
End to End Protection for Virtualised & Cloud Environments

© Copyright 2010 EMC Corporation. All rights reserved.
Why virtualization matters

Massive Cost Reduction

Speed and Business Impact

Expertise and Performance

Copyright 2009 Trend Micro Inc.


“Typical” Customer Virtualization Evolution

(Chart values as extracted: Desktops 85%; Servers 15% / 30% / 70% across the three stages.)

Stage 1, Consolidation: DC Consolidation & Endpoint Control
- Non-mission critical base applications
- Standardized hypervisor
- Simple VM Management

Stage 2, Expansion & Desktop: Mission critical applications
- Performance becomes critical
- API and advanced management use
- VDI sampling

Stage 3, Private > Public Cloud: Public and private cloud
- Multi-hypervisor
- Virtualized storage
- Multi-tenancy
- Workload Management
- Dedicate or Burst to public
- Enhanced Compliance controls


GET TECHIE

“By far, the number one concern about cloud services is security.”
-- Frank Gens, IDC, Senior VP & Chief Analyst


Phase 1 Security Challenge

A perimeter-only (“outside-in”) approach together with rapid virtualization has created less secure application environments.

“Through 2012, 60% of virtualized servers will be less secure than the physical servers they replace.”
“Addressing the Most Common Security Risks in Data Center Virtualization Projects”, Gartner, 25 January 2010


Phase I: The virtual datacenter is very dynamic!

(Diagram labels: Hypervisor; Inter-VM attacks; PCI; Mobility; Cloud Computing.)

New Challenges Require a New Security Architecture
Virtual Machines Need Specialized Protection

Same threats in virtualized servers as physical.

New challenges:
1. Instant-on/Dormant VMs
2. Resource contention
3. VM Sprawl
4. Inter-VM traffic
5. vMotion


Virtualization Security Foundation
“Secure the workload”

(Diagram: VM1 (App1, OS1) and VM3 (App3, OS3) running on a Hypervisor. Labels: Self-secured workload: App FW, IPS, AV…; VM & Network Security Integration.)


Customers' most common Phase I concern:
Instant-on or unmanaged VMs & Patching

• Determines missing patches and existing vulnerabilities
  – Operating System
  – Common desktop applications
• Recommends a set of lightweight, fast-to-deploy filters
  – Virtually patches the vulnerabilities
  – Zero-Day protection
  – Reports on attempts to exploit vulnerabilities
• Removes filters as soon as the patch is deployed

Virtually patch endpoints until the patch is ready, without exposing them to exploits.
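The filter lifecycle on this slide (detect missing patch, shield it with a filter, report blocked exploit attempts, drop the filter once the real patch lands) is easy to get wrong in the last step: stale filters keep consuming resources and mask which hosts are actually patched. The following is an added example, not Trend Micro's or Deep Security's code; it reconciles an endpoint's active filters against its patch state so that a filter exists exactly while its patch is missing. Every vulnerability id, patch id, filter id and source address is a constructed placeholder, and the rule table stands in for whatever vulnerability-to-filter mapping a real product ships.

```python
"""Virtual-patch filter reconciliation (added example; not Trend Micro code).

A filter shields a vulnerability only while the patch that fixes it is
absent. reconcile() computes the desired filter set from the endpoint's
installed patches and returns what changed, so the caller can apply
additions and removals through whatever enforcement point it has.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VulnRule:
    vuln_id: str    # placeholder identifier, not a real advisory number
    fixed_by: str   # patch that closes the vulnerability
    filter_id: str  # filter that shields it until the patch is installed


# Constructed rule table with placeholder identifiers.
RULES = [
    VulnRule("VULN-OS-0001", "KB-PLACEHOLDER-1", "FILTER-1001"),
    VulnRule("VULN-OS-0002", "KB-PLACEHOLDER-2", "FILTER-1002"),
    VulnRule("VULN-APP-0003", "APP-PATCH-PLACEHOLDER-3", "FILTER-1003"),
]


@dataclass
class Endpoint:
    name: str
    installed_patches: set
    active_filters: set = field(default_factory=set)


def missing_patches(ep: Endpoint, rules) -> set:
    """Patches the rule table knows about that this endpoint lacks."""
    return {r.fixed_by for r in rules if r.fixed_by not in ep.installed_patches}


def desired_filters(ep: Endpoint, rules) -> set:
    """Filters that should be active: one per still-unpatched vulnerability."""
    return {r.filter_id for r in rules if r.fixed_by not in ep.installed_patches}


def reconcile(ep: Endpoint, rules):
    """Bring active filters in line with patch state.

    Returns (added, removed). Filters whose patch is now installed are
    removed, which is the 'removes filters as soon as the patch is
    deployed' step on the slide.
    """
    want = desired_filters(ep, rules)
    added = want - ep.active_filters
    removed = ep.active_filters - want
    ep.active_filters = want
    return added, removed


def exploit_attempt_report(ep: Endpoint, rules, blocked_events):
    """Map blocked events back to the vulnerability each filter shielded.

    blocked_events: iterable of (filter_id, source) pairs emitted by the
    filter engine (constructed format for this example). Events for
    filters that are no longer active are ignored: the vulnerability is
    patched, so the block is not an exposure worth reporting here.
    """
    by_filter = {r.filter_id: r for r in rules}
    report = []
    for filter_id, source in blocked_events:
        if filter_id in ep.active_filters:
            report.append({"endpoint": ep.name,
                           "vuln": by_filter[filter_id].vuln_id,
                           "source": source})
    return report


if __name__ == "__main__":
    ep = Endpoint("vm-01", {"KB-PLACEHOLDER-1"})
    print("missing:", missing_patches(ep, RULES))
    print("first reconcile (added, removed):", reconcile(ep, RULES))
    ep.installed_patches.add("KB-PLACEHOLDER-2")   # patch deployed
    print("after patch (added, removed):", reconcile(ep, RULES))
    print(exploit_attempt_report(ep, RULES, [("FILTER-1003", "10.0.0.5")]))
```

Run `reconcile()` from the same job that records a patch as installed; if the two are decoupled, the window between patch deployment and filter removal is where the stale-filter problem lives.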
Deep Security
“Inside-out” Protection Model for Physical, Virtual and Cloud Computing

(Diagram: a “De-Militarized Zone” (DMZ) with IPS and Firewalls in front of Business Servers and Mission Critical Servers; per-server controls shown: Firewall, IDS / IPS (NIPS), File Integrity Monitoring, Log Inspection.)

Trend Micro Deep Security Provides A Secure Container for Applications and Data
“Typical” Customer Virtualization Evolution

(Chart values as extracted: Desktops 85%; Servers 15% / 30% / 70% across the three stages.)

Stage 1, Consolidation: DC Consolidation & Endpoint Control
- Non-mission critical base applications
- Standardized hypervisor
- Simple VM Management

Stage 2, Expansion & Desktop: Mission critical applications
- Performance becomes critical
- API and advanced management use
- VDI sampling

Stage 3, Private > Public Cloud: Hybrid and selected public cloud
- Multi-hypervisor
- Virtualized storage
- Workload Management
- Burst to public
- Enhanced Compliance controls


GET TECHIE
Phase 2: Security Challenge

“Virtually unaware” traditional security architectures eliminate the benefits of VDI and virtualized mission-critical applications.


Phase II Server Performance

(Diagram: a Security VM providing Firewall, IDS / IPS, Anti-Virus and Integrity Monitoring alongside the App/OS VMs on an ESX Server, through the VMsafe APIs.)

• Protect the VM by inspection of virtual components
• Unprecedented security for the app & data inside the VM
• Complete integration with, and awareness of, vMotion, Storage VMotion, HA, etc.
Phase II: Securing virtual desktops (VDI)

• Malware risk potential: identical to physical desktops
  – Same operating systems
  – Same software
  – Same vulnerabilities
  – Same user activities
  => Same risk of exposing corporate and sensitive data

• New challenges, unique to VDI:
  – Identify endpoints' virtualization status
  – Manage resource contention
    • CPU
    • Storage IOPS
    • Network


Phase II: Cloud-client architecture

(Diagram: in-the-cloud Web Reputation, Email Reputation and File Reputation services fed by Threat Collection; Management; SaaS/Managed; Partners (ISPs, Routers, etc.); protected points: Endpoint, Off Network, Gateway, Messaging; Threats shown entering from outside.)


Phase II: Light and Lean Architecture
Smart Protection Network

CLOUD-CLIENT ARCHITECTURE
• Speeds protection: in-the-cloud technologies are constantly updated
• Frees resources: offloads growing patterns to the cloud

GLOBAL THREAT INTELLIGENCE (Web, Email, File)
• Correlated: integrates web, email, and file reputation databases
• Instant feedback: immediately updates using global feedback loops


Phase II: IT Environment Changes
Challenge: Resource Contention with VDI

• The “9-AM problem”
  – Multiple users log in and download updates at the same time
• “AV-Storms”, scheduled scans
  – Add significant load to the endpoint
  – Multiplied by the number of VMs

Existing endpoint security induces cumulative system load and resource contention, and limits desktop virtualization benefits.


Phase II Security has to have VDI-Intelligence

• Detects whether endpoints are physical or virtual
  – With VMware View
  – With Citrix XenDesktop
• Serializes updates and scans per VDI host
  – Controls the number of concurrent scans and updates per VDI host
  – Maintains availability and performance of the VDI host
  – Faster than the concurrent approach
• Leverages base images to further shorten scan times
  – Pre-scans and white-lists VDI base images
  – Prevents duplicate scanning of unchanged files on a VDI host
  – Further reduces impact on the VDI host
• Can be done agentlessly as well
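The two mechanisms above, per-host serialization of scans and base-image whitelisting, are the answer to the “9-AM problem” and AV-storm slide before it. The following is an added example, not OfficeScan's or any Trend Micro code: a toy scanner that maps each virtual desktop to its VDI host, bounds the number of concurrent scans per host with a semaphore, and skips files whose content digest matches a pre-scanned golden image. The host and desktop names, the file contents, the `max_concurrent_per_host` parameter and the use of SHA-256 digests as the whitelist key are all constructed for this example; the sleep stands in for real scan work so that the concurrency bound is visible.

```python
"""VDI-aware scan scheduling (added example; not Trend Micro code).

Demonstrates two ideas: (1) a per-host concurrency limit so that a scan
storm across many desktops does not saturate the host they share, and
(2) a whitelist of digests from a pre-scanned base image so unchanged
files are not scanned again on every desktop.
"""
import hashlib
import threading
import time
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor

# Constructed inventory: which VDI host each virtual desktop runs on.
VM_TO_HOST = {
    "desk-01": "vdi-host-A", "desk-02": "vdi-host-A", "desk-03": "vdi-host-A",
    "desk-04": "vdi-host-B", "desk-05": "vdi-host-B",
}

# Constructed golden image: path -> file content.
BASE_IMAGE = {
    "C:/Windows/System32/a.dll": b"golden-a",
    "C:/Windows/System32/b.dll": b"golden-b",
}


def file_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_base_image_whitelist(base_image: dict) -> set:
    """Pre-scan the golden image once and record digests of its clean files."""
    return {file_digest(content) for content in base_image.values()}


class VdiAwareScanner:
    def __init__(self, vm_to_host, whitelist, max_concurrent_per_host=1):
        self.vm_to_host = vm_to_host
        self.whitelist = whitelist
        # One semaphore per VDI host bounds concurrent scans on that host.
        self.host_slots = defaultdict(
            lambda: threading.Semaphore(max_concurrent_per_host))
        self.active = defaultdict(int)  # scans running right now, per host
        self.peak = defaultdict(int)    # highest concurrency observed, per host
        self._lock = threading.Lock()

    def scan_vm(self, vm: str, files: dict) -> dict:
        host = self.vm_to_host[vm]
        with self.host_slots[host]:            # wait for a slot on this host
            with self._lock:
                self.active[host] += 1
                self.peak[host] = max(self.peak[host], self.active[host])
            try:
                scanned = skipped = 0
                for content in files.values():
                    if file_digest(content) in self.whitelist:
                        skipped += 1       # unchanged base-image file, known clean
                    else:
                        scanned += 1       # new or modified file: real engine runs here
                        time.sleep(0.005)  # stand-in for scan work
                return {"vm": vm, "host": host, "scanned": scanned, "skipped": skipped}
            finally:
                with self._lock:
                    self.active[host] -= 1


def run_scan_storm(scanner: VdiAwareScanner, vm_files: dict) -> list:
    """Launch every desktop's scan at once (the 9-AM case) and collect results."""
    with ThreadPoolExecutor(max_workers=len(vm_files)) as pool:
        return list(pool.map(lambda item: scanner.scan_vm(*item), vm_files.items()))


def desktop_files(vm: str) -> dict:
    """Constructed per-desktop file set: the base image plus one user file."""
    files = dict(BASE_IMAGE)
    files[f"C:/Users/{vm}/notes.exe"] = f"user-content-{vm}".encode()
    return files


def demo(max_concurrent_per_host: int = 1):
    """Run a scan storm over all desktops; return per-VM results and per-host peaks."""
    whitelist = build_base_image_whitelist(BASE_IMAGE)
    scanner = VdiAwareScanner(VM_TO_HOST, whitelist, max_concurrent_per_host)
    results = run_scan_storm(scanner, {vm: desktop_files(vm) for vm in VM_TO_HOST})
    return results, dict(scanner.peak)


if __name__ == "__main__":
    results, peak = demo()
    for r in results:
        print(r)
    print("peak concurrent scans per host:", peak)
```

With the limit at 1 each host sees at most one scan at a time, and each desktop scans only the one file that differs from the golden image; raising `max_concurrent_per_host` trades host load for wall-clock time, which is the knob the slide's “controls the number of concurrent scans and updates per VDI host” refers to.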



OfficeScan 10.5 has VDI-intelligence

• With OfficeScan 10.5, you can run more than double the number of desktop images per host – without sacrificing security
• Investment in OfficeScan's VDI plug-in pays for itself:
  – In less than 3 months with 1000 users*
  – In less than 2 months with 2500 users*

You no longer have to choose between security and return on investment.

*: assuming average cost of $8000 per VDI server and the deployment of standard endpoint securi
Summary of Phase II Solutions

• Light and lean agents when deep visibility is required
  – Using cloud-client architecture
• Agent-less option for application & server performance
  – Using virtualization APIs
• Architecture optimizes performance across the entire infrastructure
  – Processes are “virtually-aware” across CPU, network, and storage

Trend Micro Confidential, 11/26/2010




GET TECHIE
Phase III: Virtualized Storage and Multi-tenancy Creates Data Protection Nightmares

(Diagram comparing a Datacenter Perimeter, where Company 1…n each run App 1…n on their own Hypervisor, with a Public and Private Cloud, where Company 1…5 share one Hypervisor.)

Datacenter                 Public and Private Cloud
Strong perimeter security  Weak perimeter security
No shared CPU              Shared CPU
No shared network          Shared network
No shared storage          Shared storage

Traditional “outside-in” approach is inadequate in an “inside-out” cloud world full of strangers.
The Public Cloud: Who Has Control? How Secure is the Data?

(Diagram: five deployment models, Servers; Virtualization & Private Cloud; Public Cloud IaaS; Public Cloud PaaS; Public Cloud SaaS, each showing the stack of Company Data, Apps (App 1…n), shared CPU, shared network, shared storage and Hypervisor, with each layer under either End-User (Enterprise) or Service Provider control.)
Phase 3: Security Challenge

How do I protect data in a virtualized and multi-tenant storage environment (private, hybrid, or public cloud)?


SecureCloud: Enterprise Controlled Data Protection for the Cloud

Patent pending Trend Micro technology enables enterprises to retain control of data in the cloud.


All Phases: Architecture Security Challenge

How do I bring it all together in a manageable way across virtualized, private and public cloud environments?


A New Security Architecture For A New Era
All environments should be considered un-trusted

Benefits
• Facilitates movement between datacenter & cloud
• Delivers security compliance through encryption
• Enables portability between service providers
• Ensures private data in public cloud

(Diagram: users access the app in the Datacenter (DC1, LAN 1; DC2, LAN 2) or in the Public Cloud (Cloud 1, LAN 2; Cloud 2, LAN 1). Labels: Host defends itself from attack; Image ensures data is always encrypted and managed; Encryption keys controlled by you; Encrypted Data.)
“Typical” Customer Virtualization Evolution

(Chart values as extracted: Desktops 85%; Servers 15% / 30% / 70% across the three stages.)

Stage 1, Consolidation: Secure the workload (Deep Security)
Stage 2, Expansion & Desktop: Architected for performance (OfficeScan 10.5, Deep Security)
Stage 3, Private > Public Cloud: Lock data upon creation (SecureCloud)

Optimized Cloud Security Architecture
Smart Protection Network

GET TECHIE
Back to the question: To Virtualize or not?

Massive Cost Reduction
Speed and Business Impact
Expertise and Performance

ANSWER: YES, BUT ONLY WITH A “BETTER-THAN-PHYSICAL” CLOUD SECURITY ARCHITECTURE
Thank you
For visiting the Trend Micro Carnival

