Security Basics mailing list archives

RE: Deny access to copy files


From: Craig Wright <Craig.Wright () bdo com au>
Date: Thu, 5 Jun 2008 06:12:26 +1000


No, even a single system

Risk = hypervisor_risk + Host_risk

As the VM host and the System host are configured exactly the same other than the underlying system;
Host_risk = VM_Host_risk = System_Host_risk

What you seem to be suggesting is to have several VMs with each assigned to a developer. What you are forgetting is
development systems are not production systems. By their nature, developers have access to email and browsers and you
are deluding yourself if you think otherwise as the development tools themselves provide this level of functionality.

Developers also interact. A pile of insecure VMs on a host only compounds the issue.

When making a risk model, you need to add the condition that VMs act not as an independent factor, but statistically as 
a dependent one. This provides both the additive risk and a multiplicative factor.

Each developer will have their own system in a MS model. This will link to the server. Having multiple server instances 
with the workstation adds no additional mitigation.

So to address the comment "the alternative may in fact be multiple developers sharing the same operating system", 
remember that this is an MS environment and not a Unix one firstly. Each set of developer workstations needs to be 
factored.

Next, internal systems development should mirror production. In this event, VMs do not equate to multiple real systems
and this adds a level of coding risk. Take all the factors and run a simple MCMC simulation and the risk is rarely if
ever reduced in the VM case. The issue is not risk reduction, but cost.

Craig

From: Gregory Boyce [mailto:gregory.boyce () gmail com]
Sent: Wednesday, 4 June 2008 10:57 PM
To: Craig Wright
Subject: Re: Deny access to copy files

On Tue, Jun 3, 2008 at 5:50 PM, Craig Wright <Craig.Wright () bdo com au> wrote:

Well scientifically, you should be able to advocate why a VM is a security device if this is to be propounded.

But to prove the negative (and to paraphrase a little from the Burton group).

1. All the attacks and vulnerabilities are the same. From the host perspective - nothing has changed being on a VM. The 
same vulnerabilities exist.
2. Risk is additive. The hypervisor has its own risks. These are added to 1.
3. Separation reduces risk. Running several systems on the same hypervisor makes them more (not less) vulnerable. All
of the systems are just as vulnerable as a locked down host on a system with the added benefit of also having the risk
from the hypervisor abstracted onto them.
4. Aggregation of content increases risk.
5. The more layers are added - the more risk. Having a system on a BIOS has risk, adding BIOS and (potentially nested)
VMs adds risk.

What you just proved is that multiple VM instances are less secure than multiple pieces of physical hardware.  Without
the budget for that many systems, the alternative may in fact be multiple developers sharing the same operating system.
The comparison of security levels there turns out a bit different.

--
Greg
Craig Wright
Manager, Risk Advisory Services

Direct : +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914

BDO Kendalls (NSW-VIC) Pty. Ltd.
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
http://www.bdo.com.au/
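
The dependence argument in the message above, worked as an added example that is not part of the original thread: guests on one hypervisor share a single hypervisor-compromise event, while separate hardware has none. It uses plain Monte Carlo rather than the MCMC the message mentions, and every probability and name in it is a constructed assumption.

```python
import random

# Constructed inputs (assumptions for illustration, not figures from the thread).
P_HOST = 0.05        # chance one OS instance is compromised in a period
P_HYPERVISOR = 0.01  # chance the shared hypervisor is compromised in a period
N_SYSTEMS = 5        # number of developer systems compared


def exact(n, p_host, p_hv):
    """Closed-form P(any), P(all) and expected count; p_hv=0 models separate hardware."""
    p_any = 1 - (1 - p_hv) * (1 - p_host) ** n
    p_all = p_hv + (1 - p_hv) * p_host ** n
    mean = n * (p_hv + (1 - p_hv) * p_host)
    return p_any, p_all, mean


def simulate(n, p_host, p_hv, trials=100_000, seed=2008):
    """Monte Carlo estimate of the same three quantities."""
    rng = random.Random(seed)
    any_hits = all_hits = total = 0
    for _ in range(trials):
        # One draw per trial for the hypervisor: every guest shares this outcome,
        # which is what makes the guests statistically dependent.
        hv_compromised = rng.random() < p_hv
        count = sum(hv_compromised or rng.random() < p_host for _ in range(n))
        any_hits += count > 0
        all_hits += count == n
        total += count
    return any_hits / trials, all_hits / trials, total / trials


def compare(n=N_SYSTEMS, p_host=P_HOST, p_hv=P_HYPERVISOR):
    """Simulated results for separate hardware and for guests on one hypervisor."""
    return {
        "separate_hardware": simulate(n, p_host, 0.0),
        "shared_hypervisor": simulate(n, p_host, p_hv),
    }


if __name__ == "__main__":
    for name, (p_any, p_all, mean) in compare().items():
        print(f"{name:18s} P(any)={p_any:.4f} P(all)={p_all:.5f} E[count]={mean:.4f}")
```

With these inputs the expected number of compromised systems rises by roughly the hypervisor term, while the chance that all systems fall together moves from about p_host^n to about p_hv.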



