Your SlideShare is downloading. ×

Compliance in Virtualized Environments


Published on

Information Security & compliance issues in Virtualized Environments; presented at CSI 2009

Information Security & compliance issues in Virtualized Environments; presented at CSI 2009

Published in: Technology

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide
  • NOTE!Slide notes are not prepared for public use.
  • Compliance to best practices and industry standards is often difficult for new technologies and service approaches. Although compliance control objectives or control descriptions should remain flexible regarding the specific control implementation, over time some have become too specific regarding technology implementations with little guidance regarding how new technologies or approaches should align.Often new technical components are added to design and new process are added to service management when implementing new technologies leaving many unanswered questions regarding the Scope and Intent of compliance (i.e. Financial Control Compliance VS IT Value for Money)Example of control prescription conflict in virtualization
  • What do we want to be compliant with?HIPPA, PCI, SOX, NERC, CFR?Do the high level objectives of the compliance standard conflict with virtualization trust domains or controls available?Does the regulating body allow for interpretation of control objectives to an environment and technology? - Do they dictate whether or not virtualization can be used as a technology?Who has the regulating body assigned to attest to compliance? Who is accountable for assuring control implementations meet control objectives required by compliance? - Are you allowed to self-attest? - What experience does the third party auditor have with Virtualization? - Will the third party help or hinder (Compliance or Intent?)
  • What specific control objectives are impacted or influenced by virtualization?Understanding the control objectives related to virtualization and your service management model is key to creating a comprehensive compliance strategy.Prioritizing the identified control objectives and determining if explicit controls (physical) and control implementations (component) are prescribed by the compliance standard and regulating body.If explicit implementations are not aligned can we be compliant?
  • What design and service management issues in virtualization are related to compliance with your required objectives?Core Themes
  • What real world issues exist with compliance initiatives in virtualized environments? - Design and service management is maturing at a high rate in relation to virtualization architecture - Experts disagree on effectiveness of controls and implementations - Virtualization allows people and entities to quickly create boundary less service environments where traceable control implementations may become impossibleWhat SLAs exist for core controls and/or infrastructure/data supporting controls?Do contractual agreements allow system risk to be managed or improved?
  • How do I approach a compliance review or gap analysis in my environment?Understand your compliance governance structure - Who regulates compliance? - Who attests to what level? - What type of assurance controls enable compliance?Understand your virtualization environment security architecture - What entities are inManage and compensate for real world management and maintenance issues - Ensure to promote awareness of the need for on-going assurance vs static compliance
  • Transcript

