Virtualization Standards & Compliance
Niranjana S. Karandikar, MSc II, Sem 4
Contents
• Introduction
• Need
• Standards
• Compliance
• PCI DSS and Virtualization
• Risks in Virtual Environments
• PCI DSS Requirements
Virtualization
• Logical abstraction of computing resources
• A VM carries a workload equivalent to that of a physical machine
• It is exposed to the same threats as a physical machine
• It therefore needs the same security controls
Need
• Increased use of VMs
• VMs are movable (migrated or copied between hosts), and their data moves with them
• VMs handle sensitive data
• The host running many VMs becomes a single point of compromise
Standards
• DMTF (Distributed Management Task Force)
• OVF (Open Virtualization Format)
• VMAN (Virtualization Management Initiative)
DMTF
• 2007
• "simplify and provide ease-of-use for the virtual environment by creating an industry standard for system virtualization management." - Winston Bumpus, President, DMTF
• DMTF announced the availability of the OVF standard for delivering VMs, and the new VMAN initiative.
OVF
• Virtualization platform-independent
• Supports a full range of current virtual hard disk formats and is extensible to deal with future formats
• Not reliant on the use of any specific host platform, virtualization platform, or guest operating system
• OVF is a portable packaging format: a package can be deployed on any hypervisor that supports it
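A portable package is only as trustworthy as its integrity check. OVF packages carry a manifest file (.mf) with one digest line per file, of the form `SHA256(disk1.vmdk)= <hex>`, and optionally a .cert file holding a signature over that manifest. The Python below is an added example, not from the slides or from DMTF: it builds a small constructed package (descriptor, a stand-in disk image and a manifest) in a temporary directory, checks that every file the descriptor references is covered by the manifest and that each digest matches, and then shows the check catching a modified disk image. The package name `appliance.ovf`, the file names and the disk contents are invented for the demo.

```python
"""Verify an OVF package's manifest (.mf) against the files it describes.

Added example built around a constructed package; nothing here is taken
from a real appliance.
"""
import hashlib
import os
import re
import tempfile
import xml.etree.ElementTree as ET

OVF_NS = "http://schemas.dmtf.org/ovf/envelope/1"
# One manifest entry per file, e.g.  SHA256(disk1.vmdk)= 9f86d0...
MANIFEST_LINE = re.compile(
    r"^(?P<alg>SHA1|SHA256|SHA512)\((?P<name>[^)]+)\)=\s*(?P<digest>[0-9a-fA-F]+)$")


def parse_manifest(text):
    """Map filename -> (hashlib algorithm name, expected hex digest)."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MANIFEST_LINE.match(line)
        if m is None:
            raise ValueError("malformed manifest line: %r" % raw)
        entries[m["name"]] = (m["alg"].lower(), m["digest"].lower())
    return entries


def referenced_files(descriptor_path):
    """Filenames listed in the descriptor's <References> section."""
    root = ET.parse(descriptor_path).getroot()
    return [f.get("{%s}href" % OVF_NS) for f in root.iter("{%s}File" % OVF_NS)]


def file_digest(path, algorithm):
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(pkg_dir, descriptor_name):
    """Return a list of problems; an empty list means the package verified."""
    base = os.path.splitext(descriptor_name)[0]
    with open(os.path.join(pkg_dir, base + ".mf")) as fh:
        manifest = parse_manifest(fh.read())
    # The descriptor itself must be covered too: otherwise an attacker can
    # repoint a <File> entry at a different disk without touching any digest.
    wanted = [descriptor_name] + referenced_files(os.path.join(pkg_dir, descriptor_name))
    problems = []
    for name in wanted:
        path = os.path.join(pkg_dir, name)
        if name not in manifest:
            problems.append("not in manifest: " + name)
        elif not os.path.isfile(path):
            problems.append("missing file: " + name)
        elif file_digest(path, manifest[name][0]) != manifest[name][1]:
            problems.append("digest mismatch: " + name)
    return problems


DESCRIPTOR = """<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="%(ns)s" xmlns:ovf="%(ns)s">
  <References>
    <File ovf:id="file1" ovf:href="disk1.vmdk" ovf:size="%(size)d"/>
  </References>
  <DiskSection>
    <Info>Virtual disks</Info>
    <Disk ovf:diskId="vmdisk1" ovf:fileRef="file1" ovf:capacity="1024"/>
  </DiskSection>
</Envelope>
"""


def build_demo_package(pkg_dir):
    """Write a constructed, self-consistent package: appliance.ovf, disk1.vmdk, appliance.mf."""
    disk = b"CONSTRUCTED DISK IMAGE BYTES\n" * 64   # stands in for a real VMDK
    with open(os.path.join(pkg_dir, "disk1.vmdk"), "wb") as fh:
        fh.write(disk)
    with open(os.path.join(pkg_dir, "appliance.ovf"), "w") as fh:
        fh.write(DESCRIPTOR % {"ns": OVF_NS, "size": len(disk)})
    lines = ["SHA256(%s)= %s" % (n, file_digest(os.path.join(pkg_dir, n), "sha256"))
             for n in ("appliance.ovf", "disk1.vmdk")]
    with open(os.path.join(pkg_dir, "appliance.mf"), "w") as fh:
        fh.write("\n".join(lines) + "\n")


def demo():
    """Verify the clean package, then again after the disk image is altered."""
    with tempfile.TemporaryDirectory() as pkg_dir:
        build_demo_package(pkg_dir)
        clean = verify_package(pkg_dir, "appliance.ovf")
        with open(os.path.join(pkg_dir, "disk1.vmdk"), "ab") as fh:
            fh.write(b"injected payload")           # simulate tampering in transit
        tampered = verify_package(pkg_dir, "appliance.ovf")
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The manifest only proves that the files match what the manifest says. Whoever can rewrite the disk image can usually rewrite the manifest as well, so in practice the .cert signature over the manifest has to be verified against a trusted publisher key before the digests mean anything; that signature check is outside this example.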
VMAN
• The management lifecycle of a virtual environment is addressed in DMTF's VMAN
• Standardized approach to VM:
  • Deployment
  • Discovery and inventory
  • Lifecycle management
  • Creation, deletion, and modification
  • Health and performance monitoring
Compliance
• The ability to act according to an order, set of rules or request
• e.g. ISO, SOX, HIPAA
PCI DSS and Virtualization
PCI DSS and virtualization have to be considered together because
• Many payment transactions are now processed in virtual environments
• The PCI Security Standards Council (SSC) is international
• VMware has joined the PCI SSC
PCI DSS
• A set of comprehensive requirements for enhancing payment account data security
• Developed by the founding payment brands of the PCI SSC, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. International
• To help facilitate the broad adoption of consistent data security measures on a global basis
Contd.
• PCI DSS is a group of principles and accompanying directives organized into 12 requirements in the following six categories:
• Build and Maintain a Secure Network
• Protect Cardholder Data
• Maintain a Vulnerability Management Program
• Implement Strong Access Control Measures
• Regularly Monitor and Test Networks
• Maintain an Information Security Policy
PRINCIPLES (from the PCI SSC Virtualization Guidelines)
a. If virtualization technologies are used in a cardholder data environment, PCI DSS requirements apply to those virtualization technologies.
b. Virtualization technology introduces new risks that may not be relevant to other technologies
c. Implementations of virtual technologies can vary greatly
d. There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements.
Risks for Virtualized Environments
1. Vulnerabilities in the Physical Environment Apply in a Virtual Environment
2. Hypervisor Creates New Attack Surface
3. Increased Complexity of Virtualized Systems and Networks
4. More Than One Function per Physical System
5. Mixing VMs of Different Trust Levels
6. Lack of Separation of Duties
7. Dormant Virtual Machines
8. VM Images and Snapshots
9. Immaturity of Monitoring Solutions
10. Information Leakage between Virtual Network Segments
11. Information Leakage between Virtual Components
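Risks 5, 7 and 8 above are inventory questions that can be checked mechanically. The following Python is an added example, not from the slides or from the PCI SSC: it runs three checks over a constructed VM inventory, flagging VMs powered off longer than a threshold (dormant VMs miss patching and anti-virus updates yet still hold their data), snapshots older than a threshold (snapshots preserve disk and possibly memory contents, including cardholder data since purged from the live VM), and hosts that carry both in-scope and out-of-scope VMs (mixed trust levels). The record layout, the host and VM names, the zone labels and the 90-day and 30-day thresholds are all assumptions; a real run would populate the records from the hypervisor manager's inventory rather than from `demo_inventory()`.

```python
"""Audit a VM inventory for three virtualization risks relevant to PCI DSS.

Added example built on a constructed inventory; the thresholds are assumed
policy values, not numbers taken from PCI DSS.
"""
from dataclasses import dataclass, field
from datetime import date

DORMANT_DAYS = 90           # assumed: powered off longer than this = dormant
SNAPSHOT_MAX_AGE_DAYS = 30  # assumed: snapshots older than this = stale
IN_SCOPE = "cde"            # assumed zone label for in-scope (CDE) VMs


@dataclass
class VM:
    name: str
    host: str                     # hypervisor the VM currently runs on
    zone: str                     # "cde" or "out-of-scope" (assumed labels)
    powered_on: bool
    last_state_change: date       # last power-on or power-off event
    snapshots: list = field(default_factory=list)   # [(label, date_taken), ...]


def audit(vms, today):
    """Return sorted (check, subject) findings for the inventory."""
    findings = []
    zones_per_host = {}
    for vm in vms:
        zones_per_host.setdefault(vm.host, set()).add(vm.zone)

        # Risk 7: dormant VMs fall behind on patches and AV but keep their data.
        if not vm.powered_on and (today - vm.last_state_change).days > DORMANT_DAYS:
            findings.append(("dormant-vm", vm.name))

        # Risk 8: old snapshots preserve disk (and possibly memory) contents,
        # including cardholder data that has since been purged from the live VM.
        for label, taken in vm.snapshots:
            if (today - taken).days > SNAPSHOT_MAX_AGE_DAYS:
                findings.append(("stale-snapshot", "%s:%s" % (vm.name, label)))

    # Risk 5: a host running both CDE and out-of-scope VMs mixes trust levels
    # and pulls the out-of-scope VMs into PCI scope.
    for host, zones in zones_per_host.items():
        if IN_SCOPE in zones and len(zones) > 1:
            findings.append(("mixed-trust-host", host))
    return sorted(findings)


def demo_inventory():
    """Constructed sample inventory (all names and dates invented)."""
    return [
        VM("pay-web-01", "esx-01", "cde", True, date(2012, 1, 10)),
        VM("pay-db-01", "esx-01", "cde", True, date(2012, 1, 10),
           snapshots=[("pre-upgrade", date(2012, 1, 15))]),
        VM("dev-test-03", "esx-01", "out-of-scope", True, date(2012, 2, 20)),
        VM("pay-batch-old", "esx-02", "cde", False, date(2011, 8, 1)),
        VM("pay-app-02", "esx-02", "cde", True, date(2012, 2, 27),
           snapshots=[("hotfix", date(2012, 2, 27))]),
    ]


def demo(today=date(2012, 3, 1)):
    """Run the audit against the constructed inventory on a fixed date."""
    return audit(demo_inventory(), today)


if __name__ == "__main__":
    for check, subject in demo():
        print("%-18s %s" % (check, subject))
```

Each finding maps back to one of the listed risks, which is what an assessor will ask for: the dormant VM needs either decommissioning or a patch-and-scan cycle before it is powered on, the stale snapshot needs deleting or the same protection as live cardholder data, and the mixed host either needs its out-of-scope VM moved or the whole host treated as in scope.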
PCI DSS REQUIREMENTS
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software or programs.
CONTD.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
CONTD.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.
Requirement A.1:
Shared hosting providers must protect the cardholder data environment (CDE).
REFERENCES
• PCI Security Standards Council, PCI DSS Virtualization Guidelines, Information Supplement (Virtualization_InfoSupp_v2.pdf)
• Virtualization and Forensics, by Diane Barrett and Greg Kipper
• Virtualization Security: Protecting Virtualized Environments, by Dave Shackleford
• http://searchvmware.techtarget.com/How-PCI-DSS-20-affects-virtualization-compliance
THANK YOU