Best Practices for Mitigating Risks in Virtualized Environments
Virtualization has made a dramatic impact in a very short time on IT and networking and has already delivered huge cost savings and return on investment to enterprise data centers and cloud service providers. Typically, the drivers for machine virtualization, including multi-tenancy, are better server utilization, data center consolidation, and relative ease and speed of provisioning. Cloud service providers can achieve higher density, which translates into better margins. Enterprises can use virtualization to shrink capital expenditures on server hardware as well as to increase operational efficiency.
Some think that virtualized environments are more secure than traditional ones for the following reasons:
- Isolation between virtual machines (VMs) provided by the hypervisor
- No known successful attacks on hypervisors save for theoretical ones, which require access to the hypervisor source code and ability to implement it
- Ability to deliver core infrastructure and security technologies as virtual appliances such as network switches and firewalls
- Ability to quarantine and recover quickly from incidents
Others think that the new virtualized environment requires the same type of security as traditional physical environments. As a result, it is not uncommon to see legacy security solutions, processes, and strategies applied to the virtual environment. The bottom line, though, is that the new environment is more complex and requires a new approach to security.
Given the number of notable breaches reported in 2014, virtualization security should be given due consideration in the planning, creation, and management of enterprise and provider environments. This white paper proposes a security framework to help secure your virtual environment and to prevent any threats, including the aforementioned, from exploiting vulnerabilities. This paper primarily considers virtualization security from the hypervisor perspective and briefly mentions related security concerns where appropriate.
Updates:
ISO / IEC International Standard 21878 - Security Guidelines for Design and Implementation of Virtualized Servers Published in November 2018
Under an MOU signed between CSA and SPRING Singapore (now Enterprise Singapore), the two organizations collaborated to build upon the Technical Reference No. 30 on “Servers Virtualization” (first published in 2012 by the IT Standards Committee) and CSA’s Cloud Control Domain 13. The resulting joint white paper, entitled ‘Best Practices for Mitigating Risks in Virtualized Environments’, was published by CSA in April 2015. The white paper drove efforts for international standardization at ISO, which started as a study period in 2015. The ISO International Standard was published on 12 November 2018.