GRC-303
Can Virtualization Threaten Security & Compliance?
Moderator: Tim Grance, NIST
Panelists: Mike Mucha, Stanford Medical; Hemma Prafullchandra, HyTrust; Justin Somaini, Symantec; Lynn Terwoerds, Barclays Bank
04/23/09, Session ID: GRC-303

Reality - Adoption & Economics
Gartner says:
• By end of 2009 there will be 4M virtual machines (VMs)
• By 2011, there will be 660M virtual PCs
• By 2012, 50% of all x86 server workload will be running in VMs

Reality – Virtualization Roadmap
[Figure: virtualization roadmap; no text survives extraction]

Reality – Virtualization Technology
[Chart: "Which server virtualization management and administrative functionalities do you expect to deploy in 2009?" (percentage of respondents). Source: Morgan Stanley CIO Survey]
[Chart: Total Advisories Issued vs. Total Vulnerabilities Reported. Source: Secunia Vulnerability Database as of 2/23/09]

Reality – Biggest IT Security Challenges
[Chart: "Which of the following are the biggest information/network security challenges facing your company?" (number of respondents, multiple responses allowed, 0%–70% scale). Responses, in the order shown:]
• Managing the complexity of security
• Preventing data breaches from outside attackers
• Enforcing security policies
• Assessing risk
• Controlling user access to systems and data
• Spreading user awareness
• Preventing data theft by employees or other insiders
• Meeting regulatory and industry compliance requirements
• Getting management buy-in
• Getting professional resources/expertise
Source: InformationWeek Analytics 2008 Strategic Security Study of 1,097 business technology professionals

Security & Compliance of Virtual Infrastructure
How does virtualization change/impact my security strategy & programs?
• Are the mappings (policy, practice, guidance, controls, process) more complex? How can we deal with it?
• Where are the shortfalls, landmines, and career-altering opportunities?
What are the unique challenges of compliance in the virtualized infrastructure?
• How are the varying compliance frameworks (FISMA, SAS 70, PCI, HIPAA, SOX, etc.) affected by virtualization?
• How do you demonstrate compliance? e.g., patching, or showing isolation at the machine-, storage- & network-level
What's different or the same with operational security?
• Traditionally separation was king – separation of duties, network zones, dedicated hardware & storage per purpose and such – now what?
• VMs are "data" – they can be moved, copied, forgotten, lost, and yet when active they are the machines housing the applications and perhaps even the app data – do you now have to apply all your data controls too? What about VMs at rest?

Apply
• Do NOT ignore virtualization, it's going to be deployed whether you (the security person) like it or not!
  ✓ Review your existing security programs & strategy. Think holistically about security & compliance of your virtualization strategy/plan, processes, deployment and maintenance.
  ✓ Existing security & compliance tools and technologies may not work - look for additional tools, e.g. automation tools given the high rate of change, audit-quality log maintenance & correlation.
• Virtualization complicates maintaining separation of duties and of machines, networks, and storage:
  ✓ Configure virtualization platforms to authenticate users against central identity and group repositories (e.g., Active Directory) across all management consoles.
  ✓ Automate log collection and host configuration to reduce loss of information and human error.
• Operationally, gain control and visibility of the virtual infrastructure:
  ✓ Avoid server sprawl by controlling who can import, snapshot, and copy VMs.
  ✓ Look at published configuration benchmarks/checklists such as NIST (http://checklists.nist.gov), Center for Internet Security, DoD DISA STIGs, and the VMware Security Hardening Guide.
  ✓ Develop green practices around unused VMs – only activate VMs when needed, control who can start and stop VMs.
  ✓ Apply sensitive data controls to the VMs at rest.
  ✓ Practices to continue: mandate 'golden' VM configuration templates for standard operating systems, patch active and non-active VMs, archive/delete unused VMs.

Useful Links
• Hypervisors & their security information:
  – VMware: http://www.vmware.com, http://www.vmware.com/technology/security/
  – Citrix/Xen: http://www.citrix.com/English/ps2/products/product.asp?contentID=683148
  – Microsoft: http://www.microsoft.com/windowsserver2008/en/us/hyperv-technical-resources.aspx
• Publications, Guides, Best practices, Benchmarks, Blogs:
  – Ross, R., et al., NIST Special Publication 800-53, Rev 2, Recommended Security Controls for Federal Information Systems, December 2007, http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf
  – Scarfone, K., et al., NIST Special Publication 800-123, Guide to General Server Security, July 2008, http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
  – Center for Internet Security benchmarks: http://www.cisecurity.org/benchmarks.html
  – DISA, "ESX Server Security Technical Implementation Guide", http://iase.disa.mil/stigs/stig/esx_server_stig_v1r1_final.pdf
  – DISA, "Virtual Machine Security Technical Implementation Guide", http://iase.disa.mil/stigs/stig/vm_stig_v2r2.pdf
  – NSA, "VMware ESX Server 3 Configuration Guide": http://www.nsa.gov/ia/_files/support/I733-009R-2008.pdf
  – Alessandro Perilli: http://www.virtualization.info/
  – Chris Hoff: http://www.rationalsurvivability.com/blog/
  – Scott Lowe: http://blog.scottlowe.org/
• Free solutions:
  – HyTrust Appliance (Community release on 4/30): http://www.hytrust.com/community
  – For VMware: http://www.vmware.com/technology/security/utilities.html
  – Free Microsoft Hyper-V Security Guide: http://www.microsoft.com/downloads/details.aspx?FamilyID=2220624b-a562-4e79-aa69-a7b3dffdd090&displaylang=en
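The operational items on the "Apply" slide (control sprawl, archive or delete unused VMs, patch non-active VMs, mandate golden templates, treat VMs at rest as sensitive data) are the kind of checks that can be run against a VM inventory on a schedule. The following audit script is an added example written for this page, not material from the panel or from any vendor named above. The inventory fields, the policy thresholds (90 days dormant, 7-day snapshot age), the template names and the patch-baseline label are all assumptions; the four sample VMs are constructed. A real run would fill the inventory from the hypervisor's management API or an export instead of the literal list.

```python
"""Audit a VM inventory against the operational controls on the 'Apply' slide.

Assumed inventory schema and policy values; constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Policy values: assumptions for this example, not numbers from the deck.
GOLDEN_TEMPLATES = {"win2008-golden-2009q1", "rhel5-golden-2009q1"}
CURRENT_PATCH_BASELINE = "2009-04"   # every VM, active or not, must carry this
DORMANT_DAYS = 90                    # powered off longer than this -> archive/delete
SNAPSHOT_MAX_AGE_DAYS = 7            # snapshots older than this count as sprawl
SENSITIVE_CLASSES = {"confidential", "regulated"}


@dataclass
class VM:
    name: str
    power_state: str                  # "on" or "off"
    last_power_on: Optional[date]     # None if never powered on since import
    template: Optional[str]           # golden template it was cloned from, if any
    patch_baseline: str               # patch baseline applied to the guest
    data_class: str                   # classification of the data the VM houses
    encrypted_at_rest: bool           # VM disk files encrypted on the datastore
    snapshots: List[date] = field(default_factory=list)  # snapshot creation dates


def audit_vm(vm: VM, today: date) -> List[str]:
    """Return the policy findings for one VM (empty list means compliant)."""
    findings: List[str] = []

    # Sprawl: snapshots are copies of the machine that tend to be forgotten.
    if any((today - s).days > SNAPSHOT_MAX_AGE_DAYS for s in vm.snapshots):
        findings.append("stale-snapshot")

    # Unused VMs should be archived or deleted, not left on the datastore.
    if vm.power_state == "off" and (
        vm.last_power_on is None or (today - vm.last_power_on).days > DORMANT_DAYS
    ):
        findings.append("dormant")

    # Patching applies to non-active VMs too: a powered-off VM re-enters the
    # network with whatever patch level it had when it was shut down.
    if vm.patch_baseline != CURRENT_PATCH_BASELINE:
        findings.append("unpatched-offline" if vm.power_state == "off" else "unpatched")

    # Anything not cloned from an approved golden template is unmanaged configuration.
    if vm.template not in GOLDEN_TEMPLATES:
        findings.append("non-golden-template")

    # VMs are data: sensitive VM files at rest need the same controls as the data inside.
    if vm.data_class in SENSITIVE_CLASSES and not vm.encrypted_at_rest:
        findings.append("unencrypted-at-rest")

    return findings


def audit_inventory(vms: List[VM], today: date) -> Dict[str, List[str]]:
    """Map each VM name to its findings."""
    return {vm.name: audit_vm(vm, today) for vm in vms}


# Constructed sample inventory; the audit date matches the session date.
AUDIT_DATE = date(2009, 4, 23)
SAMPLE_INVENTORY = [
    VM("web01", "on", date(2009, 4, 20), "rhel5-golden-2009q1", "2009-04",
       "public", False, snapshots=[date(2009, 4, 22)]),
    VM("db02", "off", date(2008, 12, 1), "win2008-golden-2009q1", "2009-01",
       "confidential", False),
    VM("test-clone", "on", date(2009, 4, 1), None, "2009-04",
       "public", False, snapshots=[date(2009, 2, 15), date(2009, 4, 10)]),
    VM("hr03", "off", date(2009, 4, 15), "win2008-golden-2009q1", "2009-04",
       "confidential", True),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(f"{name:12s} {', '.join(findings) or 'ok'}")
```

The point of the "unpatched-offline" finding is the one the slide makes: a VM that is off still has to be tracked against the patch baseline, because nothing about being powered off keeps it from being powered on later. The same inventory can feed the separation-of-duties controls on the slide by recording who created each snapshot or clone, but that requires an audit log from the management console rather than the inventory alone.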