Temple Inland Implementation - Stage 1

Overcome Hurdles

• Management skeptical of Windows virtualization

Don't Fear the Virtual World

• First year:
  • Built out development only environment
  • Trained staff
  • Developed support processes
  • Showed hard dollar savings

Temple Inland - Stage 2

• Build QA environment
• Improve processes
• Develop rapid provisioning
• Demonstrate advanced functions
  • Vmotion
  • P2V Conversions

Temple Inland - Stage 3

First production environment

Temple-Inland Implementation

• Prior to VMWare. Typical remote facility
  • Physical domain controller
  • Physical application/file server
  • Physical tape drive
• New architecture
  • Single VMWare server
  • No tape drive

• Desktops
  • Virtualize desktops through VMWare
  • No application issues like Citrix Metaframe
  • Quick deployment and repair

How Virtualization Affects Datacenter Security

• Abstraction and Consolidation
  • +Capital and Operational Cost Savings
  • -New infrastructure layer to be secured
  • -Greater impact of attack or misconfiguration
• Collapse of Switches and servers into one device
  • +Flexibility
  • +Cost-savings
  • -Lack of virtual network visibility
  • -No separation-by-default of administration

Temple-Inland split the teams so that there was a virtual network administration team within the server administration team.

How Virtualization Affects Datacenter Security

• Faster deployment of servers
  • + IT responsiveness
  • -Lack of adequate planning
  • -Incomplete knowledge of current state of infrastructure
• VM Mobility
  • +Improved Service Levels
  • -Identity divorced from physical location
• VM Encapsulation
  • +Ease of business continuity
  • +Consistency of deployment
  • +Hardware Independence
  • -Outdated offline systems

Build anti-virus, client firewalls, etc into the offline images so that servers are up-to-date right when they are installed.

If something happens to a system, you can't just pull the plug anymore.  You have to have policies and processes in place.

With virtualization you can have a true "gold image" instead of having different images for all of the different types of hardware.

Security Advantages of Virtualization

• Allows automation of many manual error prone processes
• Cleaner and easier disaster recovery/business continuity
• Better forensics capabilities
• Faster recovery after an attack
• Patching is safer and more effective
• Better control over desktop resources
• More cost effective security devices
• App virtualization allows de-privileging of end users
• Better lifecycle controls
• Future: Security through VM Introspection

Gartner: "Like their physical counterparts, most security vulnerabilities will be introduced through misconfiguration"

What Not to Worry About

• Hypervisor Attacks
  • ALL theoretical, highly complex attacks
  • Widely recognized by security community as being only of academic interest
• Irrelevant Architectures
  • Apply only to hosted architecture (ie. Workstation) not bare-metal (ie. ESX)
  • Hosted architecture generally suitable only when you can trust the guest VM
• Contrived Scenarios
  • Involved exploits where best practices around hardening, lockdown, desgin, for virtualization etc not followed or
  • Poor general IT infrastructure security is assumed

Are there any Hypervisor Attack Vectors?

There are currently no known hypervisor attack vectors to date that have lead to "VM Escape"

• Architecture Vulnerability
  • Designed specifically with isolation in mind
• Software Vulnerability - Possible like with any code written by humans
  • Mitigating Circumstances:
    • Small Code Footprint of Hypervisor (~21MB) is easier to audit
    • If a software vulnerability is found, exploit difficulty will be very high
      • Purpose build for virtualization only
      • Non-interactive environment
      • Less code for hackers to leverage
  • Ultimately depends on VMWare security response and patching

Concern: Virtualizing the DMZ/Mixing Trust Zones

Three Primary Configurations

• Physical separation of trust zones
• Virtual separation of trust zones with physical security devices
• Fully collapsing all servers and security devices into a VI3 infrastructure

Also applies to PCI requirement

Physical Separation of Trust Zones

Advantages

• Simpler, less complex configuration
• Less change to physical environment
• Little change to separation of duties
• Less change in staff knowledge requirements
• Smaller chance of misconfiguration

Disadvantages

• Lower consolidation and utilization of resources
• Higher cost

Virtual Separation of Trust Zones with Physical Security Devices

Advantages

• Better utilization of resources
• Take full advantage of virtualization benefits
• Lower cost

Disadvantages (can be mitigated)

• More complexity
• Greater chance of misconfiguration

Getting more toward "the cloud" where web zone, app zone, and DB zone are all virtualized on the same system, but still using physical firewalls.

Fully Collapsed Trust Zones Including Security Devices

Advantages

• Full utilization of resources, replacing physical security devices with virtual
• Lowest-cost option
• Management of entire DMZ and network from a single management workstation

Disadvantages

• Greatest complexity, which in turn creates highest chance of misconfiguration
• Requirement for explicit configuration to define separation of duties to help mitigate risk of misconfiguration; also requires regualar audits of configurations
• Potential loss of certain functionality, such as VMotion (being mitigated by vendors and VMsafe)

How do we secure our Virtual Infrastructure?

