CISO Perspectives | Securing virtual government environments

Featured eBooks
Changes in State and Local Government Workforces
NASCIO Special Report 2024
A New Era of Social Media Regulation
Insights & Reports
Short-term rentals and state legislation for local governments
Presented By Granicus
Download Now
The Way Forward: Essential Steps for Strategic Planning Success
Presented By Euna Solutions
Download Now
 

Connecting state and local government leaders

By

Guest commentary: By using proven IT security benchmarks, federal chief information security officers can limit their exposures risks from virtualized environments.

Federal CISOs can expect the explosive adoption rates ofvirtualization to continue. Unfortunately, the flexibility thatmakes virtual machines such a useful technology can also underminesecurity within organizations and individual hosts.

Related Links

CISO Perspectives: Deep packet inspection

CISO Perspectives: The Einstein Program

Buyer beware with virtualization technology

Securing the virtual world

Virtualization for your DMZ?

Virtualization security resources

The year of virtualization

With the explosive adoption rates of virtualized computing environments due to their promise of less costly data center hardware, quicker provisioning and increased flexibility, federal government CISOs are faced with the challenge of effectively securing these virtualized environments while balancing the constant pressure on IT to respond quickly to urgent business needs. The CISO's challenge is further complicated by the fact that there's a marked absence in guidance from the standards bodies, very little from the vendor community and a very serious knowledge gap in the systems administration, security practitioner, and audit communities. This article will explore some of the virtualization security best practices that hold the most promise for government systems.

This is the first of three commentary articles written for GCN by a group of writers who make up the (ISC)2 U.S. Government Advisory Board Executive Writers Bureau. The Bureau includes volunteer federal information security experts from government and industry. A full list of Bureau members can be found here.

The unmistakable and obvious appeal of reducing the data-center
footprint and realizing significant cost savings by converting 20
or 30 physical servers into virtual machines running on a single
system is hard for even the most conservative and risk-averse
government organizations to resist.


Beyond the many compelling traditionally IT-based benefits
— fewer servers, lower energy bills, faster hardware, ease of
use — there are also a few information security-focused
benefits that should appeal to both government and private-industry
CISOs.


Virtual environments provide the capability to encapsulate an
operating system, an application and its associated data into the
equivalent of an application running on top of an operating system.
The package, which can be saved as an image file that can be easily
transmitted to an off-site location, can potentially address the
disaster recovery and business continuity problem currently
crippling most federal CISOs.


In addition, the appeal of sandboxing — creating
virtualized environments for today’s cyber forensic
practitioners who must examine and dissect potentially hostile
programs such as spyware, Trojans and computer viruses — is
also unmistakable.


However, with the rise of virtual machine adoption rates,
federal government CISOs are faced with the challenge of
effectively securing virtualized environments with little
overarching guidance from the standards-setting bodies. And there
are very serious knowledge gaps in the systems administration,
security practitioner and audit communities.


Virtual machines also expose organizations to the possibility of
massive data breaches because entire applications can be stored as
a disk that can be transferred off-site and installed on another
system — a sobering fact with massive security implications.
Combine that with the number of virtual machines that can be
created — each with open ports — and it’s clear
that virtual environments introduce huge new security concerns.
Virtual servers present new avenues for employees to circumvent
established data security policy and regulations for servers and
overall network and data security. The fact that virtual servers
are so easy to deploy means anyone can create a server without
going through the proper channels. The results can be unauthorized,
untested and noncompliant servers deployed to the operational
environment unbeknownst to the IT department.


Although Office of Management and Budget Memo M-07-11 directed
the implementation of National Institute of Standards and
Technology configuration checklists in NIST Special Publication
800-70, many of today’s configuration assessment tools are
not designed to work in virtual environments. Additionally, federal
network security specialists are still getting up to speed on
configuring network security settings for virtual machines and
learning the tools for managing virtual environments. That
increases the opportunity for the release of configuration settings
that introduce risk.


Federal CISOs also need to be aware that a primary benefit of
virtual machines — their ease of deployment to meet peak
demands — quickly becomes a detriment when they are used and
removed without any record of the administrative activity that has
occurred on them. Once a virtual server is removed, obtaining a
trail for compliance-audit purposes becomes nearly impossible.


Furthermore, virtual environments are subject to regulatory
compliance and require the same IT controls. From a certification
and accreditation perspective, the literal interpretation of NIST
SP 800-37 guidance on system recertification requirements due to
“significance of change” could imply that each
instantiation of a virtual machine should trigger a system
recertification due to the impact on existing security controls in
the otherwise accredited system or new vulnerabilities likely
introduced into the system by the new virtual machine.


In addition, the annual configuration compliance reporting
requirements of the Federal Information Security Management Act
would imply that individual instantiations of virtual machines
should be included in agency reports to be included in the tally
for the FISMA score card.


There are some proven benchmarks federal CISOs can apply to
limit their risks from virtualized environments, including:



  • Limiting physical access to the host.
  • Hardening the base operating system.
  • Installing firewalls between virtual machine layer service
    ports.
  • Encrypting communication.
  • Implementing virtualization server authentication.
  • Disabling features, including screensavers and suspend
    mode.
  • Securing file sharing between host and guests.
  • Using time synchronization.
  • Following NIST SP 800-70 guidelines for hardening guest
    operating systems.
  • Disconnecting unused devices.
  • Implementing secure remote management.
  • Implementing vulnerability and patch management.
  • Implementing auditing.
  • Implementing file integrity checking.





Current research efforts on virtual machines have focused
largely on the implementation of virtualization and its
applications. However, further attention is needed due to the
security risks that accompany the technology and should focus on
developing security tools, tactics, techniques and procedures to
better address those risks.



NEXT STORY: Fujitsu Mag EraSure erases hard drives in a snap

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.