Secure Administration of Virtualization - A Checklist ofVRATECH

Transcription

1 Securing the Administration of Virtualization An ENTERPRISE MANAGEMENT ASSOCIATES (EMA ) Market Research Report Prepared for RSA, The Security Division of EMC March 2010 IT MANAGEMENT RESEARCH,

2 Table of Contents Executive Summary...1 Secure Administration: Priority One for Virtualization Security...1 Managing Resource Consolidation...1 Controlling Risk Exposure...2 Point in Time Means Something Different...2 VM Images are Data, Too...2 The Impact of Administration...2 Meeting the Challenge...3 Start with Strategy...3 Plan: Architect Proper Configuration...3 Do: Administrative Security in Operations...4 Check: Monitoring Administrative Actions...5 Act: The Critical Importance of Response...6 Toward the Future...7 EMA Perspective...7 About RSA...8

3 Executive Summary Virtualization has been one of the most transformative information technologies to appear in many years. What many organizations still do not yet fully appreciate, however, is the transformative impact virtualization has on security as well. Virtualization enables the IT investment to yield maximum benefit with greater flexibility. It also introduces new risks, many without parallel in traditional IT. Unlike physical systems, multiple guest virtual machines (VMs) share a common host. VMs can be configured offline and deployed on demand, making for a far more dynamic environment. Virtualized functionality such as networking is abstracted from its physical topology. Securing these capabilities depends directly on administrative control. This, in turn, emphasizes the need for security in the administration of virtualization, and for processes and technologies to secure administration that are virtualization aware. Virtualization enables the IT investment to yield maximum benefit with greater flexibility. It also introduces new risks, many without parallel in traditional IT. In this report, Enterprise Management Associates (EMA) describes a systematic approach to securing the administration of virtualized systems, based on the ISO series Plan Do Check Act philosophy. While emerging aspects of endpoint virtualization are discussed, the primary focus is on the administration of virtualization in the data center, where the bulk of today s concerns may be found. Guidance on securing the administration of VMware one of the most prevalent names in virtualization and the use of the tools and technologies of EMC and its Security Division, RSA, are highlighted as primary examples. Readers should gain an enhanced awareness of the essential capabilities required for the secure administration of virtualization, with reference to technology-specific guidance such as VMware s Security Hardening publications offered for more detailed information. Secure Administration: Priority One for Virtualization Security Every generation of IT has its transformative technologies but few have had the impact of virtualization in the data center. The values it brings for resource consolidation, on-demand provisioning and offline maintenance enable IT to be far more flexible in meeting business demands. But these demands will not indeed, cannot be well met unless the risks that virtualization introduces can be understood and managed. Some of these risks have little or no parallel in the physical environment. Managing Resource Consolidation For example, virtualized guest systems sharing a common physical platform may have different levels of sensitivity in their operations, their network exposure, or in the information they handle. A guest VM exposed to a public network may run the risk of exposing sensitive data handled on another guest on the same host. In the past, such risky interactions were largely controlled through physical or logical isolation. Virtualization, however, makes it much easier to violate this isolation by consolidating functionality on

4 a shared host. Large retailers have failed an audit for compliance with the Payment Card Industry (PCI) Data Security Standard for just such failures. Controlling Risk Exposure Even simple changes in server configuration or network topology can expose vulnerabilities, such as an unpatched software defect or network access that can lead to system takeover. Virtualization, however, has the potential to greatly amplify this exposure, when a vulnerable VM configuration is replicated many times over in production. The ability to move and deploy virtual systems on demand may also increase risk. Organizations may assume they have a certain number of servers that must be managed, but on-demand virtualization may increase that number considerably if uncontrolled. This virtualization sprawl has several major implications: It increases the sheer volume of risk exposures (or attack surface ) if proper and consistent security measures are not applied across the whole virtual environment. It exposes the organization to software licensing violations. It potentially introduces regulatory compliance violations surrounding private data management, separation of systems and networks, adequate logging and asset and change control. Point in Time Means Something Different Unlike the physical environment, where change is immediate, changes to a VM are typically made offline, and do not take effect until the image is deployed in production. This could be some time after changes are defined in a master VM image or service configuration. If changes are made for security reasons, such latency could prolong risk exposure. Another point-in-time factor unique to virtualization is the ability to suspend a VM. Starting and stopping a service may be logged as a system-level event. Without visibility into virtualization infrastructure, however, VM suspension may go undetected by traditional monitoring methods. This increases the risk that suspended VMs may disrupt critical functionality, or go offline due to undetected security issues. VM Images are Data, Too A VM image is effectively a file or set of files which are stored as data. This data can be copied and later run in an uncontrolled environment, circumventing authorized protections. This increases the priority placed on control over access to storage systems that manage such data. The Impact of Administration Note the critical role played by administration and management in each of these examples. Administrative privilege enables the definition of VM images, the ability to retrieve VM images stored as data, control over their deployment, and management in production. This heightens the need to secure administrative privilege and actions. It also highlights the importance of controls that are virtualizationaware. Insight into virtual infrastructure is needed to detect such These factors heighten the need to secure administrative privilege and actions. They also highlight the importance of controls that are virtualization-aware

