13.1.1 VM Guest Hardening

advertisement
CSA Guidance Version 3
13: Virtualization
Virtualization is one of the key underpinnings of Infrastructure as a Service (IaaS) cloud
offerings and private clouds, and it’s increasingly used in portions of the back-end of Platform
as a Service (PaaS) and SaaS providers as well. It is also used extensively with virtual desktops,
which are delivered from private or public clouds.
The benefits of virtualization are well known, including multi-tenancy, better server utilization,
and data center consolidation. Cloud providers can achieve higher density which translates to
better margins, and enterprises can use virtualization to shrink capital expenditure on server
hardware as well as increase operational efficiency.
However, virtualization brings with it all the security concerns of the operating system running
as a guest, together with new security concerns about the hypervisor layer, as well as new
virtualization specific threats, inter-VM attacks and blind spots, performance concerns arising
from CPU and memory used for security, and operational complexity from “VM sprawl” as a
security inhibitor. New problems like instant-on gaps, data comingling, the difficulty of
encrypting virtual machine images, and residual data destruction are coming into focus.
This domain covers these security issues. While there are several forms of virtualization, by far
the most common is the virtualized operating system, and this is the focus in this version of
our guidance.
Overview










Virtual machine guest hardening
Hypervisor security
Inter-VM attacks and blind spots
Performance concerns
Operational complexity from VM sprawl
Instant on gaps
Virtual machine encryption
Data comingling
Virtual machine data destruction
Virtual machine image tampering
Copyright © 2011 Cloud Security Alliance
Virtualization brings with it all
the security concerns of the
guest operating system, along
with new virtualizationspecific threats
CSA Guidance Version 3
13.1.1 VM Guest Hardening
Proper hardening and protection of a virtual machine instance, including firewall
(inbound/outbound), HIPS, web application protection, antivirus, file integrity monitoring,
log monitoring. Can be delivered via software in each guest or using an inline virtual
machine combined with hypervisor-based APIs such as VMware Vshield APIs.
13.1.2 Hypervisor Security
The hypervisor itself needs to be locked down and hardened using best practices, with a
primary concern for enterprises and virtualization users being proper management,
configuration and operations, as well as physical security of the server hosting the
hypervisor.
13.1.3 Inter-VM attacks and blind spots
Virtualization has a large impact on network security. Virtual machines now may
communicate with each other over a hardware backplane, rather than a network. As a
result, standard network security controls are blind to this traffic and cannot perform
monitoring or in-line blocking. In-line virtual appliances help to solve this problem, as does
API-level integration with hypervisors and virtualization management frameworks.
Installing a full set of security tools on each virtual machine is another approach.
13.1.4 Performance concerns
Installing security software designed for physical servers onto a virtualized server can result
in severe degradation in performance, as some security tasks like antivirus scanning are
CPU-intensive. The shared environment in virtualized servers leads to resource contention.
Especially with virtual desktops or high density environments, security software needs to
be virtualization-aware or it needs to perform security functions on a single virtual
machine to support other virtual machines. The difference in density can be as much as 20
times, depending on server loading and performance.
13.1.5 Operational complexity from VM sprawl
The ease with which VMs can be provisioned has led to an increase in the number of
requests for VMs in typical enterprises. This creates a larger attack surface and increases
the odds of a misconfiguration or operator error opening a security hole. Policy based
management and use of a virtualization management framework is critical.
Copyright © 2011 Cloud Security Alliance
CSA Guidance Version 3
13.1.6 Instant on gaps
The ease with which a virtual machine can be stopped or started, combined with the speed
at which threats change, creates a situation where a virtual machine can be securely
configured when it is turned off, but by the time it is started again, threats have evolved,
leaving the machine vulnerable. Best practices include network based security and “virtual
patching” that inspects traffic for known attacks before it can get to a newly provisioned or
newly started VM. It is also possible to enforce NAC (Network Access Control)-like
capabilities to isolate stale VMs until their rules and pattern files are updated and a scan
has been run.
13.1.7 VM encryption
Virtual machine images are vulnerable to theft or modification when they are dormant or
running. The solution to this problem is to encrypt virtual machine images at all times, but
