Compliance Challenges in Virtualized Environments
Compliance to best practice and industry standards is challenging for new technologies like virtualization.
Compliance in Virtualized Environments
Compliance Standards
Assurance of Control Objectives
Prescription of Control Implementations
New technologies introduce new components and processes, causing conflict with existing control prescriptions. Examples of such prescriptions:
"Each server must only have one primary function." [§ 2.2.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance, All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, October 2008]
"Key components should be protected by segregating the critical applications from the other applications and information." [CI2.1.4(a), The Standard of Good Practice for Information Security]
"Utility programs are programs that may be able to override system and application controls. They should be restricted and controlled. If these system utilities are not needed, they should be disabled or removed." [§ 11.5.4, ISO/IEC 27002:2005 Code of practice for information security management]
Security boundaries within process and technical domains are still being defined and designed for virtualization.
What consistent best practice exists for virtualized image management?
Are there varying levels of granularity regarding access control within different virtualization technologies?
Virtualized PCI Application Domain Model: Relationship Scenarios
S1. Untrusted users publicly enter PCI information
S2. / S2a. Servers transfer PCI information to the provider (S2a. by telephone)
S3. Remote locations access applications containing PCI information
S6. Staff access the PCI application from the LAN/WAN
S7. Staff access management interfaces of physical and virtual guests and hosts
S9. Staff access management interfaces of the routers/switches
S11. Data is transferred between the Web-facing PCI servers and the internal PCI database servers
What do we want to be compliant with? HIPAA, PCI, SOX, GLB, NERC, CFR
Do the high-level objectives of the compliance standard conflict with virtualization?
Does the regulating body allow for interpretation of the standards?
Whom has the regulating body assigned to attest to compliance with the standards?
What specific control objectives are impacted by virtualization? (Improved?)
Process and environment classification (NERC CIP-003-1 R4.2)
Extension of information asset classification (HIPAA 164.308(a)(7)(ii)(E))
Log monitoring & tracking (PCI 4.2 (v1.1))
System boundary definition (NIST 800-53)
Are there specific control implementations in conflict?
Least privilege implementation issues
Lockout procedure by-pass
What design & service management issues in virtualization are related to compliance?
Business Continuity Management
Security Audit & Assurance Levels
Change Control Implementations
Security Domain / Boundary Control
Access Control & Privilege Administration
Security Operation Schedule Management
Issues with Virtualized Environments and PCI Compliance
Understanding of domains, boundaries & access
7.1 – Is access to computing resources and cardholder information limited to only those individuals whose jobs require such access?
Will "complex" virtualization management components (HA, DRS, VMotion or VCB) be used in the environment?
How is virtualization platform user administration performed (ESX/vCenter)?
Example Logical Diagram (Better)
Configuration Questions (1-4)
What do the systems currently hosted in the ESX environment do?
Does a logical deployment diagram for the PCI systems exist?
Will HA, DRS, VMotion or VCB be used in this environment?
Are there change management policies in place for system management?
Is there a formal installation procedure for ESX hosts? Guests? VirtualCenter?
How is ESX/vCenter user administration performed? Is it formally documented?
Source: Seccuris Inc. (SlideShare)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 

Compliance in Virtualized Environments

  • 6. What do we want to be compliant with? HIPAA, PCI, SOX, GLB, NERC, CFR. Do the high-level objectives of the compliance standard conflict with virtualization? Does the regulating body allow for interpretation of the standards? Who has the regulating body assigned to attest to compliance with the standards?
  • 7. What specific control objectives are impacted (improved?) by virtualization? Process and environment classification (NERC CIP-003-1 R4.2); extension of information asset classification (HIPAA 164.308(a)(7)(ii)(E)); log monitoring and tracking (PCI 4.2 (v1.1)); system boundary definition (NIST 800-53). Are there specific control implementations in conflict? Least-privilege implementation issues; lockout procedure by-pass.
  • 8. What design and service management issues in virtualization are related to compliance? Business continuity management; security audit and assurance levels; change control implementations; security domain / boundary control; access control and privilege administration; security operation schedule management.
  • 10. Will “complex” virtualization management components (HA, DRS, Vmotion or VCB) be used in the environment?
  • 14. What do systems currently hosted in the ESX environment do?
  • 15. Does a logical deployment diagram for PCI systems exist?
  • 16. Will HA, DRS, Vmotion or VCB be used in this environment?
  • 17. Are there change management policies in place for system management?
  • 19. How is ESX/VCenter user administration performed? Formally documented?
  • 20. What security measures are in place to prevent copying/pasting into, or adding devices to, the virtual guests?
  • 21. Are templates being used for deploying guests? If so, what security measures are being used for template creation?
  • 22. What system logging policies exist, and how is logging deployed within the ESX architecture?
  • 26. What roles and permissions are used/disabled in VC?
  • 27. Is the VC computer placed in a separate management network?
  • 28. Where does the VC database reside and what method of authentication is used on this database?
  • 29. What security practices have been applied to secure the database?
  • 34. Central points of access / collusion for staff
  • 36. Experts disagree on effectiveness of controls and implementations
  • 38. Understand your virtualization security architecture
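As an added example (not part of the original deck or its author's material), the following PowerCLI script gathers evidence for two of the checklist questions above: the guest copy/paste and device-add restrictions (slide 20) and the roles and permissions configured in VC (slide 26). It assumes VMware PowerCLI is installed, uses a placeholder vCenter host name, and relies on the isolation.* advanced settings named in VMware's own hardening guidance rather than on this page.

```powershell
# Added audit helper (PowerCLI); not from the original presentation.
# Assumes the VMware PowerCLI cmdlets Get-VM, Get-AdvancedSetting and
# Get-VIPermission are available. The server name is a placeholder.
Connect-VIServer -Server 'vcenter.example.invalid' | Out-Null

# Guest isolation settings from VMware hardening guidance; 'true' is the
# hardened value. An absent setting is reported for review rather than
# assumed safe, because the effective default depends on the host version.
$isolationChecks = @{
    'isolation.tools.copy.disable'         = 'true'   # block host->guest clipboard copy
    'isolation.tools.paste.disable'        = 'true'   # block guest->host clipboard paste
    'isolation.device.connectable.disable' = 'true'   # guest cannot connect removable devices
    'isolation.device.edit.disable'        = 'true'   # guest cannot modify device config
}

$findings = foreach ($vm in Get-VM) {
    foreach ($name in $isolationChecks.Keys) {
        $setting = Get-AdvancedSetting -Entity $vm -Name $name -ErrorAction SilentlyContinue
        if (-not $setting) {
            $state = 'NOT SET (relies on host default; verify)'
        } elseif ($setting.Value.ToString().ToLower() -eq $isolationChecks[$name]) {
            $state = 'OK'
        } else {
            $state = "WEAK (value: $($setting.Value))"
        }
        [pscustomobject]@{ VM = $vm.Name; Setting = $name; State = $state }
    }
}

# Only the gaps are interesting to an assessor; OK rows are filtered out.
$findings | Where-Object { $_.State -ne 'OK' } |
    Sort-Object VM, Setting | Format-Table -AutoSize

# Slide 26 evidence: who holds the built-in Administrator role (role name 'Admin'),
# on which inventory object, and whether it propagates downwards. This is the
# starting point for a least-privilege and separation-of-duties review.
Get-VIPermission | Where-Object { $_.Role -eq 'Admin' } |
    Select-Object Principal, Role, Propagate, @{ n = 'Entity'; e = { $_.Entity.Name } } |
    Format-Table -AutoSize

Disconnect-VIServer -Confirm:$false
```

Run it from a management workstation that already has a VC account with read-only rights; both queries only read configuration and change nothing.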

Editor's notes

  1. NOTE! Slide notes are not prepared for public use.
  2. Compliance to best practices and industry standards is often difficult for new technologies and service approaches. Although compliance control objectives or control descriptions should remain flexible regarding the specific control implementation, over time some have become too specific regarding technology implementations, with little guidance regarding how new technologies or approaches should align. Often new technical components are added to the design and new processes are added to service management when implementing new technologies, leaving many unanswered questions regarding the scope and intent of compliance (i.e. financial control compliance vs. IT value for money). Example of control prescription conflict in virtualization.
  3. http://www.emdstorage.com/solutions/jpg/virtualization_diagram.jpg
  4. What do we want to be compliant with? HIPAA, PCI, SOX, NERC, CFR? Do the high-level objectives of the compliance standard conflict with virtualization trust domains or the controls available? Does the regulating body allow for interpretation of control objectives to an environment and technology?
     - Do they dictate whether or not virtualization can be used as a technology?
     Who has the regulating body assigned to attest to compliance? Who is accountable for assuring that control implementations meet the control objectives required by compliance?
     - Are you allowed to self-attest?
     - What experience does the third-party auditor have with virtualization?
     - Will the third party help or hinder (compliance or intent?)
     http://www.thewisdomjournal.com/Blog/wp-includes/images/negotiation.jpg
  5. What specific control objectives are impacted or influenced by virtualization? Understanding the control objectives related to virtualization and your service management model is key to creating a comprehensive compliance strategy. Prioritize the identified control objectives and determine whether explicit controls (physical) and control implementations (component) are prescribed by the compliance standard and regulating body. If explicit implementations are not aligned, can we be compliant?
  6. What design and service management issues in virtualization are related to compliance with your required objectives? Core themes: http://www.icranium.com/blog/wp-content/uploads/2008/12/sabsa_logo.gif
  7. What real-world issues exist with compliance initiatives in virtualized environments?
     - Design and service management is maturing at a high rate in relation to virtualization architecture.
     - Experts disagree on the effectiveness of controls and implementations.
     - Virtualization allows people and entities to quickly create boundaryless service environments where traceable control implementations may become impossible.
     What SLAs exist for core controls and/or the infrastructure/data supporting controls? Do contractual agreements allow system risk to be managed or improved?
  8. How do I approach a compliance review or gap analysis in my environment? Understand your compliance governance structure:
     - Who regulates compliance?
     - Who attests, and to what level?
     - What type of assurance controls enable compliance?
     Understand your virtualization environment security architecture:
     - What entities are in
     Manage and compensate for real-world management and maintenance issues:
     - Ensure that awareness of the need for on-going assurance, as opposed to static compliance, is promoted.