ISACA Perth: 2011 Annual Conference      Trends in Virtual Security           (Balance Virtual Risk with Reward)    Kim Wi...
The Abstract» Virtualisation has come a long way in the past ten years. We are looking  beyond the pure consolidation bene...
The Abstract»   Virtualisation has come a long way in the past ten years. We are looking beyond the pure consolidation ben...
Boundaryless IT» Boundaryless Information™ (III-RM)  » Integrated Information Infrastructure Reference    Model  » Ref: TO...
The Next Step:Boundaryless Technology Infrastructure                      Cloud                   Meta-Virtualise         ...
The Abstract» Virtualisation has come a long way in the past ten years. We are looking  beyond the pure consolidation bene...
What does Uncle Sam Say?» Hypervisors have bugs and vulnerabilities too» Physical isolation/separation principles are gone...
In my opinion…» The Management Constructs  associated with virtualisation / cloud  platforms…. The biggest risks  » Your m...
Some Top Virtual Risks»   Prebuilt VMs/appliances containing malicious code»   Improperly configured hypervisor»   Imprope...
Virtual Architecture 101» It all starts with good PARENTING  »   Physical Security  »   Storage Security  »   Network Secu...
Virtual Architecture 102» Management Layer Security  » Virtual Centres, SCVMMs, Remote Consoles» Admin Model  » Management...
The Abstract» Virtualisation has come a long way in the past ten years. We are looking  beyond the pure consolidation bene...
» “I cannot see any security or legal  benefits whatsoever related to cloud  computing…” (A. Lawyer)
» Some NEW possibilities  » Introspection APIs  » Deep collection & visibility  » Antivirus offload (agentless-AV)  » Meta...
» Only SOME and SPECIFIC platforms  evaluated to EAL 4+ Common Criteria,  NIST, DISA STIG, US DoD, NSA CSS  etc…
Principles:Build a solid foundation;Use the vendor’s hardening guides;& ISACA materials (auditors too)Trust your own befor...
The Abstract» Virtualisation has come a long way in the past ten years. We are looking  beyond the pure consolidation bene...
Virtual Architecture 103 Virtualisation: a journey from your data-centre to some cloudy ones, some mixing it up in the mid...
Meta-VirtualisationMeta = describes; is made up of; constituent parts…Meta-Virtualise – Describe the containers,relationsh...
The Virtual Machine     (Amoeba)             VM 1.0             Independent;             Basic environmental awareness    ...
Enhanced VMs         VM 2.0         Increased controls         Improved environmental         awareness         Still oper...
VMs in a Petri Dish            VM 3.0            Collaborating            Groups            Expanded META            bound...
Meta Groups       IntranetDMZ             Research
Tenant MetaDMZ     Intranet      Research
Multi                 Coca-Cola           Tenant                                      MetaACME Corp.InfrastructureCloud   ...
Meta-Virtualisation» Meta defines the principles where VMs  operate» Meta follows where things move» Enforcing Meta across...
Vendor Reference Architecture» Secure Multi Tenancy
The Abstract» Virtualisation has come a long way in the past ten years. We are looking  beyond the pure consolidation bene...
Virtualising Your DMZ» Philosophical Debate» Can & should you host your DMZ VMs on  the same host/partition/environment as...
Virtualising Your DMZ“Last week VMware achieved the status ofbeing the ONLY hypervisor (vSphere 4.0)accredited to run Impa...
Virtualising PCI-DSS» PCI DSS v2.0 – Virtualisation Special  Interest Group (SIG) … formed late 2008» PCI DSS Virtualisati...
The Abstract» Virtualisation has come a long way in the past ten years. We are looking  beyond the pure consolidation bene...
Microsoft Virtualisation»   Hyper-V “Open Source Promise”»   Hyper-V … Cisco 1000V»   Hyper-V Trusted Computing Base (TCB)...
Emerging Technologies» Cloud Connectivity & Portability  »   VMware’s vCloud Connector  »   vCloud Service Providers  »   ...
Emerging Technologies» IaaS Cloud Encryption  » Virtual machines in transit  » Virtual machines runtime  » Customer holds ...
Emerging Trends           Standards Based Clouds» Demonstrating compliance across the  provider’s Infrastructure Mesh  » e...
Case Study: Los Alamos NationalLaboratory www.lanl.gov» Security research institution responsible for  American nuclear de...
What does Uncle Sam Say?
Questionskim.wisniewski@empired.com     www.empired.com
Isaca 2011 trends in virtual security v1.0
Upcoming SlideShare
Loading in …5
×

