playing by virtual security rules: how virtualization ......playing by virtual security rules: how...
TRANSCRIPT
![Page 1: Playing by Virtual Security Rules: How Virtualization ......Playing by Virtual Security Rules: How Virtualization Changes Everything andVirtualization Changes Everything and What to](https://reader030.vdocuments.net/reader030/viewer/2022041004/5ea8044720eb2a1ba8255870/html5/thumbnails/1.jpg)
Playing by Virtual Security Rules: How Virtualization Changes Everything andVirtualization Changes Everything and
What to Do about It
Steve PateCTO
Vormetric
![Page 2: Playing by Virtual Security Rules: How Virtualization ......Playing by Virtual Security Rules: How Virtualization Changes Everything andVirtualization Changes Everything and What to](https://reader030.vdocuments.net/reader030/viewer/2022041004/5ea8044720eb2a1ba8255870/html5/thumbnails/2.jpg)
Agenda
• Virtualization state of play• Do old security rules still apply?y pp y• Vulnerabilities with OS virtualization• How can I protect my virtualizationHow can I protect my virtualization
environment today?• What’s the virtualization security roadmap?What s the virtualization security roadmap?
![Page 3: Playing by Virtual Security Rules: How Virtualization ......Playing by Virtual Security Rules: How Virtualization Changes Everything andVirtualization Changes Everything and What to](https://reader030.vdocuments.net/reader030/viewer/2022041004/5ea8044720eb2a1ba8255870/html5/thumbnails/3.jpg)
Where are we today?• OS virtualization moving rapidly into production• OS virtualization moving rapidly into production
environments • Companies concerned about security issues and p y
lack of security products • VMware will dominate for the next few years
– therefore the main focus of attack!– more security violations in Nov 07 than whole of company’s
history
• Hyper-V will make headway but slowly ...• Xen will stay a distant 3rdy
![Page 4: Playing by Virtual Security Rules: How Virtualization ......Playing by Virtual Security Rules: How Virtualization Changes Everything andVirtualization Changes Everything and What to](https://reader030.vdocuments.net/reader030/viewer/2022041004/5ea8044720eb2a1ba8255870/html5/thumbnails/4.jpg)
Changing the Security Landscape• Defense in depth model has inherently changedDefense in depth model has inherently changed
– Physical security– Disk encryptionyp– Vulnerability management
• Standards and best practices don’t address virtualization security issues!– NIST
ISO 17799/27001– ISO-17799/27001– Regulations – PCI DSS, HIPAA
![Page 5: Playing by Virtual Security Rules: How Virtualization ......Playing by Virtual Security Rules: How Virtualization Changes Everything andVirtualization Changes Everything and What to](https://reader030.vdocuments.net/reader030/viewer/2022041004/5ea8044720eb2a1ba8255870/html5/thumbnails/5.jpg)
Virtualization vulnerabilities• We must not ignore protection in the guest!We must not ignore protection in the guest!
– Traditional security problems are unchanged
![Page 6: Playing by Virtual Security Rules: How Virtualization ......Playing by Virtual Security Rules: How Virtualization Changes Everything andVirtualization Changes Everything and What to](https://reader030.vdocuments.net/reader030/viewer/2022041004/5ea8044720eb2a1ba8255870/html5/thumbnails/6.jpg)
Guest and Host are vulnerable!• Two operating systems now need protecting!p g y p g
![Page 7: Playing by Virtual Security Rules: How Virtualization ......Playing by Virtual Security Rules: How Virtualization Changes Everything andVirtualization Changes Everything and What to](https://reader030.vdocuments.net/reader030/viewer/2022041004/5ea8044720eb2a1ba8255870/html5/thumbnails/7.jpg)
Full disk encryption?• How useful is this?• How useful is this?
– Physical disk theft now means something different!
