How Does Virtualization Change Your Approach to Enterprise Security and Compliance?

Transcription

1 HowDoesVirtualizationChangeYour ApproachtoEnterpriseSecurityand Compliance? SevenStepstoaVirtual awaresecuritystrategy. MichaelBaum Co founder ChiefCorporate&Business DevelopmentOfficer ScottShepard CISSP,CISM PrincipalConsultant Splunk Inc. 250 Brannan Street San Francisco, CA GlassHouse Technologies, Inc. 200 Crossing Boulevard Framingham, MA Copyright 2009 Splunk Inc. and GlassHouse Technologies, Inc.. All rights reserved.

2 SevenStepstoaVirtual awaresecuritystrategy Virtualization is a disruptive new technology that can greatly improve IT operational effectiveness while reducing overall costs, making it a critical initiative for IT Directors charged to do more with less. VirtualizationhasthepotentialtotransformeverylayeroftheenterpriseITstack,bringingconsolidationand increasedutilizationofphysicalassets,versioncontrolofentireoperatingsystemsandapplications,and instant virtualization as one of the fastest growingemerging technologies. Estimatesare thatthe server virtualizationsoftwaremarketwillgrowatacompoundannualrateof28%from2008through2013(from $1.8billionto$6.2billion). However,asvirtualizationadoptioncontinuestoincrease,ithasopenedaheateddebateinthemarketover the security and compliance of virtual environments. On one side, many virtualization product vendors arguethatimplementingvirtualizationincreasessecuritybyisolatingfunctionsintotheirownenvironments. However,manysecurityproductvendorscounterthatvirtualizationintroducesnewrisksincludingnovel pointsofattack,theabilityforvirtualresourcestoeasilyevadepolicyandthevolatilityofcriticalsecurityand compliancedata.whoisright?therearecoretruthsinbotharguments.aswithanynewtechnology,in ordertoachieveasecureimplementation,itisnecessarytoaugmentexistingpolicesandpracticeswithan understandingofhowvirtualizationworks. Ratherthandwellonthedebate,thefocusshouldbeonenablinga virtual aware securityandcompliance strategy adaptingbestpracticestotheuniquecharacteristicsofavirtualenvironment.enablingavirtualaware security and compliance strategy requires accounting for not only the technology aspects of the implementation,butalsothepeople,processandpolicycomponents.thiswhitepaperoutlinessevensteps toestablishingavirtual awaresecurityandcompliancestrategy.althoughvmwareiscitedforillustrating and explaining concepts within this document, the recommendations are applicable to any virtual environmentregardlessofthevendororproductsused. 1.AlignYourSecurityStrategywithYourBusinessRiskTolerance Astheuseofvirtualizationhasgrown,therehasbeenawaveofproductsandsolutions,includingvendors, Altor, Catbird, and Reflex, introduced in the market to address different aspects of security in virtual environments.but,indiscriminatelyimplementingsecuritytechnologiescanleavegapsinprotectionand impacttheperformanceofyourvirtualizedenvironments.inordertomakebusinessappropriatedecisions onsecuritymeasuresandsolutionstoimplement,youmuststartbyidentifyingyourbusinessrisktolerance. Thisisdefinedasthebalancebetweenthesecuritymeasuresimplementedandtheamountofriskyouare willing to take in conducting business. Security measures should always be implemented within the frameworkofadefinedsecuritystrategyandthatstrategymustalignwithkeybusinessdriversandthe businessriskappetite. Thefirststepinidentifyingrisktoleranceandbuildingyoursecuritystrategyistounderstandandidentify your business drivers for a specific virtualization environment and the organization as a whole. When consideringvirtualization,businessdriversmayincludereducingitinfrastructurecosts,improvingservice failovercapabilitiesoragreaterreturnon,andutilizationof,theinvestmentyouhavealreadymadeinit assets.thisshouldbefollowedwithasecurityriskassessmentinordertogainanunderstandingofyour current or baseline risk profile. This will provide the inputs for defining an initial security policy that is designedtoprotectcriticalassetswhileachievingtheidentifiedbusinessdrivers.keepinmindthatthe policymustmeetapplicablelawsandcompliancemandatesrelevanttoyourindustryandorganizationas HowDoesVirtualizationChangeYourApproachtoEnterpriseSecurityandCompliance? Copyright2009SplunkInc.andGlassHouseTechnologies,Inc.AllRightsReserved. Page2

