ISACA Perth: 2011 Annual Conference

      Trends in Virtual Security
           (Balance Virtual Risk with Reward)
    Kim Wisniewski – Senior Consultant, Empired Ltd.
The Abstract
» Virtualisation has come a long way in the past ten years. We are looking
  beyond the pure consolidation benefits of server virtualisation, into a
  future of cloud computing and infrastructure-as-a-service. No longer can
  we see the data-centre that our virtual machines are running in, the safety
  cord is broken. This opens the door to a plethora of new security
  considerations that security professionals need to be aware of to remain
  competitive.
» This presentation looks at the current state of virtualisation asking the
  following questions: What should IT professionals consider when selling,
  designing or auditing a virtual infrastructure? Are there any security
  benefits with virtualisation? How can we safely deploy our virtual
  machines in the cloud? Can PCI compliance be reached in a virtual
  world? Is it even safe to virtualise my DMZ?
» The presentation will look at these objectives within the context of the
  common virtualisation platforms on the market today, concluding with a
  look into the future at emerging technologies and virtualisation standards
  that may help those in pursuit of the ultimate secure virtual world.
The Abstract
» No longer can we see the data-centre that our virtual machines are running in, the safety cord is broken.
Boundaryless IT
» Boundaryless Information™ (III-RM)
  » Integrated Information Infrastructure Reference
    Model
  » Ref: TOGAF 9
The Next Step:
Boundaryless Technology Infrastructure


                      Cloud

                   Meta-Virtualise

                 Infrastructure Mesh

                  Stack Convergence

                   Virtual Infrastructure

                      Legacy (old school)
                      siloed infrastructure
The Abstract
» What should IT professionals consider when selling, designing or auditing a virtual infrastructure?
What does Uncle Sam Say?



» Hypervisors have bugs and vulnerabilities too

» Physical isolation/separation principles are gone

» Scoping the Infra. Mesh Audit will be tricky…
In my opinion…

» The Management Constructs
  associated with virtualisation / cloud
  platforms…. The biggest risks

  » Your mgmt. tools and users
  » …& how much is exposed to them…
Some Top Virtual Risks
»   Prebuilt VMs/appliances containing malicious code
»   Improperly configured hypervisor
»   Improperly configured virtual firewalls or networking
»   Data leakage through templates/clones
»   Administrative or operational error
»   Mixing security domains without controls
»   Lax hypervisor patching
»   Lack of understanding of security principles across
    the entire stack

A lack of process & architecture in the beginning?
Virtual Architecture 101
» It all starts with good PARENTING
  »   Physical Security
  »   Storage Security
  »   Network Security
  »   Converged Security (e.g., blades)
  »   Hypervisor security
  »   Guest security
  »   Hypervisor relationship to its guests
  »   Aggregates – clusters, pools, groups, etc.
  »   Management Centres

   Principles: Isolation, Separation
Virtual Architecture 102

» Management Layer Security
  » Virtual Centres, SCVMMs, Remote Consoles


» Admin Model
  » Management, Controls, Process
  » Audit (self audit, independent audit, the more
    the merrier…)

 Principles: Role Based, Auditability,
 Change Logging, treat the Hypervisor
 as your engine room…
The Abstract
» Are there any security benefits with virtualisation?
» “I cannot see any security or legal
  benefits whatsoever related to cloud
  computing…” (A. Lawyer)
» Some NEW possibilities

  » Introspection APIs
  » Deep collection & visibility
  » Antivirus offload (agentless-AV)
  » Meta-Virtual compliance
  » Reporting / compliance tracking
  » Compliance Toolkits
» Only SOME and SPECIFIC platforms
  evaluated to EAL 4+ Common Criteria,
  NIST, DISA STIG, US DoD, NSA CSS
  etc…
Principles:

Build a solid foundation;

Use the vendor’s hardening guides;
& ISACA materials (auditors too)

Trust your own before anybody else's
The Abstract
» How can we safely deploy our virtual machines in the cloud?
Virtual Architecture 103

 Virtualisation: a journey from your data-centre
 to some cloudy ones, some mixing it up in the
 middle (hybrid)

» Cloud (IaaS) Security
  » Do you trust the providers?
  » Do you trust what you’re putting out there?


 Principles: Architectural Transparency;
 Understand the journey of your VMs
Meta-Virtualisation


Meta = describes; is made up of; constituent parts…

Meta-Virtualise – Describe the containers,
relationships, requirements and boundaries between
VMs

•   security requirements, compliance goals
•   minimum performance levels, SLAs
•   their relationship to the environment (the VI)
The Virtual Machine
     (Amoeba)




             VM 1.0

             Independent;
             Basic environmental awareness

             “enough to survive”
Enhanced VMs




         VM 2.0

         Increased controls

         Improved environmental
         awareness

         Still operating independently
VMs in a Petri Dish


            VM 3.0

            Collaborating
            Groups

            Expanded META
            boundary

            e.g., VMware vAPP
Meta Groups
[Diagram labels: DMZ, Intranet, Research]
Tenant Meta
[Diagram labels: DMZ, Intranet, Research]
Multi Tenant Meta
[Diagram labels: Coca-Cola, Pepsi, ACME Corp. Infrastructure Cloud]
Meta-Virtualisation
» Meta defines the principles where VMs
  operate
» Meta follows where things move
» Enforcing Meta across the converged stack,
  mesh, and into clouds is a challenge


  Think “Admission Control” – in your DC
  or a Cloud Provider
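
The "admission control" idea above, as an added example (not from the original slides): a VM carries a meta descriptor, and every placement or move is checked against it. The `Meta` and `Host` fields, the rule set and the sample hosts are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Meta:
    """Hypothetical 'meta' descriptor that travels with a VM (or vApp-style group)."""
    name: str
    tenant: str
    zone: str                              # security domain: "DMZ", "Intranet", ...
    compliance: frozenset = frozenset()    # goals the target must demonstrate
    min_cpu_mhz: int = 0                   # minimum performance level (SLA)


@dataclass
class Host:
    """Placement target: a host or cluster in your DC or at a cloud provider."""
    name: str
    attested: frozenset        # compliance regimes this target can demonstrate
    free_cpu_mhz: int
    zone_controls: bool        # controls exist to separate security domains here
    tenant_controls: bool      # controls exist to separate tenants here
    residents: list = field(default_factory=list)


def admit(meta, host):
    """Return the list of meta violations; an empty list means 'admit'."""
    violations = []
    missing = meta.compliance - host.attested
    if missing:
        violations.append("compliance not demonstrated: " + ", ".join(sorted(missing)))
    if host.free_cpu_mhz < meta.min_cpu_mhz:
        violations.append("SLA: needs %d MHz, %d free" % (meta.min_cpu_mhz, host.free_cpu_mhz))
    for other in host.residents:
        if other.zone != meta.zone and not host.zone_controls:
            violations.append("mixes %s with %s (%s) without controls"
                              % (meta.zone, other.zone, other.name))
        if other.tenant != meta.tenant and not host.tenant_controls:
            violations.append("mixes tenant %s with %s (%s) without controls"
                              % (meta.tenant, other.tenant, other.name))
    return violations


def place(meta, host):
    """Place the VM only if the target admits it; return any violations."""
    violations = admit(meta, host)
    if not violations:
        host.residents.append(meta)
        host.free_cpu_mhz -= meta.min_cpu_mhz
    return violations


def migrate(meta, src, dst):
    """Meta follows the VM: the destination must admit it before the source lets go."""
    violations = place(meta, dst)
    if not violations:
        src.residents.remove(meta)
        src.free_cpu_mhz += meta.min_cpu_mhz
    return violations


if __name__ == "__main__":
    # Constructed sample environment: one in-house cluster, one provider pool.
    dc = Host("dc-cluster-1", frozenset({"PCI-DSS"}), 8000, False, False)
    cloud = Host("provider-pool-a", frozenset(), 16000, True, True)
    db = Meta("db01", "acme", "Intranet", frozenset({"PCI-DSS"}), 2000)
    web = Meta("web01", "acme", "DMZ", frozenset(), 1000)

    print(place(db, dc))            # admitted
    print(place(web, dc))           # refused: DMZ next to Intranet, no controls
    print(place(web, cloud))        # admitted: provider pool has zone controls
    print(migrate(db, dc, cloud))   # refused: provider cannot demonstrate PCI-DSS
```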
Vendor Reference Architecture




» Secure Multi Tenancy
The Abstract
» Can PCI compliance be reached in a virtual world? Is it even safe to virtualise my DMZ?
Virtualising Your DMZ

» Philosophical Debate

» Can & should you host your DMZ VMs on
  the same host/partition/environment as
  your other VMs?

Vendor Reference Architectures aplenty; but
what does the security community say?
Virtualising Your DMZ

“Last week VMware achieved the status of
being the ONLY hypervisor (vSphere 4.0)
accredited to run Impact Level 3/Restricted
VMs and Unclassified/Internet facing virtual
machines on the same host/cluster.”


» http://www.cesg.gov.uk/news/docs_pdfs/cesg-vmware_joint-statement14-09-11.pdf
Virtualising PCI-DSS

» PCI DSS v2.0 – Virtualisation Special
  Interest Group (SIG) … formed late 2008

» PCI DSS Virtualisation Guidelines released
  June 2011
The Abstract
» … concluding with a look into the future at emerging technologies and virtualisation standards that may help those in pursuit of the ultimate secure virtual world.
Microsoft Virtualisation

»   Hyper-V “Open Source Promise”
»   Hyper-V … Cisco 1000V
»   Hyper-V Trusted Computing Base (TCB)
»   Hyper-V Security Best Practices Podcast



            HyperV <> Azure
           Convergence (IaaS)
Emerging Technologies

» Cloud Connectivity & Portability
  »   VMware’s vCloud Connector
  »   vCloud Service Providers
  »   Long Distance VMotion / VXLAN / OTV
  »   Microsoft SCVMM 2012
  »   OpenStack
  »   Meta-virtualisation: support for & building upon
Emerging Technologies

» IaaS Cloud Encryption
  » Virtual machines in transit
  » Virtual machines runtime
  » Customer holds the keys


» TXT/TPM Integrations
  » Trusted execution technology
  » Trusted platform module
  » Hypervisor & cloud stack talking the TXT lingo…
Emerging Trends

           Standards Based Clouds


» Demonstrating compliance across the
  provider’s Infrastructure Mesh
  » e.g., FISMA Certified Clouds


» Open Portability between cloud types
  » e.g., Azure <> vCloud <> OpenStack ???
Case Study: Los Alamos National
Laboratory www.lanl.gov

» Security research institution responsible for
  American nuclear deterrence

» Achieved
   » NIST Certification and Accreditation
   » Authority to operate as FISMA moderate with
     VMware vCloud


» Secure Multi-Tenancy (META-Virtual)
» Reference Architecture forthcoming…?
What does Uncle Sam Say?
Questions
kim.wisniewski@empired.com
     www.empired.com
