Industry Brief: Virtualization Trends


Ensuring Security for Virtual Server Infrastructure

The trend toward virtualization of IT infrastructure has been primarily focused on enterprise servers, especially in data centers where the resulting efficiencies represent significant cost savings for IT organizations. Because virtualization adds layers of technology, it also necessitates changes in security management. Virtualization introduces a new level of complexity for information security teams, which are responsible for hardening virtual systems while also supporting increased density and dynamic provisioning.

The importance of security in such environments cannot be overstated. Data protection on server infrastructure has been a top IT priority for some time, because it is on servers that significant data breaches are most likely to occur. In fact, 98 percent of compromised records are exposed on servers and online applications.¹

Even as virtualization adds infrastructure layers, information security best practices remain conceptually the same. “In general, organizations should have the same security controls in place for the virtualized operating systems as they have for the same operating systems running directly on hardware,” according to a recent report from the National Institute of Standards and Technology (NIST).² The NIST report recommends that organizations secure virtual systems “based on sound security practices, such as keeping software up-to-date with security patches, using secure configuration baselines, and using host-based firewalls, antivirus software, or other appropriate mechanisms to detect and stop attacks.”³

In effect, Information Security must complete the same checklist of protections for virtual systems as for physical infrastructure. In addition, consideration should also be given to adapting best practices to any unique requirements potentially introduced by the dynamic nature of the virtual server environment.

NIST Secure Virtual System Checklist
1. Keep up-to-date with security patches
2. Use secure configuration baselines
3. Use host-based firewalls, antivirus software, or other mechanisms to detect and stop attacks

New PCI Virtualization Guidelines

Another factor driving secure virtualization is the increasing pressure from regulatory requirements to demonstrate effective protection of server infrastructures that house critical data and applications. A good example of how security standards are affecting virtualization efforts is a guidance paper recently published by the Payment Card Industry Security Standards Council (PCI SSC).⁴ Authored by a PCI special interest group consisting of more than 30 companies, including merchants, vendors, and Qualified Security Assessors (QSAs), the paper addresses the security implications of virtualization and maps them against the 12 main requirements of the PCI Data Security Standard (PCI DSS), indicating what actions should constitute best practice for each of the requirements.⁵

The PCI guidelines for the use of virtualization in cardholder data environments are based on the following four principles:

a. If virtualization technologies are used in a cardholder data environment, PCI DSS requirements apply to those virtualization technologies.
b. Virtualization technology introduces new risks that may not be relevant to other technologies, and that must be assessed when adopting virtualization in cardholder data environments.
c. Implementations of virtual technologies can vary greatly, and entities will need to perform a thorough discovery to identify and document the unique characteristics of their particular virtualized implementation, including all interactions with payment transaction processes and payment card data.
d. There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements. Specific controls and procedures will vary for each environment, according to how virtualization is used and implemented.⁶

1 2010 Verizon Breach Investigations Report.
2 Karen Scarfone, Murugiah Souppaya, and Paul Hoffman, “Guide to Security for Full Virtualization Technologies,” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, January 2011, 4-1.
3 NIST, op. cit., ES-1.
4 PCI Security Standards Council, PCI DSS Virtualization Guidelines, June 2011.
5 Ron Condon, PCI virtualisation: With new guidelines, compliance may be harder, SearchSecurity.co.uk, 14 June 2011.
6 PCI Security Standards Council, op. cit.

Symantec Corporation

The new PCI guidelines hold several important implications for organizations that handle cardholder data. First, virtualization adds a dynamic dimension to the traditional best practices commonly used in physical infrastructures. Since there is no “one-size-fits-all” approach, organizations will require adaptive solutions that can accommodate different configurations of virtual infrastructure at various points along the adoption curve. The guidelines conclude with a recommendation that all virtualization components, even those considered to be out-of-scope, be designed to meet PCI DSS security requirements, because exposure of one virtual machine (VM) on a host system could lead to the compromise of other VMs on the same host. Although they do not change the standard, the new guidelines will help organizations ensure that the standard is enforced.

Secure Virtualization and Private Cloud Computing

Cloud computing is a way to provide scalable, elastic IT capabilities as services using Internet technologies. The cloud computing model enables organizations to consume software, platform, and infrastructure resources as services and avoid the licensing, consulting, and administrative costs associated with on-premise implementations. While some organizations adopt public cloud services available from cloud computing vendors on a multi-tenancy basis, many opt to develop their own private cloud services in order to reduce total cost of ownership while minimizing risks to data. Private cloud implementations generally involve virtualization and, therefore, require modern, adaptive approaches to security and compliance of virtual server infrastructures.

Cloud-based service enablement calls for granular control over the hardening of virtual systems using appropriate policy profiling. To ensure the ongoing integrity and availability of virtual servers, policies should be designed to enforce the following constraints:

• Limit cloud services to only those services required to support a given system’s function
• Limit user accounts and privilege escalations
• Control rogue behaviors such as file and configuration changes
• Constrain data mobility by monitoring data files
• Mitigate vulnerabilities due to inconsistent patch management

Only by ensuring the security of private cloud infrastructure can organizations realize the benefits in terms of cost efficiency.

