VMware

January 12, 2012

vShield Automation

Automation is a powerful tool; with automation we can not only make our lives as administrators easier and less cumbersome, but also enable products to do things automagically that they never could do before.

This quote, which I really liked, can be attributed to VMware's very own Alan Renouf. Alan is somewhat of an automation genius here at VMware, putting together all kinds of cool scripts and workflows to do all kinds of neat stuff. Well, he has taken his skills and applied them to the vShield REST APIs, and has graciously made the work he has done available for all to leverage.

If you are interested in automating your vShield deployments through PowerShell, Alan has developed a PowerShell module that leverages the vShield REST APIs. It lets you do many things, from automating the deployment of vShield App and Edge appliances to updating policies and more.

He posted it here on his personal blog. He is planning a series of posts with more on what powerful operations you can perform with this module and how to do it, so if you are interested I would highly suggest you follow his blog more closely.

Rob Randell, CISSP - Principal CIM Architect - Security and Compliance Specialist


January 02, 2012

VMware CP&C announces major content release for VCM!

The VMware Center for Policy and Compliance (CP&C) is pleased to announce our latest content update for FISMA, GLBA, HIPAA, and SOX in vCenter Configuration Manager™ (VCM).

Based on DISA's last major release, we have now updated critical compliance requirements across several verticals.

How does this help you address your compliance needs?

The healthcare sector is a main area of focus for CP&C and VMware. With our updated templates, healthcare organizations can now leverage this content to prepare for upcoming audits in 2012. With these templates and VCM's automated patching solution, healthcare organizations that use HITRUST as a source of guidance will also be able to apply these new rules, dashboards and content to audit requirements. CP&C also updated the SOX, FISMA and GLBA templates, helping folks in the DoD, Federal Government and finance sectors with continuous compliance. VMware CP&C is also pleased to announce that we now cover the full spectrum of auditing settings for Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2.

What’s new in this package? DISA Platform support for:

  • Windows 2003 v6.1.22
  • Windows 2008 v6.1.15
  • Windows 2008 R2 v1 Release 1
  • Windows 7 v1.5
  • Windows Vista v6.1.22
  • Windows XP v6.1.22

Check out the HIPAA dashboard below, covering virtual, physical, Unix, Linux and Windows results! You can quickly determine where your non-compliant settings are and easily remediate them.

[Image: HIPAA dashboard (HIPAA.DB.1.2.11)]

Right-click to fix, or set an exception!

[Image: HIPAA remediation (HIPAA.Rem.1.2.12)]

Last but not least, audit settings!

[Image: DISA audit settings (Audit.DISA.1.2.11)]

How do you get the new content?
Customers wishing to harden their DISA, SOX, HIPAA, FISMA and GLBA environments can download the new content via the VCM Content Wizard.

Also, feel free to hit us up with questions & comments at:

Happy New Year from VMware & CP&C!

George Gerchow - VMware Director, Center for Policy & Compliance


December 09, 2011

Security in the New Virtualized World... The "Cloud"

Hi fellow security gurus... Ana Seijas from the Security & Compliance Specialist team here at VMware. I wanted to bring you up to speed on some exciting things happening with virtual security and get you started on the Virtual Security Journey...

It's been a few months since VMworld 2011, but security made a big splash there! So much so that I've been talking to a lot of customers about what they heard. With all the talk about cloud, virtual desktops and agility come new concerns for everyone about how we are going to secure things we can no longer see or touch.

I see the security industry as a whole as still very immature when it comes to understanding virtualization and how it can be used to provide agility, better processes, more control and overall better security.

I've been in security for well over 20 years, and although security, compliance and governance have become critical to organizations, little has been done to take advantage of the new agile infrastructures customers are building.

Every company out there has some virtualization, and IT as a whole is changing to support the Facebook generation. So IT has to move fast to provide the apps that customers want to consume instantly, while still meeting the security policies and requirements of so many regulations, keeping the hackers out and keeping the brand intact.

VMware has led the change in how we consume IT: servers, memory, storage and now desktops can all be virtualized. So what about security?

Well, I believe VMware is leading the way there as well. Last year at VMworld 2010, VMware announced the vShield suite of products and APIs and the beginning of a new way to consume security. In the last year, not only have the vShield products been enhanced, but third-party security vendors are now taking their products and not only making them virtualization-aware but also taking advantage of the automation that this new infrastructure provides. VMware has shaken up the security industry, and security vendors are hurrying to have the best products for the cloud era.

So what does that mean to customers, and specifically to the security teams in their organizations?

