S24 – Virtualiza.on Security from the Auditor Perspec.ve


Published on

Published in: Technology, News & Politics
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

S24 – Virtualiza.on Security from the Auditor Perspec.ve

  1. 1. S24  –  Virtualiza.on  Security  from   the  Auditor  Perspec.ve  Rob  Clyde,  CEO,  Adap.ve  Compu.ng;  former  CTO,  Symantec  David  Lu,  Senior  Product  Manager,  Trend  Micro  Hemma  Prafullchandra,  CTO/SVP  Products,  HyTrust   November  7-­‐9,  2011  
  2. 2. Agenda  •  Virtualiza.on  Overview  &  Security  Challenges  •  Industry  Best  Prac.ces   –  ISACA/CObIT  Virtualiza.on  Security  Checklist   –  Center  for  Internet  Security  (hardening  best  prac.ces)   –  Payment  Card  Industry  (Data  Security  Standard  &   Virtualiza.on  Informa.on  Supplement)   –  NIST  Virtualiza.on  Guidance  •  End-­‐to-­‐End  Security  and  Compliance  Guidance  •  Q  &  A  •  Resources   h   2  
  3. 3. Agenda  •  Virtualiza.on  Overview  &  Security  Challenges   h   3  
  4. 4. What  is  Virtualiza2on?   ●   ●   Physical Machine ●   Application Application Virtual Machine Virtual Machine Application Application Operating System Virtual Machine Application Application Application Operating System Application Server Hardware Operating System Operating SystemVirtualization is highly compelling:•  60% reduction in capital expenditure per app* Hypervisor•  Half as many human resources require per app*•  80% reduction in Datacenter outage costs* Server Hardware•  Key to implementation of cloud computing Physical Machine Physical Machine *  VMware  Analysis  2010   h   4  
  5. 5. Virtualiza2on  Progression   100%   Dynamic %  Workloads  Virtualized   Private Cloud Server Mission  Cri.cal  Workloads   Consolidation Non-Mission Critical, Non-Compliance Workloads 0%   Non-­‐Compliant   Compliant   Secure   Best  Prac.ce   Infrastructure  Progression   Despite  high  ROI,  barriers  to  adop.on  remain     •   46%  cite  security  as  primary  reason  that  adop.on  can  be  slowed*   •   35%  worry  about  insider  threats‡   •   28%  “very”  or  “extremely”  concerned  with  security  in  virtual  environment‡‡   *  Jeff  Burt,  eWeek  Ar.cle,  Sept.  2009   ‡  Prism  Microsystems  Survey  of  300  orgs,  2010   ‡‡  Info  Pro  2010  Security  Study   r   5  
  6. 6. Challenge:  Not  All  Hypervisors  are  Equal   Virtual Machine VM VM Virtual Machine Application Application Virtual Machine App App App Application Application Application Operating System Application OS OS Operating System Operating System Type II (Hosted) App App Hypervisor Type I (Bare Metal) Hypervisor Host Operating System Server Hardware Server Hardware Physical Machine Physical Machine h   6  
  7. 7. Security  Challenge:  Resource  Conten2on   Typical  AV     Console   3:00am  Scan  1    Resource  Conten.on   Antivirus Storm Antivirus scans & updates overburden the Hypervisor & SAN d   7  
  8. 8. Security  Challenge:  Instant-­‐on  Gaps  1    Resource  Conten.on   Active Dormant New VMs2    Instant-­‐on  Gaps          Dormant VMs will be missing critical patches and contain out-of-date security controls and are subject to exploitation and compromise d   8  
  9. 9. Security  Challenge:  Inter-­‐VM  AIacks  1    Resource  Conten.on  2    Instant-­‐on  Gaps  3    Inter-­‐VM  Aiacks  /  Blind  Spots   Attacks can spread across VMs d   9  
  10. 10. Security  Challenge:  Management   Provisioning VM Patching Private new VMs Migration Complexity Cloud1    Resource  Conten.on  2    Instant-­‐on  Gaps  3    Inter-­‐VM  Aiacks  /  Blind  Spots  4    Complexity  of  Management   VM sprawl inhibits compliance d   10  
  11. 11. Agenda  •  Industry  Best  Prac.ces   –  ISACA/CObIT  Virtualiza.on  Security  Checklist   –  Center  for  Internet  Security  (hardening  best   prac.ces)   –  Payment  Card  Industry  (Data  Security  Standard  &   Virtualiza.on  Informa.on  Supplement)   –  NIST  Virtualiza.on  Guidance   h   11  
