CSA Guidance Version 3 13: Virtualization Virtualization is one of the key underpinnings of Infrastructure as a Service (IaaS) cloud offerings and private clouds, and it’s increasingly used in portions of the back-end of Platform as a Service (PaaS) and SaaS providers as well. It is also used extensively with virtual desktops, which are delivered from private or public clouds. The benefits of virtualization are well known, including multi-tenancy, better server utilization, and data center consolidation. Cloud providers can achieve higher density which translates to better margins, and enterprises can use virtualization to shrink capital expenditure on server hardware as well as increase operational efficiency. However, virtualization brings with it all the security concerns of the operating system running as a guest, together with new security concerns about the hypervisor layer, as well as new virtualization specific threats, inter-VM attacks and blind spots, performance concerns arising from CPU and memory used for security, and operational complexity from “VM sprawl” as a security inhibitor. New problems like instant-on gaps, data comingling, the difficulty of encrypting virtual machine images, and residual data destruction are coming into focus. This domain covers these security issues. While there are several forms of virtualization, by far the most common is the virtualized operating system, and this is the focus in this version of our guidance. Overview Virtual machine guest hardening Hypervisor security Inter-VM attacks and blind spots Performance concerns Operational complexity from VM sprawl Instant on gaps Virtual machine encryption Data comingling Virtual machine data destruction Virtual machine image tampering Copyright © 2011 Cloud Security Alliance Virtualization brings with it all the security concerns of the guest operating system, along with new virtualizationspecific threats CSA Guidance Version 3 13.1.1 VM Guest Hardening Proper hardening and protection of a virtual machine instance, including firewall (inbound/outbound), HIPS, web application protection, antivirus, file integrity monitoring, log monitoring. Can be delivered via software in each guest or using an inline virtual machine combined with hypervisor-based APIs such as VMware Vshield APIs. 13.1.2 Hypervisor Security The hypervisor itself needs to be locked down and hardened using best practices, with a primary concern for enterprises and virtualization users being proper management, configuration and operations, as well as physical security of the server hosting the hypervisor. 13.1.3 Inter-VM attacks and blind spots Virtualization has a large impact on network security. Virtual machines now may communicate with each other over a hardware backplane, rather than a network. As a result, standard network security controls are blind to this traffic and cannot perform monitoring or in-line blocking. In-line virtual appliances help to solve this problem, as does API-level integration with hypervisors and virtualization management frameworks. Installing a full set of security tools on each virtual machine is another approach. 13.1.4 Performance concerns Installing security software designed for physical servers onto a virtualized server can result in severe degradation in performance, as some security tasks like antivirus scanning are CPU-intensive. The shared environment in virtualized servers leads to resource contention. Especially with virtual desktops or high density environments, security software needs to be virtualization-aware or it needs to perform security functions on a single virtual machine to support other virtual machines. The difference in density can be as much as 20 times, depending on server loading and performance. 13.1.5 Operational complexity from VM sprawl The ease with which VMs can be provisioned has led to an increase in the number of requests for VMs in typical enterprises. This creates a larger attack surface and increases the odds of a misconfiguration or operator error opening a security hole. Policy based management and use of a virtualization management framework is critical. Copyright © 2011 Cloud Security Alliance CSA Guidance Version 3 13.1.6 Instant on gaps The ease with which a virtual machine can be stopped or started, combined with the speed at which threats change, creates a situation where a virtual machine can be securely configured when it is turned off, but by the time it is started again, threats have evolved, leaving the machine vulnerable. Best practices include network based security and “virtual patching” that inspects traffic for known attacks before it can get to a newly provisioned or newly started VM. It is also possible to enforce NAC (Network Access Control)-like capabilities to isolate stale VMs until their rules and pattern files are updated and a scan has been run. 13.1.7 VM encryption Virtual machine images are vulnerable to theft or modification when they are dormant or running. The solution to this problem is to encrypt virtual machine images at all times, but there are performance concerns at this time. For high security or regulated environments, the performance cost is worth it. Encryption must be combined with administrative controls and audit trails to prevent a snapshot of a running VM from “escaping into the wild,” which would give the attacker access to the data in the VM snapshot. 