Top virtualization security risks and how to prevent them



Similar documents
Evaluating IaaS security risks

Uniting IAM and data protection for greater security

Virtualization System Security

Network Access Control in Virtual Environments. Technical Note

Securing Virtual Applications and Servers

The Technical Differential: Why Service Providers Choose VMware for Cloud-Hosted Desktops as a Service

Whitepaper. What You Need to Know About Infrastructure as a Service (IaaS) Encryption

Learn the essentials of virtualization security

Server Virtualization A Game-Changer For SMB Customers

Learn the Essentials of Virtualization Security

How To Protect A Virtual Desktop From Attack

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

IBM PowerSC. Security and compliance solution designed to protect virtualized datacenters. Highlights. IBM Systems and Technology Data Sheet

Secure Clouds - Secure Services Trend Micro best-in-class solutions enable data center to deliver trusted and secure infrastructures and services

VIRTUALIZATION SECURITY IN THE REAL WORLD

What Do You Mean My Cloud Data Isn t Secure?

The Challenges of Securing Hosting Hyper-V Multi-Tenant Environments

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview

Deployment Options for Microsoft Hyper-V Server

Protecting the Irreplacable. November 2013 Athens Ian Whiteside, F-Secure

How To Prevent Hacker Attacks With Network Behavior Analysis

Simplified Private Cloud Management

CA Automation Suite for Data Centers

CA Cloud Overview Benefits of the Hyper-V Cloud

Making Data Security The Foundation Of Your Virtualization Infrastructure

Security That Ensures Tenants Do Not Pose a Risk to One Another In Terms of Data Loss, Misuse, or Privacy Violation

Virtualization and Cloud: Orchestration, Automation, and Security Gaps

VIRTUALIZATION SECURITY OPTIONS: CHOOSE WISELY

An overwhelming majority of IaaS clouds leverage virtualization for their foundation.

Overview. Firewall Security. Perimeter Security Devices. Routers

Comprehensive security platform for physical, virtual, and cloud servers

CA Virtual Assurance for Infrastructure Managers

VM-Series for VMware. PALO ALTO NETWORKS: VM-Series for VMware

NETWORK FUNCTIONS VIRTUALIZATION. The Top Five Virtualization Mistakes

Technology Blueprint. Secure Your Virtual Desktop Infrastructure. Optimize your virtual desktop infrastructure for performance and protection

PICO Compliance Audit - A Quick Guide to Virtualization

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1

Security and Billing for Azure Pack. Presented by 5nine Software and Cloud Cruiser

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Public Clouds. Krishnan Subramanian Analyst & Researcher Krishworld.com. A whitepaper sponsored by Trend Micro Inc.

IaaS Cloud Architectures: Virtualized Data Centers to Federated Cloud Infrastructures

FACING SECURITY CHALLENGES

How To Protect Your Cloud From Attack

Proactively Secure Your Cloud Computing Platform

Stay ahead of insiderthreats with predictive,intelligent security

Symantec Protection Suite Enterprise Edition for Servers Complete and high performance protection where you need it

Where every interaction matters.

5 Best Practices to Protect Your Virtual Environment

Web Application Firewall

Intro to NSX. Network Virtualization VMware Inc. All rights reserved.

WildFire. Preparing for Modern Network Attacks

PCI DSS Virtualization Guidelines. Information Supplement: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: June 2011

VMware vcloud Air Security TECHNICAL WHITE PAPER

PCI DSS and the A10 Solution

Security Practices for Online Collaboration and Social Media

White Paper THE FOUR ATTACK VECTORS TO PREVENT OR DETECT RETAILER BREACHES. By James Christiansen, VP, Information Risk Management

Protecting Virtual Endpoints with McAfee Server Security Suite Essentials

White Paper. Juniper Networks. Enabling Businesses to Deploy Virtualized Data Center Environments. Copyright 2013, Juniper Networks, Inc.

