Virtualization and Cloud Computing


Virtualization and Cloud Computing
Security is a Process, not a Product

Guillermo Macias
CIP Security Auditor, Sr.

Virtualization

Purpose of Presentation:
- To inform entities about the importance of assessing the benefits and risks related to the incorporation of virtualization and cloud computing.
- To provide guidance for entities on assessing and incorporating virtualization and cloud computing into production and test environments.
- To assist entities with information about developing and maintaining a detailed documentation set that demonstrates how virtualization is implemented.

What are auditors looking for?
- A logical approach and plan toward compliance.
- Practical steps toward compliance that can be demonstrated.
- Verification for how the entity mapped its Information Technology (IT) security controls to the Critical Infrastructure Protection (CIP) Standards.

Virtualization (continued)

What is virtualization?

"...virtualization is a framework or methodology of dividing the resources of a computer into multiple execution environments, by applying one or more concepts or technologies such as hardware and software partitioning, time-sharing, partial or complete machine simulation, emulation, quality of service, and many others."

Source: http://www.kernelthread.com/publications/virtualization/

Virtualization (continued)

Why are companies moving into virtualization? (Reason: Benefit)
- Server Consolidation: Savings in hardware, environmental costs, management, and administration.
- Legacy Applications: Ability to run legacy applications that will not run on newer hardware and/or OS.
- Build Secure Computing Platforms: Provides secure, isolated sandboxes to run untrusted applications.
- Create Operating Systems: Resource limits and guarantees.
- Simulate hardware and hardware configuration: The illusion of running multiple processors and the ability to simulate networks of independent computers.
- Task Management: System migration, backup, and recovery.

Virtualization (continued)

Four main areas where virtualization is implemented:
- Server-Based
- Storage-Based
- Network-Based
- Virtual Desktop Infrastructure (VDI)

Virtualization (continued)

Defining Some Terms:
- Host: Virtualization platform running hypervisor software.
- Hypervisor Software: A central program used to manage virtual machines (guests) within a simulated environment (host).
- Common host platforms: VMware ESXi, Microsoft Hyper-V, Citrix XenServer, Red Hat KVM, and others.
- Computer resources such as Random Access Memory (RAM), processors (CPUs), and storage are emulated through the host environment.

The Hypervisor
- Primary component of a server virtualization platform.
- Often referred to as the virtual machine monitor (VMM).
- Central nervous system within a virtual infrastructure.
- Manages the host's underlying hardware resources and handles all guest-initiated operating system (OS) and application requests for CPU, memory, I/O, and disk resources.

Virtualization

Defining Some Terms:
- Virtual guest, virtual machine (VM), or guest system: A VM is a group of files that represents a hardware-based computing platform, complete with storage, memory, and configuration components.

Server Virtualization
- Virtual Host: A physical server with a virtualized layer.
- Virtual Machine: Each guest OS running on the host.

[Diagram, top to bottom: Virtual Machines (Virtual OS and Apps), each with its own App and OS; Virtualization layer (The Hypervisor); Physical Layer]

Storage-Based Virtualization
- Combines multiple storage devices into what appears to be a single storage unit.
- Storage virtualization helps perform tasks like backup, archiving, and recovery in less time.
- Storage virtualization can be implemented using software and hardware hybrid appliances.
- Must adhere to the CIP Standards:
  - Verify technical and procedural controls all the way down to the LUN (Logical Unit Number) of the Storage Area Network (SAN).

Server Virtualization

[Diagram: Traditional Servers (MES Server on Win 2003, ERP Server on Win 2008, SCADA Server on Linux) shown beside Virtualized Servers, where the same MES, ERP, and SCADA servers run on a Hypervisor]

Virtualization: VDI
- Virtual Desktop Infrastructure (VDI) consists of virtualizing desktops into images that run on centralized hypervisor platforms.
- Similar to server virtualization, but there are many differences in how the images are created, managed, and in some cases, secured.
- VDI desktops can be accessed in a number of ways. The most common access methods are standard Remote Desktop Protocol (RDP) services.

Benefits of VDI
- Operational improvements and cost savings.
- Bring your own device (BYOD): Employees bring their own laptops and other computing devices to work. VDI can help accomplish this because the operating system, applications, and data access can be controlled by central policies and security technologies within VDI images while a company-controlled client can be installed on the employee's device to permit access.

Benefits of VDI (continued)

Security:
- VDI can reduce the cost of compliance and security for desktops.
- VDI supports centralized policy control, ephemeral (short-term) desktop images, and granular and manageable change and configuration management tools and processes.
- Fighting malware and responding to desktop-related incidents can be easier because all of the infrastructure is centrally located and controlled.
- Virtual machines can be easily deleted and created.

VDI Challenges

Operational Issues:
- Bandwidth: When a large number of users need to access desktop images simultaneously, the amount of bandwidth consumed can be significant.
- Power: A large number of desktop images in use simultaneously could lead to major power spikes and an increase in overall consumption.

Network-Based Virtualization
- Hypervisors can provide networking capabilities that allow individual guest OSs to communicate with one another while limiting access to the external physical network.
- The network interfaces that the guest OSs see may be virtual, physical, or both.

Network-Based Virtualization (continued)
- Network Bridging: The guest OS is given direct access to the host's network interface cards (NIC) independent of the host OS.
- Network Address Translation (NAT): The guest OS is given a virtual NIC that is connected to a simulated NAT inside the hypervisor. As in a traditional NAT, all outbound network traffic is sent through the virtual NIC to the host OS for forwarding, usually to a physical NIC in the host system.
- Host Only Networking: The guest OS is given a virtual NIC that does not directly route to a physical NIC. In this scenario, guest OSs can be configured to communicate with one another and, potentially, with the host OS.

Network Virtualization Technologies
- Virtual Switching Systems (VSS)
- Virtual Switches (VSwitch)
- Virtual Private Network (VPN)
- Virtual Storage Area Network (VSAN)
- Virtual Routing and Forwarding (VRF)
- Virtual Local Area Networks (VLAN)
- Virtual Port Channels (VPC)
- Virtual Device Context (VDC)

Network Virtualization

Device Clustering:
- Allows multiple physical devices to be combined into a larger logical device.
- Combines two physical switches into a single logical switch (e.g., VSS series).
- The main benefit of clustering techniques is they allow systems to scale beyond the size of a single system.
- Complexity of the overall system design does not increase.

Virtualization and CIP
- All CIP Standards Apply!
- Virtual Networks need to be just as secure as Physical Networks.

Virtualization and CIP (continued)

VMs should be treated no differently than physical machines and all CIP Standards apply.

CIP version 3:
- Identification: CIP-002
- Least Privilege Access: CIP-003
- Change Control/Configuration Management: CIP-003
- Personnel and Training: CIP-004
- Segregation (ESP): CIP-005
- Physical Security: CIP-006
- Testing, Security Patching, and Malicious Software Prevention: CIP-007
- Proper Disposal/Redeployment: CIP-007
- Incident Response: CIP-008
- Recovery Plans: CIP-009

CIP version 5:
- The same as CIP version 3, including CIP-010-1 and CIP-011-1.

Virtualization and CIP Questions

CIP-002:
- Is the Hypervisor hosting Critical Cyber Asset (CCA) VMs? If the answer is yes, then the Hypervisor is a CCA too.
- Since the Host OS interacts with the Guest OS via the Hypervisor, the Hypervisor is in scope.
- All VM Cyber Assets on the Hypervisor, including non-CCAs, should be considered in scope of the CIP Standards.

CIP-003:
- Do you have authorized administrators managing the Hypervisor and VMs in scope?

CIP-004:
- Does the administrator have the specialized security virtualization training?

CIP-005:
- Creating on-the-fly virtualized environments may cause security risks to the ESP.

Virtualization and CIP Questions (continued)

CIP-005 (continued):
- Does every virtualized CCA reside within an ESP?
  - VMs that are functioning as Access Control and Monitoring Systems.
  - Virtual IDSs.
- Do any hosts or VMs connect to corporate (non-ESP) networks?
- How is remote management performed for the Host and VMs?

CIP-006:
- Are the Hypervisor and the VMs located within the Physical Security Perimeter?

CIP-007:
- Are all security patches/upgrades for the Hypervisor and VMs assessed for applicability?

Virtualization and CIP Questions (continued)

CIP-007 (continued):
- How is the process of testing VMs different from physical cyber assets?
- How is a complex password implemented on image snapshots? Verify security of those images.
- Automated tools are required for logging and monitoring VMs.

CIP-008:
- Make sure VMs follow the same rules as physical machines.
- How does the Incident Response Plan apply to virtualization?
  - Retention of evidence (images).
  - Forensic purposes (images can be preserved).

CIP-009:
- Backing up and restoring.
  - Hypervisor, host OS, and guest OS.

Virtualization: Threats to a Virtualized Environment

Threats to a Virtualized Environment

Teams must evaluate and assess:
- Vulnerabilities that may exist in the technology.
- Threats to the environment that could exploit those vulnerabilities.
- Potential impact of security events.

Threats to a Virtualized Environment (continued)

Operational Threats:
- VM sprawl:
  - Virtual machines can be deployed in seconds, making it easy to create unapproved VMs (for example, short-term testing systems).
  - VMs created on-the-fly might not be patched, updated, or configured properly.
- Lack of visibility into virtual environments:
  - Many virtual network environments are not monitored adequately.
  - Many virtual networks have quite a bit of internal traffic that is not being monitored adequately by external security and network tools.
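An added example, not part of the original slides: the CIP-002 scoping rule and the CIP-005 non-ESP network question from the earlier slides, together with the VM sprawl concern above, expressed as a small inventory audit. The inventory, host names, network names, and the `approved` change-control flag are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class VM:
    name: str
    host: str              # hypervisor the guest runs on
    is_cca: bool           # identified as a Critical Cyber Asset
    networks: list         # virtual networks the guest's vNICs attach to
    approved: bool = True  # has a change-control record (assumed field)

# Constructed sample data; all names are hypothetical.
ESP_NETWORKS = {"esp-scada", "esp-mgmt"}
INVENTORY = [
    VM("scada-01", "hv-a", True, ["esp-scada"]),
    VM("mes-01", "hv-a", False, ["esp-scada", "corp-lan"]),
    VM("erp-01", "hv-b", False, ["corp-lan"]),
    VM("test-tmp", "hv-a", False, ["esp-mgmt"], approved=False),
]

def in_scope_assets(inventory):
    """Apply the slides' CIP-002 reasoning: a hypervisor hosting any CCA VM
    is itself a CCA, and every VM on that hypervisor is in scope."""
    cca_hosts = {vm.host for vm in inventory if vm.is_cca}
    scoped_vms = {vm.name for vm in inventory if vm.host in cca_hosts}
    return cca_hosts, scoped_vms

def audit(inventory, esp_networks):
    """Return (vm, check, detail) findings for in-scope VMs only."""
    _, scoped_vms = in_scope_assets(inventory)
    results = []
    for vm in inventory:
        if vm.name not in scoped_vms:
            continue  # host carries no CCA guests, so the VM is out of scope
        # CIP-005 question: does an in-scope VM connect to a non-ESP network?
        outside = sorted(set(vm.networks) - esp_networks)
        if outside:
            results.append((vm.name, "CIP-005",
                            "attached to non-ESP network: " + ", ".join(outside)))
        # VM sprawl: a guest deployed without a change-control record.
        if not vm.approved:
            results.append((vm.name, "VM sprawl", "no change-control record"))
    return results

if __name__ == "__main__":
    hosts, vms = in_scope_assets(INVENTORY)
    print("In-scope hypervisors:", sorted(hosts))
    print("In-scope VMs:", sorted(vms))
    for name, check, detail in audit(INVENTORY, ESP_NETWORKS):
        print(f"{name}: [{check}] {detail}")
```

Note that `mes-01` is not a CCA itself, but it is pulled into scope by sharing `hv-a` with `scada-01`, which is why its second NIC on a corporate network is reported.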

Threats to a Virtualized Environment (continued)

Operational Threats (continued):
- Separation of duties not maintained:
  - Separation of duties for people managing systems, networks, and applications in a virtual environment is often lacking.
  - Different teams may not understand how they should manage their parts of the virtual infrastructure.
  - Granting unilateral access to any one group could be a big security risk.

Virtualization

Change and configuration management is a key area to focus on for virtualized organizations:
- Configuration details
- Network settings
- Security-specific settings

Malware-Based Threats

VM-Aware Malware: Various strains and versions of bots, worms, rootkits, and other malicious code formats are capable of determining whether they are running on a physical or virtual host by looking at memory and hardware attributes, memory locations, and process and function behavior.

VM Escape Threat

VM Escape: Malicious code runs within a VM and is able to break out onto the underlying host. In a VM escape, trust zones are violated, access controls are circumvented, and the confidentiality and integrity of Elastic Sky X (ESX) hosts is suspect as soon as it happens.
- Directory Traversal Attack
- Vmchat
- Vmcat
- VM Drag-n-Sploit
- VMftp

Virtualization Challenges

Adapting Anti-malware Tools for Hosts and Guests:
- Two primary concerns for anti-malware protection include host scanning and guest scanning.
- The main issues are performance impacts and integrity problems that result from scanning particular virtualization-specific file structures such as virtual machine disk (VMDK) files in VMware environments.

Cloud Computing

Cloud Computing
- Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction (NIST, 2010).
- In the simplest of terms, cloud computing is basically internet-based computing.

Cloud Benefits
- Pay as you go (Utility Computing Systems).
- On-demand self-service.
- Shared resources.
- Focus on business rather than IT.
- Elasticity: Scale up and down based on business need.
- Cloud computing introduces a level of abstraction between the physical infrastructure and the owner of the information being stored and processed.
- The large variety of devices that can connect to the internet, such as PDAs, mobile phones, and handheld and static devices, has expanded the number of ways the cloud can be accessed.
- What about the Service Level Agreement (SLA)?

Cloud Models

Deployment Models:
- Public cloud
- Private cloud
- Hybrid cloud
- Community cloud

Service Models:
- IaaS (Infrastructure as a Service)
- PaaS (Platform as a Service)
- SaaS (Software as a Service)

Cloud Models: Service Models

[Diagram labels: Enterprise Resources; E-Commerce; Office Automation; Knowledge Management; Operating System; Groupware; Web Hosting; Developers Studios; Accounting Systems; Network; Storage; OS; Database Management; Hardware]

Risks, Threats, and Vulnerabilities

[Diagram labels: Organization; Non-Cloud Specific; Cloud Specific; Technical; Legal; Other]

Risks, Threats, and Vulnerabilities (continued)
- Organization Risk: Loss of business reputation due to co-tenant activities (or the tenants sharing the same resource), and any organizational change that can happen to the cloud provider (as a business organization), including provider failure, termination, or acquisition.
- Technical Risk: The technical risks classification includes problems or failures associated with the provided services or technologies contracted from the cloud service provider.
- Legal Risk: Issues that surround data being exchanged across multiple countries that have different laws and regulations concerning data traversal, protection requirements, and privacy laws. Examples of such risks include, but are not limited to, risks resulting from possible changes of jurisdiction and the liability or obligation of the vendor in case of loss of data and/or business interruption.
- Other: Data Leakage on Upload/Download: When the data is being transferred across the cloud unencrypted, it is subject to traffic sniffing, spoofing, and man-in-the-middle attacks, amongst others.

Cloud Computing and CIP
- CIP-002: Identification of CAs, CCAs, EACMS and PCS
- CIP-003: Access Control Management
- CIP-004: Information Protection Program, cloud computing training and PRAs
- CIP-005: Design and protection of the Electronic Security Perimeter
- CIP-006: Design and protection of the Physical Security Perimeter
- CIP-007: Security patches/upgrades on cloud servers assessed for applicability
- CIP-008: How the Incident Response Plan applies to cloud computing
- CIP-009: Backing up and restoring Critical Cyber Assets

Questions
