CSA Virtualisation Working Group Best Practices for Mitigating Risks in Virtualized Environments



Similar documents
Best Practices for Mitigating Risks in Virtualized Environments

Cloud Computing Governance & Security. Security Risks in the Cloud

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM

Security Issues in Cloud Computing

Cloud Security Introduction and Overview

ProtectV. Securing Sensitive Data in Virtual and Cloud Environments. Executive Summary

Virtualization Impact on Compliance and Audit

Private Clouds. Krishnan Subramanian Analyst & Researcher Krishworld.com. A whitepaper sponsored by Trend Micro Inc.

Secure Administration of Virtualization - A Checklist ofVRATECH

Public Cloud Security: Surviving in a Hostile Multitenant Environment

Cloud Security. Peter Jopling IBM UK Ltd Software Group Hursley Labs. peterjopling IBM Corporation

Network Access Control in Virtual Environments. Technical Note

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

H Y T RUST: S OLUTION B RIEF. Solve the Nosy Neighbor Problem in Multi-Tenant Environments

STORAGE SECURITY TUTORIAL With a focus on Cloud Storage. Gordon Arnold, IBM

THE BLUENOSE SECURITY FRAMEWORK

Cloud Computing: What needs to Be Validated and Qualified. Ivan Soto

05.0 Application Development

Cloud Security. DLT Solutions LLC June #DLTCloud

managing the risks of virtualization

Cloud Security. Securing what you can t touch. Presentation to Malaysia Government Cloud Computing Forum HUAWEI TECHNOLOGIES CO., LTD.

Protecting Sensitive Data Reducing Risk with Oracle Database Security

Making Data Security The Foundation Of Your Virtualization Infrastructure

Tenable Webcast Summary Managing Vulnerabilities in Virtualized and Cloud-based Deployments

State of Oregon. State of Oregon 1

Overcoming Security Challenges to Virtualize Internet-facing Applications

Cloud Security and Managing Use Risks

PICO Compliance Audit - A Quick Guide to Virtualization

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

How To Protect Your Cloud From Attack

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

Protect Root Abuse privilege on Hypervisor (Cloud Security)

John Essner, CISO Office of Information Technology State of New Jersey

How to Achieve Operational Assurance in Your Private Cloud

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

Security Virtual Infrastructure - Cloud

Security Auditing in a Virtual Environment

Secure Multi Tenancy In the Cloud. Boris Strongin VP Engineering and Co-founder, Hytrust Inc.

Preparing an RFI for. This RFI has been updated to reflect the new requirements in Version 3.0 of the PCI DSS, which took effect January 2015.

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security

SERENA SOFTWARE Serena Service Manager Security

What Cloud computing means in real life

Data Protection: From PKI to Virtualization & Cloud

Attachment A. Identification of Risks/Cybersecurity Governance

The Value of Vulnerability Management*

Moving beyond Virtualization as you make your Cloud journey. David Angradi

Is it Time to Trust the Cloud? Unpacking the Notorious Nine

Course Outline: Course 6331: Deploying and Managing Microsoft System Center Virtual Machine Manager Learning Method: Instructor-led Classroom Learning

Keith Luck, CISSP, CCSK Security & Compliance Specialist, VMware, Inc. kluck@vmware.com

Intro to NSX. Network Virtualization VMware Inc. All rights reserved.

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

Deploying and Managing Microsoft System Center Virtual Machine Manager

External Supplier Control Requirements

Keyword: Cloud computing, service model, deployment model, network layer security.

Effective End-to-End Cloud Security

Security Requirements for Wireless Local Area Networks

VMware Software Defined Network. Dejan Grubić VMware Systems Engineer for Adriatic

FACING SECURITY CHALLENGES

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

SDN/NFV Position Paper

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

Data Storage Security, Cloud Computing and Virtualization

Cloud Security Who do you trust?

Course 6331A: Deploying and Managing Microsoft System Center Virtual Machine Manager

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master

PCI DSS Virtualization Guidelines. Information Supplement: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: June 2011

SECURITY MODELS FOR CLOUD Kurtis E. Minder, CISSP

Public Clouds. Krishnan Subramanian Analyst & Researcher Krishworld.com. A whitepaper sponsored by Trend Micro Inc.

