1. Implementing ID Governance inComplex Environments
2. What do these numbers represent in security? $124 Average cost of a security breach, per compromised record (2010), with negligence the main cause —CA-sponsored survey 48% Percent of all breaches that involved privileged user misuse — Verizon report, 2010 87% Percentage of companies that have experienced a data breach — IT Compliance Institute 74% Percentage of breached companies who lost customers as a result of the breach — IT Compliance Institute
3. NIST Special Publication (SP) 800-125 Guide To Security for FullVirtualization Technologies Recommendations of the National Institute of Standards and Technology Tim Grance and Murugiah Souppaya Computer Scientists in the Computer Security Division These slides and the webinar recording will be made available at: <URL>
4. Disclaimer Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement byNIST nor does it imply that the products mentioned are necessarily the best available for the purpose.
5. Agenda• What is SP 800-125• Why virtualization• Full virtualization• Security concerns• Recommendations for Security for full virtualization technologies• Summary• Questions and answers• Resources
6. SP 800-125• Full Virtualization technologies• Server and desktop virtualization• Security threats• Security recommendations for protecting full virtualization
8. Forms of Virtualization• Simulated environment• Not cover OS and application virtualization• Full virtualization – CPU, storage, network, display, etc• Hypervisor and host OS• Virtual Machine (VM) – Guest OS – Isolated – Encapsulated – Portable
9. Full Virtualization• Bare metal virtualization• Hosted virtualization• Server virtualization• Desktop virtualization
10. Virtualization and Security Concerns• Additional layers of technology• Many systems on a physical system• Sharing pool of resources• Lack of visibility• Dynamic environment• May increase the attack surface
11. Recommendations for Security for Full Virtualization Technologies• Risk based approach• Secure all elements of a full virtualization solution and perform continuous monitoring• Restrict and protect administrator access to the virtualization solution• Ensure that the hypervisor is properly secured• Carefully plan the security for a full virtualization solution before installing, configuring, and deploying it
12. Summary of Threats and Countermeasures• Intra-guest vulnerabilities – Hypervisor partitioning• Lack of visibility in the guest OS – Hypervisor instrumentation and monitoring• Hypervisor management – Protect management interface, patch management, secure configuration• Virtual workload security – Management of the guest OS, applications, data protection, patch management, secure configuration, etc• Virtualized infrastructure exposure – Manage access control to the hardware, hypervisors, network, storage, etc.
13. Questions and Answers
14. Resources• Presidential Memorandum, June 10, 2010, Disposing of Unneeded Federal Real Estate, is available on the following Web page: http://www.whitehouse.gov/the-press-office/presidential-memorandum-disposing- unneeded-federal-real-estate• NIST publications that provide information and guidance on planning, implementing and managing information system security and protecting information include: – Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems – NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach – NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations – NIST SP 800-61 Revision 1, Computer Security Incident Handling Guide – NIST SP 800-64 Revision 2, Security Considerations in the System Development Life Cycle – NIST SP 800-88, Guidelines for Media Sanitization – NIST SP 800-115, Technical Guide to Information Security Testing and Assessment – NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)• For information about these NIST standards and guidelines, as well as other security-related publications, see NIST’s Web page http://csrc.nist.gov/publications/index.html
15. Todd Neilson, CISSP, VP, Sr. Advisor – Security, CAHemma Prafullchandra, CTO/SVP Products, HyTrustChris Boswell, CIS[A,M,SP], CGEIT, Sr Principal, CA
16. Virtualization Security vs Compliance Compliance: the state of being in accordance with established guidelines, specifications or legislation or the process of becoming so. Compliance Security (?) (NIST 800-125)Do you know?• Whether your organization has security guidelines defined for its virtual environment?• Which regulations your organization is subject to?• Whether your virtualization efforts will be subject to regulatory scrutiny?• Whether your security baselines for your virtual environment incorporate your regulatory obligations?
17. Traditional Horizontal Controls RationalizationCSA Cloud Control Matrix IS-08: NIST 800-125 SecurityNormal and privileged user access to applications, Recommendation: Restrict andsystems, databases, network configurations, and sensitivedata and functions shall be restricted and approved by protect administrator access to themanagement prior to access granted. virtualization solution NIST 800-53 (AC-3, AC-5, AC-6, IA-2, IA-4, IA-5, IA-8, MA-5, PS-6, SA-7, SI-9) CIP-003-3 R5.1.1 - R5.3; COBIT 4.1 DS5.4 CIP-004-3 R2.3; CIP-007-3 R5.1 - R5.1.245 CFR 164.308 (a)(3)(i)45 CFR 164.308(a)(3)(ii)(A)45 CFR 164.308 (a)(4)(i) PCI DSS 2.0 (7.1, 7.1.1,45 CFR 164.308 7.1.2, 7.1.3, 7.2.1, 7.2.2,(a)(4)(ii)(B) 8.5.1, 12.5.4)45 CFR 164.308(a)(4)(ii)(C) Source:45 CFR 164.312 (a)(1) https://cloudsecurityalliance.org/research/ccm/ Other Source: www. unifiedcompliance.com
18. Vertical Controls Rationalization using 800-53 with OverlayFrameworks NIST 800- Recommended Security Controls for Federal Information Systems 53 Subset of 800-53 controls tailored to provide FedRamp standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services DoD Mapped their DoDi 8500.2 controls used to secure defense systems to NIST 800-53 Created a set of Acceptable Risk Safeguards DHHS based on 800-53 controls to secure electronic protected health information Issued a special publication 1075 which outlines IRS a subset of 800-53 controls that need to be implemented for those systems processing Federal Taxpayer Information. Did you know The Initial Public Draft of 800-53 Revision 4 encourages agencies with specific security needs to develop their own security “overlays” based on controls within NIST 800-53?
