................... 32 Chapter 5 Network Security 33 Overview .......................................................................................................... 34 Solution architecture .......................................................................................... 34 VMware NSX for vSphere .................................................................................... 40 VMware NSX for vSphere extensibility with Palo Alto Networks firewalls .................... 42 VMware NSX firewall policy creation ..................................................................... 43 N-tier application considerations .......................................................................... 43 Use case 1: On-demand micro segmentation with security tags ............................... 45 Use case 2: Micro-segmentation with N-tier virtual applications ............................... 47 Use case 3: Micro-segmentation with converged N-tier virtual applications ................ 50 3 Contents Use case 4: Micro-segmentation with App Isolation for component machines ............. 50 Summary .......................................................................................................... 51 Chapter 6 Configuration Management 52 Overview .......................................................................................................... 53 VMware vCenter Server host profiles .................................................................... 53 VMware vSphere Update Manager ........................................................................ 55 VMware vRealize Configuration Manager ............................................................... 60 Use case 1: Configuring a custom compliance standard .......................................... 63 Use case 2: Applying exceptions to compliance templates ....................................... 65 Summary .......................................................................................................... 66 Chapter 7 Multitenancy 67 Overview .......................................................................................................... 68 Secure separation .............................................................................................. 68 Role-based access control ................................................................................... 70 Summary .......................................................................................................... 72 Chapter 8 Data Security 73 Overview .......................................................................................................... 74 CloudLink SecureVM ........................................................................................... 74 Policy-based management .................................................................................. 74 Integration with the service catalog ...................................................................... 76 Use case 1: Encrypting new workloads ................................................................. 76 Use case 2: Encrypting an existing live workload ................................................... 77 Chapter 9 Conclusion 79 Summary .......................................................................................................... 80 Chapter 10 References 81 Federation Enterprise Hybrid Cloud documentation ................................................. 82 Federation Enterprise Hybrid Cloud security documentation ..................................... 82 Other documentation .......................................................................................... 83 Appendix A Federation Enterprise Hybrid Cloud Security Data 85 Security data ..................................................................................................... 86 4 Chapter 1: Executive Summary This chapter presents the following topics: Federation solutions ............................................................................................ 6 Document purpose .............................................................................................. 6 Audience ............................................................................................................ 6 Essential reading ................................................................................................ 6 Cloud security challenges ..................................................................................... 6 Federation product security approach .................................................................... 7 Technology solution............................................................................................. 8 Terminology ....................................................................................................... 8 5 Chapter 1: Executive Summary EMC II, Pivotal, RSA, VCE, Virtustream, and VMware form a unique Federation of strategically aligned businesses that are free to execute individually or together. The EMC Federation businesses collaborate to research, develop, and validate superior, integrated solutions and deliver a seamless experience to our collective customers. The Federation provides customer solutions and choice for the software-defined enterprise and the emerging third platform of mobile, cloud, big data, and social networking. The Federation Enterprise Hybrid Cloud 3.5 solution is a completely virtualized data center, fully automated by software. The solution starts with a foundation that delivers IT as a service (ITaaS). Optional cloud services for database as a service, platform as a service, and cloud brokering can be added to ITaaS to enhance the solution. There are also options to implement high availability, data recovery, and backup and recovery services. This solution guide provides information about the features and configuration options that are available for securing system operations in an on-premises implementation of the Federation Enterprise Hybrid Cloud 3.5 solution. It explains why, when, and how to use these security features. This solution guide is part of the Federation Enterprise Hybrid Cloud solution documentation set and is intended for security architects, practitioners, and administrators responsible for the overall configuration and operation of the solution. Readers should be familiar with the ® VMware vRealize Suite, storage technologies, hybrid cloud infrastructure, and general IT functions. The following documents describe the architecture, components, features, and functionality of the Federation Enterprise Hybrid Cloud 3.5 solution:  Federation Enterprise Hybrid Cloud 3.5 Concepts and Architecture Guide  Federation Enterprise Hybrid Cloud 3.5 Administration Guide  Federation Enterprise Hybrid Cloud 3.5 Infrastructure and Operations Management Guide  Federation Enterprise Hybrid Cloud 3.5 Reference Architecture Guide Table 2 in Chapter 10 lists publications that are related to understanding Federation Enterprise Hybrid Cloud security. Chapter 10 also lists relevant documentation. While many organizations have successfully introduced virtualization as a core technology within their data center, end users and business units within the organizations have not experienced many of the benefits of cloud computing such as increased agility, mobility, and control. Many organizations are now under pressure to provide secure and compliant cloud services to deliver these cloud computing benefits to their consumers. As a result, IT departments need to create cost-effective alternatives to public cloud services, alternatives that do not compromise enterprise security and features such as data protection, disaster recovery, and guaranteed service levels. 