Virtualization and Cloud Computing

Academic year: 2022

(1)

Guillermo Macias

CIP Security Auditor, Sr.

Virtualization and Cloud Computing

“Security is a Process, not a Product”

(2)

Virtualization

Purpose of Presentation:

To inform entities about the importance of assessing the benefits and risks related to the incorporation of virtualization and cloud computing.

To provide guidance for entities on assessing and incorporating virtualization and cloud computing into production and test environments.

To assist entities with information about developing and maintaining a detailed documentation set that demonstrates how virtualization is implemented.

What are auditors looking for?

A logical approach and plan toward compliance.

Practical steps toward compliance that can be demonstrated.

Verification for how the entity mapped its Information Technology (IT) security controls to the Critical Infrastructure Protection (CIP) Standards.

(3)

Virtualization – continued

What is virtualization?

“… virtualization is a framework or methodology of dividing the resources of a computer into multiple execution environments, by applying one or more concepts or technologies such as hardware and software partitioning, time-sharing, partial or complete machine simulation, emulation, quality of service, and many others.”

Source: http://www.kernelthread.com/publications/virtualization/

(4)

Virtualization - continued

Why are companies moving into virtualization?

Reason and benefit:

Server Consolidation: Savings in hardware, environmental costs, management, and administration.

Legacy Applications: Ability to run legacy applications that will not run on newer hardware and/or OS.

Build Secure Computing Platforms: Provides secure, isolated sandboxes to run untrusted applications.

Create Operating Systems: Resource limits and guarantees.

Simulate Hardware and Hardware Configuration: The illusion of running multiple processors and the ability to simulate networks of independent computers.

Task Management: System migration, backup, and recovery.

(5)

Virtualization – continued

Four main areas where virtualization is implemented

Server-Based

Network-Based

Virtual Desktop Infrastructure (VDI)

Storage-Based

(6)

Virtualization – continued

Defining Some Terms:

Host: Virtualization platform running hypervisor software.

Hypervisor Software: A central program used to manage virtual machines (guests) within a simulated environment (host).

Common host platforms: VMware ESXi, Microsoft Hyper-V, Citrix XenServer, Red Hat KVM, and others.

Computer resources such as Random Access Memory (RAM), processors (CPUs), and storage are emulated through the host environment.

(7)

The Hypervisor

Primary component of a server virtualization platform.

Often referred to as the virtual machine monitor (VMM).

Central nervous system within a virtual infrastructure.

Manages the host’s underlying hardware resources and handles all guest-initiated operating system (OS) and application requests for CPU, memory, I/O, and disk resources.

(8)

Virtualization

Defining Some Terms:

Virtual guest, virtual machine (VM), or guest system: A VM is a group of files that represents a hardware-based computing platform, complete with storage, memory, and configuration components.

(9)

Server Virtualization

Virtual Host: a physical server with a virtualization layer.

Virtual Machine: each guest OS running on the host.

Diagram: Physical Layer; Virtualization Layer (The Hypervisor); Virtual Machines (Virtual OS and Apps), each running its own OS and application.

(10)

Storage-Based Virtualization

Combines multiple storage devices into what appears to be a single storage unit.

Storage virtualization helps perform tasks like backup, archiving, and recovery in less time.

Storage virtualization can be implemented using software and hardware hybrid appliances.

Must adhere to the CIP Standards.

Verify technical and procedural controls all the way down to the LUN (Logical Unit Number) of the Storage Area Network (SAN).

(11)

Server Virtualization

Diagram: Traditional Servers (MES Server on Windows 2003, ERP Server on Windows 2008, SCADA Server on Linux) compared with a Virtualized Server, where the same three servers run as virtual machines on a single Hypervisor.

(12)

Virtualization – VDI

Virtual Desktop Infrastructure (VDI) consists of virtualizing desktops into images that run on centralized hypervisor platforms.

Similar to server virtualization, but there are many differences in how the images are created, managed, and in some cases, secured.

VDI desktops can be accessed in a number of ways. The most common access methods are standard Remote Desktop Protocol (RDP) services.

(13)

Benefits of VDI

Operational improvements and cost savings.

Bring your own device (BYOD)

Employees bring their own laptops and other computing devices to work.

VDI can help accomplish this because the operating system, applications, and data access can be controlled by central policies and security technologies within VDI images, while a company-controlled client can be installed on the employee's device to permit access.

(14)

Benefits of VDI – continued

Security

VDI can reduce the cost of compliance and security for desktops.

VDI supports centralized policy control, ephemeral (short-term) desktop images, and granular and manageable change and configuration management tools and processes.

Fighting malware and responding to desktop-related incidents can be easier because all of the infrastructure is centrally located and controlled.

Virtual machines can be easily deleted and created.

(15)

VDI Challenges

Operational Issues

Bandwidth: When a large number of users need to access desktop images simultaneously, the amount of bandwidth consumed can be significant.

Power: A large number of desktop images in use simultaneously could lead to major power spikes and an increase in overall consumption.

(16)

Network-Based Virtualization

Hypervisors can provide networking capabilities that allow individual guest OSs to communicate with one another while limiting access to the external physical network.

The network interfaces that the guest OSs see may be virtual, physical, or both.

(17)

Network-Based Virtualization – continued

Network Bridging

The guest OS is given direct access to the host’s network interface cards (NIC) independent of the host OS.

Network Address Translation (NAT)

The guest OS is given a virtual NIC that is connected to a simulated NAT inside the hypervisor. As in a traditional NAT, all outbound network traffic is sent through the virtual NIC to the host OS for forwarding, usually to a physical NIC in the host system.

Host Only Networking

The guest OS is given a virtual NIC that does not directly route to a physical NIC. In this scenario, guest OSs can be configured to communicate with one another and, potentially, with the host OS.

(18)

Network Virtualization Technologies

Virtual Switching Systems (VSS)

Virtual Switches (VSwitch)

Virtual Private Network (VPN)

Virtual Storage Area Network (VSAN)

Virtual Routing and Forwarding (VRF)

Virtual Local Area Networks (VLAN)

Virtual Port Channels (VPC)

Virtual Device Context (VDC)

(19)

Network Virtualization

Device Clustering

Allows multiple physical devices to be combined into a larger logical device.

Combines two physical switches into a single logical switch (e.g., VSS series).

The main benefit of clustering techniques is that they allow systems to scale beyond the size of a single system, while the complexity of the overall system design does not increase.

(20)

Virtualization and CIP

All CIP Standards Apply!

Virtual Networks need to be just as secure as Physical Networks.

(21)

Virtualization and CIP – continued

VMs should be treated no differently than physical machines and all CIP Standards apply:

CIP version 3:

Identification: CIP-002

Least Privilege Access: CIP-003

Change Control/Configuration Management: CIP-003

Personnel and Training: CIP-004

Segregation (ESP): CIP-005

Physical Security: CIP-006

Testing, Security Patching, and Malicious Software Prevention: CIP-007

Proper Disposal/Redeployment: CIP-007

Incident Response: CIP-008

Recovery Plans: CIP-009

CIP version 5: The same as CIP version 3, including CIP-010-1 and CIP-011-1.

(22)

Virtualization and CIP Questions

CIP-002

Is the Hypervisor hosting Critical Cyber Asset (CCA) VMs? If the answer is yes, then the Hypervisor is a CCA too.

Since the host OS interacts with the guest OS via the Hypervisor, the Hypervisor is in scope.

ALL VM Cyber Assets on the Hypervisor, including non-CCAs, should be considered in scope of the CIP Standards.

CIP-003

Do you have authorized administrators managing the Hypervisor and VMs in scope?

CIP-004

Does the administrator have specialized virtualization security training?

CIP-005

Creating on-the-fly virtualized environments may cause security risks to the ESP.

(23)

Virtualization and CIP Questions – continued

CIP-005 (Continued)

Does every virtualized CCA reside within an ESP?

VMs that are functioning as an Access Control and Monitoring System.

Virtual IDSs

Do any hosts or VMs connect to corporate (non-ESP) networks?

How is remote management performed for the Host and VMs?

CIP-006

Are the Hypervisor and the VMs located within the Physical Security Perimeter?

CIP-007

Are all security patches/upgrades for the Hypervisor and VMs assessed for applicability?

(24)

Virtualization and CIP Questions – continued

CIP-007 (Continued)

How is the process of testing VMs different from physical cyber assets?

How is a complex password implemented on image snapshots?

Verify security of those images.

Automated tools are required to monitor VM logs.

CIP-008

Make sure VMs follow the same rules as physical machines.

How does the Incident Response Plan apply to virtualization?

Retention of evidence (images).

Forensic purposes (images can be preserved).

CIP-009

Backing up and restoring the Hypervisor, host OS, and guest OS.

(25)

Virtualization

Threats to a Virtualized Environment

(26)

Threats to a Virtualized Environment

Teams must evaluate and assess:

Vulnerabilities that may exist in the technology.

Threats to the environment that could exploit those vulnerabilities.

The potential impact of security events.

(27)

Threats to a Virtualized Environment – continued

Operational Threats:

VM sprawl: Virtual machines can be deployed in seconds, making it easy to create unapproved VMs (for example, short-term testing systems).

VMs created on-the-fly might not be patched, updated, or configured properly.

Lack of visibility into virtual environments: Many virtual network environments are not monitored adequately.

Many virtual networks have quite a bit of internal traffic that is not being monitored adequately by external security and network tools.
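The scoping questions on the CIP-002 slide (a Hypervisor hosting a CCA VM is itself a CCA, and every VM on it is in scope), the CIP-005 question about hosts or VMs connecting to corporate networks, and the VM sprawl threat above can all be run as one automated inventory check against a hypervisor export. The following is an added example, not part of the presentation; the inventory records, the approved asset register, and the network names are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    host: str            # hypervisor the VM runs on
    is_cca: bool         # classified as a Critical Cyber Asset
    networks: list = field(default_factory=list)  # port groups the vNICs attach to


# Constructed sample inventory, shaped like a hypervisor API export (illustration only).
INVENTORY = [
    VM("scada-hmi-01", "esx-ot-1", True, ["ESP-SCADA"]),
    VM("historian-01", "esx-ot-1", True, ["ESP-SCADA", "CORP-LAN"]),  # dual-homed CCA
    VM("test-win7-tmp", "esx-ot-1", False, ["ESP-SCADA"]),           # on-the-fly test VM
    VM("erp-app-02", "esx-it-3", False, ["CORP-LAN"]),
]
# Constructed asset register (what the entity has documented) and ESP network names.
APPROVED = {"scada-hmi-01", "historian-01", "erp-app-02"}
ESP_NETWORKS = {"ESP-SCADA"}


def unapproved_vms(inventory, approved=APPROVED):
    """VM sprawl: VMs running on hypervisors that are absent from the asset register."""
    return sorted(vm.name for vm in inventory if vm.name not in approved)


def in_scope_hosts(inventory):
    """CIP-002: a hypervisor hosting any CCA VM is itself a CCA, and every VM
    on it (CCA or not) is in scope of the CIP Standards."""
    cca_hosts = {vm.host for vm in inventory if vm.is_cca}
    return {h: sorted(vm.name for vm in inventory if vm.host == h)
            for h in sorted(cca_hosts)}


def esp_violations(inventory, esp=ESP_NETWORKS):
    """CIP-005: CCA VMs with a vNIC attached to a non-ESP (corporate) network."""
    return sorted((vm.name, net) for vm in inventory if vm.is_cca
                  for net in vm.networks if net not in esp)


if __name__ == "__main__":
    print("Unapproved VMs (sprawl):", unapproved_vms(INVENTORY))
    for host, vms in in_scope_hosts(INVENTORY).items():
        print(f"Hypervisor {host} is a CCA; in-scope VMs: {vms}")
    for name, net in esp_violations(INVENTORY):
        print(f"CCA VM {name} has a vNIC on non-ESP network {net}")
```

Running the same three functions on a real export (and on the host's own management interfaces) gives the auditor the documented answer the CIP-002 and CIP-005 questions ask for.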

(28)

Threats to a Virtualized Environment – continued

Operational Threats - continued

Separation of duties not maintained: Separation of duties for people managing systems, networks, and applications in a virtual environment is often lacking.

Different teams may not understand how they should manage their parts of the virtual infrastructure.

Granting unilateral access to any one group could be a big security risk.

(29)

Virtualization

Change and configuration management is a key area to focus on for virtualized organizations.

Configuration details

Network settings

Security-specific settings

(30)

Malware-Based Threats

VM-Aware Malware: Various strains and versions of bots, worms, rootkits, and other malicious code formats are capable of determining whether they are running on a physical or virtual host by looking at memory and hardware attributes, memory locations, and process and function behavior.

(31)

VM Escape Threat

VM Escape: Malicious code runs within a VM and is able to “break out” onto the underlying host.

In a VM escape, trust zones are violated, access controls are circumvented, and the confidentiality and integrity of Elastic Sky X (ESX) hosts is suspect as soon as it happens.

Directory Traversal Attack

Vmchat

Vmcat

VM Drag-n-Sploit

VMftp

(32)

Virtualization Challenges

Adapting Anti-malware Tools for Hosts and Guests

Two primary concerns for anti-malware protection include host scanning and guest scanning.

The main issues are performance impacts and integrity problems that result from scanning particular virtualization-specific file structures such as virtual machine disk (VMDK) files in VMware environments.

(33)

Cloud Computing


(34)

Cloud Computing

“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” (NIST, 2010).

In the simplest of terms, cloud computing is basically internet-based computing.

(35)

Cloud Benefits

Pay as you go (Utility Computing Systems).

On-demand self-service.

Shared resources.

Focus on business rather than IT.

Elasticity: scale up and down based on business need.

Cloud computing introduces a level of abstraction between the physical infrastructure and the owner of the information being stored and processed.

The large variety of devices that can connect to the internet, such as PDAs, mobile phones, and handheld and static devices, has expanded the number of ways the cloud can be accessed.

What about the Service Level Agreement (SLA)?

(36)

Cloud Models

Deployment Models

Public cloud

Private cloud

Hybrid cloud

Community cloud

Service Models

IaaS (Infrastructure as a Service)

PaaS (Platform as a Service)

SaaS (Software as a Service)

(37)

Cloud Models – Service Models

Diagram: examples of what the service models (IaaS, PaaS, SaaS) deliver: OS, Hardware, Storage, Network, Database Management, Developer Studios, Groupware, Web Hosting, Operating System, Enterprise Resources, E-Commerce, Knowledge Management, Accounting Systems, and Office Automation.

(38)

Risks, Threats, and Vulnerabilities

Diagram: risks, threats, and vulnerabilities are divided into Non-Cloud Specific and Cloud Specific, and classified as Organization, Technical, Legal, and Other.

(39)

Risks, Threats, and Vulnerabilities – continued

Organization Risk: Loss of business reputation due to co-tenant activities (the tenants sharing the same resource), and any organizational change that can happen to the cloud provider (as a business organization), including provider failure, termination, or acquisition.

Technical Risk: The technical risk classification includes problems or failures associated with the services or technologies contracted from the cloud service provider.

Legal Risk: Issues that surround data being exchanged across multiple countries that have different laws and regulations concerning data traversal, protection requirements, and privacy laws. Examples of such risks include, but are not limited to, risks resulting from possible changes of jurisdiction and the liability or obligation of the vendor in case of loss of data and/or business interruption.

Other: Data Leakage on Upload/Download: When data is transferred across the cloud unencrypted, it is subject to traffic sniffing, spoofing, and man-in-the-middle attacks, amongst others.

(40)

Cloud Computing and CIP

CIP-002: Identification of CAs, CCAs, EACMS and PCS

CIP-003: Access Control Management

CIP-004: Information Protection Program, cloud computing training and PRAs

CIP-005: Design and protection of the Electronic Security Perimeter

CIP-006: Design and protection of the Physical Security Perimeter

CIP-007: Security patches/upgrades on cloud servers assessed for applicability

CIP-008: How does the Incident Response Plan apply to cloud computing?

CIP-009: Backing up and restoring Critical Cyber Assets

(41)

Questions

(42)

Virtualization and Cloud Computing

References:

http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx

Information Resources Management Association, USA. Grid and Cloud Computing. 2012. Safari Online Books, 2013. http://safaribooksonline.com/

Shackleford, Dave. Virtualization Security: Protecting Virtualized Environments. 2012. Safari Online Books, 2013. http://safaribooksonline.com/

Tiso, John. Designing Cisco Network Service Architectures. 2011. Safari Online Books, 2013. http://safaribooksonline.com/
