• No results found

managing the risks of virtualization

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "managing the risks of virtualization"

Copied!
30
0
0

Loading.... (view fulltext now)

Download now ( 30 Page )

Full text

(1)

managing the risks of virtualization

Chris Wraight CA Technologies 28 February 2011

(2)

Virtualization opens the door to a world of opportunities and well managed virtualization sets the course for

cloud. However, in order to get there, organizations must address various risks, including security, that virtualization brings. Some of the security risks are similar to the

physical server environment, but are compounded by virtualization technology. The speaker from CA

Technologies will discuss how keeping the risks in-check and extending security can make this migration fruitful, and pay off for IT.

abstract

(3)

virtualization continues to grow

3

1Gartner; “Q&A: Six Misconceptions About Server Virtualization”, Thomas J. Bittman; 29 July 2010

“By 2015, 40% of the

security controls

used within

enterprise data

centers will be

virtualized, up from

less than 5% in

2010.”

2

“There will be more

virtual machines

deployed on

servers during 2011

than in 2001

through 2009

combined

”!

(4)

Technology Overview

• Identity and Access Management Risks

• Mitigating the Risks

• Session summary

agenda

(5)

virtualization technology overview

Terms Used in this presentation:

• Virtualization “host” platform • “guest” OS VMs, partitions • Privileged partition (admin)

• Hypervisor

Virtualization Architectures:

Hosted - VMware Workstation,

Microsoft Virtual PC

• ‘Bare metal’

• Hypervisor-based – VMWare ESX, IBM LPAR, HP VPAR

(6)

Operating system-based virtualization.

• Virtualization is native to the host operating system

• Multiple isolated, virtual environment instances

• Shared OS kernel.

• Homogeneous OS guests

Example: Sun Solaris 10 Containers (Zones).

(7)

virtualization technology overview

(cont’d)

Hypervisor-based virtualization

• “Bare Metal”

• Embedded or implemented in the hosting OS kernel

• Each guest runs on discrete virtual hardware

• VMs may be referred to as partitions

Example: IBM AIX LPAR, HP-UX VPAR and VMware ESX Server.

(8)

• Technology Overview

Identity and Access Management Risks • Mitigating the Risks

• Session summary

(9)

• Each physical system becomes more critical

• A new level of administration is introduced

• Unstructured physical boundaries

• Unstructured time dimension

• Heterogeneous dynamic environments

how is virtualization different?

(10)

• Hypervisors expose high level of privileges

• Shared resources available to virtualization

• Each virtualized guest has its own hierarchy of privileged access which should be separate from infrastructure

• VM ‘sprawl’

• Structured and unstructured data on virtualized environments is unsecure

• No central authentication source

(11)

• Regulatory requirements still apply

• Auditing access and identities is difficult in virtualized environments

• Privileges in a virtualized environment not well defined

• Decentralized privileged user administration (incl. virtual environments)

(12)

• VM mobility beyond the server room

• VMs can be copied, or cloned

• Machine memory is accessible from the host

• Disk space can be accessed from storage • Challenging physical security

• Copying a VM = Stealing a server from the server room

• The virtual DC is distributed – Not a mainframe

unstructured physical boundaries

(13)

• What happens when we revert to prior snapshot?

Lose audit events

Lose configuration

Lose security policy

• Am I still compliant with my policy?

managing the 4th dimension - time

(14)

• Normal user

• Is identified

• Access is controlled • ‘root’ administrator

• Is anonymous

• Can bypass application security

• Can see and alter application data

• Can change system files

• Can change system configuration

• Can alter logs and erase records

the privileged user

14 Application Security OS Security Privileged User Customer Data Critical services Files & Logs

(15)

the virtualization privileged user

15

Privileged User

Virtualization makes the problem worse by introducing a new

(16)

• Data exposure

• Different business owners

• VMs can be copied exposing sensitive data

• Business continuity and availability - isolation is not enough!

• Halting critical VMs

• Tampering with configurations • Management and Control

• Administrators can deploy new VMs very easily

• Increases the chance for mistakes

• Improperly-configured VMs can be vulnerable

unrestricted privileged access

(17)

• Virtualization: Making the complex appear simple

• Configuration and change management

• Network management

• Storage management

• Capacity management

managing complexity

(18)

• Virtualization: Making the complex appear simple

• Configuration and Change Management

• Network Management

• Storage Management

• Capacity Management

• But what about security management?

