isaca 2011 trends in virtual security v1.0
ISACA Perth: 2011 Annual Conference
Trends in Virtual Security (Balance Virtual Risk with Reward)
Kim Wisniewski – Senior Consultant, Empired Ltd.
» Virtualisation has come a long way in the past ten years. We are looking
beyond the pure consolidation benefits of server virtualisation, into a
future of cloud computing and infrastructure-as-a-service. No longer can
we see the data-centre that our virtual machines are running in, the safety
cord is broken. This opens the door to a plethora of new security
considerations that security professionals need to be aware of to remain
competitive.
» This presentation looks at the current state of virtualisation asking the
following questions: What should IT professionals consider when selling,
designing or auditing a virtual infrastructure? Are there any security
benefits with virtualisation? How can we safely deploy our virtual
machines in the cloud? Can PCI compliance be reached in a virtual
world? Is it even safe to virtualise my DMZ?
» The presentation will look at these objectives within the context of the
common virtualisation platforms on the market today, concluding with a
look into the future at emerging technologies and virtualisation standards
that may help those in pursuit of the ultimate secure virtual world.
The Abstract
» Boundaryless Information™ (III-RM)
» Integrated Information Infrastructure Reference
Model
» Ref: TOGAF 9
Boundaryless IT
The Next Step:
Boundaryless Technology Infrastructure
Infrastructure Mesh
Stack Convergence
Meta-Virtualise
Cloud
Legacy (old school)
siloed infrastructure
Virtual Infrastructure
What does Uncle Sam Say?
» Hypervisors have bugs and vulnerabilities too
» Physical isolation/separation principles are gone
» Scoping the Infra. Mesh Audit will be tricky…
In my opinion…
» The Management Constructs
associated with virtualisation / cloud
platforms…. The biggest risks
» Your mgmt. tools and users
» …& how much is exposed to them…
Some Top Virtual Risks
» Prebuilt VMs/appliances containing malicious code
» Improperly configured hypervisor
» Improperly configured virtual firewalls or networking
» Data leakage through templates/clones
» Administrative or operational error
» Mixing security domains without controls
» Lax hypervisor patching
» Lack of understanding of security principles across
the entire stack
A lack of process & architecture in the beginning?
» It all starts with good PARENTING
» Physical Security
» Storage Security
» Network Security
» Converged Security (e.g., blades)
» Hypervisor security
» Guest security
» Hypervisor relationship to its guests
» Aggregates – clusters, pools, groups, etc.
» Management Centres
Virtual Architecture 101
Principles: Isolation, Separation
» Management Layer Security
» Virtual Centres, SCVMMs, Remote Consoles
» Admin Model
» Management, Controls, Process
» Audit (self audit, independent audit, the more
the merrier…)
Virtual Architecture 102
Principles: Role Based, Auditability,
Change Logging, treat the Hypervisor
as your engine room…
» “I cannot see any security or legal
benefits whatsoever related to cloud
computing…” (A. Lawyer)
» Some NEW possibilities
» Introspection APIs
» Deep collection & visibility
» Antivirus offload (agentless-AV)
» Meta-Virtual compliance
» Reporting / compliance tracking
» Compliance Toolkits
» Only SOME and SPECIFIC platforms
evaluated to EAL 4+ Common Criteria,
NIST, DISA STIG, US DoD, NSA CSS
etc…
Principles:
Build a solid foundation;
Use the vendor’s hardening guides;
& ISACA materials (auditors too)
Trust your own before anybody else's
» Cloud (IaaS) Security
» Do you trust the providers?
» Do you trust what you’re putting out there?
Virtual Architecture 103
Principles: Architectural Transparency;
Understand the journey of your VMs
Virtualisation: a journey from your data-centre
to some cloudy ones, some mixing it up in the
middle (hybrid)
Meta-Virtualisation
Meta = describes; is made up of; constituent parts…
Meta-Virtualise – Describe the containers,
relationships, requirements and boundaries between
VMs
• security requirements, compliance goals
• minimum performance levels, SLAs
• their relationship to the environment (the VI)
The Virtual Machine
(Amoeba)
VM 1.0
Independent;
Basic environmental awareness
“enough to survive”
Enhanced VMs
VM 2.0
Increased controls
Improved environmental
awareness
Still operating independently
VMs in a Petri Dish
VM 3.0
Collaborating
Groups
Expanded META
boundary
e.g., VMware vAPP
» Meta defines the principles where VMs
operate
» Meta follows where things move
» Enforcing Meta across the converged stack,
mesh, and into clouds is a challenge
Meta-Virtualisation
Think “Admission Control” – in your DC
or a Cloud Provider
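The "admission control" idea above, sketched as an added example that is not part of the original presentation: a meta descriptor travels with each VM, and a target (your own cluster or a provider pool) is checked against it before every placement. The names VmMeta, Target, admit and place, the field layout and the sample inventory are all hypothetical.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class VmMeta:
    # Hypothetical descriptor that travels with the VM wherever it moves.
    name: str
    domain: str                              # security domain, e.g. "dmz"
    compliance: frozenset = frozenset()      # goals the target must demonstrate
    min_mhz: int = 0                         # minimum performance level (SLA)
    may_share_with: frozenset = frozenset()  # domains allowed on the same target

@dataclass
class Target:
    # A host, cluster or provider pool; fields are constructed for the example.
    name: str
    attested: frozenset
    free_mhz: int
    residents: list = field(default_factory=list)

def admit(vm, target):
    """Return (allowed, reasons); any unmet requirement denies admission."""
    reasons = []
    missing = vm.compliance - target.attested
    if missing:
        reasons.append("target cannot demonstrate " + ", ".join(sorted(missing)))
    if target.free_mhz < vm.min_mhz:
        reasons.append("capacity below minimum performance level")
    for other in target.residents:
        if other.domain == vm.domain:
            continue
        # Mixing security domains needs consent in both descriptors.
        if other.domain not in vm.may_share_with or vm.domain not in other.may_share_with:
            reasons.append(f"domain {vm.domain} may not share with {other.name} ({other.domain})")
    return (not reasons, reasons)

def place(vm, target):
    """Admit-then-place, so the descriptor is re-checked on every move."""
    allowed, reasons = admit(vm, target)
    if allowed:
        target.residents.append(vm)
        target.free_mhz -= vm.min_mhz
    return allowed, reasons

# Constructed sample inventory.
db = VmMeta("db01", "internal", frozenset({"PCI-DSS"}), 2000)
web = VmMeta("web01", "dmz", frozenset(), 1000)
own_dc = Target("own-dc-cluster", frozenset({"PCI-DSS"}), 8000)
cloud = Target("provider-pool", frozenset(), 8000)

if __name__ == "__main__":
    for vm, tgt in [(db, own_dc), (web, own_dc), (db, cloud), (web, cloud)]:
        print(vm.name, "->", tgt.name, place(vm, tgt))
```

Because neither descriptor lists the other's domain in may_share_with, the DMZ VM is refused on the cluster that already hosts the internal VM; mixing domains has to be an explicit, recorded decision rather than a default.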
» Philosophical Debate
» Can & should you host your DMZ VMs on
the same host/partition/environment as
your other VMs?
Vendor Reference Architectures aplenty; but
what does the security community say?
Virtualising Your DMZ
“Last week VMware achieved the status of
being the ONLY hypervisor (vSphere 4.0)
accredited to run Impact Level 3/Restricted
VMs and Unclassified/Internet facing virtual
machines on the same host/cluster.”
» http://www.cesg.gov.uk/news/docs_pdfs/cesg-vmware_joint-statement14-09-11.pdf
Virtualising Your DMZ
» PCI DSS v2.0 – Virtualisation Special
Interest Group (SIG) … formed late 2008
» PCI DSS Virtualisation Guidelines released
June 2011
Virtualising PCI-DSS
Microsoft Virtualisation
» Hyper-V “Open Source Promise”
» Hyper-V … Cisco 1000V
» Hyper-V Trusted Computing Base (TCB)
» Hyper-V Security Best Practices Podcast
HyperV <> Azure
Convergence (IaaS)
» Cloud Connectivity & Portability
» VMware’s vCloud Connector
» vCloud Service Providers
» Long Distance VMotion / VXLAN / OTV
» Microsoft SCVMM 2012
» OpenStack
» Meta-virtualisation: support for & building upon
Emerging Technologies
» IaaS Cloud Encryption
» Virtual machines in transit
» Virtual machines runtime
» Customer holds the keys
» TXT/TPM Integrations
» Trusted execution technology
» Trusted platform module
» Hypervisor & cloud stack talking the TXT lingo…
Emerging Technologies
» Demonstrating compliance across the
provider’s Infrastructure Mesh
» e.g., FISMA Certified Clouds
» Open Portability between cloud types
» e.g., Azure <> vCloud <> OpenStack ???
Emerging Trends
Standards Based Clouds
Case Study: Los Alamos National
Laboratory www.lanl.gov
» Security research institution responsible for
American nuclear deterrence
» Achieved
» NIST Certification and Accreditation
» Authority to operate as FISMA moderate with
VMware vCloud
» Secure Multi-Tenancy (META-Virtual)
» Reference Architecture forthcoming…?
What does Uncle Sam Say?