13.1.8 Data comingling There is concern that different classes of data (or VMs hosting different classes of data) may be intermixed on the same physical machine. In PCI terms, we refer to this as a mixedmode deployment. We recommend using a combination of VLANs, firewalls, and IDS/IPS to ensure VM isolation as a mechanism for supporting mixed mode deployments. We also recommend using data categorization and policy based management to prevent this. In Cloud Computing environments, the lowest common denominator of security could potentially be shared by all tenants in the multi-tenant virtual environment. 13.1.9 VM data destruction When a VM is moved from one physical server to another, enterprises need assurances that no bits are left behind on the disk that could be recovered by another user or when the disk is deprovisioned. Encryption of all data is the solution to this problem, with keys stored on a policy-based keyserver away from the virtual environment. In addition, if a VM is migrated while it is running it may be at risk itself during the migration if encryption is not used. Copyright © 2011 Cloud Security Alliance CSA Guidance Version 3 13.1.10 Virtual machine image tampering Pre-configured virtual appliances and machine images may be misconfigured or may have been tampered with before you start them. Copyright © 2011 Cloud Security Alliance CSA Guidance Version 3 13.3 Recommendations Recommendations o Identify which types of virtualization your cloud provider uses, if any. o Consider a zoned approach, with production separate from test/dev, and highly sensitive data/workloads in different environments than low-need content. o Consider performance when testing and installing virtual machine security tools, as performance varies widely. Virtualization-aware server security tools are important to consider. o .Evaluate, negotiate and refine the licensing agreements with major vendors for virtualized environment. o Secure each virtualized OS by using software in each guest or using an inline virtual machine combined with hypervisor-based APIs such as VMware vShield. o Virtualized operating systems should be augmented by built-in security measures, leveraging third party security technology to provide layered security controls and reduce dependency on the platform provider alone. o Secure by default configuration must be assured by following or exceeding available industry baselines. o Encrypt virtual machine images when not in use. o Explore the efficacy and feasibility of segregating VMs and creating security zones by type of usage (e.g., desktop vs. server), production stage (e.g., development, production, and testing) and sensitivity of data on separate physical hardware components such as servers, storage, etc. o Make sure that the security vulnerability assessment tools or services cover the virtualization technologies used. o Consider to implement data automated discovery and labeling at organization wide to augment the data classification and control between virtual machines and environments. o Consider patching virtual machine images at rest or protect newly spun-up virtual machines until they can be patched. o Understand which security controls are in place external to the VMs to protect administrative interfaces (web-based, APIs, etc.) exposed to the customers. 13.4 Requirements Requirements Copyright © 2011 Cloud Security Alliance CSA Guidance Version 3 VM-specific security mechanisms embedded in hypervisor APIs must be utilized to provide granular monitoring of traffic crossing VM backplanes, which will be opaque to traditional network security controls. Update the security policy to reflect the new coming security challenges of virtualization. Encrypt data accessed by virtual machines using policy-based key servers that store the keys separately from the virtual machine and the data Be aware of multi-tenancy situations with your VMs where regulatory concerns may warrant segregation. Validate the pedigree and integrity of any VM image or template originating from any third party, or better yet, create your own VM instances. Virtualized operating systems should include firewall (inbound/outbound), Host Intrusion Prevension System(HIPS), web application protection, antivirus, file integrity monitoring, and log monitoring, etc. These can be delivered via software in each guest or using an inline virtual machine combined with hypervisor-based APIs such as VMware vShield. Clean any backup and failover systems when destruction/wiping the VM images Have a reporting mechanism in place that provides evidence of isolation and raises alerts if there is a breach of isolation. Copyright © 2011 Cloud Security Alliance