Using SUSE Cloud to Orchestrate Multiple Hypervisors and Storage at ADP

Virtualization Technology

Safeguarding the cloud with IBM Dynamic Cloud Security

Cloud Security: Evaluating Risks within IAAS/PAAS/SAAS

How To Protect Your Virtual Infrastructure From Attack From A Cyber Threat

The Role of the Operating System in Cloud Environments

Securing the Intelligent Network

Best Practices for Security and Compliance with Amazon Web Services. A Trend Micro White Paper I April 2013

Vyatta Network OS for Network Virtualization

IT Security at the Speed of Business: Security Provisioning with Symantec Data Center Security

International Journal of Scientific & Engineering Research, Volume 5, Issue 1, January-2014 ISSN

A Look at the New Converged Data Center

Before we can talk about virtualization security, we need to delineate the differences between the

Why Choose VMware vsphere for Desktop Virtualization? WHITE PAPER

Cloud Security Overview

HOW TO PROTECT YOUR VIRTUAL DESKTOPS AND SERVERS? Security for Virtual and Cloud Environments

How to Achieve Operational Assurance in Your Private Cloud

Enterprise Security Platform for Government

Secure your Virtual World with Cyberoam

ILLUMIO ADAPTIVE SECURITY PLATFORM TM

Cloud security CS642: Computer Security Professor Ristenpart h9p:// rist at cs dot wisc dot edu University of Wisconsin CS 642

The True Story of Data-At-Rest Encryption & the Cloud

Virtualization and Cloud Computing

Cloud and Data Center Security

Bitdefender GravityZone Sales Presentation

Transcription:

E-Guide Top virtualization security risks and how to prevent them There are multiple attack avenues in virtual environments, but this tip highlights the most common threats that are likely to be experienced by all. In addition, you ll find best practices for preventing hypervisor malware. Sponsored By:

E-Guide Top virtualization security risks and how to prevent them Table of Contents Virtualization security concerns: The threat of hypervisor malware Resources from CA Technologies Sponsored By: Page 2 of 9

Top virtualization security risks and how to prevent them By Philip Cox One of the top cloud computing threats involves one of its core enabling technologies: virtualization. In virtual environments, there are multiple attack avenues, but this tip will look at ones that are most likely to be experienced by users of the technology: Prebuilt virtual machines/virtual appliances containing malicious code (Trojaned) Improperly configured virtual firewalls or networking Improperly configured hypervisor Data leakage through offline images When building security defenses against these virtualization security risks, it s important to keep in mind a concept that is typically understood and yet often overlooked: The hypervisor and its guests are really just one big pile of code on one physical box. There is no guarantee that the hypervisor is more secure or less buggy than any other software of comparable size (unless evaluated, according to e.g., United States Government Department of Defense (DoD) Trusted Computer System Evaluation Criteria). The physical isolation/separation that was relied upon (at some level) for security is gone, and we need to take that into account when thinking about threats. Trojaned virtual machines/virtual appliances The presence of untrusted virtual machines or Trojaned virtual appliances in the environment should be the first virtualization security risk you address. The untrusted virtual machine will manifest itself in public clouds (i.e., multitenant), and is a bad guy bringing up a malicious system that will attempt to identify proximity related vulnerabilities. The threats are created because the VM is either running on the same hypervisor or within the same cloud, and the cloud provider has created some level of trust between the virtual machines that the consumer is not aware of. If those vulnerabilities exist, the likelihood of exploit increases significantly. Sponsored By: Page 3 of 9

Malicious virtual appliances (an appliance in this sense is anything that is pre-packaged for you to just download and run as a VM) would be a threat in public or private cloud environments. Since you install/use these appliances, there s an element of trust you have given them. The malicious system would then attempt to find vulnerabilities through its trust and exploit them. Now an attacker would have a compromised machine in your environment, thus the intrusion succeeded. Recently, Amazon notified its Elastic Compute Cloud customers that it had identified compromised Amazon Machine Images (AMI) in its community set of AMIs, which are combinations (i.e., stacks) of software created to help users deploy servers quickly in EC2. The notification reminded users about the danger of compromised AMIs. Amazon realized that a compromised appliance or build image provides a trusted foothold in obtaining critical information, such as credentials for further exploit. The keys to preventing these threats are to only use verified and tested appliances/images, and have assurance that your cloud provider has properly configured hypervisor and networking configurations that do not create unintended proximity trust. Further, keep in mind the nature of physical isolation/separation in the virtualized environment and configure systems accordingly. Improperly configured virtual firewalls or networking Traditionally, the networking team handled the configuration of firewalls and network equipment. They understand the intricacies and security implications of VLANs, tagging, routing, stateful connections, how inbound vs. outbound apply to interfaces, etc. This may or may not be true for many host administrators. In a virtual environment, many of the host administrators are now configuring and managing these network security devices. If these devices are not configured correctly, you can have traffic meant for one VM being seen or delivered to another VM or an outside entity. While tools exist to do this right, it is primarily a people issue, in that administrators are being asked to manage security devices they do not understand. Overlook this, and you can have your underbelly exposed. Sponsored By: Page 4 of 9

