CIPFA Presentation - Security in a Virtualised Environment
© 2015 Grant Thornton UK LLP. All rights reserved.
Security in a virtualised environment
25th June 2015
Chris Kenny
Assistant Manager
Technology Risk Services
Agenda
• Introduction
• What is virtualisation and what are the benefits?
• Risks and controls
• Case study
• Final thoughts
About Grant Thornton
The Technology Risk Services team provides data analytics and a wide range of IT audit and advisory services:
• Outsourcing
• Data analysis
• IT operations
• Data privacy
• Cyber security
• IT risk management
• Project management
• ERP
• 3rd party assurance
The leading firm in local government audit, with approximately 40% of local authorities in England as external audit clients
About me
• Seven years’ experience in internal audit, five of which working in local government
• Manages IT audit engagements for GT’s internal and external audit clients in the public and private sectors across the Midlands
• CMIIA and CISA qualified
What is virtualisation and what are the benefits?
Virtualisation enables the consolidation of multiple systems onto a single piece of hardware
Through hardware resource sharing, virtualisation helps:
• consolidate physical resources
• simplify deployment and administration
• reduce power and cooling requirements
Virtualisation adds a software layer (the hypervisor) between the physical hardware and the guest operating systems
Hypervisors act as a resource manager, sharing processing power and memory between the VMs. Because every guest depends on the hypervisor for its isolation from the others, the hypervisor is the trust boundary of the whole platform.
Type 1 (native, or bare-metal), bottom to top: Physical Hardware Layer → Hypervisor → VM1, VM2, VM3
Type 2 (hosted), bottom to top: Physical Hardware Layer → Host OS → Hypervisor → VM1, VM2, VM3
With a Type 2 hypervisor the host OS is also in the trusted computing base, so it needs the same hardening and patching discipline as the hypervisor itself.
Storage, servers and networks can be virtualised
Network
Storage
Server
Virtualisation reduces costs and complexity and increases efficiency and agility
Reduces complexity
Enables standardisation
Improves agility
Reduces costs
Facilitates automation
Risks and Controls
There are three categories of security risk
• Attacks on virtualisation infrastructure
• Attacks on virtualisation features
• Compliance and management challenges
Attacks on virtualisation infrastructure: hyperjacking and hyperjumping
Hyperjacking: the attacker slips a rogue hypervisor in beneath the legitimate one (or replaces it), so the hypervisor that guests and administrators see is itself running under attacker control. Every VM on the host, including its memory and disk I/O, is then exposed, and this is very hard to detect from inside a guest. Layers, bottom to top: Physical Hardware Layer → Rogue hypervisor → Hypervisor → VM1, VM2, VM3.
Hyperjumping: the attacker starts inside one VM and breaks out of it (a guest escape), reaching the hypervisor or a neighbouring VM on the same host. A compromise of one low-trust guest then becomes a compromise of every guest sharing that hardware. Layers, bottom to top: Physical Hardware Layer → Hypervisor → VM1, VM2, VM3, with the attack path running from one VM across to another.
Both attacks target the one layer every guest depends on, which is why the hypervisor and its management interfaces need the strongest controls in the estate.
Attacks on virtualisation features
• Vulnerabilities that exist in the physical environment still apply in the virtual one: a guest OS needs the same patching, hardening and monitoring as a physical server
• Mixing VMs of different trust levels on the same host (for example DMZ and internal systems), leaving the hypervisor as the only thing separating them
• Lack of segregation of duties: a single virtualisation administrator can create, move, copy and delete any guest, its storage and its network
• Immaturity of monitoring solutions: traffic between VMs on the same host crosses a virtual switch and never reaches the physical network taps and IDS sensors
• Information leakage between virtual network segments (misconfigured VLANs or virtual switches)
• Information leakage between virtual components (shared memory, shared storage, snapshots)
Compliance and management challenges
• Licensing: VMs are cheap to create and move, so licence counts, and the hosts they are tied to, drift away from what was bought
• Dormant machines: powered-off VMs miss patching and anti-malware updates and return to the network in the state they were left
• Snapshots and images: they capture disk and, optionally, memory state (including credentials), are easily copied, and reverting to one silently undoes every fix applied since it was taken
How to audit virtualised environments
Audit topics:
• Purpose
• Risk assessment
• Fact finding
• Network map
• Policies and procedures
• Change controls
• Network security
• Communication
• Logical access controls
• Configuration management
• File sharing
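Several of the audit topics above, and the risks on the two preceding slides (mixing VMs of different trust levels, lack of segregation of duties, dormant machines, snapshots), can be checked mechanically from an inventory export. The script below is an added example written for this page, not code from the presentation or from any product: the inventory format, the host and VM names, the role names and the day thresholds are all hypothetical, and the records are constructed so that each check produces one finding.

```python
"""Audit checks over a virtualisation inventory export.

Added example, not part of the original presentation. The inventory format is
hypothetical (it stands in for an export from whatever management layer the
estate uses) and the records are constructed. The checks cover mixed trust
levels on one host, dormant machines, stale snapshots and segregation of duties.
"""
from collections import defaultdict
from datetime import date

# Constructed sample export (hypothetical format); dates are ISO-8601 strings.
INVENTORY = {
    "as_of": "2015-06-25",
    "vms": [
        {"name": "erp-app-01", "host": "hv-01", "zone": "internal", "power": "on",
         "last_powered_on": "2015-06-25",
         "snapshots": [{"name": "pre-patch", "created": "2015-02-10"}]},
        {"name": "web-dmz-01", "host": "hv-01", "zone": "dmz", "power": "on",
         "last_powered_on": "2015-06-25", "snapshots": []},
        {"name": "old-test-03", "host": "hv-02", "zone": "internal", "power": "off",
         "last_powered_on": "2015-01-15", "snapshots": []},
        {"name": "fin-db-01", "host": "hv-02", "zone": "internal", "power": "on",
         "last_powered_on": "2015-06-25",
         "snapshots": [{"name": "nightly", "created": "2015-06-24"}]},
    ],
    # Roles granted in the management console (hypothetical role names).
    "admins": [
        {"user": "alice", "roles": ["vm-operator"]},
        {"user": "bob", "roles": ["vm-operator", "change-approver"]},
        {"user": "carol", "roles": ["change-approver"]},
    ],
}

# Role pairs one person should not hold at the same time.
CONFLICTING_ROLES = [("vm-operator", "change-approver")]


def _days_between(earlier: str, later: str) -> int:
    return (date.fromisoformat(later) - date.fromisoformat(earlier)).days


def mixed_trust_hosts(inv: dict) -> dict:
    """Hosts running guests from more than one trust zone: a guest escape there
    crosses the zone boundary, so zones belong on separate hypervisor clusters."""
    zones = defaultdict(set)
    for vm in inv["vms"]:
        zones[vm["host"]].add(vm["zone"])
    return {host: sorted(z) for host, z in zones.items() if len(z) > 1}


def dormant_vms(inv: dict, max_days_off: int = 30) -> dict:
    """Powered-off guests idle longer than max_days_off, with days idle. They
    miss patch and anti-malware cycles and return to the network as they were."""
    return {vm["name"]: _days_between(vm["last_powered_on"], inv["as_of"])
            for vm in inv["vms"]
            if vm["power"] == "off"
            and _days_between(vm["last_powered_on"], inv["as_of"]) > max_days_off}


def stale_snapshots(inv: dict, max_age_days: int = 7) -> list:
    """(vm, snapshot, age) for snapshots older than max_age_days. A snapshot
    freezes disk (and optionally memory) state, so an old one holds pre-patch
    code and possibly credentials, and reverting to it undoes later fixes."""
    found = []
    for vm in inv["vms"]:
        for snap in vm["snapshots"]:
            age = _days_between(snap["created"], inv["as_of"])
            if age > max_age_days:
                found.append((vm["name"], snap["name"], age))
    return found


def sod_violations(inv: dict) -> dict:
    """Administrators holding a conflicting pair of roles."""
    bad = {}
    for admin in inv["admins"]:
        held = set(admin["roles"])
        pairs = [p for p in CONFLICTING_ROLES if held.issuperset(p)]
        if pairs:
            bad[admin["user"]] = pairs
    return bad


def run_audit(inv: dict) -> dict:
    """All checks in one report keyed by audit topic."""
    return {
        "mixed_trust_hosts": mixed_trust_hosts(inv),
        "dormant_vms": dormant_vms(inv),
        "stale_snapshots": stale_snapshots(inv),
        "sod_violations": sod_violations(inv),
    }


if __name__ == "__main__":
    for topic, findings in run_audit(INVENTORY).items():
        print(f"{topic}: {findings or 'no findings'}")
```

On the constructed data the report flags hv-01 for hosting both a DMZ and an internal guest, old-test-03 as dormant for 161 days, the 135-day-old pre-patch snapshot on erp-app-01, and bob for holding both the operator and change-approver roles. The thresholds are deliberately parameters: the right number of days for "dormant" or "stale" is a policy decision the auditor should take from the organisation's own standards, not from the script.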
Case study
Background
• FTSE 100 FMCG business
• Had initiated a project to virtualise part of its corporate
network hosting its ERP application
• Management wanted assurance that the newly virtualised environment was controlled in compliance with the organisation’s standards
Case study: FTSE 100 FMCG business
Patching
Logical access controls
Licensing
Hardening
Host server configuration
Network configuration
Final thoughts
Best Practices in Virtualisation / Controls
• Least privilege and separation of duties
• Hardening
• Recognise the dynamic nature of VMs
• Restrict physical access
• Implement defence in depth
• Isolate security functions
• Evaluate virtualisation risks
• Evaluate virtualised network security features
Future developments
User virtualisation
Storage virtualisation
Hosted / virtual / cloud desktops
Security abstraction
Application delivery
Summary and Conclusions
• Virtualisation can deliver significant benefits BUT:
– Don’t replicate your physical risks in the virtualised environment
– A secured hypervisor is key: it is the single layer every guest depends on for its isolation
Where can you find additional information?
CESG
PCI DSS
ISACA
SANS Institute
Center for Internet Security
Questions
