HIPAA Compliance Guide

Upload: prasadvallura

Posted on 08-Mar-2016


HIPAA Compliance - Compliance Ready Lab Setup Requirements.docx

Compliance Ready Lab Build Guide
HIPAA Version

Contents
Overview
Security Application Zone (Runs on)
Requirements
Segmentation/firewall
ESXi Host Security
ESXi Host Firewall
Configure NTP Time Synchronization For ESXi Host
Lockdown Mode
Set DCUI (Direct Console UI) Access
Remote Syslog/Logging
Disable MOB (Managed Object Browser)
Zero-Out VMDK (before deletion)
Create A Non-Root Local Admin Account
Configure Host Profile
vSwitch Security
Reject Promiscuous Mode
Reject MAC Address Changes
Reject Forged Transmits
Network Security
Firewall internal
Allowed ports for management
Firewall external
SECURITY MANAGEMENT
vCloud Networking And Security (vCNS)
vShield Manager
vShield Manager Installation
vShield App
Flow Monitoring
App Firewall
vShield App Fail Safe Setting
vShield App Exclusion List
vShield App Installation
Example Of vShield App Firewall Blocking Rule
vShield Edge
vShield Edge Installation
vShield Edge Gateway And Isolated Network Configuration
vShield Endpoint
vShield Endpoint Installation
Testing Requirements
vShield Data Security
vShield Data Security Installation
vShield Data Security Policy
Testing Requirements
BMC Server Automation
BSA Architecture
Client Tier
Server Tier
Middle Tier
Installation
BSA Database Server
BSA File Server Agent
BSA Application Server
BSA GUI Console
BSA Compliance Module
Testing Requirement
Setting Discovery Job
Setting Policy-Based Compliance Audit
BMC BladeLogic Decision Support For Server Automation
Installation
Testing Requirement
BMC BladeLogic Atrium Integration
BSA Atrium Integration Diagram
Installation
Testing Requirement
Customizing Data Mapping Between BSA And CMDB
Transferring Business Service Data from Atrium CMDB to BSA
Configuration And Testing
Denial Of Service
DATA PROTECTION
ENCRYPTION
Encryption In Flight
Encryption At Rest
VULNERABILITY ASSESSMENT
Intrusion Detection
Deep Packet Inspection
Data Leak Prevention
Data Loss Prevention/Data Loss Protection
vCNS vShield Data Security
Logging And Auditing
EXPLOIT AND MALWARE PROTECTION
Virus Scanning
vCNS vShield Endpoint And VMware Partners AntiVirus And AntiMalware Software
Configuration And Patch Management
Integrated Solution
SupernaNet.Connect
VCE Vision Intelligent Operations
VMware vCenter
BMC CMDB
Manual Tagging For Compliant CIs
vCenter Inventory Tagging
BMC CMDB Tagging
Automatic Tagging For Compliant CIs
SupernaNet.Connect Mapping File
Monitoring
IDENTITY AND ACCESS MANAGEMENT
LoginTC For OpenVPN
LoginTC Cloud Domain
LoginTC Radius Connector
OpenVPN
LDAP
User
Data protection
backup/restore/replication
Configuration And Patch Management
Auto Deploy Installation VMware vSphere 5.1
Compliance
HIPAA 164.306 Security Standards: General Rules
164.308 Administrative Safeguards
Security Management Process (164.308(a)(1))
Key Activities: Conduct Risk Assessment
Technical Implementations:
Key Activities: Develop And Deploy The Information System Activity Review Process
Technical Implementations:
Technical Implementations:
Key Activities: Develop Appropriate Standard Operating Procedures
Technical Implementations:
Information Access Management (164.308(a)(4))
Key Activities: Implement Policies And Procedures For Authorizing Access
Technical Implementation:
Security Awareness and Training (164.308(a)(5))
Implementation Specification: Protection From Malicious Software
Technical Implementation:
164.310 Physical Safeguards
Device And Media Controls (164.310(d)(1))
Key Activities: Implement Methods For Final Disposal of EPHI
Technical Implementations:
Key Activities: Develop And Implement Procedures For Reuse Of Electronic Media
Technical Implementations:
164.312 Technical Safeguards
Access Control (164.312(a)(1))
Key Activities: Analyze Workloads And Operations To Identify The Access Needs Of All Users
Technical Implementations:
Key Activities: Identify Technical Access Control Capabilities
Technical Implementations:
Key Activities: Ensure That All System Users Have Been Assigned A Unique Identifier
Technical Implementations:
Key Activities: Implement Access Control Procedures Using Selected Hardware And Software
Description:
Technical Implementations:
Key Activities: Review And Update User Access
Technical Implementations:
Key Activities: Terminate Access If It Is No Longer Required
Technical Implementation:
Audit Controls (164.312(b)) - Future In Scope - Security Partner
Key Activities: Determine The Activities That Will Be Tracked Or Audited
Technical Implementation:
Key Activities: Select The Tools That Will Be Deployed For Auditing And System Activity Reviews
Technical Implementations:
Integrity (164.312(c)(1))
Key Activities: Mechanism To Authenticate Electronic Protected Health Information
Technical Implementations:
Person Or Entity Authentication (164.312(d))
Key Activities: Determine Authentication Applicability To Current Systems/Applications
Technical Implementation:
Key Activities: Evaluate Authentication Options Available
Technical Implementation:
References

Overview

This document is the master design document for all areas of the design. It is structured so that ISVs can map their product into a functional area. The scope of the phase I design is shown in Figure 1.

Security Application Zone (Runs on)

Application deployments will follow a deployment method that ensures that a secure network is in place between the virtual machines that need to communicate. Applications that adhere to best practices will follow the requirements below for deployment in the test bed.

Requirements
1. Must support one or the other deployment option for VM-to-VM communications

Segmentation/firewall

vSphere uses the Intel Trusted Platform Module/Trusted Execution Technology (TPM/TXT) to provide remote attestation of the hypervisor image based on a hardware root of trust. The hypervisor image comprises the following elements:

- ESXi software (hypervisor) in VIB (package) format
- Third-party VIBs
- Third-party drivers

To leverage this capability, your ESXi system must have TPM and TXT enabled.

1. Enable TPM and document it: http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-E9B71B85-FBA3-447C-8A60-DEE2AE1A405A.html

Cisco Trusted Platform Module
The Cisco Trusted Platform Module (TPM) is a computer chip that securely stores artifacts such as measurements, passwords, certificates, or encryption keys that are used to authenticate the Vblock Systems. The Cisco TPM provides authentication and attestation services that enable safer computing in all environments. The Cisco TPM module is available by default in Vblock Systems as a component within the Cisco UCS M3 Blade Servers, and is shipped disabled. For more information, refer to the VCE Vblock Systems Blade Packs Reference. Refer to Accessing VCE documentation. VCE supports Cisco TPM hardware but does not support the Cisco TPM functionality. Using Cisco TPM features involves using a software stack from a vendor with significant domain experience in trusted computing. Consult your software stack vendor for configuration and operational considerations relating to the Cisco TPMs.

ESXi Host Security

ESXi Host Firewall
ESXi includes a firewall between the management interface and the network. The firewall is enabled by default. This ESXi firewall provides a new access control capability for ESXi. We need to configure this host firewall to restrict access to the services running on the host. Some important points about the ESXi 5.x firewall:
- ESXi 5.x has a new firewall engine that is not based on iptables.
- The firewall is enabled by default and allows Internet Control Message Protocol (ICMP) pings and communication with DHCP and DNS (UDP only) clients.
- The firewall is service oriented.
- Access to specific services can be restricted based on IP address/subnet mask.
- There is Host Profile support for the ESXi 5.x firewall.
- A new ESXCLI interface (esxcfg-firewall) is available in ESXi 5.x.
We can configure firewall properties to allow or deny access for a service or management agent. We can also specify which networks are allowed to connect to each service running on the host. Specify the startup policy: set the service or client startup option (automatically, manually, or start and stop with host).

Fig.2 ESXi Host Security Profile

Fig.3 ESXi Host Firewall

Configure NTP Time Synchronization For ESXi Host
By ensuring that all systems synchronize to the same time standard, we make it simpler to track and correlate an intruder's actions when reviewing the relevant log files. Incorrect time settings make it difficult to inspect and correlate log files to detect attacks, and make auditing inaccurate. We need to set the time configuration of the host to point to the NTP server (specify its IP address) and start the service. It is recommended to synchronize the ESXi clock with a time server located on the management network rather than directly with a time server on a public network. That time server can then synchronize with a public source through a strictly controlled, firewalled network connection.

Lockdown Mode
Enabling lockdown mode disables direct access to an ESXi host, requiring the host to be managed remotely from vCenter Server. Lockdown limits ESXi host access to the vCenter Server. This ensures that the roles and access controls implemented in vCenter are always enforced and that users cannot bypass them by logging in to a host directly. By forcing all interaction to occur through vCenter Server, the risk of someone inadvertently attaining elevated privileges or performing tasks that are not properly audited is greatly reduced. Note: lockdown mode does not apply to users who log in using authorized keys. When you use an authorized key file for root user authentication, root users are not prevented from accessing a host with SSH even when the host is in lockdown mode. Note also that users listed in the DCUI.Access list for each host are allowed to override lockdown mode and log in to the DCUI. By default the "root" user is the only user in the DCUI.Access list.

Set DCUI (Direct Console UI) Access
DCUI.Access is set so that only trusted users can override lockdown mode. Lockdown disables direct host access, requiring admins to manage hosts from vCenter. However, if a host becomes isolated from vCenter, the admin would be locked out and unable to manage the host. To avoid being locked out of an ESXi host running in lockdown mode, set DCUI.Access to a list of highly trusted users who are allowed to override lockdown mode and access the DCUI.

Remote Syslog/Logging
Log files are an important component of troubleshooting attacks and obtaining information about breaches of host security. Remote logging to a central log host provides a secure, centralized store for ESXi logs. To facilitate this we can use the vSphere Syslog Collector tool. By gathering host log files onto a central host you can more easily monitor all hosts with a single tool. For security purposes we can aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server also helps prevent log tampering and provides a long-term audit record.
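Centralized log review only pays off when the collector can line events from different hosts up against each other, which is why the NTP section above insists on synchronized clocks. The script below is an added example for this guide, not VMware or vSphere Syslog Collector code. It parses a constructed, simplified log format in which each line carries both the collector's receive time and the host's own timestamp, flags any host whose clock disagrees with the collector by more than a tolerance, and looks for failed SSH logins from one source address against several hosts inside a short window, the kind of coordinated attempt the text mentions. Host names, addresses and the line layout are assumptions.

```python
"""Central ESXi log review: clock-skew check plus cross-host correlation.
Added example for this guide, not VMware code. The log layout is a
constructed simplification: <collector receive time> <host> <host timestamp> <message>."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log as received by the central collector.
# esx03's own clock is ~15 minutes behind; 203.0.113.7 hits three hosts in seconds.
SAMPLE_LOG = """\
2016-03-08T10:00:01 esx01 2016-03-08T10:00:01 SSH login failed for user root from 203.0.113.7
2016-03-08T10:00:03 esx02 2016-03-08T10:00:03 SSH login failed for user root from 203.0.113.7
2016-03-08T10:00:04 esx03 2016-03-08T09:45:10 SSH login failed for user root from 203.0.113.7
2016-03-08T10:00:09 esx01 2016-03-08T10:00:09 SSH login failed for user admin from 203.0.113.7
2016-03-08T10:05:00 esx02 2016-03-08T10:05:00 SSH login succeeded for user ops from 10.10.5.20
2016-03-08T10:30:00 esx04 2016-03-08T10:30:00 SSH login failed for user root from 198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<recv>\S+) (?P<host>\S+) (?P<ts>\S+) (?P<msg>.*)$")
FAIL_RE = re.compile(r"SSH login failed for user \S+ from (?P<src>[\d.]+)")


def parse_lines(text):
    """Turn raw lines into event dicts; lines that do not fit the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "recv": datetime.fromisoformat(m["recv"]),
            "host": m["host"],
            "ts": datetime.fromisoformat(m["ts"]),
            "msg": m["msg"],
        })
    return events


def clock_skew_hosts(events, tolerance=timedelta(minutes=1)):
    """Hosts whose own timestamp disagrees with the collector's receive time by
    more than `tolerance`; their logs cannot be correlated reliably until NTP is fixed.
    Returns {host: largest observed skew}."""
    skewed = {}
    for e in events:
        delta = abs(e["recv"] - e["ts"])
        if delta > tolerance:
            skewed[e["host"]] = max(delta, skewed.get(e["host"], timedelta(0)))
    return skewed


def coordinated_ssh_failures(events, window=timedelta(minutes=5), min_hosts=2):
    """Source addresses with failed SSH logins on at least `min_hosts` distinct
    hosts inside `window`. The collector's receive time is used for ordering, so
    a skewed host clock cannot hide the pattern. Returns {source: [hosts]}."""
    by_src = defaultdict(list)
    for e in events:
        m = FAIL_RE.search(e["msg"])
        if m:
            by_src[m["src"]].append((e["recv"], e["host"]))
    hits = {}
    for src, items in by_src.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[src] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LOG)
    print("clock skew:", clock_skew_hosts(evs))
    print("coordinated SSH failures:", coordinated_ssh_failures(evs))
```

Run on the sample, the skew check singles out esx03 (its timestamps are almost fifteen minutes behind the collector) and the correlation reports 203.0.113.7 against esx01, esx02 and esx03; the single failure from 198.51.100.9 on one host stays below the threshold.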

Disable MOB (Managed Object Browser)
The managed object browser (MOB) provides a way to explore the object model used by the VMkernel to manage the host; it also allows the configuration to be changed. This interface is meant primarily for debugging the vSphere SDK, but because there are no access controls it could also be used to obtain information about a host being targeted for unauthorized access. MOB cannot be disabled while the host is in lockdown mode, so disable MOB before putting the host into lockdown mode.

Zero-Out VMDK (before deletion)
To help prevent sensitive data in VMDK files from being read off the physical disk after deletion, the virtual disk should be zeroed out prior to deletion. This makes it more difficult for someone to reconstruct the contents of the VMDK file. The CLI command "vmkfstools --writezeroes" can be used to write zeros over the entire contents of a VMDK file prior to its deletion.

Create A Non-Root Local Admin Account
ESXi 5.1 allows the creation of individual local user accounts. Being able to create individual local user accounts on ESXi hosts eliminates the need to share or use the root account and password. This helps mitigate one of the most common security risks and gives better auditing and traceability on the ESXi hosts.

Configure Host Profile

Monitoring Changes To The Configuration
Monitoring for configuration drift and unauthorized changes is critical to ensuring the security of ESXi hosts. Host profiles provide an automated method for monitoring host configurations against an established template and for providing notification when deviations are detected.

vSwitch Security

Reject Promiscuous Mode

In non-promiscuous mode, a guest adapter listens to traffic only on its own MAC address. In promiscuous mode, it can listen to all packets. By default, guest adapters are set to non-promiscuous mode. The promiscuous mode security policy can be defined at the virtual switch or port group level in ESX/ESXi.
Ref: http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-92F3AB1F-B4C5-4F25-A010-8820D7250350.html

Reject MAC Address Changes
If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This allows it to stage malicious attacks on devices in the network by impersonating a network adapter authorized by the receiving network. The Reject MAC Address Changes setting prevents VMs from changing their effective MAC address. It affects applications that require this functionality; an example is Microsoft Clustering, which requires systems to effectively share a MAC address. It also affects how a layer-2 bridge operates, and applications that require a specific MAC address for licensing. An exception should be made for the port groups these applications are connected to.
Ref: http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-942BD3AA-731B-4A05-8196-66F2B4BF1ACB.html

Reject Forged Transmits
By default the forged transmits setting is Accept, which means the virtual switch does not compare the source and effective MAC addresses. To protect against MAC address impersonation, all virtual switches should have forged transmits set to Reject.
Ref: http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-7DC6486F-5400-44DF-8A62-6273798A2F80.html
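To make the three vSwitch policies concrete, here is an added example (not VMware code) that models how a virtual port treats frames under each setting: a port whose guest has changed its effective MAC is blocked outright when MAC Address Changes is Reject; an outbound frame whose source MAC differs from the effective MAC is dropped when Forged Transmits is Reject; and a port receives frames addressed to other MACs only when the guest has asked for promiscuous mode and the policy allows it. The port and frame structures are simplified assumptions and the MAC addresses are constructed.

```python
"""Simulation of the vSwitch security policies on a single virtual port.
Added example for this guide, not VMware code; port/frame fields are assumptions."""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class SecurityPolicy:
    """vSwitch or port group policy. False means Reject (the hardened setting)."""
    allow_promiscuous: bool = False
    allow_mac_changes: bool = False
    allow_forged_transmits: bool = False


@dataclass
class VirtualPort:
    initial_mac: str                     # MAC assigned in the VM's configuration
    effective_mac: str                   # MAC the guest OS currently uses
    promiscuous_requested: bool = False  # guest adapter put into promiscuous mode


@dataclass
class Frame:
    src: str
    dst: str


def port_blocked_by_mac_change(port, policy):
    """With MAC Address Changes at Reject, a guest that changes its effective MAC
    away from the initial MAC has its port blocked in both directions."""
    return (not policy.allow_mac_changes
            and port.effective_mac.lower() != port.initial_mac.lower())


def allow_transmit(port, policy, frame):
    """Outbound check: a forged frame (source MAC != effective MAC) passes only
    when Forged Transmits is Accept."""
    if port_blocked_by_mac_change(port, policy):
        return False
    forged = frame.src.lower() != port.effective_mac.lower()
    return policy.allow_forged_transmits or not forged


def allow_receive(port, policy, frame):
    """Inbound check: frames for the port's own MAC or broadcast are always
    delivered; anything else needs promiscuous mode requested AND allowed."""
    if port_blocked_by_mac_change(port, policy):
        return False
    if frame.dst.lower() in (port.effective_mac.lower(), BROADCAST):
        return True
    return port.promiscuous_requested and policy.allow_promiscuous


def demo():
    """Same spoofed frame and same sniffing attempt under Reject and Accept policies."""
    hardened = SecurityPolicy()
    permissive = SecurityPolicy(True, True, True)
    port = VirtualPort("00:50:56:aa:bb:01", "00:50:56:aa:bb:01", promiscuous_requested=True)
    spoofed = Frame(src="00:50:56:aa:bb:99", dst=BROADCAST)           # impersonated source
    other_vm = Frame(src="00:50:56:aa:bb:02", dst="00:50:56:aa:bb:03")  # traffic between two other VMs
    return {
        "spoofed tx hardened": allow_transmit(port, hardened, spoofed),
        "spoofed tx permissive": allow_transmit(port, permissive, spoofed),
        "sniff hardened": allow_receive(port, hardened, other_vm),
        "sniff permissive": allow_receive(port, permissive, other_vm),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {'delivered' if v else 'dropped'}")
```

The exception the text mentions for Microsoft Clustering corresponds to a port whose effective MAC legitimately differs from the initial one: under the hardened policy `port_blocked_by_mac_change` blocks it, which is why such port groups need their own policy with MAC Address Changes set to Accept.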

Fig.4 vSwitch Security

Network Security

Firewall internal
To safeguard the virtual machines' resources, the system administrator lowers the risk of DoS and DDoS attacks by configuring a resource reservation and a limit for each virtual machine. The system administrator further protects the ESXi host and virtual machines by installing software firewalls at the front and back ends of the DMZ, ensuring that the host is behind a physical firewall, and configuring the networked storage resources so that each has its own virtual switch.

DMZ setup:

http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-A309590A-FFFC-45FF-95AD-43242F58D6B4.html

Allowed ports for management
This is the list of predetermined TCP and UDP ports used by vCenter, ESXi hosts and other network components. Some ports are open by default at installation time, as indicated in the table as (Default). Depending on our requirements and security considerations we can configure the firewall to allow or reject access to these TCP and UDP ports.

Port | Purpose | Traffic Type
22 | SSH Server | Incoming TCP
53 (Default) | DNS Client | Incoming and outgoing UDP
68 (Default) | DHCP Client | Incoming and outgoing UDP
161 (Default) | SNMP Server | Incoming UDP
80 (Default) | vSphere Fault Tolerance (FT) (outgoing TCP, UDP); HTTP access: the default non-secure TCP Web port, typically used in conjunction with port 443 as a front end for access to ESXi networks from the Web. Port 80 redirects traffic to an HTTPS landing page (port 443); WS-Management | Incoming TCP; outgoing TCP, UDP
111 (Default) | RPC service used for the NIS register by vCenter Virtual Appliance | Incoming and outgoing TCP
123 | NTP Client | Outgoing UDP
135 (Default) | Used to join vCenter Virtual Appliance to an Active Directory domain | Incoming and outgoing TCP
427 (Default) | The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers | Incoming and outgoing UDP
443 (Default) | HTTPS access; vCenter Server access to ESXi hosts; default SSL Web port; vSphere Client access to vCenter Server; vSphere Client access to ESXi hosts; WS-Management; vSphere Client access to vSphere Update Manager; third-party network management client connections to vCenter Server; third-party network management client access to hosts | Incoming TCP
513 (Default) | vCenter Virtual Appliance used for logging activity | Incoming UDP
902 (Default) | Host access to other hosts for migration and provisioning; authentication traffic for ESXi and remote console traffic (xinetd/vmware-authd); vSphere Client access to virtual machine consoles; (UDP) status update (heartbeat) connection from ESXi to vCenter Server | Incoming and outgoing TCP, outgoing UDP
903 | Remote console traffic generated by user access to virtual machines on a specific host; vSphere Client access to virtual machine consoles; MKS transactions (xinetd/vmware-authd-mks) | Incoming TCP
1234, 1235 (Default) | vSphere Replication | Outgoing TCP
2049 | Transactions from NFS storage devices. This port is used on the VMkernel interface. | Incoming and outgoing TCP
3260 | Transactions to iSCSI storage devices | Outgoing TCP
5900-5964 | RFB protocol, which is used by management tools such as VNC | Incoming and outgoing TCP
5988 (Default) | CIM transactions over HTTP | Incoming TCP
5989 (Default) | CIM XML transactions over HTTPS | Incoming and outgoing TCP
8000 (Default) | Requests from vMotion | Incoming and outgoing TCP
8009 | AJP connector port for vCenter Virtual Appliance communication with Tomcat | Outgoing TCP
8100, 8200 (Default) | Traffic between hosts for vSphere Fault Tolerance (FT) | Incoming and outgoing TCP, UDP
8182 | Traffic between hosts for vSphere High Availability (HA) | Incoming and outgoing TCP, incoming and outgoing UDP
9009 | Used to allow a vCenter Virtual Appliance to communicate with the vSphere Web Client | Incoming and outgoing TCP

http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-ECEA77F5-D38E-4339-9B06-FF9B78E94B68.html
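The ESXi host firewall described earlier is service oriented: each service has a ruleset that is enabled or disabled and is either open to all networks or limited to an allowed-IP list, and a packet that matches no enabled ruleset is dropped. The following added example (not ESXi code) models that decision logic and seeds it with three services from the table above (SSH server on 22/tcp inbound, NTP client on 123/udp outbound, SNMP on 161/udp inbound). The ruleset names, the management subnet 10.10.5.0/24 and the decisions to restrict SSH to that subnet and to disable SNMP are assumptions for the lab, not settings the guide prescribes.

```python
"""Model of a service-oriented host firewall with per-service allowed-IP lists.
Added example for this guide, not ESXi code. Ruleset names, the management
subnet and the restrict/disable decisions are assumptions; port numbers and
directions follow the management port table."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Ruleset:
    service: str
    port: int
    protocol: str               # "tcp" or "udp"
    direction: str              # "inbound" or "outbound"
    enabled: bool = True
    allowed_all: bool = True    # True: any peer may use the service
    allowed_networks: list = field(default_factory=list)  # CIDR strings when allowed_all is False

    def permits_peer(self, ip):
        """Allowed-IP check: a peer must fall inside one of the listed networks."""
        if self.allowed_all:
            return True
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n, strict=False) for n in self.allowed_networks)


class HostFirewall:
    def __init__(self, rulesets):
        self.rulesets = {r.service: r for r in rulesets}

    def restrict(self, service, networks):
        """Turn off 'allow all' for a service and attach an allowed-IP list."""
        rs = self.rulesets[service]
        rs.allowed_all = False
        rs.allowed_networks = list(networks)

    def decide(self, direction, protocol, port, peer_ip):
        """Return (allowed, reason). Default deny: no matching enabled ruleset, no traffic."""
        for rs in self.rulesets.values():
            if (rs.direction, rs.protocol, rs.port) == (direction, protocol, port):
                if not rs.enabled:
                    return False, f"{rs.service} disabled"
                if not rs.permits_peer(peer_ip):
                    return False, f"{peer_ip} not in allowed list for {rs.service}"
                return True, rs.service
        return False, "no ruleset"


def build_lab_firewall():
    """Constructed lab policy: SSH only from the management subnet, SNMP off."""
    fw = HostFirewall([
        Ruleset("sshServer", 22, "tcp", "inbound"),
        Ruleset("ntpClient", 123, "udp", "outbound"),
        Ruleset("snmp", 161, "udp", "inbound"),
    ])
    fw.restrict("sshServer", ["10.10.5.0/24"])   # assumed management network
    fw.rulesets["snmp"].enabled = False          # service not used in the lab
    return fw


if __name__ == "__main__":
    fw = build_lab_firewall()
    for probe in [("inbound", "tcp", 22, "10.10.5.20"),
                  ("inbound", "tcp", 22, "203.0.113.7"),
                  ("outbound", "udp", 123, "10.10.5.1"),
                  ("inbound", "udp", 161, "10.10.5.20"),
                  ("inbound", "tcp", 5900, "10.10.5.20")]:
        print(probe, "->", fw.decide(*probe))
```

The last probe shows the default-deny behaviour for a port from the table (5900, RFB/VNC) that has no ruleset in the lab policy: it is dropped even though the port is "known", which is the outcome the text intends when it says the firewall is used to restrict access to services running on the host.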

Firewall external
More:
http://www.vmware.com/go/compliance
http://www.vmware.com/go/security/
Information about VMsafe technology for protection of virtual machines, including a list of partner solutions: http://www.vmware.com/go/vmsafe/

SECURITY MANAGEMENT

vCloud Networking and Security (vCNS)
vCNS provides basic networking and security functionality for virtualized compute environments, built using the VMware vCloud Suite. It provides a broad range of services delivered through virtual appliances, such as a virtual firewall, virtual private network (VPN), load balancing, NAT, DHCP, and VXLAN-extended networks.

Components of vCNS:
1. vShield Manager
2. vShield App
3. vShield Edge
4. vShield Endpoint
5. vShield Data Security

vShield Manager
vShield Manager is the central point of control for all vShield solutions and integrates seamlessly with VMware vCenter to offer role-based access control and administrative delegation in a unified framework for managing virtualization security.

Fig.5 vShield Manager Web Interface

Fig.6 vShield integrated with VMware vCenter

vShield Manager Installation
Procedure
1. Log in to the vSphere Client and deploy the vShield Manager from the OVA file.
2. Once the deployment has completed, the vShield Manager is installed as a virtual machine in our vSphere inventory.
3. Power on the vShield Manager virtual machine.
4. Log in to the vShield Manager virtual console and set the IP address.
5. Log in to the Web GUI for further configuration (vCenter, SSO/Lookup Server, DNS, NTP settings).
6. Log in to the vSphere Client and select the ESX host where the vShield Manager resides. Verify that vShield appears as a tab. You can then install and configure vShield components from this vSphere Client.

vShield App
A hypervisor-based firewall that protects applications in the virtual data center from network-based attacks. vShield App provides a stateful inspection firewall applied at the virtual network interface card (vNIC) level, directly in front of specific workloads. vShield App must be installed on each ESXi host where the VMs it is to protect reside. For example, install vShield App on every ESXi host in a cluster so that VMware vMotion operations work and virtual machines remain protected as they migrate between ESX hosts. By default, a vShield App virtual appliance cannot be moved using vMotion. The System Status option lets us view the health of a vShield App. Details include system statistics, status of interfaces, software version, and environmental variables.

Fig.7 vShield App Status

There are two main components provided by vShield App: Flow Monitoring and App Firewall.

Flow Monitoring
Flow Monitoring is a traffic analysis tool that provides a detailed view of the traffic on our virtual network that passes through a vShield App. The Flow Monitoring output shows which machines are exchanging data and over which application. This data includes the number of sessions, packets, and bytes transmitted per session. Session details include sources, destinations, direction of sessions, applications, and ports being used. Session details can be used to create firewall allow or block rules.

Fig.8 vShield App Flow Monitoring

App Firewall
The App Firewall service is a centralized firewall for ESX hosts. App Firewall enables us to create rules that allow or block access to and from our virtual machines. Each installed vShield App enforces the App Firewall rules. An example of the basic rule that allows everything is shown in the following figure:

Fig.9 vShield App Firewall

vShield App Fail-Safe Setting
By default, traffic is blocked when the vShield App appliance fails or is unavailable. We can change the fail-safe mode to allow traffic to pass. Refer to the figure below.

vShield App Exclusion List
We can exclude a set of virtual machines from vShield App protection. This exclusion list is applied across all vShield App installations within the specified vShield Manager. The vShield Manager and service virtual machines are automatically excluded from vShield App protection. We should exclude the vCenter server and partner service virtual machines as well, to allow their traffic to flow freely.

Fig.10 vShield App fail-safe and exclusion list

vShield App Installation
Notes: If the vCenter Server or vCenter Server database virtual machines are on the ESX host on which we are installing vShield App, we need to migrate them to another host before installing vShield App. During the installation process, this warning is highlighted: "Do not install on a host or cluster where the VC or vShield Manager reside." Refer to the figure below.

Fig.11 vShield App Installation Process

Procedure:
1. Log in to the vSphere Client and select an ESX host from the inventory tree.
2. Click the vShield tab and then click Install for the vShield App service.
3. Under vShield App, provide the following information: Datastore, Management Port Group, IP Address, Netmask, and Default Gateway.
4. Click Install.

Example Of vShield App Firewall Blocking Rule
For example, to block a VM from using the SSH service, we set a firewall rule that blocks SSH traffic from that VM.

Fig.12 Set the firewall blocking rule

Test this by trying to open an SSH session from the VM: the attempt fails with an error.

Fig.13 SSH service is blocked

vShield App Flow Monitoring detects the blocked SSH flow.

Fig.14 Flow monitoring detects blocked traffic

Fig.15 Flow monitoring provides the details about the blocked traffic

vShield Edge
Provides network edge security and gateway services to isolate a virtualized network, or virtual machines in a port group, vDS port group, or Cisco Nexus 1000V port group. vShield Edge provides a stateful inspection firewall applied at the perimeter of the virtual data center.

vShield Edge Installation
1. Log in to the vSphere Client and select the Network Virtualization tab on the data center resource in the inventory tree.
2. Click Edges and then click Add to add the vShield Edge.
3. Type a name for the vShield Edge VM.
4. Set the CLI user name and password. You can also enable SSH access if required.
5. Add the Edge Appliance.
6. Add Interfaces (internal and uplink interfaces) and configure subnets.
7. Configure the default gateway.
8. Configure the default firewall policy.
9. Install the vShield Edge.

vShield Edge Gateway And Isolated Network Configuration
Once the vShield Edge has been installed, you can check its status.

Fig.16 vShield Edge status

To create the gateway service for the isolated network, configure the uplink and internal interfaces of the vShield Edge.

vShield Edge will act as the gateway between private and public networks.

Fig.17 vShield Edge connectivity diagram

Fig.18 vShield Edge interfaces: uplink and internal

You also need to configure SNAT (Source Network Address Translation) to give the isolated VMs (VMs residing on the isolated network) access to the external network (internet). The SNAT rule translates a private internal (isolated) IP address into a public IP address for outbound traffic. The translated (public) IP address must already have been added to the vShield Edge interface on which you add the rule.

Fig.19 vShield Edge source NAT configuration

To control the security of outbound traffic, configure the vShield Edge Firewall service.

Fig.20 vShield Edge firewall rule

vShield Edge has traffic monitoring tools that provide interface throughput statistics.

Fig.21 vShield Edgeinterface throughput statistics

vShield Endpoint
Offloads antivirus and antimalware agent processing to a dedicated secure virtual appliance delivered by VMware partners. vShield Endpoint is installed as a hypervisor module together with a security virtual appliance from a third-party antivirus vendor (a VMware partner) on an ESX host. Because vShield Endpoint works at the hypervisor level, it can scan guest virtual machines without an agent in every virtual machine.

vShield Endpoint Installation
Select the vShield tab at the ESXi host level in the vCenter inventory tree, and click Install.

Fig.22 vShield Endpoint installation

Testing Requirements:
1. After you have installed vShield Endpoint on the ESXi host, deploy and configure a security virtual machine (SVM) on each ESX host according to the instructions from the anti-virus solution provider.
2. Install the latest version of VMware Tools released for the version of ESX on all virtual machines to be protected. VMware Tools includes the vShield Thin Agent, which must be installed on each guest virtual machine to be protected. To include this vShield component with VMware Tools, select Interactive Tools Installation or Interactive Tools Upgrade. In the Setup Type wizard, select the Custom option and, from the VMware Device Drivers list, select VMCI Driver, then select vShield Driver.

Fig.23 vShield Endpoint on ESXi host

3. Use the Security Virtual Appliance management user interface to manage the SVM/SVA, e.g. download the latest antivirus signatures, set the scanning schedule, set the policy for handling viruses, and initiate the scanning process.

Fig.24 vShield Endpoint and 3rd party security virtual appliance: flow control

Fig.25 vShield Endpoint status and events log

vShield Data Security
Provides visibility into sensitive data stored within your organization's virtualized and cloud environments.

vShield Data Security Installation
1. Install vShield Endpoint on the ESXi host before installing vShield Data Security.
2. Log in to the vSphere Client and select the ESXi host from the inventory tree.
3. Select the vShield tab and click Install next to the vShield Data Security option.
4. Specify the datastore and management port group, and set the IP address, netmask and default gateway for the vShield Data Security appliance.
5. Click Install.

vShield Data Security Policy
To begin using vShield Data Security, create a policy that defines the regulations that apply to data security in your organization and specifies the areas of your environment and the files to be scanned. A regulation is composed of content blades, which identify the sensitive content to be detected. vShield supports PCI, PHI, and PII-related regulations only.

Fig.26 vShield data security with HIPAA regulation setting (based on the PHI/PII category)

vShield Data Security provides a report (e.g. number of violations and details).

Fig.27 vShield data security report

Testing
vCNS vShield Data Security can detect HIPAA regulation violations.

Fig.28 vCNS vShield data security scan completed report

Fig.29 vCNS vShield Data Security report detail

From the Scan History you can see that the vShield Data Security is also able to detect new data.

Fig.30 vCNS vShield Data Security scan history

Testing Requirements
1. Set the policy regulations and standards to detect: HIPAA (Health Insurance Portability and Accountability Act); HIPAA (Health Insurance Portability and Accountability Act) Low Threshold; PCI-DSS (Payment Card Industry Data Security Standard).
2. Define the Security Group to include in the scan (or use the default to scan the entire vCenter inventory).

Fig.31 Define the security group for the scan's participating areas

3. Define the files to scan, for example based on the modified date/time.

Fig.32 Define files to scan

4. Create and store test data containing privacy information on the test system.

Example of data for HIPAA test
============

Medical Record Number: PHI-123-900
Account Number: SUP-456-876
SSN: 098765
Date of Birth: 01/01/1980
E-mail Address: [email protected]
Date of Admission: 01/12/2000
Date of Discharge: 01/08/2001
Test Result: Positive
Patient Name: Super Duper Yummy
Patient ID: A-345-678
Physician Name: Dr. Very GOOD
Health: Injured
Virus: Influenza
Blood: A+
U.S. Address: 10240 Sorrento Valley Rd San Diego, California 92121

Medical Record Number: PHI-123-901
Account Number: SUP-456-877
SSN: 098766
Date of Birth: 01/01/1981
E-mail Address: [email protected]
Date of Admission: 01/12/2000
Date of Discharge: 01/08/2001
Test Result: Positive
Patient Name: Peter Pan
Patient ID: A-345-679
Physician Name: Dr. Very GOOD
Health: Accident
Virus: Chicken Pox
Blood: B+

Medical Record Number: PHI-123-902
Account Number: SUP-456-878
SSN: 098767
Date of Birth: 01/01/1982
E-mail Address: [email protected]
Date of Admission: 01/12/2004
Date of Discharge: 01/08/2005
Test Result: Negative
Patient Name: Mickye Mouse
Patient ID: A-345-680
Physician Name: Dr. Very GOOD
Health: Negative
Virus: Super Virus
Blood: O
=============

Example for PCI test
===============
Credit Card Number Patients

1. Name: SuperDuper, Account: 65758 Master Card, Credit Card Number: 5111-1111-1111-1118, Expiration Date: 07/07/2015
2. Name: Looney Tunes, Account: 768690 American Express, Credit Card Number: 3111-1111-1111-1117, Expiration Date: 07/08/2015
3. Name: Scooby Doo, Account: 998690 VISA, Credit Card Number: 4111-1111-1111-1111, Expiration Date: 07/08/2015
================

5. Initiate the scan: click the Start button. The vShield Data Security virtual appliance communicates with the objects in the defined Security Group through vShield Endpoint and the VMware Tools vShield driver.
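The regulations a vShield Data Security policy applies are built from content blades that recognise sensitive content. The following added example (not vShield code) shows the kind of detection such blades perform, run over the constructed HIPAA and PCI test records above: card numbers are matched by pattern and then validated with the Luhn check, SSNs by the nine-digit dashed format, and PHI by counting distinct clinical identifiers against two thresholds that stand in for the "HIPAA" and "HIPAA Low Threshold" regulations named in step 1. The patterns, keyword list and thresholds are assumptions, not vShield's actual blades. It is worth noticing what this test data does and does not trigger: the sample SSNs are six digits, so an SSN pattern never fires on them, and the third card number (3111-1111-1111-1117) fails the Luhn check, so a detector that validates card numbers reports only the first two.

```python
"""Content-blade style detection over the HIPAA/PCI test records.
Added example for this guide, not vShield Data Security code; patterns,
PHI keyword list and thresholds are assumptions. Sample text is constructed
from the page's own test data."""
import re

SAMPLE_HIPAA = """\
Medical Record Number: PHI-123-900
Account Number: SUP-456-876
SSN: 098765
Date of Birth: 01/01/1980
Date of Admission: 01/12/2000
Date of Discharge: 01/08/2001
Test Result: Positive
Patient Name: Super Duper Yummy
Patient ID: A-345-678
Physician Name: Dr. Very GOOD
Virus: Influenza
Blood: A+
"""

SAMPLE_PCI = """\
1. Name: SuperDuper, Account: 65758 Master Card, Credit Card Number: 5111-1111-1111-1118, Expiration Date: 07/07/2015
2. Name: Looney Tunes, Account: 768690 American Express, Credit Card Number: 3111-1111-1111-1117, Expiration Date: 07/08/2015
3. Name: Scooby Doo, Account: 998690 VISA, Credit Card Number: 4111-1111-1111-1111, Expiration Date: 07/08/2015
"""

# 13 to 19 digits, optionally separated by spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in the dashed 3-2-4 form
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Assumed PHI field labels; one "hit" per distinct label present
PHI_TERMS = ("medical record number", "patient id", "patient name", "physician",
             "date of birth", "date of admission", "test result")


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text):
    """Split pattern matches into Luhn-valid card numbers and rejected candidates."""
    valid, rejected = [], []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        (valid if luhn_ok(digits) else rejected).append(m.group())
    return valid, rejected


def find_ssns(text):
    return SSN_RE.findall(text)


def phi_terms_present(text):
    low = text.lower()
    return [t for t in PHI_TERMS if t in low]


def classify(text, hipaa_threshold=3, low_threshold=1):
    """Regulations triggered by `text`. PCI-DSS needs a Luhn-valid card number;
    HIPAA needs `hipaa_threshold` distinct PHI labels, the low-threshold variant
    only `low_threshold` (both thresholds are assumptions)."""
    valid_cards, _ = find_cards(text)
    phi = phi_terms_present(text)
    hits = []
    if valid_cards:
        hits.append("PCI-DSS")
    if len(phi) >= hipaa_threshold:
        hits.append("HIPAA")
    if len(phi) >= low_threshold:
        hits.append("HIPAA Low Threshold")
    return hits


if __name__ == "__main__":
    print("HIPAA sample:", classify(SAMPLE_HIPAA), "SSNs:", find_ssns(SAMPLE_HIPAA))
    print("PCI sample:", classify(SAMPLE_PCI), "cards:", find_cards(SAMPLE_PCI))
```

The HIPAA record trips both HIPAA regulations (seven distinct PHI labels) but no SSN pattern; the PCI record trips only PCI-DSS, with two valid card numbers and one rejected by Luhn. When building test data for a scan, prefer values that satisfy the same validation the detector uses, otherwise a clean scan report may mean the data never qualified rather than that the scanner missed it.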

Fig.33 vShield Data Securityflow control

6. Once the scan is done, it stops by itself and you can view the Report.

BMC Server Automation
BMC Server Automation is part of the BMC BladeLogic Automation Suite. In terms of compliance, BMC Server Automation helps IT organizations achieve and maintain compliance by defining and applying configuration policies. When a server or application configuration deviates from policy, the necessary remediation instructions can be configured to be deployed on the server either automatically or manually.

BSA Architecture
A BMC Server Automation system has a three-tier architecture consisting of client, server, and middle tiers.

Client Tier
The Client Tier is the interface through which the user accesses the BMC Server Automation application. It includes:
- The BMC Server Automation console, a graphical user interface (GUI)
- A command line interface (BLCLI) that provides application programming interface (API) level access to the functionality available through the console
- Network Shell, for ad hoc administration of one or more servers. Network Shell is a network-scripting language that enables cross-platform access through a command line interface.
- A web interface to the BMC BladeLogic Decision Support for Server Automation server

Server Tier
This tier holds the servers managed by BMC Server Automation. For these servers to be managed, the RSCD agent must be deployed on them. The BMC Server Automation Application Server communicates with the RSCD agents and initiates all communication to perform ad hoc and scheduled tasks.

Middle Tier
In this tier the primary component is the Application Server, which controls communication between the BMC Server Automation console (Client Tier) and the remote servers (Server Tier). It also controls interaction with the database and file servers.

Fig.34 BMC Server Automation three-tier architecture

Installation

BSA Database Server
1. For the BSA Database Server, install MS SQL Server 2008 R2.
2. Create a database for BSA, create a user login for BSA, and configure user mapping to give the db_owner database role to the BSA user.
3. Run the BSA external script to load the database schema.

BSA File Server Agent
1. Run the RSCD (Remote System Call Daemon) agent installer.
2. You can edit the agent security export file with this option: * rw,user=Administrator. This maps all inbound connections to the Administrator user.

BSA Application Server
1. Run the BSA Application Server installer.
2. Set the password.
3. Configure the BSA Application Server: set the database connection (database type, database server, database name, user ID, password).
4. Define the BSA File Server and the file server storage location.
5. Set the password for the RBACAdmin and BLAdmin users.

BSA GUI Console
1. Run the BSA Console installer.
2. Install it together with the Network Shell client utility.
3. Run the BSA Console and create the default profile; define the Application Server and the authentication method (e.g. Secure Remote Password).
4. Log in to the Console with that profile and user password (BLAdmin user).
5. Run blcontent from the Network Shell console to load some BSA initial samples and configurations.

BSA Compliance Module
1. Run the Compliance Content installer.
2. With the Custom Setup, you can select which Compliance Content Templates you want to install (e.g., HIPAA, PCI, SOX).

Fig.35 BMC Server Automation compliance templates: HIPAA

Testing Requirement

For testing, we installed and configured all mid-tier components on one host, and installed the BSA console on the same host. The following components were installed on a Windows 2008 R2 VM:
- BSA Database Server
- BSA File Server Agent
- BSA Application Server
- BSA Console
- BSA Compliance Module
Also configure another server to be managed by BSA: install the RSCD Agent on this server.

Setting Discovery Job
1. Create a template under the HIPAA folder to discover servers with Windows 2008 or 2008 R2 operating systems.
2. Define the rule for discovery.

Fig.36 Rule definition for discovery

3. Run the Discovery Job based on that template. Once it is done, check the discovery result.

Fig.37 BSA discovery result

Setting Policy-Based Compliance Audit

For this testing, we used the HIPAA template for the policy-based compliance audit.
1. Select the Compliance Template that you want to run (e.g. HIPAA). Create the Compliance Job.

Fig.38 BSA compliance job

2. Run the job and check the result.

Fig.39 BSA compliance result

3. You can export the result as a report (e.g. HTML format).

Fig.40 Compliance report exported into HTML format

BMC BladeLogic Decision Support For Server Automation

BMC BladeLogic Decision Support for Server Automation (BBDSSA) is a web-based application that uses IBM Cognos Business Intelligence and a central reports data warehouse (the database that stores the data used in reports). BBDSSA provides the ETL (Extract, Transform, and Load) tool that transfers and transforms data from the BSA databases and populates the reports data warehouse. The reporting web application reads data from the reports data warehouse, and an Apache web server delivers the reporting information to web browsers.

Installation
1. Install a Remote System Call Daemon (RSCD) agent (installed and licensed).
2. Install BMC Server Automation Network Shell version 8.1 or later.
3. Install the database (e.g. Microsoft SQL Server) and the MS SQL client software.
4. Create the following databases:
- BSARA_DW_DB
- BSARA_ETL_MASTER_DB
- BSARA_ETL_WORK_DB
- BSARA_PORTAL_DB
5. Create SQL Server users and configure each as database owner of its corresponding database:
- BSARA_DW
- BSARA_ETL_MASTER
- BSARA_ETL_WORK
- BSARA_PORTAL_DB
6. Create the data warehouse schema on SQL Server.
7. Run the BBDSSA installer.
8. Configure BBDSSA after installation.

Testing Requirement
For testing, go through the following steps:
1. Create and run a Discovery Job (e.g. to discover Windows servers).
2. Create and run a Snapshot Job.
3. Run ETL.
4. Verify the report.

Fig.41 Example of BBDSSA report (server configuration report)

BMC BladeLogic Atrium Integration

The BMC BladeLogic Atrium Integration enables you to share data about the endpoint computers in your BMC Server Automation system with the BMC Atrium CMDB. To transfer discovered data from the BMC Server Automation database to BMC Atrium CMDB, the discovered data is first transferred from the BMC Server Automation database to the BMC BladeLogic Decision Support for Server Automation database by using the extract, transform, and load (ETL) tool. The BladeLogic Atrium Integration then uses the AIE (Atrium Integration Engine) to do the following:
- Define data exchange and data mapping parameters
- Pull data from the BMC BladeLogic Decision Support for Server Automation database
- Insert the data into the BMC Atrium CMDB with the BMC BladeLogic Import Dataset

BSA Atrium Integration Diagram

Fig.42 BSA Atrium Integration

Installation

Prior to the BladeLogic Atrium Integration installation, you need to have the following components:
- BMC Server Automation Application Server
- BMC Server Automation Console on the computer where BMC BladeLogic Atrium Integration is to be installed
- BMC BladeLogic Decision Support for Server Automation
- BMC Remedy AR System
- BMC Atrium CMDB
- BMC Atrium Integration Engine

1. Run ETL first, before installing the BladeLogic Atrium Integration.
2. Run the installer.
3. After installation, run the procedure to add domain names to the servers in BSA.
4. Create indexes on the BMC_BaseElement form.
5. Activate the data exchanges in the BMC Atrium Integration Engine Data Exchange Console.
6. Enable the BMC BladeLogic Atrium Integration.

Testing Requirement
1. Run the BSA Discovery and Snapshot Jobs.
2. Run ETL.
3. Verify that the data has been transferred to Atrium CMDB.

Fig.43 Data transferred from BSA

Customizing Data Mapping Between BSA And CMDB

If needed, you can customize the data mappings on BMC Server Automation to control what is transferred. To configure this data mapping, select the Atrium Integration menu from the BSA console and choose the BL to Atrium Customization option.

Transferring Business Service Data From Atrium CMDB To BSA

Transferring data from BMC Atrium CMDB to the BMC Server Automation database pulls business service information from BMC Atrium CMDB and associates it with the corresponding servers in BMC Server Automation as a custom property.

Configuration And Testing
1. Configure Atrium Integration connectivity to the CMDB / AR System.
2. Configure the Atrium Import Job (e.g., the production dataset that will be used for the import job and the business service class name).

Fig.44 Atrium Import Job Configuration (CMDB data set name, business service class name)

Fig.45 Atrium Import Job Configuration (CI relationship, BladeLogic custom property)

3. Test by creating the Business Service in the CMDB and setting the relationship between the server and the Business Service.

Fig.46 Business Service in CMDB

4. Run the Atrium Import Job.
5. Verify that the Business Service field of the server in BSA is populated with the information from the CMDB.

Fig.47 Business Service property for the server

6. You can then create a Server Smart Group based on this Business Service classification.

Fig.48 BSA Server Smart Group based on Business Service

Denial Of Service

By default, ESXi imposes a form of resource reservation by applying a distribution algorithm that divides the available host resources equally among the virtual machines, while keeping a certain percentage of resources for use by other system components. This default behavior provides a degree of natural protection from DoS and distributed denial-of-service (DDoS) attacks. You can set specific resource reservations and limits on an individual basis to customize the default behavior so that the distribution is not equal across the virtual machine configuration.

DATA PROTECTION

ENCRYPTION

Encryption In Flight

Encryption At Rest

VULNERABILITY ASSESSMENT

Intrusion Detection

Deep Packet Inspection

Data Leak Prevention

Data Loss Prevention/Data Loss Protection

vCNS vShield Data Security

Logging And Auditing

EXPLOIT AND MALWARE PROTECTION

Virus Scanning

vCNS vShield Endpoint And VMware Partners AntiVirus And AntiMalware Software

Configuration And Patch Management

Integrated Solution

Converged Infrastructure needs to be managed as a whole system and not only by individual components. An example of an integrated solution for managing Vblock Converged Infrastructure:
1. SupernaNet.Connect
2. VCE Vision software
3. VMware vCenter
4. BMC CMDB

SupernaNet.Connect

The SupernaNet.Connect CMDB connector for BMC leverages VCE Vision software and VMware vCenter to provide a single integration point for automating CMDB CI discovery, along with logical-to-physical topology, with fully automated CI relationships created in the CMDB.

Fig.49 SupernaNet.Connect dashboard

The connector discovers Vblock Systems components, relationships, and physical topology, and creates the CI objects that represent the Vblock Systems in the CMDB. In addition to physical CI discovery and synchronization, the connector retrieves virtual machine, ESX host, and datastore objects from vCenter and maps the logical resources to the physical ones by creating CI objects and relationships dynamically.

VCE Vision Software

VCE Vision software enables and simplifies converged operations. The software acts as a mediation layer between the Vblock Systems and data center management tools, dynamically informing those tools about the Vblock Systems.

Fig.50 VCE Vision Software discovers Vblock Systems converged infrastructure details

VMware vCenter

VMware vCenter Server provides a centralized platform for managing your VMware vSphere environments.

Fig.51 vSphere web client accessing vCenter

BMC CMDB

BMC Atrium CMDB is a configuration management database system to manage data from across IT and create a more efficient IT infrastructure.

Fig.52 BMC Atrium Core Console: list of CIs in the CMDB data set

Fig.53 BMC Atrium Explorer shows relationships between CIs

Fig.54 BMC ITSM asset management

Manual Tagging For Compliant CIs

vCenter Inventory Tagging

In vSphere 5.1 and 5.5 there is a new feature called tags that further enhances the search capabilities. Tags let you create custom labels and/or metadata and apply them to any object in the vCenter inventory. These tags are fully searchable, so you can run granular searches on the attached labels and metadata to reduce the time needed to retrieve information. You can also use this tagging feature to tag the objects that are part of a compliant configuration. For example, in the following figure we set the HIPAA tag on a VM that is part of the HIPAA-compliant setup.

Fig.55 vCenter Inventory Tagging

With this vCenter Inventory Tagging, you can quickly search for any vCenter objects that carry a specific tag (e.g. the HIPAA tag).

Fig.56 vCenter Search Object based on tagging

BMC CMDB Tagging

In BMC CMDB you can set additional tags on configuration items so that these CIs can be searched based on their tags. For example, you can use the CITag attribute of the CI to specify that it is HIPAA compliant.

Fig.57 BMC CMDB tagging

Automatic Tagging For Compliant CIs

SupernaNet.Connect Mapping File

You can set the BMCMapping.xml file on SupernaNet.Connect to map the compliance info to a BMC CMDB attribute. For example, set the BMCMapping.xml file to map HIPAA to the CITag CMDB attribute. In the BMCMapping.xml file, add the following configuration:

After you have updated the BMCMapping.xml file, you also need to generate the new version info and update the BMCConfig.xml file with the newly generated version info. For example:

Then, run the SupernaNet.Connect synchronization to sync the update to the CMDB. Your CMDB is now populated with the CITag info.

Fig.58 CMDB with CITag info

Fig.59 CI Property with CITag info

Monitoring

In order to monitor in-scope devices and to find alarms and events related to potential noncompliance, security, or authorization issues on Vblock Systems, the CA Nimsoft Monitor product combined with the SupernaNET.Converge Probe for Nimsoft (with compliance enhancements) lets you select in-scope objects for monitoring and highlights on the probe's UMP Dashboard any VM or Vblock Systems component that has raised an alarm.

The screen shot below shows how the probe simplifies the monitoring function for compliance.

IDENTITY AND ACCESS MANAGEMENT

The authentication system divides the application OS and the infrastructure into two separate, unrelated user domains for AAA. This ensures that a compromise of the management domain does not translate into a compromise of the application management domain.

LoginTC two-factor authentication will be used to secure the following login access:
1. Infrastructure Domain
   a. vCenter SSO OpenLDAP
      i. Add a vCenter Single Sign On Identity Source
      ii. Active Directory LDAP Server and OpenLDAP Server Identity Source Settings
2. Application Domain

LoginTC For OpenVPN

The LoginTC Radius Connector enables OpenVPN to use LoginTC for two-factor authentication. Diagram for the basic infrastructure of the LoginTC Radius flow: (Ref: LoginTC web site)

Components for this solution:

LoginTC Cloud Domain

You need to create a Radius domain for the Radius Connector configuration. To create this domain, log in to the LoginTC Cloud admin (https://cloud.logintc.com/panel/login) as the administrator user. For this login, you need the token from the LoginTC app. Once you have logged in to the LoginTC Cloud admin web console panel, you can create a domain for the Radius Connector:

Each LoginTC Cloud has a unique API key and each domain has a unique Domain ID. You need this key and ID for the connector configuration. The API key is found on the LoginTC Cloud Settings page. The Domain ID is found on the domain settings page.

Fig.60 API Key

Fig.61 Domain ID

LoginTC Radius Connector

The LoginTC Radius Connector is a virtual appliance that can be deployed on an ESXi host (or VirtualBox). This virtual appliance requires 1 GB RAM and 8 GB of disk space. First, log in via the virtual console to configure the network settings. Then you can log in via ssh for further configuration.

Connector Configuration

You need to create a configuration file (/opt/logintc/conf/client.cfg):

[logintc]
api_key=ZPjeNQ6mzfqR6okzLb55zVu5dVn1stPDdLmyKQ1nKPrqQRlwoBcPtSyw23AumXFx
#domain_id=a7641569669c5322db4d64e2fb4e79ef2fbfe2b0
domain_id=06902ff4b82d99c75484ebae71e2236f54f0b494

[ldap]
host=sup-pcidc-01.pci.superna.net
bind_dn=cn=LoginTC1,cn=Users,dc=pci,dc=superna,dc=net
bind_password=GoSuperna!
base_dn=dc=pci,dc=superna,dc=net
attr_username=sAMAccountName
attr_name=displayName
attr_email=mail
filter=(objectClass=person)

[client]
name=OpenVpn
ip=172.16.84.20
secret=bigsecret
authentication=ldap,logintc

OpenVPN

Install the OpenVPN Radius Plugin on the OpenVPN server. Configure OpenVPN (server.conf file):

local 172.16.84.20
port 1194
proto udp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
# plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
push "redirect-gateway def1"
server 10.0.10.0 255.255.255.0
push "dhcp-option DNS 172.16.84.12"
ifconfig-pool-persist ipp.txt
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 5
management localhost 7505
reneg-sec 0

Configure the Radius Plugin (radiusplugin.cnf):

# The NAS identifier, which is sent to the RADIUS server
NAS-Identifier=OpenVpn

# The service type, which is sent to the RADIUS server
Service-Type=5

# The framed protocol, which is sent to the RADIUS server
Framed-Protocol=1

# The NAS port type, which is sent to the RADIUS server
NAS-Port-Type=5

# The NAS IP address, which is sent to the RADIUS server
NAS-IP-Address=172.16.84.20

# Path to the OpenVPN configuration file. The plugin searches for:
# client-config-dir PATH (searches for the path)
# status FILE (searches for the file, version must be 1)
# client-cert-not-required (if the option is used or not)
# username-as-common-name (if the option is used or not)
OpenVPNConfig=/etc/openvpn/server.conf

# Support for topology option in OpenVPN 2.1
# If you don't specify anything, option "net30" (default in OpenVPN) is used.
# You can only use one of the options at the same time.
# If you use topology option "subnet", fill in the right netmask, e.g. from OpenVPN option "--server NETWORK NETMASK"
subnet=255.255.255.0
# If you use topology option "p2p", fill in the right network, e.g. from OpenVPN option "--server NETWORK NETMASK"
# p2p=10.8.0.1

# Allows the plugin to overwrite the client configuration in client configuration file directory
# default is true
overwriteccfiles=true

# Allows the plugin to use authorization control files if OpenVPN (>= 2.1 rc8) provides them
# default is false
# useauthcontrolfile=false

# Only the accounting functionality is used. If no user name is forwarded to the plugin, the common name of certificate is used
# as user name for radius accounting
# default is false
# accountingonly=false

# If the accounting is nonessential, nonfatal accounting can be set to true.
# If set to true, all errors during the accounting procedure are ignored, which can be:
# - radius accounting can fail
# - FramedRouted (if configured) may not be configured correctly
# - errors during vendor specific attributes script execution are ignored
# But if set to true, the performance is increased because OpenVPN does not block during the accounting procedure.
# default is false
nonfatalaccounting=false

# Path to a script for vendor specific attributes
# Leave it out if you don't use an own script
# vsascript=/root/workspace/radiusplugin_v2.0.5_beta/vsascript.pl

# Path to the pipe for communication with the vsa script.
# Leave it out if you don't use an own script
# vsanamedpipe=/tmp/vsapipe

# A radius server definition (there could be more than one).
# The priority of the server depends on the order in this file. The first one has the highest priority.
server
{
	# The UDP port for radius accounting.
	acctport=1813
	# The UDP port for radius authentication.
	authport=1812
	# The name or ip address of the radius server (here the LoginTC Radius Connector).
	name=172.16.84.17
	# How many times should the plugin send the request if there is no response?
	retry=1
	# How long should the plugin wait for a response?
	wait=60
	# The shared secret. It must match the "secret" of the [client] entry in the connector's client.cfg.
	sharedsecret=bigsecret
}

#server
#{
#	# The UDP port for radius accounting
#	acctport=1813
#	# The UDP port for radius authentication
#	authport=1812
#	# The name or ip address of the radius server
#	name=127.0.0.1
#	# How many times should the plugin send the request if there is no response?
#	retry=1
#	# How long should the plugin wait for a response?
#	wait=1
#	# the shared secret.
#	sharedsecret=testpw
#}

LDAP

Create an LDAP (Active Directory) user for the LoginTC Radius Connector. Provide this user's information in the LoginTC Radius Connector's client.cfg file. Set LDAP as the first authentication factor and LoginTC as the second.

User

For this two-factor authentication with LDAP/Active Directory and LoginTC, create a user in both Active Directory and the LoginTC Radius domain.
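The connector's client.cfg and the OpenVPN radiusplugin.cnf configured above have to agree on several values (RADIUS shared secret, the OpenVPN server address, and the factor order LDAP first, LoginTC second described in this section); a mismatch usually shows up as every VPN login failing or the second factor never being prompted. The following added example (not from the guide, LoginTC or the OpenVPN plugin) parses constructed copies of both files with placeholder secrets and reports the mismatches, so it can be run as a check before the appliance goes into service.

```python
"""
Added example, not from the guide: consistency check between the LoginTC Radius
Connector client.cfg and the OpenVPN radiusplugin.cnf. Sample file contents are
constructed with placeholder values in the layout the guide shows.
"""
import configparser
from typing import Dict, List

# Constructed client.cfg (placeholders; same sections and keys as in the guide).
CLIENT_CFG = """\
[logintc]
api_key=EXAMPLE_API_KEY
domain_id=EXAMPLE_DOMAIN_ID

[ldap]
host=ldap.example.internal
bind_dn=cn=LoginTC1,cn=Users,dc=example,dc=internal
bind_password=EXAMPLE_BIND_PASSWORD
base_dn=dc=example,dc=internal
attr_username=sAMAccountName
filter=(objectClass=person)

[client]
name=OpenVpn
ip=172.16.84.20
secret=bigsecret
authentication=ldap,logintc
"""

# Constructed radiusplugin.cnf: key=value lines plus one server{...} block.
RADIUSPLUGIN_CNF = """\
# NAS attributes sent to the RADIUS server
NAS-Identifier=OpenVpn
NAS-IP-Address=172.16.84.20
OpenVPNConfig=/etc/openvpn/server.conf
server
{
    acctport=1813
    authport=1812
    name=172.16.84.17
    retry=1
    wait=60
    sharedsecret=bigsecret
}
"""


def parse_radiusplugin(text: str) -> Dict[str, str]:
    """Flatten radiusplugin.cnf into key/value pairs; keys inside server{} get a 'server.' prefix."""
    values: Dict[str, str] = {}
    prefix = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "server":        # start of a server block
            prefix = "server."
            continue
        if line == "{":
            continue
        if line == "}":             # end of the server block
            prefix = ""
            continue
        key, _, val = line.partition("=")
        values[prefix + key.strip()] = val.strip()
    return values


def check_two_factor(client_cfg: str, radiusplugin_cnf: str) -> List[str]:
    """Return the list of problems found; an empty list means both sides agree."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(client_cfg)
    rp = parse_radiusplugin(radiusplugin_cnf)
    problems: List[str] = []
    # 1. The RADIUS shared secret must be identical on both ends.
    if cp["client"]["secret"] != rp.get("server.sharedsecret"):
        problems.append("shared secret differs between client.cfg and radiusplugin.cnf")
    # 2. Both files name the OpenVPN server: the connector's [client] ip and the
    #    NAS-IP-Address the plugin sends (the guide uses 172.16.84.20 for both).
    if cp["client"]["ip"] != rp.get("NAS-IP-Address"):
        problems.append("client ip in client.cfg does not match NAS-IP-Address in radiusplugin.cnf")
    # 3. LDAP is the first factor and LoginTC the second, in that order.
    if cp["client"]["authentication"].replace(" ", "") != "ldap,logintc":
        problems.append("authentication must be 'ldap,logintc' (LDAP first, LoginTC second)")
    # 4. Standard RADIUS authentication port; a typo here looks like a silent timeout.
    if rp.get("server.authport") != "1812":
        problems.append("server authport in radiusplugin.cnf should be 1812")
    return problems


if __name__ == "__main__":
    issues = check_two_factor(CLIENT_CFG, RADIUSPLUGIN_CNF)
    print("OK" if not issues else "\n".join(issues))
```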

Data Protection

Backup/Restore/Replication

Configuration And Patch Management

This section captures how to automate the tasks related to building a repeatable infrastructure as simply as possible, to remove manual steps.

Auto Deploy Installation, VMware vSphere 5.1

User name: administrator Password: GoSuperna!

Install the SolarWinds TFTP Server (172.16.70.156).
Go to vSphere Client -> Auto Deploy -> Download TFTP Boot Zip.

Save the TFTP Boot Zip and extract it to the TFTP Server folder (\\DMANNING-02\TFTP-Root).
Turn off the Windows firewall.
Start the TFTP Server.

Add Scope Options on the DHCP Server (172.16.70.30):
066: 172.16.70.156
067: undionly.kpxe.vmw-hardwired

Run PowerShell as administrator to change the execution policy

vSphere PowerCLI should be installed. Run PowerCLI on 172.16.70.156.
Run the command to connect to the vCenter Server: Connect-VIServer -Server 172.16.70.25

Download the ESXi 5.1 Offline Bundle .zip file: https://my.vmware.com/web/vmware/details?downloadGroup=VCL-VSP510-ESXI-510-EN&productId=285
Temp storage container (\\172.16.70.29): Z:\VCE\vmware\VMware-ESXi-5.1.0-799733-depot.zip

NEXT STEPS:
1. Add the path to the ESXi 5.1 depot in PowerCLI: Add-EsxSoftwareDepot C:\vsphere5.1\ESXi\VMware-ESXi-5.1.0-799733-depot.zip
2. Get-EsxImageProfile
3. Use the Standard image profile.
4. New-DeployRule -Name "FirstBoot" -Item "ESXiStatelessImage" -AllHosts
5. Add-DeployRule -DeployRule "FirstBoot"
Or:
6. New-DeployRule -Name FirstTimeBoot -Item ESXi-5.0.0-469512-standard -Pattern "model=VMware Virtual Platform"
7. Add-DeployRule -DeployRule FirstTimeBoot
8. And so on

Compliance

HIPAA § 164.306 Security standards: General rules

(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information that the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this section.
(4) Ensure compliance with this subpart by its workforce.
(b) Flexibility of approach.
(1) Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
(2) When deciding which security measures to use, a covered entity must take into account the following factors:
(i) The size, complexity, and capabilities of the covered entity.
(ii) The covered entity's technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to electronic protected health information.
(c) Standards. A covered entity must comply with the standards as provided in this section and in 164.308, 164.310, 164.312, 164.314, and 164.316 with respect to all electronic protected health information.
(d) Implementation specifications. In this subpart:
(1) Implementation specifications are required or addressable. If an implementation specification is required, the word "Required" appears in parentheses after the title of the implementation specification. If an implementation specification is addressable, the word "Addressable" appears in parentheses after the title of the implementation specification.
(2) When a standard adopted in 164.308, 164.310, 164.312, 164.314, or 164.316 includes required implementation specifications, a covered entity must implement the implementation specifications.
(3) When a standard adopted in 164.308, 164.310, 164.312, 164.314, or 164.316 includes addressable implementation specifications, a covered entity must:
(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information.
(ii) As applicable to the entity:
(A) Implement the implementation specification if reasonable and appropriate; or
(B) If implementing the implementation specification is not reasonable and appropriate:
(1) Document why it would not be reasonable and appropriate to implement the implementation specification.
(2) Implement an equivalent alternative measure if reasonable and appropriate.
(e) Maintenance. Security measures implemented to comply with standards and implementation specifications adopted under 164.105 and this subpart must be reviewed and modified as needed to continue provision of reasonable and appropriate protection of electronic protected health information as described at 164.316.

§ 164.308 Administrative Safeguards

Security Management Process (§ 164.308(a)(1))

HIPAA Standard: Implement policies and procedures to prevent, detect, contain, and correct security violations.

Key Activities: Conduct Risk Assessment
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI held by the covered entity.

Technical Implementations:
1. vCNS vShield Data Security
vShield Data Security provides visibility into sensitive data stored within our organization's virtualized and cloud environments. Based on the violations reported by vShield Data Security, we can ensure that sensitive data is adequately protected and compliant with regulations around the world.

Fig.62 vShield Data Security discovers that files contain ePHI

2. BMC Server Automation Compliance Module
In BSA, a component is a collection of configuration settings that encapsulates a business or infrastructure service, application, or security policy. Components can simplify many data center management tasks because a component provides a higher level of abstraction than the servers and server objects that make up the component. A component template is used to define a component: it establishes rules and provides the necessary information for the component, and the template is then associated with a server. You can include Compliance Rules in the component template, e.g. the HIPAA security policy. With this compliance template you can run a compliance audit to assess the security risk of the component, for example whether it fails to comply with the HIPAA security policy. The following figure gives an example of how BSA detects noncompliance.

Fig.63 Noncompliance detected

Key Activities: Develop And Deploy The Information System Activity Review Process (Implementation Specification (Required))
Description: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Technical Implementations:
a. The BMC CMDB connector tracks in-scope devices and VMs, extracts VMware vCenter and VCE Vision software logs for the in-scope devices, and stores them in a database at a regular interval.
b. ESXi Remote Syslog/Logging
Log files are an important component of troubleshooting attacks and obtaining information about breaches of host security. Remote logging to a central log host provides a secure, centralized store for ESXi logs. To facilitate this you can use the vSphere Syslog Collector tool. By gathering host log files onto a central host you can more easily monitor all hosts with a single tool. For security reasons, you can aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server also helps prevent log tampering and provides a long-term audit record.

Technical Implementations:
1. Install monitoring software for the in-scope IT devices that process or handle compliance data applications, using a monitoring tool that can show the alarms and events from in-scope or flagged devices.
2. CA Nimsoft plus the SupernaNET.Converge probe can selectively track VM, compute, storage, and network data within a portal, filtering alarms and events to only the devices selected as in scope for HIPAA compliance, within the UMP Dashboard portal.

Key Activities: Develop Appropriate Standard Operating Procedures
Description: Determine the types of audit trail data and monitoring procedures that will be needed to derive exception reports.

Technical Implementations:
1. Security logs from VCE Vision software and VMware vCenter; a CMDB attribute tracks the last log sync.
2. Implement the Syslog Server to centralize the logs from the vCNS vShield App. For example, it detects when disallowed traffic is being blocked by a vShield App Firewall rule. Refer to the following figure: 1006-DROP refers to vShield App Firewall Rule ID 1006 blocking the traffic.

Fig.64 Syslog captured firewall-blocked traffic

With vShield App Flow Monitoring, you can get details and statistics about blocked traffic.

Fig.65 vShield App Flow Monitoring: Blocked Flows status

Information Access Management (§ 164.308(a)(4))

HIPAA Standard: Implement policies and procedures to authorize access to electronic protected health information that are consistent with the applicable requirements of subpart E of the Privacy Rule.

Key Activities: Implement Policies And Procedures To Authorize Access

Technical Implementation:
1. vCNS vShield Edge provides a stateful inspection firewall that is applied at the perimeter of the virtual data center. With vShield Edge you can configure an isolated/internal network for the application that needs to be protected and use the vShield Edge Firewall service to control access.
2. vCNS vShield App Firewall provides access control to the data and services within the vSphere virtual data center. We can set firewall rules to protect EPHI resources from unauthorized access. vCNS vShield App provides a firewall service that is applied at the virtual network interface card (vNIC) level, directly in front of specific workloads (VMs).
3. ESXi Host Internal Firewall. This is a firewall between the ESXi host's management interface and the network, which gives ESXi access control. You need to configure this ESXi host firewall to restrict access to the services running on the host.

Security Awareness And Training (§ 164.308(a)(5))

HIPAA Standard: Implement a security awareness and training program for all members of its workforce (including management).

Implementation Specification: Protection From Malicious Software

Technical Implementation:
1. vCNS vShield Endpoint together with a partner Secure Virtual Appliance (antivirus). vShield Endpoint offloads antivirus and antimalware agent processing to a dedicated secure virtual appliance delivered by VMware partners. vShield Endpoint plugs directly into vSphere and consists of three components:
- Hardened secure virtual appliances, delivered by VMware partners
- A thin agent for virtual machines to offload security events (included in VMware Tools)
- The VMware Endpoint ESX hypervisor module, which enables communication between the first two components at the hypervisor layer

Fig.66 vShield Endpoint status and events log

Because the secure virtual appliance, unlike a guest virtual machine, doesn't go offline, it can continuously update antivirus signatures, giving uninterrupted protection to the virtual machines on the host. Also, new virtual machines (or existing virtual machines that went offline) are immediately protected with the most current antivirus signatures when they come online.

§ 164.310 Physical Safeguards

Device And Media Controls (§ 164.310(d)(1))

HIPAA Standard: Implement policies and procedures governing the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

Key Activities: Implement Methods For Final Disposal Of EPHI
Implement policies and procedures to address the final disposition of EPHI and/or the hardware or electronic media on which it is stored.
Technical Implementations:
1. vCNS vShield Data Security
Maintain a current inventory of EPHI on the network by running discovery scans with vShield Data Security. IT change management can update their data disposal processes to include the review of discovery reports, so that the systems known to store EPHI data can be properly handled.

Key Activities: Develop And Implement Procedures For Reuse Of Electronic Media
Implement procedures for the removal of EPHI from electronic media before the media are made available for reuse.
Technical Implementations:
1. vCNS vShield Data Security
Maintain a current inventory of EPHI on the network by running discovery scans with vShield Data Security. IT change management can update their processes for handling the reuse of electronic media to include the review of discovery reports, so that the systems known to store EPHI data can be properly handled.

164.312 Technical Safeguards

Access Control (§ 164.312(a)(1))

HIPAA Standard: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).

Key Activities: Analyze Workloads And Operations To Identify The Access Needs Of All Users
Technical Implementations:
1. vCNS vShield Data Security. Perform regular discovery scans for EPHI across the data center with vShield Data Security to determine where access controls must be in place.
2. LoginTC Two-Factor Authentication protects access control for all users, whether access is local or remote. LoginTC provides the entry point of access control to systems and business applications that contain EPHI. Users must be provisioned and authorized to obtain a LoginTC credential by their LoginTC administrator, and the organization's identity proofing process must define the procedure a LoginTC administrator follows before provisioning a credential. Applications and systems containing EPHI can be enabled with a custom LoginTC connector to require two-factor authentication.

Key Activities: Identify Technical Access Control Capabilities
Technical Implementations:

1. LoginTC can protect any system that requires authentication, including VPNs, web portals, and cloud applications; with the LoginTC REST API, it can add two-factor authentication to virtually any system or application that hosts EPHI. LoginTC uses the user repositories already installed in the client's infrastructure (MS Active Directory, LDAP or SQL-based systems), synchronizing and updating users from their authoritative source(s).

Fig.67 LoginTC conceptual overview

Key Activities: Ensure That All System Users Have Been Assigned A Unique Identifier

Technical Implementations:
1. LoginTC assigns each user both a unique USERNAME and a unique numeric USER ID. The LoginTC administrator chooses the user's USERNAME and, optionally, the user's EMAIL, typically the same username and email stored in the LDAP or MS AD repository. The USER ID is randomly generated by the LoginTC system: a 160-bit value (40 hexadecimal characters) that uniquely identifies a LoginTC user. LoginTC transaction logs capture every access to LoginTC-protected systems and can trace a specific user by USERNAME and/or USER ID.

Key Activities: Implement Access Control Procedures Using Selected Hardware and Software

Description: Implement the policy and procedures using existing or additional hardware/software solution(s).
Technical Implementations:
1. Two-factor authentication, e.g. OpenVPN integrated with Active Directory and LoginTC Cloud. The user must supply an Active Directory password (first factor) and approve the login on a LoginTC credential held on a mobile device, which is unlocked with a PIN (second factor).
LoginTC Admin is a web-based control panel for LoginTC administrators that provides:

- Credential lifecycle management
- Domain (system/application) lifecycle management
- Provisioning, reports, auditing
- REST API services
- Delivery: on-premise VM or cloud service

Designated LoginTC administrators receive a 2-day LoginTC Admin training course that covers LoginTC access control management, planning, configuration, integration, and troubleshooting. LoginTC also provides extensive online documentation and how-to guides for planning, integrating, configuring, and deploying all required LoginTC components.

Fig.68 LoginTC admin panel: domain management

2. ESXi Lockdown Mode
Enabling lockdown mode disables direct access to an ESXi host and requires that the host be managed remotely through vCenter Server. This ensures that the roles and access controls implemented in vCenter are always enforced and that users cannot bypass them by logging in to a host directly. By forcing all interaction to occur through vCenter Server, the risk of someone inadvertently gaining elevated privileges or performing tasks that are not properly audited is greatly reduced.
Note: Lockdown mode does not apply to users who log in using authorized keys. When an authorized key file is used for root authentication, root is not prevented from accessing the host over SSH even when the host is in lockdown mode, so the host's authorized keys must be reviewed as part of this control. Users listed in the DCUI.Access list for each host are allowed to override lockdown mode and log in to the DCUI; by default "root" is the only user in the DCUI.Access list.

3. ESXi Set DCUI (Direct Console UI) Access
Set DCUI.Access so that only trusted users can override lockdown mode. Lockdown disables direct host access and requires administrators to manage hosts from vCenter; if a host becomes isolated from vCenter, an administrator who is not on the list is locked out and cannot manage the host. To avoid being locked out of an ESXi host running in lockdown mode, set DCUI.Access to a short list of highly trusted users who are allowed to override lockdown mode and access the DCUI, and treat that list as a privileged-access record that is reviewed like any other.

4. ESXi Disable MOB (Managed Object Browser)
The managed object browser (MOB) is a web interface for exploring the object model used by the VMkernel to manage the host, and it allows configuration to be changed as well. It is meant primarily for debugging the vSphere SDK, but it also gives anyone who can reach and authenticate to the host a convenient way to enumerate its configuration and to change it outside the normal client and audit path, so it should be disabled on production hosts. The MOB cannot be disabled while the host is in lockdown mode, so disable the MOB first and then put the host into lockdown mode.
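The three ESXi controls above are one procedure with a fixed order (MOB off first, then DCUI.Access, then lockdown). The following script is an added example, not code from the original guide or from VMware, that applies them with VMware PowerCLI against vCenter and prints a per-host verification table for the audit file. The vCenter name, cluster name and trusted-user list are placeholders. It assumes ESXi 6.0 or later, where the MOB is controlled by the advanced option Config.HostAgent.plugins.solo.enableMob; on ESXi 5.x the same switch is the enableMob element in /etc/vmware/hostd/config.xml and needs shell access to the host, which is the reason the text requires the MOB to be disabled before lockdown.

```powershell
# Added example, not from the original guide or from VMware: apply the three
# ESXi controls (MOB off, DCUI.Access, lockdown) in the required order with
# VMware PowerCLI and print a verification table.
# Assumptions: PowerCLI can reach vCenter; names below are placeholders; the
# MOB advanced option exists on ESXi 6.0+ (5.x uses hostd config.xml instead).
param(
    [string]  $VCenter          = 'vcenter.lab.example',   # placeholder
    [string]  $Cluster          = 'HIPAA-Lab',             # placeholder
    [string[]]$TrustedDcuiUsers = @('root', 'esxadmin')    # placeholder list
)

# Lockdown state is exposed differently across versions: ESXi 6.0+ reports
# Config.LockdownMode (lockdownDisabled/lockdownNormal/lockdownStrict),
# ESXi 5.x reports Config.AdminDisabled ($true when locked down).
function Get-LockdownState {
    param($VMHost)
    $VMHost.ExtensionData.UpdateViewData('Config')
    $cfg = $VMHost.ExtensionData.Config
    if ($cfg.LockdownMode) { return [string]$cfg.LockdownMode }
    if ($cfg.AdminDisabled) { return 'lockdownNormal' } else { return 'lockdownDisabled' }
}

Connect-VIServer -Server $VCenter | Out-Null

foreach ($vmhost in (Get-Cluster -Name $Cluster | Get-VMHost)) {

    # 1. Disable the Managed Object Browser BEFORE lockdown: the MOB cannot be
    #    disabled once the host is locked down.
    Get-AdvancedSetting -Entity $vmhost -Name 'Config.HostAgent.plugins.solo.enableMob' |
        Set-AdvancedSetting -Value $false -Confirm:$false | Out-Null

    # 2. DCUI.Access: the short list of accounts allowed to override lockdown at
    #    the console if the host loses contact with vCenter. Keep it minimal.
    Get-AdvancedSetting -Entity $vmhost -Name 'DCUI.Access' |
        Set-AdvancedSetting -Value ($TrustedDcuiUsers -join ',') -Confirm:$false | Out-Null

    # 3. Enter lockdown mode last. EnterLockdownMode() is the API call behind the
    #    "Lockdown Mode" checkbox in the client (normal lockdown on 6.0+).
    if ((Get-LockdownState $vmhost) -eq 'lockdownDisabled') {
        $vmhost.ExtensionData.EnterLockdownMode()
    }
}

# Verification: a row with MobEnabled=True, Lockdown=lockdownDisabled, or a
# DCUIAccess list longer than the approved one is a finding.
Get-Cluster -Name $Cluster | Get-VMHost | ForEach-Object {
    [pscustomobject]@{
        Host       = $_.Name
        MobEnabled = (Get-AdvancedSetting -Entity $_ -Name 'Config.HostAgent.plugins.solo.enableMob').Value
        DCUIAccess = (Get-AdvancedSetting -Entity $_ -Name 'DCUI.Access').Value
        Lockdown   = Get-LockdownState $_
    }
} | Format-Table -AutoSize

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run the verification part on its own at audit time: the table is the evidence that the three settings are still in place, and any host that has drifted (for example after a host profile was reapplied without the MOB option) shows up as a row rather than being discovered during an incident.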

Key Activities: Review And Update User Access

Technical Implementations:
1. LoginTC. Users access LoginTC-protected systems with their smartphones and tablets as the second factor. The mobile device must be connected to the Internet; LoginTC works over 3G/4G and Wi-Fi networks, and LoginTC notifications are delivered locally, nationally and worldwide. Provisioning and registration is the first step for an authorized user to gain access to EPHI systems and applications, and can be done by:
- Self-registration
- Bulk upload
- LoginTC REST API (used programmatically)
- Synchronization with user stores: LDAP, MS AD, SQL, etc.
The LoginTC mobile app can hold multiple credentials for multiple systems, so a user can gain access to several applications without carrying a separate token for each.

Fig.69 Provisioning LoginTC credential for a new user

Fig.70 LoginTC end user experience

Key Activities: Terminate Access If It Is No Longer Required
Technical Implementation:
1. LoginTC. LoginTC credentials can be revoked in two ways:
- The LoginTC administrator logs in to the LoginTC Admin panel and manually revokes the user's credential.
- If the user record is updated (e.g. disabled or removed) in the master user repository such as MS AD/LDAP and the LoginTC synchronization module is in place, the user's LoginTC credential is updated accordingly in LoginTC Admin.
The second path only terminates access once the synchronization has run, so the sync interval and its success should be monitored as part of the termination procedure.

Audit Controls (§ 164.312(b))
Future In Scope / Security Partner
HIPAA Standard: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
Key Activities: Determine The Activities That Will Be Tracked Or Audited

Technical Implementation:
1. LoginTC. The LoginTC Admin control panel provides LoginTC administrators with a reporting and auditing tool. Administrators can select the captured data by:
- All domains
- A specific domain
- Start date to end date

Log data can also be downloaded in TXT or CSV format for further analysis or correlation with other logs.

All LoginTC access is logged, whether the attempt succeeded, failed, or was rejected by the user (suspected fraud).

One of the most useful LoginTC features is visible in these logs: notifications the user ignored or rejected as suspect. A rejected request means someone presented a valid first factor without the user's consent, which is the signature of a phished password or a man-in-the-middle attempt, so these events should be treated as security alerts and acted upon by the LoginTC administrator, auditors and security personnel (see Fig.70, LoginTC end user experience).

These LoginTC controls are useful for recording and examining access activity, especially when determining whether a security violation has occurred.

Fig.71 LoginTC admin panel: log management

Key Activities: Select The Tools That Will Be Deployed For Auditing And System Activity Reviews

Technical Implementations:
1. vCNS vShield Data Security. This can be used as an audit tool because it provides visibility into sensitive data stored within the organization's virtualized and cloud environments. Based on the violations reported by vShield Data Security, you can verify that sensitive data is adequately protected and compliant with the applicable regulations. For example, policies can be assigned per Security Group so that the application VMs in that Security Group are scanned for HIPAA data and any findings are reported.
2. BMC Server Automation Compliance Audit. Based on a compliance policy, you can run a compliance audit against components. The report shows which section of the policy each component fails to comply with; the following figure gives an example.

Fig.72 BSA compliance audit result (red indicates noncompliant)
The report also shows the number of passed/failed (compliant/noncompliant) checks.

Fig.73 Compliance report showing the number of passed/failed (compliant/noncompliant) checks

Integrity (§ 164.312(c)(1))

HIPAA Standard: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
Key Activities: Mechanism To Authenticate Electronic Protected Health Information
Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
Technical Implementations:
1. vCNS vShield Data Security. Perform regular discovery of EPHI across the data center with vShield Data Security and compare the Scan History and Detail Reports against the previous scan to determine whether the EPHI footprint has changed. Note that a discovery scan reports where EPHI is found; it is not a cryptographic integrity check, so this comparison detects EPHI that appears or disappears between scans rather than every alteration of an individual record.

Fig.74 vShield data securityscan history

Fig.75 vShield data securityreport

Person Or Entity Authentication (§ 164.312(d))

HIPAA Standard: Implement procedures to verify the identity of a person or entity seeking access to electronic protected health information.
Key Activities: Determine Authentication Applicability To Current Systems/Applications

Technical Implementation:

1. Two-factor authentication for login. LoginTC implements two-factor authentication for access to systems that contain EPHI records:
- The user must know the USERNAME and, optionally, a PASSWORD to pass the first factor (something the user knows).
- The user must have a smartphone or tablet with a provisioned LoginTC credential, which is something the user possesses (second factor).
- When notified, the user must unlock the LoginTC credential on the mobile device with a PIN or passphrase known only to the user.

Using LoginTC two-factor authentication helps satisfy the HIPAA Security Rule requirement to create and maintain security controls that verify user identity when users connect to applications and databases holding health data records, either remotely or through a web application.

Fig.76 LoginTC two-factor authentication session

2. vSwitch security to prevent impersonation at the network layer:
a. Reject promiscuous mode. In non-promiscuous mode, a guest adapter receives only traffic addressed to its own MAC address (plus broadcast and multicast). In promiscuous mode, it can receive all packets passing through the switch or port group, which lets a compromised VM sniff other machines' traffic, including EPHI in flight. By default, guest adapters are set to non-promiscuous mode. The promiscuous mode security policy can be defined at the virtual switch or port group level in ESX/ESXi.
Ref: http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-92F3AB1F-B4C5-4F25-A010-8820D7250350.html

b. Reject MAC Address Changes. If the virtual machine operating system changes its MAC address, it can send frames with an impersonated source MAC address at any time, and so stage attacks on devices in the network by impersonating a network adapter the receiving network has authorized. The Reject MAC Address Changes setting prevents VMs from changing their effective MAC addresses. It will affect applications that require this functionality: Microsoft Clustering, which requires systems to share a MAC address; layer-2 bridges; and applications that license against a specific MAC address. Make an exception only for the port groups those applications are connected to, and document each exception.
Ref: http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-942BD3AA-731B-4A05-8196-66F2B4BF1ACB.html

c. Reject Forged Transmits. By default the forged transmits setting is Accept, which means the virtual switch does not compare the source MAC address of outgoing frames with the adapter's effective MAC address. To protect against MAC address impersonation, set forged transmits to Reject on all virtual switches.
Ref: http://pubs.vmware.com/vsphere-51/index.jsp#com.vmware.vsphere.security.doc/GUID-7DC6486F-5400-44DF-8A62-6273798A2F80.html

Fig.77 vSwitch security
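The three vSwitch settings above, including the one exception the text allows, can be applied and verified in a single pass. The following is an added example, not code from the original guide or from VMware: it uses VMware PowerCLI to set Reject for promiscuous mode, MAC address changes and forged transmits on every standard vSwitch in a cluster, forces the port groups back to inheriting the switch setting so a stale per-port-group Accept cannot survive, re-enables MAC changes only on the named exception port groups (a Microsoft Clustering network in this example), and prints a compliance table. The vCenter name, cluster name and the exception port group name 'MSCS-Heartbeat' are placeholders.

```powershell
# Added example, not from the original guide or from VMware: harden the
# standard vSwitch security policy (Reject/Reject/Reject), keep the documented
# MAC-change exception, and report compliance per port group with PowerCLI.
# Assumptions: PowerCLI can reach vCenter; all names below are placeholders.
param(
    [string]  $VCenter             = 'vcenter.lab.example',   # placeholder
    [string]  $Cluster             = 'HIPAA-Lab',             # placeholder
    [string[]]$MacChangeExceptions = @('MSCS-Heartbeat')      # placeholder port groups
)

function Show-Policy { param([bool]$Accept) if ($Accept) { 'Accept' } else { 'Reject' } }

Connect-VIServer -Server $VCenter | Out-Null
$hosts = Get-Cluster -Name $Cluster | Get-VMHost

# 1. Switch level: Reject promiscuous mode, MAC address changes and forged
#    transmits. Port groups inherit this unless they explicitly override it.
$hosts | Get-VirtualSwitch -Standard | Get-SecurityPolicy |
    Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false |
    Out-Null

# 2. Port-group level: put every port group back to "inherit from switch", so a
#    stale per-port-group Accept cannot silently survive the hardening.
$hosts | Get-VirtualPortGroup -Standard | Get-SecurityPolicy |
    Set-SecurityPolicy -AllowPromiscuousInherited $true -MacChangesInherited $true -ForgedTransmitsInherited $true |
    Out-Null

# 3. The documented exception: only the named port groups may change their
#    effective MAC. Promiscuous mode and forged transmits stay Reject there too.
$hosts | Get-VirtualPortGroup -Standard |
    Where-Object { $MacChangeExceptions -contains $_.Name } |
    Get-SecurityPolicy |
    Set-SecurityPolicy -MacChangesInherited $false -MacChanges $true |
    Out-Null

# 4. Verification for the audit file: every row should read Reject/Reject/Reject,
#    except the exception port groups, which read Reject/Accept/Reject.
$hosts | Get-VirtualPortGroup -Standard | ForEach-Object {
    $pg = $_
    $p  = $pg | Get-SecurityPolicy
    [pscustomobject]@{
        Host            = $pg.VirtualSwitch.VMHost.Name
        PortGroup       = $pg.Name
        Promiscuous     = Show-Policy $p.AllowPromiscuous
        MacChanges      = Show-Policy $p.MacChanges
        ForgedTransmits = Show-Policy $p.ForgedTransmits
        Compliant       = (-not $p.AllowPromiscuous) -and (-not $p.ForgedTransmits) -and
                          ((-not $p.MacChanges) -or ($MacChangeExceptions -contains $pg.Name))
    }
} | Sort-Object Compliant, Host, PortGroup | Format-Table -AutoSize

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Step 2 is the part most hardening scripts omit: if a port group was set to Accept before the switch was hardened, the switch-level Reject never reaches it, so the audit table must be read per port group, not per switch. Rows with Compliant=False that are not on the exception list are findings.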

Key Activities: Evaluate Authentication Options Available

Technical Implementation:
1. LoginTC. LoginTC two-factor authentication can protect systems that contain EPHI records, and can also protect the desktops and mobile platforms used to access those systems.

LoginTC can be enabled in:
- VPNs
- Web access managers
- Web portals
- SAML federation systems
- O/S authentication: Windows/Unix
- Mobile browsers
- Mobile applications
- Virtually any other platform or system that requires authentication
