Chris Wraight CA Technologies 28 February 2011 Session …€¦ · address various risks, including...
Transcript of Chris Wraight CA Technologies 28 February 2011 Session …€¦ · address various risks, including...
![Page 1: Chris Wraight CA Technologies 28 February 2011 Session …€¦ · address various risks, including security, that virtualization brings. Some of the security risks are similar to](https://reader034.fdocuments.us/reader034/viewer/2022051920/600cf3357f88631c44563ee1/html5/thumbnails/1.jpg)
managing the risks of virtualizationChris WraightCA Technologies
28 February 2011Session Number 8951
![Page 2: Chris Wraight CA Technologies 28 February 2011 Session …€¦ · address various risks, including security, that virtualization brings. Some of the security risks are similar to](https://reader034.fdocuments.us/reader034/viewer/2022051920/600cf3357f88631c44563ee1/html5/thumbnails/2.jpg)
Virtualization opens the door to a world of opportunities and well managed virtualization sets the course for cloud. However, in order to get there, organizations must address various risks, including security, that virtualization brings. Some of the security risks are similar to the physical server environment, but are compounded by virtualization technology. The speaker from CA Technologies will discuss how keeping the risks in-check and extending security can make this migration fruitful, and pay off for IT.
abstract
2
![Page 3: Chris Wraight CA Technologies 28 February 2011 Session …€¦ · address various risks, including security, that virtualization brings. Some of the security risks are similar to](https://reader034.fdocuments.us/reader034/viewer/2022051920/600cf3357f88631c44563ee1/html5/thumbnails/3.jpg)
virtualization continues to grow
3
1Gartner; “Q&A: Six Misconceptions About Server Virtualization”, Thomas J. Bittman; 29 July 2010
“By 2015, 40% of the security controls used within enterprise data centers will be virtualized, up from less than 5% in 2010.”2
“There will be more virtual machines deployed on servers during 2011 than in 2001 through 2009 combined”!
2Gartner; “From Secure Virtualization to Secure Private Clouds”; Neil MacDonald & Thomas J. Bittman; 13 October 2010
![Page 4: Chris Wraight CA Technologies 28 February 2011 Session …€¦ · address various risks, including security, that virtualization brings. Some of the security risks are similar to](https://reader034.fdocuments.us/reader034/viewer/2022051920/600cf3357f88631c44563ee1/html5/thumbnails/4.jpg)
• Technology Overview• Identity and Access Management Risks• Mitigating the Risks• Session summary
agenda
4
![Page 5: Chris Wraight CA Technologies 28 February 2011 Session …€¦ · address various risks, including security, that virtualization brings. Some of the security risks are similar to](https://reader034.fdocuments.us/reader034/viewer/2022051920/600cf3357f88631c44563ee1/html5/thumbnails/5.jpg)
virtualization technology overview
Terms Used in this presentation:• Virtualization “host” platform• “guest” OS VMs, partitions• Privileged partition (admin)
• Hypervisor Virtualization Architectures:
• Hosted - VMware Workstation, Microsoft Virtual PC
• ‘Bare metal’• Hypervisor-based – VMWare ESX,
IBM LPAR, HP VPAR • OS-based – Solaris 10
![Page 6: Chris Wraight CA Technologies 28 February 2011 Session …€¦ · address various risks, including security, that virtualization brings. Some of the security risks are similar to](https://reader034.fdocuments.us/reader034/viewer/2022051920/600cf3357f88631c44563ee1/html5/thumbnails/6.jpg)
Operating system-based virtualization.
• Virtualization is native to the host operating system
• Multiple isolated, virtual environment instances
• Shared OS kernel.• Homogeneous OS guests
Example: Sun Solaris 10 Containers (Zones).
virtualization technology overview (cont’d)
![Page 7: Chris Wraight CA Technologies 28 February 2011 Session …€¦ · address various risks, including security, that virtualization brings. Some of the security risks are similar to](https://reader034.fdocuments.us/reader034/viewer/2022051920/600cf3357f88631c44563ee1/html5/thumbnails/7.jpg)
virtualization technology overview (cont’d)
Hypervisor-based virtualization• “Bare Metal”• Embedded or implemented in
the hosting OS kernel• Each guest runs on discrete
virtual hardware• VMs may be referred to as
partitionsExample: IBM AIX LPAR, HP-UX VPAR and VMware ESX Server.
![Page 8: Chris Wraight CA Technologies 28 February 2011 Session …€¦ · address various risks, including security, that virtualization brings. Some of the security risks are similar to](https://reader034.fdocuments.us/reader034/viewer/2022051920/600cf3357f88631c44563ee1/html5/thumbnails/8.jpg)
• Technology Overview• Identity and Access Management Risks• Mitigating the Risks• Session summary
8
![Page 9: Chris Wraight CA Technologies 28 February 2011 Session …€¦ · address various risks, including security, that virtualization brings. Some of the security risks are similar to](https://reader034.fdocuments.us/reader034/viewer/2022051920/600cf3357f88631c44563ee1/html5/thumbnails/9.jpg)
• Each physical system becomes more critical• A new level of administration is introduced• Unstructured physical boundaries• Unstructured time dimension• Heterogeneous dynamic environments
how is virtualization different?
