Phone: 650-681-8100 / email: [email protected] 1975 W. El Camino Real, Suite 203, Mountain View, CA 94040
Secure and Scale Your Virtual Infrastructure While Meeting Compliance Mandates
Tim Grance, Senior Computer Scientist, NIST
Sushant Rao, Product Management Director, HyTrust
Curtis Salinas, Systems Engineer, HyTrust
* NIST SP 800-125: Guide to Security for Full Virtualization Technologies
** PCI-DSS 2.0 Information Supplement – Virtualization Security
*** Neil MacDonald, vice president and Gartner fellow
• “Enforce least privilege and separation of duties”
• “It is critical that independent monitoring of all activities be enforced”
• “Require multi-factor authentication for all administrative functions.”
• “Administrative access to the hypervisor/VMM layer must be tightly controlled”
• “Restrict and protect administrator access to the virtualization solution.”
• “Secure each management interface”
• “Monitor and analyze logs at all layers of the virtualization infrastructure”
Secures the administration of the hypervisor & virtual infrastructure:
• Enforces consistent access and authorization policies covering all access methods
• Provides complete visibility into and control over who accesses the infrastructure, the integrity of the infrastructure, and the validity of the changes requested.
HyTrust’s Unique Role in Virtual Infrastructure Security
HyTrust is a key "go to" partner for vSphere security and compliance
HyTrust is part of CA Access Control for Virtual Environments
HyTrust is the platform security solution - access control and auditing - for vBlock
HyTrust reporting and controls being integrated with Symantec CCS
HyTrust is part of Intel's trusted cloud architecture based on TXT
HyTrust event reporting and TXT integration being integrated with McAfee ePO
HyTrust provides native integration with SecurID and enVision
HyTrust provides combined reporting with Trend's Deep Security product
Admin compliance and controls essential for mission critical workloads
Capabilities not available from the virtual infrastructure
• Granular, audit-quality administration logs
• Granular, consistent privileged user and VM control policies
• Multi-tenancy logical segmentation
NIST Special Publication (SP) 800-125
Guide To Security for Full Virtualization Technologies
Recommendations of the National Institute of Standards and Technology
Tim Grance, Senior Computer Scientist in the Computer Security Division
Disclaimer
Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.
Agenda
• What is SP 800-125
• Why virtualization
• Full virtualization
• Security concerns
• Recommendations for Security for full virtualization technologies
• Summary
• Questions and answers
• Resources
SP 800-125
• Full Virtualization technologies
• Server and desktop virtualization
• Security threats
• Security recommendations for protecting full virtualization
Why Virtualization?
• Reduce hardware footprint
• More efficiency
• Reduce energy, operations, and maintenance costs, e.g., disaster recovery, dynamic workload, security benefits, etc.
• Consolidation
Forms of Virtualization
• Simulated environment
• Does not cover OS and application virtualization
• Full virtualization – CPU, storage, network, display, etc.
• Hypervisor and host OS
• Virtual Machine (VM) – Guest OS
  • Isolated
  • Encapsulated
  • Portable
Full Virtualization
• Bare metal virtualization
• Hosted virtualization
• Server virtualization
• Desktop virtualization
Virtualization and Security Concerns
• Additional layers of technology
• Many systems on a physical system
• Sharing pool of resources
• Lack of visibility
• Dynamic environment
• May increase the attack surface
Recommendations for Security for Full Virtualization Technologies
• Risk based approach
• Secure all elements of a full virtualization solution and perform continuous monitoring
• Restrict and protect administrator access to the virtualization solution
• Ensure that the hypervisor is properly secured
• Carefully plan the security for a full virtualization solution before

• Virtual workload security
  • Management of the guest OS, applications, data protection, patch management, secure configuration, etc.
• Virtualized infrastructure exposure
  • Manage access control to the hardware, hypervisors, network, storage, etc.
Resources
Presidential Memorandum, June 10, 2010, Disposing of Unneeded Federal Real Estate, is available on the following Web page: http://www.whitehouse.gov/the-press-office/presidential-memorandum-disposing-unneeded-federal-real-estate
NIST publications that provide information and guidance on planning, implementing and managing information system security and protecting information include:
• Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems
• NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations
• NIST SP 800-61 Revision 1, Computer Security Incident Handling Guide
• NIST SP 800-64 Revision 2, Security Considerations in the System Development Life Cycle
• NIST SP 800-88, Guidelines for Media Sanitization
• NIST SP 800-115, Technical Guide to Information Security Testing and Assessment
• NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
For information about these NIST standards and guidelines, as well as other security-related publications, see NIST’s Web page http://csrc.nist.gov/publications/index.html
none
• Separate log files for vCenter and each host server
• Different log formats for vCenter vs. hosts
HyTrust
All of the above, plus:
• User ID
• Source IP address
• Resource reconfigured
• Previous resource state
• New resource state
• Label (Production)
• Required privileges
• Evaluated rules/constraints

• User ID
• Date/time
• Source IP address
• Operation requested
• Operation denial
• Target resource name,