Thursday, February 18, 2010

Attacks with Virtualization

Virtualization makes the provisioning and movement of virtual machines faster in enterprises today. But companies should make sure that they have implemented proper security controls for their virtual machines (VMs) and that they adhere to the company's compliance requirements and policies. Advances in virtualization technology have also led to new methods to attack and penetrate company networks. A simple pictorial representation of the different layers in a virtual environment, and some of the attacks on those layers, is given below.


The most common type of attack on virtual environments is Hyper-Jacking. In this type of attack, the hypervisor itself is attacked and used by the attacker for harmful purposes.
The next type of attack is VM escape. This type of attack can pose a serious threat to VM security. Here the attacker's code breaks out of the OS of the VM and interacts directly with the hypervisor. With this type of attack they can discover other VMs and eventually take over the entire virtual environment.
VM poaching is similar to a denial-of-service attack. The attacker's aim is to overload the hypervisor, drain all its resources and eventually make it non-functional.

To gain the maximum benefit from virtual environments, they should be monitored and managed well. Keeping virtual machine software patched, installing only the resource-sharing features that are really needed and keeping software installations to a minimum are some of the steps VM administrators can follow to keep them safe from attacks.

Tuesday, February 2, 2010

Security and Compliance issues with Cloud Computing

Cloud computing has become the buzzword of the infosec world now. There are 'n' number of definitions for it, so I would not list them here. The topics discussed along with cloud computing relate to the advantages it brings to enterprises or the issues and challenges to be faced with it. Among others, security and compliance are hot topics that are discussed often.

Let us take the service models in the cloud and see whether there are any security and compliance challenges there. The service models are SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service).
In SaaS, everything (infrastructure, network, servers, storage, application) is owned by the provider; the consumer may have limited user-specific permissions. Taking email SaaS as an example, the consumer just needs a web browser to access the service. The consumer has to trust the provider for the service being accessed. Secure connections and encryption are the steps the provider takes to establish that trust. The next challenge is 'multi-tenancy' support, by which the provider manages multiple instances of the service for different consumers. The provider is guided here by regulations and frameworks related to data protection, privacy and retention, with which it must comply.
In PaaS, the consumer has control over the deployed application, which is developed using the provider's platform, and over some application hosting configurations. The trust and compliance issues of SaaS apply here too. The consumer is also responsible for ensuring secure inter-component communication with the deployed application.
In IaaS, the consumer can control fundamental computing resources and deploy software on them. It is certain that trust, multi-tenancy, encryption and compliance are key concerns in all the service models.

Next are the different deployment models in the cloud: private cloud, owned by an enterprise; community cloud, shared by a specific community; public cloud, sold to the public; and hybrid cloud, a composition of two or more clouds. Clearly, security requirements and policy and compliance considerations increase across deployments, from private to hybrid models. Cloud providers here are responsible for protecting data. Important laws like HIPAA and GLBA require the organization to safeguard the data. Cross-border data transfer should also take into account the EU Data Protection Directive or Safe Harbor, which require, at a minimum, knowing where the data is going to be and the implications of that. Data security laws such as that of Massachusetts require providers or any third party to maintain security measures for personal information. Encryption is another requirement to be addressed by the providers. Handling compliance here means meeting FISMA, HIPAA, SOX, PCI and SAS 70 audits by the providers.

Organizations and governments have taken initiatives to address the security and compliance challenges in the cloud. It is evident that most clouds require strong security controls. As there cannot be one cloud that fits all, many standards will emerge to guide providers and consumers in taking cloud computing to the next level.