19. Compliance Impact Moving to the Cloud [based on applicable FedRamp controls mapped to NIST 800-53 Rev 4] IMPACT800-53 Security Control Impact #Family Controls High Access Control (AC) 17 Medium PLAwareness & Training (AT) 4 Low Audit and Accountability (AU) 12 IR PSSecurity Assessment and MPAuthorization (CA) 6Configuration Management(CM) 9 CPContingency Planning (CP) 9 SIIdentification and 8 RA CMAuthentication (IA) CAIncident Response (IR) 8Maintenance (MA) 6Media Protection (MP) 6 MA AU IAPhysical and Environmental SCProtection (PE) 18Planning (PL) 5Personnel Security (PS) 8 ATRisk Assessment (RA) 4 SASystem and Services 12Acquisition (SA)System and Communications PE ACProtection (SC) 24System and InformationIntegrity (SI) 12
21. Recap Core Security & Compliance Capabilities in Virtual EnvironmentsProvides account vaulting, two-factor Dynamic isolation of multi-tenantauthentication and fine-grained environments through automatedauthorization for privileged user access orchestration with vShieldwithin the hypervisor policiesProvides seamless auditing of Provides host configurationuser activities across both hardening and continuousguest and host environments. monitoring and assessment
22. ControlMinder with HyTrust Fills Critical VirtualizationPlatform Access Gaps Virtualization Platform Gap ControlMinder with HyTrust Solution Multiple administrators can log into guests and Uses password vaulting (check-in/out) to hosts anonymously by sharing a privileged ensure admins are individually accountable account An admin can bypass vCenter access controls Controls and logs access via any and logging by connecting directly to hosts connection method, creating accountability An admin can access another organization’s Ensures that admins can only access their virtualized workloads in multi-tenant own organization’s data and applications, environments enabling secure multi-tenancy Prevents use of default passwords and Platform allows access via default password supports multi-factor authentication to stop or compromised admin password unauthorized access A current or terminated admin can connect to Controls and logs access to every admin the platform undetected using a backdoor account, preventing major security breaches account 22
23. ControlMinder with HyTrust Fills Critical VirtualizationPlatform Authorization Gaps Virtualization Platform Gap ControlMinder with HyTrust Solution An administrator can shut down any Protects business continuity by controlling virtualized application or switch what resources an admin can manage An admin can create unapproved VMs, with Prevents damaging outcomes by controlling negative operations or compliance impacts VM creation privileges An admin can disable security such as Preserves security by blocking unapproved virtualized firewalls and antivirus shutdowns of virtual security measures An admin can copy sensitive data from a Keeps sensitive data confidential by applying VM to external storage controls to virtual resources An admin can replace a critical VM with a Exposes tampering by creating a permanent, compromised copy while leaving no tracks unchangeable record of every operation An admin can move a low trust virtualized Mitigates security and compliance risks by workload to a high trust server or virtual preventing mixing of trust levels subnet, and vice versa 23
24. ControlMinder with HyTrust Fills Critical VirtualizationPlatform Monitoring Gaps Virtualization Platform Gap ControlMinder with HyTrust Solution Separate log files for vCenter, each host and Consolidated, centrally managed logs guest must be collected and aggregated for covering all aspects of your virtual complete monitoring. environment. Captures all activity within the virtual Failed or blocked authorization attempts infrastructure, not just authorized, successful are not captured and recorded in audit logs transactions. Automated assessment and remediation Native configuration management capabilities enable continuous compliance capabilities do not promote ongoing monitoring of hypervisor configuration settings compliance monitoring for hypervisor against industry standard or custom- configuration drift. configured security templates. Native platform log entries may lack sufficient Audit records contain greater detail needed detail to support operational and security for compliance and internal audit needs activities. 24
25. Complete solution for both physical and virtual environments CA ControlMinder with HyTrust is actually only one component within a broader suite of solutions in the ControlMinder family which provides comprehensive access controls across both physical and virtual infrastructures. Privileged User Host Access Control (AC) CA ControlMinder with HyTrust Central UNIXRisk Management Privileged User Password Management (PUPM) Session Recording Audit and Reporting (CA User Activity Reporting Module) Environment UNIX/Linux Windows Virtual DATABASES NETWORK APPLICATIONS Servers Servers Servers 25
27. Single solution provides best coverageCA ControlMinder—Premium Edition1 Privileged User Password Manager 3 UNIX Authentication Broker (UNAB)— Control access to shared accounts — Centralized UNIX administration— Authorization workflow including “break — Active Directory (AD) authentication glass” — Native integration with AD— Accountability of shared account access — Kerberos-based Single Sign-On— Manage application passwords— Windows services/scheduled tasks2 4 Session Recording and User Activity Access Control Reporting— Server security (physical/virtual) — Centrally managed audit logs across— Manage fine-grained access physical and virtual environments— Centralized policy management across — Privileged user access reporting disparate systems — Unix keystroke logging— Segregation of duty — Full session recording integration— Auditing privileged access
28. Questions You Should Be Asking Today Do you allow shared privileged access to your sensitive servers? How do you account for privileged user’s actions? Can your system administrators access sensitive data on the servers? Do you have controls to prevent/log that? Can you trace administrative action back to administrative users? Have you had system down incidents where you needed to do so? Do you have any controls in place to prevent shared account access on your sensitive servers? What server operating systems do you have deployed? How do you manage security across them? How do you provide evidence of compliance?28 28
29. benefits to youRapidly achieve Reduce risk and Accelerate newbusiness agility improve compliance business services Leverage elastic Protect your Deploy new service levels, and critical assets services more flexible cloud across physical, quickly and securely. virtual, and cloud Retain customers and deployment environments. engage with business options and hybrid coverage. partners. 29