9
![Page 10: Chris Wraight CA Technologies 28 February 2011 Session …€¦ · address various risks, including security, that virtualization brings. Some of the security risks are similar to](https://reader034.fdocuments.us/reader034/viewer/2022051920/600cf3357f88631c44563ee1/html5/thumbnails/10.jpg)
• Hypervisors expose high level of privileges• Shared resources available to virtualization• Each virtualized guest has its own hierarchy of
privileged access which should be separate from infrastructure
• VM ‘sprawl’• Structured and unstructured data on virtualized
environments is unsecure• No central authentication source
the challenges of virtualization
![Page 11: Chris Wraight CA Technologies 28 February 2011 Session …€¦ · address various risks, including security, that virtualization brings. Some of the security risks are similar to](https://reader034.fdocuments.us/reader034/viewer/2022051920/600cf3357f88631c44563ee1/html5/thumbnails/11.jpg)
• Regulatory requirements still apply• Auditing access and identities is difficult in virtualized
environments• Privileges in a virtualized environment not well defined• Decentralized privileged user administration (incl. virtual
environments)
the challenges of virtualization
![Page 12: Chris Wraight CA Technologies 28 February 2011 Session …€¦ · address various risks, including security, that virtualization brings. Some of the security risks are similar to](https://reader034.fdocuments.us/reader034/viewer/2022051920/600cf3357f88631c44563ee1/html5/thumbnails/12.jpg)
• VM mobility beyond the server room• VMs can be copied, or cloned• Machine memory is accessible from the host• Disk space can be accessed from storage
• Challenging physical security• Copying a VM = Stealing a server from the server room• The virtual DC is distributed – Not a mainframe
unstructured physical boundaries
12
![Page 13: Chris Wraight CA Technologies 28 February 2011 Session …€¦ · address various risks, including security, that virtualization brings. Some of the security risks are similar to](https://reader034.fdocuments.us/reader034/viewer/2022051920/600cf3357f88631c44563ee1/html5/thumbnails/13.jpg)
• What happens when we revert to prior snapshot?• Lose audit events• Lose configuration• Lose security policy
• Am I still compliant with my policy?
managing the 4th dimension - time
13
![Page 14: Chris Wraight CA Technologies 28 February 2011 Session …€¦ · address various risks, including security, that virtualization brings. Some of the security risks are similar to](https://reader034.fdocuments.us/reader034/viewer/2022051920/600cf3357f88631c44563ee1/html5/thumbnails/14.jpg)
• Normal user• Is identified• Access is controlled
• ‘root’ administrator• Is anonymous• Can bypass application security• Can see and alter application data• Can change system files• Can change system configuration• Can alter logs and erase records
the privileged user
14
ApplicationSecurity
OS Security
Privileged User
Customer DataCritical servicesFiles & Logs
![Page 15: Chris Wraight CA Technologies 28 February 2011 Session …€¦ · address various risks, including security, that virtualization brings. Some of the security risks are similar to](https://reader034.fdocuments.us/reader034/viewer/2022051920/600cf3357f88631c44563ee1/html5/thumbnails/15.jpg)
the virtualization privileged user
15
Privileged User
Virtualization makes the problem worse by introducing a new privilege layer.
![Page 16: Chris Wraight CA Technologies 28 February 2011 Session …€¦ · address various risks, including security, that virtualization brings. Some of the security risks are similar to](https://reader034.fdocuments.us/reader034/viewer/2022051920/600cf3357f88631c44563ee1/html5/thumbnails/16.jpg)
• Data exposure• Different business owners• VMs can be copied exposing sensitive data
• Business continuity and availability - isolation is not enough!• Halting critical VMs• Tampering with configurations
• Management and Control• Administrators can deploy new VMs very easily• Increases the chance for mistakes • Improperly-configured VMs can be vulnerable
unrestricted privileged access
16
![Page 17: Chris Wraight CA Technologies 28 February 2011 Session …€¦ · address various risks, including security, that virtualization brings. Some of the security risks are similar to](https://reader034.fdocuments.us/reader034/viewer/2022051920/600cf3357f88631c44563ee1/html5/thumbnails/17.jpg)
• Virtualization: Making the complex appear simple• Configuration and change management• Network management• Storage management• Capacity management
managing complexity
17
![Page 18: Chris Wraight CA Technologies 28 February 2011 Session …€¦ · address various risks, including security, that virtualization brings. Some of the security risks are similar to](https://reader034.fdocuments.us/reader034/viewer/2022051920/600cf3357f88631c44563ee1/html5/thumbnails/18.jpg)
• Virtualization: Making the complex appear simple• Configuration and Change Management• Network Management• Storage Management• Capacity Management
• But what about security management?• Heterogeneous VMs• Highly-distributed• Dynamically changing
• How do I manage the complexity?
managing complexity
18
![Page 19: Chris Wraight CA Technologies 28 February 2011 Session …€¦ · address various risks, including security, that virtualization brings. Some of the security risks are similar to](https://reader034.fdocuments.us/reader034/viewer/2022051920/600cf3357f88631c44563ee1/html5/thumbnails/19.jpg)
• Each virtualization host becomes more important.• One host running many VMs = Critical Infrastructure • Critical infrastructure = Business impact • Business impact = Compliance requirements
• Compliance requirements mandate additional controls!
audit, audit, audit!
