Security Auditing in a Virtual Environment



Similar documents
Control your corner of the cloud.

Taking the Leap to Virtualization

Virtualization Essentials

Securing Virtual Applications and Servers

Mitigating Information Security Risks of Virtualization Technologies

VDI Security for Better Protection and Performance

Virtual Machine Protection with Symantec NetBackup 7

CA Cloud Overview Benefits of the Hyper-V Cloud

Virtualization System Security

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Secure your Virtual World with Cyberoam

Shavlik NetChk Protect 7.1

HP Virtual Controller and Virtual Firewall for VMware vsphere 1-proc SW LTU

Securely Architecting the Internal Cloud. Rob Randell, CISSP Senior Security and Compliance Specialist VMware, Inc.

Best Practices for Managing Virtualized Environments

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Our Cloud Offers You a Brighter Future

Parallels Virtuozzo Containers

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Effective End-to-End Cloud Security

ProtectV. Securing Sensitive Data in Virtual and Cloud Environments. Executive Summary

THOUGHT LEADERSHIP. Journey to Cloud 9. Navigating a path to secure cloud computing. Alastair Broom Solutions Director, Integralis

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

Virtualized WAN Optimization

CSA Virtualisation Working Group Best Practices for Mitigating Risks in Virtualized Environments

Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption

Cloud and Data Center Security

Firewalls Overview and Best Practices. White Paper

Streamlining Patch Testing and Deployment

Securing the Service Desk in the Cloud

International Journal of Scientific & Engineering Research, Volume 5, Issue 1, January-2014 ISSN

Trend Micro. Secure virtual, cloud, physical, and hybrid environments easily and effectively INTRODUCTION

2010 State of Virtualization Security Survey

IBM PowerSC. Security and compliance solution designed to protect virtualised data centres. Highlights. IBM Systems and Technology Data Sheet

6422: Implementing and Managing Windows Server 2008 Hyper-V (3 Days)

GUIDELINE. on SERVER CONSOLIDATION and VIRTUALISATION. National Computer Board, 7th Floor Stratton Court, La Poudriere Street, Port Louis

Secure Multi Tenancy In the Cloud. Boris Strongin VP Engineering and Co-founder, Hytrust Inc.

How To Secure Your System From Cyber Attacks

Backup Software? Article on things to consider when looking for a backup solution. 11/09/2015 Backup Appliance or

Demystifying Virtualization for Small Businesses Executive Brief

managing the risks of virtualization

Building A Secure Microsoft Exchange Continuity Appliance

Network Access Control in Virtual Environments. Technical Note

Announcing the product launch of a Mitel Virtual Mitel Communication Director (Virtual MCD)

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch

How To Protect Your Cloud From Attack

Altaro VM Backup vs. Microsoft s System Center DPM

VIRTUALIZATION SECURITY OPTIONS: CHOOSE WISELY

VIRTUALIZATION SECURITY IN THE REAL WORLD

Enforcing IT Change Management Policy

NERC CIP Ports & Services. Part 2: Complying With NERC CIP Documentation Requirements

Ease Server Support With Pre-Configured Virtualization Systems

Virtualization Impact on Compliance and Audit

Overcoming Security Challenges to Virtualize Internet-facing Applications

Introduction. Setup of Exchange in a VM. VMware Infrastructure

7 Ways OpenStack Enables Automation & Agility for KVM Environments

BMC s Security Strategy for ITSM in the SaaS Environment

Consolidate and Virtualize Your Windows Environment with NetApp and VMware

Learn the Essentials of Virtualization Security

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Evolving Datacenter Architectures

Host-based Protection for ATM's

Learn the essentials of virtualization security

Deployment Options for Microsoft Hyper-V Server

Symantec NetBackup 7.1 What s New and Version Comparison Matrix

Advanced virtualization management for Hyper-V and System Center environments.

Preparing an RFI for. This RFI has been updated to reflect the new requirements in Version 3.0 of the PCI DSS, which took effect January 2015.

