Educause Security Discussion mailing list archives
Re: Virtualization and Security ?
From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Tue, 11 Nov 2008 13:31:52 -0500
Segregation of duties is a very nice auditor concept, provided that all of the people that are responsible for a system are available all of the time :-) .. the problem is that in many cases, the application owners are not available after hours and it falls to the security and systems admins to take care of problems. If they do not have enough access to nicely remove the threat, then they have to resort to brute force: either shut down the box, or pull the network access. In either case, this will take multiple systems down if the problem machine is a virtual host.

My point is not really to argue this from a security viewpoint (though the security implications are obvious); it is from an availability standpoint. When you build your virtual infrastructure, make sure that someone is looking at the mix of systems and how they interact.

My 2 cents,
Joel Rosenblatt

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel

--On Tuesday, November 11, 2008 6:00 PM +0000 Robert Maxwell <rmaxwell () umd edu> wrote:
> I also think there may be some administrative issue there. In working with ESX and the admin console, I can snapshot and suspend or kill VMs even without the admin's help. That may be bad in certain environments, but you eventually have to trust someone to do something, no?
>
> Rob
>
> Robert Maxwell, CISSP, GCFA
> Lead Incident Handler
> OIT Security, University of Maryland
> rmaxwell at umd dot edu
> GnuPG Public Key: http://security.umd.edu/contact/Robert_Maxwell.asc
>
> -----Original Message-----
> From: "St Clair, Jim" <Jim.StClair () GT COM>
> Date: Tue, 11 Nov 2008 12:57:17
> To: <SECURITY () LISTSERV EDUCAUSE EDU>
> Subject: Re: [SECURITY] Virtualization and Security ?
>
>> Joel Rosenblatt wrote:
>>> This is what happens when you have too many specialists :-)
>>
>> That's true, but I would also think there is a segregation of duties (SoD) issue - depending on your use of virtual servers, do you want the OS admin to also manage the virtual environment?
>>
>> James A. St.Clair, CISM, PMP
>> Senior Manager Global Public Sector
>> Grant Thornton LLP
>> T 703-637-3078 F 703-637-4455 C 703-727-6332
>> E jim.stclair () gt com
>> -----Original Message-----
>> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joel Rosenblatt
>> Sent: Tuesday, November 11, 2008 12:48 PM
>> To: SECURITY () LISTSERV EDUCAUSE EDU
>> Subject: Re: Virtualization and Security ?
>>
>>> Because they didn't have access to the EMX console - they were admins for the underlying OS only, not the virtualization.
>>>
>>> This is what happens when you have too many specialists :-)
>>>
>>> Joel
>>>
>>> --On Tuesday, November 11, 2008 10:34 AM -0700 Eric Case <ecase () email arizona edu> wrote:
>>>
>>>> At 09:40 AM 11/11/2008 -0500, Joel Rosenblatt wrote:
>>>>
>>>>> One thing that we ran into was that the administrator of the hosting system should be able to shut down each virtual machine separately - we had one virtual machine compromised over a weekend and the only person available was the admin of the host - so, the whole system was shut down until we could dig up the admin of the bad virtual host.
>>>>
>>>> Why didn't you suspend the compromised machine?
>>>>
>>>> -Eric
>>>>
>>>> Eric Case, CISSP <ecase () Arizona edu>
>>>> Information Technology Services Coordinator
>>>> Information Security Officer
>>>> College of Engineering <http://www.Engr.Arizona.edu>
>>>> 1127 E James E. Rogers Way Room 200
>>>> Tucson, AZ 85721-0020
>>>> Mobile Phone 520-275-6436