5 factors as VM consolidation, movement and suspension, and the control of VM images as data. Without this visibility, administrative actions that pose risk may go undetected. Without virtualizationspecific controls, they may go unmanaged as well. Meeting the Challenge Securing the administration of virtualization must therefore be a top priority for securing virtualization itself. Organizations may not yet be aware, however, of how best to secure virtualization management and administrative privilege. This calls for a comprehensive consideration of the factors involved, in order to develop an effective plan of action. Start with Strategy In other words, this means taking a strategic approach, in line with the requirements of the business. One such approach is reflected in the ISO family of security management standards, frequently referenced for guidance of IT security management. In essence, the ISO standards recommend a systematic approach, which describes a logical sequence that helps organizations define, implement and monitor their objectives, with high emphasis on action. This approach is often summarized as: Plan Do Check Act The ISO standards represent a body of guidance that can be applied in the general case. Technologyspecific guidance should be referenced to secure the actual implementation. Organizations such as the Computer Security Institute (CSI) offer such guidance, while vendors often provide their own. VMware, for example, offers Security Hardening guidelines for VMware virtualization technologies 1. These materials provide useful information for securing the administration of virtualized environments. Plan: Architect Proper Configuration Safeguarding administrative control is implicit in fundamental security principles that apply in both virtual and physical environments. Securing the administration of virtualization thus begins with securing the physical environment, and extending those principles to virtualization. Limit exposures that could lead to unauthorized high-privilege access. Install customary security tools such as anti-malware, firewall and host intrusion prevention systems. Disable unnecessary or superfluous functions. Reserve system resources for Service Management processes patch, change, asset and configuration management. Secure configurations should be built into hardened templates, for assuring that when new systems are deployed, they are configured properly. This includes the configuration of the physical host, the hypervisor, and each guest VM. Network segmentation takes on an added dimension in virtualized environments, since guest VMs each have their own connections to physical and logical network topologies outside the virtualized host, as well as within the host itself. 1 (as of March 2010) This means taking a strategic approach, in line with the requirements of the business.

6 In most cases, network communications between guest VMs should be isolated. Technologies such as VMware vshield Zones can limit inter-vm traffic and resulting risk exposures, extending long-established network segmentation principles to the virtual world. Connection to specific physical interfaces can further assure this protective isolation and mitigate software configuration risks. Configuration of virtualization management systems is particularly important, since they directly control functionality. VMware vcenter, for example, provides centralized administration of VMware environments, and must be carefully deployed accordingly. Limit administrative access to the host where vcenter is running. vcenter itself should run under a separate administrative account specifically provisioned for that purpose Management and production networks should be isolated from each other, to limit the risk of unauthorized access to administrative functionality. When administrative access is authorized, the principle of least privilege should apply. Administrative access should be linked to individual accountability as much as possible. Access to shared administrative accounts such as root should be limited, while tools such as su should be restricted. Role-based access control (RBAC) offers a way to segregate administrative functions into individual roles that can be invoked by authorized users when needed. In the case of VMware vcenter, its Custom Roles capability offers a built-in way to define and segregate administrative privileges by roles. Environment monitoring is essential particularly to monitoring administrative access and actions, both authorized and unauthorized. Organizations should plan to deploy event management tools having insight into virtualization risks. This includes monitoring access to VM image storage resources. Here too, RBAC-based role segregation should help to assure that those with administrative access privileges do not also have the capability to tamper with evidence of administrative actions. Do: Administrative Security in Operations Once virtualization is deployed, the principles of limited exposure and least privilege should be continued in operations management. Exposure to administrative access risks can be mitigated by using the most secure or finely grained management tools when available. In the VMware environment, the ESX service console may enable overly broad capability with limited control. Better control can be achieved by the use of more finely grained tools that leverage vcenter functionality, such as PowerCLI and toolkits that use the vsphere API. Because these tools leverage vcenter, they enforce centralized privilege control and monitoring. They also provide role-based administrative access through vcenter Custom Roles. Once virtualization is deployed, the principles of limited exposure and least privilege should be continued in operations management.

