CIPFA Presentation - Security in a Virtualised Environment
- 1. © 2015 Grant Thornton UK LLP. All rights reserved.
Security in a virtualised environment
25th June 2015
Chris Kenny
Assistant Manager
Technology Risk Services
- 2.
Agenda
• Introduction
• What is virtualisation and what are the benefits?
• Risks and controls
• Case study
• Final thoughts
- 3.
About Grant Thornton
The Technology Risk Services team provides data analytics and a wide range of IT audit and advisory services:
• Outsourcing
• Data analysis
• IT operations
• Data privacy
• Cyber security
• IT risk management
• Project management
• ERP
• 3rd party assurance
The leading firm in local government audit, with approximately 40% of local authorities in England as external audit clients.
- 4.
About me
• Seven years’ experience in internal audit, five of which working in local government
• Manage IT audit engagements for GT for internal and external audit public and private sector clients across the Midlands
• CMIIA and CISA qualified
- 5.
What is virtualisation and what are the benefits?
- 6.
Virtualisation enables the consolidation of multiple systems on to a single piece of hardware
Through hardware resource sharing, virtualisation helps:
• consolidate physical resources
• simplify deployment and administration, and reduce power and cooling requirements
- 7.
Virtualisation adds a software layer (hypervisor) between two layers in a computer system
Hypervisors act as a resource manager to enable the sharing of processing power and memory.
[Diagram] Type 1 (native): Physical Hardware Layer → Hypervisor → VM1, VM2, VM3
[Diagram] Type 2 (hosted): Physical Hardware Layer → OS → Hypervisor → VM1, VM2, VM3
- 8.
Storage, servers and networks can be virtualised
Network
Storage
Server
- 9.
Virtualisation reduces costs and complexity and increases efficiency and agility
Reduces complexity
Enables standardisation
Improves agility
Reduces costs
Facilitates automation
- 10.
Risks and Controls
- 11.
There are three categories of security risk:
• Compliance and management challenges
• Attacks on virtualisation features
• Attacks on virtualisation infrastructure
- 12.
Attacks on virtualisation infrastructure: hyperjacking and hyperjumping
[Diagram] Hyperjacking: a rogue hypervisor inserted beneath the legitimate hypervisor and its VMs (Physical Hardware Layer → Rogue hypervisor → Hypervisor → VM1, VM2, VM3)
[Diagram] Hyperjumping: Physical Hardware Layer → Hypervisor → VM1, VM2, VM3, with the attack path running from one VM across to a neighbouring VM on the same hypervisor
- 13.
Attacks on virtualisation features
• Vulnerabilities in the physical environment apply in a virtual environment
• Mixing VMs of different trust levels
• Lack of segregation of duties
• Immaturity of monitoring solutions
• Information leakage between virtual network segments
• Information leakage between virtual components
- 14.
Compliance and management challenges
• Licensing
• Dormant machines
• Snapshots and images
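Several of the risks on the last two slides (VMs of different trust levels sharing a host, dormant machines that miss patch cycles, and long-lived snapshots holding stale state) can be checked mechanically from a VM inventory export. The script below is an added example written for this page, not part of the presentation or any vendor tool; the inventory, host names, trust-zone tags and thresholds are all constructed, and a real run would populate the same records from the hypervisor's inventory API or a CMDB export.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# TODAY is pinned (the presentation date) so the constructed results are reproducible.
TODAY = date(2015, 6, 25)


@dataclass
class VM:
    name: str
    host: str            # physical host the VM currently runs on
    trust_zone: str      # e.g. "dmz", "internal"; assumed inventory tag
    powered_on: bool
    last_power_on: date  # last date the VM was observed running
    # list of (snapshot label, date created)
    snapshots: list = field(default_factory=list)


# Constructed sample inventory (hypothetical names; not data from the slides).
INVENTORY = [
    VM("erp-app-01", "host-a", "internal", True, TODAY - timedelta(days=1),
       [("pre-patch", TODAY - timedelta(days=3))]),
    VM("web-dmz-01", "host-a", "dmz", True, TODAY - timedelta(days=2)),
    VM("erp-db-01", "host-b", "internal", True, TODAY,
       [("pre-upgrade", TODAY - timedelta(days=120))]),
    VM("old-test-03", "host-b", "internal", False, TODAY - timedelta(days=200)),
]


def hosts_mixing_trust_zones(inventory):
    """Hosts carrying VMs from more than one trust zone (e.g. DMZ beside internal)."""
    zones_by_host = {}
    for vm in inventory:
        zones_by_host.setdefault(vm.host, set()).add(vm.trust_zone)
    return sorted(host for host, zones in zones_by_host.items() if len(zones) > 1)


def dormant_vms(inventory, today=TODAY, max_idle_days=90):
    """Powered-off VMs idle longer than the threshold; they will have missed patch cycles."""
    return sorted(vm.name for vm in inventory
                  if not vm.powered_on
                  and (today - vm.last_power_on).days > max_idle_days)


def stale_snapshots(inventory, today=TODAY, max_age_days=30):
    """(VM, snapshot) pairs older than the threshold: old snapshots preserve
    unpatched state and can be reverted to, as well as consuming storage."""
    return sorted((vm.name, label) for vm in inventory
                  for label, created in vm.snapshots
                  if (today - created).days > max_age_days)


def audit(inventory, today=TODAY):
    """Run all three checks and return the findings as one report dict."""
    return {
        "mixed_trust_hosts": hosts_mixing_trust_zones(inventory),
        "dormant_vms": dormant_vms(inventory, today),
        "stale_snapshots": stale_snapshots(inventory, today),
    }


if __name__ == "__main__":
    for check, findings in audit(INVENTORY).items():
        print(f"{check}: {findings or 'none'}")
```

On the constructed inventory the report flags host-a (DMZ and internal guests side by side), old-test-03 (powered off for 200 days) and the 120-day-old pre-upgrade snapshot on erp-db-01. The thresholds are parameters rather than constants so they can be aligned with the organisation's own patching and snapshot-retention standards.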
- 15.
How to audit virtualised environments
Audit topics:
• Purpose
• Risk assessment
• Fact finding
• Network map
• Policies and procedures
• Change controls
• Network security
• Communication
• Logical access controls
• Configuration management
• File sharing
- 16.
Case study
- 17.
Background
• FTSE 100 FMCG business
• Had initiated a project to virtualise part of its corporate network hosting its ERP application
• Management wanted assurance that the newly virtualised environment was controlled in compliance with organisation standards.
- 18.
Case study: FTSE 100 FMCG business
Patching
Logical access controls
Licensing
Hardening
Host server configuration
Network configuration
- 19.
Final thoughts
- 20.
Best Practices in Virtualisation / Controls
• Least privilege and separation of duties
• Hardening
• Recognise the dynamic nature of VMs
• Restrict physical access
• Implement defence in depth
• Isolate security functions
• Evaluate virtualisation risks
• Evaluate virtualised network security features
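"Least privilege and separation of duties" on the hypervisor management plane is a control an auditor can test from the role assignments alone, and it addresses the "lack of segregation of duties" risk listed earlier under attacks on virtualisation features. The following is an added example, not the presentation's material nor any hypervisor product's role model: the role names, permissions, user accounts and the list of conflicting ("toxic") permission pairs are all constructed, and a real check would load the same three structures from the management platform's role and group export.

```python
# Constructed role model (hypothetical names; not a product's built-in roles).
ROLE_PERMISSIONS = {
    "vm-operator": {"power_vm", "console_vm"},
    "vm-admin": {"power_vm", "console_vm", "create_vm", "delete_vm", "snapshot_vm"},
    "host-admin": {"configure_host", "configure_vswitch", "manage_hypervisor_users"},
    "change-approver": {"approve_change"},
    "log-admin": {"configure_logging", "clear_logs"},
}

# Permission pairs that one account should never hold together: the first lets
# the holder make a change, the second lets them approve it or erase its trace.
TOXIC_PAIRS = [
    ("create_vm", "approve_change"),
    ("configure_host", "clear_logs"),
    ("manage_hypervisor_users", "clear_logs"),
]

# Constructed user-to-role assignments.
ASSIGNMENTS = {
    "alice": ["vm-admin", "change-approver"],
    "bob": ["host-admin"],
    "carol": ["host-admin", "log-admin"],
    "dave": ["vm-operator"],
}


def effective_permissions(user, assignments=ASSIGNMENTS, roles=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role the user holds.
    An unknown role raises KeyError on purpose: an audit must not silently
    ignore an assignment it cannot resolve."""
    perms = set()
    for role in assignments.get(user, []):
        perms |= roles[role]
    return perms


def sod_conflicts(assignments=ASSIGNMENTS, roles=ROLE_PERMISSIONS, toxic=TOXIC_PAIRS):
    """Return (user, permission_a, permission_b) for every toxic pair a user
    holds through any combination of roles, in a stable order for reporting."""
    findings = []
    for user in sorted(assignments):
        perms = effective_permissions(user, assignments, roles)
        for a, b in toxic:
            if a in perms and b in perms:
                findings.append((user, a, b))
    return findings


if __name__ == "__main__":
    for user, a, b in sod_conflicts():
        print(f"SoD conflict: {user} holds both {a!r} and {b!r}")
```

On the constructed data alice can create VMs and approve the change that introduces them, and carol can reconfigure hosts and manage hypervisor accounts while also being able to clear the logs that would record it; bob and dave are clean. Checking effective permissions rather than role names matters because the conflict only appears once two individually reasonable roles are combined on one account.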
- 21.
Future developments
User virtualisation
Storage virtualisation
Hosted / virtual / cloud desktops
Security abstraction
Application delivery
- 22.
Summary and Conclusions
• Virtualisation can unleash significant benefits BUT:
– Don’t replicate your physical risks in the virtualised environment
– A secured hypervisor is key!
- 23.
Where can you find additional information?
CESG
PCI DSS
ISACA
SANS Institute
Centre for Internet Security
- 24.
Questions