CIPFA presentation - Security in a virtualised environment
© 2015 Grant Thornton UK LLP. All rights reserved.
Security in a virtualised environment
25th June 2015
Chris Kenny
Assistant Manager
Technology Risk Services
Agenda
• Introduction
• What is virtualisation and what are the benefits?
• Risks and controls
• Case study
• Final thoughts
About Grant Thornton
The Technology Risk Services team provides data analytics and a wide range of IT audit and advisory services
Outsourcing
Data analysis
IT operations
Data privacy
Cyber security
IT risk management
Project management
ERP
3rd party assurance
The leading firm in local government audit, with approximately 40% of local authorities in England as external audit clients
About me
• Seven years’ experience in internal audit, five of which working in local government
• Manage IT audit engagements for GT for internal and external audit public and private sector clients across the Midlands
• CMIIA and CISA qualified
What is virtualisation and what are the benefits?
Virtualisation enables the consolidation of multiple systems on to a single piece of hardware
Through hardware resource sharing, virtualisation helps:
• consolidate physical resources
• simplify deployment and administration, reduce power and cooling requirements
Virtualisation adds a software layer (hypervisor) between two layers in a computer system
Hypervisors act as a resource manager to enable the sharing of processing power and memory.
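[Diagram: two hypervisor types. Type 1 (native): the hypervisor runs directly on the physical hardware layer and hosts VM1, VM2 and VM3. Type 2 (hosted): the hypervisor runs on an OS installed on the physical hardware layer and hosts VM1, VM2 and VM3.]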
Storage, servers and networks can be virtualised
Network
Storage
Server
Virtualisation reduces costs and complexity and increases efficiency and agility
Reduces complexity
Enables standardisation
Improves agility
Reduces costs
Facilitates automation
There are three categories of security risk
Risks:
• Compliance and management challenges
• Attacks on virtualisation features
• Attacks on virtualisation infrastructure
Attacks on virtualisation infrastructure: hyperjacking and hyperjumping
[Diagram: two panels labelled "Hyperjacking" and "Hyperjumping", each showing a Physical Hardware Layer, a Hypervisor and VM1, VM2 and VM3; the diagram also carries a "Rogue hypervisor" label.]
Attacks on virtualisation features
• Vulnerabilities in the physical environment apply in a virtual environment
• Mixing VMs of different trust levels
• Lack of segregation of duties
• Immaturity of monitoring solutions
• Information leakage between virtual network segments
• Information leakage between virtual components
Compliance and management challenges
• Licensing
• Dormant machines
• Snapshots and images
How to audit virtualised environments
Audit Topics
Purpose
Risk Assessment
Fact finding
Network Map
Policies and Procedures
Change controls
Network Security
Communication
Logical Access Controls
Configuration management
File sharing
Background
• FTSE 100 FMCG business
• Had initiated a project to virtualise part of its corporate network hosting its ERP application
• Management wanted assurance that the newly virtualised environment was controlled in compliance with organisation standards.
Case study: FTSE 100 FMCG business
Patching
Logical access controls
Licensing
Hardening
Host server configuration
Network configuration
Best Practices in Virtualisation / Controls
Least privilege and separation of duties
Hardening
Recognise the dynamic nature of VMs
Restrict physical access
Implement defence in depth
Isolate security functions
Evaluate virtualisation risks
Evaluate virtualised network security features
Future developments
User virtualisation
Storage virtualisation
Hosted / virtual / cloud desktops
Security abstraction
Application delivery
Summary and Conclusions
• Virtualisation can unleash significant benefits BUT:
– Don’t replicate your physical risks in the virtualised environment
– A secured hypervisor is key!
Where can you find additional information?
CESG
PCI DSS
ISACA
SANS Institute
Center for Internet Security