1) It controls and logs privileged user access across physical and virtual environments to ensure accountability.
2) It enforces fine-grained authorization and prevents unauthorized access to sensitive resources.
3) It provides centralized auditing and reporting of all privileged user activities for compliance monitoring.
2. What do these numbers represent in security?
• $124 – Average cost of a security breach, per compromised record (2010), with negligence the main cause — CA-sponsored survey
• 48% – Percent of all breaches that involved privileged user misuse — Verizon report, 2010
• 87% – Percentage of companies that have experienced a data breach — IT Compliance Institute
• 74% – Percentage of breached companies who lost customers as a result of the breach — IT Compliance Institute
3. NIST Special Publication (SP) 800-125: Guide to Security for Full Virtualization Technologies
Recommendations of the National Institute of Standards and Technology
Tim Grance and Murugiah Souppaya, Computer Scientists in the Computer Security Division
These slides and the webinar recording will be made available at: <URL>
4. Disclaimer
Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST, nor does it imply that the products mentioned are necessarily the best available for the purpose.
5. Agenda
• What is SP 800-125
• Why virtualization
• Full virtualization
• Security concerns
• Recommendations for security for full virtualization technologies
• Summary
• Questions and answers
• Resources
6. SP 800-125
• Full virtualization technologies
• Server and desktop virtualization
• Security threats
• Security recommendations for protecting full virtualization
7. Why Virtualization?
• Reduce hardware footprint
• More efficiency
• Reduce energy, operations, and maintenance costs, e.g., disaster recovery, dynamic workload, security benefits, etc.
• Consolidation
8. Forms of Virtualization
• Simulated environment
• Does not cover OS and application virtualization
• Full virtualization – CPU, storage, network, display, etc.
• Hypervisor and host OS
• Virtual Machine (VM) – Guest OS
– Isolated
– Encapsulated
– Portable
9. Full Virtualization
• Bare metal virtualization
• Hosted virtualization
• Server virtualization
• Desktop virtualization
10. Virtualization and Security Concerns
• Additional layers of technology
• Many systems on a physical system
• Sharing pool of resources
• Lack of visibility
• Dynamic environment
• May increase the attack surface
11. Recommendations for Security for Full Virtualization Technologies
• Risk based approach
• Secure all elements of a full virtualization solution and perform continuous monitoring
• Restrict and protect administrator access to the virtualization solution
• Ensure that the hypervisor is properly secured
• Carefully plan the security for a full virtualization solution before installing, configuring, and deploying it
12. Summary of Threats and Countermeasures
• Intra-guest vulnerabilities
– Hypervisor partitioning
• Lack of visibility in the guest OS
– Hypervisor instrumentation and monitoring
• Hypervisor management
– Protect management interface, patch management, secure configuration
• Virtual workload security
– Management of the guest OS, applications, data protection, patch management, secure configuration, etc.
• Virtualized infrastructure exposure
– Manage access control to the hardware, hypervisors, network, storage, etc.
14. Resources
• Presidential Memorandum, June 10, 2010, Disposing of Unneeded Federal Real Estate, is available on the following Web page: http://www.whitehouse.gov/the-press-office/presidential-memorandum-disposing-unneeded-federal-real-estate
• NIST publications that provide information and guidance on planning, implementing and managing information system security and protecting information include:
– Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems
– NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
– NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations
– NIST SP 800-61 Revision 1, Computer Security Incident Handling Guide
– NIST SP 800-64 Revision 2, Security Considerations in the System Development Life Cycle
– NIST SP 800-88, Guidelines for Media Sanitization
– NIST SP 800-115, Technical Guide to Information Security Testing and Assessment
– NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
• For information about these NIST standards and guidelines, as well as other security-related publications, see NIST’s Web page: http://csrc.nist.gov/publications/index.html
15. Speakers
• Todd Neilson, CISSP, VP, Sr. Advisor – Security, CA
• Hemma Prafullchandra, CTO/SVP Products, HyTrust
• Chris Boswell, CISA, CISM, CISSP, CGEIT, Sr Principal, CA
16. Virtualization Security vs Compliance
Compliance: the state of being in accordance with established guidelines, specifications or legislation, or the process of becoming so.
[Diagram: Compliance (?) alongside Security (NIST 800-125)]
Do you know?
• Whether your organization has security guidelines defined for its virtual environment?
• Which regulations your organization is subject to?
• Whether your virtualization efforts will be subject to regulatory scrutiny?
• Whether your security baselines for your virtual environment incorporate your regulatory obligations?
17. Traditional Horizontal Controls Rationalization
CSA Cloud Control Matrix IS-08: Normal and privileged user access to applications, systems, databases, network configurations, and sensitive data and functions shall be restricted and approved by management prior to access granted.
NIST 800-125 Security Recommendation: Restrict and protect administrator access to the virtualization solution.
Mapped controls:
• NIST 800-53 (AC-3, AC-5, AC-6, IA-2, IA-4, IA-5, IA-8, MA-5, PS-6, SA-7, SI-9)
• COBIT 4.1 DS5.4
• CIP-003-3 R5.1.1 - R5.3; CIP-004-3 R2.3; CIP-007-3 R5.1 - R5.1.2
• 45 CFR 164.308 (a)(3)(i); 45 CFR 164.308 (a)(3)(ii)(A); 45 CFR 164.308 (a)(4)(i); 45 CFR 164.308 (a)(4)(ii)(B); 45 CFR 164.308 (a)(4)(ii)(C); 45 CFR 164.312 (a)(1)
• PCI DSS 2.0 (7.1, 7.1.1, 7.1.2, 7.1.3, 7.2.1, 7.2.2, 8.5.1, 12.5.4)
Source: https://cloudsecurityalliance.org/research/ccm/
Other Source: www.unifiedcompliance.com
18. Vertical Controls Rationalization using 800-53 with Overlay Frameworks
• NIST 800-53: Recommended Security Controls for Federal Information Systems
• FedRamp: Subset of 800-53 controls tailored to provide a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services
• DoD: Mapped their DoDi 8500.2 controls used to secure defense systems to NIST 800-53
• DHHS: Created a set of Acceptable Risk Safeguards based on 800-53 controls to secure electronic protected health information
• IRS: Issued a special publication 1075 which outlines a subset of 800-53 controls that need to be implemented for those systems processing Federal Taxpayer Information.
Did you know? The Initial Public Draft of 800-53 Revision 4 encourages agencies with specific security needs to develop their own security “overlays” based on controls within NIST 800-53.
19. Compliance Impact Moving to the Cloud
[based on applicable FedRamp controls mapped to NIST 800-53 Rev 4]
800-53 Security Control Family – # Controls:
• Access Control (AC) – 17
• Awareness & Training (AT) – 4
• Audit and Accountability (AU) – 12
• Security Assessment and Authorization (CA) – 6
• Configuration Management (CM) – 9
• Contingency Planning (CP) – 9
• Identification and Authentication (IA) – 8
• Incident Response (IR) – 8
• Maintenance (MA) – 6
• Media Protection (MP) – 6
• Physical and Environmental Protection (PE) – 18
• Planning (PL) – 5
• Personnel Security (PS) – 8
• Risk Assessment (RA) – 4
• System and Services Acquisition (SA) – 12
• System and Communications Protection (SC) – 24
• System and Information Integrity (SI) – 12
[Chart: IMPACT (High / Medium / Low) by control family: PL, IR, PS, MP, CP, SI, RA, CM, CA, MA, AU, IA, SC, AT, SA, PE, AC]
21. Recap Core Security & Compliance Capabilities in Virtual Environments
• Provides account vaulting, two-factor authentication and fine-grained authorization for privileged user access within the hypervisor
• Dynamic isolation of multi-tenant environments through automated orchestration with vShield policies
• Provides seamless auditing of user activities across both guest and host environments
• Provides host configuration hardening and continuous monitoring and assessment
22. ControlMinder with HyTrust Fills Critical Virtualization Platform Access Gaps
Virtualization Platform Gap → ControlMinder with HyTrust Solution
• Multiple administrators can log into guests and hosts anonymously by sharing a privileged account → Uses password vaulting (check-in/out) to ensure admins are individually accountable
• An admin can bypass vCenter access controls and logging by connecting directly to hosts → Controls and logs access via any connection method, creating accountability
• An admin can access another organization’s virtualized workloads in multi-tenant environments → Ensures that admins can only access their own organization’s data and applications, enabling secure multi-tenancy
• Platform allows access via default password or compromised admin password → Prevents use of default passwords and supports multi-factor authentication to stop unauthorized access
• A current or terminated admin can connect to the platform undetected using a backdoor account → Controls and logs access to every admin account, preventing major security breaches
23. ControlMinder with HyTrust Fills Critical Virtualization Platform Authorization Gaps
Virtualization Platform Gap → ControlMinder with HyTrust Solution
• An administrator can shut down any virtualized application or switch → Protects business continuity by controlling what resources an admin can manage
• An admin can create unapproved VMs, with negative operations or compliance impacts → Prevents damaging outcomes by controlling VM creation privileges
• An admin can disable security such as virtualized firewalls and antivirus → Preserves security by blocking unapproved shutdowns of virtual security measures
• An admin can copy sensitive data from a VM to external storage → Keeps sensitive data confidential by applying controls to virtual resources
• An admin can replace a critical VM with a compromised copy while leaving no tracks → Exposes tampering by creating a permanent, unchangeable record of every operation
• An admin can move a low trust virtualized workload to a high trust server or virtual subnet, and vice versa → Mitigates security and compliance risks by preventing mixing of trust levels
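The authorization gaps on this slide all come down to one design rule: deny by default, then grant narrowly by role, tenant and trust label. The following is an added illustration of that rule, not code from the deck or from the ControlMinder/HyTrust product; the role names, operation names and trust labels are constructed for the example, and the four checks (role grant, tenant boundary, protected security appliances, no trust-level mixing on migration) correspond one-to-one to rows of the table.

```python
"""Added illustration of role-scoped, deny-by-default authorization for
virtualization-admin operations, modelled on the gaps in the table above.
Example code only, not ControlMinder/HyTrust logic; all role names,
operations and labels are constructed (assumptions)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    org: str                         # owning tenant
    trust: str                       # "low" or "high"
    security_appliance: bool = False  # virtual firewall, AV scanner, ...


@dataclass(frozen=True)
class Host:
    name: str
    org: str
    trust: str


@dataclass(frozen=True)
class Admin:
    name: str
    org: str
    roles: frozenset


# Constructed role grants. Anything not listed is denied, so operations such as
# export_disk (copying a VM disk to external storage) need an explicit grant
# before any admin can perform them.
ROLE_OPS = {
    "vm-operator": frozenset({"power_off", "snapshot"}),
    "vm-provisioner": frozenset({"create_vm", "migrate"}),
    "security-admin": frozenset({"power_off", "disable_security"}),
}


def authorize(admin, op, vm=None, target_host=None):
    """Return (allowed, reason). Deny unless every applicable rule passes."""
    # 1. Some role must grant the operation (least privilege; this is what
    #    limits VM creation and shutdown to the admins meant to do it).
    if not any(op in ROLE_OPS.get(role, frozenset()) for role in admin.roles):
        return False, f"{admin.name}: no role grants {op}"
    # 2. Tenant boundary: admins only touch their own organization's resources.
    for res in (vm, target_host):
        if res is not None and res.org != admin.org:
            return False, f"{admin.name}: cross-tenant access to {res.name} ({res.org})"
    # 3. Security appliances may only be stopped or disabled by security-admin.
    if (vm is not None and vm.security_appliance
            and op in ("power_off", "disable_security")
            and "security-admin" not in admin.roles):
        return False, f"{vm.name} is a security appliance; {op} reserved for security-admin"
    # 4. Migrations must not mix trust levels in either direction.
    if op == "migrate":
        if vm is None or target_host is None:
            return False, "migrate needs both a VM and a target host"
        if vm.trust != target_host.trust:
            return False, (f"trust mismatch: {vm.name} is {vm.trust}, "
                           f"{target_host.name} is {target_host.trust}")
    return True, "allowed"


def demo():
    """Evaluate a few constructed requests; returns the allow/deny decisions."""
    alice = Admin("alice", "org-a", frozenset({"vm-operator"}))
    bob = Admin("bob", "org-b", frozenset({"vm-provisioner"}))
    web = VM("web01", "org-a", "low")
    fw = VM("vfw01", "org-a", "high", security_appliance=True)
    db = VM("db01", "org-b", "high")
    high_host = Host("esx-high", "org-b", "high")
    low_host = Host("esx-low", "org-b", "low")
    return [
        authorize(alice, "power_off", vm=web)[0],                    # True
        authorize(alice, "power_off", vm=fw)[0],                     # False: security appliance
        authorize(alice, "create_vm")[0],                            # False: role lacks grant
        authorize(alice, "power_off", vm=db)[0],                     # False: cross-tenant
        authorize(bob, "migrate", vm=db, target_host=high_host)[0],  # True: same trust level
        authorize(bob, "migrate", vm=db, target_host=low_host)[0],   # False: trust mixing
        authorize(bob, "export_disk", vm=db)[0],                     # False: no role grants it
    ]


if __name__ == "__main__":
    print(demo())
```

The ordering of the checks matters less than the fact that every path returns a reason string: the "permanent, unchangeable record" row of the table only helps if each deny and allow decision is logged with why it was made, so the reason is returned alongside the decision rather than discarded.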
24. ControlMinder with HyTrust Fills Critical Virtualization Platform Monitoring Gaps
Virtualization Platform Gap → ControlMinder with HyTrust Solution
• Separate log files for vCenter, each host and guest must be collected and aggregated for complete monitoring. → Consolidated, centrally managed logs covering all aspects of your virtual environment.
• Failed or blocked authorization attempts are not captured and recorded in audit logs. → Captures all activity within the virtual infrastructure, not just authorized, successful transactions.
• Native configuration management capabilities do not promote ongoing compliance monitoring for hypervisor configuration drift. → Automated assessment and remediation capabilities enable continuous compliance monitoring of hypervisor configuration settings against industry standard or custom-configured security templates.
• Native platform log entries may lack sufficient detail to support operational and security activities. → Audit records contain greater detail needed for compliance and internal audit needs.
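The monitoring gaps on this slide, and the access gaps from slide 22 (shared privileged accounts, direct-to-host connections that bypass vCenter), are all things a defender can check once the vCenter, host and guest logs are in one place. The following is an added example of that consolidation and of the detections it enables; it is not code from the deck or from either vendor. The log lines and their field layout are constructed for the example, as are the hardening template keys used for the configuration-drift check.

```python
"""Added example: consolidate audit events from vCenter, hosts and guests into
one stream and run the detections the slide's gaps call for. All log lines,
field names and template keys below are constructed (assumptions), not real
product output."""
import re
from collections import defaultdict

# Constructed sample events from three sources, normalised to one layout:
#   <source> <timestamp> user=<u> src=<ip> via=<vcenter|direct> action=<a> result=<ok|denied|fail>
SAMPLE_LOGS = """\
vcenter 2024-05-01T08:00:01Z user=root src=10.0.0.5 via=vcenter action=login result=ok
host-esx01 2024-05-01T08:02:10Z user=root src=10.0.0.7 via=direct action=login result=ok
host-esx01 2024-05-01T08:02:30Z user=root src=10.0.0.7 via=direct action=config_change result=ok
guest-web01 2024-05-01T08:05:00Z user=alice src=10.0.0.9 via=vcenter action=login result=fail
guest-web01 2024-05-01T08:05:04Z user=alice src=10.0.0.9 via=vcenter action=login result=fail
guest-web01 2024-05-01T08:05:08Z user=alice src=10.0.0.9 via=vcenter action=login result=fail
vcenter 2024-05-01T08:10:00Z user=bob src=10.0.0.11 via=vcenter action=vm_delete result=denied
"""

LINE_RE = re.compile(
    r"^(?P<source>\S+) (?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"via=(?P<via>\S+) action=(?P<action>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Parse the consolidated stream; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def events_by_source(events):
    """Confirm every source (vCenter, each host, each guest) is actually feeding the store."""
    counts = defaultdict(int)
    for e in events:
        counts[e["source"]] += 1
    return dict(counts)


def find_shared_account_use(events, shared_accounts=("root", "administrator")):
    """Accountability gap: a shared privileged account logged in from more than one source address."""
    sources = defaultdict(set)
    for e in events:
        if e["user"] in shared_accounts and e["action"] == "login" and e["result"] == "ok":
            sources[e["user"]].add(e["src"])
    return {u: sorted(s) for u, s in sources.items() if len(s) > 1}


def find_direct_host_access(events):
    """Bypass of vCenter access controls: sessions opened directly on a host."""
    return [e for e in events
            if e["source"].startswith("host-") and e["via"] == "direct" and e["action"] == "login"]


def find_failed_auth_bursts(events, threshold=3):
    """Failed attempts belong in the audit trail; flag repeated failures per (user, source)."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] == "login" and e["result"] == "fail":
            counts[(e["user"], e["src"])] += 1
    return {k: n for k, n in counts.items() if n >= threshold}


def find_denied_operations(events):
    """Blocked (denied) operations, which native logs may omit, as (user, action) pairs."""
    return [(e["user"], e["action"]) for e in events if e["result"] == "denied"]


# Constructed hypervisor hardening template (keys are assumptions, not a vendor baseline).
HARDENING_TEMPLATE = {
    "ssh_enabled": "false",
    "lockdown_mode": "normal",
    "syslog_remote": "true",
    "ntp_enabled": "true",
}


def config_drift(current, template=HARDENING_TEMPLATE):
    """Return {setting: (current, expected)} for every drifted or missing setting."""
    return {k: (current.get(k), v) for k, v in template.items() if current.get(k) != v}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    print(events_by_source(evs))
    print(find_shared_account_use(evs))
    print(find_direct_host_access(evs))
    print(find_failed_auth_bursts(evs))
    print(find_denied_operations(evs))
    print(config_drift({"ssh_enabled": "true", "lockdown_mode": "normal", "syslog_remote": "true"}))
```

Treating a missing template key as drift (rather than silently passing) is deliberate: a host that never reports a setting is exactly the case the "lack of visibility" concern on slide 10 describes, and it should surface in the same report as a wrong value.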
25. Complete solution for both physical and virtual environments
CA ControlMinder with HyTrust is actually only one component within a broader suite of solutions in the ControlMinder family which provides comprehensive access controls across both physical and virtual infrastructures.
[Diagram: Privileged User Risk Management layer comprising Host Access Control (AC), CA ControlMinder with HyTrust, Central UNIX, Privileged User Password Management (PUPM), Session Recording, and Audit and Reporting (CA User Activity Reporting Module); environment covered: UNIX/Linux servers, Windows servers, virtual servers, databases, network, applications]
27. Single solution provides best coverage
CA ControlMinder—Premium Edition
1. Privileged User Password Manager
— Control access to shared accounts
— Authorization workflow including “break glass”
— Accountability of shared account access
— Manage application passwords
— Windows services/scheduled tasks
2. Access Control
— Server security (physical/virtual)
— Manage fine-grained access
— Centralized policy management across disparate systems
— Segregation of duty
— Auditing privileged access
3. UNIX Authentication Broker (UNAB)
— Centralized UNIX administration
— Active Directory (AD) authentication
— Native integration with AD
— Kerberos-based Single Sign-On
4. Session Recording and User Activity Reporting
— Centrally managed audit logs across physical and virtual environments
— Privileged user access reporting
— Unix keystroke logging
— Full session recording integration
28. Questions You Should Be Asking Today
• Do you allow shared privileged access to your sensitive servers? How do you account for privileged users’ actions?
• Can your system administrators access sensitive data on the servers? Do you have controls to prevent/log that?
• Can you trace administrative action back to administrative users? Have you had system down incidents where you needed to do so?
• Do you have any controls in place to prevent shared account access on your sensitive servers?
• What server operating systems do you have deployed? How do you manage security across them?
• How do you provide evidence of compliance?
29. Benefits to you
• Rapidly achieve business agility: Leverage elastic service levels, and flexible cloud deployment options and hybrid coverage.
• Reduce risk and improve compliance: Protect your critical assets across physical, virtual, and cloud environments.
• Accelerate new business services: Deploy new services more quickly and securely. Retain customers and engage with business partners.