Paragon Protect & Restore

Implementing and Managing Windows Server 2008 Hyper-V

Virtualizing Exchange

VMware ESXi 3.5 update 2

How To Protect A Virtual Desktop From Attack

IT HEALTHCHECK TOP TIPS WHITEPAPER

Benefits of virtualizing your network

Securing sensitive data at Rest ProtectFile, ProtectDb and ProtectV. Nadav Elkabets Presale Consultant

Deploying Firewalls Throughout Your Organization

Service-Oriented Cloud Automation. White Paper

Best Practices for Log File Management (Compliance, Security, Troubleshooting)

Outgoing VDI Gateways:

WHITE PAPER. Net Optics Phantom Virtual Tap Delivers Best-Practice Network Monitoring For Virtualized Server Environs

Veeam Cloud Connect. Version 8.0. Administrator Guide

VIRTUALIZATION SECURITY IS NOT AN OXYMORON. With Kaspersky, now you can. kaspersky.com/business Be Ready for What s Next

Best Practices for VMware ESX Server 2

How to Achieve Operational Assurance in Your Private Cloud

Solutions as a Service N.Konstantinidis Technical Director - MNG

Demystifying Cloud Computing Graham McLean

VMware Security Briefing. Rob Randell, CISSP Senior Security Specialist SE

Parallels Virtuozzo Containers

Virtualisation. A newsletter for IT Professionals. Issue 2. I. Background of Virtualisation. Hardware

Cloud Computing Trends

NetApp OnCommand Management Software Storage and Service Efficiency

CloudControl Support for PCI DSS 3.0

Simplifying Storage Operations By David Strom (published 3.15 by VMware) Introduction

Transcription:

Security Auditing in a Virtual Environment

Security auditing considerations within a Virtual Environment Increasing and widespread use of the virtual platform can be seen as a direct response by enterprises to global cost saving initiatives and the embracing of newer, cleaner and faster technologies. The investment is still available even in the current economic climate. The traditional data centre was the first to embrace the use of virtualisation and with larger businesses changing or planning to change to virtual instances the trickledown effect on smaller scale concerns is inevitable. Virtualisation is seen as the way forward for most organisations. Within these virtual environments the benefits are immediately plain to see with the impact on capacity management due to the consolidation of the old physical model. Although decreasing in physical presence the overall technical model remains the same. The usual IT management platforms and back office systems are there, only now they reside within fewer physical entities. The current growth rate for virtualisation technology is increasing as fast as deployments allow and forecasts show that it will not abate in the coming years. The growth rate has its own drawbacks as the required skills will, in the short term at least, be hard to find as professional communities grapple to get up to speed. The combination of growth rate, the demand for greater scale and complexity and the lack of skills will inevitably create associated risk. It is when the question of security is raised that causes most debate. In addition to rapid uptake, limited understanding of the technology or lack of clearly defined ownership responsibility and the swiftness with which a virtual environment can tear up and tear down, most virtual environments will be less secure than the physical environments they replaced. The impact on the traditional IT operation is worth watching. It would be a keen point for discussion to suggest that the arrival of widespread virtualisation usage is comparable in security terms to the impact of the introduction of networking as a common business initiative a few decades ago. It certainly does work and has multiple benefits but what and where are the risks? From a corporate governance and internal auditing perspective things haven t changed too much and the traditional in-house IT auditing tools may change or adapt but the real question is what do you need to look for?

The following are some commonly discussed top security concerns with virtualisation (sources; www.cio.com and www.isaca.org) 1. Risk Assessment & managing oversight and responsibility Understand the peculiar and particular risks associated with virtualisation and its impacts upon the enterprise. The main concerns are how IT resources are separated and aggregated in a virtual environment, and how the virtual environment security is managed. Risk assessment is the first step in that process and the risk analysis should reflect an understanding of the risks inherent when considering a virtual environment and the potential for impact upon the existing environment and its associated security controls. Business continuity is a prime example. Unlike physical servers, which are the direct responsibility of the data-centre operations or IT managers in whose physical domain they sit, responsibility for virtual servers is often left up in the air. Clearly defined roles and responsibilities for virtual instances within the asset register should help resolve some of the ownership issues. As mentioned before the physical environment has changed but the applications and operating systems remain. 2. Patching and maintenance The most tangible risk that can come out of a lack of responsibility is the failure to keep up with the constant, labour-intensive process of patching, maintaining and securing each virtual instance in a company. Unlike the physical servers on which they sit, which are usually managed and configured by assigned owners who also install the latest patches, virtual machines tend to be launched from images that may have been created, configured and patched weeks or months before. Most companies maintain a small number of standard baseline images from which to launch or relaunch new virtual machines for a variety purposes. They may also keep many server images stored on an array of storage media after being laboriously configured to support specific applications or business requirements. How that media is handled and their associated security controls is also something else that would require some scrutiny. Both Microsoft and VMware supply patch-management schedules with their base infrastructure products. Both require disk images stored in libraries to be launched periodically so they can be patched. In addition to verifying the validity of the patch management process this begs obvious questions about procedures for keeping up to date images and are they securely hardened in keeping with a specific best practice or even regulatory compliance and how that process is managed?

