2. What do these numbers represent in security?
$124 – Average cost of a security breach, per compromised record (2010), with negligence the main cause — CA-sponsored survey
48% – Percent of all breaches that involved privileged user misuse — Verizon report, 2010
87% – Percentage of companies that have experienced a data breach — IT Compliance Institute
74% – Percentage of breached companies who lost customers as a result of the breach — IT Compliance Institute
3. NIST Special Publication (SP) 800-125
Guide To Security for Full
Virtualization Technologies
Recommendations of the
National Institute of Standards and Technology
Tim Grance and Murugiah Souppaya
Computer Scientists in the Computer Security Division
These slides and the webinar recording will be made available at:
<URL>
4. Disclaimer
Any mention of commercial products or reference to
commercial organizations is for information only; it
does not imply recommendation or endorsement by
NIST nor does it imply that the products mentioned are
necessarily the best available for the purpose.
5. Agenda
• What is SP 800-125
• Why virtualization
• Full virtualization
• Security concerns
• Recommendations for security for full virtualization technologies
• Summary
• Questions and answers
• Resources
6. SP 800-125
• Full Virtualization technologies
• Server and desktop virtualization
• Security threats
• Security recommendations for protecting full virtualization
7. Why Virtualization?
• Reduce hardware footprint
• More efficiency
• Reduce energy, operations, and maintenance costs, e.g., disaster recovery, dynamic workload, security benefits, etc.
• Consolidation
8. Forms of Virtualization
• Simulated environment
• Does not cover OS and application virtualization
• Full virtualization – CPU, storage, network, display, etc.
• Hypervisor and host OS
• Virtual Machine (VM) – Guest OS
– Isolated
– Encapsulated
– Portable
9. Full Virtualization
• Bare metal virtualization
• Hosted virtualization
• Server virtualization
• Desktop virtualization
10. Virtualization and Security Concerns
• Additional layers of technology
• Many systems on a physical system
• Sharing pool of resources
• Lack of visibility
• Dynamic environment
• May increase the attack surface
11. Recommendations for Security for Full Virtualization Technologies
• Risk based approach
• Secure all elements of a full virtualization solution and perform continuous monitoring
• Restrict and protect administrator access to the virtualization solution
• Ensure that the hypervisor is properly secured
• Carefully plan the security for a full virtualization solution before installing, configuring, and deploying it
12. Summary of Threats and Countermeasures
• Intra-guest vulnerabilities
– Hypervisor partitioning
• Lack of visibility in the guest OS
– Hypervisor instrumentation and monitoring
• Hypervisor management
– Protect management interface, patch management, secure configuration
• Virtual workload security
– Management of the guest OS, applications, data protection, patch management, secure configuration, etc.
• Virtualized infrastructure exposure
– Manage access control to the hardware, hypervisors, network, storage, etc.
14. Resources
• Presidential Memorandum, June 10, 2010, Disposing of Unneeded Federal Real Estate, is available on the following Web page:
http://www.whitehouse.gov/the-press-office/presidential-memorandum-disposing-unneeded-federal-real-estate
• NIST publications that provide information and guidance on planning, implementing and managing information system security and protecting information include:
– Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems
– NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
– NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations
– NIST SP 800-61 Revision 1, Computer Security Incident Handling Guide
– NIST SP 800-64 Revision 2, Security Considerations in the System Development Life Cycle
– NIST SP 800-88, Guidelines for Media Sanitization
– NIST SP 800-115, Technical Guide to Information Security Testing and Assessment
– NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
• For information about these NIST standards and guidelines, as well as other security-related publications, see NIST’s Web page
http://csrc.nist.gov/publications/index.html
15. Todd Neilson, CISSP, VP, Sr. Advisor – Security, CA
Hemma Prafullchandra, CTO/SVP Products, HyTrust
Chris Boswell, CIS[A,M,SP], CGEIT, Sr Principal, CA
16. Virtualization Security vs Compliance
Compliance: the state of being in accordance with established guidelines, specifications or legislation or the process of becoming so.
[Figure: two boxes, "Compliance (?)" and "Security (NIST 800-125)"]
Do you know?
• Whether your organization has security guidelines defined for its virtual environment?
• Which regulations your organization is subject to?
• Whether your virtualization efforts will be subject to regulatory scrutiny?