For most customers, security is sometimes an afterthought, a burden to maintain, inflexible, and the list goes on. Why not build security right into the platform and make it transparent by automating it? Security as a Service!

As customers begin to virtualize more of their Tier 1 apps, security is beginning to get more involved. As a security person, I urge other security practitioners to get on the virtualization journey and learn how to do better security through virtualization.

Let me give you the top advantages of virtualization and how they can help with security:

1. Built-in HA (High Availability) and FT (Fault Tolerance) for VMs, including VMs running third-party security solutions
2. Isolation in ESX and ESXi is built in by design, along with memory protection
3. Ability to automate disaster recovery with tools like SRM (Site Recovery Manager)
4. Ability to automatically move VMs exhibiting malicious activity to a quarantined area using the REST APIs available in vShield products
5. Ability to automate security processes with vCO (vCenter Orchestrator) plugins available for Active Directory, UCS, NetApp, SOAP and REST
6. Automated compliance using vCM (vCenter Configuration Manager) to continuously monitor and remediate both physical and virtual environments

At this year's VMworld, a slew of third-party security vendors were on hand showcasing their new virtualization-aware technologies, never mind the enormous number of backup and availability products.

McAfee, Symantec, Trend, BitDefender, Kaspersky, and Sophos all made announcements or showcased their support for vShield Endpoint and agentless AV.

Lumension is also using vShield Endpoint for their whitelisting and blacklisting product.

HyTrust, CA and Catbird all showcased virtualization-aware security and compliance tools.

Sourcefire, NetOptics, McAfee and HP TippingPoint are inspecting inter-VM traffic and showcasing network security solutions.

LogLogic, Splunk, and Envision showcased event management and correlation of vSphere events.

And the list continues to grow!  I suggest taking a look at these products that are bringing the same level of security to the virtual world.  Challenge the security vendors you have today to take the virtualization journey that the rest of your organization is on.


December 05, 2011

"Let's get out of the weeds"

As part of VMware's Security & Compliance Specialist team, we're brought in to speak about a very wide range of concepts, extending from CPU architecture all the way up to traditional tools like firewalls, IPSs, anti-virus, and many others. Usually there's some type of compliance question or concern driving the need to have a security conversation. And what most people don't explicitly realize is that a discussion about security, whether physical or computer, always distills down to a lowest common denominator: 'trust'.

The concept of trust is an interesting notion. Trust is usually a faith- or belief-based emotion, and the hope we hold for one another is that in matters of science and technology that trust is based upon empirical evidence and well-informed reasoning. So obviously education is often our best method of helping customers build that trust around our products.

Often the questions I receive are not about things like virtualized security products, like vShield, or the various APIs that have been developed. Instead the focus is most often on the vSphere platform itself. The reason is mainly a lack of accurate, sufficiently detailed information in the market. For several years VMware did a great job of building a secure architecture for vSphere but did not focus on advertising those design decisions, not because they weren't important but because it was not a topic our customers were expressing a need to discuss with us. Obviously, as customers move through their own unique virtualization journey and into Phase 2, Business Production, they are tackling security and compliance concerns around the more mission-critical applications and data that are beginning to be virtualized. Having these conversations is also a precursor to things that need to be resolved before a company invests in a private, public, or hybrid "cloud" solution, as it all relates back to how well a company can trust the technological controls that have been put in place.

Since I am so often asked questions about vSphere that tell me the asker does not trust vSphere, or any hypervisor platform, I frequently have a discussion on what I call "building a pyramid of trust". Like any structure, the foundation is the most important part, because without a well-formed base, in this case of knowledge, it is highly unlikely the pieces layered on top will be stable enough to support more layers. In my pyramid, the base consists of the core constructs of virtualization. These are the Core Isolation Principles that describe exactly how the hypervisor is designed to separate itself from the virtual machines and what keeps each VM separate from the others. Should these principles be violated, so would the isolation that the very definition of virtualization describes.

To help explain the core principles I break the functions of the hypervisor into four key areas: CPU, Memory, Storage, and Networking. Each of these describes a physical function that is abstracted into the VMs themselves. The ways in which this abstraction occurs are key to fully grasping how we've developed our platform from the ground up with security in mind. It shows in how we isolate specific CPU instructions, how our memory is layered, abstracted, and allocated, in the storage platform, and most importantly in the protections guarding against remote exploits and arbitrary code execution. All of these build the defense-in-depth techniques that layer security in a virtualized environment.

