Your SlideShare is downloading. ×

VMWorld 2009 Presentation


Published on

1 Like
  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. TA3901 – Security and the Cloud Ahmed Sallam, Senior Technologist, Software Architecture & Strategy, Chief Software Architect, McAfee Ken Owens, Vice President Security and Virtualization Technology, Savvis
  • 2. Security and Virtualization What The Risks and Opportunities Are Ahmed Sallam Senior Technologist, Software Architecture & Strategy Chief Software Architect
  • 3. What The Session Is About • This secession examines two things: – Virtualization as a new system architecture layer: • Is it secured? • Is there malware targeting virtual environments? • Is it bad for security? • Can it be good for system security and how? • Quick look into VMsafe: More focus on VMsafe CPU/Memory – Securing the virtual infrastructure • Security consideration for cloud environment • Reference Architecture • How to define a SLA for Cloud Security? • How to evaluate the security offerings by cloud providers? Confidential McAfee Internal Use Only
  • 4. Part 1: V12N SECURITY FROM A SYSTEM ARCHITECTURE PERSPECTIVE Confidential McAfee Internal Use Only
  • 5. What Is Systems & Applications Virtualization? • Decoupling of operating systems from the hardware via a VMM • The hardware being: – CPU, memory, I/O (network, storage, graphics, audio, etc.) • Operating systems run concurrently on top of the same hardware • Core virtualization support in the processor – CPUs support I/O and memory virtualization – Reducing the functionality and size of the hypervisor (VMM) – Control access to CPU, memory and I/O resources from underneath the OS • Virtual images: – Entire computing environment in a file: memory, OS, applications, etc. • Hypervisor provisioning: (a) on the fly (b) persisted (c) TXT & TPM • Applications virtualization: – Decoupling of OS from applications via virtual application images – OS and applications in separate virtual image files – Virtual application and OS delivered on the fly • Virtual machines management, single unit of operations: – Snapshot, cloning, migration, powering on/off • Does any of the above impose newer security risks and/or challenges? Confidential McAfee Internal Use Only
  • 6. Risk of New Security Attacks (1) • Malicious hypervisors (hyperjackers) attacks – TXT not present (older systems) and/or disabled – Malicious hypervisor injected on the fly (web surfing, exploitation, local) – Worse if hyperjacker boots first & support nesting of hypervisors • Malware attacking virtual environment from within – Malware can detect the virtual environment: • Vendor’s in-guest modules (processes, services, device drivers) • Changes to processor tables and behavior when virtualization is on – Attacking in-guest virtualization code – Infecting VM memory, registry and files to survive VM operations – Malicious hyper calls • Attacking the hypervisor (Virtual Machine Monitor): – Remote exploitations – Attacking the hypervisor host operating system Confidential McAfee Internal Use Only
  • 7. Risk of New Security Attacks (2) • Attacking the management console application – Exploiting the management console – Tampering with management commands, reporting data (VM Rootkit), user interface, VM configuration, etc. • Malicious use of VM management and configuration APIs • Infecting VM file and memory images on disk – Virtual disk format is documented and public – Virtual disks files may not be protected: • Data is not encrypted • No access control policy • The host is infected with malware • Insider attacks: – Data theft and leakage of virtual memory and disk image files – Tampering with VM configuration and operations • Attacking the VM memory from the host: DMA attacks Confidential McAfee Internal Use Only
  • 8. Virtualization Challenges Traditional Security • Security solutions not ready to a hierarchy of mobile and dynamic VMs belonging to the same parent: – VM OS security software machine identifier no longer unique – Multiple identical reporting and requests to the security cloud – Enterprise management console loosing track of VMs – Misclassification of VM security state: • History of infections (when, wheat, how, etc.) • History of patches deployment • Deployment of local AV signatures – Worse with proactive behavioral protection systems • Mobility of VMs allows malware to cross network boundaries • Isolation from physical network: – Cross VM network traffic not leaving the virtual switch – Network identity of the VM is not present – IPS & Firewall missing routed VMs network traffic Confidential McAfee Internal Use Only
  • 9. Virtualization Opens New Avenues to Security • Hypervisor controls physical resources underneath the OS • Extending hypervisor to allow security software to control & secure: – Memory: read, write and execute – CPU: context switching, memory mapping, debugging – I/O devices: Network, Graphics, Disk, Removable Devices • Security software living outside the OS away from its enemy • Securing VM image files: – Encryption, access control, offline AV scanning, patches • Security as an extension to virtualization infrastructure: – Leveraging virtual storage to support black and white listing – Leveraging virtual network switch to add IPS / Firewall capabilities • Case example: VMSafe – Presenter privileged to be co-designer of VMSafe CPU / Memory – Two flavors: (Covered in next slides) • Memory & CPU security • Network security Confidential McAfee Internal Use Only
