
HyTrust-FISMA Compliance in the Virtual Data Center


Published in: Technology, Business
  1. FISMA Compliance in the Virtual Data Center
     Fulfilling NIST Requirements
     © 2012, HyTrust, Inc. 1975 W. El Camino Real, Suite 203, Mountain View, CA 94040
     Phone: 650-681-8100 / email:
  2. NIST Directives on Virtualization Security
     “Organizations should have the same security controls in place for virtualized operating systems as they have for the same operating systems running directly on hardware.”
     “Ensure that the hypervisor is properly secured.”
     “Restrict and protect administrator access to the virtualization solution. The security of the entire virtual infrastructure relies on the security of the virtualization management system that controls the hypervisor and allows the operator to start guest OSs, create new guest OS images, and perform other administrative actions.”
     Neither physical data center security controls nor the basic controls provided by the virtualization platform were designed to fulfill these requirements for FISMA compliance.
  3. HyTrust Role in NIST/FISMA Compliance
     • 6 of 18 NIST 800-53 control families (Source: NIST Special Publication 800-53, Revision 3) focus on controlling and tracking infrastructure access or ensuring configuration and system integrity
     • Compliance in virtual environments requires an approach that addresses the distinct attributes of virtual infrastructure access, configuration, and system integrity
     • HyTrust is purpose-built to control and log access activity, ensure compliant host configurations, and protect system integrity in virtual environments
     • HyTrust fills critical gaps in the virtualization platform’s NIST/FISMA compliance capabilities*
     * Platform capabilities mentioned in this document are believed to be accurate as of April, 2012, and are subject to revision
  4. HyTrust Enables Access Control (AC) Compliance
     Columns: AC Control | NIST Requirement for FISMA Compliance | Virtualization Platform Constraints/Gaps | HyTrust Requirement Fulfillment for Virtual Environments

     Account Management (AC-2)
       NIST requirement: Specify access privileges and grant access to the system based on: (i) a valid access authorization; (ii) intended system usage; and (iii) other attributes as required by the organization or associated missions/business functions.
       Platform constraints/gaps:
         • Supports single factor authentication only
         • Allows root account sharing
         • Allows default passwords
         • Defaults to admin privileges for all operations
       HyTrust fulfillment:
         • Supports multi-factor authentication
         • Prevents root account sharing
         • Prevents use of default passwords
         • Enables limited access privileges based on intended system usage and other attributes

     Access Enforcement (AC-3)
       NIST requirement: Enforce approved authorizations for logical access to the system in accordance with applicable policy.
       Platform constraints/gaps:
         • Enables broad access privileges based on roles only
       HyTrust fulfillment:
         • Enforces authorization policy defined by granular role-based and attribute-based access privileges

     Information Flow Enforcement (AC-4)
       NIST requirement: Enforce approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with policy.
       Platform constraints/gaps:
         • Allows unfiltered VM-to-VM communications, unconstrained by policy
       HyTrust fulfillment:
         • Enforces trust zone policies that constrain users’ ability to change information flows

     Separation of Duties (AC-5)
       NIST requirement: Implement separation of duties through assigned information system access authorizations.
       Platform constraints/gaps:
         • Provides limited ability to enforce access policies separating duties
         • Provides no pre-defined roles besides administrator
       HyTrust fulfillment:
         • Provides the authorization granularity needed for effective separation of duties
         • Provides 17 pre-defined, customizable roles

     Least Privilege (AC-6)
       NIST requirement: Employ the concept of least privilege, allowing only authorized accesses for users which are necessary to accomplish assigned tasks in accordance with organizational mission.
       Platform constraints/gaps:
         • Defaults to super user privileges
       HyTrust fulfillment:
         • Allows only the operations and access to virtual resources users need to do their jobs

     Security Attributes (AC-16)
       NIST requirement: Support the binding of security attributes to information in storage, in process, and in transmission.
       Platform constraints/gaps:
         • Provides no mechanism to tag virtual objects with security attributes
       HyTrust fulfillment:
         • Enables object tagging with security attributes that enable robust and flexible access control
  5. HyTrust Enables Audit and Accountability (AU) Compliance (continued)
     Columns: AU Control | NIST Requirement for FISMA Compliance | Virtualization Platform Constraints/Gaps | HyTrust Requirement Fulfillment for Virtual Environments

     Audit Review, Analysis, and Reporting (AU-6)
       NIST requirement: Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.
       Platform constraints/gaps:
         • Provides basic virtualization event data to SIEM solutions that may not be detailed enough for correlation with physical data center audit records
       HyTrust fulfillment:
         • Provides the thorough, fine-grained virtualization event data needed by SIEM solutions for correlation with similarly detailed physical data center records

     Non-Repudiation (AU-10)
       NIST requirement: Protect against an individual falsely denying having performed a particular action.
       Platform constraints/gaps:
         • Allows admin anonymity via sharing of root account
       HyTrust fulfillment:
         • Associates unique user ID with every event logged

     Audit Generation (AU-12)
       NIST requirement: Provide audit record generation capability for the list of auditable events defined in AU-2. Produce audit records in a standardized format.
       Platform constraints/gaps:
         • Creates separate log files for vCenter and each host server
         • Uses different log formats for vCenter vs. hosts
       HyTrust fulfillment:
         • Consolidates and centrally manages logs covering vCenter and all hosts
         • Uses a single, uniform format for combined vCenter and host log data
  6. HyTrust Enables Security Assessment and Authorization (CA) Compliance
     Columns: CA Control | NIST Requirement for FISMA Compliance | Virtualization Platform Constraints/Gaps | HyTrust Requirement Fulfillment for Virtual Environments

     Continuous Monitoring (CA-7)
       NIST requirement: Establish a continuous monitoring strategy and implement a continuous monitoring program that includes:
         • a configuration management process for the information system
         • a determination of the security impact of changes to the information system
       Platform constraints/gaps:
         • Does not provide functionality to continuously monitor and manage the hypervisor configuration
         • Does not provide functionality to determine the security impact of changes to the hypervisor configuration
         • Can only implement permissions on virtual objects in a hierarchical fashion; cannot implement meaningful permissions in a dynamic environment.
       HyTrust fulfillment:
         • Continuously monitors hypervisor configurations for drift and policy violations
         • Determines the security impact of configuration changes by continuously comparing configuration states to baselines such as C.I.S. Benchmark standards, VMware Best Practices, and other frameworks
         • Can establish permissions and policies that can follow the virtual machine regardless of where it resides in the environment
  7. HyTrust Enables Configuration Management (CM) Compliance
     Columns: CM Control | NIST Requirement for FISMA Compliance | Virtualization Platform Constraints/Gaps | HyTrust Requirement Fulfillment for Virtual Environments

     Baseline Configuration (CM-2)
       NIST requirement: Develop, document, and maintain under configuration control, a current baseline configuration. Employ automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration.
       Platform constraints/gaps:
         • Host Profiles functionality for maintaining baselines not available with Standard or Enterprise versions of platform
         • Requires hosts to be put in maintenance mode and all VMs to be moved to another host for the duration of the operation.
       HyTrust fulfillment:
         • Enables organization to define and automatically maintain a custom baseline configuration or a pre-built baseline such as C.I.S. Benchmark standards, VMware Best Practices, or other frameworks
         • Does not require putting hosts in maintenance mode after remediating baseline variations
         • Provides automated configuration maintenance for all versions of virtualization platform

     Configuration Change Control (CM-3)
       NIST requirement: Audit activities associated with configuration-controlled changes. Employ automated mechanisms to implement changes to the current baseline and deploy the updated baseline across the installed base.
       Platform constraints/gaps:
         • Logs changes for individual hosts only, and may not capture unique user ID
         • Puts hosts in maintenance mode to deploy changes
       HyTrust fulfillment:
         • Centrally logs all hypervisor configuration change event data, including specific user, action attempted (allowed or denied), source IP, timestamp, target, etc.
         • Automates deployment of changes to the security configuration of the hypervisor, without putting hosts in maintenance mode

     Access Restrictions for Change (CM-5)
       NIST requirement: Enforce logical access restrictions associated with changes to the system. Employ automated mechanisms to enforce access restrictions and support auditing of the enforcement actions. Limit developer/integrator privileges to change hardware, software, and firmware and system information within a production environment.
       Platform constraints/gaps:
         • Enables broadly defined role-based access restrictions
         • Does not log disallowed or failed operations
         • Does not support privileges tied to objects such as “production” VMs
       HyTrust fulfillment:
         • Applies granular, user-specific role-based access controls to the hypervisor configuration and management interfaces
         • Automatically logs all allowed and denied operations on the hypervisor configuration
         • Enables enforcement of access restrictions customized for roles such as developer and integrator, and limitation of privileges on virtual objects assigned a label such as “production”
  8. HyTrust Enables Configuration Management (CM) Compliance (continued)
     Columns: CM Control | NIST Requirement for FISMA Compliance | Virtualization Platform Constraints/Gaps | HyTrust Requirement Fulfillment for Virtual Environments

     Configuration Settings (CM-6)
       NIST requirement: Monitor and control changes to configuration settings in accordance with organizational policies and procedures. Employ automated mechanisms to centrally manage, apply, and verify configuration settings. Employ automated mechanisms to respond to unauthorized changes to organization’s configuration settings. Demonstrate conformance to security configuration guidance (i.e., security checklists), prior to being introduced into a production environment.
       Platform constraints/gaps:
         • Does not provide functionality that verifies, monitors, or controls hypervisor configurations
         • Does not provide means to generate alerts for unauthorized configuration changes
         • Is not able to check if a configuration conforms with policy or checklist
       HyTrust fulfillment:
         • Verifies, monitors, and controls hypervisor configuration changes
         • Provides configuration change request logs to SIEM solutions that can be used to trigger alerts
         • Enables organization to check if a configuration conforms with a customized configuration policy or with guidance such as C.I.S. Benchmark standards, VMware Best Practices, or other frameworks

     Least Functionality (CM-7)
       NIST requirement: Configure the information system to prohibit or restrict the use of specified functions, ports, protocols, and/or services.
       Platform constraints/gaps:
         • Enables some configuration of access restrictions on individual hosts
       HyTrust fulfillment:
         • Centrally enforces hypervisor access policy via protocol (SSH, vSphere client, SOAP) and hypervisor IP address controls on all hosts
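The baseline comparison that slides 6 through 8 describe (CA-7, CM-2 and CM-6: compare each host's configuration state to a baseline, flag drift, rate its security impact, and emit a record a SIEM can alert on), as an added example in Python. This is illustration code written for this page, not HyTrust's product and not CIS Benchmark or VMware Best Practices content; the setting names, the baseline values, the impact ratings and the host configurations are all constructed.

```python
"""Baseline drift check for hypervisor host configuration (added example).

Assumes each host's configuration is available as a flat dict of
setting -> value, for instance collected from a host inventory tool.
Every setting name, baseline value, impact rating and host below is
constructed for illustration; none of it is real CIS or VMware content.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed baseline: setting -> (expected value, security impact if it drifts)
BASELINE = {
    "ssh_enabled": (False, "high"),
    "lockdown_mode": ("normal", "high"),
    "syslog_remote_host": ("syslog.example.internal", "medium"),
    "ntp_enabled": (True, "low"),
    "account_lock_failures": (5, "medium"),
}

IMPACT_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Drift:
    host: str
    setting: str
    expected: object
    actual: object
    impact: str


def check_host(host: str, config: Dict[str, object]) -> List[Drift]:
    """Compare one host's settings to BASELINE.

    A setting that is absent from the host is reported as drift too, so a
    host that never had remote syslog configured does not pass silently.
    """
    findings = []
    for setting, (expected, impact) in BASELINE.items():
        actual = config.get(setting, "<missing>")
        if actual != expected:
            findings.append(Drift(host, setting, expected, actual, impact))
    return findings


def check_fleet(fleet: Dict[str, Dict[str, object]]) -> Dict[str, List[Drift]]:
    """Run the check over every host; only hosts with drift appear in the result."""
    result = {}
    for host, config in fleet.items():
        findings = check_host(host, config)
        if findings:
            result[host] = findings
    return result


def worst_impact(findings: List[Drift]) -> Optional[str]:
    """Highest impact rating among the findings, or None when there is no drift."""
    if not findings:
        return None
    return max((f.impact for f in findings), key=IMPACT_ORDER.__getitem__)


def format_alert(d: Drift) -> str:
    """One-line key=value record of the kind a syslog forwarder would ship to a SIEM."""
    return (f"config_drift host={d.host} setting={d.setting} "
            f"expected={d.expected!r} actual={d.actual!r} impact={d.impact}")


# Constructed sample fleet: esx-01 matches the baseline, esx-02 has SSH on,
# esx-03 has lockdown off, no remote syslog setting at all, and NTP off.
FLEET = {
    "esx-01": {"ssh_enabled": False, "lockdown_mode": "normal",
               "syslog_remote_host": "syslog.example.internal",
               "ntp_enabled": True, "account_lock_failures": 5},
    "esx-02": {"ssh_enabled": True, "lockdown_mode": "normal",
               "syslog_remote_host": "syslog.example.internal",
               "ntp_enabled": True, "account_lock_failures": 5},
    "esx-03": {"ssh_enabled": False, "lockdown_mode": "disabled",
               "ntp_enabled": False, "account_lock_failures": 5},
}

if __name__ == "__main__":
    for host, findings in check_fleet(FLEET).items():
        print(f"{host}: worst impact {worst_impact(findings)}")
        for f in findings:
            print("  " + format_alert(f))
```

Treating a missing setting as drift rather than skipping it is the deliberate choice here: a baseline check that only compares keys present on both sides cannot tell "configured correctly" from "never configured".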
  9. HyTrust Enables Identification and Authentication (IA) Compliance
     Columns: IA Control | NIST Requirement for FISMA Compliance | Virtualization Platform Constraints/Gaps | HyTrust Requirement Fulfillment for Virtual Environments

     Identification and Authentication (Organizational Users) (IA-2)
       NIST requirement: Uniquely identify and authenticate organizational users, including organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors, guest researchers, individuals from allied nations). Use multifactor, replay-resistant authentication for network and local access to privileged accounts. For network accounts, one of the factors is provided by a device separate from the information system being accessed. Allow the use of group authenticators only when used in conjunction with an individual/unique authenticator.
       Platform constraints/gaps:
         • Permits root account sharing, enabling anonymous access
         • Requires password for access; does not support multi-factor authentication
       HyTrust fulfillment:
         • Requires a unique ID for access by an organizational user and associates the unique ID with every operation performed by the user
         • Supports multi-factor, replay-resistant authentication such as RSA SecurID and hardware tokens for network and local access to privileged accounts

     Identification and Authentication (Non-Organizational Users) (IA-2)
       NIST requirement: Uniquely identify and authenticate non-organizational users.
       Platform constraints/gaps:
         • Permits potential root account sharing by non-organizational users, enabling anonymous access
       HyTrust fulfillment:
         • Requires a unique ID for access by a non-organizational user and associates the unique ID with every operation performed by the user
  10. HyTrust Enables System and Information Integrity (SI) Compliance
     Columns: SI Control | NIST Requirement for FISMA Compliance | Virtualization Platform Constraints/Gaps | HyTrust Requirement Fulfillment for Virtual Environments

     Information Input Restrictions (SI-9)
       NIST requirement: Restricts the capability to input information to the information system to authorized personnel. Restrictions may extend beyond the typical access controls employed by the system and include limitations based on specific operational/project responsibilities.
       Platform constraints/gaps:
         • Does not restrict the ability to input information based on specific operational/project responsibilities
       HyTrust fulfillment:
         • Restricts the capability to input information, via any access method, using role-based authorization sufficiently fine-grained to distinguish between users’ operational/project responsibilities
  11. HyTrust Fills Critical FISMA Audit Data Gaps
     Columns: Log Data Provider | Data for Allowed Operation (example) | Data for Denied Reconfig Attempt (example) | Usability and Productivity

     Virtualization Platform
       Data for allowed operation (example): User: root; Time/date; Target resource name, URL; Operation executed
       Data for denied reconfig attempt (example): none
       Usability and productivity:
         • Separate log files for vCenter and each host server
         • Different log formats for vCenter vs. hosts

     HyTrust
       Data for allowed operation (example): All of the above, plus:
         • User ID
         • Source IP address
         • Resource reconfigured
         • Previous resource state
         • New resource state
         • Label (Production)
         • Required privileges
         • Evaluated rules/constraints
       Data for denied reconfig attempt (example):
         • User ID
         • Date/time
         • Source IP address
         • Operation requested
         • Operation denied
         • Target resource name, IP address, port, and protocol
         • Required privileges
         • Missing privileges
         • Evaluated rules/constraints
       Usability and productivity:
         • Consolidated, centrally managed logs covering vCenter and all hosts
         • Single, uniform format for combined vCenter and host log data
         • Logs sent to central repository or SIEM via syslog
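The two audit gaps the deck keeps returning to, different log formats across vCenter and hosts (AU-12) and root sharing that hides who acted (AU-10, IA-2), as an added example in Python that is not HyTrust's code: two constructed line formats are normalised into the single field set of slide 11 (user, source IP, operation, target, result, missing privileges), and then the records are scanned for denied reconfiguration attempts and for a generic account used from several source IPs. The regular expressions, field names, privilege string and every sample line are constructed for illustration and do not reproduce real vCenter or ESX log formats.

```python
"""Normalise two audit log formats into one record shape and run two
defender checks over the result (added example, not HyTrust code).

Both input formats, all field names, the privilege string and every
sample line below are constructed; real vCenter and host logs differ.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed "vCenter-style" line:
#   <ts> vcenter user=<u> src=<ip> op=<op> target=<t> result=allowed|denied [missing=<priv>]
VCENTER_RE = re.compile(
    r"^(?P<ts>\S+) vcenter user=(?P<user>\S+) src=(?P<src>\S+) "
    r"op=(?P<op>\S+) target=(?P<target>\S+) result=(?P<result>allowed|denied)"
    r"(?: missing=(?P<missing>\S+))?$"
)
# Constructed "host-style" line (syslog-like, no privilege detail at all):
#   <ts> <host> hostd: <user>@<ip> ALLOWED|DENIED <op> on <target>
HOST_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) hostd: (?P<user>\S+)@(?P<src>\S+) "
    r"(?P<result>ALLOWED|DENIED) (?P<op>\S+) on (?P<target>\S+)$"
)

# Constructed sample input mixing both formats plus one unparseable line.
SAMPLE_LINES = [
    "2012-04-02T10:00:01Z vcenter user=jsmith src=10.0.0.5 op=VM.Reconfigure target=vm-prod-db result=allowed",
    "2012-04-02T10:01:12Z esx-02 hostd: root@10.0.0.5 ALLOWED Host.Config.Network on esx-02",
    "2012-04-02T10:03:40Z esx-02 hostd: root@10.0.0.9 ALLOWED Host.Config.Network on esx-02",
    "2012-04-02T10:05:00Z vcenter user=tlee src=10.0.0.7 op=VM.Reconfigure target=vm-prod-db result=denied missing=VirtualMachine.Config.Settings",
    "2012-04-02T10:06:30Z esx-03 hostd: root@10.0.0.5 DENIED Host.Config.Services on esx-03",
    "garbage line that matches neither format",
]


def normalise(line: str) -> Optional[Dict[str, str]]:
    """Return one uniform record for either source format, or None if unparseable."""
    m = VCENTER_RE.match(line)
    if m:
        d = m.groupdict()
        return {"ts": d["ts"], "source": "vcenter", "user": d["user"], "src_ip": d["src"],
                "op": d["op"], "target": d["target"], "result": d["result"],
                "missing_privs": d["missing"] or ""}
    m = HOST_RE.match(line)
    if m:
        d = m.groupdict()
        return {"ts": d["ts"], "source": d["host"], "user": d["user"], "src_ip": d["src"],
                "op": d["op"], "target": d["target"], "result": d["result"].lower(),
                "missing_privs": ""}  # host format carries no privilege detail
    return None


def normalise_all(lines: List[str]) -> List[Dict[str, str]]:
    """Normalise every line, dropping those that match neither format."""
    return [r for r in (normalise(l) for l in lines) if r is not None]


def denied_attempts(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """CM-5 evidence: every denied operation, with the missing privilege when the source knows it."""
    return [r for r in records if r["result"] == "denied"]


def shared_accounts(records: List[Dict[str, str]], account: str = "root") -> Dict[str, List[str]]:
    """AU-10/IA-2 signal: a generic account seen from more than one source IP.

    Several source addresses behind one account name is the footprint of a
    shared credential, which is exactly what breaks non-repudiation.
    """
    ips = defaultdict(set)
    for r in records:
        if r["user"] == account:
            ips[r["user"]].add(r["src_ip"])
    return {u: sorted(s) for u, s in ips.items() if len(s) > 1}


def to_syslog(r: Dict[str, str]) -> str:
    """Single-line key=value rendering of a record, ready for forwarding to a SIEM."""
    return " ".join(f"{k}={v}" for k, v in r.items())


if __name__ == "__main__":
    recs = normalise_all(SAMPLE_LINES)
    print(f"{len(recs)} of {len(SAMPLE_LINES)} lines normalised")
    for r in denied_attempts(recs):
        print("DENIED  " + to_syslog(r))
    for user, ips in shared_accounts(recs).items():
        print(f"SHARED  account={user} source_ips={','.join(ips)}")
```

The host-style records come out with an empty `missing_privs` field; that empty field is the gap the slide points at, since a denial logged without the privilege that was lacking cannot be tied back to a role or separation-of-duties decision.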