Can You be HIPAA/HITECH Compliant in the Cloud?

Assessing Risks in the Cloud

Mitigating Information Security Risks of Virtualization Technologies

Cisco Security Optimization Service

Total Cloud Protection

GE Measurement & Control. Top 10 Cyber Vulnerabilities for Control Systems

RED HAT CLOUDFORMS ENTERPRISE- GRADE MANAGEMENT FOR AMAZON WEB SERVICES

#ITtrends #ITTRENDS SYMANTEC VISION

INTERNATIONAL JOURNAL OF ELECTRONICS AND COMMUNICATION ENGINEERING & TECHNOLOGY (IJECET) Introduction to Cloud Security. Taniya

Streamlining Patch Testing and Deployment

3rd Party Assurance & Information Governance outlook IIA Ireland Annual Conference Straightforward Security and Compliance

How Data-Centric Protection Increases Security in Cloud Computing and Virtualization

Course 20533: Implementing Microsoft Azure Infrastructure Solutions

Chapter 1 The Principles of Auditing 1

Paxata Security Overview

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive

Implementing Microsoft Azure Infrastructure Solutions

Transcription:

CSA Virtualisation Working Group Best Practices for Mitigating Risks in Virtualized Environments Kelvin Ng Tao Yao Sing Heng Yiak Por Acknowledgeme nts Co-Chairs Kapil Raina, Zscaler Kelvin Ng, Nanyang Polytechnic Yao Sing, Tao, IDA Singapore Contributors Abhik Chaudhuri, Tata Consultancy Services Heberto Ferrer, HyTrust Hemma Prafullchandra, HyTrust J D Sherry, Cavirin Kelvin Ng, Nanyang Polytechnic Xiaoyu, Ge, Huawei Yao Sing, Tao, IDA Singapore Yiak Por, Heng, Nanyang Polytechnic CSA Global Staff Frank Guanco, Research Analyst Victor Chin, Research Analyst 1

Agenda Background Whitepaper Development Scope Introduction Securing Virtualization Platforms and establishing Governance Virtualization risks and Controls Risk Assessment What next? Q&A Background Project Charter The CSA Virtualization Working Group provides guidance on implementation best practices for enterprises in the deployment of virtualization in the areas of compute and network. Deliverables 1. White Paper for the enhancements on Security Guidance for critical areas of focus in cloud computing v 3.0 Domain 13 2. A guideline for best practices for secure network virtualization design and deployment Participation 1. Basecamp 2. Bi-Weekly Concall 3. Open Peer review. 2

Whitepaper Development Working Group formed Aug 2014 Reference Documents Security Guidance for critical areas of focus in cloud computing v 3.0 2011 Domain 13 Singapore Standards Council, TR30:2012, Spring Singapore. Scope Provides guidance on the identification and management of security risks specific to compute virtualization technologies that run on server hardware as opposed to, for example, desktop, network, or storage virtualization. The audience includes enterprise information systems and security personnel and cloud service providers, although the primary focus is on the former 3

Introduction Cloud Computing Top Threats 2013 report by CSA Data breaches Data loss Account or service traffic hijacking Insecure interfaces and APIs Denial of services Malicious insiders Abuse of cloud services Insufficient due diligence Shared technology vulnerabilities Securing Virtualization Platforms and establishing Governance Initiation phase Identify virtualization needs, Providing an overall vision and create high-level strategy Identifying platforms and applications that can be virtualized 4

Securing Virtualization Platforms and establishing Governance Planning and Design phase Major considerations include selection of virtualization software, storage system, network topology, bandwidth availability and business continuity. Appropriate logical segregation of instances that have sensitive data. Separate authentication should be established for application / server, guest operating system, hypervisor, and host operating system Securing Virtualization Platforms and establishing Governance Implementation phase Virtualization platform should be hardened using vendor-provided guidelines and/or 3rd party tools. Role-based access policies should be enforced to enable segregation of duties, thereby facilitating proof of governance. Proper VM encryption is required to significantly reduce the risk associated with user access to physical servers and storage containing sensitive data. 5

