Kevin Wharram
Welcome
Kevin Wharram, CISSP, CISM, CEH, EnCE, GCFA, 27001 Lead Auditor
Member of the ISACA Security Advisory Group at ISACA London Chapter
My interests are in – Forensics, Virtualization and Cloud Security
Agenda
• What is Virtualization?
• Server Virtualization Analogy
• Virtualization Security
• Virtualization Compliance
• What is Cloud Computing?
• What is a Private Cloud?
• Private Cloud Security
What is Virtualization?
Virtualization is the creation of a virtual (rather than actual) version of something, such as an operating system (OS), a server, a storage device or network resource.
Source - http://en.wikipedia.org/wiki/Virtualization
What is Virtualization cont.
Virtualization presents hardware resources as virtual resources:
• CPU
• Memory
• Storage (Disk)
• Network Interface (NIC)
History of Virtualization
• Not a new concept
• First developed in the 1960s and was better known as time-sharing
• IBM developed the idea of a Virtual Machine Monitor (VMM), which is also known as a Hypervisor
Types of Virtualization
• Server Virtualization
• Desktop Virtualization or (VDI)
• Application Virtualization
• Network Virtualization
• Storage Virtualization
Server Virtualization
What is Server Virtualization?
• Encapsulate OS and present “virtual hardware”
• Run many OS on single hardware platform
• Consolidate underutilized servers
• VMware (vSphere), Microsoft (Hyper-V), Citrix (XenServer) and Solaris Containers
Server Virtualization Analogy
Hotel vs. Holiday Home
Server without Virtualization
[Figure: Traditional Server, compared to a Holiday Home. Copyright © 2004 VMware, Inc. All rights reserved.]
Server with Virtualization
[Figure: Virtualized Server, compared to a Hotel.]
Desktop Virtualization
What is Desktop Virtualization?
• Desktop virtualization separates a personal computer desktop environment from a physical machine using a client–server model of computing
• Desktop virtualization is sometimes referred to as Virtual Desktop Infrastructure (VDI)
What is Desktop Virtualization cont.
• Remote Desktop (RDS) is different to VDI
• With RDS, all users share the same OS. With VDI, each user has their own real OS (could be dedicated or from a pool)
• VMware View, Citrix (XenDesktop) and Kaviza
Application Virtualization
What is Application Virtualization?
• Encapsulate applications (run conflicting applications on the same system, e.g. IE 7 and IE 8)
• Avoid apps corrupting the OS
• Application delivery (Stream, ESD, Other)
• VMware (ThinApp), Microsoft (App-V) and Citrix (XenApp)
Network Virtualization
What is Network Virtualization?
• Network virtualization is a method used to combine computer network resources into a single platform, known as a virtual network
• Not a new concept
• Virtual private networks (VPNs) are widely used
• Virtual Local Area Networks (VLANs) are a form of network virtualization
Physical Network
VMware Virtual Network
Storage Virtualization
What is Storage Virtualization?
• Storage virtualization is the amalgamation of multiple network storage devices into what appears to be a single storage unit. Storage virtualization is often used in SAN (storage area networks).
Source - http://www.webopedia.com/TERM/S/storage_virtualization.html
Virtualization Security
Industry Comments
ESG Research indicates that security professionals lack virtualization knowledge and best practice models for server virtualization security.
Gartner survey: “40% of virtualization deployment projects were undertaken without involving the information security team in the initial architecture and planning stages.”
Gartner analyst Neil MacDonald wrote: “Virtualization is not inherently insecure. However, most virtualized workloads are being deployed insecurely.”
Virtualization Security Benefits
• Patching
• Disaster Recovery
• Investigation
• Forensics
Virtualization Security Issues
• Virtual environment misconfiguration
• Processes
• Lack of Controls
• Access Controls
• Software Vulnerabilities
• Malware
VMware vSphere Security
• vCenter
• Networking, vSwitches, Cisco Nexus 1000v, VLANs
• Storage
• Logging
• Monitoring
Virtualization Compliance
Compliance Issues
• New technologies introduce new components and processes causing conflict with standards and policies
• Internal policies and standards need to be updated to reflect virtualization technology
• Industry standards (PCI DSS, HIPAA, etc.) sometimes lag behind technology
Compliance Pyramid
[Figure: pyramid with the labels Controls, Policies & Compliance, and Processes & Standards.]
Cloud Computing
What is Cloud Computing?
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Source - http://www.nist.gov/itl/cloud/index.cfm
Types of Cloud Computing
• Private cloud
• Public cloud
• Community cloud
• Hybrid cloud
What is a Private Cloud?
• Operated solely for an organization
• May be managed by the organization or a third party
• May exist on-premise or off-premise
Private Cloud Security
Most of the virtualization controls that we spoke about earlier would apply to the Private Cloud, as you control the “Private Cloud.”
Compliance Pyramid
[Figure: pyramid with the labels Controls, Organisation Due-Diligence, and Processes & Standards.]
Resources
• NIST guide to Security for Full Virtualization Technologies - http://csrc.nist.gov/publications/nistpubs/800-125/SP800-125-final.pdf
• VMware hardening guides - http://blogs.vmware.com/security/2010/04/vsphere-40-hardening-guide-released.html
• Cloud Security Alliance - http://www.cloudsecurityalliance.org/
• NIST Definition of Cloud Computing - http://www.nist.gov/itl/cloud/index.cfm
• Center for Internet Security (CIS) Benchmarks on Server Virtualization - http://cisecurity.org/en-us/?route=downloads.benchmarks
• Defense Information System Agency (DISA) - http://iase.disa.mil/stigs/index.html