Isaca 2011 trends in virtual security v1.0

1,459 views

Published on

Published in: Technology, News & Politics
  • Be the first to comment

  • Be the first to like this

Isaca 2011 trends in virtual security v1.0

  1. 1. ISACA Perth: 2011 Annual Conference Trends in Virtual Security (Balance Virtual Risk with Reward) Kim Wisniewski – Senior Consultant, Empired Ltd.
  2. 2. The Abstract» Virtualisation has come a long way in the past ten years. We are looking beyond the pure consolidation benefits of server virtualisation, into a future of cloud computing and infrastructure-as-a-service. No longer can we see the data-centre that our virtual machines are running in, the safety cord is broken. This opens the door to a plethora of new security considerations that security professionals need to be aware of to remain competitive.» This presentation looks at the current state of virtualisation asking the following questions: What should IT professionals consider when selling, designing or auditing a virtual infrastructure? Are there any security benefits with virtualisation? How can we safely deploy our virtual machines in the cloud? Can PCI compliance be reached in a virtual world? Is it even safe to virtualise my DMZ?» The presentation will look at these objectives within the context of the common virtualisation platforms on the market today, concluding with a look into the future at emerging technologies and virtualisation standards that may help those in pursuit of the ultimate secure virtual world.
  3. 3. The Abstract» Virtualisation has come a long way in the past ten years. We are looking beyond the pure consolidation benefits of server virtualisation, into a future of cloud No longer can we see the data-centre computing and infrastructure-as-a-service. that our virtual machines are running in, the safety cord is broken. This opens the door to a plethora of new security considerations that security professionals need to be aware of to remain competitive.» This presentation looks at the current state of virtualisation asking the following questions: What should IT professionals consider when selling, designing or auditing a virtual infrastructure? Are there any security benefits with virtualisation? How can we safely deploy our virtual machines in the cloud? Can PCI compliance be reached in a virtual world? Is it even safe to virtualise my DMZ?» The presentation will look at these objectives within the context of the common virtualisation platforms on the market today, concluding with a look into the future at emerging technologies and virtualisation standards that may help those in pursuit of the ultimate secure virtual world.
  4. 4. Boundaryless IT» Boundaryless Information™ (III-RM) » Integrated Information Infrastructure Reference Model » Ref: TOGAF 9
  5. 5. The Next Step:Boundaryless Technology Infrastructure Cloud Meta-Virtualise Infrastructure Mesh Stack Convergence Virtual Infrastructure Legacy (old school) siloed infrastructure
  6. 6. The Abstract» Virtualisation has come a long way in the past ten years. We are looking beyond the pure consolidation benefits of server virtualisation, into a future of cloud computing and infrastructure-as-a-service. No longer can we see the data-centre that our virtual machines are running in, the safety cord is broken. This opens the door to a plethora of new security considerations that security professionals need to be aware of to remain competitive.» This presentation looks at the current state of virtualisation asking the following questions: What should IT professionals consider when selling, designing or auditing a virtual infrastructure? Are there any security benefits with virtualisation? How can we safely deploy our virtual machines in the cloud? Can PCI compliance be reached in a virtual world? Is it even safe to virtualise my DMZ?» The presentation will look at these objectives within the context of the common virtualisation platforms on the market today, concluding with a look into the future at emerging technologies and virtualisation standards that may help those in pursuit of the ultimate secure virtual world.
  7. 7. What does Uncle Sam Say?» Hypervisors have bugs and vulnerabilities too» Physical isolation/separation principles are gone» Scoping the Infra. Mesh Audit will be tricky…
  8. 8. In my opinion…» The Management Constructs associated with virtualisation / cloud platforms…. The biggest risks » Your mgmt. tools and users » …& how much is exposed to them…
  9. 9. Some Top Virtual Risks» Prebuilt VMs/appliances containing malicious code» Improperly configured hypervisor» Improperly configured virtual firewalls or networking» Data leakage through templates/clones» Administrative or operational error» Mixing security domains without controls» Lax hypervisor patching» Lack of understanding of security principles across the entire stackA lack of process & architecture in the beginning?
