Virtualization Hardening - Cloud Security Alliance


Physical Devices, Cabling, etc.

Copyright © 2009 Cloud Security Alliance
www.cloudsecurityalliance.org


Hypervisors

Type 1 (runs directly on the hardware):
  Guest | Guest | Guest
  Hypervisor
  Hardware

Type 2 (runs on a host operating system):
  Guest | Guest | Guest
  Hypervisor
  Operating System
  Hardware


Shared Physical Resources


Virtualized Resources

– CPU
– Memory
– Disk
– Networking
– Video
– Randomness
– [...]


Virtual Machines / Guest OS

Typical steps:
– Minimization, patching, hardening, RBAC, least privilege, etc.
What about the virtual machine itself:
– Definitions and their storage? The new "physical"!
– Configuration opportunities (e.g., administrative networks)
Micro-virtualization
– The next frontier?


Micro-Virtualization


Management and Monitoring

Management
– Isolation of the control plane
– Authenticated and encrypted interaction with the control plane
– Management access control, role separation, etc.
Monitoring
– In the VM, in the hypervisor, on the network? It depends!
– Impact of encryption on monitoring
– Guest and management activity


Governance

IT issues
– IT architecture
– IT service management
Business issues
– Risk management
– Policy and regulatory compliance
– Export control, data handling requirements
– Applicability


Rethinking IT

Effective global business services

Standardization
• Secured golden images
• Well-defined processes
Configuration management
• CMDBs, modeling "truth"
Assembly / Distribution
• Build once, patch once, deploy everywhere
Automation
• Discourage "humans" inside virtual machines
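The "CMDB as truth" and "build once, patch once, deploy everywhere" points only pay off if something continuously compares the record against what the hypervisors are actually running. The script below is an added example written for this page, not code from the CSA deck: it reconciles a CMDB (VM name, expected host, digest of the approved golden image) against a hypervisor inventory and reports VMs nobody authorized, VMs whose base image differs from the golden one (a sign of a human patching inside the guest), VMs on the wrong host, and CMDB entries with no running instance. The record fields, the image digests and the inventory are constructed sample data, not any real CMDB schema or hypervisor API.

```python
"""Reconcile a CMDB ("truth") against the VMs actually running.

Added example, not from the CSA deck.  The record fields, digests and
inventory below are constructed; they do not follow any real CMDB schema.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class CmdbRecord:
    name: str
    host: str
    golden_image_sha256: str  # digest of the approved golden image


@dataclass(frozen=True)
class RunningVm:
    name: str
    host: str
    image_sha256: str  # digest of the base image this VM was deployed from


def golden_digest(image_bytes: bytes) -> str:
    """SHA-256 of a golden image; the CMDB pins this, not a mutable path."""
    return hashlib.sha256(image_bytes).hexdigest()


def reconcile(cmdb: list[CmdbRecord], running: list[RunningVm]) -> dict[str, list[str]]:
    """Classify every running VM against the CMDB.

    unauthorized: running but unknown to the CMDB (an unmanaged "hot spot")
    drifted:      known, but deployed from an image other than the golden one
    misplaced:    known, but running on a host the CMDB does not expect
    missing:      recorded in the CMDB but not running anywhere
    """
    by_name = {r.name: r for r in cmdb}
    report: dict[str, list[str]] = {"unauthorized": [], "drifted": [], "misplaced": [], "missing": []}
    seen: set[str] = set()
    for vm in running:
        rec = by_name.get(vm.name)
        if rec is None:
            report["unauthorized"].append(f"{vm.name}@{vm.host}")
            continue
        seen.add(vm.name)
        if vm.image_sha256 != rec.golden_image_sha256:
            report["drifted"].append(vm.name)
        if vm.host != rec.host:
            report["misplaced"].append(f"{vm.name}: expected {rec.host}, found {vm.host}")
    report["missing"] = sorted(set(by_name) - seen)
    return report


# Constructed sample: two approved images and a CMDB of three VMs.
GOLDEN_WEB = golden_digest(b"golden web image v3 (constructed)")
GOLDEN_DB = golden_digest(b"golden db image v7 (constructed)")

SAMPLE_CMDB = [
    CmdbRecord("web-01", "hv-a", GOLDEN_WEB),
    CmdbRecord("web-02", "hv-a", GOLDEN_WEB),
    CmdbRecord("db-01", "hv-b", GOLDEN_DB),
]

# Constructed inventory: web-02 was hot-fixed by hand (digest no longer
# matches), db-01 was migrated to an unexpected host, and "test-vm" was
# spun up outside the process entirely.
SAMPLE_RUNNING = [
    RunningVm("web-01", "hv-a", GOLDEN_WEB),
    RunningVm("web-02", "hv-a", golden_digest(b"web image v3 + manual hotfix")),
    RunningVm("db-01", "hv-c", GOLDEN_DB),
    RunningVm("test-vm", "hv-a", golden_digest(b"unknown image")),
]

if __name__ == "__main__":
    for kind, items in reconcile(SAMPLE_CMDB, SAMPLE_RUNNING).items():
        print(f"{kind:13s} {items}")
```

Run on a schedule, the "drifted" and "unauthorized" buckets are the operational signal that humans are working inside guests instead of rebuilding from the golden image; the "missing" bucket catches records that were never cleaned up.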


Lingering Concerns

– Reliable, repeatable security at pace and scale
– Entropy sources across virtualized infrastructure
– Trust management in dynamic architectures
– Forensic reconstruction of volatile environments
– Unauthorized virtual machine "hot spots"
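Three of the points above (the VM definition as the "new physical", isolating the control plane, and entropy across virtualized infrastructure) can be checked mechanically against the definition the hypervisor boots from. The audit below is an added example written for this page, not code from the CSA deck: it reads a libvirt domain definition (the output of `virsh dumpxml <domain>`) and flags a VNC/SPICE console that is not pinned to the management address or has no password, a guest with no virtio-rng device, and a guest NIC attached to the management bridge. The bridge name `br-mgmt`, the management address `10.10.0.1` and both sample definitions are constructed assumptions; the element and attribute names are libvirt's own.

```python
"""Audit a libvirt domain definition for virtualization-hardening gaps.

Added example, not code from the CSA deck.  The bridge name, management
address and both sample definitions are constructed assumptions; the XML
element and attribute names are libvirt's own.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

MGMT_BRIDGE = "br-mgmt"    # assumed: bridge carrying the administrative network
MGMT_LISTEN = "10.10.0.1"  # assumed: the hypervisor's address on that network


def console_listen(graphics: ET.Element) -> tuple[str, str | None]:
    """Return (listen kind, address) for a <graphics> element.

    libvirt accepts either a legacy listen='...' attribute or a child
    <listen type='address|network|socket|none' .../>; only the 'address'
    kind carries an IP we can judge.
    """
    child = graphics.find("listen")
    if child is not None:
        return child.get("type", "address"), child.get("address")
    return "address", graphics.get("listen")


def audit_domain(domain_xml: str) -> list[str]:
    """Return one finding per hardening gap, empty if the definition is clean."""
    root = ET.fromstring(domain_xml)
    name = root.findtext("name", default="<unnamed>")
    findings: list[str] = []

    # 1. Control-plane exposure: consoles must bind to the management address
    #    and carry a password.  libvirt's VNC password is a weak control
    #    (8 characters); the listen restriction does the real work.
    for g in root.findall("devices/graphics"):
        gtype = g.get("type", "?")
        kind, addr = console_listen(g)
        if kind == "address":
            if addr in ("0.0.0.0", "::"):
                findings.append(f"{name}: {gtype} console listens on all interfaces")
            elif addr is None:
                findings.append(f"{name}: {gtype} console listen address not pinned in the definition")
            elif addr != MGMT_LISTEN:
                findings.append(f"{name}: {gtype} console listens on {addr}, not the management address")
        if gtype in ("vnc", "spice") and not g.get("passwd"):
            findings.append(f"{name}: {gtype} console has no password")

    # 2. Entropy: without a virtio-rng device the guest depends on its own
    #    sparse entropy sources, which are thin right after boot or cloning.
    if root.find("devices/rng") is None:
        findings.append(f"{name}: no <rng> device; guest may starve for entropy")

    # 3. Network separation: guest traffic must not share the management bridge.
    for iface in root.findall("devices/interface"):
        src = iface.find("source")
        if src is not None and src.get("bridge") == MGMT_BRIDGE:
            findings.append(f"{name}: guest NIC attached to management bridge {MGMT_BRIDGE}")
    return findings


# Constructed sample: the same guest defined carelessly and then hardened.
WEAK_DOMAIN = """\
<domain type='kvm'>
  <name>web-01</name>
  <devices>
    <interface type='bridge'><source bridge='br-mgmt'/><model type='virtio'/></interface>
    <graphics type='vnc' port='-1' autoport='yes' listen='0.0.0.0'/>
  </devices>
</domain>
"""

HARDENED_DOMAIN = """\
<domain type='kvm'>
  <name>web-01</name>
  <devices>
    <interface type='bridge'><source bridge='br-guest'/><model type='virtio'/></interface>
    <graphics type='vnc' port='-1' autoport='yes' passwd='example-only'>
      <listen type='address' address='10.10.0.1'/>
    </graphics>
    <rng model='virtio'><backend model='random'>/dev/urandom</backend></rng>
  </devices>
</domain>
"""

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DOMAIN), ("hardened", HARDENED_DOMAIN)):
        print(label, audit_domain(doc) or ["no findings"])
```

The same approach extends to the storage concern from the "Virtual Machines / Guest OS" slide: the `<disk>` elements in the same definition name the image files whose integrity and permissions decide what the guest boots, so the definition file itself needs the access control the deck says the physical hardware used to get.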


Contact

• www.cloudsecurityalliance.org
• info@cloudsecurityalliance.org
• Twitter: @cloudsa, #csaguide
• LinkedIn: www.linkedin.com/groups?gid=1864210


Thank You!

www.cloudsecurityalliance.org
