Kevin Wharram

This presentation covers virtualization and private cloud security

Published in: Technology
  • 03/05/11 Integrated Solutions Management, Inc. Enterprise Governance in a Virtual World
  • Virtual Desktop Infrastructure (VDI)
  • Previously, it made a lot of sense to dedicate a separate physical server to each specific application. By isolating applications on dedicated hardware, you could limit their exposure to potential security threats – and when security failures did happen, you could limit them to a single machine. By dedicating a physical computer and its operating system to a single application, IT departments maintain greater protection against attackers, who have to find another way in. Virtualization platforms have made it far easier and much faster to create and deploy servers and applications than was possible when physical limitations governed system rollouts.

    2. Welcome
       Kevin Wharram, CISSP, CISM, CEH, EnCE, GCFA, 27001 Lead Auditor
       Member of the ISACA Security Advisory Group at ISACA London Chapter
       My interests are in: Forensics, Virtualization and Cloud Security
    3. Agenda
       • What is Virtualization?
       • Server Virtualization Analogy
       • Virtualization Security
       • Virtualization Compliance
       • What is Cloud Computing?
       • What is a Private Cloud?
       • Private Cloud Security
    4. What is Virtualization?
       Virtualization is the creation of a virtual (rather than actual) version of something, such as an operating system (OS), a server, a storage device or network resource.
       Source - http://en.wikipedia.org/wiki/Virtualization
    5. What is Virtualization cont.
       Virtualization presents hardware resources as virtual resources:
       • CPU
       • Memory
       • Storage (Disk)
       • Network Interface (NIC)
    6. History of Virtualization
       • Not a new concept
       • First developed in the 1960s and was better known as time-sharing
       • IBM developed the idea of a Virtual Machine Monitor (VMM), which is also known as a Hypervisor
    7. Types of Virtualization
       • Server Virtualization
       • Desktop Virtualization or (VDI)
       • Application Virtualization
       • Network Virtualization
       • Storage Virtualization
    8. Server Virtualization
    9. What is Server Virtualization?
       • Encapsulate OS and present “virtual hardware”
       • Run many OS on single hardware platform
       • Consolidate underutilized servers
       • VMware (vSphere), Microsoft (Hyper-V), Citrix (XenServer) and Solaris Containers
    10. Server Virtualization Analogy: Hotel vs Holiday Home
    11. Traditional Server: Server without Virtualization (Holiday Home)
        Copyright © 2004 VMware, Inc. All rights reserved.
    12. Virtualized Server: Server with Virtualization (Hotel)
    13. Desktop Virtualization
    14. What is Desktop Virtualization?
        • Desktop virtualization separates a personal computer desktop environment from a physical machine using a client–server model of computing
        • Desktop virtualization is sometimes referred to as Virtual Desktop Infrastructure (VDI)
    15. What is Desktop Virtualization cont.
        • Remote Desktop (RDS) is different to VDI
        • With RDS, all users are sharing the same OS. With VDI, each user has their own real OS (could be dedicated or from a pool)
        • VMware View, Citrix (XenDesktop) and Kaviza
    16. Application Virtualization
    17. What is Application Virtualization?
        • Encapsulate applications (run conflicting applications on same system, e.g. IE 7 and IE 8)
        • Avoid apps corrupting the OS
        • Application delivery (Stream, ESD, Other)
        • VMware (ThinApp), Microsoft (App-V) and Citrix (XenApp)
    18. Network Virtualization
    19. What is Network Virtualization?
        • Network virtualization is a method used to combine computer network resources into a single platform, known as a virtual network
        • Not a new concept
        • Virtual private networks (VPNs) are widely used
        • Virtual Local Area Networks (VLANs) are a form of network virtualization
    20. Physical Network
    21. VMware Virtual Network
    22. Storage Virtualization
    23. What is Storage Virtualization?
        • Storage virtualization is the amalgamation of multiple network storage devices into what appears to be a single storage unit. Storage virtualization is often used in SAN (storage area networks).
        • Source - http://www.webopedia.com/TERM/S/storage_virtualization.html
    24. Virtualization Security
    25. Industry Comments
        • ESG Research indicates that security professionals lack virtualization knowledge and best practice models for server virtualization security.
        • Gartner survey: “40% of virtualization deployment projects were undertaken without involving the information security team in the initial architecture and planning stages.”
        • Gartner analyst Neil MacDonald wrote: “Virtualization is not inherently insecure. However, most virtualized workloads are being deployed insecurely.”
    26. Virtualization Security Benefits
        • Patching
        • Disaster Recovery
        • Investigation
        • Forensics
    27. Virtualization Security Issues
        • Virtual environment misconfiguration
        • Processes
        • Lack of Controls
        • Access Controls
        • Software Vulnerabilities
        • Malware
    28. VMware vSphere Security
        • vCenter
        • Networking, vSwitches, Cisco Nexus 1000v, VLANs
        • Storage
        • Logging
        • Monitoring
    29. Virtualization Compliance
    30. Compliance Issues
        • New technologies introduce new components and processes causing conflict with standards and policies
        • Internal policies and standards need to be updated to reflect virtualization technology
        • Industry standards (PCI DSS, HIPAA, etc.) sometimes lag technology
    31. Compliance Pyramid (diagram labels): Controls Policies & Compliance Processes & Standards
    32. Cloud Computing
    33. What is Cloud Computing?
        Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
        Source - http://www.nist.gov/itl/cloud/index.cfm
    34. Types of Cloud Computing
        • Private cloud
        • Public cloud
        • Community cloud
        • Hybrid cloud
    35. What is a Private Cloud?
        • Operated solely for an organization
        • May be managed by the organization or a third party
        • May exist on-premise or off-premise
    36. Private Cloud Security
        Most of the virtualization controls that we spoke about earlier would apply to the Private Cloud, as you control the “Private Cloud.”
    37. Compliance Pyramid (diagram labels): Controls Organisation Due-Diligence Processes & Standards
    38. Resources
        • NIST guide to Security for Full Virtualization Technologies: http://csrc.nist.gov/publications/nistpubs/800-125/SP800-125-final.pdf
        • VMware hardening guides: http://blogs.vmware.com/security/2010/04/vsphere-40-hardening-guide-released.html
        • Cloud Security Alliance: http://www.cloudsecurityalliance.org/
        • NIST Definition of Cloud Computing: http://www.nist.gov/itl/cloud/index.cfm
        • Center for Internet Security (CIS) Benchmarks on Server Virtualization: http://cisecurity.org/en-us/?route=downloads.benchmarks
        • Defense Information System Agency (DISA): http://iase.disa.mil/stigs/index.html
    39. Questions?
        Kevin Wharram [email_address]