• Whether your security baselines for your virtual environment incorporate your regulatory obligations?
17. Traditional Horizontal Controls Rationalization
CSA Cloud Control Matrix IS-08: Normal and privileged user access to applications, systems, databases, network configurations, and sensitive data and functions shall be restricted and approved by management prior to access granted.
NIST 800-125 Security Recommendation: Restrict and protect administrator access to the virtualization solution
Mapped controls:
• NIST 800-53 (AC-3, AC-5, AC-6, IA-2, IA-4, IA-5, IA-8, MA-5, PS-6, SA-7, SI-9)
• COBIT 4.1 DS5.4
• CIP-003-3 R5.1.1 - R5.3; CIP-004-3 R2.3; CIP-007-3 R5.1 - R5.1.2
• 45 CFR 164.308 (a)(3)(i); 45 CFR 164.308 (a)(3)(ii)(A); 45 CFR 164.308 (a)(4)(i); 45 CFR 164.308 (a)(4)(ii)(B); 45 CFR 164.308 (a)(4)(ii)(C); 45 CFR 164.312 (a)(1)
• PCI DSS 2.0 (7.1, 7.1.1, 7.1.2, 7.1.3, 7.2.1, 7.2.2, 8.5.1, 12.5.4)
Source: https://cloudsecurityalliance.org/research/ccm/
Other Source: www.unifiedcompliance.com
18. Vertical Controls Rationalization using 800-53 with Overlay Frameworks
• NIST 800-53 – Recommended Security Controls for Federal Information Systems
• FedRAMP – Subset of 800-53 controls tailored to provide a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services
• DoD – Mapped their DoDI 8500.2 controls used to secure defense systems to NIST 800-53
• DHHS – Created a set of Acceptable Risk Safeguards based on 800-53 controls to secure electronic protected health information
• IRS – Issued a special publication 1075 which outlines a subset of 800-53 controls that need to be implemented for those systems processing Federal Taxpayer Information.
Did you know
The Initial Public Draft of 800-53 Revision 4 encourages agencies with specific security needs to develop their own security “overlays” based on controls within NIST 800-53?
19. Compliance Impact Moving to the Cloud
[based on applicable FedRAMP controls mapped to NIST 800-53 Rev 4]
800-53 Security Control Family – # Controls:
• Access Control (AC) – 17
• Awareness & Training (AT) – 4
• Audit and Accountability (AU) – 12
• Security Assessment and Authorization (CA) – 6
• Configuration Management (CM) – 9
• Contingency Planning (CP) – 9
• Identification and Authentication (IA) – 8
• Incident Response (IR) – 8
• Maintenance (MA) – 6
• Media Protection (MP) – 6
• Physical and Environmental Protection (PE) – 18
• Planning (PL) – 5
• Personnel Security (PS) – 8
• Risk Assessment (RA) – 4
• System and Services Acquisition (SA) – 12
• System and Communications Protection (SC) – 24
• System and Information Integrity (SI) – 12
[Chart: "Impact" of each control family (labels AC, AT, AU, CA, CM, CP, IA, IR, MA, MP, PE, PL, PS, RA, SA, SC, SI), legend High / Medium / Low]
21. Recap Core Security & Compliance Capabilities in Virtual Environments
• Provides account vaulting, two-factor authentication and fine-grained authorization for privileged user access within the hypervisor
• Dynamic isolation of multi-tenant environments through automated orchestration with vShield policies
• Provides seamless auditing of user activities across both guest and host environments.
