The use of virtualization technologies has a considerable impact on the security architecture in many organizations. Existing concepts, which are based on network zones and physical separation of resources, cannot be mapped in their entirety and very often they are even conflicting with the IT targets (catch word: consolidation). At the same time, the introduction of virtualization will lead to a changed risk landscape, either through increased complexity and unclear responsibilities/changing operating procedures or due to new attacks — like “Cloudburst” against the hypervisor. In many environments the next degree of abstraction is on the horizon: Cloud Computing.
This workshops covers security aspects of virtualization technologies and cloud computing in detail. The goal is to achieve a reasonable level of risk in a more and more abstract IT environment. In order to reach this goal, it is necessary to gain in-depth knowledge about the used technologies, components and service providers including their security relevant characteristics. The workshop enables you to make substantiated, security related decisions as well as to use virtualization and/or cloud architectures in an efficient and secure way.
Agenda:
- Refreshment: Virtualization technologies and important concepts
- Well-known attacks and risks with an emphasis on VMware ESX
- Attacks from the guest against the hypervisor
- Typical operational problems
- The problem of “Rogue Machines”
- Zone Concepts in Virtualized Environments
- Role concepts (Roles and Responsibilities)
- Three layer computing: Storage, Network and adequate isolation procedures
- vSwitch and possible implementation approaches (dedicated NIC pro VM or pro VLAN, all VLANs via a NIC/Team etc.) and its advantages and disadvantages
- Risk evaluation as a Basis for Efficient Security Work
- What possible security problems are relevant in virtualization scenarios?
- Approaches for the evaluation of consolidation of different security zones
- How much security is necessary for which data classification?
- Security Best Practices in Virtualization Scenarios
- Secure Design
- Hardening
- Secure Operations
- Secure Management
- Management protocols and necessary ports
- Protection and traceability of management access
- Discussion management VLAN versus Jumphost architecture
- How many management infrastructures are necessary in zone models?
- Typical Components of Policies for Virtualization Security
- Data classification and architectural models
- Allocation process and management procedures
- Recovery processes
- Check lists and hardening guidelines
- Overview of available Hardening Guidelines and Internet source (important organizations etc.)
- Preparation and discussion of detailed check lists developed by ERNW which are used regularly in practical audits
- Overview of additional tools like virtualized Firewalls or InMemory IPS
- Benefit cost analyses of such tools
- Microsoft Hyper V: risk evaluation, design methodology and security best practices
- XEN: risk evaluation, design methodology, best practices and security
Cloud Computing Overview
- Types (public, private, community, hybrid)
- Layer (infrastructure, platform, application)
- Exemplary discussion of Amazon EC2, S3 and VPC
- Security Aspects
- Cloud specific attacks
- Threats and vulnerabilities in typical CC scenarios
- Mitigating controls
- Risk Analysis of different Cloud Models
- Organizational risks
- Technical risks
- Risk analysis of ENISA
- Discussion of different use cases and their risks
- Evaluation Models for the Selection of Cloud Vendors
- Trust and control
- Presentation of a trust metric and questionnaires
- Contractual aspects/contractual controls
- Operation Procedures
- Provisioning
- Role concepts
- (Secure) data wiping
- Security reporting
- Relevant Guidelines and Compliance
- Handling of individual-related data/PII
- PCI
- SOX
- Presentation of an Audit Check List
- Cloud standards
The training material and session language is English. In case all participants are German speakers (and this is unlikely to expect) the workshop will be held in German.
Matthias Luft is a security researcher and heads the German security research company ERNW Research. He is interested in a broad range of topics (such as DLP, virtualization, and network security) while keeping up with the daily consulting and assessment work.