The key to minimizing this virtualization security risk is to have the network team handle the networking in the virtual environment, even though the virtual networking devices are not physical pieces of networking equipment. If you don t have that luxury, then training the host administrator in the security aspects of network configurations is the next best mitigation. Improperly configured hypervisor The security of the environment is linked to the security of the hypervisor; any unauthorized access to the hypervisor compromises the environment. The main threat here is a lack of controls to limit who can gain access, and once in, what access they have. These are pretty straightforward threats, in that allowing unrestricted access to hypervisors, especially one that can be reached from an untrusted network (e.g., the Internet) increases the threat of attack. Secondly, if you do not restrict what legitimate users can access once they authenticate, you open yourself up to attack. The first vulnerability is easy to deal with by restricting what systems can get access to the management functions (GUI, API, login, etc.). The second is not quite as easy, because you need a robust access control mechanism to allow the access/management of the users VMs (workloads), but not to the host. Further, you likely want to allow certain operations on the host to some users, but not all operations. The underlying access control mechanism must be able to support this. Since many cloud providers (e.g., Amazon) are building hypervisors almost from the ground up, getting the necessary access control mechanisms is difficult. The key to minimizing this threat is the use of granular role-based access control mechanisms to the hypervisor and management applications. Data leakage through offline images When guest images are suspended, unlike physical systems that would need physical access to pull data out of memory, the memory footprint now is in a file, and for all intents, searchable. Take an application securing Social Security or credit card numbers: The VM may be solid and secure, however, when the system is suspended, any information put in memory is likely not protected and assumed to be volatile. The problem arises when the Sponsored By: Page 5 of 9

image suspends and writes that memory to disk. Also, with migration, information states that would never have existed before now exist. We need to protect against that. The nice thing about virtual security is that if you have a good security program in general, you will likely have a secure virtual environment as well. The fact is that if you apply old system administration practices (as they relate to security) to virtual environments, you will be well on the way to minimizing virtualization security risks and a secure environment. Sponsored By: Page 6 of 9

cloud security. can you see beyond the problem? you can The #1 issue for companies migrating to the cloud is identity and access management. But for the agile business, know-ing users is always better than no-ing them. In fact, agile businesses, using our Content-Aware Identity and Access Management solutions, have been able to reduce security risk while improving productivity, access and efficiency. More effective compliance, reduced IT risk, broader, more secure customer and partner relationships. That s what happens when no becomes know. And security turns into agility. To see how we can help make your business more agile and secure, visit ca.com Copyright 2011 CA. All rights reserved.

Virtualization security concerns: The threat of hypervisor malware By Nick Lewis Malware for hypervisors is rare, but could have a significant effect on the trustworthiness of the system as reported. For hypervisor malware to increase in occurrence, it's likely that criminals would need to find ways to more easily monetize attacks on the hypervisor. However, given the high level of access that could be gained by compromising a hypervisor, these types of attacks are one of several virtualization security concerns that are likely to increase in occurrence and could cause significant disruptions, such as denial-of-service (DoS) attacks or compromises of sensitive data. Also, some hypervisors are vulnerable to malware attacks because of the platform they run on. Microsoft Hyper-V, VirtualPC and certain versions of VMware, run on top of Windows, and other hypervisors run on top of Linux-based systems. The Linux or Windows server components could be attacked to compromise the security of the virtual infrastructure. A new method that can be used to prevent malware from infecting a hypervisor was discussed in a recent technical report by researchers at North Carolina State University and IBM, but some other best practices can be taken. These could include isolating the management interfaces of, and connections to the hypervisor to only the systems that need access, not running un-trusted code on the hypervisor, such as software not provided by the hypervisor vendor and keeping the hypervisor software up to date. This excludes any security measures that should be taken on the guest OSes on the virtual infrastructure to ensure the guests cannot be used to attack the hypervisor. Sponsored By: Page 8 of 9

Resources from CA Technologies Securing Virtualized Environments and Accelerating Cloud Computing Webinar: Powerful Control of Privileged Users Controlling Privileged Users with CA Access Control About CA Technologies CA is one of the world's largest IT management software providers. Our software and expertise unify and simplify complex IT environments-in a secure way-across the enterprise for greater business results. We call this Enterprise IT Management (EITM)-our clear vision for the future of IT. It's how you can manage systems, networks, security, storage, applications and databases securely and dynamically. You can build on your IT investments, rather than replacing them, and do it at your own pace. Our more than 5,300 developers worldwide create and deliver IT management software that keeps our vision real. And we've taken our decades of experience solving complicated IT problems and developed practical paths for you to get from where you are today to where you want to be. Sponsored By: Page 9 of 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information