© Cloud Security Alliance, 2015 CSA Virtualisation Working Group Best Practices for Mitigating Risks in Virtualized Environments Kelvin Ng Tao Yao Sing

© Cloud Security Alliance, 2015

CSA Virtualisation Working Group

Best Practices for Mitigating Risks

in Virtualized Environments Kelvin NgTao Yao Sing

Heng Yiak Por


• Co-Chairs• Kapil Raina, Zscaler• Kelvin Ng , Nanyang Polytechnic• Yao Sing , Tao , IDA Singapore

• Contributors• Abhik Chaudhuri , Tata Consultancy

Services• Heberto Ferrer , HyTrust• Hemma Prafullchandra, HyTrust• J D Sherry , Cavirin• Kelvin Ng , Nanyang Polytechnic• Xiaoyu, Ge, Huawei• Yao Sing , Tao , IDA Singapore• Yiak Por , Heng , Nanyang Polytechnic

• CSA Global Staff• Frank Guanco , Research Analyst• Victor Chin , Research Analyst

Acknowledgements


Agenda• Background• Whitepaper Development• Whitepaper Content• Scope• Introduction• Securing Virtualization

Platforms and establishing Governance

• Virtualization risks and Controls

• Risk Assessment • What next ?• Q&A

© Cloud Security Alliance, 2015.

Background• Project CharterThe CSA Virtualization Working Group provides guidance on implementation best practices for enterprises in the deployment of virtualization in the areas of compute and network.

• Deliverables1. White Paper for the enhancements on Security Guidance for critical areas of focus in cloud computing v 3.0 Domain 132. A guideline for best practices for secure network virtualization design and deployment

• Participation1. Basecamp2. Bi-Weekly Concall3. Open Peer review

© Cloud Security Alliance, 2015.

Whitepaper Development• Working Group formed• Aug 2014

• Reference Documents• Security Guidance for critical

areas of focus in cloud computing v 3.0 2011 Domain 13

• Singapore Standards Council, TR30:2012, Spring Singapore


•Scope• Provides guidance on the

identification and management of security risks specific to compute virtualization technologies that run on server hardware—as opposed to, for example, desktop, network, or storage virtualization. • The audience includes enterprise

information systems and security personnel and cloud service providers, although the primary focus is on the former

Whitepaper Content


•Introduction•Cloud Computing Top Threats 2013 report by CSA• Data breaches • Data loss • Account or service traffic hijacking • Insecure interfaces and APIs • Denial of services • Malicious insiders • Abuse of cloud services • Insufficient due diligence • Shared technology vulnerabilities

Whitepaper Content


•Securing Virtualization Platforms and establishing Governance•Initiation phase • Identify virtualization needs, •Providing an overall vision and create high-level strategy• Identifying platforms and applications that can be virtualized

Whitepaper Content


•Securing Virtualization Platforms and establishing Governance•Planning and Design phase •Major considerations include selection of virtualization software, storage system, network topology, bandwidth availability and business continuity. •Appropriate logical segregation of instances that have sensitive data. •Separate authentication should be established for application / server, guest operating system, hypervisor, and host operating system

Whitepaper Content


•Securing Virtualization Platforms and establishing Governance•Implementation phase •Virtualization platform should be hardened using vendor-provided guidelines and/or 3rd party tools. •Role-based access policies should be enforced to enable segregation of duties, thereby facilitating proof of governance. •Proper VM encryption is required to significantly reduce the risk associated with user access to physical servers and storage containing sensitive data.

Whitepaper Content


•Securing Virtualization Platforms and establishing Governance•Disposition phase • Tasks should be clearly defined in sanitizing media before disposition. • VM retirement process must meet legal and regulatory requirements in order to prevent data leakage and breaches..