Securing Virtualization Platforms and establishing Governance Disposition phase Tasks should be clearly defined in sanitizing media before disposition. VM retirement process must meet legal and regulatory requirements in order to prevent data leakage and breaches.. Virtualization Risks and Controls Risks and controls of using VM VM Sprawl Sensitive Data within a VM Security of Offline and Dormant VMs Security of Pre-Configured (Golden Image) VM / Active VMs Lack of Visibility Into and Controls Over Virtual Networks Resource Exhaustion 6

Virtualization Risks and Controls Risks and controls on using hypervisor Hypervisor Security Unauthorized Access to Hypervisor Risks and controls due to changes in operation procedures Account or Service Hijacking Through the Self- Service Portal Workload of Different Trust Levels Located on the Same Server Risk Due to Cloud Service Provider API Virtualization Risks and Controls VM Sprawl Risk Name VM Sprawl Risk Description VM sprawl describes the uncontrolled proliferation of VMs. Because VM instances can be easily created and existing instances can be easily cloned and copied to physical servers, the number of dormant VM disk files is likely to increase. In addition, the unique ability to move VMs from one physical server to another creates audit and security monitoring complexity and loss of potential control. As a result, a number of VMs may be unmanaged, unpatched, and unsecured. Relevant Security Aspect Relevant Governance Risk Area Vulnerabilities Affected Assets CCM v3.0.1 Risk to confidentiality, integrity, and availability Architectural and configuration risk Proper policy and control processes to manage VM lifecycle do not exist. Placement / zoning policies or enforcement of where a dormant VM can instantiate or reside does not exist. A discovery tool for identification of unauthorized VMs does not exist. VM CCC-05 7

Virtualization Risks and Controls VM Sprawl Potential security impact In a traditional IT environment, physical servers must be procured. This requirement enforces effective controls, because change requests must be created and approved before hardware and software can be acquired and connected to the data center. In the case of virtualization, however, VMs can be allocated quickly, self-provisioned, or moved between physical servers, avoiding the conventional change management process. Without an effective control process in place, VMs and other virtual systems with unknown configurations can quickly proliferate, consuming resources, degrading overall system performance, and increasing liability and risk of exposure. Because these machines may not be readily detectable or visible, they may not be effectively monitored or tracked for the application of security patches or effectively investigated should a security incident occur. Virtualization Risks and Controls VM Sprawl Security Controls for Mitigating Risks To mitigate risk, consider implementing the following security controls: Put effective policies, guidelines, and processes in place to govern and control VM lifecycle management, including self-service and automated scripts / DevOps tools. Control the creation, storage, and use of VM images by a formal change management process and tools. Approve additions only when necessary. Keep a small number of known-good and timely patched images of a guest operating system separately and use them for fast recovery and restoration of systems to the desired baseline. Discover virtual systems, including dormant ones and the applications running on them, regularly. Discovering, classifying, and implementing appropriate security controls for each VM and its associated network connections is critical. This process includes quarantine or rollback capability in case a compromise occurs. Use virtualization products with management solutions to examine, patch, and apply security configuration changes to VMs. 8

Risk Assessment Asset risk evaluation based on :- Identified vulnerabilities Likelihood Impact due confidentiality Impact due to integrity Impact due availability Average risk level rating For any risk level above acceptance criteria Mitigate risk items via recommended controls in whitepaper Continuously monitor and mitigate risks Risk Assessment Evaluation of Risk Type of Risk Asset exposed to risk Vulnerability Likelihood Impact Due to Confidentiality Compromise Impact Due to Integrity Compromise Impact Due to Availability Compromise Evaluate Risk Risk Level Treatment Control to be implemented Evaluate Residual Risk Level 1. VM Sprawl VM Lack of effective control process to manage VM lifecycle Lack of placement / zoning policies or enforcement of where a dormant VM can instantiate or reside Lack of discovery tool to identify unauthorized VMs 9

What Next? Update Security Guidance for critical areas of focus in cloud computing v 3.0 Domain 13 Plan to use it as a support document for ISO May 2015, Kuching Malaysia ISO Working Group 4 Either 6 month study period Or launch new WG item with enough support??? 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information