10.5 (Controls IS auditor should also understand these concepts to ensure…
VIRTUALIZED ENVIRONMENTS
Virtualization allows multiple OSs (guests) to coexist on the same physical server (host) in isolation from one another.
Virtualization creates a layer between the hardware and the guest OSs to manage shared processing and memory resources on the host.
The main focus of virtualization is to enable a single physical computing environment to run multiple logical, yet independent, systems at the same time.
Deployment techniques
• Bare metal/native virtualization occurs when the hypervisor runs directly on the underlying hardware, without a host OS.
• Hosted virtualization occurs when the hypervisor runs on top of the host OS (Windows, Linux or macOS).
The hosted virtualization architectures usually have an additional layer of software (the virtualization application) running in the guest OS that provides utilities to control the virtualization while in the guest OS, such as the ability to share files with the host OS.
• Containerization: Containers include the application and all of its dependencies but share the kernel with other containers. They run as an isolated process in user space on the host operating system.
Advantages
• Multiple OSs can share processing capacity and storage space that often goes to waste in traditional servers, thereby reducing operating costs.
• A single host can have multiple versions of the same OS, or even different OSs, to facilitate testing of applications for performance differences.
• Creation of duplicate copies of guests in alternate locations can support business continuity efforts.
• Application support personnel can have multiple versions of the same OS, or even different OSs, on a single host to more easily support users operating in different environments.
• A single machine can house a multitier network in an educational lab environment without costly reconfigurations of physical equipment.
• Smaller organizations that had performed tests in the production environment may be better able to set up logically separate, cost-effective development and test environments.
• If set up correctly, a well-built, single access control on the host can provide tighter control for the host’s multiple guests.
Disadvantages
Inadequate configuration of the host could create vulnerabilities that affect not only the host, but also the guests.
Exploits of vulnerabilities within the host’s configuration, or a denial of service attack against the host, could affect all of the host’s guests.
A compromise of the management console could grant unapproved administrative access to the host’s guests.
Data could leak between guests if memory is not released and allocated by the host in a controlled manner.
Insecure protocols for remote access to the management console and guests could result in exposure of administrative credentials.
KEY RISK AREAS
If a service has inherent vulnerabilities on a physical server or network product and it is migrated to a virtualized server, the service remains vulnerable to exploitation.
Others
• Rootkits on the host installing themselves as a hypervisor below the OS, enabling the interception of any operations of the guest OS (e.g., logging password entry):
Antivirus software may not detect this, because the malware runs below the entire OS.
• Default and/or improper configuration of the hypervisor partitioning resources (CPU, memory, disk space and storage):
This can lead to unauthorized access to resources, one guest OS injecting malware into another or placing malware code into another guest OS’s memory.
• On hosted virtualization, mechanisms called guest tools enable a guest OS to access files, directories, the copy/paste buffer, and other resources on the host OS or another guest OS:
This functionality can inadvertently provide an attack vector for malware or allow an attacker to gain access to particular resources.
• In contrast to bare metal installations, hosted virtualization products rarely have hypervisor access controls:
Therefore, anyone who can launch an application on the host OS can run the hypervisor. The only access control is whether someone can log into the host OS.
Snapshots/images of guests’ environments contain sensitive data (such as passwords, personal data, etc.) like a physical hard drive:
These snapshots pose a greater risk than images because snapshots contain the contents of random access memory (RAM) at the time that the snapshot was taken,