there are performance concerns at this time. For high security or regulated environments,
the performance cost is worth it. Encryption must be combined with administrative
controls and audit trails to prevent a snapshot of a running VM from “escaping into the
wild,” which would give the attacker access to the data in the VM snapshot.
13.1.8 Data comingling
There is concern that different classes of data (or VMs hosting different classes of data)
may be intermixed on the same physical machine. In PCI terms, we refer to this as a mixedmode deployment. We recommend using a combination of VLANs, firewalls, and IDS/IPS
to ensure VM isolation as a mechanism for supporting mixed mode deployments. We also
recommend using data categorization and policy based management to prevent this. In
Cloud Computing environments, the lowest common denominator of security could
potentially be shared by all tenants in the multi-tenant virtual environment.
13.1.9 VM data destruction
When a VM is moved from one physical server to another, enterprises need assurances
that no bits are left behind on the disk that could be recovered by another user or when
the disk is deprovisioned. Encryption of all data is the solution to this problem, with keys
stored on a policy-based keyserver away from the virtual environment. In addition, if a VM
is migrated while it is running it may be at risk itself during the migration if encryption is
not used.
Copyright © 2011 Cloud Security Alliance
CSA Guidance Version 3
13.1.10 Virtual machine image tampering
Pre-configured virtual appliances and machine images may be misconfigured or may have
been tampered with before you start them.
Copyright © 2011 Cloud Security Alliance
CSA Guidance Version 3
13.3 Recommendations
Recommendations
o Identify which types of virtualization your cloud provider uses, if any.
o Consider a zoned approach, with production separate from test/dev, and highly
sensitive data/workloads in different environments than low-need content.
o Consider performance when testing and installing virtual machine security tools, as
performance varies widely. Virtualization-aware server security tools are important
to consider.
o .Evaluate, negotiate and refine the licensing agreements with major vendors for
virtualized environment.
o Secure each virtualized OS by using software in each guest or using an inline virtual
machine combined with hypervisor-based APIs such as VMware vShield.
o Virtualized operating systems should be augmented by built-in security measures,
leveraging third party security technology to provide layered security controls and
reduce dependency on the platform provider alone.
o Secure by default configuration must be assured by following or exceeding
available industry baselines.
o Encrypt virtual machine images when not in use.
o Explore the efficacy and feasibility of segregating VMs and creating security zones
by type of usage (e.g., desktop vs. server), production stage (e.g., development,
production, and testing) and sensitivity of data on separate physical hardware
components such as servers, storage, etc.
o Make sure that the security vulnerability assessment tools or services cover the
virtualization technologies used.
o Consider to implement data automated discovery and labeling at organization wide
to augment the data classification and control between virtual machines and
environments.
o Consider patching virtual machine images at rest or protect newly spun-up virtual
machines until they can be patched.
o Understand which security controls are in place external to the VMs to protect
administrative interfaces (web-based, APIs, etc.) exposed to the customers.
13.4 Requirements
Requirements
Copyright © 2011 Cloud Security Alliance
CSA Guidance Version 3
 VM-specific security mechanisms embedded in hypervisor APIs must be utilized to
provide granular monitoring of traffic crossing VM backplanes, which will be
opaque to traditional network security controls.
 Update the security policy to reflect the new coming security challenges of
virtualization. Encrypt data accessed by virtual machines using policy-based key
servers that store the keys separately from the virtual machine and the data

 Be aware of multi-tenancy situations with your VMs where regulatory concerns
may warrant segregation.
 Validate the pedigree and integrity of any VM image or template originating from
any third party, or better yet, create your own VM instances.
 Virtualized operating systems should include firewall (inbound/outbound), Host
Intrusion Prevension System(HIPS), web application protection, antivirus, file
integrity monitoring, and log monitoring, etc. These can be delivered via software
in each guest or using an inline virtual machine combined with hypervisor-based
APIs such as VMware vShield.
 Clean any backup and failover systems when destruction/wiping the VM images
 Have a reporting mechanism in place that provides evidence of isolation and raises
alerts if there is a breach of isolation.
Copyright © 2011 Cloud Security Alliance
Download