Cloud Gal 42

Secure Installation and Configuration of Virtualized Cloud Datacenters

September 9, 2021 (September 2, 2021) by admin

Secure configuration of the virtualization management toolset is one of the most important steps when building a cloud environment. A compromise of the management tools may give an attacker unrestricted access to every virtual machine, to the hypervisor host, and from there to the enterprise network. The management tools must therefore be securely installed, securely configured, and adequately monitored.

NOTE: All management should take place on an isolated management network.

  • The virtualization platform determines which management tools must be installed on the host.
  • Updating of these tools must be included in the configuration management plan.
  • Updating may require host downtime, so enough spare capacity should be deployed that virtual machines can be migrated off a host while the virtualization platform is updated.
  • External vulnerability testing of the tools should be conducted.
  • Follow the vendor's security guidance when configuring and deploying these tools.
  • Access to the management tools should be role based.
  • Auditing and logging of the management tools should be enabled and reviewed.

Virtual Hardware-specific Security Configuration Requirements and Systems Protection

The traditional approach to securing a data center, a physically air-gapped design with well-defined, protected internal and external perimeters, is not sufficient for the granularity and churn of the virtualized resources in use today.

Defense in depth therefore requires protection measures that include design approaches and technology that did not exist when many data centers were built.

Virtual Private Cloud (VPC)

While it is possible that a virtual private cloud can be implemented in a true “private cloud” (as defined in NIST SP 800-145 and ISO/IEC 17788), a virtual private cloud is not a private cloud. It is implemented in the more commonly consumed public cloud, thus the term virtual. Keep in mind that the major CSP platforms all have VPC offerings on their public cloud platforms.

Virtual private clouds provide cloud consumers with the following benefits and capacities:

  • Manage private IP addresses and define subnets
  • Interconnect virtual machines to communicate across subnets
  • Define access control policies for ingress and egress rules
  • Implement traffic optimizers, load balancers, and application firewalls
  • Interconnect hybrid clouds
  • Extend traditional data center reach into cloud services

Security Groups

A major control element of a VPC is the security group: a virtual, instance-level firewall that lets the cloud customer control ingress and egress traffic flow at fine granularity. The following capabilities are common across the major providers:

  • If no group is specified, the platform's default security group is attached to the VM at creation; its rules (commonly allow-all egress and allow traffic from other members of the same group) should be reviewed rather than assumed safe
  • Rules are allow-only: traffic not explicitly permitted is implicitly denied
  • Filter traffic to and from a VM instance by protocol, port range, and peer address (CIDR block), or by referencing another security group so that the policy follows the workload rather than its IP address
  • Rules are stateful: return traffic for an allowed connection is permitted without a matching rule in the opposite direction, unlike the stateless network ACLs that some platforms apply at the subnet level
  • Groups attach per instance (or per network interface); an instance can belong to several groups and the union of their rules applies
  • Labels/tags on groups and instances support mapping of components and, on some platforms, targeting of firewall rules
  • Subnets partition the VPC's IP range and private/public DNS names are assigned by the VPC and instance configuration; neither is a security-group function, and rules match addresses and groups, never DNS names
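The following is an added example, not code from the original post or from any cloud provider's SDK. It models the security-group semantics described above and the VPC ingress/egress controls from the previous section: allow-only rules with an implicit deny, a rule that references another group instead of a CIDR, stateful return traffic, and an audit check that flags the most common misconfiguration (an administrative port open to 0.0.0.0/0) beside its corrected form, which restricts SSH to the isolated management subnet the NOTE above calls for. The group ids, instance names and addresses are constructed for the example; egress must be permitted explicitly in this toy model, whereas some providers' default groups allow all egress.

```python
"""Toy model of VPC security-group semantics (added illustration; not a
cloud provider's API). Ids, names and addresses below are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str                      # "ingress" or "egress"
    protocol: str                       # "tcp", "udp", "icmp" or "-1" (all)
    from_port: int = 0
    to_port: int = 0
    cidr: Optional[str] = None          # peer network, or ...
    source_group: Optional[str] = None  # ... the peer's security group id

    def covers(self, protocol: str, port: int) -> bool:
        if self.protocol == "-1":
            return True
        return self.protocol == protocol and self.from_port <= port <= self.to_port


@dataclass
class SecurityGroup:
    group_id: str
    rules: List[Rule] = field(default_factory=list)


@dataclass
class Instance:
    name: str
    ip: str
    groups: List[str]                   # attached security group ids


class Vpc:
    def __init__(self, groups: List[SecurityGroup], instances: List[Instance]):
        self.groups = {g.group_id: g for g in groups}
        self.instances = {i.name: i for i in instances}
        self.ip_groups = {i.ip: set(i.groups) for i in instances}
        self.tracked: Set[Tuple[str, str, str, int]] = set()  # connection table

    def _peer_ok(self, rule: Rule, peer_ip: str) -> bool:
        if rule.cidr is not None:
            return ip_address(peer_ip) in ip_network(rule.cidr)
        if rule.source_group is not None:  # match by the peer's group, not its IP
            return rule.source_group in self.ip_groups.get(peer_ip, set())
        return False

    def allowed(self, direction: str, name: str, protocol: str, port: int, peer_ip: str) -> bool:
        """Any matching allow on any attached group wins; otherwise implicit deny."""
        for gid in self.instances[name].groups:
            for r in self.groups[gid].rules:
                if r.direction == direction and r.covers(protocol, port) and self._peer_ok(r, peer_ip):
                    return True
        return False

    def connect(self, src: str, dst: str, protocol: str, port: int) -> bool:
        """New flow src -> dst needs egress on src and ingress on dst; record it."""
        s, d = self.instances[src], self.instances[dst]
        if not (self.allowed("egress", src, protocol, port, d.ip)
                and self.allowed("ingress", dst, protocol, port, s.ip)):
            return False
        self.tracked.add((s.ip, d.ip, protocol, port))
        return True

    def reply(self, responder: str, initiator: str, protocol: str, port: int) -> bool:
        """Stateful: return traffic passes only because the forward flow was tracked."""
        s, d = self.instances[initiator], self.instances[responder]
        return (s.ip, d.ip, protocol, port) in self.tracked


ANYWHERE = ("0.0.0.0/0", "::/0")
ADMIN_PORTS = {22: "ssh", 3389: "rdp"}


def find_overexposed(groups: List[SecurityGroup]) -> List[Tuple[str, str]]:
    """Audit check: administrative ports reachable from the whole internet."""
    return [(g.group_id, svc) for g in groups for r in g.rules
            if r.direction == "ingress" and r.cidr in ANYWHERE
            for port, svc in ADMIN_PORTS.items() if r.covers("tcp", port)]


# Constructed scenario: public web tier, a database reachable only from the
# web tier's group, and a bastion whose SSH is limited to the management subnet.
WEB_SG = SecurityGroup("sg-web", [
    Rule("ingress", "tcp", 443, 443, cidr="0.0.0.0/0"),
    Rule("egress", "-1", cidr="0.0.0.0/0"),
])
DB_SG = SecurityGroup("sg-db", [
    Rule("ingress", "tcp", 3306, 3306, source_group="sg-web"),  # no CIDR, no egress rule
])
BASTION_SG_WEAK = SecurityGroup("sg-bastion-weak", [
    Rule("ingress", "tcp", 22, 22, cidr="0.0.0.0/0"),           # the common mistake
])
BASTION_SG = SecurityGroup("sg-bastion", [
    Rule("ingress", "tcp", 22, 22, cidr="10.10.0.0/24"),        # management network only
])
VPC = Vpc([WEB_SG, DB_SG, BASTION_SG], [
    Instance("web", "10.0.1.10", ["sg-web"]),
    Instance("db", "10.0.2.20", ["sg-db"]),
    Instance("bastion", "10.0.0.5", ["sg-bastion"]),
])

if __name__ == "__main__":
    print("internet -> web:443 ", VPC.allowed("ingress", "web", "tcp", 443, "203.0.113.7"))
    print("web -> db:3306      ", VPC.connect("web", "db", "tcp", 3306))
    print("db replies to web   ", VPC.reply("db", "web", "tcp", 3306))
    print("bastion -> db:3306  ", VPC.connect("bastion", "db", "tcp", 3306))
    print("overexposed         ", find_overexposed([BASTION_SG_WEAK, BASTION_SG]))
```

Running it shows the database accepting the web tier because of the group reference rather than any IP range, the reply passing with no egress rule on the database because the forward flow was tracked, the bastion being denied, and only the weak group being flagged by the audit.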