3. Visibility, compliance and effective Access Controls Virtual servers are designed to be, if not invisible, then at least very low profile, at least within the data centre. All the storage or bandwidth or floor space or electricity they need comes from the physical server on which they sit. To data-centre managers not specifically tasked with monitoring all the minute interactions of the VMs inside each host, a set of virtual servers becomes an invisible network within which there are few controls. Check for best practices or controls for traffic from one server to other servers, and from server to external devices. Also, evaluate the sufficiency of controls such as a (virtual) firewall and (virtualised) intrusion detection system, where applicable. A developing best practice is to exclude the use of virtualisation in the DMZ (the layer between the Internet and the entity s LAN). The fact that several partitions normally are physically located on a single server increases the risk of malicious activities. In a regular host/server of the past, if an attack occurred, it would normally be restricted to the data on that machine. In virtualisation, an attack could penetrate several different databases located on various VMs on the host machine. Thus, the risk of malicious attack in virtualisation is greater due to scope. The same is true about administrative access to the host machine. Because administrative (admin) rights could affect all partitions, the management console needs to have tight access controls, locked down to specific users and specific partitions or machines. Once access is gained, the person with admin rights could gain access to any of the databases or applications in any of the several partitions. A typical mistake in virtualisation management is to allow too much access to users, for example, a developer given admin rights to a virtual partition. Segregation in networks and virtualisation instances would need to be controlled and those controls must be rigorously and regularly tested. In addition the access control policies need to be robust and strictly adhered to. 4. VM sprawl and Change Management Another consequence of the lack of oversight of virtual machines is sprawl the uncontrolled proliferation of virtual machines launched, and often forgotten, by IT managers, developers or businessunit managers who want extra servers for some specific purpose, and lose track of them later. This may be particularly tricky to spot given the lack of a singular and uniquely identifying physical entity. The already mentioned ease of tear up and tear down for virtualisation is a real cause of concern when it comes to the change management. How is virtualisation managed within the identified change control process?

The understanding of the virtual environment and subsequent evaluation and testing of controls will likely focus on the network map. Determine where in the virtualisation world the following types of systems are located, if they exist: Systems development Systems testing (staging or sandbox environment) Production systems (the larger the company, the more of these will exist) Regional or remote business unit servers (if applicable) Evaluate the completeness and accuracy of virtualisation documentation. For instance, evaluate/test change controls. In the virtualisation world, make sure the documents for change control being validated are from the right partition and on the right server. It is also necessary to know with certainty how to determine completeness and accuracy of the change documentation. The bottom line is that a mechanism must exist to be able to evaluate the process of creating, deploying, managing and making changes to virtual machines. 5. Managing Virtual Appliances A primary concern is that of the management console. Best practice calls for management tools to run on a separate network. Such a configuration has the potential to prevent VMs from prying into the console communications with which it is trying to control the VM. A similar best practice is the hypervisor, the software tool that houses the VM servers. There is an embedded type of hypervisor that comes with the physical VM and is not part of a general purpose operating system. VMware s embedded hypervisor is only 32 MB (skinny by comparison; and the smaller the code, the safer it is from breaches). This, combined with the fact that it is not part of an operating system, increases the security of the hypervisor One of the very best things about virtual infrastructures is the ability to buy or test a product from a third-party vendor and have it up and running in minutes, rather than having to clear space on a test server, install the software, get it to talk to the operating system and the network and then, hours later, see whether it does what it's supposed to. There is an operating system and application in every package, each one with its own configuration and patch status and you have no idea what's in there or who's going to maintain it or what the long-term risk is going to be. It has a full application and operating system all configured and ready to run. In five minutes you can try out that new anti-spam server. But what operating system is in the package and is it patched, and if not, who is going to give you the patch?

Conclusion Much of what currently exists for corporate governance, compliance and auditing can work in virtualisation. What is important is to apply what already works effectively in the traditional physical environment. Use specific analysis and give careful consideration to the peculiarities of the virtual environment not forgetting collection of evidence and assurance regarding controls over those unique aspects of virtualisation. Become aware of best practices in virtualisation using the many easily accessible and readily available sources of information. Without introducing too much unnecessary complexity and using basic and existing techniques, adapting and applying them to the special circumstances of the virtualisation world, the same quality of security will replicate that of the physical environment.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information