19
![Page 20: Chris Wraight CA Technologies 28 February 2011 Session …€¦ · address various risks, including security, that virtualization brings. Some of the security risks are similar to](https://reader034.fdocuments.us/reader034/viewer/2022051920/600cf3357f88631c44563ee1/html5/thumbnails/20.jpg)
• Virtualization audit issues haven't yet been flagged• What will drive priorities?
• Education• Compliance and regulatory pressures are expected to
increase• Public exposure
• Will require adjusted controls for separation of management, and control
compliance and audit
20
![Page 21: Chris Wraight CA Technologies 28 February 2011 Session …€¦ · address various risks, including security, that virtualization brings. Some of the security risks are similar to](https://reader034.fdocuments.us/reader034/viewer/2022051920/600cf3357f88631c44563ee1/html5/thumbnails/21.jpg)
• Technology Overview• Identity and Access Management Risks• Mitigating the Risks• Session summary
21
![Page 22: Chris Wraight CA Technologies 28 February 2011 Session …€¦ · address various risks, including security, that virtualization brings. Some of the security risks are similar to](https://reader034.fdocuments.us/reader034/viewer/2022051920/600cf3357f88631c44563ee1/html5/thumbnails/22.jpg)
best practices: segregate duties - restrict admins
Segregate Administration• System• Virtualization• Audit
Restrict access to logsRestrict access to virtualization resources
• Deny sys admins• Allow only through admin tools
![Page 23: Chris Wraight CA Technologies 28 February 2011 Session …€¦ · address various risks, including security, that virtualization brings. Some of the security risks are similar to](https://reader034.fdocuments.us/reader034/viewer/2022051920/600cf3357f88631c44563ee1/html5/thumbnails/23.jpg)
full privileged user management
23
• Restrict privileged access
• Ensure accountability• Restrict access to logs• Restrict access to
virtualization resources
Privileged User
Data & Resource Protection
![Page 24: Chris Wraight CA Technologies 28 February 2011 Session …€¦ · address various risks, including security, that virtualization brings. Some of the security risks are similar to](https://reader034.fdocuments.us/reader034/viewer/2022051920/600cf3357f88631c44563ee1/html5/thumbnails/24.jpg)
• Enforce the policy across all VMs and virtualization platform
• Centralization - Do not rely on local policies• Enforce policy change control• Manage deviations from the policy• Report on policy compliance
central access policy management
24
![Page 25: Chris Wraight CA Technologies 28 February 2011 Session …€¦ · address various risks, including security, that virtualization brings. Some of the security risks are similar to](https://reader034.fdocuments.us/reader034/viewer/2022051920/600cf3357f88631c44563ee1/html5/thumbnails/25.jpg)
• Monitor the virtualization platform• Monitor administrative activity (including impersonation)• Monitor all access to virtualization resources• Centralize audit logs• Notify on significant events• Integrate with SIEM systems
complete and secure auditing
25
![Page 26: Chris Wraight CA Technologies 28 February 2011 Session …€¦ · address various risks, including security, that virtualization brings. Some of the security risks are similar to](https://reader034.fdocuments.us/reader034/viewer/2022051920/600cf3357f88631c44563ee1/html5/thumbnails/26.jpg)
• Technology Overview• Identity and Access Management Risks• Mitigating the Risks• Session summary
26
![Page 27: Chris Wraight CA Technologies 28 February 2011 Session …€¦ · address various risks, including security, that virtualization brings. Some of the security risks are similar to](https://reader034.fdocuments.us/reader034/viewer/2022051920/600cf3357f88631c44563ee1/html5/thumbnails/27.jpg)
• Security and control are the number one inhibitors to virtualization/cloud adoption by the enterprise
• Automation is an imperative• Security will become a cloud differentiator• The IT roles are reversing
conclusions
27
![Page 28: Chris Wraight CA Technologies 28 February 2011 Session …€¦ · address various risks, including security, that virtualization brings. Some of the security risks are similar to](https://reader034.fdocuments.us/reader034/viewer/2022051920/600cf3357f88631c44563ee1/html5/thumbnails/28.jpg)
• Be aware of the security implications• Physical boundaries are changing• The definition of time is changing• An additional administration layer is introduced• The virtualization host is critical infrastructure
• Organizations should prepare now for increasing audit scrutiny
• Demand visibility and control• Privileged user access management• Consistent security policies• Complete and secure auditing
apply
28
![Page 29: Chris Wraight CA Technologies 28 February 2011 Session …€¦ · address various risks, including security, that virtualization brings. Some of the security risks are similar to](https://reader034.fdocuments.us/reader034/viewer/2022051920/600cf3357f88631c44563ee1/html5/thumbnails/29.jpg)
questions and answers