    • 1. Compliance Challenges in Virtualized Environments
    • 2. Compliance to best practice and industry standards is challenging for new technologies like virtualization
      Compliance in Virtualized Environments
      Compliance Standards
      Assurance of Control Objectives
      Prescription of Control Implementations
    • 3. New technologies introduce new components and processes causing conflict with existing control prescriptions
      Each server must only have one primary function.[§ 2.2.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers Version 1.2 October 2008, v1.2]
      Key components should be protected by segregating the critical applications from the other applications and information.[CI2.1.4(a), The Standard of Good Practice for Information Security]
      Utility programs are programs that may be able to override system and application controls. They should be restricted and controlled. If these system utilities are not needed, they should be disabled or removed.[§ 11.5.4, ISO/IEC 27002-2005 Code of practice for information security management]
      Compliance in Virtualized Environments
    • 4. Security boundaries within process and technical domains are still being defined and designed for virtualization
      What consistent best practice exists for virtualized image management?
      Are there varying levels of granularity regarding access control within different virtualization technologies?
      Compliance in Virtualized Environments
    • 5. Virtualized PCI Application Domain Model
      Relationship Scenarios
      S1. Untrusted users publicly enter PCI information
      S2. / S2a. Servers transfer PCI info to provider (S2a. Telephone)
      S3. Remote locations access applications containing PCI Information
      S6. Staff access PCI application from LAN/WAN
      S7. Staff access management interfaces of physical and virtual guests and hosts
      S9.Staff access management interfaces of the routers/switches
      S11. Data is transferred between the Web-facing PCI Servers and internal PCI database servers
    • 6. What do we want to be compliant with?
      Do the high level objectives of the compliance standard conflict with virtualization?
      Does the regulating body allow for interpretation of the standards?
      Who has the regulating body assigned to attest to the compliance of the standards?
      Compliance in Virtualized Environments
    • 7. What specific control objectives are impacted by virtualization? (Improved?)
      Process and environment classification (NERC CIP-003-1 R4.2)
      Extension of information asset classification(HIPAA 164.308(a)(7)(ii)(E))
      Log Monitoring & Tracking (PCI 4.2 (v1.1))
      System boundary definition (NIST 800-53)
      Are there specific control implementations in conflict?
      Least Privilege implementation issues
      Lockout Procedure By-pass
      Compliance in Virtualized Environments
    • 8. What design & service management issues in virtualization are related to compliance?
      Business Continuity Management
      Security Audit & Assurance Levels
      Change Control Implementations
      Security Domain / Boundary Control
      Access Control & Privilege Administration
      Security Operation Schedule Management
      Compliance in Virtualized Environments
    • 9. Issues with Virtualized Environments and PCI Compliance
      Understanding of domains,boundaries & access
      7.1 – Is access to computing resources and cardholder information limited to only those individuals whose jobs require such access?
      • Does a logical virtualization deployment diagram exist?
      • 10. Will “complex” virtualization management components (HA, DRS, Vmotion or VCB) be used in the environment?
      • 11. How is virtualization platform user administration performed?(ESX/VCenter)
    • Example EnvironmentDiagram (Poor / No information)
    • 12. Example LogicalDiagram (Better)
    • 13. Configuration Questions(1-4)
      • What legacy systems will be migrated to the ESX environment?
      • 14. What do systems currently hosted in the ESX environment do?
      • 15. Does a logical deployment diagram for PCI systems exist?
      • 16. Will HA, DRS, Vmotion or VCB be used in this environment?
      • 17. Are there change management policies in place for system management?
      • 18. Is there a formal installation procedure for ESX hosts? Guests? Virtual Centre?
    • Configuration Questions (2-4)
      • What resource limiting and share assignment exists in the design?
      • 19. How is ESX/VCenter user administration performed? Formally documented?
      • 20. What security measures are place to avoid copying/pasting or adding of devices to the virtual guests?
      • 21. Are templates being used for deploying guests? If so, what security measures are being used for template creation?
      • 22. What system logging policies exist; How is logging deployed within the ESX architecture?
      • 23. What is currently being done internally for system clock synchronization?
    • Configuration Questions(3-4)
      • Is there a formal policy in place for physical access to the data centre?
      • 24. What security measures will be applied virtual machines: System hardening, antivirus agents, spyware filters, intrusion detection
      systems, etc.
      • What policy for vulnerability management within the virtualized
      architecture has been defined?
      • Is SAN zoning and masking configured and managed properly to ensure
      unauthorized presentation of data to virtual machines?
    • 25. Configuration Questions (4-4)
      The Windows host running VirtualCentre (VC) must have strict security measures enforced in order to protect access to the management of the virtual infrastructure.
      • What account is used to run VirtualCentre in the management stations?
      • 26. What roles and permissions are used/disabled in VC?
      • 27. Is the VC computer placed in a separate management network?
      • 28. Where does the VC database reside and what method of authentication is used on this database?
      • 29. What security practices have been applied to secure the database?
      • 30. Are self-signed certificates used?
    • General Thoughts around Virtualization & PCI
      • The fallacy of cost reduction
      • 31. Increased complexity
      • 32. Increase in exposure to:
      • 33. Technical misconfiguration
      • 34. Central points of access / collusion for staff
    • Compliance in Virtualized Environments
      Real world issues in virtualization compliance:
      • Design & Service Management standards are changing rapidly
      • 36. Experts disagree on effectiveness of controls and implementations
      • 37. Virtualization allows people and entities to quickly create boundary less service environments
    • Compliance in Virtualized Environments
      How do I approach a compliance review in my environment?
      • Understand your compliance governance structure
      • 38. Understand your virtualization security architecture
      • 39. Manage and compensate for real world issues
    • Thanks
      Michael Legary, CISSP, CISM, CISA, CCSA, CSA, GCIHFounder & CIOSeccuris Inc.Email: Michael.Legary@seccuris.comDirect: 204-255-4490Main: 204-255-4136Fax: 204-942-6705
      This presentation contains reference material and direct content from multiple copyright holders. References available on request / within presentation slide notes.
      Center for Internet Security
      VMware Security Center