Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Kevin wharram

1,092 views

Published on

This presentation covers virtualization and private cloud security

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Kevin wharram

  1. 2. Welcome Kevin Wharram, CISSP, CISM, CEH, EnCE, GCFA, 27001 Lead Auditor Member of the ISACA Security Advisory Group at ISACA London Chapter My interests are in – Forensics, Virtualization and Cloud Security
  2. 3. <ul><li>What is Virtualization? </li></ul><ul><li>Server Virtualization Analogy </li></ul><ul><li>Virtualization Security </li></ul><ul><li>Virtualization Compliance </li></ul><ul><li>What is Cloud Computing? </li></ul><ul><li>What is a Private Cloud? </li></ul><ul><li>Private Cloud Security </li></ul>Agenda
  3. 4. What is Virtualization? Virtualization is the creation of a virtual (rather than actual) version of something, such as an operating system (OS), a server, a storage device or network resource. Source - http://en.wikipedia.org/wiki/Virtualization
  4. 5. What is Virtualization cont. <ul><li>Virtualization presents hardware resources as virtual resources: </li></ul><ul><li>CPU </li></ul><ul><li>Memory </li></ul><ul><li>Storage (Disk) </li></ul><ul><li>Network Interface (NIC) </li></ul>
  5. 6. <ul><li>Not a new concept </li></ul><ul><li>First developed in the 1960s and was better known as time-sharing </li></ul><ul><li>IBM developed the idea of a Virtual Machine Monitor (VMM) which is also know as a Hypervisor </li></ul>History of Virtualization
  6. 7. <ul><li>Server Virtualization </li></ul><ul><li>Desktop Virtualization or (VDI) </li></ul><ul><li>Application Virtualization </li></ul><ul><li>Network Virtualization </li></ul><ul><li>Storage Virtualization </li></ul>Types of Virtualization
  7. 8. Server Virtualization
  8. 9. <ul><li>Encapsulate OS and present “virtual hardware” </li></ul><ul><li>Run many OS on single hardware platform </li></ul><ul><li>Consolidate underutilized servers </li></ul><ul><li>VMware (vSphere), Microsoft (Hyper-V), Citrix (XenServer) and Solaris Containers </li></ul>What is Server Virtualization?
  9. 10. Server Virtualization Analogy Hotel VS Holiday Home
  10. 11. Copyright © 2004 VMware, Inc. All rights reserved. Traditional Server Server without Virtualization Holiday Home
  11. 12. Virtualized Server Hotel Server with Virtualization
  12. 13. Desktop Virtualization
  13. 14. <ul><li>Desktop virtualization separates a personal computer desktop environment from a physical machine using a client–server model of computing </li></ul><ul><li>Desktop virtualization is sometimes referred to as Virtual Desktop Infrastructure (VDI) </li></ul>What is Desktop Virtualization?
  14. 15. <ul><li>Remote Desktop (RDS) is different to VDI </li></ul><ul><li>With (RDS), all users are sharing the same OS. With VDI, each user has their own real OS (could be dedicated or from a pool) </li></ul><ul><li>VMware View, Citrix (XenDesktop) and Kaviza </li></ul>What is Desktop Virtualization cont.
  15. 16. Application Virtualization
  16. 17. <ul><li>Encapsulate applications (run conflicting applications on same system, i.e. IE 7 and IE8) </li></ul><ul><li>Avoid apps corrupting (OS) </li></ul><ul><li>Application delivery (Stream, ESD, Other) </li></ul><ul><li>VMware (ThinApp), Microsoft (App-V) and Citrix ( XenApp) </li></ul>What is Application Virtualization?
  17. 18. Network Virtualization
  18. 19. <ul><li>Network virtualization is a method used to combine computer network resources into a single platform, known as a virtual network </li></ul><ul><li>Not a new concept </li></ul><ul><li>Virtual private networks (VPNs) are widely used </li></ul><ul><li>Virtual Local Area Networks (VLANs) are a form of network virtualization </li></ul>What is Network Virtualization?
  19. 20. Physical Network
  20. 21. VMware Virtual Network
  21. 22. Storage Virtualization
  22. 23. <ul><li>Storage virtualization is the amalgamation of multiple network storage devices into what appears to be a single storage unit. Storage virtualization is often used in SAN (storage area networks). </li></ul><ul><li>Source http :// www.webopedia.com/TERM/S/storage_virtualization.html </li></ul>What is Storage Virtualization?
  23. 24. Virtualization Security
  24. 25. Industry Comments ESG Research indicates that security professionals lack virtualization knowledge and best practice models for server virtualization security. Gartner survey: “ 40% of virtualization deployment projects were undertaken without involving the information security team in the initial architecture and planning stages.” Gartner analyst Neil MacDonald wrote: “Virtualization is not inherently insecure. However, most virtualized workloads are being deployed insecurely.“
  25. 26. <ul><li>Patching </li></ul><ul><li>Disaster Recovery </li></ul><ul><li>Investigation </li></ul><ul><li>Forensics </li></ul>Virtualization Security Benefits
  26. 27. <ul><li>Virtual environment misconfiguration </li></ul><ul><li>Processes </li></ul><ul><li>Lack of Controls </li></ul><ul><li>Access Controls </li></ul><ul><li>Software Vulnerabilities </li></ul><ul><li>Malware </li></ul>Virtualization Security Issues
  27. 28. <ul><li>vCenter </li></ul><ul><li>Networking, vSwitches, Cisco Nexus 1000v, vLANs </li></ul><ul><li>Storage </li></ul><ul><li>Logging </li></ul><ul><li>Monitoring </li></ul>VMware vSphere Security
  28. 29. Virtualization Compliance
  29. 30. <ul><li>New technologies introduce new components and processes causing conflict with standards and policies </li></ul><ul><li>Internal policies and standards need to be updated to reflect virtualization technology </li></ul><ul><li>Industry standards, PCI DSS, HIPA, etc, sometimes lag technology </li></ul>Compliance Issues
  30. 31. Controls Policies & Compliance Processes & Standards Compliance Pyramid
  31. 32. Cloud Computing
  32. 33. What is Cloud Computing? Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Source - http://www.nist.gov/itl/cloud/index.cfm
  33. 34. <ul><li>Private cloud </li></ul><ul><li>Public cloud </li></ul><ul><li>Community cloud </li></ul><ul><li>Hybrid cloud </li></ul>Types of Cloud Computing
  34. 35. What is a Private Cloud? <ul><li>Operated solely for an organization </li></ul><ul><li>May be managed by the organization or a third party </li></ul><ul><li>May exist on-premise or off-premise </li></ul>
  35. 36. Private Cloud Security Most of the virtualization controls that we spoke about earlier, would apply to the Private Cloud as you control the “Private Cloud.”
  36. 37. Controls Organisation Due-Diligence Processes & Standards Compliance Pyramid
  37. 38. Resources NIST guide to Security for Full Virtualization Technologies http://csrc.nist.gov/publications/nistpubs/800-125/SP800-125-final.pdf VMware hardening guides http://blogs.vmware.com/security/2010/04/vsphere-40-hardening-guide-released.html Cloud Security Alliance http://www.cloudsecurityalliance.org/ NIST Definition of Cloud Computing http://www.nist.gov/itl/cloud/index.cfm Center for Internet Security (CIS) Benchmarks on Server Virtualization http://cisecurity.org/en-us/?route=downloads.benchmarks Defense Information System Agency (DISA) http://iase.disa.mil/stigs/index.html
  38. 39. Questions? Kevin Wharram [email_address]

×