6 Chapter 1: Executive Summary Potential security threats must be addressed for organizations to maintain or improve their security posture while enabling the business to continue to operate. In a cloud environment, these threats must be addressed at both the underlying infrastructure and virtualized workload levels. The cloud infrastructure can be protected with restricted administration- level access, integration with authentication, logging, and monitoring systems, and system hardening in case of attack. As virtualized applications are commonly available to end users across the traditional enterprise perimeter, these applications and their consumers are potential threat vectors. Web application vulnerabilities, OS configuration errors, and missing patches are still possibilities with virtualized workloads. However, cloud security technologies provide controls to protect against these vulnerabilities; they also offer enhanced workload containerization, which can limit the potential exposure of a successful attack and keep an attacker from infiltrating other systems in the environment. The Federation Enterprise Hybrid Cloud implements a variety of security features to control user and network access, monitor system access and use, and support the transmission of encrypted data. The security features related to the Federation Enterprise Hybrid Cloud are ® implemented on the EMC and VMware systems and services that constitute the solution and include the following:  Public key infrastructure integration  Converged authentication  Centralized log management  Security configuration management  Secure multitenancy  Data security An increasingly interconnected world has created growth opportunities that are accelerating with the rise of hybrid clouds. Organizations can now deploy information infrastructures more quickly and run them with greater efficiency, control, and choice. These advances foster business agility and connectivity, but they also create pervasive dependencies among computing components that make problems and vulnerabilities difficult to contain. Complex, interconnected electronic systems inevitably have software bugs and vulnerabilities. Even a “perfect” product can develop problems through linkages to flawed partner products or to subsequent changes in the technology environment that create new exposures. The Federation meets these product security challenges by applying industry best practices, as well as a flexible and standardized approach to prioritizing security throughout the product lifecycle, from inception through sustainment. Trusted IT requires that products are developed so that the risks of vulnerabilities are minimized, and flaws that surface are assessed and resolved as quickly as possible. This end-to-end process is designed to protect customers and to provide what customers need to enable protection. The Federation believes that industry collaboration is invaluable for product security. Every company has something to teach and much to learn. Industry collaboration on product security has enabled Federation companies to help shape and quickly adopt best practices that raise everyone’s level of trust in technology. The Federation is committed to comprehensive product security programs that are built-in, transparent, and trustworthy. For more information about the EMC product security approach, refer to www.emc.com/security. For more information about the VMware product security approach, refer to www.vmware.com/security. 7 Chapter 1: Executive Summary The Federation Enterprise Hybrid Cloud solution integrates the best of EMC and VMware products and services. It empowers IT organizations to accelerate implementation and adoption of a hybrid cloud while still enabling customer choice for the compute and networking infrastructures within the data center. The solution caters both to customers who want to preserve their investment and make better use of their existing infrastructure and to customers who want to build new infrastructures that are dedicated to a hybrid cloud. The transition from either a physical or a partially virtualized infrastructure to a full hybrid cloud enables a transformative approach to providing security. While many of the same threats to physical environments still exist in the hybrid cloud model, there are new ways to mitigate those threats by using the powerful capabilities of the Federation Enterprise Hybrid Cloud. Network segments and boundaries become fluid because switches, routers, and load balancers can be provisioned as needed to ensure that dynamically changing environments remain secure, no longer dependent on hardware procurement or provisioning. The traditional use of firewalls in North-South network traffic can easily be extended to enforce restrictions on East-West traffic as well. This enables true micro-segmentation of applications, application sub-tiers (web, middleware, and database), and application environments (development, test/QA, and production). Newly provisioned virtual machines can inherit security postures based on their role. Host-based security controls can run as hypervisor kernel-level processes, allowing virtual machines to consume these services without requiring additional software to be installed in every guest virtual machine. This solution takes advantage of the strong integration between EMC technologies and the VMware vRealize Suite. The solution, developed by EMC and VMware product and services teams, includes EMC scalable storage arrays and data protection suites, integrated EMC and VMware monitoring, and VMware software-defined networking and security to provide the foundation for cloud services within customer environments. Table 1 lists the terminology used in the guide. Table 1. Terminology Term Definition CRL Certificate Revocation List—contains a list of serial numbers for revoked certificates ® DFW VMware NSX Distributed Firewall DLR VMware NSX Distributed Logical Router ESR VMware NSX Edge Services Router STS Security Token Service—a VMware vCenter™ Single Sign-On authentication interface VA An abbreviation for virtual appliance used in diagrams in this guide ® vRCM An abbreviation for VMware vRealize Configuration Manager™ used in diagrams in this guide ® VRO An abbreviation for VMware vRealize Orchestrator™ used in diagrams in this guide ® vRA An abbreviation for VMware vRealize Automation™ used in diagrams in this guide 8 Chapter 1: Executive Summary Term Definition ® vR Ops An abbreviation for VMware vRealize Operations Manager ™ used in diagrams in this guide vRealize Automation A specification for a virtual, cloud, or physical machine that is blueprint published as a catalog item in the vRealize Automation service catalog vRealize Automation A set of users, often corresponding to a line of business, business group department, or other organizational unit (OU), that can be associated with a set of catalog services and infrastructure resources vRealize Automation fabric A collection of virtualization compute resources and cloud group endpoints that is managed by one or more vRealize Automation fabric administrators EMC and the authors of this document welcome your feedback on the solution and the solution documentation. Contact Chapter 2: Public Key Infrastructure This chapter presents the following topics: Overview .......................................................................................................... 11 Enterprise PKI architecture .................................................................................. 11 Enterprise PKI solution integration ....................................................................... 13 Summary .......................................................................................................... 15 10

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.