Whitepaper Content


• Virtualization Risks and Controls•Risks and controls of using VM• VM Sprawl• Sensitive Data within a VM• Security of Offline and Dormant VMs• Security of Pre-Configured (Golden Image)

VM / Active VMs • Lack of Visibility Into and Controls Over

Virtual Networks • Resource Exhaustion

Whitepaper Content


• Virtualization Risks and Controls•Risks and controls on using hypervisor•Hypervisor Security •Unauthorized Access to Hypervisor

•Risks and controls due to changes in operation procedures•Account or Service Hijacking Through the Self-Service Portal •Workload of Different Trust Levels Located on the Same Server •Risk Due to Cloud Service Provider API

Whitepaper Content


• Virtualization Risks and Controls•VM Sprawl

Whitepaper Content

Risk Name VM Sprawl

Risk Description VM sprawl describes the uncontrolled proliferation of VMs. Because VM instances can be easily created and existing instances can be easily cloned and copied to physical servers, the number of dormant VM disk files is likely to increase. In addition, the unique ability to move VMs from one physical server to another creates audit and security monitoring complexity and loss of potential control. As a result, a number of VMs may be unmanaged, unpatched, and unsecured.

Relevant Security Aspect Risk to confidentiality, integrity, and availability

Relevant Governance Risk Area

Architectural and configuration risk

Vulnerabilities ● Proper policy and control processes to manage VM lifecycle do not exist.

● Placement / zoning policies or enforcement of where a dormant VM can instantiate or reside does not exist.

● A discovery tool for identification of unauthorized VMs does not exist.

Affected Assets VM

CCM v3.0.1 CCC-05



Whitepaper Content

Potential security impact

In a traditional IT environment, physical servers must be procured. This requirement enforces effective controls, because change requests must be created and approved before hardware and software can be acquired and connected to the data center.

In the case of virtualization, however, VMs can be allocated quickly, self-provisioned, or moved between physical servers, avoiding the conventional change management process. Without an effective control process in place, VMs and other virtual systems with unknown configurations can quickly proliferate, consuming resources, degrading overall system performance, and increasing liability and risk of exposure. Because these machines may not be readily detectable or visible, they may not be effectively monitored or tracked for the application of security patches or effectively investigated should a security incident occur.



Whitepaper Content

Security Controls for Mitigating Risks

To mitigate risk, consider implementing the following security controls:

● Put effective policies, guidelines, and processes in place to govern and control VM lifecycle management, including self-service and automated scripts / DevOps tools.

● Control the creation, storage, and use of VM images by a formal change management process and tools. Approve additions only when necessary.

● Keep a small number of known-good—and timely patched—images of a guest operating system separately and use them for fast recovery and restoration of systems to the desired baseline.

● Discover virtual systems, including dormant ones and the applications running on them, regularly. Discovering, classifying, and implementing appropriate security controls for each VM and its associated network connections is critical. This process includes quarantine or rollback capability in case a compromise occurs.

● Use virtualization products with management solutions to examine, patch, and apply security configuration changes to VMs.


• Asset risk evaluation based on :-• Identified vulnerabilities• Likelihood• Impact due confidentiality• Impact due to integrity• Impact due availability• Average risk level rating

• For any risk level above acceptance criteria • Mitigate risk items via recommended controls in

whitepaper

• Continuously monitor and mitigate risks

• Risk Assessment

Whitepaper Content


• Evaluation of Risk• Risk Assessment

Whitepaper Content

Type of Risk

Asset exposed to risk

Vulnerability Likelihood Impact Due to Confidentiality Compromise

Impact Due to Integrity Compromise

Impact Due to Availability Compromise

Evaluate Risk Level

Risk Treatment Control to be implemented

Evaluate Residual Risk Level

1. VM Sprawl

VM Lack of effective control process to manage VM lifecycle

LowMedium

High

LowMedium

High

LowMedium

High

LowMedium

High

Lack of placement / zoning policies or enforcement of where a dormant VM can instantiate or reside

LowMedium

High

LowMedium

High

LowMedium

High

LowMedium

High

Lack of discovery tool to identify unauthorized VMs

LowMedium

High

LowMedium

High

LowMedium

High

LowMedium

High


• Update Security Guidance for critical areas of focus in cloud computing v 3.0 Domain 13

• Plan to use it as a support document for ISO• May 2015, Kuching Malaysia• ISO Working Group 4• Either 6 month study period• Or launch new WG item with enough

support

What Next ?

??? ?© Cloud Security Alliance, 2015