  10. 10. Virtual Architecture 101» It all starts with good PARENTING » Physical Security » Storage Security » Network Security » Converged Security (e.g., blades) » Hypervisor security » Guests security » Hypervisor relationship to its guests » Aggregates – clusters, pools, groups, etc. » Management Centres Principles: Isolation, Separation
  11. 11. Virtual Architecture 102» Management Layer Security » Virtual Centres, SCVMMs, Remote Consoles» Admin Model » Management, Controls, Process » Audit (self audit, independent audit, the more the merrier…) Principles: Role Based, Auditability, Change Logging, treat the Hypervisor as your engine room…
  12. 12. The Abstract» Virtualisation has come a long way in the past ten years. We are looking beyond the pure consolidation benefits of server virtualisation, into a future of cloud computing and infrastructure-as-a-service. No longer can we see the data-centre that our virtual machines are running in, the safety cord is broken. This opens the door to a plethora of new security considerations that security professionals need to be aware of to remain competitive.» This presentation looks at the current state of virtualisation asking the following questions: What should IT professionals consider when selling, designing or auditing a virtual infrastructure? Are there any security benefits with virtualisation? How can we safely deploy our virtual machines in the cloud? Can PCI compliance be reached in a virtual world? Is it even safe to virtualise my DMZ?» The presentation will look at these objectives within the context of the common virtualisation platforms on the market today, concluding with a look into the future at emerging technologies and virtualisation standards that may help those in pursuit of the ultimate secure virtual world.
  13. 13. » “I cannot see any security or legal benefits whatsoever related to cloud computing…” (A. Lawyer)
  14. 14. » Some NEW possibilities » Introspection APIs » Deep collection & visibility » Antivirus offload (agentless-AV) » Meta-Virtual compliance » Reporting / compliance tracking » Compliance Toolkits
  15. 15. » Only SOME and SPECIFIC platforms evaluated to EAL 4+ Common Criteria, NIST, DISA STIG, US DoD, NSA CSS etc…
  16. 16. Principles:Build a solid foundation;Use the vendor’s hardening guides;& ISACA materials (auditors too)Trust your own before anybody elses
  17. 17. The Abstract» Virtualisation has come a long way in the past ten years. We are looking beyond the pure consolidation benefits of server virtualisation, into a future of cloud computing and infrastructure-as-a-service. No longer can we see the data-centre that our virtual machines are running in, the safety cord is broken. This opens the door to a plethora of new security considerations that security professionals need to be aware of to remain competitive.» This presentation looks at the current state of virtualisation asking the following questions: What should IT professionals consider when selling, designing or auditing a virtual infrastructure? Are there any security benefits are with virtualisation? How can we safely deploy our virtual machines in the cloud? Can PCI compliance be reached in a virtual world? Is it even safe to virtualise my DMZ?» The presentation will look at these objectives within the context of the common virtualisation platforms on the market today, concluding with a look into the future at emerging technologies and virtualisation standards that may help those in pursuit of the ultimate secure virtual world.
  18. 18. Virtual Architecture 103 Virtualisation: a journey from your data-centre to some cloudy ones, some mixing it up in the middle (hybrid)» Cloud (IaaS) Security » Do you trust the providers? » Do you trust what you’re putting out there? Principles: Architectural Transparency; Understand the journey of your VMs
  19. 19. Meta-VirtualisationMeta = describes; is made up of; constituent parts…Meta-Virtualise – Describe the containers,relationships, requirements and boundaries betweenVMs• security requirements, compliance goals• minimum performance levels, SLAs• their relationship to the environment (the VI)
  20. 20. The Virtual Machine (Amoeba) VM 1.0 Independent; Basic environmental awareness “enough to survive”
  21. 21. Enhanced VMs VM 2.0 Increased controls Improved environmental awareness Still operating independently
  22. 22. VMs in a Petri Dish VM 3.0 Collaborating Groups Expanded META boundary e.g., VMware vAPP
  23. 23. Meta Groups IntranetDMZ Research
  24. 24. Tenant MetaDMZ Intranet Research
