2015. 06. 1
(Daming Wu)
Email: wdm1517@gmail.com
SeoulTech UCS Lab
Copyright ⓒ 2015 by USC Lab All Rights Reserved.
Effects of virtualization on information security
Table of Contents
1. Introduction
2. Literature review
3. Research methods
4. Data analysis
5. Discussion
6. Conclusion
1. Introduction
The features of cloud computing technology may include super-large scale,
dynamic scalability and on-demand deployment.
How does/can virtualization benefit business?
• Centralized data storage makes data easier to back up, prevents redundancy,
and improves control, which gives better compliance with IT regulations and
easier management.
• Virtualization helps to reduce the number of servers, and by doing so, it tends
to reduce the usage of power and cooling.
Seen from the following four viewpoints, does the implementation of
virtualization in an enterprise significantly affect the resulting information
security?
1. From the viewpoint of Physical and Environmental Security
2. From the viewpoint of communications and operations management
3. From the viewpoint of Access Control
4. From the viewpoint of Information System Acquisition, Development and
Maintenance
2. Literature Review
2.1 ISMS
ISO/IEC 27001 (Information Security Management Systems Requirements)
specifies the requirements for establishing, implementing, operating, monitoring,
reviewing, maintaining and improving a documented Information Security
Management System within the context of the organization's overall business
risks.
The ISO/IEC 27001 standard provides the key definitions and requirements
of an Information Security Management System (ISMS).
It is therefore appropriate for this study to adopt and adapt it in order to assess
the effects of virtualization on information security.
ISO 27001 Control Domain                                         Objectives  Controls
 1  Information Security Policy                                       1          2
 2  Organization of Information Security                              2         11
 3  Asset Management                                                  2          5
 4  Human Resources Security                                          3          9
 5  Physical and environmental Security                               2         13
 6  Communication and Operation Management                           10         32
 7  Access Control                                                    7         25
 8  Information systems acquisition, development and maintenance      6         16
 9  Information security incident management                          2          5
10  Business Continuity Plan                                          1          5
11  Compliance                                                        3         10
    Total                                                            39        133
ISO/IEC 27001 provides the standard for Information Security Management
Systems. It consists of 11 control sections, 39 control objectives, and 133 controls.
PDCA Model
Information security issue review (1/2)
(Information security issue: topics)
Business network security
  • Network security tools, software and products: To enhance internet and
    intranet security, security tools, products and/or software may be used.
  • User's trust and perceived security in the online environment.
  • Virtual Private Network (VPN): Online resources can be remotely accessed
    via the VPN.
Threats to information security
  • Malware includes viruses, Trojan horses, spyware, computer worms, rootkits
    and adware.
  • Hacking tools and tricks: Hackers are always developing new tools, ways
    and technologies of attack.
  • Application-level attacks: Many hackers have now turned from O.S.-level
    attacks to buffer-overflow and cross-site scripting attacks.
Security of applications and platforms
  • O.S. security: A reasonably secure O.S. for PCs and servers is vital to
    security.
  • Risk management: The management and examination of weaknesses is
    required.
  • Cloud security: virtualization security concerns and assessment
    regarding virtualization.
Information security issue review (2/2)
(Information security issue: topics)
Security auditing, implementation and standards
  • ISO 27001: It includes auditing standards, guidelines and implementation.
  • COBIT: It focuses on the IT processes.
Enterprise personnel identification and access control
  • Personnel identification management: It is suggested to establish an
    identification and password management policy.
  • User authentication service: Methods such as single sign-on or smart card
    authentication may be implemented.
  • Web site user authentication: It is suggested that the systems only allow
    authorized users to access contents and use single sign-on to prevent threats
    from hacking.
Business data protection
  • Hard disk- and file-level encryption: Using encryption tools and/or software
    to encrypt disks and/or files may keep data from unauthorized access in the
    case of a leak.
  • Information leakage prevention: Building an information leakage monitoring
    system may uncover and/or prevent hostile eavesdropping.
  • Database security control: The encryption of data and auditing of database
    access may reduce the likelihood of a security breach.
2.2. Virtualization technologies
Overview of virtualization environments
[Figure: privilege rings Ring 3 and Ring 0, shown in Non-Root Mode and in Root Mode]
Virtualization literature review (1/2)
(Server virtualization issue: topics)
Server virtualization management tools
  • Virtual machine tuning: Setting up highly efficient but also responsive virtual
    machines can be very difficult for system administrators.
Backup and disaster recovery plans for virtualized systems
  • Backup and disaster recovery: Server virtualization requires planning of
    backup plans and disaster recovery.
Infrastructure and framework of server virtualization
  • Servers and virtualization: If virtualization is used to consolidate server usage,
    some infrastructure problems must be addressed.
  • Network virtualization issues: Even if top-grade virtualization software and
    server hardware are used, networking bottlenecks and/or other technical
    glitches may bring down the system.
Virtualization literature review (2/2)
(Server virtualization issue: topics)
Server virtualization plans and usage
  • Cloud computing: The cloud computing architecture demands much more
    server capacity and raw computing power.
Benefits of server virtualization
  • Server consolidation: Virtualization can reduce server costs.
Security monitoring and policy of server virtualization
  • Concerns regarding virtualization security; cloud security through
    virtualization.
  • Risk monitoring of virtualized servers: Virtualized systems do have their own
    security risks. The O.S., virtualization tools and the network all have their
    own share of risks. Security design for virtualized systems.
  • Server virtualization guidelines: In an IT management plan, virtualized servers
    must follow the policy and rules.
3. Research methods
3.1 Research Design
• Research design
The research framework is developed under ISO/IEC 27001 controls.
• Research subjects and sampling
This study requires that subjects have a certain level of understanding of the
virtualization information environment.
3.3 Designing the measurement tools for this research (1/2)
3.3 Designing the measurement tools for this research (2/2)
4. Data Analysis
5. Discussion
The four proposed research questions, and hence the research contributions, are
addressed below.
• From the viewpoint of Physical and Environmental Security: no significant
differences in information security.
• From the viewpoint of communications and operations management: virtualization
provides an isolated information environment for software development and
testing. Another reason may be that the fast backup and recovery enabled in
the virtualized environment allows practitioners to perform modifications and
improvements to information systems in a timely manner.
• From the viewpoint of Access Control: virtual machines on the hypervisor are
well-isolated, and this feature does enable good access control.
• From the viewpoint of Information System Acquisition, Development and
Maintenance: the results show no significant influences.
6. Conclusion
This research studies the influence of a virtualized information environment on
information security.
The results of the analysis have shown that the implementation of virtualization in
enterprises may prove to be particularly beneficial to information security.
Q&A
Thanks!