Many security practitioners have built their careers focusing on higher-level concepts of security, and their primary attention was never much directed to the physical hardware interfaces themselves, much in the same way that server admins were not familiar with centralized storage and networking when we taught them how to virtualize over the last 10+ years. We are helping security admins likewise break down their traditional barriers of understanding and come to understand all of these other disciplines in the context of their day-to-day activities.

The interesting part is the resistance we face in educating security teams about all of these technologies and helping to build their trust in the technology. The experience thus far has shown that the typical US corporation is full of cliché terminology, which we've known for years. Dilbert, The Office, and SNL have all made us laugh for hours at what we have become. Even with all this exposure to the ludicrousness of business clichés, I was taken aback a few weeks ago when an attendee at a meeting said we needed to "get out of the weeds". It was obvious from that one statement that this person was not able to see the foundation of the pyramid being built. They were not willing to connect the dots and see how the information being presented answered all of their questions. Instead, they were using preconceived notions founded on misinformation and FUD in the market, which limited their ability to absorb the material in an educational context.

I don't blame this person for their comment. In the day and age we live in, time is precious and things happen so quickly that it's hard to keep up with changes in business without sacrificing too much personal time. We're constantly being asked to make value judgments on which information is worthwhile to absorb vs. when it's time to move on. For some of us, our thread of patience is stretched to the breaking point already.

After a few days had passed, the meeting organizer came back to me and said how grateful they were to have had the conversation. They said the discussions sparked both during our meeting and in the days following have led to some very positive decisions, mostly because of the comment made by that one individual to "get out of the weeds". That was a key indicator to many other attendees that their co-worker was resistant to change and, to use another cliché, "unable to see the forest for the trees".

This is not an altogether unique situation for us. In fact, it's become the norm for our team to have initial education meetings followed a week or two later by another meeting to review the information again. The reason is that we've got to come back, reinforce and inspect that foundation of the pyramid so our audience fully builds their trust in our solution. We're having great success in this education endeavor and we look forward to meeting with you and your teams in the future.

--

Rob

Rob Babb is a Senior Systems Engineer on the Security and Compliance Specialist team at VMware.


November 23, 2011

Using the vShield API

One of VMware's senior Cloud Security Architects, Michael Haines, has started a multi-part blog series on using the vShield API. He has taken the approach of showing how the vShield API can be used in the daily life of a Network and Security Admin. In his words:

In this series of blogs the Network and Security System Administrator will get hands-on programming experience with the vShield API and learn how to consume the API in their own programs and applications. The Network and Security System Administrator does not need to be a developer, although basic programming concepts will help them understand the vShield API better.

He has already posted the Introduction, as well as Part 1 and Part 2.  To keep up with the rest of the series (and to learn more about cloud security), bookmark the VMware vCloud Blog.


November 03, 2011

Announcing General Availability of VCM 5.4.1 release

We are pleased to announce the general availability of vCenter Configuration Manager (VCM) 5.4.1, a key component of the vCenter Operations Management Suite. VCM has always detected all changes, even if they were made outside of the change management process. With this release we take a major step towards delivering integrated performance and configuration management by correlating configuration changes to performance events and non-compliant results. In addition, the new release also works together with the VMware Cloud Infrastructure Suite to discover and manage VMs that run in vCloud Director based cloud deployments.

Here are the major highlights of this release:

  • Integration with vCenter Operations Manager 5.0
    • The integration of VCM with vCenter Operations Manager enables IT operations to quickly identify health and performance issues that may be caused by configuration changes on the managed machines. It also provides launch-in-context into the change log in VCM, where you can remediate the changes.
  • Integration with vCloud Director
    • Using VCM, you can discover and manage virtual machines that are running in vCloud Director based clouds. This release supports VMs that are either directly connected (no NAT) or behind a 1:1 NAT configuration.
  • OS Provisioning Enhancements
    • Support for custom ISOs and Linux disk partition configuration
    • OS provisioning support for RHEL 5.6 and 6.0 (32 and 64-bit)
  • New Platforms Support
    • Managed Platforms Additions: ESX/ESXi 4.1 Update 1, ESXi 5.0, RHEL 5.6 and 6.0, Mac OS X 10.6
    • Collector Platform Support: Windows 2008 R2 SP1 & SQL Server 2008 R2 SP1
    • Installing VCM Server on a non-English operating system is also now supported. See release notes for more details on this.
  • Addition of the New Content Architecture (NCA) for UNIX & Linux Patching
    • UNIX and Linux patching has been updated to support NCA changes for assessment, deployment, repository synchronization, and content downloading and importing.
  • New and updated compliance content to support the following standards:
    • vSphere 4.x Hardening Guidelines
    • PCI 2.0
    • Basel III

Check out more details about this release:

To close out, here's a quick screenshot from vCenter Operations Manager 5.0 showing correlation with vCenter Configuration Manager change events. You can click on these events to launch VCM in context to quickly understand and remediate performance issues arising from configuration changes and non-compliant results. After all, it is usually changes that are at the root of compliance deviation.