• Heterogeneous VMs

• Highly-distributed

• Dynamically changing

• How do I manage the complexity?

managing complexity

(19)

• Each virtualization host becomes more important.

• One host running many VMs = Critical Infrastructure

• Critical infrastructure = Business impact

• Business impact = Compliance requirements

• Compliance requirements mandate additional controls!

audit, audit, audit!

(20)

• Virtualization audit issues haven't yet been flagged

• What will drive priorities?

• Education

• Compliance and regulatory pressures are expected to increase

• Public exposure

• Will require adjusted controls for separation of management, and control

compliance and audit

(21)

• Technology Overview

• Identity and Access Management Risks

Mitigating the Risks • Session summary

(22)

best practices: segregate duties - restrict

admins

Segregate Administration • System • Virtualization • Audit

Restrict access to logs

Restrict access to virtualization resources

• Deny sys admins

(23)

full privileged user management

23

• Restrict privileged access

• Ensure accountability

• Restrict access to logs

• Restrict access to

virtualization resources

Privileged User

(24)

• Enforce the policy across all VMs and virtualization platform

Centralization - Do not rely on local policies

• Enforce policy change control

• Manage deviations from the policy

• Report on policy compliance

central access policy management

(25)

• Monitor the virtualization platform

• Monitor administrative activity (including impersonation)

• Monitor all access to virtualization resources

• Centralize audit logs

• Notify on significant events

• Integrate with SIEM systems

complete and secure auditing

(26)

• Technology Overview

• Identity and Access Management Risks

• Mitigating the Risks

Session summary

(27)

• Security and control are the number one inhibitors to virtualization/cloud adoption by the enterprise

• Automation is an imperative

• Security will become a cloud differentiator

• The IT roles are reversing

conclusions

(28)

• Be aware of the security implications

• Physical boundaries are changing

• The definition of time is changing

• An additional administration layer is introduced

• The virtualization host is critical infrastructure

• Organizations should prepare now for increasing audit scrutiny

• Demand visibility and control

• Privileged user access management

• Consistent security policies

• Complete and secure auditing

apply

(29)
(30)

thank you

Chris Wraight

chris.wraight@ca.com +1 508 628 8134

References

Download now ( PDF - 30 Page - 1.53 MB )

Related documents

Selection Tournaments, Sabotage, and Participation

The e¤ect is most pronounced if the production function is linear in sabotage, and the cost function depends only on the sum of all sabo- tage activities: in an interior

APT Privileged Account Exploitation

managing all privileged accounts with a comprehensive privileged account security solution eliminates the cloak of anonymity inherent in privileged and shared accounts, providing

Securing Data in Oracle Database 12c

| Apps Users Advanced Security Data Redaction Data Masking TDE Database Vault Privilege Analysis Database Vault Privileged User Controls|.

Cost-effectiveness of robotic surgery for rectal cancer focusing on short-term outcomes: a propensity score-matching analysis

These results suggest that the postoperative course of the patients who underwent RS might be milder than after LS in cases in which complications developed, whereas the post-

Copyright 2015 EMC Corporation. All rights reserved. 1

Users Data Application Middleware OS Virtualization Hardware Network Middleware Middleware OS OS Virtualization Hardware Network On-Premises SaaS Virtualization Hardware

Securing the Journey to the Private Cloud. Dominique Dessy RSA, the Security Division of EMC

Information-centric security, risk-driven policies, IT and security operations alignment, information compliance Visibility into virtualization infrastructure, privileged

USG6300 Next-Generation Firewall

• Virtualization: The USG6300 supports virtualization of multiple security services, such as firewall, intrusion prevention, antivirus, and VPN services and implements

2015-F01-V1. Factsheet INTERNAL. Subject: QBS Hosting Services DIVIDE TASKS, DOUBLE SUCCESS!

QBS Partner Managed Hosting is the easiest and most affordable way to move your Microsoft Dynamics NAV ERP clients onto the Azure platform whilst taking advantage of extending