Ask the Tutor a Question
Got a question about virtualization security? Click here to email it to the tutor. We'll publish the answer, so be sure to include your Internet Evolution Username so you get credit for the question.
Video Tutor Joshua Corman
Video tutor Joshua Corman serves as Principal Security Strategist for IBM Internet Security Systems. With more than a decade in security and networking software, Corman is responsible for driving the strategy for emerging technologies, including secure virtualization and secure cloud computing. NetworkWorld magazine recently named Corman one of its top 10 influencers of IT for 2009.
Corman has spoken widely at leading industry events such as RSA, Interop, ISACA, Computerworld, InfoSec, and IT Security World. His thought leadership includes 7 Dirty Secrets of the Security Industry and the Evolving Threat education and awareness campaign. Previously, Corman was in product development at vCIS Technology Inc. when IBM Internet Security Systems acquired the company in 2002 for its preemptive behavioral inspection technology.
Questions and Answers from the Tutor
asked by tdstamulis
Question: Has anyone done an assessment to see if by implementing virtualization, their risks associated with hacking, malware, misuse, error, environmental, and physical concerns, etc., increase or decrease? It's clear that meeting compliance does not make an organization more secure, but reducing risk will. So from a security perspective, I would have to address these issues as well as others in order to provide guidance to senior management whether the move to virtualization would increase risk, decrease it, or keep it fairly the same.
Answer: I appreciate the question and I get this a lot. I think your instincts are sound and I am pleased to see you elevating to risk. I'll answer this in two parts.
In most cases, you won't have a choice. The cost reduction benefits of virtualization are tremendous. As you know, risk-based decisions are about cost/benefit. With virtualization, we have unclear and unidentified costs, but very compelling and measurable benefits. The benefits are so compelling, organizations are going to adopt virtualization regardless. This is especially true in this down economy. Our burden is to take on a role that assures we leverage sound security thinking to safely embrace the benefits of virtualization while maintaining acceptable risk.
In regard to who's done assessments... I've seen several partial sources. This video tutorial represents a subset of a greater amount of analysis that my colleagues and I have done as part of IBM's Project Phantom. We've done a tremendous amount of work on this subject with research, security, the virtualization platform vendors themselves, and our clients in real-world deployments. Additionally, there is a great deal of analysis done by a blogger, Chris Hoff. His "The Four Horsemen of the Virtualization Security Apocalypse" does a great job exploring several risks (link below). Additionally, Chris tells me he is a week or so from posting an anonymized case study, which may address a lot of your concern.
http://rationalsecurity.typepad.com/blog/2008/04/the-four-horsem.html
http://rationalsecurity.typepad.com/blog/virtualization
http://rationalsecurity.typepad.com

Question: Based on the OSI threat model, where do you see the complexity being compartmentalized for security professionals to model for business cases and attack vectors? Or is there currently no single factor, and is it dependent on the operating system (OS) running in virtualization?
Answer: It is an interesting question. I will attempt to answer it this way: I have not seen anyone map the new attack surfaces to the OSI model. Instead, you'll see on the links to the right, "Virtual Points of Exposure," in which there's a "box and wire" diagram of the new components and new attack surfaces of virtualization. In our presentations, we do explore each in detail.
Your traditional OS and application stack and corresponding risks remain. In addition, you will note that there are new attack surfaces in the form of VMs; hypervisor or virtual machine manager (VMM); specialized hardware used for virtualization assist; management functionality, and even the non-traditional "virtual" network access paradigm.
You still have the risks you do on a physical server. There are additional risks based on the additional components and functionality. There are several new risks to availability. And further, the impact of a successful compromise is now magnified -- as a single compromise threatens the rest of the collocated resources.

Question: Is there a way for virtualization to fit in with the various compliance metrics that are out there for, say, PCI, SOX, GLBA, or HIPAA? In our organization, we are not permitted to work with a new technology/software unless it fits into the various compliance metrics.
Answer: Compliance is lagging behind. By their nature, most compliance and regulatory standards target mature best-practices. Therefore, they will always lag behind evolution in IT and the threat landscape. This is one of the reasons you'll often hear security professionals say "Compliance does not equal security," or "Compliance is necessary, but insufficient," or even "Compliance threatens security."
Let's take PCI as an example. PCI DSS 2.2.1 states: "Implement only one primary function per server." By strict interpretation, you can't virtualize -- period. In reality, auditors have de facto rules of thumb such as "You can mix applications with applications, but not databases with databases." Late last year, many hoped that PCI 1.2 would get more specific about virtualization, but it did not. Since then, though, a special interest group has been launched to look more closely at virtualization.
At this point, the best advice I can give is to consult with your auditors early and often. A lot of this is open to interpretation and negotiation. It is better to know how they plan to audit you -- before you get off course. Measure twice, cut once. Regulators are working on this issue.

Question: Are there any logging solutions that accurately track which users are doing what and for how long on each and every virtual machine (VM)? Some kind of tool/console for network administrators that enables them to view this information separately for each VM would be great.
Answer: The short answer is a qualified "yes." The functionality will vary by vendor. In fact, the virtualization platform vendors are trying to differentiate amongst themselves, in part, based on management and auditing functionality. Some are further along than others on this front.
One thing to keep in mind: These controls will in no way displace your existing frameworks -- as real-world networks will have a heterogeneous mix of platforms (both physical and virtual). The native functionality will contribute to your overall management. Ask your platform vendors about their current and future plans here. Also, be vocal about your requirements -- and you are more likely to get what you need.
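The answer above makes two points a practitioner will want to act on: per-VM user accounting is possible but vendor-specific, and the platform's native logs supplement rather than replace the OS-level logs you already collect. The following added example (not code from the original page or from any virtualization vendor) shows the normalization step that makes the two usable together. Both input formats are hypothetical stand-ins constructed for the example: a hypervisor management audit log recording console sessions opened and closed per VM, and a guest-side sshd log with ISO timestamps. The parser merges them into one timeline, pairs opens with closes per VM and user, measures session duration, and flags the two gaps real logs have: a session still open at report time and a close whose open predates log retention.

```python
"""Per-VM user session accounting over two constructed log sources.

Added example; the hypervisor audit format and the ISO-stamped sshd lines
are hypothetical, not any vendor's actual output.
"""
import re
from datetime import datetime, timezone

# Constructed sample: hypothetical hypervisor management audit lines.
# carol's session has no close yet; eve's close has no open (the open
# predates log retention). Both are realistic gaps a report must handle.
HYPERVISOR_AUDIT = """\
2009-05-01T08:00:00Z user=eve vm=db01 action=console_close
2009-05-01T09:00:00Z user=alice vm=web01 action=console_open
2009-05-01T09:10:00Z user=bob vm=db01 action=console_open
2009-05-01T09:25:00Z user=alice vm=web01 action=console_close
2009-05-01T10:10:00Z user=bob vm=db01 action=console_close
2009-05-01T11:00:00Z user=carol vm=web01 action=console_open
"""

# Constructed sample: guest-side sshd lines (ISO timestamps assumed).
GUEST_SSHD = """\
2009-05-01T09:30:00Z web01 sshd[2201]: Accepted publickey for dave from 10.0.0.5 port 51022 ssh2
2009-05-01T09:45:00Z web01 sshd[2201]: pam_unix(sshd:session): session closed for user dave
"""

HV_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) vm=(?P<vm>\S+) action=\w+_(?P<kind>open|close)$")
GUEST_RE = re.compile(r"^(?P<ts>\S+) (?P<vm>\S+) sshd\[\d+\]: (?P<msg>.*)$")
GUEST_OPEN_RE = re.compile(r"Accepted \S+ for (?P<user>\S+)")
GUEST_CLOSE_RE = re.compile(r"session closed for user (?P<user>\S+)")


def parse_ts(text):
    """Parse a UTC ISO-8601 timestamp such as 2009-05-01T09:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(hypervisor_text, guest_text):
    """Merge both sources into one time-ordered list of (ts, vm, user, source, kind)."""
    events = []
    for line in hypervisor_text.splitlines():
        m = HV_RE.match(line)
        if m:
            events.append((parse_ts(m["ts"]), m["vm"], m["user"], "hypervisor", m["kind"]))
    for line in guest_text.splitlines():
        m = GUEST_RE.match(line)
        if not m:
            continue
        mo = GUEST_OPEN_RE.search(m["msg"])
        mc = GUEST_CLOSE_RE.search(m["msg"])
        if mo:
            events.append((parse_ts(m["ts"]), m["vm"], mo["user"], "guest", "open"))
        elif mc:
            events.append((parse_ts(m["ts"]), m["vm"], mc["user"], "guest", "close"))
    events.sort(key=lambda e: e[0])
    return events


def build_sessions(events, now):
    """Pair opens with closes per (vm, user, source).

    Returns (sessions, unmatched_closes). A session still open at `now`
    gets end=None and is measured up to `now`; a close with no prior open
    is reported separately instead of being silently dropped.
    """
    open_at = {}
    sessions, unmatched = [], []
    for ts, vm, user, source, kind in events:
        key = (vm, user, source)
        if kind == "open":
            open_at[key] = ts
        elif key in open_at:
            start = open_at.pop(key)
            sessions.append({"vm": vm, "user": user, "source": source, "start": start,
                             "end": ts, "minutes": (ts - start).total_seconds() / 60})
        else:
            unmatched.append({"vm": vm, "user": user, "source": source, "end": ts})
    for (vm, user, source), start in open_at.items():
        sessions.append({"vm": vm, "user": user, "source": source, "start": start,
                         "end": None, "minutes": (now - start).total_seconds() / 60})
    sessions.sort(key=lambda s: (s["vm"], s["start"]))
    return sessions, unmatched


def per_vm_report(hypervisor_text=HYPERVISOR_AUDIT, guest_text=GUEST_SSHD, now=None):
    """Group sessions by VM so each VM's user activity can be reviewed on its own."""
    now = now or parse_ts("2009-05-01T12:00:00Z")  # report time for the constructed sample
    sessions, unmatched = build_sessions(normalize(hypervisor_text, guest_text), now)
    report = {}
    for s in sessions:
        report.setdefault(s["vm"], []).append(s)
    return report, unmatched


if __name__ == "__main__":
    report, unmatched = per_vm_report()
    for vm, vm_sessions in report.items():
        for s in vm_sessions:
            end = s["end"].isoformat() if s["end"] else "still open"
            print(f"{vm}: {s['user']} via {s['source']} {s['start'].isoformat()} -> {end} ({s['minutes']:.0f} min)")
    for u in unmatched:
        print(f"{u['vm']}: close for {u['user']} with no matching open (check log retention)")
```

The key is (vm, user, source), so a console session and an SSH session by the same user on the same VM are tracked separately rather than closing each other; when you wire this to a real platform, the only parts that change are the two regular expressions and the timestamp parser.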