Requirements for Virtualized Server Security

In extending protection to virtualized server infrastructures, IT Security faces a number of challenges, including management of administrator access, inbound and outbound communications, interactions between systems, and maintaining patch levels and configuration standards. To adapt to the unique variables introduced by virtualization, policies and controls must be modernized. In implementing such modernization, the following capabilities should be considered.

Monitor system behaviors. Virtual machines should be regularly monitored to discover potential vulnerabilities. Are there services on a particular VM that should not be running? Has a VM been moved such that it now has the ability to communicate with new workloads subject to different policy requirements, like PCI audit? Can removable media be attached to the VM through a USB port to extract data or introduce malware?

Control application and system services. It is necessary to see which applications are running on VMs and ensure that only appropriate apps are available on any given VM. Controls should include monitoring, alerts, and preventing executables as appropriate.

Reduce the scope of virtual system interactions. In cases where multiple VMs coexist on a single host, new VMs may gain availability to data or applications that should be off-limits. Central visibility across heterogeneous, hybrid environments is necessary to accurately oversee behaviors and activities.

Protect file systems. Organizations should conduct policy-based monitoring of all file systems on VMs, including applications, directories, and registry keys. It is common practice for hackers to change registry keys to cover their tracks. When that happens, the protection systems should generate an alert and, if necessary, lock down the file to prevent changes.

Maintain OS integrity. Check to see if any changes have been made to an OS that do not conform with configuration or patch standards. Real-time monitoring of VMs between patch windows can mitigate vulnerabilities and prevent malware from executing.

Monitor and restrict privileged user access. Privileged users of business-critical applications on VMs should be monitored to ensure that their behavior and activities are within the scope of requisite permissions and do not in any way jeopardize security or compliance posture.

IT Virtual Server Security Challenges
• Management of administration access
• Inbound and outbound communications
• Interactions between systems
• Maintaining patch levels and configuration standards

Security Solutions for Virtualized Servers

Like mobile and cloud computing strategies, virtualization is rapidly becoming a standard dimension of enterprise IT initiatives. When it comes to security, it is important to make sure that solutions designed to protect data, people, and systems offer the same capabilities for both virtual and physical servers. The following Symantec products are successfully employed by customers today across physical and virtual server environments.

Symantec™ Critical System Protection. Critical System Protection is a host-based intrusion detection and prevention solution that allows organizations to protect business-critical servers seamlessly across heterogeneous virtual and physical environments while accelerating density goals and reducing cost. The centrally managed, policy-driven solution monitors file systems and prevents policy violations with minimum impact on server workloads and system performance. The built-in ESX Policy Pack protects the ESX console operating system and guest operating systems and applications with layered controls to limit networking of non-ESX programs and to block write access to ESX configuration and data files.

Symantec™ Control Compliance Suite. Control Compliance Suite addresses IT risk and compliance challenges by delivering greater visibility and control across virtual and physical server infrastructure. Capabilities include regulatory and technical content that is automatically mapped to policies and updated as regulations change, as well as automated system discovery and vulnerability assessments to identify noncompliant virtual and physical systems.

Symantec™ Endpoint Protection. Endpoint Protection delivers unparalleled security and proven superior performance⁷ in a single system optimized for both physical and virtual environments. Symantec Endpoint Protection is powered by Symantec’s exclusive Insight™ detection technology. Insight catches rapidly mutating malware threats that other approaches miss and reduces scan overhead by up to 70 percent in high-density environments.⁸

Symantec™ Security Information Manager. Security Information Manager enables organizations to establish central visibility to critical virtual server incidents. It offers broad log data collection across physical and virtual servers, including a purpose-built collector for ESX environments. Comprehensive, real-time incident correlation, including content from the Symantec Global Intelligence Network, transforms data from physical and virtual environments worldwide into actionable intelligence.

Conclusion

It is a well-established fact that server infrastructure represents the number one target for cybercriminals and the most likely location of data breaches. Virtualization adds new layers of complexity to server infrastructure so that ensuring security and compliance requires more granular controls and the ability to consistently enforce policies across both physical and virtual environments. Symantec can help seamlessly extend protection to virtualized servers by discovering, monitoring, and controlling behaviors and activities that may compromise the performance and availability of virtual systems. With help from Symantec, you can confidently pursue the virtualization of your most business-critical IT infrastructure.

About Symantec

Symantec is a global leader in providing security, storage, and systems management solutions to help consumers and organizations secure and manage their information-driven world. Headquartered in Mountain View, Calif., Symantec has operations in 40 countries. More information is available at www.symantec.com.

Visit our website
www.symantec.com/virtualization

To speak with a Product Specialist in the U.S.
Call toll-free 1 (800) 745 6054

To speak with a Product Specialist outside the U.S.
For specific country offices and contact numbers, please visit our website.

Symantec World Headquarters
350 Ellis St.
Mountain View, CA 94043 USA
+1 (650) 527 8000
1 (800) 721 3934
www.symantec.com

7 PassMark Software, Enterprise Endpoint Protection Performance Benchmarks, February 2011.
8 Tolly Enterprises, Symantec Endpoint Protection 12.1 vs. McAfee and Trend Micro, Anti-virus Performance in VMware ESX Virtual Environments, June 2011.

Copyright © 2011 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, and Insight are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 07/11 21202606