3 wellasremediatethecriticalvulnerabilitiesidentifiedduringtheriskassessmentprocess.understandingthe business drivers and risk tolerance for specific virtualization initiatives will help you balance the security measuresrequiredtomeetbothyourbusinessandsecurityobjectives.considerthecasewhereyourmedia studioisusingvirtualizationinacloudserviceproviderenvironmenttoapplyextracomputeresourcesand speedupprojects.inthisexample,yourrisktolerancemaybefairlyhighandthesecuritymeasuresyou applyataminimum.contrastthiswithyourcrmsystemthatmanagescriticalsales,marketing,support andcustomeraccountinformation.yourrisktoleranceforthisapplicationislikelyverylowandthesecurity measuresappliedwillbesignificant. Figure1:VirtualEnvironmentRiskTolerance The next step is to identify the control points and technologies that can be applied to address the appropriate security measures. Control points identify where to place security monitoring and control technologiestoimplementthegivensecuritymeasuresandpolicies.controlpointsaretypicallyplacedon the user, network, system, application, or the data. Some control points, for example, network control points, may change drastically when moving from a physical to virtual environment. In a physical environment monitoring messages, logs, configurations and packets can be accomplished in a fairly straightforwardmannerusinganynumberoftools.inavirtualenvironment,virtualmachines(vms)have theabilitytoabstractthenetworkthroughvirtualswitchesandsomeofthetraditionalnetworkcontrol points may have moved inside the hypervisor itself. For example, since inter VM communication stays withinthehypervisor,theinformationmaynotbeabletobeeasilycollectedandmonitoredwithtraditional physicalnetworksecuritycontrolpointslikefirewalls,logmanagersorintrusiondetectionsystems(ids). Yourvirtualsecurityandcompliancestrategywillneedtoaccountforanychangesincontrolpointsand ensurethatyoursecuritysolutionisappropriateandeffectivewithinavirtualizedenvironment.traditional security products don t typically provide the same level of security when virtualized as they did in the physical environment due to physical limitations. For example, physical IDS and firewalls are not always capableofhandlingthejumboframes(largerpacketsizes)thatareusedtotransferdatawithinavirtual switch and physical monitoring and log management solutions may not be capable of collecting the necessaryinformationfromthehypervisoritself,forexample. HowDoesVirtualizationChangeYourApproachtoEnterpriseSecurityandCompliance? Copyright2009SplunkInc.andGlassHouseTechnologies,Inc.AllRightsReserved. Page3

4 Figure2:ChangingControlPoints Finally,afterthesecuritymeasuresandassociatedcontrolpointsintheformofprocessesandtechnologies havebeenimplemented,thelaststepistoperformariskandvulnerabilityassessmentinordertoverifythat thesecuritypolicyandbusinessobjectiveshavebeenmet.inordertoremaineffective,thesecuritystrategy needs regular validation by conducting periodicsecurity assessments against the implemented security measures,thecurrentsecuritypolicyandthebusinessdrivers.expectthesecuritystrategytochangeover time.theoutputoftheriskassessmentisusedtotuneandadjustthesecuritymeasuresasnecessary.the endresultwillbeasecurevirtualenvironmentandstrategythatisinlinewiththebusinessrisktolerancefor eachenvironmentandtheorganizationasawhole. 2.SecureVirtualMachinesLikePhysicalMachines ThereisacommonmisconceptionthatVMsdonotrequirethesameprotectivemeasuresasphysicalones. ThemisconceptionstemsfromtheabstractionandhidingoftheVMonavirtualnetworkbehindorinside physicalhardwarethoughnetworkaddresstranslation(nat).thismaygivetheimpressionthatsincethe VMisnotaphysicalentity,itcannotbeseenbytheoutsideworld.However,theVMhasitsownIPaddress andmustprovideaserviceporttoacceptcommunicationfromtheoutsideworldleavingitopentothe same vulnerabilities and threats as a separate physical machine. There is no additional security that is inheritedjustbydeployingvirtualization.therefore,vmsneedtheallofthesamecontrolsandprotective measures, including but not limited to: software patches, antivirus, change management, and intrusion prevention. AnadditionalmisconceptionisthattheVMsaresomehowhiddenbehindthehostoperatingsystemor hypervisor.mostvmswillneedtobeexposedinordertoprovideclientswithaccesstotheapplicationsand services on the VM. Even if the VMs are hidden behind Network Address Translation(NAT), and not directlyreachable,theyarealmostcertainlyofferingaservice,suchas ,web,oradatabase,thatis forwarded to them through that protective layer. Those services can still be attacked through the hypervisor.applicationattacks,particularlytowebapplications,areanincreasinglycommonattackvector. Simplyput,theVMsmustcomplywithandmaintainthesamelevelofsecurityasthephysicalsystemonthe networkandavirtualizedapplicationisasvulnerabletoexploitasanon virtualone. HowDoesVirtualizationChangeYourApproachtoEnterpriseSecurityandCompliance? Copyright2009SplunkInc.andGlassHouseTechnologies,Inc.AllRightsReserved. Page4

5 Figure3:VirtualResourcesBehaveLikePhysicalResourcesontheNetwork NotonlydoestheVMneedtobesecured,butalsosodoesthehostoperatingsystemorvirtualizationlayer (inmanycasesthehypervisorreplacesthehostoperatingsystemwithabaremetalvirtualizationos).itis best to use a hardened, thin host operating system or hypervisor, similar to VMware ESXi. These thin operatingsystemsalreadyhavemostoftheirunnecessaryservicesandapplicationsdisabledandremoved to reduce the chance of a vulnerability exposure. When implementing a thin host operating system considerwhatservicescouldbere enabledthroughunsupportedfeatures.forexample,anadministrator with console access to an ESXi server can enable remote SSH connections, or other services, simply by accessingarootlevelcommandpromptandthenenablingthefeaturesinthenetworkconfigurationfile. Makesuretoperformasecurityassessmentofthehostoperatingsystem,usingappropriatetoolsthatare designedforvirtualenvironments,toensurethattheenabledsystemservicesmeetthesecuritypolicy. Figure4:SecuringHostOS/VirtualizationOS HowDoesVirtualizationChangeYourApproachtoEnterpriseSecurityandCompliance? Copyright2009SplunkInc.andGlassHouseTechnologies,Inc.AllRightsReserved. Page5

6 3.VirtualMachineIsolation Whendiscussingvirtualization,mostsecurityprofessionalsfirstidentifysecurityconcernsoverhowtheVMs areisolatedfromeachotherandfromthehostoperatingsystem.initialvendorsecuritystrategiesfocused onwaystoisolatethevirtualizedoperatingsystemssothatacompromisedvmcouldnotgainaccesstothe other guest systems in the virtual environment. Additionally, VMware and other vendors go into great detaildiscussinghowtoisolatethemanagementinterfaces. However, in February of 2008, VMware introduced VMsafe, which allows access to the same internal applications VMware uses to manage the virtual infrastructure. With this capability, a special VM with promiscuous modeforwardingenabledcanmonitorthetrafficofallvmsonthevirtualswitch.besides network,thespecialvmcanbeconfiguredtomonitorothervirtualizedcomponents(i.e.process,memory, ordisk).vmsafewasintroducedtoimproveperformanceofsimilaractivitiesinallvms.forexample,why run anti virus in each VM, when a single VM can run anti virus and perform file scanning for all VMs? However,thiscapabilityviolatesthefundamentalphilosophyofvirtualmachineisolation. Figure5:ViolatingVMIsolation Atthispoint,moveforwardcautiouslywithVMsafeorsimilarsolutionsuntilthistechnologymatures.VM isolationshouldberetainedandeachvmshouldmaintainsecuritywithinthevirtualenvironmentandnot relyonvmsafe.virtualsecuritypolicyshouldrequirethatallvmtrafficcrossinganetworkboundaryroute outside of the virtual environment pass through physical networking security measures in the form of firewalls,intrusiondetectionsensors,datalossprevention,andothernetworkprotectiveandmonitoring technologies. Once the technology matures, VMsafe will likely prove quite beneficial in improving the securityofallvmsintheenvironment. 4.LimitandMonitorAdministrativeAccess Theintroductionofthehypervisorrequiresadditionalmanagementsoftware.Thisraisessecurityconcerns becausethemanagementsoftwaregrantsadministrativeaccesstomultiplevms.toaddressthisissue, establishrole basedaccesscontrolsfortheindividualvmsthroughthevcentertomirrorthephysicalaccess controls that had been established before virtualization. Additionally, establish network based firewall controlstolimitnetworkaccesstoadministrativeinterfaces.severelyrestrictthenumberofadministrators thathaveconsole/rootlevelaccesstothehostoperatingsystem.thisaccess,aswellasalladministrative HowDoesVirtualizationChangeYourApproachtoEnterpriseSecurityandCompliance? Copyright2009SplunkInc.andGlassHouseTechnologies,Inc.AllRightsReserved. Page6

7 activities,mustbeloggedtoacentralizedlogmanagementserver(seesectiononsecuritymonitoring).in additiontoaccesscontrols,utilizeencryptionandmonitoringsoftware(sshandsudo,respectively)toavoid thesniffingofadministratorcredentialsandtomonitorforabuseofadministratorprivileges. Figure6:LimitingAdministrativeAccess Inadditiontoprotectionofthemanagementsoftware,protectingthevirtualfilesthatmakeuptheVMis critical.utilizebestpracticestoencryptthemwhennotinuse,andlimitadministrativeaccesstothesefiles. WhenVMotionorsimilartechnologyisusedtotransferthesefilesbetweenvirtualenvironments,employ encryptedchannelsoroutofbandadministrativechannels. 5.ProtectVirtualMachineResources Virtualization offers the flexibility to leverage under utilized computing power within the virtual environment.whathappenswhenmultiplevmsinthevirtualizedenvironmentcomeunderadenial ofserviceattack?inatraditional,physicallyseparatedenvironment,thesystems,whicharenotunderattack, arenotaffected.however,inavirtualenvironmenttheunderlyingphysicalinfrastructureandallvmsmay beaffected.forexample,ina4ghzphysicalinfrastructure,iffourvmswereeachallocated2ghzofvirtual processingpower,adenialofserviceattackontwovmswouldadverselyimpacttheperformanceofthe remainingtwovmseventhoughtheyarenotunderadenialofserviceattack. Expandingthisexample,assumetherearefourVMsspreadacrossmultiplenetworkboundariesinaDMZ ( demilitarizedzone thebufferzonethatseparatestheinternetandyourprivatelan).twoofthevms makeupawebclusterthatisaccessiblefromtheinternet.theothertwovmsareontheinternalnetwork andarenotdirectlyaccessiblefromtheinternet.usingtheexampleconfiguration,whereeachofthefour VMsareallocated2GHz,adenialofserviceattackontheWebclusterwillhaveaperformanceimpactonthe twointernalnetworkvms.theendresultisthattheserviceavailabilityofallfourvmswouldbedegraded. HowDoesVirtualizationChangeYourApproachtoEnterpriseSecurityandCompliance? Copyright2009SplunkInc.andGlassHouseTechnologies,Inc.AllRightsReserved. Page7

8 Figure7:PhysicalHostPartitioning Figure8:ResourceLoadBalancing To maintain the desired level of service availability across all VMs, resource (processor and memory) allocation should be managed based on the desired service levels for the VMs, and not solely on the business driver in reduction of physical servers. Establishing reservations, shares, and limits, will ensure stabilityandavailabilityofcriticalvmsifmultiplevmscomeunderdenialofserviceattack.additionally, thesesettingsshouldbemonitoredandadjustedovertimeasthevirtualenvironmentevolves.thiscanbe donemanuallyorthroughvmwaredrs(distributedresourcescheduler),whichallocatesandbalances computingcapacityforvirtualenvironmentsonmultipleesxhosts. 6.EnforceVirtualMachineConfigurationandPatchManagementPolicies Inaphysicalenvironment,configurationandpatchmanagementaremandatoryformaintainingasecure environment.thissameprincipleappliesequallytothevirtualenvironment.allvirtualsystemsshouldfall underthesameconfigurationandpatchmanagementprocess.withvirtualization,however,thereisone notabledifference.howdoyouaddressconfigurationandpatchmanagementforoff linevms?utilizing serverendpointprotectiontoensureanyoff linevmsarebroughtintosecuritycompliancebeforetheygo online can solve this. Additionally, all VMs used for disaster recoveryplanning must be brought online periodicallytoensurethattheyarecompliantwithcurrentsecuritypolicy,andensureimmediateactivation duringanemergency. HowDoesVirtualizationChangeYourApproachtoEnterpriseSecurityandCompliance? Copyright2009SplunkInc.andGlassHouseTechnologies,Inc.AllRightsReserved. Page8

9 Figure9:EnforcingConfigurationPolicies Withavirtualenvironment,configurationandpatchmanagementofthehostoperatingsystemisamust. Vulnerabilitiesandpoorconfigurations,ifexploited,canimpacttheentirevirtualizedinfrastructure.Insome cases additional processes need to be created to handle bare metal host operating systems that are hardenedandstripped down.sincethesearereducedoperatingsystems,patchingandconfigurationtools may not be capable of applying the same patches to the host operating system. A customized patch management and configuration process must be established for patching the host OS. Ideally, the customizedprocessshouldleveragevirtualization shighavailabilitycapabilitiesthatmovecriticalvmsfrom onevirtualenvironmenttoanotherwhiletheunderlyinghostoperatingsystemispatched.lesscriticalvms cangoofflinewhilethehostosisbeingpatched.inbothcases,ensurethecustomizedprocessincludes notificationstoallusers,administrators,andownersofthesevms. 7.SecurityMonitoring Today sitcomputingenvironmentiscomplex,withbusinessrequirementsdrivinganinfrastructurethatis madeupofawidevarietyofapplications,systems,devicesandtechnologies.thethreatsandvulnerabilities inherentwithintoday senvironmentsmakemaintenanceandsecurityaconstantconcern.asimplechange to a single component can have a rippling effect on many other applications and systems across the enterprise. Industry best practices dictate the need for monitoring and reporting on the securityand compliancestateofyourenvironment. Addinganewtechnology,suchasvirtualization,toanalreadycomplexenvironmentmagnifiesthesecurity issues.deployingvirtualizationrequiresadditionalsecuritymonitoringoftheadministrationactivities,the virtualizationmanagementinterface,andaccesstothevirtualmachinelogs,messagesandevents.muchof this data will also need to be retained for security investigations and compliance reporting. Effective monitoringandreportingacrossavirtualenvironmentcanbetrickyasvirtualresourcesandtheirassociated securityandcompliancedatamigratebetweenphysicalsystemsandpotentiallydisappearalltogether. HowDoesVirtualizationChangeYourApproachtoEnterpriseSecurityandCompliance? Copyright2009SplunkInc.andGlassHouseTechnologies,Inc.AllRightsReserved. Page9

10 Figure10:VirtualizationSecurityMonitoringandReporting Security monitoring and reporting can be achieved by first performing an inventory of the security and compliancedatayourphysicalandvirtualresourcesgenerateincludingthelocation(memory,filesystem, network port) and the best way to access the data. Often accessing the logs and messages from a virtualizedenvironmentcanbetricky,asmanyvirtualizationvendorshaven tdesignedveryrobust,scalable APIsordataforwardingmechanisms.Capturingdatainnearrealtimeisimportantgiventhemigrationand volatilityofvirtualresourcesanddata.onceidentifiedthedatasourcesandcollectionmechanism,you ll needtodeployasecurityeventmanagementandreportingsolutiontocorrelateallthedifferenttypesof events and technologies in your virtual stack (applications, operating system, network, storage, access control). Best practice is not to deploy security monitoring and reporting solutions as part of the virtualized environment,asadministratorshavetheabilitytoremovetracesoftheirownactivity.onceyourdatais consolidated, the logs, events and message can be correlated to provide actionable alerts, enable comprehensivesecurityinvestigations,speedtroubleshootingofcomplexproblemsandarchivedtomeet complianceretentionandreportingrequirements. GettingAheadoftheGame Takingadvantageofnewtechnologiesneednotbeariskyproposition.Bycombiningsecuritybestpractices andanunderstandingofhowthetechnologyworks,companiescanefficientlyandsecurelyimplementthe promisedbenefits.byutilizingtherecommendationsoutlinedinthispaperyoucandefinetheappropriate risk basedsecuritypoliciesandimplementnecessarycontrolstoachieveasecurevirtualenvironment. Developawellthoughtout virtual aware securitystrategy. Assessandunderstandyourvulnerabilities Enhanceexistingsecuritymeasures,controlpointsandmonitoringtoaddressvirtualizationgaps. Balanceacceptableriskwithbusinessdrivestoachievethebenefitsofvirtualization. HowDoesVirtualizationChangeYourApproachtoEnterpriseSecurityandCompliance? Copyright2009SplunkInc.andGlassHouseTechnologies,Inc.AllRightsReserved. Page10

11 References SecurityDesignoftheVMwareInfrastructure3Architecture bycharuchaubal,vmware SecurityConsiderationsandBestPracticesforSecuringVirtualMachines byneilmacdonald,gartner, 6March2007 ESX SERVER SECURITY TECHNICAL IMPLEMENTATION GUIDE Version 1, Release 1 Developed by DefenseInformationSystemsAgencyfortheDepartmentofDefense,28April2008 Dataquest Insight: Virtualization Market Size Driven by Cost Reduction, Resource Utilization and ManagementAdvantages bygartner,5january2009 TheGuidetoITSearch bysplunk,january2008 TheBusinessModelOntologyaPropositioninaDesignScienceApproach byalexanderosterwalder, UNIVERSITEDELAUSANNE,2004 AbouttheAuthors MichaelBaumco foundedsplunkwithtwofriendsandanambitiontoassisthumansinthebattleagainst increasingitcomplexityandtheonslaughtofmachinegenerateddata.asfoundingceo,michaelledthe teamthatquicklyscaledsplunkfromageekyideatooneofthefastestgrowingprivatesoftwarecompanies in Silicon Valley. The company has transformed how more than 1,100 enterprises, service providers and governmentorganizationsandmorethan350,000usersworldwideunderstandandmanagecomplexit environments.splunkwasthewinnerofdeloitte's2008fastestgrowingrisingstarsinsiliconvalleyand recognizedasoneofthetopplacestoworkinthebayareabythesanfranciscotimes.nowmichaelis leadingtheteambuildingsplunk'sglobalecosystemofconsultants,solutiondevelopers,resellers,managed serviceprovidersandtechnologypartners. ScottShepard,CISSP,CISM,isaPrincipalConsultantforGlassHouseTechnologies,Inc.Heisaninformation securityexpertwhohasledthedevelopmentofabroadportfolioofmarket leading,differentiatedsecurity servicesolutionsandarchitectures.inhispriorpositionasthedirectoryofsecurityarchitectureatmotorola, heledthedevelopmentandtechnicalbuild outofthe E zones architectureinsupportmotorola sseamless Mobility business vision. Scott received recognition for this unique security implementation with multiple industryawards. Allthetrademarksorbrandsinthisdocumentareregisteredbytheirrespectiveowner(s).VMware,theVMwarelogo, VMotionaretrademarksorregisteredtrademarksofVMware,Inc..Allothermarksandnamesmentionedhereinmaybe trademarksoftherespectivecompanies.allrightsreserved. HowDoesVirtualizationChangeYourApproachtoEnterpriseSecurityandCompliance? Copyright2009SplunkInc.andGlassHouseTechnologies,Inc.AllRightsReserved. Page11