7 Strong authentication can further secure access to administrative privilege. Some compliance mandates such as the PCI Data Security Standard may specifically require two-factor authentication for remote administrative access. One of the most popular examples of two-factor authentication is the one-time password technology of RSA SecurID, long used to secure administrative access in many organizations worldwide. Check: Monitoring Administrative Actions Building monitoring capability in the planning phase is essential but it must be used effectively in operations. In the 2009 Verizon Business data breach investigations report 2, 66% of victims had sufficient evidence available in log data to discover a breach, had they been more diligent in log analysis. The sheer volume of monitoring information IT generates compounds the issue for many. This mass of data is difficult to manage, if not impossible, without tools for prioritizing alerts that identify significant risks. Security information and event management (SIEM) systems are a primary tool for meeting these challenges. In order to be most effective in monitoring the administration of virtualization, however, they must have comprehensive visibility: Events in any environment: Monitoring should cover events not specific to virtualization, but which have an impact on the security of virtualization management. For example: Events should be correlated with IT change. The monitoring of IT change is a fundamental principle of IT management that reinforces change control and improves IT reliability. In security, change detection may reveal threat activity. Events should be correlated with administrative access. This can help identify unauthorized administrative access or a security attack that exploits administrative privilege. It also benefits more reliable IT management, by helping to identify root causes of performance or availability problems due to administrative actions. Access to storage resources that house VM images should be monitored, to protect against unauthorized deployment or analysis of virtual systems. Virtualization-specific events: Monitoring tools must also have visibility into administrative activity unique to virtualization. This is particularly critical when events have few or no parallels with the physical environment: Administrative actions that result in changes to VM state should be monitored. Stopping and starting a service on a physical server may be detected by conventional tools, but virtualization-specific issues such as VM suspension may not. VMs may also be moved from one physical host to another, which may violate policy. Monitoring must have visibility into virtualization infrastructure in these cases. In most cases, making changes to the configuration of a VM require taking it offline and remounting it, which may not be as intuitive as rebooting a physical server. When changes are defined in master VM images, monitoring must assure that they have been put into production in a timely way. This may be critical when patching actively exploited security vulnerabilities. 2 W. H. Baker et al, 2009 Data Breach Investigations Report, Verizon Business, April Monitoring tools must also have visibility into administrative activity unique to virtualization. This is particularly critical when events have few or no parallels with the physical environment.

8 Unauthorized attempts to copy or clone VMs should be detected, to assure that sensitive information or systems are not exposed outside the authorized, controlled environment. Virtualization sprawl should be monitored and contained, to assure that virtualization is managed appropriately, regulated environments are under proper control, and to reduce risk exposure from enlarging the attack surface. SIEM platforms such as RSA envision provide visibility into comprehensive activity throughout both physical and virtualized environments. The EMC and VMware families of configuration and change management tools such as VMware vcenter Server Configuration Manager provide virtualizationaware configuration and change insight which can be correlated with event monitoring. These are examples of technologies having the visibility into virtualization infrastructure necessary to assure that virtualization-specific issues are not overlooked. Act: The Critical Importance of Response It is one thing to monitor; it is another to act, as data breach investigations suggest. Even when event management systems correlate and identify high-priority issues, actions must be taken not only to enable response, but to prevent recurrence and better secure virtualization management going forward. It is one thing to monitor; it is another to act, as data breach investigations suggest. Here also, general principles exist that can be applied to any environment, as well as those that are specific to virtualization: Evaluate the completeness of response. When security vulnerabilities become known, the exposure must be found and confirmed in other environments. Configuration management systems can not only verify its presence when it appears, but can also directly remediate exposures through configuration change. Take a proactive approach. Beyond monitoring, checking must also include the regular evaluation of program effectiveness. This helps assure that virtualization is managed responsibly as technologies, use cases and business requirements change. Change events that consistently require exceptions to accepted management processes, for example, may call for a re-evaluation of those processes. Expand virtualization awareness. Recognize that virtualization can have a dramatic impact on existing management disciplines such as configuration management. The virtual environment is far more dynamic than the legacy world. VMs can move with a great deal of freedom among physical hosts. Changes can be made offline, which reduces the impact of change on production environments, but operations teams must assure that these changes are put into production as expected. Organizations will want to assure that their administrative tools have adequate visibility into virtualization infrastructure, to avoid being blindsided by these virtualization-specific issues. Link the virtual infrastructure to IT Service Management. Monitoring systems can create a service desk ticket in response to specific events. This helps the tracking of incidents to a satisfactory conclusion, which may include forensic analysis or other follow-up if required. Conversely, a service desk ticket can be used to authorize a specific change event, whose outcome satisfactory or otherwise is reflected in monitoring systems.

