This presentation covers virtualization and private cloud security

2. Welcome Kevin Wharram, CISSP, CISM, CEH, EnCE, GCFA, 27001 Lead Auditor Member of the ISACA Security Advisory Group at ISACA London Chapter My interests are in – Forensics, Virtualization and Cloud Security

4. What is Virtualization? Virtualization is the creation of a virtual (rather than actual) version of something, such as an operating system (OS), a server, a storage device or network resource. Source - http://en.wikipedia.org/wiki/Virtualization

8. Server Virtualization

10. Server Virtualization Analogy Hotel VS Holiday Home

11. Copyright © 2004 VMware, Inc. All rights reserved. Traditional Server Server without Virtualization Holiday Home

12. Virtualized Server Hotel Server with Virtualization

13. Desktop Virtualization

16. Application Virtualization

18. Network Virtualization

20. Physical Network

21. VMware Virtual Network

22. Storage Virtualization

24. Virtualization Security

25. Industry Comments ESG Research indicates that security professionals lack virtualization knowledge and best practice models for server virtualization security. Gartner survey: “ 40% of virtualization deployment projects were undertaken without involving the information security team in the initial architecture and planning stages.” Gartner analyst Neil MacDonald wrote: “Virtualization is not inherently insecure. However, most virtualized workloads are being deployed insecurely.“

29. Virtualization Compliance

31. Controls Policies & Compliance Processes & Standards Compliance Pyramid

32. Cloud Computing

33. What is Cloud Computing? Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Source - http://www.nist.gov/itl/cloud/index.cfm

36. Private Cloud Security Most of the virtualization controls that we spoke about earlier, would apply to the Private Cloud as you control the “Private Cloud.”

37. Controls Organisation Due-Diligence Processes & Standards Compliance Pyramid

38. Resources NIST guide to Security for Full Virtualization Technologies http://csrc.nist.gov/publications/nistpubs/800-125/SP800-125-final.pdf VMware hardening guides http://blogs.vmware.com/security/2010/04/vsphere-40-hardening-guide-released.html Cloud Security Alliance http://www.cloudsecurityalliance.org/ NIST Definition of Cloud Computing http://www.nist.gov/itl/cloud/index.cfm Center for Internet Security (CIS) Benchmarks on Server Virtualization http://cisecurity.org/en-us/?route=downloads.benchmarks Defense Information System Agency (DISA) http://iase.disa.mil/stigs/index.html

39. Questions? Kevin Wharram [email_address]