[Image: vCenter Operations Manager 5.0 correlating VCM change events (VCOPS&vCM.11.2.11)]


October 16, 2011

VMware's Center for Policy & Compliance is pleased to announce the release of Basel III content for vCenter Configuration Manager™ (VCM).

Hej, virtualization Nerds, 

Like Danish Dynamite, we are going to blow it up this week at VMworld Copenhagen! 

IT Control Objectives for Basel III provides a framework for managing operational and information risk and extends the VMware content family that is used to achieve a Trusted vCloud solution.

These deep technical rules will help reduce time to audit by providing immediate analysis through compliance assessment, automated remediation and evidence-based verification.

Platforms covered include:

  • ESX, ESXi, vCenter
  • Guest Windows & Linux
  • Non-x86: AIX, HP-UX

Center for Policy & Compliance (CP&C) built the out-of-the-box Basel III rules by cross-referencing ISO standards and leveraging the CobiT framework.

Here is a comprehensive, heterogeneous Basel III dashboard example from vCM.

[Image: Basel III dashboard]


Basel III sample rule violations and remediation:

[Image: Basel III rules]

We also started accounting for enhancements in Windows Server 2008 R2 and Windows 7 that allow administrators to connect business rules and audit policies within the vCM Compliance Engine.

Look for more EMEA-based content in the future from CP&C, along with free tools like Basel III and PCI 2.0 compliance checkers.

Peace Out or fred ud!

George Gerchow - VMware Director, Center for Policy & Compliance


September 16, 2011

CP&C Releases vCM PCI 2.0 Content, Combine this with vShield & WOW!

The VMware Center for Policy and Compliance is pleased to announce our latest content update for PCI 2.0 in vCenter Configuration Manager™ (VCM).

PCI 2.0 is right around the corner in 2012, and many of you should have been preparing for these audits yesterday!

Are any of you starting to prep for PCI 2.0? Please share your concerns; we want to help! Get CP&C in touch with your QSA.

Here is a sample of what has changed, for more information check out the PCI DSS v2 Summary of Changes doc.

Scope of Assessment for Compliance with PCI DSS Requirements

  • Added “virtualization components” to the definition of “system components.”  

Network Segmentation

  • Added clarifications, including that segmentation may be achieved through physical or logical means.

What’s new in this package? Platform support for:

  • Windows 7
  • Windows Vista
  • Windows XP
  • Windows 2003
  • Windows 2008
  • vSphere/ESX
  • UNIX & Linux

How does this help you address your compliance needs?

This is at the core of what VMware offers as part of our Trusted Cloud Solution. At VMworld, we announced our PCI self-healing virtual environment around the CDE (cardholder data environment) and auto-segmentation of VMs based upon data, defining relationships to those VMs and continually applying policy & remediation to the entire environment. The combination of vCM, vShield & VIN makes for a compliance solution that is unmatched in the market and works for other use cases like HIPAA. (See diagram below.)

[Image: Self-healing PCI environment diagram]

How do you get the new content?
Customers wishing to harden their PCI 2.0 environment can download the new content via the VCM Content Wizard.

Be on the lookout for a free PCI 2.0 checker to be released by CP&C later this year!

Also, feel free to hit us up at:

Adios,
George Gerchow - VMware Director, Center for Policy & Compliance


September 15, 2011

What is more Secure, Virtual or Physical Environments?

All week, we have been chatting back and forth about Mixed Mode, PCI and general questions about what is more secure, virtual or physical environments?

Yesterday I got into a swell conversation during a podcast on this very topic. What is your opinion? Let me have it! 

I would argue that the only way to keep a physical environment totally secure is UPNC (Unplugged Network Cable).

Earlier this week things got a bit heated on Facebook, Twitter and this blog when I said “Mixed Mode” is ok for PCI. 

