Can Virtualization Threaten Security & Compliance?
Moderator: Tim Grance, NIST
Panelists:
Mike Mucha, Stanford Medical
Hemma Prafullchandra, HyTrust
Justin Somaini, Symantec
Lynn Terwoerds, Barclays Bank
04/23/09 Session ID: GRC-303
Reality - Adoption & Economic
Gartner says:
• By end of 2009 there will be 4M virtual machines (VMs)
• By 2011, there will be 660M virtual PCs
• By 2012, 50% of all x86 server workload will be running in VMs
Reality – Virtualization Roadmap
Reality - Virtualization Technology
[Figure: two charts. Survey chart: "Which server virtualization management and administrative functionalities do you expect to deploy in 2009?" (y-axis: Percentage of Respondents, 0% to 60%). Source: Morgan Stanley CIO Survey. Vulnerability chart: "Total Advisories Issued" and "Total Vulnerabilities Reported" for virtualization products (y-axis 0 to 250). Source: Secunia Vulnerability Database as of 2/23/09.]
Reality – Biggest IT Security Challenges
Which of the following are the biggest information/network security challenges facing your company? (percentage of respondents, axis 0% to 70%; multiple responses allowed)
• Managing the complexity of security
• Preventing data breaches from outside attackers
• Enforcing security policies
• Assessing risk
• Controlling user access to systems and data
• Spreading user awareness
• Preventing data theft by employees or other insiders
• Meeting regulatory and industry compliance requirements
• Getting management buy-in
• Getting professional resources/expertise
Source: InformationWeek Analytics 2008 Strategic Security Study of 1,097 business technology professionals
Security & Compliance of Virtual Infrastructure
How does virtualization change/impact my security strategy & programs?
• Are the mappings (policy, practice, guidance, controls, process) more complex? How can we deal with it?
• Where are the shortfalls, landmines, and career-altering opportunities?
What are the unique challenges of compliance in the virtualized infrastructure?
• How are the varying compliance frameworks (FISMA, SAS 70, PCI, HIPAA, SOX, etc.) affected by virtualization?
• How do you demonstrate compliance? e.g., patching, or showing isolation at the machine, storage and network level
What's different or the same with operational security?
• Traditionally separation was king – separation of duties, network zones, dedicated hardware & storage per purpose and such – now what?
• VMs are "data" – they can be moved, copied, forgotten, lost, and yet when active they are the machines housing the applications and perhaps even the app data – do you now have to apply all your data controls too? What about VMs at rest?
Apply
• Do NOT ignore virtualization, it's going to be deployed whether you (the security person) like it or not!
– Review your existing security programs & strategy. Think holistically about security & compliance of your virtualization strategy/plan, processes, deployment and maintenance.
– Existing security & compliance tools and technologies may not work - look for additional tools, e.g. automation tools given the high rate of change, audit-quality log maintenance & correlation.
• Virtualization complicates maintaining separation of duties and machines, networks, and storage:
– Configure virtualization platforms to authenticate users against central identity and group repositories (e.g., Active Directory) across all management consoles.
– Automate log collection and host configuration to reduce loss of information and human errors.
• Operationally, gain control and visibility of the virtual infrastructure:
– Avoid server sprawl by controlling who can import, snapshot, and copy VMs.
– Look at published configuration benchmarks/checklists such as NIST (http://checklists.nist.gov), Center for Internet Security, DoD DISA STIGs, and the VMware Security Hardening Guide.
– Develop green practices around unused VMs – only activate VMs when needed, control who can start and stop VMs.
– Apply sensitive data controls to the VMs at rest.
– Practices to continue: mandate 'golden' VM configuration templates for standard operating systems, patch active and non-active VMs, archive/delete unused VMs.
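The "Apply" items above on sprawl, dormant VMs, golden templates and patching non-active VMs are the ones most easily turned into a recurring automated check, and they also answer the earlier "VMs are data" question in practice. The following is an added example written for this page, not code from the panel or from any hypervisor vendor. It assumes the hypervisor inventory has already been exported into a list of records with the field names used here (those names, the thresholds and the sample inventory are all constructed assumptions); a real run would replace SAMPLE_INVENTORY with the output of the management API.

```python
"""Audit a (constructed) virtual-machine inventory export against the
practices recommended on the 'Apply' slide: patch active and non-active VMs,
mandate golden templates, control snapshots, archive or delete unused VMs.
Illustrative code for this page only; field names and thresholds are assumed.
"""
from datetime import date

# Policy thresholds (assumed values; align them with your own patch cycle).
MAX_PATCH_AGE_DAYS = 30      # every VM, powered on or off, patched within this window
MAX_SNAPSHOT_AGE_DAYS = 7    # snapshots are VM copies, not backups; old ones are sprawl
DORMANT_DAYS = 90            # powered off this long -> archive or delete
GOLDEN_TEMPLATES = {"win2008-golden-v3", "rhel5-golden-v2"}  # assumed template names

# Constructed sample inventory (not real data). Dates are ISO strings, as an
# export script would normally emit them.
SAMPLE_INVENTORY = [
    {"name": "web01", "power": "on", "template": "rhel5-golden-v2", "owner": "webteam",
     "last_patched": "2009-04-10", "last_powered_off": None,
     "snapshots": [{"name": "pre-upgrade", "created": "2009-04-20"}]},
    {"name": "hr-db-old", "power": "off", "template": "rhel5-golden-v2", "owner": "hr",
     "last_patched": "2008-11-02", "last_powered_off": "2008-12-15",
     "snapshots": []},
    {"name": "test-import", "power": "on", "template": None, "owner": None,
     "last_patched": "2009-04-15", "last_powered_off": None,
     "snapshots": [{"name": "clean", "created": "2009-01-05"}]},
]

AUDIT_DATE = date(2009, 4, 23)  # fixed so the results are reproducible


def _days_since(iso_date, today):
    return (today - date.fromisoformat(iso_date)).days


def audit_vm(vm, today=AUDIT_DATE):
    """Return a list of (severity, finding) tuples for one VM record."""
    findings = []

    # Patch active AND non-active VMs: a dormant VM that is powered on months
    # later comes back with every vulnerability it had when it was switched off.
    patch_age = _days_since(vm["last_patched"], today)
    if patch_age > MAX_PATCH_AGE_DAYS:
        state = "powered-off" if vm["power"] == "off" else "running"
        findings.append(("high", f"{state} VM unpatched for {patch_age} days"))

    # Golden templates: anything else is a build of unknown provenance.
    if vm["template"] not in GOLDEN_TEMPLATES:
        findings.append(("medium", "not built from a golden template"))

    # A VM with no owner cannot be held to a start/stop or access policy.
    if not vm["owner"]:
        findings.append(("medium", "no owner recorded"))

    # Snapshots are copies of the machine and its data: sprawl plus data at rest.
    for snap in vm["snapshots"]:
        age = _days_since(snap["created"], today)
        if age > MAX_SNAPSHOT_AGE_DAYS:
            findings.append(("low", f"snapshot '{snap['name']}' is {age} days old"))

    # Archive or delete unused VMs instead of leaving them on the datastore.
    if vm["power"] == "off" and vm["last_powered_off"]:
        off_days = _days_since(vm["last_powered_off"], today)
        if off_days > DORMANT_DAYS:
            findings.append(("low", f"dormant for {off_days} days; archive or delete"))

    return findings


def audit_inventory(inventory, today=AUDIT_DATE):
    """Map VM name -> findings, omitting VMs with nothing to report."""
    report = {}
    for vm in inventory:
        found = audit_vm(vm, today)
        if found:
            report[vm["name"]] = found
    return report


if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        for severity, message in findings:
            print(f"{severity:6s} {name}: {message}")
```

Run on the constructed inventory, web01 is clean, hr-db-old is flagged as a powered-off machine that has missed several patch cycles and should be archived, and test-import is flagged for an unknown build, no owner and a stale snapshot. Feeding the report into the log correlation the slide calls for gives an audit trail that the VM controls are actually being enforced, not just written down.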
Useful Links
• Hypervisors & their security information:
– VMware: http://www.vmware.com, http://www.vmware.com/technology/security/
– Citrix/Xen: http://www.citrix.com/English/ps2/products/product.asp?contentID=683148
– Microsoft: http://www.microsoft.com/windowsserver2008/en/us/hyperv-technical-resources.aspx
• Publications, Guides, Best practices, Benchmarks, Blogs:
– Ross, R., et al., NIST Special Publication 800-53, Rev2, Recommended Security Controls for Federal Information
Systems, December 2007, from http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf
– Scarfone, K., et al., NIST Special Publication 800-123, Guide to General Server Security, July 2008, from http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
– Center for Internet Security benchmarks: http://www.cisecurity.org/benchmarks.html
– DISA, “ESX Server Security Technical Implementation Guide” from
http://iase.disa.mil/stigs/stig/esx_server_stig_v1r1_final.pdf
– DISA, "Virtual Machine Security Technical Implementation Guide" from http://iase.disa.mil/stigs/stig/vm_stig_v2r2.pdf
– NSA, “VMware ESX Server 3 Configuration Guide”: http://www.nsa.gov/ia/_files/support/I733-009R-2008.pdf
– Alessandro Perilli: http://www.virtualization.info/
– Chris Hoff: http://www.rationalsurvivability.com/blog/
– Scott Lowe: http://blog.scottlowe.org/
• Free solutions:
– HyTrust Appliance (Community release on 4/30): http://www.hytrust.com/community
– For VMware : http://www.vmware.com/technology/security/utilities.html
– Free Microsoft Hyper-V Security Guide: http://www.microsoft.com/downloads/details.aspx?FamilyID=2220624b-a562-4e79-aa69-a7b3dffdd090&displaylang=en