Use the principles of Information Security

• Hardening and lockdown
• Defense in depth
• Authorization, authentication, and accounting
• Separation of duties and least privileges
• Administrative controls

Protect your management interfaces (VCenter)!  They are the keys to the kingdom.

Fundamental Design Principles

• Isolate all management networks
• Disable all unneeded services
• Tightly regualte all administrative access

Summary

• Define requirements and ensure vendor/product can deliver
  • Consider culture, capability, maturity, architecture and security needs
• Implement under controlled conditions using a defined methodology
  • Use the opportunity to improve control deficiencies in existing physical server areas if possible
  • Implement processes for review and validation of controls to prevent the introduction of weaknesses
• Round corners where your control environment allows
  • Sustain sound practices that maintain required controls
  • Leverage the technology to achieve efficiency and improve scale

Agenda

• About the Cloud Security Alliance
• Getting Involved
• Guidance 1.0
• Call to Action

About the Cloud Security Alliance

• Not-for-profit organization
• Inclusive membership, supporting broad spectrum of subject matter expertise: cloud experts, security, legal, compliance, virtualization, etc
• We believe in Cloud Computing, we want to make it better

Getting Involved

• Individual membership (free)
  • Subject matter experts for research
  • Interested in learning about the topic
  • Administrative & organizational help
• Corporate Sponsorship
  • Help fund outreach, events
• Affiliated Organizations (free)
  • Joint projects in the community interest
• Contact information on website

Download version 1.0 of the Security Guidance at http://www.cloudsecurityalliance.org/guidance

Overview of Guidance

• 15 domains
• #1 is Architecture & Framework
• Covers Governing in the Cloud (2-7) and Operating in the Cloud (8-15) as well

Assumptions & Objectives

• Trying to bridge gap between cloud adopters and security practitioners
• Broad "security program" view of the problem

Architecture Framework

• Not "One Cloud": Nuanced definition critical to understanding risks & mitigation
• 5 principal characteristics (abstration, sharing, SOA, elasticity, consumption/allocation)
• 3 delivery models
  • Infrastructure as a Service
  • Platform as a Service
  • Software as a Service
• 4 deployment models: Public, Private, Managed, Hybrid

Governance & ERM

• A portion of cloud cost savings must be invested into provider security
• Third party transparency of cloud provider
• Financial viability of cloud provider
• Alignment of key performance indicators
• PII best suited in private/hybrid cloud outside of significant due diligence of public cloud provider
• Increased frequency of 3rd party risk assessments

Important thing to consider is the financial viability of your provider.  You never want to have your data held hostage in a court battle.

Legal

• Contracts must have flexible structure for dynamic cloud relationships
• Plan for both an expected and unexpected termination of the relationship and an orderly return of your assets
• Find conflicts between the laws the cloud provider must comply with and those governing the cloud customer

Compliance & Audit

• Classify data and systems to understand compliance requirements
• Understand data locations, copies

Information Lifecycle Management

• Understand the logical segregation of information and protective controls imnplemented in storage, transfers, backups

Summary

• Cloud Computing is real and transformational
• Cloud Computing can and will be secured
• Broad governance approach needed
• Tactical fixes needed
• Combination of updating existing best practices and creating completely new best practices
• Common sense is not optional

Call to Action

• Join us, help make our work better
• www.cloudsecurityalliance.org
• info@cloudsecurityalliance.org
• Twitter: @cloudsa, #csaguide

5 Key Cloud Characteristics

• On-demand self-service
• Ubiquitous network access
• Location independent resource pooling
• Rapid elasticity
• Pay per use

3 Cloud Delivery Models

• Software as a Service (SaaS): Providers applications over a network
• Platform as a Service (PaaS): Deploy customer-created apps to a cloud
• Infrastructure as a Service (IaaS): Rent processing, storage, etc

4 Cloud Deployment Models

• Private cloud: Enterprise owned or leased
• Community cloud: Shared infrastructure for a specific community
• Public cloud: Sold to the public, Mega-scale infrastructure
• Hybrid cloud: Composition of two or more clouds

• Two types: internal and external
• http://csrc.nist.com/groups/SNS/cloud-computing/index.html

Common Cloud Characteristics

• Massive scale
• Virtualization
• Free software
• Autonomic computing
• Multi-tenancy
• Geographically distributed systems
• Advanced security technologies
• Service oriented software

Pros

• Lower central processing unit (CPU) density
• Flexible use of resources
• Rapid deployment of new servers
• Simplified recovery
• Virtual network connections

Cons

• Complexity
• Potential impact of a single component failure
• Hypervisor security issues
• Keeping virtual machine (VM) images current
• Virtual network connections

Virtualization Security Concerns

• Protecting the virtual fabric
• Patching off-line VM images
• Configuration Management
• Firewall configurations
• Complicating Audit and Forensics