  • 10. VMsafe CPU/Memory Dedicated Security VM • Protection of memory and processor operations Confidential McAfee Internal Use Only
  • 11. VMSafe Network Filtering Enterprise Virtual Firewall / NIPS The “Virtual World” The “Virtual World” VMWARE ESX VMWARE ESX Web Servers Database Servers Web Servers Database Servers LAN 1 LAN 2 LAN 1 LAN 2 Vswitch vSwitch1 vSwitch2 Vswitch vNic 1 vNic2 All Traffic Entering/Leaving Secure Firewall Physical the Virutal Environment goes Virtual Appliance Physical NIC1 through the firewall as well NIC2 as Inter-LAN traffic vSwitch0 Physical NIC Physical Server Physical Server Physical Network Firewall Network Firewall inspects Inter-lan traffic as well (Virtualized or Not Virtualized) as inbound/outbound traffic Other Networks Other Networks Confidential McAfee Internal Use Only
  • 12. Expected Growth of VMSafe • Protection over all virtualized devices Confidential McAfee Internal Use Only
  • 13. VMsafe CPU/Memory Has Its Own Challenges • Performance due to VM context switching • Stability of guest OS due to triggers processing latency • Loss of guest OS context • Potential solution: using in-guest kernel mode security agent – VMsafe can protect the agent code – Agent relies on OS for event tracking & control – Malware may attack OS components used by the agent • Only Linux is supported as the OS inside protecting VM Confidential McAfee Internal Use Only
  • 14. Short Note on Virtual Applications Security • Known challenges: – Application Virtualization Layer hiding applications’ operations entirely – AV/HIPS does not see virtual application file activities – Proactive behavioral analysis misses application operations – Mobility of applications virtual images allows malware to extend its reach • New opportunities for security: – Security deeply integrated into apps virtualization layer – Enforcing security policy aside from the OS Confidential McAfee Internal Use Only
  • 15. Part 1 Conclusions • Virtualization imposes new security risks and challenges – New avenues for malware to infect corporate networks and infrastructure – Mobility of virtual images is a major security issue – Configuration and auditing of VMs is problematic – Challenges to legacy security systems • Virtualization provides new opportunities to security – Security underneath and on top of the OS – Security away from the enemy – Security controlling CPU and Memory – Security controlling I/O resources: storage, network, audio and graphics • Virtualizations and security: both need each other Confidential McAfee Internal Use Only
  • 16. Ken Owens Vice President Security and Security and the Cloud Virtualization Technology September 2009 Confidential McAfee Internal Use Only
  • 17. Part 2 SECURING THE VIRTUAL INFRASTRUCTURE Savvis Proprietary & Confidential – INTERNAL USE ONLY 18
  • 18. “Be Careful Up There!” • Concerns about cloud computing security abound: – “The cloud is fraught with security risks…” InfoWorld – “Analysts warn that the cloud is becoming particularly attractive to cyber crooks.” – ComputerWeekly – “Corporate use of cloud services slowed by concerns about data security, reliability” – Computerworld – “Privacy, security issues darken cloud computing plans” – IDG – "Cloud computing sounds so sweet and wonderful and safe... we should just be aware of the terminology, if we go around for a week calling it swamp computing I think you might have the right mindset." – Ron Rivest, co-founder, RSA – “It is a security nightmare and it can't be handled in traditional ways." – John Chambers, CEO, Cisco Savvis Proprietary & Confidential – INTERNAL USE ONLY 19
  • 19. Security Tops Cloud Concerns Source: IDC, 2009 Savvis Proprietary & Confidential – INTERNAL USE ONLY 20
  • 20. Not All Clouds are the Same • Multiple models. Multiple vendors. Multiple policies – Each cloud provider takes a different approach to security – No official security industry-standard has been ratified – Most cloud providers (including Amazon EC2) do not allow vulnerability scanning – Many cloud providers are not forthcoming about their security architectures and policies – Compliance auditors are wary of the cloud, and are awaiting guidelines on audit testing procedures Savvis Proprietary & Confidential – INTERNAL USE ONLY 21
  • 21. What the Industry Is Doing • Several initiatives are underway – DMTF ◦ The Distributed Management Task Force (DMTF), the organization bringing the IT industry together to collaborate on systems management standards development, validation, promotion and adoption, today announced that it has formed a group dedicated to addressing the need for open management standards for cloud computing. The "Open Cloud Standards Incubator" will work to develop a set of informational specifications for cloud resource management – Cloud Security Alliance ◦ A non-profit organization formed to promote the use of standardized practices for providing security assurance within cloud computing – Center for Internet Security ◦ A non-profit enterprise whose mission is to help organizations reduce risk resulting from inadequate technical security controls – PCI Security Standards Council ◦ Has created a special interest group (SIG) to help shape requirements for virtual- and cloud-based cardholder-data environments – NIST ◦ The National Institute of Standards and Technology has created a new team to determine the best way to provide security for agencies that want to adopt the emerging technology called cloud computing. Publication to be issued in 2009. – VMware ◦ Has issued guidelines for security VM configurations Savvis Proprietary & Confidential – INTERNAL USE ONLY 22