• Provides host configuration hardening and continuous monitoring and assessment
22. ControlMinder with HyTrust Fills Critical Virtualization Platform Access Gaps
Virtualization Platform Gap / ControlMinder with HyTrust Solution:
• Gap: Multiple administrators can log into guests and hosts anonymously by sharing a privileged account
– Solution: Uses password vaulting (check-in/out) to ensure admins are individually accountable
• Gap: An admin can bypass vCenter access controls and logging by connecting directly to hosts
– Solution: Controls and logs access via any connection method, creating accountability
• Gap: An admin can access another organization’s virtualized workloads in multi-tenant environments
– Solution: Ensures that admins can only access their own organization’s data and applications, enabling secure multi-tenancy
• Gap: Platform allows access via default password or compromised admin password
– Solution: Prevents use of default passwords and supports multi-factor authentication to stop unauthorized access
• Gap: A current or terminated admin can connect to the platform undetected using a backdoor account
– Solution: Controls and logs access to every admin account, preventing major security breaches
23. ControlMinder with HyTrust Fills Critical Virtualization Platform Authorization Gaps
Virtualization Platform Gap / ControlMinder with HyTrust Solution:
• Gap: An administrator can shut down any virtualized application or switch
– Solution: Protects business continuity by controlling what resources an admin can manage
• Gap: An admin can create unapproved VMs, with negative operations or compliance impacts
– Solution: Prevents damaging outcomes by controlling VM creation privileges
• Gap: An admin can disable security such as virtualized firewalls and antivirus
– Solution: Preserves security by blocking unapproved shutdowns of virtual security measures
• Gap: An admin can copy sensitive data from a VM to external storage
– Solution: Keeps sensitive data confidential by applying controls to virtual resources
• Gap: An admin can replace a critical VM with a compromised copy while leaving no tracks
– Solution: Exposes tampering by creating a permanent, unchangeable record of every operation
• Gap: An admin can move a low trust virtualized workload to a high trust server or virtual subnet, and vice versa
– Solution: Mitigates security and compliance risks by preventing mixing of trust levels
24. ControlMinder with HyTrust Fills Critical Virtualization Platform Monitoring Gaps
Virtualization Platform Gap / ControlMinder with HyTrust Solution:
• Gap: Separate log files for vCenter, each host and guest must be collected and aggregated for complete monitoring.
– Solution: Consolidated, centrally managed logs covering all aspects of your virtual environment.
• Gap: Failed or blocked authorization attempts are not captured and recorded in audit logs
– Solution: Captures all activity within the virtual infrastructure, not just authorized, successful transactions.
• Gap: Native configuration management capabilities do not promote ongoing compliance monitoring for hypervisor configuration drift.
– Solution: Automated assessment and remediation capabilities enable continuous compliance monitoring of hypervisor configuration settings against industry standard or custom-configured security templates.
• Gap: Native platform log entries may lack sufficient detail to support operational and security activities.
– Solution: Audit records contain greater detail needed for compliance and internal audit needs
25. Complete solution for both physical and virtual environments
CA ControlMinder with HyTrust is actually only one component within a broader suite of solutions in the ControlMinder family which provides comprehensive access controls across both physical and virtual infrastructures.
[Diagram: ControlMinder family layers – Privileged User Host Access Control (AC); CA ControlMinder with HyTrust; Central UNIX Risk Management; Privileged User Password Management (PUPM); Session Recording; Audit and Reporting (CA User Activity Reporting Module) – spanning the environments UNIX/Linux Servers, Windows Servers, Virtual Servers, Databases, Network, Applications]
27. Single solution provides best coverage
CA ControlMinder—Premium Edition
1. Privileged User Password Manager
— Control access to shared accounts
— Authorization workflow including “break glass”
— Accountability of shared account access
— Manage application passwords
— Windows services/scheduled tasks
2. Access Control
— Server security (physical/virtual)
— Manage fine-grained access
— Centralized policy management across disparate systems
— Segregation of duty
— Auditing privileged access
3. UNIX Authentication Broker (UNAB)
— Centralized UNIX administration
— Active Directory (AD) authentication
— Native integration with AD
— Kerberos-based Single Sign-On
4. Session Recording and User Activity Reporting
— Centrally managed audit logs across physical and virtual environments
— Privileged user access reporting
— Unix keystroke logging
— Full session recording integration
28. Questions You Should Be Asking Today
Do you allow shared privileged access to your sensitive servers? How do you account for privileged users’ actions?
Can your system administrators access sensitive data on the servers? Do you have controls to prevent/log that?
Can you trace administrative action back to administrative users? Have you had system down incidents where you needed to do so?
Do you have any controls in place to prevent shared account access on your sensitive servers?
What server operating systems do you have deployed? How do you manage security across them?
How do you provide evidence of compliance?
29. Benefits to you
• Rapidly achieve business agility – Leverage elastic service levels, and flexible cloud deployment options and hybrid coverage.
• Reduce risk and improve compliance – Protect your critical assets across physical, virtual, and cloud environments.
• Accelerate new business services – Deploy new services more quickly and securely. Retain customers and engage with business partners.