Virtualization Standards and Compliance
Virtualization Standards & Compliance
Niranjana S. Karandikar, MSc II Sem 4
Contents
• Introduction
• Need
• Standards
• Compliance
• PCI DSS and Virtualization
• Risks in Virtual Environments
• PCI DSS Requirements
Virtualization
• Logical abstraction of computing resources
• Work load equivalent to physical machine
• Same threats
• Security Needed
Need
• Increased use of VMs
• VMs are movable
• Handling of sensitive Data
• Single point of Compromise
Standards
• DMTF(Distributed Management Task Force)
• OVF (Open Virtualization Format)
• VMAN(Virtualization Management Initiative)
DMTF
• 2007
• “simplify and provide ease-of-use for the virtual environment by creating an industry standard for system virtualization management.” - Winston Bumpus, President, DMTF
• DMTF initiated the availability of the OVF standard for delivering VMs, and the new VMAN.
OVF
• Virtualization platform-independent
• Supports a full range of current virtual hard disks and is extensible to deal with future formats
• Not reliant on the use of any specific host platform, virtualization platform, or guest operating system.
• OVF is a portable format that allows deployment on any supporting hypervisor.
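Portability cuts both ways: an OVF package that any hypervisor will accept is also a package that can be altered anywhere along the way, so the receiving side should verify the package's manifest before importing it. The example below is added here and is not from the slides or from DMTF; it builds a constructed minimal OVF descriptor and a stand-in disk file, writes the `.mf` manifest in the `ALGO(name)= hexdigest` line form the OVF specification uses, and verifies a package against it, flagging digest mismatches and any referenced disk the manifest does not cover. The file names and contents are constructed for the example.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed minimal OVF descriptor (not a real appliance): one virtual
# system referencing one virtual disk file, using the OVF 1.x namespace.
OVF_DESCRIPTOR = """<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"
          xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1">
  <References>
    <File ovf:id="file1" ovf:href="app-disk1.vmdk" ovf:size="5"/>
  </References>
  <DiskSection>
    <Info>Virtual disks</Info>
    <Disk ovf:diskId="vmdisk1" ovf:fileRef="file1" ovf:capacity="1"/>
  </DiskSection>
  <VirtualSystem ovf:id="app-vm">
    <Info>A single virtual machine</Info>
    <Name>app-vm</Name>
  </VirtualSystem>
</Envelope>
"""

# Constructed stand-in for the disk image bytes (a real package holds a VMDK).
DISK_BYTES = b"disk\n"

OVF_NS = "{http://schemas.dmtf.org/ovf/envelope/1}"
# One manifest line per package file: SHA1(name)= hex  or  SHA256(name)= hex
MANIFEST_LINE = re.compile(r"^(?P<algo>SHA1|SHA256)\((?P<name>[^)]+)\)= (?P<digest>[0-9a-fA-F]+)$")


def referenced_files(descriptor_xml: str) -> list[str]:
    """Return the ovf:href of every File listed in the descriptor's References."""
    root = ET.fromstring(descriptor_xml)
    return [f.get(OVF_NS + "href") for f in root.iter(OVF_NS + "File")]


def build_manifest(files: dict[str, bytes], algo: str = "SHA256") -> str:
    """Produce the .mf text for a package: one digest line per file."""
    lines = [f"{algo}({name})= {hashlib.new(algo.lower(), data).hexdigest()}"
             for name, data in files.items()]
    return "\n".join(lines) + "\n"


def verify_package(files: dict[str, bytes], manifest: str) -> tuple[bool, list[str]]:
    """Check each manifest digest and that the descriptor and every disk it
    references are covered. Returns (ok, list of problems)."""
    problems: list[str] = []
    covered: set[str] = set()
    for raw in manifest.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            problems.append(f"malformed manifest line: {line!r}")
            continue
        name, algo = m.group("name"), m.group("algo").lower()
        if name not in files:
            problems.append(f"manifest names missing file: {name}")
            continue
        if hashlib.new(algo, files[name]).hexdigest() != m.group("digest").lower():
            problems.append(f"digest mismatch: {name}")
        covered.add(name)

    descriptor = next((n for n in files if n.endswith(".ovf")), None)
    if descriptor is None:
        problems.append("no .ovf descriptor in package")
    else:
        if descriptor not in covered:
            problems.append("descriptor not covered by manifest")
        for href in referenced_files(files[descriptor].decode()):
            if href not in covered:
                problems.append(f"referenced file not covered by manifest: {href}")
    return (not problems, problems)


if __name__ == "__main__":
    package = {"app.ovf": OVF_DESCRIPTOR.encode(), "app-disk1.vmdk": DISK_BYTES}
    manifest = build_manifest(package)
    print(manifest)
    print("clean package:", verify_package(package, manifest))
    tampered = dict(package, **{"app-disk1.vmdk": b"other\n"})
    print("tampered disk:", verify_package(tampered, manifest))
```

The manifest only proves the package matches what its author hashed; the OVF specification also allows a certificate file that signs the manifest, and without that signature (or an out-of-band trusted copy of the manifest) an attacker who can rewrite the disk can rewrite the `.mf` too. The coverage check matters for the same reason: a manifest that omits a referenced disk leaves that disk unverified.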
VMAN
• The management lifecycle of a virtual environment is addressed in DMTF’s VMAN
• Standardized approach to VM:
• Deployment
• Discovery and inventory
• Lifecycle management
• Creation, deletion, and modification
• Health and performance monitoring
Compliance
• The ability to act according to an order, set of rules or request
• E.g.: ISO, SOX, HIPAA
PCI DSS and Virtualization
PCI DSS and Virtualization make a good combination as
• Many monetary transactions are being carried out in virtual environments.
• The PCI Security Standards Council (SSC) is international.
• VMware has joined the PCI SSC
PCI DSS
• A set of comprehensive requirements for
• Enhancing payment account data security.
• Developed by the founding payment brands of the PCI SSC, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. International,
• To help facilitate the broad adoption of consistent data security measures on a global basis.
Contd.
• PCI DSS is a group of principles and accompanying directives organized into 12 requirements in the following six categories:
• Build and Maintain a Secure Network
• Protect Cardholder Data
• Maintain a Vulnerability Management Program
• Implement Strong Access Control Measures
• Regularly Monitor and Test Networks
• Maintain an Information Security Policy
PRINCIPLES
a. If virtualization technologies are used in a cardholder data environment, PCI DSS requirements apply to those virtualization technologies.
b. Virtualization technology introduces new risks that may not be relevant to other technologies
c. Implementations of virtual technologies can vary greatly
d. There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements.
Risks for Virtualized Environments
1. Vulnerabilities in the Physical Environment Apply in a Virtual Environment
2. Hypervisor Creates New Attack Surface
3. Increased Complexity of Virtualized Systems and Networks
4. More Than One Function per Physical System
5. Mixing VMs of Different Trust Levels
6. Lack of Separation of Duties
7. Dormant Virtual Machines
8. VM Images and Snapshots
9. Immaturity of Monitoring Solutions
10. Information Leakage between Virtual Network Segments
11. Information Leakage between Virtual Components
PCI DSS REQUIREMENTS
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software or programs.
CONTD.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
CONTD.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.
Requirement A.1:
Shared hosting providers must protect the cardholder data environment (CDE).
THANK YOU