  • 22. Security Design Considerations • Integrated Cloud Security – Cloud environments provide limited visibility to inter-VM traffic flows – Specific architecture and configuration decisions ◦ Physical Segmentation ◦ Integrated (vmSafe) Security • Cloud Burst Security – Security Policies – Baseline information • Compliance Concerns – Auditing events – VM Mobility • Defense in Depth – Continue to leverage proven security strategies Savvis Proprietary & Confidential – INTERNAL USE ONLY 23
  • 23. Reference Architecture Savvis Proprietary & Confidential – INTERNAL USE ONLY 24
  • 24. Reference Architecture 1. Security profile per compute profile – Corporate security policy and server tier firewall rules that are defined within a vApp need to be communicated to the service provider – This should include corporate server security patch levels, anti-virus status, and file level access restrictions 2. Security DMZ for vApp – The service provider needs to validate the patch level and security level prior to bringing into a vApp into their production environment 3. OS Management – It is important to understand security hardening the service provider performs around their library of OS’ and their patching policies – VM’s that are not at the correct patch level need to be updated to the correct path level through a DMZ for example. 4. Resource Management – The service provider needs to separate and isolate the resources each customer VM uses from other customers VM resources to prevent DDOS attacks Savvis Proprietary & Confidential – INTERNAL USE ONLY 25
  • 25. Reference Architecture 5. Security Authentication, Authorization, and Auditing – Cloud service provider environments should provide tight integration with enterprise policies around individual and group access, authentication, and auditing (AAA) policies – This involves integration of corporate directories and group policies with the service providers to ensure adequate access policies are enforced. Service providers should offer stronger authentication methods, 2-factor hard or soft tokens or certificates to enterprises that are leveraging a cloud provider 6. Identity Management (SSO, Entitlements) – Cloud environments’ should require control over user access – Cloud providers must define a VM identity that ties each VM to a asset identity within the service provider infrastructure – Based upon this identity, service providers are able to assign user, role, and privilege access within the extended infrastructure to provide role- based access controls – Enterprises also want to prevent unauthorized cloning or copying of the data on a VM to a USB device or CD. Service providers can prevent the VM from being cloned or copied by utilizing a combination of the VM identity and server configuration management policies Savvis Proprietary & Confidential – INTERNAL USE ONLY 26
  • 26. Reference Architecture 7. Security profile per network – In addition to the vApp having a compute security profile, there should also be a network security profile to ensure perimeter and web access security functionality – Enterprises need to ensure that service providers implement separate management networks and data networks per customer – Service providers should have a separate network for vMotiion and vmSafe. Enterprises should request service providers to encrypt all management traffic, including vMotion events – Enterprises should require encryption of their data packets via SSL/IPSec or management connectivity via SSL or SSH 8. Data Security – Enterprises should request service providers to provide assess paths to only the physical servers that must have access to maintain the desired functionality – Service providers should accomplish this through the use of zoning via SAN N-Port ID virtualization (NPIV), LUN masking, access lists, and permission configurations Savvis Proprietary & Confidential – INTERNAL USE ONLY 27
  • 27. How to Define SLA for Security? • Security Policy SLAs – Firewall Rule Auditing – Firewall Change Request implementation SLA – Firewall log availability SLA • Patch Level SLAs – Time to patch SLAs – Remediation SLAs • Threat Management SLAs – Vulnerabilities against VM Asset Auditing – Threats detected and prevented SLAs • Availability SLAs Savvis Proprietary & Confidential – INTERNAL USE ONLY 28
  • 28. How to Evaluate the Security Offering by a Cloud Partner? • The evaluation should be performed based on the following criteria: – Security profile per compute profile – Security DMZ per vApp – OS Management – Resource Management – Security profile per network – Data Security – Security Authentication, Authorization, and Auditing – Identity Management Savvis Proprietary & Confidential – INTERNAL USE ONLY 29
  • 29. Part 2 Conclusions 1. Security tops the list of cloud concerns 2. Not all cloud providers security capabilities are the same 3. Define an acceptable level of risk 4. Define measurable parameters that enable monitoring and assessment of the level of risk 5. Evaluate cloud providers security offerings and controls – Security Capabilities – Measurable parameters (SLAs) – Reference Architecture Savvis Proprietary & Confidential – INTERNAL USE ONLY 30
  • 30. Thank You. Savvis Proprietary & Confidential – INTERNAL USE ONLY © 2009 Savvis, Inc. All rights reserved. Savvis® is the registered trademark of Savvis Communications Corporation. 31