Compliance with best practices and industry standards is often difficult for new technologies and service approaches. Although compliance control objectives or control descriptions should remain flexible regarding the specific control implementation, over time some have become too specific about technology implementations, with little guidance on how new technologies or approaches should align.

Often new technical components are added to the design and new processes are added to service management when implementing new technologies, leaving many unanswered questions regarding the scope and intent of compliance (i.e. financial control compliance vs. IT value for money).

Example of control prescription conflict in virtualization
What do we want to be compliant with? HIPAA, PCI, SOX, NERC, CFR?

Do the high-level objectives of the compliance standard conflict with virtualization trust domains or the controls available? Does the regulating body allow for interpretation of control objectives to an environment and technology?
 - Do they dictate whether or not virtualization can be used as a technology?

Who has the regulating body assigned to attest to compliance? Who is accountable for assuring that control implementations meet the control objectives required by compliance?
 - Are you allowed to self-attest?
 - What experience does the third-party auditor have with virtualization?
 - Will the third party help or hinder (compliance or intent)?
What specific control objectives are impacted or influenced by virtualization? Understanding the control objectives related to virtualization and your service management model is key to creating a comprehensive compliance strategy. Prioritize the identified control objectives and determine whether explicit controls (physical) and control implementations (component) are prescribed by the compliance standard and regulating body. If explicit implementations are not aligned, can we be compliant?
What design and service management issues in virtualization are related to compliance with your required objectives?

Core Themes (SABSA diagram)
What real world issues exist with compliance initiatives in virtualized environments?
 - Design and service management is maturing at a high rate in relation to virtualization architecture
 - Experts disagree on the effectiveness of controls and implementations
 - Virtualization allows people and entities to quickly create boundaryless service environments where traceable control implementations may become impossible

What SLAs exist for core controls and/or infrastructure/data supporting controls? Do contractual agreements allow system risk to be managed or improved?
How do I approach a compliance review or gap analysis in my environment?

Understand your compliance governance structure
 - Who regulates compliance?
 - Who attests to what level?
 - What type of assurance controls enable compliance?

Understand your virtualization environment security architecture
 - What entities are in

Manage and compensate for real world management and maintenance issues
 - Promote awareness of the need for on-going assurance vs. static compliance
Compliance in Virtualized Environments
Compliance Challenges in Virtualized Environments
Compliance to best practice and industry standards is challenging for new technologies like virtualization
Compliance Standards
Assurance of Control Objectives
Prescription of Control Implementations
New technologies introduce new components and processes causing conflict with existing control prescriptions
 - "Each server must only have one primary function." [§ 2.2.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance, All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, October 2008]
 - "Key components should be protected by segregating the critical applications from the other applications and information." [CI2.1.4(a), The Standard of Good Practice for Information Security]
 - "Utility programs are programs that may be able to override system and application controls. They should be restricted and controlled. If these system utilities are not needed, they should be disabled or removed." [§ 11.5.4, ISO/IEC 27002:2005 Code of practice for information security management]
Security boundaries within process and technical domains are still being defined and designed for virtualization
 - What consistent best practice exists for virtualized image management?
 - Are there varying levels of granularity regarding access control within different virtualization technologies?
Virtualized PCI Application Domain Model
Relationship Scenarios
 - S1. Untrusted users publicly enter PCI information
 - S2. / S2a. Servers transfer PCI info to provider (S2a. Telephone)
 - S3. Remote locations access applications containing PCI information
 - S6. Staff access PCI application from LAN/WAN
 - S7. Staff access management interfaces of physical and virtual guests and hosts
 - S9. Staff access management interfaces of the routers/switches
 - S11. Data is transferred between the Web-facing PCI servers and internal PCI database servers
What do we want to be compliant with?
 - HIPAA, PCI, SOX, GLB, NERC, CFR
 - Do the high-level objectives of the compliance standard conflict with virtualization?
 - Does the regulating body allow for interpretation of the standards?
 - Who has the regulating body assigned to attest to the compliance of the standards?
What specific control objectives are impacted by virtualization? (Improved?)
 - Process and environment classification (NERC CIP-003-1 R4.2)
 - Extension of information asset classification (HIPAA 164.308(a)(7)(ii)(E))
 - Log Monitoring & Tracking (PCI 4.2 (v1.1))
 - System boundary definition (NIST 800-53)
Are there specific control implementations in conflict?
 - Least privilege implementation issues
 - Lockout procedure by-pass
What design & service management issues in virtualization are related to compliance?
 - Business Continuity Management
 - Security Audit & Assurance Levels
 - Change Control Implementations
 - Security Domain / Boundary Control
 - Access Control & Privilege Administration
 - Security Operation Schedule Management
Issues with Virtualized Environments and PCI Compliance
Understanding of domains, boundaries & access
7.1 – Is access to computing resources and cardholder information limited to only those individuals whose jobs require such access?
 - Does a logical virtualization deployment diagram exist?
 - Will “complex” virtualization management components (HA, DRS, Vmotion or VCB) be used in the environment?
 - How is virtualization platform user administration performed? (ESX/VCenter)

Example Environment Diagram (Poor / No information)
Configuration Questions (1-4)
 - What legacy systems will be migrated to the ESX environment?
 - What do systems currently hosted in the ESX environment do?
 - Does a logical deployment diagram for PCI systems exist?
 - Will HA, DRS, Vmotion or VCB be used in this environment?
 - Are there change management policies in place for system management?
 - Is there a formal installation procedure for ESX hosts? Guests? Virtual Centre?

Configuration Questions (2-4)
 - What resource limiting and share assignment exists in the design?
 - How is ESX/VCenter user administration performed? Formally documented?
 - What security measures are in place to avoid copying/pasting or adding of devices to the virtual guests?
 - Are templates being used for deploying guests? If so, what security measures are being used for template creation?
 - What system logging policies exist? How is logging deployed within the ESX architecture?
 - What is currently being done internally for system clock synchronization?

Configuration Questions (3-4)
 - Is there a formal policy in place for physical access to the data centre?
 - What security measures will be applied to virtual machines: system hardening, antivirus agents, spyware filters, intrusion detection systems, etc.?
 - What policy for vulnerability management within the virtualized architecture has been defined?
 - Is SAN zoning and masking configured and managed properly to prevent unauthorized presentation of data to virtual machines?
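One way to turn the configuration questions above, together with the "one primary function" and segregation controls quoted earlier, into evidence that can be regenerated for each review. This is an added example, not material from the presentation and not a VMware or PCI tool: it evaluates a constructed ESX/VirtualCenter inventory (hypothetical host, guest, cluster and template names) against an assumed interpretation of the questions, and the rule set illustrates how a reviewer might encode them rather than stating any PCI DSS ruling.

```python
"""Evidence checks for a virtualized PCI environment (constructed example).

The inventory and the rules are an assumed interpretation of the
configuration questions in this presentation; they are not a PCI DSS
ruling and not output of any VMware tool.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Host:
    name: str
    cluster: str
    ntp_servers: List[str]   # empty list = no clock synchronization configured
    remote_syslog: bool      # host logs shipped to a central collector


@dataclass
class Guest:
    name: str
    host: str
    functions: List[str]     # primary function(s) the server provides
    pci_scope: bool          # stores, processes or transmits cardholder data
    remote_syslog: bool
    from_template: str       # template the guest was built from, "" if hand-built


@dataclass
class Cluster:
    name: str
    live_migration: bool     # HA / DRS / VMotion enabled for the cluster


# Constructed inventory with hypothetical names (not a real environment).
HOSTS = [
    Host("esx-pci-01", "pci-cluster", ["ntp1.example.invalid"], True),
    Host("esx-pci-02", "pci-cluster", [], True),
    Host("esx-gen-01", "general", ["ntp1.example.invalid"], False),
    Host("esx-gen-02", "general", ["ntp1.example.invalid"], True),
]
GUESTS = [
    Guest("pci-web-01", "esx-pci-01", ["web"], True, True, "pci-web-hardened"),
    Guest("pci-db-01", "esx-pci-01", ["database"], True, True, "pci-db-hardened"),
    Guest("pci-app-02", "esx-pci-02", ["app", "database"], True, False, ""),
    Guest("intranet-wiki", "esx-gen-01", ["web"], False, False, "generic"),
    Guest("legacy-cde-report", "esx-gen-01", ["reporting"], True, True, "pci-db-hardened"),
]
CLUSTERS = [Cluster("pci-cluster", True), Cluster("general", True)]
# Templates the (assumed) build standard has hardened for in-scope guests.
HARDENED_TEMPLATES = {"pci-web-hardened", "pci-db-hardened"}

Finding = Tuple[str, str, str]   # (rule id, object name, detail)


def check_inventory(hosts: List[Host], guests: List[Guest],
                    clusters: List[Cluster], hardened_templates) -> List[Finding]:
    findings: List[Finding] = []

    # Rule 1: one primary function per server (PCI DSS 2.2.1 as quoted above).
    for g in guests:
        if len(g.functions) != 1:
            findings.append(("ONE_FUNCTION", g.name,
                             f"{len(g.functions)} primary functions: {g.functions}"))

    # Rule 2: segregation - a host must not mix in-scope and out-of-scope guests.
    guests_by_host: Dict[str, List[Guest]] = {}
    for g in guests:
        guests_by_host.setdefault(g.host, []).append(g)
    for host_name, hosted in guests_by_host.items():
        if len({g.pci_scope for g in hosted}) > 1:
            names = ", ".join(g.name for g in hosted)
            findings.append(("MIXED_SCOPE_HOST", host_name,
                             f"in-scope and out-of-scope guests share the host: {names}"))

    # Rule 3: if HA/DRS/VMotion can move guests, every host in the cluster must
    # already carry in-scope guests; otherwise a migration crosses the boundary.
    pci_hosts = {g.host for g in guests if g.pci_scope}
    for c in clusters:
        if not c.live_migration:
            continue
        members = [h.name for h in hosts if h.cluster == c.name]
        in_scope = [m for m in members if m in pci_hosts]
        if in_scope and len(in_scope) != len(members):
            outside = sorted(set(members) - set(in_scope))
            findings.append(("MIGRATION_BOUNDARY", c.name,
                             f"live migration enabled but hosts outside scope: {outside}"))

    # Rule 4: clock synchronization and remote logging on every host,
    # remote logging on every in-scope guest.
    for h in hosts:
        if not h.ntp_servers:
            findings.append(("NO_NTP", h.name, "no time source configured"))
        if not h.remote_syslog:
            findings.append(("NO_REMOTE_LOG", h.name, "host logs stay local"))
    for g in guests:
        if g.pci_scope and not g.remote_syslog:
            findings.append(("NO_REMOTE_LOG", g.name, "in-scope guest logs stay local"))

    # Rule 5: in-scope guests are built from a hardened template.
    for g in guests:
        if g.pci_scope and g.from_template not in hardened_templates:
            findings.append(("UNHARDENED_BUILD", g.name,
                             f"deployed from {g.from_template or 'no template'}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule, for the gap-analysis summary."""
    counts: Dict[str, int] = {}
    for rule, _, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    results = check_inventory(HOSTS, GUESTS, CLUSTERS, HARDENED_TEMPLATES)
    for rule, obj, detail in results:
        print(f"{rule:<18} {obj:<18} {detail}")
    print(summarize(results))
```

In a real review the inventory would be exported from VirtualCenter and the hardened-template list taken from the build standard; the point is that each question becomes a rule with a named finding, so the evidence behind an attestation can be regenerated on demand rather than captured once, which is the on-going assurance the presentation contrasts with static compliance.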
Configuration Questions (4-4)
The Windows host running VirtualCentre (VC) must have strict security measures enforced in order to protect access to the management of the virtual infrastructure.
 - What account is used to run VirtualCentre on the management stations?
 - What roles and permissions are used/disabled in VC?
 - Is the VC computer placed in a separate management network?
 - Where does the VC database reside and what method of authentication is used on this database?
 - What security practices have been applied to secure the database?
 - Are self-signed certificates used?

General Thoughts around Virtualization & PCI
 - The fallacy of cost reduction
 - Central points of access / collusion for staff
 - LEGAL LIABILITY

Real world issues in virtualization compliance:
 - Design & Service Management standards are changing rapidly
 - Experts disagree on effectiveness of controls and implementations
 - Virtualization allows people and entities to quickly create boundaryless service environments

How do I approach a compliance review in my environment?
 - Understand your compliance governance structure
 - Understand your virtualization security architecture
 - Manage and compensate for real world issues

Thanks
Michael Legary, CISSP, CISM, CISA, CCSA, CSA, GCIH
Founder & CIO
Seccuris Inc.
Email: Michael.Legary@seccuris.com
Direct: 204-255-4490
Main: 204-255-4136
Fax: 204-942-6705
This presentation contains reference material and direct content from multiple copyright holders. References available on request / within presentation slide notes.

Resources
Center for Internet Security
http://www.cisecurity.org/
VMware Security Center
http://www.vmware.com/security/