  12. 12. CObIT   CObIT  Control   ISACA  Checklist  Mapping  To   Objec2ve(s)  1.  Securing  the  virtualiza2on  plaSorm  a.  Plajorm  and  installa.on  requirements    1.a.1  Limit  physical  access  to  the  host:  only  authorized  administra.ve   PO4.9,  DS12.3    personnel  should  have  physical  access  to  the  host  system  to  prevent  unauthorized  changes.    1.a.2    Verify  integrity  of  files  prior  to  installa.on:  verify  the  hash  values  of   PO2.4,  AI3.2    system  files,  as  provided  by  the  vendor,  prior  to  installa.on  to  ensure  integrity.    1.a.3  Load  and  enable  only  required  opera.ng  system  components  and   AI3.2    services:  no  unnecessary  opera.ng  systems  components  (e.g.,  drivers)  should  be  loaded,  and  no  unnecessary  services  should  be  enabled  (e.g.,  prin.ng  services,  file  sharing  services).    1.a.4  BIOS,  bootloader  passwords:  passwords  should  be  used  for  BIOS  and   DS5.3  bootloaders  (e.g.,  GRUB)  for  both  hosts  and  guests.     Source:  ISACA  Virtualiza.on-­‐Security-­‐Checklist-­‐26Oct2010-­‐Research.pdf   h   12  
  13. 13. Center  for  Internet  Security  (CIS)  •  Working  on  VMware  vSphere  4.1  benchmark,   schedule  dependent  on  volunteers  •  vSphere  5  already  released,  no  hardening   guide  from  vendor  or  CIS  or  NSA  or  DISA   s.gs…  •  Use  vendor  supplied  benchmark:  more  current   and  vendor  aligned  with  CIS  and  government   requirements   d   13  
  14. 14. Automate  Configura2on  Compliance  Repor2ng   h   14  
  15. 15. Automate  Comprehensive  Compliance  Repor2ng   h   15  
  16. 16. PCI  Data  Security  Standard  •  PCI  Data  Security  Standard  for  protec.ng  Cardholder  Data  •  Changes  in  PCI  Data  Security  Standard  version  2.0   –  Released    October  2010;  all  assessments  from  Jan.  1,  2012  must  be   against  2.0   –  Explicitly  states  that  System  components  include  any  virtualiza.on   components   –  Detailed  virtualiza.on  guidance  released  as  an  Informa.on  Supplement   in  July  2011   Source:  PCI  DSS  2.0    Quick  Reference  Guide     r   16  
  17. 17. Challenges  &  Concerns  When  Virtualizing  CDE   Virtualized  Datacenter   Administrators   •  Use  of  the  hypervisor  &  its  •  Scope:  iden.fy  &  consider   management  systems/interfaces/ ‘included  in  or  connected  to’   consoles  •  Segmenta.on  of  different   •  Storage  of  cardholder  data   security/trust  zones  and   •  Access  control  &  separa.on  of  du.es   workload  .ers   •  Logging  and  aler.ng   r   17  
  18. 18. CDE  Virtualiza2on  Checklist  •  Take  a  risk-­‐based  approach:  iden.fy  all  CDE  system  components  and  note  if   virtual  or  physical,  and  their  primary  func.on  and  owner   –  Consider  the  risk  aggregated  when  running  mul.ple  in-­‐scope  virtual   machines/appliances/security  appliances  on  a  single  or  cluster  of   hypervisors  and  implement  adequate  PCI  DSS  controls   •  Secure  the  hypervisor  as  it  is  most  cri.cal  system  component  (including  its  management   system/interfaces/consoles)   –  Manage  complete  life-­‐cycle  of  in-­‐scope  VMs   •  Secure  VM-­‐to-­‐VM  traffic  that  remains  within  the  hypervisor(s)   •  Ensure  in-­‐scope  VMs  or  other  objects  are  not  moved  to  non-­‐compliant  environments   •  Leverage  op.mized,  virtualiza.on-­‐aware  firewall  and  an.-­‐virus  solu.ons  •  Update  processes  to  account  for  the  greater  management  flexibility   –  Pay  aien.on  to  roles  defini.on,  access  control  and  logging   •  Privileged  access  to  the  hypervisor   h   18  
  19. 19. NIST  SP  800-­‐125:  Virtualiza2on  and  Security  Concerns  •  Addi.onal  layers  of  technology  •  Many  systems  on  a  physical  system  •  Sharing  pool  of  resources  •  Lack  of  visibility  •  Dynamic  environment  •  May  increase  the  aiack  surface   d   19  
