Professional Documents
Culture Documents
====
// CCSP //
===================================================================================
====
4 main issues
system / resourse isolation
user level permissions
user access management
protection against malware
IaaS issue -
VM attacks
virtual switches / Network
VM based rootkits / malicious hypervisor
single point of access ( a single NIC provide access to
numerous VM)
Performance
network
compute
storage
date
SLA
Availablity
Performance
Security/ privacy of data
RTO/RPO
location of data
access to the data
Portability of the data
support
change management
dispute mediation process
Regulatory
Compliance
liblity
Portability
Security
Resillence
ability to continue operating in the event of a disruption
disruption caused by power outage, equipment faliure,
natural disater
multiple layers of redundancy and fault tolarance must be
in place
Auditablity
third party assurance
allow stakeholders to review assess and report user and
sestyem activity
Governance
Defining the actions assigning the respnosiblity
take into account risk management
virtuallization security
allows logical isolations on multi-tenant servers
Hypervisor
bare metal - cloud
software - runs on host os to provide virtul services
common threats
Data breaches
data loss
account and service hijacking
insecure interface / api
DOS or DDos
malicous insiders
abuse of cloud services
insufficent due dillgence / due care
shared technology vulnerablity
========================================********===================================
====
========================================********===================================
====
3.5 Hypervisor
type1
known as bare matel, embeded or native
work directly with the hardware and can monitor the overlying
guest os
smaller and faster primerlly mangaes and sharing and manageing
hardware
ms hyper v , vmwae esx
type 2
installes on top of the guest operating system
depending upon the host os
more vulnerabl
vm workstation virtual box
Securing Hypervisor
updates to the hypervisor (centrallized patch management)
restrict admin access to th management interface of the
hypervisor
protaect all mangement communication channels using a dedicated
management network
synchronize the virtualized infrastructure to a trusted
authoritive server
disconnect unused physical hardware
disable all hypervisor services such as clipboard file sharing
between guest os and host os unless they are needed\
carefully monitor the hypervisor
VM Theft or modifications
virtual patching
vlan firewall ids / ips
Recommendations -
sla
secure each virtualized OS , vmware vshield
encrypr vm images when not in use
segregation vm
va tools services cover the virtualization technology