![Page 8: Playing by Virtual Security Rules: How Virtualization ......Playing by Virtual Security Rules: How Virtualization Changes Everything andVirtualization Changes Everything and What to](https://reader030.vdocuments.net/reader030/viewer/2022041004/5ea8044720eb2a1ba8255870/html5/thumbnails/8.jpg)
VM archives present new challenges• How can we provide separation of duties here?• How do I know where my VMs are located?• How can I manage old VM images?• How can I retire Virtual Machines?
![Page 9: Playing by Virtual Security Rules: How Virtualization ......Playing by Virtual Security Rules: How Virtualization Changes Everything andVirtualization Changes Everything and What to](https://reader030.vdocuments.net/reader030/viewer/2022041004/5ea8044720eb2a1ba8255870/html5/thumbnails/9.jpg)
The list of issues continuesThe list of issues continues ...• Hypervisor vulnerabilities • VI infrastructure
– Roles within virtual center– API set usable from any client– Lots of ESX Server Service Console issues
• Same issues exist with Dom0 on XenLack of solid a diting capabilities• Lack of solid auditing capabilities
![Page 10: Playing by Virtual Security Rules: How Virtualization ......Playing by Virtual Security Rules: How Virtualization Changes Everything andVirtualization Changes Everything and What to](https://reader030.vdocuments.net/reader030/viewer/2022041004/5ea8044720eb2a1ba8255870/html5/thumbnails/10.jpg)
Solutions available today?• Traditional guest level protection!g p• VMware
– ESXi (Embedded hypervisor)– Determina– Tripwire ConfigCheck– Appliance Marketplace
• XenXen– sHype (MAC capabilities)– XSM (LSM derivative)
• VM image encryptionVM image encryption• Best practices guides
– CIS 75+ page guide for securing ESX server Extensive best practices doc from VMware / Xen– Extensive best practices doc from VMware / Xen
![Page 11: Playing by Virtual Security Rules: How Virtualization ......Playing by Virtual Security Rules: How Virtualization Changes Everything andVirtualization Changes Everything and What to](https://reader030.vdocuments.net/reader030/viewer/2022041004/5ea8044720eb2a1ba8255870/html5/thumbnails/11.jpg)
Solutions of tomorrow?• VMsafe
– APIs at hypervisor layer - “provides the transparency to prevent threats and attacks such as viruses, trojans and keyloggers from ever reaching a virtual machine”
– Allows for introspection – 20+ vendors signed up for program
P d t t d ithi th t– Products expected within the next year
![Page 12: Playing by Virtual Security Rules: How Virtualization ......Playing by Virtual Security Rules: How Virtualization Changes Everything andVirtualization Changes Everything and What to](https://reader030.vdocuments.net/reader030/viewer/2022041004/5ea8044720eb2a1ba8255870/html5/thumbnails/12.jpg)
Solutions of tomorrowSolutions of tomorrow ...• VMware Pluggable Core Storage Architecture
– Embedded hypervisor encryption
• Protecting the whole virtual infrastructure– VMware VI through Virtual Center to the ESX servers– Consistent access control across the whole environment
F ll a diting– Full auditing
![Page 13: Playing by Virtual Security Rules: How Virtualization ......Playing by Virtual Security Rules: How Virtualization Changes Everything andVirtualization Changes Everything and What to](https://reader030.vdocuments.net/reader030/viewer/2022041004/5ea8044720eb2a1ba8255870/html5/thumbnails/13.jpg)
Solutions of tomorrow ...• Security info embedded in OVF• Security info embedded in OVF
– OVF wraps VM images • Describes resources needed by VM
– Embed key and policy information• Defines security requirements for VM• Allows VMs to expire• Allows VMs to expire
– Tamper free stamp
![Page 14: Playing by Virtual Security Rules: How Virtualization ......Playing by Virtual Security Rules: How Virtualization Changes Everything andVirtualization Changes Everything and What to](https://reader030.vdocuments.net/reader030/viewer/2022041004/5ea8044720eb2a1ba8255870/html5/thumbnails/14.jpg)
Summary• Protect the guest!• Protect the guest!
– While running and at rest!• Follow best practicesp• Put strict policies in place - enforce them!• Stay educated - this space is moving fast!
Questions?