Virtualization Hardening - Cloud Security Alliance
Physical Devices, Cabling, etc.
Copyright © 2009 Cloud Security Alliance
www.cloudsecurityalliance.org
Hypervisors
Type 1 (bare metal):
  Guest | Guest | Guest
  Hypervisor
  Hardware
Type 2 (hosted):
  Guest | Guest | Guest
  Hypervisor
  Operating System
  Hardware
Shared Physical Resources
Virtualized Resources
– CPU
– Memory
– Disk
– Networking
– Video
– Randomness
– [...]
Virtual Machines / Guest OS
Typical Steps:
– Minimization, Patching, Hardening, RBAC, Least Privilege, etc.
What about the Virtual Machine:
– Definitions and their storage? The new “physical”!
– Configuration opportunities (e.g., administrative networks)
Micro-Virtualization
– The next frontier?
Micro-Virtualization
Management and Monitoring
Management
– Isolation of the control plane
– Authenticated and encrypted interaction with the control plane
– Management access control, role separation, etc.
Monitoring
– In the VM, in the Hypervisor, on the network? It depends!
– Impact of encryption on monitoring
– Guest and management activity
Governance
IT Issues
– IT Architecture
– IT Service Management
Business Issues
– Risk management
– Policy and regulatory compliance
– Export control, data handling requirements
– Applicability
Rethinking IT: Effective Global Business Services
Standardization
• Secured Golden Images
• Well-defined processes
Configuration Mgt.
• CMDBs, Modeling “Truth”
Assembly / Distribution
• Build once, patch once, deploy everywhere
Automation
• Discourage “humans” inside virtual machines
Lingering Concerns
– Reliable, repeatable security at pace and scale
– Entropy sources across virtualized infrastructure
– Trust management in dynamic architectures
– Forensic reconstruction of volatile environments
– Unauthorized virtual machine “Hot Spots”
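Three of the deck's points are checkable from a guest's definition alone: the VM definition and its storage are the new "physical" (Virtual Machines / Guest OS slide), consoles and other management paths belong on an administrative network (Management slide), and a guest with no virtual RNG device has only its own thin entropy sources (Lingering Concerns). The following is an added example, not CSA material or code from the deck: it audits a libvirt-style domain XML for those three conditions and checks file modes on definition and image files. The domain XML is constructed to illustrate the findings, and ALLOWED_STORAGE_ROOT and ADMIN_NETWORK are assumed policy values for the example.

```python
"""Audit a libvirt-style domain definition for console exposure, disk images
outside the controlled store, and a missing virtual RNG device.  Added example;
the sample XML is constructed and the policy constants are assumptions."""
import ipaddress
import os
import stat
import xml.etree.ElementTree as ET
from typing import List

# Assumed policy values for this example (not from the deck).
ALLOWED_STORAGE_ROOT = "/var/lib/libvirt/images"
ADMIN_NETWORK = ipaddress.ip_network("10.10.0.0/24")

# Constructed sample: VNC bound to every interface with no password, one disk
# outside the image store, and no <rng> device.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>web01</name>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/web01.qcow2'/>
    </disk>
    <disk type='file' device='disk'>
      <source file='/home/ops/scratch/web01-data.img'/>
    </disk>
    <graphics type='vnc' port='-1' listen='0.0.0.0'/>
  </devices>
</domain>
"""


def audit_domain(domain_xml: str) -> List[str]:
    findings = []
    root = ET.fromstring(domain_xml)
    name = root.findtext("name", default="<unnamed>")

    # 1. Management path: console listeners must bind only to the admin network.
    for g in root.iter("graphics"):
        listen = g.get("listen")
        if listen is None:  # libvirt also allows a nested <listen address='...'/>
            sub = g.find("listen")
            listen = sub.get("address") if sub is not None else None
        if listen is None:
            continue  # no network listener configured
        try:
            addr = ipaddress.ip_address(listen)
        except ValueError:
            findings.append(f"{name}: graphics listen value {listen!r} is not an IP address")
            continue
        if addr.is_unspecified or addr not in ADMIN_NETWORK:
            findings.append(f"{name}: {g.get('type')} console listens on {listen}, "
                            f"outside admin network {ADMIN_NETWORK}")
        if g.get("type") in ("vnc", "spice") and not g.get("passwd"):
            findings.append(f"{name}: {g.get('type')} console has no password set")

    # 2. Definitions and storage are the new "physical": images stay in the store.
    for disk in root.iter("disk"):
        src = disk.find("source")
        if src is None or src.get("file") is None:
            continue
        path = os.path.normpath(src.get("file"))
        if os.path.commonpath([path, ALLOWED_STORAGE_ROOT]) != ALLOWED_STORAGE_ROOT:
            findings.append(f"{name}: disk image {path} is outside {ALLOWED_STORAGE_ROOT}")

    # 3. Entropy: without an <rng> device the guest cannot draw on host randomness.
    if root.find("devices/rng") is None:
        findings.append(f"{name}: no virtual RNG device (e.g., virtio-rng) defined")
    return findings


def world_accessible(mode: int) -> bool:
    """True when a definition or image file grants any permission to group or others."""
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def audit_storage_permissions(paths) -> List[str]:
    """Report definition/image files that are not owner-only; missing paths are skipped."""
    findings = []
    for p in paths:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            continue
        if world_accessible(st.st_mode):
            findings.append(f"{p}: mode {stat.filemode(st.st_mode)} grants group/other access")
    return findings


if __name__ == "__main__":
    for f in audit_domain(SAMPLE_DOMAIN_XML):
        print("FINDING:", f)
```

On a real host the same functions would be run over the output of the hypervisor's definition export and over the definition and image directories; the point of keeping the checks as pure functions is that they can also run in a build pipeline before a definition is ever loaded.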
Contact
• www.cloudsecurityalliance.org
• info@cloudsecurityalliance.org
• Twitter: @cloudsa, #csaguide
• LinkedIn: www.linkedin.com/groups?gid=1864210
Thank You!
www.cloudsecurityalliance.org