Designing a data center is a complex and daunting task that requires careful planning to ensure its build cost, operations and scalability requirements are met. If you are a security architect responsible for providing requirements to the data center design architect, I’m sure you will appreciate the option to first get a top-down view of the security product of your choice, unless you are given “The Magic Roundabout Swindon” top-down view to look at…
This one for sure needs a YouTube video to explain how it works, but the good news is that the Deep Security top-down view, or should we call it “holistic” view, doesn’t need a video to explain.
This is my attempt to provide you with a 30,000-foot overview of how the Deep Security solution fits into the overall picture of your security architecture.
Download the poster here
Some of the questions that I attempt to cover when creating the holistic view are:
- What solution components do I need for this solution?
- What security controls are offered?
- What choices do I have to control the access to the management interface?
- What configuration management tools can I use?
- Can I forward the security events to my SIEM for a 360-degree visibility to support rapid time to identify and resolve security threats?
- Does the solution offer a rich API to meet my customization needs?
- Is the solution capable of providing the same security functions across my hybrid infrastructure?
If I appear to be projecting our solution as the center of the universe for your data center, believe me, I’m not; I know very well from experience that you have a lot more to consider and plan for. If this grabs your interest and you’d like to know more, then perhaps look at the reference architecture that suits your deployment model as well.
Still have questions? Reach out to us at firstname.lastname@example.org
In the past, compliance and regulation standards have meant organizations could be limited to housing software within their own data center, removing the option for SaaS and the features and benefits that come with it. SaaS has become a very popular option for software developers these days due to its speed of adoption. But why should these benefits be limited to SaaS? Does storing in your own data center mean having to be constrained to a less agile solution?
We don’t think so.
Big changes are coming with Deep Security 10.1, giving you the opportunity to move at cloud speed. Read our blog, Bringing Data Center Security to Cloud Speed, to learn more.
Technology advancements such as high-speed Internet connectivity and the ability to create abstraction layers in computing environments have allowed us to achieve things that were unthinkable ten years ago. I have personally experienced these advancements in my professional life. At one point, I was happy to get my hands on virtualization and the ability to run an integrated solution from my laptop and an external portable storage device for my work. Now, the eruption of cloud computing combined with the power of orchestration tools is mind-blowing. We have entered an era where we are looking to automate everything, aka Infrastructure as Code.
Today, I’m happy to talk about our “Azure quickstart template”. Let’s get started and get to the technical details.
What makes up this quickstart template?
This integrated stack consists of Trend Micro Deep Security, Splunk Enterprise and Chef automation platform, all running on Azure.
How is this quickstart template created?
This integrated stack is built using a JSON template based on Microsoft Azure Resource Manager (ARM) templates. With ARM templates, we can deploy topologies with multiple services, along with their dependencies, quickly and consistently. You do it once and consume it many times. It’s pretty powerful, and since we have already done this for you by working with our Azure partner, you can simply consume it.
What’s in it for me?
It saves you a lot of time that you can spend on things that matter to you, I don’t know, perhaps watching a hockey game (yes, I’m Canadian and it’s our sport). Seriously, think about it: if you are familiar with these solutions then you must be aware that each element has various components, such as a web-based management application and a database, and requires specific communication paths, a database schema etc. Setting up this type of environment, with fully functional integrated components, would take you at least a couple of hours, and this estimate assumes your three-year-old daughter is not screaming in the background and you have your full attention and focused time to build it. I don’t know, but I love it when someone else can do part of my job and make it easy for me.
I’m with you, tell me more.
Okay, if you are still reading then I like to think I have your attention, so let’s look at this diagram of what is involved here to give more technical details about this quickstart:
To break it up, we have:
- A storage account in the resource group.
- A Virtual Network (vNet) with four subnets
- Virtual Machines to host solution components
- Network security groups to control what communication paths are allowed
- Azure SQL DB to host Deep Security persistent data
- Three test Virtual Machines: 2 VMs (Linux, Windows) with bootstrap scripts to install Trend Micro agents (through Azure VM extensions) and 1 VM (Linux) with bootstrap scripts to install Chef agents
There is a lot happening here, as you can see, and the only thing you need to do to consume this is to provide some values for the template parameters, such as:
- Where you want to deploy this stack.
- Web application administrators account and Virtual machine administrator account credentials for the various stack components.
- Communication ports for Deep Security
- Virtual machine size and number of test virtual machines
It takes roughly 30-45 minutes or so to have this environment fully functional. At the end, we will return the URLs for each solution component (Trend Micro, Splunk and Chef) to you so that you can go ahead and simply log in to these applications and do whatever you want to do, e.g. protecting your Azure-based workloads from various vulnerabilities. Remember, cloud security is a shared responsibility: although cloud providers deliver an extremely secure environment, you need to protect what you put IN the cloud: your workloads.
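One way to review a template like this before deploying it, as an added example (not part of the original post or the quickstart's own code): a small linter that flags inbound network security group rules open to any source and credential parameters not declared as `securestring`. The sample template, its resource and parameter names, and port 4119 are constructed for illustration; only rules declared inline in an NSG resource with literal source values are checked.

```python
import json

# Constructed sample ARM template (not the quickstart's own); names and
# port 4119 for the manager console are assumptions for illustration.
SAMPLE_TEMPLATE = json.loads("""
{"parameters": {
   "adminUsername": {"type": "string"},
   "adminPassword": {"type": "string", "defaultValue": "ChangeMe123!"},
   "dsmPassword": {"type": "securestring"}},
 "resources": [{
   "type": "Microsoft.Network/networkSecurityGroups",
   "name": "mgmt-nsg",
   "properties": {"securityRules": [
     {"name": "allow-gui-any", "properties": {
        "access": "Allow", "direction": "Inbound",
        "sourceAddressPrefix": "*", "destinationPortRange": "4119"}},
     {"name": "allow-ssh-admin", "properties": {
        "access": "Allow", "direction": "Inbound",
        "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"}}]}}]}
""")

OPEN_SOURCES = {"*", "internet", "0.0.0.0/0"}   # sources that mean "anyone"
SECRET_HINTS = ("password", "secret", "key")    # parameter-name heuristics

def lint_template(template):
    """Return a sorted list of (kind, name) findings for one ARM template."""
    findings = []
    for name, spec in template.get("parameters", {}).items():
        if any(h in name.lower() for h in SECRET_HINTS):
            if spec.get("type", "").lower() != "securestring":
                findings.append(("plaintext-secret-param", name))
            if "defaultValue" in spec:
                findings.append(("secret-has-default", name))
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.network/networksecuritygroups":
            continue
        for rule in res.get("properties", {}).get("securityRules", []):
            p = rule.get("properties", {})
            sources = [p.get("sourceAddressPrefix", "")] + p.get("sourceAddressPrefixes", [])
            if (p.get("access", "").lower() == "allow"
                    and p.get("direction", "").lower() == "inbound"
                    and any(s.lower() in OPEN_SOURCES for s in sources)):
                findings.append(("nsg-open-inbound", f'{res.get("name")}/{rule.get("name")}'))
    return sorted(findings)

if __name__ == "__main__":
    for kind, name in lint_template(SAMPLE_TEMPLATE):
        print(f"{kind}: {name}")
```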
I’m sold, where can I get this template for quick start?
That was easy! The ARM template is available on the Azure website (here). You can simply click the “Deploy to Azure” button or select Browse in the GitHub repository. You can also use PowerShell, Azure CLI etc. to start the deployment; the GitHub link provides the necessary documentation for it.
The Chef recipe for Deep Security Agent is available here.
Questions? Reach out to us by email at email@example.com and we’ll be happy to help!
I’m excited to write about the availability of the Deep Security Manager Solution Template in Azure Marketplace. You’re likely asking why we decided to provide our solution in this format versus the other options available through the Azure Marketplace. I can give you a technically inclined answer, but before I do that, let’s look at a traditional cloud deployment.
In the traditional way of deploying any solution in the cloud, you build each piece, one by one, and handle their dependencies. For example, to deploy a solution in Azure you will be looking at any number of the following:
- Storage account and blob
- Virtual network
- Network Security Groups
- Inbound and outbound Security rules
- And so on…
This approach can be ideal for complicated deployments, which would require some understanding of the deployed solution before you can start using it.
Solution template versus traditional deployment
- Time: Some will say this is our most scarce resource. By automating and scripting the deployment of Deep Security in Azure, you can start protecting your Azure-based workloads immediately and focus on the tasks that really matter to you.
- Simplicity: Simplify the deployment of all the required resources, for example Deep Security Manager, Deep Security Relay, and other supporting infrastructure (such as a virtual network, database server, network security groups and firewall rules), by removing the complexities. In this deployment option you have complete control over Deep Security in your own environment (Azure account) and you will have access to the data.
What solutions are available in Azure Marketplace?
Now that you understand why we did it, you may be wondering what this offering is and what type of solution Trend Micro is offering in Azure Marketplace. As you may already know, Azure Marketplace supports multiple types of solutions:
- Virtual Machine Image
- Developer Service
- Data Service
- Solution Template
What is a solution template?
Free-form vs known configuration solution templates
There are two approaches when it comes to writing solution templates: free-form and the known configuration, or t-shirt size, approach. At first, free-form configurations sound appealing, but when you dig deeper they are more complex, require careful planning, and you end up having to focus on decisions that can be scripted for you.
We decided to go with the t-shirt size, or known configuration, approach. This approach provides good, known configurations of varying sizes that are preconfigured for you. This enables you to easily select the deployment that fits your environment. Depending on the number of virtual machines you want to protect, you choose a matching Virtual Machine size configured for 25, 50, 100, 150 or 200.
If you’re wondering about protecting more than 200 workloads, we’ve got this covered as well. It’s a matter of adding another Deep Security Virtual Machine (VM) from the Marketplace in your Azure account and picking the “Use Existing” option for the Azure SQL database during the provisioning wizard. It’s a concept of horizontal scaling; we call such Deep Security deployments “multi-node” deployments. Alternately, you can go with the BYOL solution template and specify certain attributes of the deployment, such as VM type, to go beyond the pre-configured standard offering.
Getting started with the Deep Security Solution Template for Azure
Let’s go on the journey to buy a Deep Security Virtual Machine (VM) from Azure Marketplace and look at the information you’ll need to get started. Starting in the Azure Marketplace, search for the keyword “Deep Security”, which will return these results:
First you need to select your license model.
- If you’re an existing Deep Security customer, you can leverage your existing (or new) license with Deep Security on Azure Marketplace. You can simply click on the “Deep Security Manager (BYOL)” option.
- If you’re a new Deep Security customer, select the “Deep Security Manager” option to procure and deploy through the Azure Marketplace.
Once you decide on the licensing model, the rest of the steps in this journey are the same. The solution template will guide you through a 7-step wizard that collects various parameter values, such as user credentials, VM size, virtual network details and database selection.
Once you’ve finished the quick 7-step wizard, you’ll have a fully optimized, connected configuration of Deep Security on a predefined network topology, ready to be used to protect your Azure workloads.
Here is what the deployment architecture will look like:
- Typical enterprise VDI use case yields 44% ROI and 16-month payback period.
- Typical enterprise cloud-centric use case yields 181% ROI and seven-month payback period.
- Typical enterprise server (non-VDI) virtualization use case yields 163% ROI and five-month payback period