  20. 20. Recommenda2ons  for  Security  for  Full  Virtualiza2on  Technologies  •  Risk-­‐based  approach  •  Secure  all  elements  of  a  full  virtualiza.on   solu.on  and  perform  con.nuous  monitoring  •  Restrict  and  protect  administrator  access  to   the  virtualiza.on  solu.on  •  Ensure  that  the  hypervisor  is  properly  secured  •  Carefully  plan  the  security  for  a  full   virtualiza.on  solu.on  before  installing,   configuring,  and  deploying  it   r   20  
  21. 21. Summary  of  Threats  and  Countermeasures  •  Intra-­‐guest  vulnerabili.es   –  Hypervisor  par..oning  •  Lack  of  visibility  in  the  guest  OS   –  Hypervisor  instrumenta.on  and  monitoring  •  Hypervisor  management   –  Protect  management  interface,  patch  management,  secure   configura.on  •  Virtual  workload  security   –  Management  of  the  guest  OS,  applica.ons,  data   protec.on,  patch  management,  secure  configura.on,  etc  •  Virtualized  infrastructure  exposure   –  Manage  access  control  to  the  hardware,  hypervisors,   network,  storage,  etc.   d   21  
  22. 22. Agenda  •  End-­‐to-­‐End  Security  and  Compliance  Guidance   h   22  
  23. 23. Compliance  Challenge:  Moving  Workloads   PCI Network Segment Other Network Segment VM √  PCI  Compliant   VM App App VM App OS VM OS VM App VM OS App App OS OS OS VM ⊗  Not  PCI  Compliant   VM App PCI Workload Dynamically Moved App OS OS PCI  =  Payment  Card  Industry  Data  Security  Standard   r   23  
  24. 24. Non-­‐Compliant  VM  Movement   r   24  
  25. 25. VM  is  now  moved  to  the  wrong  cluster!   Require  Policy-­‐based  Controls  for  all   Change  Management  Ac;vity   r   25  
  26. 26. VM  reconfigura2on:  network  change   Require  Policy-­‐based  Controls  to  ensure   that  authorized  users  do  not  accidentally/ inten;onal  break  compliance   Changing  Network  adapter  1   From  eCommerce  Network   To  Infrastructure  Network   h   26  
  27. 27. Compliance  Challenge:  Insufficient  Logging   Missing  IP  address  and  no  indica.on   that  the  network  adapter  was   reconfigured   r   27  
  28. 28. Insufficient  Logging  Confusing  host  logs  with  insufficient  details  to  iden.fy  specific  ac.on,  no  IP  address  or  user   Require  log  records  with   sufficient  details  for  all   virtual  admin  ac7ons  to   allow  for  monitoring/   inves7ga7on/forensics   r   28  
  29. 29. Compliance  Challenge:  Insufficient  Log  Records   Require  Log  Records  of  all   Change  Management  Ac7vity   (denied/failed  and  allowed)  No  log  message  is  recorded.    Violates  most  policies  and  standards.   d   29  
  30. 30. End-­‐to-­‐End  Security  &  Compliance  Guidance  •  Virtualization increases the risk and complexity of compliance so engage your auditors early to streamline the audit process•  Look beyond traditional security vendors for solutions that address virtualization specific requirements (hypervisor/VM controls)•  View virtualization as an opportunity to improve your current processes –  reporting, monitoring, inter-VM controls, etc. –  achieve objectives that you always wanted in physical environments but could not afford or were restricted by legacy infrastructure•  Embrace virtualization with a virtualization by default approach and build compliance into the default mode of operation h   30  
  31. 31. Ques2ons?   h   31  
  32. 32. Resources  •  ISACA  Virtualiza.on  Checklist  -­‐   hip://www.isaca.org/Knowledge-­‐Center/Research/Documents/ Virtualiza.on-­‐Security-­‐Checklist-­‐26Oct2010-­‐Research.pdf  •  hip://www.isaca.org/Knowledge-­‐Center/Research/ResearchDeliverables/ Pages/Virtualiza.on-­‐Benefits-­‐and-­‐Challenges.aspx    •  PCI  Security  Standards  Council:   hips://www.pcisecuritystandards.org/index.php    •  NIST:  hip://csrc.nist.gov/publica.ons/index.html  •  Adap.ve  Compu.ng:  hip://www.adap.vecompu.ng.com  •  HyTrust:  hip://www.hytrust.com/resources/main  •  Trend  Micro:     hip://us.trendmicro.com/us/solu.ons/enterprise/security-­‐solu.ons/ compliance/   r   32