9 Toward the Future Finally, response must also include keeping a forward-looking eye on the pace of technology in this case, on the ongoing evolution of virtualization, its management, and its risks. Emerging technologies such as Virtual Desktop Infrastructure (VDI) emphasize the need for virtualization aware security management tools. RSA envision, for example, integrates with VMware View to provide information such as when a user has logged on or off, when systems have been disconnected, when peripherals such as USB devices have been plugged in, and so on. This not only rivals but exceeds the extent of capability available in many non-virtualized environments just one example of the many ways in which endpoint virtualization may have a positive impact on endpoint security management. Other innovations likely to have a positive impact on the security of virtualization and the management of administrative risks in virtual environments include the continued adoption of VMware s VMsafe technologies for enhancing visibility and control over virtualization security. EMA Perspective In order to capitalize on virtualization s promise, organizations must confidently manage its risks and nowhere is this more important than in safeguarding the administration of virtualization. With its strategic relationship with VMware, a market leader in virtualization technology, and backed by the capabilities of its RSA Security Division, EMC stands out among vendors serving the requirements of responsible virtualization management. With its strategic relationship with VMware, a market leader in virtualization technology, and backed by the capabilities of its RSA Security Division, EMC stands out among vendors serving the requirements of responsible virtualization management. Its unique ties to VMware give it equally unique insight into one of the most successful virtualization portfolios in the industry, including VMware s virtualization-aware management platforms. The RSA family of SIEM resources and strong authentication provide vital capabilities for visibility into high-privilege actions and strong controls on administrative access, while the EMC and VMware management portfolios together provide essential configuration management and other disciplines necessary to secure the control of virtualization including management of the entire lifecycle of secure storage for VM images to protect administrative capabilities saved in VM configuration. The alignment of these capabilities gives EMC, RSA and VMware a distinctive understanding of virtual relationships between hosts and guests, in virtualized systems, networks, databases and applications. Just as important is the fostering of common integration and collaboration objectives among these vendor groups that mutually support each other, which help identify factors such as specific points of integration that help accelerate adoption and deployment of security measures, which can help reduce total security costs for virtualization management. These factors combine to recommend the EMC and VMware families as a preferred provider of solutions for assuring secure and responsible management of virtualization, and its expansive promise.

10 About RSA RSA, The Security Division of EMC, is a premier provider of security solutions for business acceleration, helping the world s leading organizations succeed by solving their most complex and sensitive security challenges. RSA s information-centric approach to security guards the integrity and confidentiality of information throughout its lifecycle - no matter where it moves, who accesses it or how it is used. RSA offers industry-leading solutions in identity assurance & access control, data loss prevention, encryption & key management, compliance & security information management and fraud protection. These solutions bring trust to millions of user identities, the transactions that they perform, and the data that is generated. For more information, please visit and

11 About Enterprise Management Associates, Inc. Founded in 1996, Enterprise Management Associates (EMA) is a leading industry analyst firm that specializes in going beyond the surface to provide deep insight across the full spectrum of IT management technologies. EMA analysts leverage a unique combination of practical experience, insight into industry best practices, and in-depth knowledge of current and planned vendor solutions to help its clients achieve their goals. Learn more about EMA research, analysis, and consulting services for enterprise IT professionals and IT vendors at or follow EMA on Twitter. This report in whole or in part may not be duplicated, reproduced, stored in a retrieval system or retransmitted without prior written permission of Enterprise Management Associates, Inc. All opinions and estimates herein constitute our judgement as of this date and are subject to change without notice. Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. EMA and Enterprise Management Associates are trademarks of Enterprise Management Associates, Inc. in the United States and other countries. EMA, ENTERPRISE MANAGEMENT ASSOCIATES, and the mobius symbol are registered trademarks or common-law trademarks of Enterprise Management Associates, Inc. Corporate Headquarters: 5777 Central Avenue, Suite 105 Boulder, CO Phone: Fax: