Virtualization Impact on Compliance and Audit

Transcription

1 2009 Reflex Systems, LLC Virtualization Impact on Compliance and Audit Michael Wronski, CISSP VP Product Management Reflex Systems

2 Agenda Introduction Virtualization? Cloud? Risks and Challenges? Compliance PCI and Virtualization Call to Action Q&A

3 What is Virtualization? Virtualization Layer Application Server Oracle Print File Web Application Operating System Hardware Configuration Virtualization Server

4 What is Virtualization? Virtualization Technology: Hypervisor software emulates physical IT infrastructure, inside of a physical server: Virtualization Layer Virtual servers Virtual Networks Virtualization Benefits: Server consolidation one box instead of many Homogeneous Guest HW configuration Better resource utilization, efficiency Green Power / Cooling / Space Virtualization Server Easier deployment, manageability Better service quality, expense control, ROI

5 Virtualization Market Maturity How many physical servers in your data center run virtualization software? In 2009, on how many additional servers will you deploy virtualization software? Participants: Choices Selected: 598 Total Responses: 598 What percentage of your virtual machines is used for production applications in a production environment? Source: Virtualization Decisions 2009 Survey by TechTarget

6 Virtualization Production Maturity Which applications run within virtual machines? Value Count Percent % Application server % Web server % Network infrastructure services (e.g., DNS, DHCP, firewalls, Active Directory, etc.) % Databases for development % Production databases % % End user home directories/file and print % Business intelligence % Over the next year, how will your use of virtual machines in production change? Customer relationship management (CRM)/sales automation % End user desktops % Enterprise resource planning (ERP) % None % antivirus Source: Virtualization Decisions 2009 Survey by TechTarget

7 What is the Cloud? Cloud computing is a model for enabling convenient, on demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Source NIST Draft Cloud is NOT Virtualization

8 Cloud Service Models Service Model Definition Considerations Infrastructure as a Service (IaaS) Platform as a Service (PaaS) Software as a Service (SaaS) Capability to provision processing, storage, networks and other fundamental computing resources, offering the customer the ability to deploy and run arbitrary software, which can include operating systems and applications. IaaS puts these IT operations into the hands of a third party. End user has no control over the underlying infrastructure. Capability to deploy onto the cloud infrastructure customer-created or acquired applications created using programming languages and tools supported by the provider Capability to use the provider s applications running on cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based ). Availability Confidentiality Privacy and legal liability in the event of a security breach (as databases housing sensitive information will now be hosted offsite) Data/Application ownership Geographic Location Source:

9 Virtualization Security Risks Goal of security is to ensure the confidentiality, integrity and availability of information. Virtualization security issues include: Introduction of a new software layer Lack of policy enforcement Data theft and interception Unauthorized access Threat detection and mitigation Confidentiality Availability Integrity

10 Compliance Challenges Visibility and Transparency Challenges Change Management Network Visibility Network Segmentation Compliance Goals Separation of Duty

11 Visibility and Transparency Visibility Basis for All management and security activity Virtualization can create voids in information Transparency Basis of Compliance Audit Stakeholder Confidence Enables Cloud

12 Change Management Primary Problem Change is EASY Documentation Infrastructure Topology Audit Run Book Automation Security Authorization Audit Compliance Evidence

13 Network Visibility Virtualization Creates blind spots virtual networks Existing tools may not be sufficient Regulatory Requirements PCI DSS Pending HIPAA Changes Reconfiguration is trivial

14 Segmentation Same Traditional Reasons Classification / Data Sensitivity Regulation What s Different? Commodity Computing Shared Resource Damage is multiple of Consolidation Ratio Easy to combine data of different sensitivities

15 Separation of Duty Domain Separation Infrastructure Infrastructure Networking Storage Audit Virtual Administrator Sys Admin System Admin Security Why? Checks and Balances Compliance Security How? Apps w/rbac Domain Specific Views

16 Compliance Drivers Internal Policy Regulatory Policy PCI SOX HIPAA Reflex Systems Change Management Audit Evidence & Reporting Network Controls Infrastructure Policy & Control

17 Overview of the PCI DSS o Payment Card Industry Data Security Standard (PCI DSS) o A multifaceted security standard that is intended to help organizations that store, manage, or process payment card information to proactively protect customer account data. o Developed by the PCI Security Standards Council o Founded by AMEX, Discover, JCB, MasterCard, and Visa o Global forum for development, enhancement, storage, dissemination and implementation of security standards for cardholder account data protection o The PCI Security Standards Council s mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards. ** Reflex is not a Certified PCI QSA. This information is based on our industry experience and opinion

18 PCI DSS Requirements Twelve high-level compliance requirements 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and parameters 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks 5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security for employees and contractors PCI DSS v1.2 released October 2008 Contains +220 specific requirements For more info

19 Virtualization s Impact on PCI PCI DSS does not specifically address virtualization Unique challenges faced by organizations that choose to deploy virtualization technology within its PCI environment Traditional security processes and tools Not adequate for protecting and monitoring virtualized environments Focus on managing higher layers of the network No visibility inside virtualized environments Some organizations have misinterpreted PCI DSS to mean that virtualization is incompatible with PCI DSS compliance There are challenges but with the right approach, PCI compliance is in reach

20 Network Segmentation and Monitoring Requirement 1- Install and Maintain a Firewall Configuration to Protect Cardholder Data Sub requirements 1.1, 1.2, Issue: Can virtual firewalls be deployed to meet these requirements and provide appropriate segregation? Virtual switches on the same host cannot exchange packets within the VM Virtual firewalls may be configured to allow data exchange Proper configuration is critical to avoid unauthorized traffic between virtual switches Policy enforcement must be based on defined security policies

21 Network Segmentation and Monitoring (continued) Requirement 2.2 Develop configuration standards for all system components Sub requirements 2.2.1, , 2.2.3, Implement only one primary function per server. Mistaken belief that prohibits all virtualization What is intent of the requirement? Real risk is unauthorized access to CHD through a compromise of guest-tohost or guest-to-guest segmentation Intent can still be achieved through appropriate segmentation and policy monitoring and enforcement Determined on case-by-case basis by PCI QSA s

22 Patch Management and Change Control Requirement 5 Use and regularly update ant-virus software and programs. Sub requirement 5.2 Requirement 6 - Develop and maintain secure systems and applications. Sub requirements 6.1, 6.2 Extremely simple to deploy, copy, store, and move VM s All deployed VM s must conform to PCI requirements when deployed Risks Anti-virus updates and patches may not be deployed to VM s Use of snapshot and rollback" features may revert a VM to unpatched and therefore non-compliant state VM image files with CHD may not be adequately controlled Traditional network monitoring tools may not have visibility within the VM environment Best practice - continuous monitoring and periodic audits

23 Auditing and Logging Requirement Implement automated audit trails for all system components. Sub requirements , , Native software tools may not be adequate to meet the audit, configuration, management, and ongoing log monitoring of virtualized environments Don t forget to log and store hypervisor configuration settings and administration rights Auditing and logging can consume resources - CPU cycles, memory, disk space and network bandwidth Consider storing all host log files on a secure remote syslog server

24 Security Testing Requirement 11- Regularly Test Security Systems and Processes Sub requirements 11.3 and 11.4 Penetration testing Must address unique risks associated with virtual environments Traditional IDS/IPS may not be adequate for VM s Need to monitor traffic within the VM Emerging threats unique to virtual environments May require specialized detection and mitigation

25 Policy Enforcement Requirement Assign information security management responsibilities Sub requirements and Many organizations fail to implement this requirement appropriately Virtual environments may require application aware monitoring Must have appropriate context to assess potential security threats and attacks

26 Call to Action Does your enterprise use virtualization? Any regulated components virtualized? What steps have been taken specific to virtualization? Updated Process / Procedures? New Compensating Controls? Virtualization Specific Audit / Monitoring tools?

27 About Reflex ISV Focused on Virtualization First to market with Reflex Virtual Security Appliance (VSA) in 2006 Highly scalable integrated management platform (Chosen by Savvis in 2009) Management, compliance regulation and auditing for virtual infrastructure Network visibility, control, and policy management and enforcement Security through network segmentation and infrastructure policy VMware VMsafe Certified Solution Recognized award-winning leader in the virtualization ecosystem

28 Reflex Cloud Command & Control Enable Cloud Computing Command & Control Enforce Business, IT & Security Policies Data Center Public/Private Cloud Ensure Security, Compliance & Audit Requirements Improve Efficiency & Agility Increase Flexibility & Scalability

29 Enterprise Management Capabilities Change Control Revision every change of virtual infrastructure Who/What/When Remediate, Automate, Self Heal Infrastructure Security Dynamic Security Policy VMsafe Capable Management Improved Mean Time to Innocence Performance, Network Services, Alarm Management, SOD Scale Large scale environments Quickly Search, Find, and Automate Decisions (VQL)

30 Thank You! Web: Mike Wronski