VIRTUALIZATION
The benefits of virtualization are well known, including multi-tenancy, better server utilization, and data center consolidation. Cloud providers can achieve higher density, which translates to better margins, and enterprises can use virtualization to shrink capital expenditure on server hardware as well as increase operational efficiency.
However, virtualization brings with it all the security concerns of the operating system running as a guest, together with new security concerns about the hypervisor layer, as well as new virtualization specific threats, inter-VM (Virtual Machine) attacks and blind spots, performance concerns arising from CPU and memory used for security, and operational complexity from “VM sprawl” as a security inhibitor. New problems like instant-on gaps, data comingling, the difficulty of encrypting virtual machine images, and residual data destruction are coming into focus.
Overview: While there are several forms of virtualization, by far the most common is the virtualized operating system, and that is the focus for this domain. This domain covers these virtualization-related security issues:
1) Virtual machine guest hardening
2) Hypervisor security
3) Inter-VM attacks and blind spots
4) Performance concerns
5) Operational complexity from VM sprawl
6) Instant-on gaps
7) Virtual machine encryption
8) Data comingling
9) Virtual machine data destruction
10) Virtual machine image tampering
11) In-motion virtual machines
13.1 Hypervisor Architecture Concerns
13.1.1 VM Guest Hardening
Proper hardening and protection of a virtual machine instance, including firewall (inbound/outbound), HIPS, web application protection, antivirus, file integrity monitoring, and log monitoring, can be delivered via software in each guest or using an inline virtual machine combined with hypervisor-based APIs.
13.1.2 Hypervisor Security
13.1.3 Inter-VM Attacks and Blind Spots
13.1.4 Performance Concerns
13.1.5 Operational Complexity from VM Sprawl
The ease with which VMs can be provisioned has led to an increase in the number of requests for VMs in typical enterprises. This creates a larger attack surface and increases the odds of a misconfiguration or operator error opening a security hole. Policy-based management and use of a virtualization management framework are critical.
13.1.6 Instant-On Gaps
The ease with which a virtual machine can be stopped or started, combined with the speed at which threats change, creates a situation where a virtual machine can be securely configured when it is turned off, but by the time it is started again, threats have evolved, leaving the machine vulnerable. Best practices include network-based security and “virtual patching” that inspects traffic for known attacks before it can get to a newly provisioned or newly started VM. It is also possible to enforce NAC (Network Access Control)-like capabilities to isolate stale VMs until their rules and pattern files are updated and a scan has been run.
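The NAC-like gate described above, written as an added example (not code from the guidance): a freshly powered-on guest is quarantined until its pattern files match the current version and a scan newer than its dormancy has completed. The thresholds, field names and sample guests are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy thresholds (assumptions, not values from the guidance).
MAX_DORMANCY = timedelta(days=1)   # off longer than this counts as a stale VM
MAX_SCAN_AGE = timedelta(days=7)   # a completed scan must be at least this recent

@dataclass
class GuestState:
    name: str
    powered_off_at: datetime   # when the guest was last shut down
    pattern_version: str       # AV/IPS pattern file version inside the guest
    last_scan_at: datetime     # last completed on-demand scan

def admission_check(vm: GuestState, now: datetime, current_pattern: str):
    """NAC-style gate for a guest that has just been powered on.
    Returns ("allow", []) or ("quarantine", [reason, ...]); a quarantined guest
    stays on an isolated segment until patterns are updated and a scan has run."""
    reasons = []
    dormant = now - vm.powered_off_at
    if vm.pattern_version != current_pattern:
        reasons.append(f"pattern file {vm.pattern_version} behind current {current_pattern}")
    if now - vm.last_scan_at > MAX_SCAN_AGE:
        reasons.append(f"last scan is {(now - vm.last_scan_at).days} days old")
    # A scan done before a long dormancy ran against patterns that are now stale.
    if dormant > MAX_DORMANCY and vm.last_scan_at < vm.powered_off_at:
        reasons.append(f"scan predates {dormant.days} days of dormancy")
    return ("quarantine", reasons) if reasons else ("allow", [])

def gate_fleet(vms, now, current_pattern):
    """Evaluate every newly started guest; returns {name: (decision, reasons)}."""
    return {vm.name: admission_check(vm, now, current_pattern) for vm in vms}

# Constructed sample: three guests powered on at the same moment.
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)
CURRENT_PATTERN = "2024.03.10"
SAMPLE = [
    GuestState("web-1", datetime(2024, 3, 10, 10, 0, tzinfo=timezone.utc), "2024.03.10",
               datetime(2024, 3, 10, 9, 0, tzinfo=timezone.utc)),   # off 2h, current
    GuestState("batch-7", datetime(2024, 2, 1, tzinfo=timezone.utc), "2024.01.30",
               datetime(2024, 1, 31, tzinfo=timezone.utc)),          # dormant 38 days
    GuestState("kiosk-3", datetime(2024, 2, 1, tzinfo=timezone.utc), "2024.03.10",
               datetime(2024, 3, 9, tzinfo=timezone.utc)),           # patched at rest
]

if __name__ == "__main__":
    for name, (decision, reasons) in gate_fleet(SAMPLE, NOW, CURRENT_PATTERN).items():
        print(name, decision, "; ".join(reasons))
```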
13.1.7 VM Encryption
Virtual machine images are vulnerable to theft or modification when they are dormant or running. The solution to this problem is to encrypt virtual machine images at all times, but there are performance concerns at this time. For high security or regulated environments, the performance cost is worth it. Encryption must be combined with administrative controls, DLP, and audit trails to prevent a snapshot of a running VM from “escaping into the wild,” which would give the attacker access to the data in the VM snapshot.
13.1.8 Data Comingling
There is concern that different classes of data (or VMs hosting different classes of data) may be intermixed on the same physical machine. In PCI terms, we refer to this as a mixed-mode deployment. We recommend using a combination of VLANs, firewalls, and IDS/IPS 139 to ensure VM isolation as a mechanism for supporting mixed-mode deployments. We also recommend using data categorization and policy-based management (e.g., DLP) to prevent such intermixing. In cloud computing environments, all tenants in the multi-tenant virtual environment could potentially share the lowest common denominator of security.
139 IDS - Intrusion Detection Systems; IPS- Intrusion Prevention Systems
13.1.11 In-Motion VM
The unique ability to move virtual machines from one physical server to another creates complexity for audits and security monitoring. In many cases, virtual machines can be relocated to another physical server (regardless of geographic location) without creating an alert or trackable audit trail.
13.2 Recommendations
B) Implementers should consider a zoned approach with production environments separate from test/development and highly sensitive data/workloads.
C) Implementers should consider performance when testing and installing virtual machine security tools, as performance varies widely. Virtualization-aware server and network security tools are also important to consider.
D) Customers should evaluate, negotiate, and refine the licensing agreements with major vendors in virtualized environments.
E) Implementers should secure each virtualized OS by using hardening software in each guest instance or use an inline virtual machine combined with hypervisor-based APIs.
F) Virtualized operating systems should be augmented by built-in security measures, leveraging third party security technology to provide layered security controls and reduce dependency on the platform provider alone.
G) Implementers should ensure that secure by default configurations follow or exceed available industry baselines.
H) Implementers should encrypt virtual machine images when not in use.
I) Implementers should explore the efficacy and feasibility of segregating VMs and creating security zones by type of usage (e.g., desktop vs. server), production stage (e.g., development, production, and testing), and sensitivity of data on separate physical hardware components such as servers, storage, etc.
J) Implementers should make sure that the security vulnerability assessment tools or services cover the virtualization technologies used.
K) Implementers should consider implementing automated data discovery and labeling solutions (e.g., DLP) organization-wide to augment the data classification and control between virtual machines and environments.
L) Implementers should consider patching virtual machine images at rest or protecting newly spun-up virtual machines until they can be patched.
M) Implementers should understand which security controls are in place external to the VMs to protect administrative interfaces (web-based, APIs, etc.) exposed to the customers.
13.3 Requirements
2) Implementers must update the security policy to reflect the new security challenges of virtualization.
3) Implementers must encrypt data accessed by virtual machines using policy-based key servers that store the keys separately from the virtual machine and the data.
4) Customers must be aware of multi-tenancy situations with their VMs where regulatory concerns may warrant segregation.
5) Users must validate the pedigree and integrity of any VM image or template originating from any third party, or better yet, create their own VM instances.
6) Virtualized operating systems must include firewall (inbound/outbound), Host Intrusion Prevention System (HIPS) 141, Network Intrusion Prevention System (NIPS) 142, web application protection, antivirus, file integrity monitoring, and log monitoring, etc. Security countermeasures can be delivered via software in each guest virtual instance or by using an inline virtual machine combined with hypervisor-based APIs.
7) Providers must clean any backup and failover systems when deleting and wiping the VM images.
8) Providers must have a reporting mechanism in place that provides evidence of isolation and raises alerts if there is a breach of isolation.
141 HIPS - Host Intrusion Prevention System
142 NIPS - Network Intrusion Prevention System
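The isolation evidence and breach alerting called for in requirement 8, applied to the data comingling and zoning concerns of 13.1.8 and recommendation B, as an added example that is not part of the guidance: it walks a placement inventory and flags hosts that mix production with test/development, different tenants sharing a VLAN, and regulated workloads co-located with another tenant. The inventory fields and sample VMs are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Vm:
    name: str
    host: str         # physical server the VM currently runs on
    tenant: str
    zone: str         # "production", "test" or "development"
    vlan: int
    regulated: bool   # e.g. holds cardholder data (PCI scope)

def isolation_report(vms):
    """Return (evidence, alerts).
    evidence maps host -> sorted (tenant, zone) pairs present on it, which is the
    per-host isolation evidence an auditor can review; alerts lists breaches."""
    by_host = defaultdict(list)
    for vm in vms:
        by_host[vm.host].append(vm)
    evidence, alerts = {}, []
    for host, group in sorted(by_host.items()):
        evidence[host] = sorted({(v.tenant, v.zone) for v in group})
        zones = {v.zone for v in group}
        # Zoned approach: production must not share hardware with test/development.
        if "production" in zones and zones - {"production"}:
            alerts.append(f"{host}: production co-located with {sorted(zones - {'production'})}")
        for a in group:
            for b in group:
                if a.name < b.name and a.tenant != b.tenant:   # each pair once
                    # Mixed-mode deployment relies on VLANs for tenant separation.
                    if a.vlan == b.vlan:
                        alerts.append(f"{host}: {a.name} and {b.name} of different tenants share VLAN {a.vlan}")
                    # Regulatory concern: regulated data next to another tenant.
                    if a.regulated or b.regulated:
                        alerts.append(f"{host}: regulated workload shares host with other tenant ({a.name}, {b.name})")
    return evidence, alerts

# Constructed sample inventory (hosts esx01-esx03, tenants acme/globex/initech).
SAMPLE = [
    Vm("web-prod-1", "esx01", "acme", "production", 100, False),
    Vm("db-prod-1", "esx01", "acme", "production", 100, True),
    Vm("ci-dev-1", "esx01", "acme", "development", 100, False),  # prod/dev mix
    Vm("app-1", "esx02", "acme", "production", 100, False),
    Vm("app-2", "esx02", "globex", "production", 100, False),    # shared VLAN
    Vm("app-3", "esx03", "globex", "production", 200, False),
    Vm("pay-1", "esx03", "initech", "production", 300, True),    # regulated co-located
]

if __name__ == "__main__":
    evidence, alerts = isolation_report(SAMPLE)
    for host, pairs in evidence.items():
        print(host, pairs)
    for alert in alerts:
        print("ALERT:", alert)
```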