Dave Shackleford
IANS
$$$
How Security Sees Virt & Cloud
Components & Architecture
Virtualization Architecture
Is the host OS locked down?
Is the hypervisor secure?
Physical NIC
Operations Services
and Traffic
► Data:
► Virtual machine files (at rest)
► Virtual machine files (in transit)
► Management databases + configuration
► Hypervisor configuration and OS
► Equipment:
► Server Hardware
► Virtual appliances (ties in to Data assets)
► Storage hardware
► Network equipment
► Management terminals/endpoints
Asset: Personnel, Services & Facilities
► Personnel
► Virtualization teams
► Network teams
► Developers / Operations
► Security teams
► SysAdmin teams
► Services include:
► Power
► Cooling
► Network/ISP services
► Facilities:
► Physical locations (data centers)
Threats
Threat Agents
► Insiders:
► Virtualization teams
► Network teams
► Developers / Operations
► Security teams
► SysAdmin teams
► Storage teams
► Outsiders
► Partners/Affiliates
► Nature (disasters)
► Technology (failure/improper function)
Undesirable Events
► Administrative
► People - roles, privileges, hiring
► Technical
► Any technical flaw in software components or design
► Physical
► Focused on access control and facility weaknesses
Administrative Vulnerabilities
http://phys.org/news/2012-11-vm-rude-awakening-virtualization.html
Physical Vulnerabilities
the organization’s infrastructure?
► Answer: Absolutely. This is a HIGH risk, a classic insider abuse or mistake scenario.
Risk Statement Example #2
► Could poorly defined and controlled IAM services lead to data exposure in *aaS services?
► Assets: Presumed sensitive data in private *aaS cloud offerings
Risk Statement Example #2 (2)
► Could poorly defined and controlled IAM services lead to data exposure in *aaS services?
► With Medium Likelihood, but High Impact, this is a potentially HIGH risk.
Risk Statement Example #3
► Could missing hypervisor patches or updates lead to insider (or internal attacker) compromise?
► Assets: Hypervisors and virtualization infrastructure, VMs
Risk Statement Example #3 (2)
► Could missing hypervisor patches or updates lead to
Dave Shackleford
CTO, IANS
dshackleford@iansresearch.com
867-5309