How is this for timing: 

CESG and VMware Deliver Trusted Platform for Hosting Multi-Level Environments

CESG, the UK National Technical Authority for Information Assurance, and VMware announced that VMware vSphere 4.0 has successfully completed a CESG assessment. It is now possible to host virtual machines from different impact levels on the same platform, up to Business Impact Level 3. 

http://www.cesg.gov.uk/news/docs_pdfs/cesg-vmware_joint-statement14-09-11.pdf 

Mixed Mode is not limited to virtual environments; we have been running multiple apps, DBs and business services on physical machines since the last time the Cubs won the World Series.

Well, maybe somewhere between then and when the Bears last won the Super Bowl.

Seriously, security is usually blind in physical environments: we run VA (vulnerability assessment) tools that only work within broadcast domains. And BTW, how much info can you get from a physical system that is powered off?

In case you have not guessed, the answer is ZERO.

How acceptable is that? Not very in my book. 

Is this the case in Virtual Environments? Check out this use case around the OVF Standard and tell me what your thoughts are: 

http://www.flyingpenguin.com/

Basically, in some cases the metadata that I can get from the virtual infrastructure makes it more secure than physical, especially when it comes to dormant, suspended or offline systems.

As per usual, forgive my ESL expressions; maybe I should blog in Spanish instead of Spanglish.

Gotta bounce for now but give us a holla at: 


September 14, 2011

Is Healthcare Ready for the Cloud?

Healthcare peeps, HIPAA/HITECH has teeth, and the fines handed out this year are HUGE.

The best example is Cignet Health Center, a group of clinics based in Prince George's County, Md., that operates a health plan; it was fined $4.3 million for failing to turn over medical records to patients who requested them and failing to cooperate with the HHS probe (Feb 2011).

http://www.ama-assn.org/amednews/2011/03/07/bisb0307.htm 

For my friends in EMEA, you're having issues around PHI as well. The NHS lost unencrypted devices with patient records.

http://www.itpro.co.uk/634225/nhs-laptop-with-8-6-million-medical-records-missing

Finally, for those of you who are obsessed with Celebrities, don’t let that spill over into your job! Personally, I could care less about what Miley Cyrus is doing next, but some people just can’t help themselves.

"The University of California at Los Angeles Health Services has agreed to pay an $865,000 fine and pledged to tweak their infrastructure after potentially violating the HIPAA regulation when several employees apparently accessed the health records of various celebrity patients at the hospital without valid justification."

http://thunderfeeds.com/reader/news/ucla-hospital-hit-with-hipaa-fine-on-celeb-records 

So, if Healthcare IT shops can’t cut it when it comes to protecting PHI, or meaningful use around EHR, should the business turn to the Cloud? 

From what I can see, part of the problem is that some old legacy healthcare apps cannot run on x86 and do not support virtualization.

So, maybe a few things need to happen:

  • Assess the risk of apps that can no longer be maintained and will not meet compliance standards, versus the ease of migrating at least the front end of the legacy systems to a virtual platform.
  • There are a ton of healthcare apps that are cloud-ready and work on mobile devices.
    • http://www.readwriteweb.com/cloud/2010/11/3-mobile-healthcare-apps-that.php
    • Approximately 60% of all doctors today use iPads or similar devices (IDC).
  • VMware has the infrastructure to support those apps and allow IT shops to build private cloud services that can be moved to public providers during periods of high demand.
    • And ported back, of course.
  • Some small healthcare organizations are moving their services and patient data to cloud providers like NaviSite.
    • http://www.informationweek.com/news/healthcare/EMR/231601342
    • BTW: a lot of these orgs are adopting HITRUST as a certification process to meet HIPAA/HITECH compliance.

The main concern is trust: will large healthcare organizations "trust" cloud providers with medical records?

My guess is yes, they will in time. At VMware we are working on Trusted Cloud Solutions with other vendors to build an ecosystem that will let consumers move their workloads with confidence to the cloud. The key will be whether the providers will allow the consumers to validate that "trust". The consumer holds the power, as my colleague and active QSA Davi Ottenheimer says: "If a service provider refuses to give you the log services or compliance support you need, it may be time to find another provider."

When it comes to healthcare, yes, the complexity of how regulated the vertical is when it comes to compliance could make it difficult for a provider to offer those services. However, if we are really going to make the journey to the cloud, providers need to bake cost-efficient security & compliance solutions for consumers into their offering and open the kimono to let the consumer validate what is happening with their assets.

We would love to get your feedback on the comments above, hit us up here or: 

As usual, please forgive me for any spelling and grammar errors. Spanish is my first language and like the rest of us, I am still learning.  

Peace out…


About this Blog

Latest highlights from the VMware virtualization and cloud security team.
