Security for VMware


Industry Brief: Virtualization Trends

Ensuring Security for Virtual Server Infrastructure

The trend toward virtualization of IT infrastructure has been primarily focused on enterprise servers, especially in data centers where the resulting efficiencies represent significant cost savings for IT organizations. Because virtualization adds layers of technology, it also necessitates changes in security management. Virtualization introduces a new level of complexity for information security teams, which are responsible for hardening virtual systems while also supporting increased density and dynamic provisioning.

The importance of security in such environments cannot be overstated. Data protection on server infrastructure has been a top IT priority for some time, because it is on servers that significant data breaches are most likely to occur. In fact, 98 percent of compromised records are exposed on servers and online applications.¹

Even as virtualization adds infrastructure layers, information security best practices remain conceptually the same. “In general, organizations should have the same security controls in place for the virtualized operating systems as they have for the same operating systems running directly on hardware,” according to a recent report from the National Institute of Standards and Technology (NIST).² The NIST report recommends that organizations secure virtual systems “based on sound security practices, such as keeping software up-to-date with security patches, using secure configuration baselines, and using host-based firewalls, antivirus software, or other appropriate mechanisms to detect and stop attacks.”³

In effect, Information Security must complete the same checklist of protections for virtual systems as for physical infrastructure. In addition, consideration should also be given to adapting best practices to any unique requirements potentially introduced by the dynamic nature of the virtual server environment.

NIST Secure Virtual System Checklist
1. Keep up-to-date with security patches
2. Use secure configuration baselines
3. Use host-based firewalls, antivirus software, or other mechanisms to detect and stop attacks

New PCI Virtualization Guidelines

Another factor driving secure virtualization is the increasing pressure from regulatory requirements to demonstrate effective protection of server infrastructures that house critical data and applications. A good example of how security standards are affecting virtualization efforts is a guidance paper recently published by the Payment Card Industry Security Standards Council (PCI SSC).⁴ Authored by a PCI special interest group consisting of more than 30 companies, including merchants, vendors, and Qualified Security Assessors (QSAs), the paper addresses the security implications of virtualization and maps them against the 12 main requirements of the PCI Data Security Standard (PCI DSS), indicating what actions should constitute best practice for each of the requirements.⁵

The PCI guidelines for the use of virtualization in cardholder data environments are based on the following four principles:
a. If virtualization technologies are used in a cardholder data environment, PCI DSS requirements apply to those virtualization technologies.
b. Virtualization technology introduces new risks that may not be relevant to other technologies, and that must be assessed when adopting virtualization in cardholder data environments.
c. Implementations of virtual technologies can vary greatly, and entities will need to perform a thorough discovery to identify and document the unique characteristics of their particular virtualized implementation, including all interactions with payment transaction processes and payment card data.
d. There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements. Specific controls and procedures will vary for each environment, according to how virtualization is used and implemented.⁶

Notes
1 2010 Verizon Breach Investigations Report.
2 Karen Scarfone, Murugiah Souppaya, and Paul Hoffman, “Guide to Security for Full Virtualization Technologies,” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, January 2011, 4-1.
3 NIST, op. cit., ES-1.
4 PCI Security Standards Council, PCI DSS Virtualization Guidelines, June 2011.
5 Ron Condon, “PCI virtualisation: With new guidelines, compliance may be harder,” 14 June 2011.
6 PCI Security Standards Council, op. cit.
The new PCI guidelines hold several important implications for organizations that handle cardholder data. First, virtualization adds a dynamic dimension to the traditional best practices commonly used in physical infrastructures. Since there is no “one-size-fits-all” approach, organizations will require adaptive solutions that can accommodate different configurations of virtual infrastructure at various points along the adoption curve. The guidelines conclude with a recommendation that all virtualization components, even those considered to be out-of-scope, be designed to meet PCI DSS security requirements, because exposure of one virtual machine (VM) on a host system could lead to the compromise of other VMs on the same host. Although they do not change the standard, the new guidelines will help organizations ensure that the standard is enforced.

IT Virtual Server Security Challenges
• Management of administration access
• Inbound and outbound communications
• Interactions between systems
• Maintaining patch levels and configuration standards

Secure Virtualization and Private Cloud Computing

Cloud computing is a way to provide scalable, elastic IT capabilities as services using Internet technologies. The cloud computing model enables organizations to consume software, platform, and infrastructure resources as services and avoid the licensing, consulting, and administrative costs associated with on-premise implementations. While some organizations adopt public cloud services available from cloud computing vendors on a multi-tenancy basis, many opt to develop their own private cloud services in order to reduce total cost of ownership while minimizing risks to data. Private cloud implementations generally involve virtualization and, therefore, require modern, adaptive approaches to security and compliance of virtual server infrastructures.

Cloud-based service enablement calls for granular control over the hardening of virtual systems using appropriate policy profiling. To ensure the ongoing integrity and availability of virtual servers, policies should be designed to enforce the following constraints:
• Limit cloud services to only those services required to support a given system’s function
• Limit user accounts and privilege escalations
• Control rogue behaviors such as file and configuration changes
• Constrain data mobility by monitoring data files
• Mitigate vulnerabilities due to inconsistent patch management

Only by ensuring the security of private cloud infrastructure can organizations realize the benefits in terms of cost efficiency.

Requirements for Virtualized Server Security

In extending protection to virtualized server infrastructures, IT Security faces a number of challenges, including management of administrator access, inbound and outbound communications, interactions between systems, and maintaining patch levels and configuration standards. To adapt to the unique variables introduced by virtualization, policies and controls must be modernized. In implementing such modernization, the following capabilities should be considered.

Monitor system behaviors. Virtual machines should be regularly monitored to discover potential vulnerabilities. Are there services on a particular VM that should not be running? Has a VM been moved such that it now has the ability to communicate with new workloads subject to different policy requirements, like PCI audit? Can removable media be attached to the VM through a USB port to extract data or introduce malware?

Control application and system services. It is necessary to see which applications are running on VMs and ensure that only appropriate apps are available on any given VM. Controls should include monitoring, alerts, and preventing executables as appropriate.

Reduce the scope of virtual system interactions. In cases where multiple VMs coexist on a single host, new VMs may gain availability to data or applications that should be off-limits. Central visibility across heterogeneous, hybrid environments is necessary to accurately oversee behaviors and activities.

Protect file systems. Organizations should conduct policy-based monitoring of all file systems on VMs, including applications, directories, and registry keys. It is common practice for hackers to change registry keys to cover their tracks. When that happens, the protection systems should generate an alert and, if necessary, lock down the file to prevent changes.

Maintain OS integrity. Check to see if any changes have been made to an OS that do not conform with configuration or patch standards. Real-time monitoring of VMs between patch windows can mitigate vulnerabilities and prevent malware from executing.

Monitor and restrict privileged user access. Privileged users of business-critical applications on VMs should be monitored to ensure that their behavior and activities are within the scope of requisite permissions and do not in any way jeopardize security or compliance posture.
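The policy constraints for private cloud VMs and the monitoring capabilities listed above (unexpected services, unapproved privileged accounts, changed configuration files, patch level drift, removable media) can be expressed as one baseline check per VM. The Python below is an added illustration written for this page, not Symantec code or the logic of any product named here; the baseline, file paths and VM snapshot are constructed sample data.

```python
# Added illustration (not Symantec code): policy-based drift check of a VM
# against its configuration baseline. All data below is constructed sample data.
import hashlib

# Constructed baseline: what this VM may run, who may administer it, file hashes.
BASELINE = {
    "allowed_services": {"sshd", "httpd", "ntpd"},
    "allowed_admins": {"root", "ops_admin"},
    "min_patch_level": 20110601,  # YYYYMMDD of the last approved patch window
    "file_hashes": {
        "/etc/ssh/sshd_config": hashlib.sha256(b"PermitRootLogin no\n").hexdigest(),
        "/etc/passwd": hashlib.sha256(b"root:x:0:0::/root:/bin/bash\n").hexdigest(),
    },
    "usb_allowed": False,
}

def check_vm(snapshot, baseline=BASELINE):
    """Return (severity, message) alerts for each policy violation in a VM snapshot."""
    alerts = []
    # Monitor system behaviors: services that should not be running on this VM.
    for svc in sorted(set(snapshot["services"]) - baseline["allowed_services"]):
        alerts.append(("high", f"unexpected service running: {svc}"))
    # Limit user accounts and privilege escalation: privileged users not in policy.
    for user in sorted(set(snapshot["admins"]) - baseline["allowed_admins"]):
        alerts.append(("high", f"unapproved privileged account: {user}"))
    # Protect file systems: monitored configuration files changed or removed.
    for path, expected in baseline["file_hashes"].items():
        content = snapshot["files"].get(path)
        if content is None:
            alerts.append(("high", f"monitored file missing: {path}"))
        elif hashlib.sha256(content).hexdigest() != expected:
            alerts.append(("high", f"monitored file modified: {path}"))
    # Maintain OS integrity: patch level behind the approved baseline.
    if snapshot["patch_level"] < baseline["min_patch_level"]:
        alerts.append(("medium", f"patch level {snapshot['patch_level']} below baseline"))
    # Constrain data mobility: removable media attached where policy forbids it.
    if snapshot["usb_attached"] and not baseline["usb_allowed"]:
        alerts.append(("medium", "removable media attached to VM"))
    return alerts

# Constructed snapshot of a drifted VM (sample data, not a real system).
SAMPLE_SNAPSHOT = {
    "services": ["sshd", "httpd", "ntpd", "telnetd"],
    "admins": ["root", "ops_admin", "tmp_admin"],
    "patch_level": 20110415,
    "files": {"/etc/ssh/sshd_config": b"PermitRootLogin yes\n",
              "/etc/passwd": b"root:x:0:0::/root:/bin/bash\n"},
    "usb_attached": True,
}
```

Running `check_vm(SAMPLE_SNAPSHOT)` yields five alerts, one per drifted control; a snapshot that matches the baseline yields an empty list.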
Security Solutions for Virtualized Servers

Like mobile and cloud computing strategies, virtualization is rapidly becoming a standard dimension of enterprise IT initiatives. When it comes to security, it is important to make sure that solutions designed to protect data, people, and systems offer the same capabilities for both virtual and physical servers. The following Symantec products are successfully employed by customers today across physical and virtual server environments.

Symantec™ Critical System Protection. Critical System Protection is a host-based intrusion detection and prevention solution that allows organizations to protect business-critical servers seamlessly across heterogeneous virtual and physical environments while accelerating density goals and reducing cost. The centrally managed, policy-driven solution monitors file systems and prevents policy violations with minimum impact on server workloads and system performance. The built-in ESX Policy Pack protects the ESX console operating system and guest operating systems and applications with layered controls to limit networking of non-ESX programs and to block write access to ESX configuration and data files.

Symantec™ Control Compliance Suite. Control Compliance Suite addresses IT risk and compliance challenges by delivering greater visibility and control across virtual and physical server infrastructure. Capabilities include regulatory and technical content that is automatically mapped to policies and updated as regulations change, as well as automated system discovery and vulnerability assessments to identify noncompliant virtual and physical systems.

Symantec™ Endpoint Protection. Endpoint Protection delivers unparalleled security and proven superior performance⁷ in a single system optimized for both physical and virtual environments. Symantec Endpoint Protection is powered by Symantec’s exclusive Insight™ detection technology. Insight catches rapidly mutating malware threats that other approaches miss and reduces scan overhead by up to 70 percent in high-density environments.⁸

Symantec™ Security Information Manager. Security Information Manager enables organizations to establish central visibility to critical virtual server incidents. It offers broad log data collection from physical and virtual servers, including a purpose-built collector for ESX environments. Comprehensive, real-time incident correlation, including content from the Symantec Global Intelligence Network, transforms data from physical and virtual environments worldwide into actionable intelligence.

Conclusion

It is a well-established fact that server infrastructure represents the number one target for cybercriminals and the most likely location of data breaches. Virtualization adds new layers of complexity to server infrastructure so that ensuring security and compliance requires more granular controls and the ability to consistently enforce policies across both physical and virtual environments. Symantec can help seamlessly extend protection to virtualized servers by discovering, monitoring, and controlling behaviors and activities that may compromise the performance and availability of virtual systems. With help from Symantec, you can confidently pursue the virtualization of your most business-critical IT infrastructure.

About Symantec

Symantec is a global leader in providing security, storage, and systems management solutions to help consumers and organizations secure and manage their information-driven world. Headquartered in Mountain View, Calif., Symantec has operations in 40 countries. More information is available on our website.

To speak with a Product Specialist in the U.S., call toll-free 1 (800) 745 6054. To speak with a Product Specialist outside the U.S., please visit our website for specific country offices and contact numbers.

Symantec World Headquarters, 350 Ellis St., Mountain View, CA 94043 USA. +1 (650) 527 8000, 1 (800) 721 3934.

Notes
7 PassMark Software, Enterprise Endpoint Protection Performance Benchmarks, February 2011.
8 Tolly Enterprises, Symantec Endpoint Protection 12.1 vs. McAfee and Trend Micro, Anti-virus Performance in VMware ESX Virtual Environments, June 2011.

Copyright © 2011 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, and Insight are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 07/11 21202606