This solution guide provides information about the features and configuration
options available for securing system operations for a hybrid cloud. The guide
explains why, when, and how to use these security features.
February 2016
Copyright © 2016 EMC Corporation. All rights reserved. Published in the USA.
Published February 2016
EMC believes the information in this publication is accurate as of its publication date. The information is subject to
change without notice.
The information in this publication is provided as is. EMC Corporation makes no representations or warranties of any
kind with respect to the information in this publication, and specifically disclaims implied warranties of
merchantability or fitness for a particular purpose. Use, copying, and distribution of any EMC software described in
this publication requires an applicable software license.
EMC², EMC, Avamar, Data Domain, Data Protection Advisor, Isilon, PowerPath, EMC RecoverPoint, ScaleIO,
Symmetrix, Unisphere, ViPR, VMAX, VPLEX, VNX, XtremIO, and the EMC logo are registered trademarks or
trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the
property of their respective owners.
For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.
Federation Enterprise Hybrid Cloud 3.5 Security Management
Solution Guide
Part Number H14699
Contents
Chapter 1 Executive Summary 5
Federation solutions ............................................................................................ 6
Document purpose .............................................................................................. 6
Audience ............................................................................................................ 6
Essential reading ................................................................................................ 6
Cloud security challenges ..................................................................................... 6
Federation product security approach .................................................................... 7
Technology solution............................................................................................. 8
Terminology ....................................................................................................... 8
We value your feedback! ...................................................................................... 9
Chapter 2 Public Key Infrastructure 10
Overview .......................................................................................................... 11
Enterprise PKI architecture .................................................................................. 11
Enterprise PKI solution integration ....................................................................... 13
Summary .......................................................................................................... 15
Chapter 3 Converged Authentication 16
Security and authentication ................................................................................. 17
Active Directory integration ................................................................................. 19
VMware Platform Services Controller .................................................................... 19
TACACS+ authentication integration ..................................................................... 20
Summary .......................................................................................................... 20
Chapter 4 Centralized Log Management 22
Overview .......................................................................................................... 23
VMware vRealize Log Insight remote syslog architecture ......................................... 25
Centralized logging integration ............................................................................ 26
Content packs for VMware vRealize Log Insight ..................................................... 28
Configuring alerts .............................................................................................. 29
Summary .......................................................................................................... 32
Chapter 5 Network Security 33
Overview .......................................................................................................... 34
Solution architecture .......................................................................................... 34
VMware NSX for vSphere .................................................................................... 40
VMware NSX for vSphere extensibility with Palo Alto Networks firewalls .................... 42
VMware NSX firewall policy creation ..................................................................... 43
N-tier application considerations .......................................................................... 43
Use case 1: On-demand micro segmentation with security tags ............................... 45
Use case 2: Micro-segmentation with N-tier virtual applications ............................... 47
Use case 3: Micro-segmentation with converged N-tier virtual applications ................ 50
Use case 4: Micro-segmentation with App Isolation for component machines ............. 50
Summary .......................................................................................................... 51
Chapter 6 Configuration Management 52
Overview .......................................................................................................... 53
VMware vCenter Server host profiles .................................................................... 53
VMware vSphere Update Manager ........................................................................ 55
VMware vRealize Configuration Manager ............................................................... 60
Use case 1: Configuring a custom compliance standard .......................................... 63
Use case 2: Applying exceptions to compliance templates ....................................... 65
Summary .......................................................................................................... 66
Chapter 7 Multitenancy 67
Overview .......................................................................................................... 68
Secure separation .............................................................................................. 68
Role-based access control ................................................................................... 70
Summary .......................................................................................................... 72
Chapter 8 Data Security 73
Overview .......................................................................................................... 74
CloudLink SecureVM ........................................................................................... 74
Policy-based management .................................................................................. 74
Integration with the service catalog ...................................................................... 76
Use case 1: Encrypting new workloads ................................................................. 76
Use case 2: Encrypting an existing live workload ................................................... 77
Chapter 9 Conclusion 79
Summary .......................................................................................................... 80
Chapter 10 References 81
Federation Enterprise Hybrid Cloud documentation ................................................. 82
Federation Enterprise Hybrid Cloud security documentation ..................................... 82
Other documentation .......................................................................................... 83
Appendix A Federation Enterprise Hybrid Cloud Security Data 85
Security data ..................................................................................................... 86
Chapter 1: Executive Summary
This chapter presents the following topics:
Federation solutions ............................................................................................ 6
Document purpose .............................................................................................. 6
Audience ............................................................................................................ 6
Essential reading ................................................................................................ 6
Cloud security challenges ..................................................................................... 6
Federation product security approach .................................................................... 7
Technology solution............................................................................................. 8
Terminology ....................................................................................................... 8
Federation solutions
EMC II, Pivotal, RSA, VCE, Virtustream, and VMware form a unique Federation of
strategically aligned businesses that are free to execute individually or together. The EMC
Federation businesses collaborate to research, develop, and validate superior, integrated
solutions and deliver a seamless experience to our collective customers. The Federation
provides customer solutions and choice for the software-defined enterprise and the
emerging third platform of mobile, cloud, big data, and social networking.
The Federation Enterprise Hybrid Cloud 3.5 solution is a completely virtualized data center,
fully automated by software. The solution starts with a foundation that delivers IT as a
service (ITaaS). Optional cloud services for database as a service, platform as a service, and
cloud brokering can be added to ITaaS to enhance the solution. There are also options to
implement high availability, data recovery, and backup and recovery services.
Document purpose
This solution guide provides information about the features and configuration options that
are available for securing system operations in an on-premises implementation of the
Federation Enterprise Hybrid Cloud 3.5 solution. It explains why, when, and how to use
these security features.
Audience
This solution guide is part of the Federation Enterprise Hybrid Cloud solution documentation
set and is intended for security architects, practitioners, and administrators responsible for
the overall configuration and operation of the solution. Readers should be familiar with the
VMware vRealize Suite, storage technologies, hybrid cloud infrastructure, and general IT
functions.
Essential reading
The following documents describe the architecture, components, features, and functionality
of the Federation Enterprise Hybrid Cloud 3.5 solution:
Federation Enterprise Hybrid Cloud 3.5 Concepts and Architecture Guide
Federation Enterprise Hybrid Cloud 3.5 Administration Guide
Federation Enterprise Hybrid Cloud 3.5 Infrastructure and Operations Management Guide
Federation Enterprise Hybrid Cloud 3.5 Reference Architecture Guide
Table 2 in Chapter 10 lists publications that are related to understanding Federation
Enterprise Hybrid Cloud security. Chapter 10 also lists relevant documentation.
Cloud security challenges
While many organizations have successfully introduced virtualization as a core technology
within their data center, end users and business units within the organizations have not
experienced many of the benefits of cloud computing such as increased agility, mobility, and
control. Many organizations are now under pressure to provide secure and compliant cloud
services to deliver these cloud computing benefits to their consumers. As a result, IT
departments need to create cost-effective alternatives to public cloud services, alternatives
that do not compromise enterprise security and features such as data protection, disaster
recovery, and guaranteed service levels.
Potential security threats must be addressed for organizations to maintain or improve their
security posture while enabling the business to continue to operate. In a cloud environment,
these threats must be addressed at both the underlying infrastructure and virtualized
workload levels. The cloud infrastructure can be protected with restricted administration-
level access, integration with authentication, logging, and monitoring systems, and system
hardening in case of attack. As virtualized applications are commonly available to end users
across the traditional enterprise perimeter, these applications and their consumers are
potential threat vectors.
Web application vulnerabilities, OS configuration errors, and missing patches are still
possibilities with virtualized workloads. However, cloud security technologies provide
controls to protect against these vulnerabilities; they also offer enhanced workload
containerization, which can limit the potential exposure of a successful attack and keep an
attacker from infiltrating other systems in the environment.
The Federation Enterprise Hybrid Cloud implements a variety of security features to control
user and network access, monitor system access and use, and support the transmission of
encrypted data. The security features related to the Federation Enterprise Hybrid Cloud are
implemented on the EMC and VMware systems and services that constitute the solution
and include the following:
Public key infrastructure integration
Converged authentication
Centralized log management
Security configuration management
Secure multitenancy
Data security
Federation product security approach
An increasingly interconnected world has created growth opportunities that are accelerating
with the rise of hybrid clouds. Organizations can now deploy information infrastructures
more quickly and run them with greater efficiency, control, and choice. These advances
foster business agility and connectivity, but they also create pervasive dependencies among
computing components that make problems and vulnerabilities difficult to contain. Complex,
interconnected electronic systems inevitably have software bugs and vulnerabilities. Even a
“perfect” product can develop problems through linkages to flawed partner products or to
subsequent changes in the technology environment that create new exposures.
The Federation meets these product security challenges by applying industry best practices,
as well as a flexible and standardized approach to prioritizing security throughout the
product lifecycle, from inception through sustainment. Trusted IT requires that products are
developed so that the risks of vulnerabilities are minimized, and flaws that surface are
assessed and resolved as quickly as possible. This end-to-end process is designed to protect
customers and to provide what customers need to enable protection.
The Federation believes that industry collaboration is invaluable for product security. Every
company has something to teach and much to learn. Industry collaboration on product
security has enabled Federation companies to help shape and quickly adopt best practices
that raise everyone’s level of trust in technology. The Federation is committed to
comprehensive product security programs that are built-in, transparent, and trustworthy.
For more information about the EMC product security approach, refer to
www.emc.com/security. For more information about the VMware product security approach,
refer to www.vmware.com/security.
Technology solution
The Federation Enterprise Hybrid Cloud solution integrates the best of EMC and VMware
products and services. It empowers IT organizations to accelerate implementation and
adoption of a hybrid cloud while still enabling customer choice for the compute and
networking infrastructures within the data center. The solution caters both to customers who
want to preserve their investment and make better use of their existing infrastructure and
to customers who want to build new infrastructures that are dedicated to a hybrid cloud.
The transition from either a physical or a partially virtualized infrastructure to a full hybrid
cloud enables a transformative approach to providing security. While many of the same
threats to physical environments still exist in the hybrid cloud model, there are new ways to
mitigate those threats by using the powerful capabilities of the Federation Enterprise Hybrid
Cloud. Network segments and boundaries become fluid because switches, routers, and load
balancers can be provisioned as needed to ensure that dynamically changing environments
remain secure, no longer dependent on hardware procurement or provisioning.
The traditional use of firewalls in North-South network traffic can easily be extended to
enforce restrictions on East-West traffic as well. This enables true micro-segmentation of
applications, application sub-tiers (web, middleware, and database), and application
environments (development, test/QA, and production). Newly provisioned virtual machines
can inherit security postures based on their role. Host-based security controls can run as
hypervisor kernel-level processes, allowing virtual machines to consume these services
without requiring additional software to be installed in every guest virtual machine.
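The micro-segmentation model described above (East-West rules keyed on application sub-tier and environment, with newly provisioned machines inheriting their posture from their role) can be illustrated with a small policy evaluator. This is an added example written for this guide's text, not code from the EMC or VMware products, and it does not use any NSX API; the tier names, environment names, VM names, ports and rules are all constructed sample values.

```python
# Added illustration, not code from the EMC/VMware solution guide: a small model of
# role-based micro-segmentation for East-West traffic between application sub-tiers.
# All VM names, tiers, environments, ports and rules below are constructed sample values.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VM:
    """A provisioned virtual machine carrying the tags it inherits from its role."""
    name: str
    tier: str  # application sub-tier: "web", "middleware" or "database"
    env: str   # application environment: "dev", "test" or "prod"


@dataclass(frozen=True)
class Rule:
    """One allow rule keyed on source tier, destination tier and destination port."""
    src_tier: str
    dst_tier: str
    dst_port: int
    same_env_only: bool = True  # dev/test must never reach prod, and vice versa


# Constructed policy: only the expected hops between sub-tiers are permitted.
# Anything not listed here falls through to the default deny in evaluate().
POLICY: List[Rule] = [
    Rule("web", "middleware", 8080),
    Rule("middleware", "database", 5432),
]

VALID_TIERS = {"web", "middleware", "database"}
VALID_ENVS = {"dev", "test", "prod"}


def provision(name: str, tier: str, env: str) -> VM:
    """Model of a newly provisioned VM inheriting its security posture from its role:
    the tier/env tags are attached at creation, so the rules apply with no per-guest agent."""
    if tier not in VALID_TIERS or env not in VALID_ENVS:
        raise ValueError(f"unknown role for {name}: tier={tier!r} env={env!r}")
    return VM(name, tier, env)


def evaluate(policy: List[Rule], src: VM, dst: VM, port: int) -> Tuple[str, Optional[Rule]]:
    """Return ("allow", rule) for the first matching rule, else ("deny", None).
    Default deny: a flow that matches no rule is dropped."""
    for rule in policy:
        if (rule.src_tier, rule.dst_tier, rule.dst_port) != (src.tier, dst.tier, port):
            continue
        if rule.same_env_only and src.env != dst.env:
            continue  # tiers match, but the flow crosses an environment boundary
        return "allow", rule
    return "deny", None


def audit(policy: List[Rule], flows) -> List[str]:
    """Render one decision line per (src, dst, port) flow, as a firewall log would."""
    lines = []
    for src, dst, port in flows:
        action, _ = evaluate(policy, src, dst, port)
        lines.append(f"{action.upper():5} {src.name}({src.tier}/{src.env}) -> "
                     f"{dst.name}({dst.tier}/{dst.env}):{port}")
    return lines


if __name__ == "__main__":
    web_prod = provision("web01", "web", "prod")
    mw_prod = provision("app01", "middleware", "prod")
    db_prod = provision("db01", "database", "prod")
    mw_dev = provision("app-dev01", "middleware", "dev")
    sample_flows = [
        (web_prod, mw_prod, 8080),  # expected hop: allowed
        (mw_prod, db_prod, 5432),   # expected hop: allowed
        (web_prod, db_prod, 5432),  # web skipping the middleware tier: denied
        (mw_dev, db_prod, 5432),    # dev environment reaching prod data: denied
        (db_prod, web_prod, 22),    # reverse-direction flow out of the database tier: denied
    ]
    print("\n".join(audit(POLICY, sample_flows)))
```

The two checks worth noticing are the ones the prose implies but a flat rule list would miss: a flow whose tiers match is still denied when it crosses from dev or test into prod, and any flow with no explicit allow rule (including traffic originating from the database tier) is dropped by the default deny.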
This solution takes advantage of the strong integration between EMC technologies and the
VMware vRealize Suite. The solution, developed by EMC and VMware product and services
teams, includes EMC scalable storage arrays and data protection suites, integrated EMC and
VMware monitoring, and VMware software-defined networking and security to provide the
foundation for cloud services within customer environments.
Terminology
Table 1 lists the terminology used in the guide.
Table 1. Terminology
Term                                 Definition
CRL                                  Certificate Revocation List—contains a list of serial numbers for revoked certificates
DFW                                  VMware NSX Distributed Firewall
DLR                                  VMware NSX Distributed Logical Router
ESR                                  VMware NSX Edge Services Router
STS                                  Security Token Service—a VMware vCenter Single Sign-On authentication interface
VA                                   An abbreviation for virtual appliance used in diagrams in this guide
vRCM                                 An abbreviation for VMware vRealize Configuration Manager used in diagrams in this guide
VRO                                  An abbreviation for VMware vRealize Orchestrator used in diagrams in this guide
vRA                                  An abbreviation for VMware vRealize Automation used in diagrams in this guide
vR Ops                               An abbreviation for VMware vRealize Operations Manager used in diagrams in this guide
vRealize Automation blueprint        A specification for a virtual, cloud, or physical machine that is published as a catalog item in the vRealize Automation service catalog
vRealize Automation business group   A set of users, often corresponding to a line of business, department, or other organizational unit (OU), that can be associated with a set of catalog services and infrastructure resources
vRealize Automation fabric group     A collection of virtualization compute resources and cloud endpoints that is managed by one or more vRealize Automation fabric administrators
We value your feedback!
EMC and the authors of this document welcome your feedback on the solution and the
solution documentation. Contact
Chapter 2: Public Key Infrastructure
This chapter presents the following topics:
Overview .......................................................................................................... 11
Enterprise PKI architecture .................................................................................. 11
Enterprise PKI solution integration ....................................................................... 13
Summary .......................................................................................................... 15