
Based on ISO 27001 control A.12.6.1, timely information about technical vulnerabilities of the information systems in use should be obtained, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.

When there is no vulnerability management in place, the organization will not be aware of vulnerabilities in the applications or operating systems it uses. As a result patches

In a traditional environment, a regular vulnerability scan together with an inventory of servers (with detailed information about the operating system and installed software) is sufficient to identify vulnerable servers and apply the patches to the right machines.

In a virtualized environment this is much harder. Multiple copies of the same virtual machine can exist at different places in the network, and it may well be that one copy is running while the others are halted. When patches are applied in the traditional way, only the active virtual machine is patched.

In the risk assessment the following associated risk was identified:

Layer: Virtual machines

Risk: Insufficient vulnerability management

Risk description: Multiple copies of virtual machines can exist on the network and in different locations. Only one copy is running while the others are halted. The halted virtual machines do not get patched.

To mitigate this risk the patching procedure must be adapted to the following extent:

• The inventory must also indicate how many copies there are of a virtual machine and in what location these copies are stored. This also means that the duplication of virtual machines must be done along recorded guidelines.

• Each virtual machine must be started so that patches can be applied. This must be done in such a manner that running multiple copies of the same application or virtual machine does not interfere with the business. Alternatively, patch a master copy of the virtual machine and copy it to the required locations.

• After patching, the additionally started copies must be halted.
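The procedure above hinges on the inventory recording every copy of a virtual machine, not only the running one. The following script is an added example (not code from the paper or from any vendor) of the check an operator would run against such an inventory: it counts the copies of each virtual machine per location, reports every copy that is behind the required patch baseline together with its power state, and separately lists the halted copies whose patch set is smaller than that of the running copy of the same machine, which is exactly the case the text describes. The inventory, the virtual machine names and the patch identifiers ("KB-A", "RHSA-1" and so on) are constructed sample data, not real advisories.

```python
"""Patch-drift check across copies of a virtual machine (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VmCopy:
    vm: str            # logical virtual machine (one application image)
    copy_id: str       # identifier of this particular copy of the image
    location: str      # site or datastore where the copy is stored
    state: str         # "running" or "halted"
    os: str            # operating system family, used to look up the baseline
    patches: frozenset = field(default_factory=frozenset)  # patches present in this copy


# Required patch baseline per OS family. The identifiers are placeholders.
REQUIRED = {
    "win2003": frozenset({"KB-A", "KB-B", "KB-C"}),
    "rhel4": frozenset({"RHSA-1", "RHSA-2"}),
}

# Constructed sample inventory: three copies of "erp-app" in two locations and
# two copies of "web-fe". Only one copy of each machine is running.
INVENTORY = [
    VmCopy("erp-app", "erp-app-01", "dc-a", "running", "win2003", frozenset({"KB-A", "KB-B", "KB-C"})),
    VmCopy("erp-app", "erp-app-02", "dc-a", "halted", "win2003", frozenset({"KB-A", "KB-B"})),
    VmCopy("erp-app", "erp-app-03", "dc-b", "halted", "win2003", frozenset({"KB-A"})),
    VmCopy("web-fe", "web-fe-01", "dc-a", "running", "rhel4", frozenset({"RHSA-1", "RHSA-2"})),
    VmCopy("web-fe", "web-fe-02", "dc-b", "halted", "rhel4", frozenset({"RHSA-1", "RHSA-2"})),
]


def missing_patches(copy, required=REQUIRED):
    """Patches from the OS baseline that are not installed in this copy."""
    return sorted(required.get(copy.os, frozenset()) - copy.patches)


def copies_per_vm(inventory):
    """First step of the procedure: how many copies of each VM exist, and where."""
    counts = defaultdict(lambda: defaultdict(int))
    for c in inventory:
        counts[c.vm][c.location] += 1
    return {vm: dict(locs) for vm, locs in counts.items()}


def patch_drift(inventory, required=REQUIRED):
    """Copies behind the baseline, grouped by VM.

    A traditional scan only sees the running copies, so the power state is kept
    next to every finding: each "halted" entry is a machine the scan would miss.
    """
    report = defaultdict(list)
    for c in inventory:
        missing = missing_patches(c, required)
        if missing:
            report[c.vm].append((c.copy_id, c.location, c.state, missing))
    return dict(report)


def halted_behind_running(inventory):
    """Halted copies whose patch set is a strict subset of the running copy's.

    Assumes at most one running copy per VM; with several, the last one in the
    inventory is used as the reference.
    """
    running = {c.vm: c for c in inventory if c.state == "running"}
    findings = []
    for c in inventory:
        ref = running.get(c.vm)
        if c.state == "halted" and ref is not None and c.patches < ref.patches:
            findings.append((c.copy_id, c.location, sorted(ref.patches - c.patches)))
    return findings


if __name__ == "__main__":
    print("copies per VM:", copies_per_vm(INVENTORY))
    for vm, rows in patch_drift(INVENTORY).items():
        for copy_id, loc, state, missing in rows:
            print(f"{vm}: {copy_id} at {loc} ({state}) missing {missing}")
    print("halted copies behind their running copy:", halted_behind_running(INVENTORY))
```

Run against the sample inventory, the report shows that both halted copies of erp-app are behind the running copy while web-fe-02, although halted, is at the same level as web-fe-01; the patching round should therefore start erp-app-02 and erp-app-03 (or replace them with a patched master copy) and leave web-fe-02 alone.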

Another solution is to use third-party software that verifies on start-up whether the virtual machine is fully patched and, if not, applies the patches. An example of such software is VirtualShield from Bluelane. VirtualShield runs on VMware ESX Server and sits between the hypervisor and the virtual machines.

The patching procedure should cover not only the software inside the virtual machines but also the management console and the hypervisor, which can contain vulnerabilities for which the vendor has issued patches.

The hypervisor and management console must also be part of the vulnerability and patch management process.

5 Conclusion

In this paper I investigated the challenge that virtualization poses to the traditional IT controls. My question was: What changes in the IT control framework when the virtualization layer is introduced?

I selected four ISO 27001 controls for more detailed investigation. The controls remain usable, but adaptation is needed to tailor them to virtualization.

Separation of development, test and operational facilities

One of the business drivers for virtualization is "the ability for a company to combine all environments via virtualization on one piece of hardware". Contrary to that driver, I came to the conclusion that at least physical separation must exist between development/test and acceptance/production.

One sub research question was:

Can a Development, Test, Acceptance and Production (DTAP) environment be combined on the same hardware and to what extent?

Not all Development, Testing, Acceptance and Production environments can be combined on the same hardware.

Information labeling and handling

When deploying virtualization the CIA rating for the application should be considered in order to prevent deploying virtual machines to hardware with a lower rating.

One sub research question was:

Can virtual machines with different Confidentiality, Integrity and Availability ratings (CIA ratings) be combined on the same hardware and under what conditions?

Virtual machines with different CIA ratings can be combined on the same host system but only if the host system meets the CIA requirements of the most critical virtual machine.

Monitoring system use

Virtualization introduces traffic between virtual machines on the same host. This traffic is not seen by network intrusion detection systems or firewalls. The recommendations are to deploy virtualized security appliances, to deploy host-based firewalls, or to separate virtual machines that are not allowed to communicate onto different hosts.

Technical Vulnerability Management

Patch management must take into account that virtual machines may be halted and will therefore not be patched.

Overall

I think in general that with virtualization we are probably talking about the re-introduction of security techniques already well understood by the mainframe crowd (but never learned by the PC generation).

Virtualization in itself can be used for all environments, including production. However, a risk assessment should be conducted when defining the requirements, and additional controls should be implemented to mitigate the identified risks. The decision to accept residual risks depends on the risk appetite of the business, associated with the asset classification of the application involved.

The decision for a company to mitigate the risks is part of the old trade-off of cost versus efficiency and profit versus security. Still, I recommend keeping in mind that IT and security are business enablers.

6 Appendix A (used sources)

1. Formal requirements for virtualizable third generation architectures, Gerald J. Popek and Robert Philip Goldberg, Communications of the ACM, July 1974

2. A virtual machine directed approach to Trusted Computing, Haldar, Chandra and Franz, 2004

3. Hardware Support for Efficient Virtualization, Ogden

4. LPAR For Decision Makers, IBM, 2002

5. Logical Partition Security in the IBM pSeries, IBM, 2002

6. IBM System p Advanced POWER Virtualization Best Practices, IBM, 2006

7. sHype: Secure hypervisor approach to trusted virtualized systems, Sailer, Valdez, Jaeger, Perez, Van Doorn, Griffin and Berger, 2006

8. LPAR for Power4 Security Target, IBM, 2003

9. Linux on the Mainframe, Eisenhaendler, Mattheus and Salm, 2003

10. IBM eServer i5 and iSeries Logical Partitioning FAQs, Dave and Disckey, 2004

11. VMware ESX Server: Advanced Technical Design Guide, Oglesby and Herold

12. How to Secure VMware ESX, Bakman, 2006

13. An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments, Ormandy

14. Thwarting Virtual Machine Detection, Liston and Skoudis, 2006

15. Security Design of the VMware Infrastructure 3 Architecture, VMware

16. z/VM Virtualization Basics, Bitner, 2006

17. Memory Resource Management in VMware ESX Server, Waldspurger, http://www.usenix.org/events/osdi02/tech/waldspurger/waldspurger_html/esx-mem-html.html

18. Public Version of the Security Target for PR/SM for the IBM eServer zSeries z900 GA3 and z9800 EAL5 Certification, Common Criteria for Information Technology Security Evaluation, 2003

19. VMware Virtual Machine File System: Technical Overview and Best Practices, VMware, 2007

20. Analysis of the Intel Pentium's Ability to Support a Secure Virtual Machine Monitor, Irvine and Robin

21. z/VM Security and Integrity, IBM, 2005

22. Virtualisatie en IT-auditing (Virtualization and IT auditing), Monetro, 2007

23. Virtualization: the other side of the coin, Rutkowska, 2007

24. http://www.ibm.com

25. Breachable virtual machines?, http://www.c0t0d0s0.org/archives/3058-Breachable-virtual-machines.html

26. VMware Escape Publicized at SANSfire 2007, http://www.foolmoon.net/cgi-bin/blog/index.cgi?mode=viewone&blog=1185593255

27. Virtualisation could slash IT budgets, Gartner, 2004

28. Escaping From The Virtualization Cave, http://www.pauldotcom.com

29. Adam Nosfinger presentation: Operating System Virtualization

30. www.dell.com

31. www.microsoft.com

32. www.novell.com

33. Whatis.com

34. Wikipedia and Mann, Andi, Virtualization 101

35. A Survey on Virtualization Technologies, Susanta Nanda and Tzi-cker Chiueh

36. Schawab, Demystifying Virtualization, 2006

37. Marshall, Reynolds and McCrory, Advanced Server Virtualization, 2006

38. Van Veen, Heliview seminar, 2006

39. W. J. Armstrong, Advanced virtualization capabilities of POWER5 systems

40. Understanding Full Virtualization, Paravirtualization and Hardware Assist, VMware

7 Definitions

Virtualization allows you to run multiple applications and operating systems independently on a single server. [30]

Microsoft virtualization solutions enable IT managers to run multiple operating systems, applications and middleware on a single physical machine, allowing customers to cut cost and response time without sacrificing resources. [31]

Virtualization refers to the pooling of IT resources in a way that masks the physical nature and boundaries of those resources from resource users. In more concrete terms, virtualization is the decoupling of the software from the hardware. [32]

Virtualization is the creation of a virtual (rather than actual) version of something, such as an operating system, a server, a storage device or network resources. [33]

[Virtualization is] a technique for hiding the physical characteristics of computing resources from the way in which other systems, applications, or end users interact with those resources. This includes making a single physical resource (such as a server, an operating system, an application, or storage device) appear to function as multiple logical resources; or it can include making multiple physical resources (such as storage devices or servers) appear as a single logical resource. [34]

Virtualization is a technology that combines or divides computing resources to present one or many operating environments using methodologies like hardware and software partitioning or aggregation, partial or complete machine simulation, emulation, time-sharing, and many others. [35]

Virtualization, in computing, is the process of presenting a logical grouping or subset of computing resources so that they can be accessed by users or systems in ways which give benefits over the original configuration. This virtual view of the resources is not restricted or limited by implementation, geographic location or physical configuration of its underlying resources. This can include making a physical resource, such as a server, an Operating System (OS) or a storage device (Storage Area Network device), appear to function as multiple logical resources; or it can include making multiple physical resources, such as storage devices or servers, appear as a single logical resource. [36]

Virtualization is the creation of substitutes for real resources, that is, substitutes that have the same functions and external interfaces as their counterparts, but that differ in attributes, such as size, performance, and cost. These substitutes are called virtual resources, and their users are typically unaware of the substitution. [24]

[Virtualization] broadly describes the (beneficial) separation of a resource or service from the typical physical means of providing it. [29]

Virtualization technology is a way of making a physical computer function as if it were two or more computers, where each non-physical or "virtualized" computer is provided with the same basic architecture as that of a generic physical computer. [37]
