Re: Virtualization and Security ?

[Richard Hopkins <Richard.Hopkins () BRISTOL AC UK>]

Recently published...

<http://www.cpni.gov.uk/Docs/tn-01-09-security-server-virtualisation.pdf>

(The CPNI is the UK's Centre for the Protection of National Infrastructure
- "the Government authority which provides protective security advice to
businesses and organisations across the national infrastructure")

Richard

--On 11 February 2009 08:25 -0600 "St Clair, Jim" <Jim.StClair () GT COM>
wrote:

> On an additional note, NIST is to consider a Special Publication this
> year (FY) as a guide to securing cloud computing and virtualization.
>
> The Information Security and Privacy Advisory Board (ISPAB) discussed the
> topic at their December meeting. The link has a couple presentations:
> http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2008-12/December-
> 2008.html
>
>
> James A. St.Clair, CISM, PMP
> Senior Manager
> Global Public Sector
> Grant Thornton LLP
> T  703-637-3078
> F  703-637-4455
> C  703-727-6332
> E  jim.stclair () gt com
>
> [cid:image85dcd3.gif@d6b8403c.1ce54c0e]
> The people in the independent firms of Grant Thornton International Ltd
> provide personalized attention and the highest quality service to public
> and private clients in more than 100 countries. Grant Thornton LLP is the
> U.S. member firm of Grant Thornton International Ltd, one of the six
> global audit, tax and advisory organizations. Grant Thornton
> International Ltd and its member firms are not a worldwide partnership,
> as each member firm is a separate and distinct legal entity. In the U.S.,
> visit Grant Thornton LLP at
> www.GrantThornton.com<http://www.grantthornton.com/>.
>
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Alex Sent: Tuesday,
> November 25, 2008 3:04 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: Virtualization and Security ?
>
> Clifford Collins:
>
> You may be interested in the following documents:
>
> Data Security Standard 1.1 - Applied to VMware ESX 3.0.1*
> Using VMware and VDI and vmSight for Stronger and Sustainable HIPAA and
> PCI Compliance Five Immutable Laws of Virtualization Security*
> An Empirical Study into the Security Exposure of Hosts of Hostile
> Virtualized Environments VMware Infrastructure 3 Security Hardening*
>
> A company named StoneSoft had a good presentation at an ISSA meeting
> here. Although, I cant seem to find that presentation.
>
> * indicates a good document
>
> -Alex Everett, CISSP
> University of North Carolina
>
>
> ________________________________
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Clifford Collins
> Sent: Tuesday, November 25, 2008 11:06 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Virtualization and Security ?
> I applaud everybody's efforts to secure their VMware environments. I too
> am in the process of arguing for similar "best practices" as we deploy
> VMware.  However, I'm getting pushback because the decision-makers have
> not heard of any industry "best practices" to justify the extra work and
> expense. Would any of you please bring to my attention documentation to
> justify our position? Thanks in advance for the help!
>
> Clifford A. Collins
> Information Security Officer
> Franklin University
> 201 South Grant Avenue
> Columbus, Ohio 43215
> "Security is a process, not a product"
>
> ----- Original Message -----
> From: "Anand Malwade" <malwadan () SHU EDU>
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Sent: Monday, November 10, 2008 5:11:59 PM GMT -05:00 US/Canada Eastern
> Subject: [SECURITY] Virtualization and Security ?
>
>
> Folks,
>
> We are looking into Data Center Consolidation and plan to virtualize most
> of our servers. Now Virtualization can yield sigificant operational
> advantages, but  also introduces among others network, security
> complexity and management challenges.
>
> My question to the forum is
>
> a) Is anyone fully virtualized ?  If so was a Vendor hired to perform
> this function and are there any lessons learnt  that i should be aware of
> with the deployment?
>
> b) Has anyone run into significant Security and Risk Issues.
>
>
> Thanks,
> Anand
>
>
> Anand Malwade
> Information Security Officer,
> Seton Hall University,
> Tel: 973 275 2209
> malwadan () shu edu
>
> ________________________________
>
> In accordance with applicable professional regulations, please understand
> that, unless expressly stated otherwise, any written advice contained in,
> forwarded with, or attached to this e-mail is not intended or written by
> Grant Thornton LLP to be used, and cannot be used, by any person for the
> purpose of avoiding any penalties that may be imposed under the Internal
> Revenue Code. ________________________________
>
> This e-mail is intended solely for the person or entity to which it is
> addressed and may contain confidential and/or privileged information. Any
> review, dissemination, copying, printing or other use of this e-mail by
> persons or entities other than the addressee is prohibited. If you have
> received this e-mail in error, please contact the sender immediately and
> delete the material from any computer.



Richard Hopkins
Information Services
University of Bristol