9. NIST Special Publication (SP) 800-125
Guide To Security for Full Virtualization Technologies
Recommendations of the National Institute of Standards and Technology
Tim Grance
Senior Computer Scientist in the Computer Security Division
1975 W. El Camino Real, Suite 203, Mountain View, CA 94040 Phone: 650-681-8100 / email: info@hytrust.com
10. Disclaimer
Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.
11. Agenda
What is SP 800-125
Why virtualization
Full virtualization
Security concerns
Recommendations for Security for full virtualization technologies
Summary
Questions and answers
Resources
12. SP 800-125
Full Virtualization technologies
Server and desktop virtualization
Security threats
Security recommendations for protecting full virtualization
13. Why Virtualization?
Reduce hardware footprint
More efficiency
Reduce energy, operations, and maintenance costs, e.g., disaster recovery, dynamic workload, security benefits, etc.
Consolidation
14. Forms of Virtualization
Simulated environment
Does not cover OS and application virtualization
Full virtualization – CPU, storage, network, display, etc.
Hypervisor and host OS
Virtual Machine (VM) – Guest OS
Isolated
Encapsulated
Portable
15. Full Virtualization
Bare metal virtualization
Hosted virtualization
Server virtualization
Desktop virtualization
16. Virtualization and Security Concerns
Additional layers of technology
Many systems on a physical system
Sharing pool of resources
Lack of visibility
Dynamic environment
May increase the attack surface
17. Recommendations for Security for Full Virtualization Technologies
Risk based approach
Secure all elements of a full virtualization solution and perform continuous monitoring
Restrict and protect administrator access to the virtualization solution
Ensure that the hypervisor is properly secured
Carefully plan the security for a full virtualization solution before installing, configuring, and deploying it
18. Summary of Threats and Countermeasures
Intra-guest vulnerabilities
Hypervisor partitioning
Lack of visibility in the guest OS
Hypervisor instrumentation and monitoring
Hypervisor management
Protect management interface, patch management, secure configuration
Virtual workload security
Management of the guest OS, applications, data protection, patch management, secure configuration, etc.
Virtualized infrastructure exposure
Manage access control to the hardware, hypervisors, network, storage, etc.
19. Resources
Presidential Memorandum, June 10, 2010, Disposing of Unneeded Federal Real Estate, is available on the following Web page:
http://www.whitehouse.gov/the-press-office/presidential-memorandum-disposing-unneeded-federal-real-estate
NIST publications that provide information and guidance on planning, implementing and managing information system security and protecting information include:
Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems
NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations
NIST SP 800-61 Revision 1, Computer Security Incident Handling Guide
NIST SP 800-64 Revision 2, Security Considerations in the System Development Life Cycle
NIST SP 800-88, Guidelines for Media Sanitization
NIST SP 800-115, Technical Guide to Information Security Testing and Assessment
NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
For information about these NIST standards and guidelines, as well as other security-related publications, see NIST’s Web page
http://csrc.nist.gov/publications/index.html