  25. 25. Multi Coca-Cola Tenant MetaACME Corp.InfrastructureCloud Pepsi
  26. 26. Meta-Virtualisation» Meta defines the principles where VMs operate» Meta follows where things move» Enforcing Meta across the converged stack, mesh, and into clouds is a challenge Think “Admission Control” – in your DC or a Cloud Provider
  27. 27. Vendor Reference Architecture» Secure Multi Tenancy
  28. 28. The Abstract» Virtualisation has come a long way in the past ten years. We are looking beyond the pure consolidation benefits of server virtualisation, into a future of cloud computing and infrastructure-as-a-service. No longer can we see the data-centre that our virtual machines are running in, the safety cord is broken. This opens the door to a plethora of new security considerations that security professionals need to be aware of to remain competitive.» This presentation looks at the current state of virtualisation asking the following questions: What should IT professionals consider when selling, designing or auditing a virtual infrastructure? Are there any security benefits are with virtualisation? How can we safely deploy our virtual machines in the cloud? Can PCI compliance be reached in a virtual world? Is it even safe to virtualise my DMZ?» The presentation will look at these objectives within the context of the common virtualisation platforms on the market today, concluding with a look into the future at emerging technologies and virtualisation standards that may help those in pursuit of the ultimate secure virtual world.
  29. 29. Virtualising Your DMZ» Philosophical Debate» Can & should you host your DMZ VMs on the same host/partition/environment as your other VMs?Vendor Reference Architectures aplenty; butwhat does the security community say?
  30. 30. Virtualising Your DMZ“Last week VMware achieved the status ofbeing the ONLY hypervisor (vSphere 4.0)accredited to run Impact Level 3/RestrictedVMs and Unclassified/Internet facing virtualmachines on the same host/cluster.”» http://www.cesg.gov.uk/news/docs_pdfs/cesg- vmware_joint-statement14-09-11.pdf
  31. 31. Virtualising PCI-DSS» PCI DSS v2.0 – Virtualisation Special Interest Group (SIG) … formed late 2008» PCI DSS Virtualisation Guidelines released June 2011
  32. 32. The Abstract» Virtualisation has come a long way in the past ten years. We are looking beyond the pure consolidation benefits of server virtualisation, into a future of cloud computing and infrastructure-as-a-service. No longer can we see the data-centre that our virtual machines are running in, the safety cord is broken. This opens the door to a plethora of new security considerations that security professionals need to be aware of to remain competitive.» This presentation looks at the current state of virtualisation asking the following questions: What should IT professionals consider when selling, designing or auditing a virtual infrastructure? Are there any security benefits are with virtualisation? How can we safely deploy our virtual machines in the cloud? Can PCI compliance be reached in a virtual world? Is it even safe to virtualise my DMZ?» The presentation will look at these objectives within the context of the common virtualisation platforms on the market today, concluding with a look into the future at emerging technologies and virtualisation standards that may help those in pursuit of the ultimate secure virtual world.
  33. 33. Microsoft Virtualisation» Hyper-V “Open Source Promise”» Hyper-V … Cisco 1000V» Hyper-V Trusted Computing Base (TCB)» Hyper-V Security Best Practices Podcast HyperV <> Azure Convergence (IaaS)
  34. 34. Emerging Technologies» Cloud Connectivity & Portability » VMware’s vCloud Connector » vCloud Service Providers » Long Distance VMotion / VXLAN / OTV » Microsoft SCVMM 2012 » OpenStack » Meta-virtualisation: support for & building upon
  35. 35. Emerging Technologies» IaaS Cloud Encryption » Virtual machines in transit » Virtual machines runtime » Customer holds the keys» TXT/TPM Integrations » Trusted execution technology » Trusted platform module » Hypervisor & cloud stack talking the TXT lingo…
  36. 36. Emerging Trends Standards Based Clouds» Demonstrating compliance across the provider’s Infrastructure Mesh » e.g., FISMA Certified Clouds» Open Portability between cloud types » e.g., Azure <> vCloud <> OpenStack ???
  37. 37. Case Study: Los Alamos NationalLaboratory www.lanl.gov» Security research institution responsible for American nuclear deterrence» Achieved » NIST Certification and Accreditation » Authority to operate as FISMA moderate with VMware vCloud» Secure Multi-Tenancy (META-Virtual)» Reference Architecture forthcoming…?
  38. 38. What does Uncle Sam Say?
  39. 39. Questionskim.wisniewski@empired.com www.empired.com

×