Essay: Secure Virtualization Infrastructure with Governance Policies

  • Published: 1 April 2019*
  • Last Modified: 23 July 2024


 Virtualisation Infrastructure Governance Policies

Subject: Virtualization

Camran Manikfan (x16137256)

Divyesh Patel (x16135521)

Vikas Sharma (x0162805

Introduction

In information technology, virtualisation means turning the physical elements of a setup into non-physical ones by applying a software layer that makes the resources appear as distinct ones. These resources can include computer platforms, operating systems, storage devices, computer network resources, and so on.

Virtualisation is generally implemented through hypervisors, virtual machine monitors, and guest operating systems. These are the most commercially viable and easiest of the different types of virtualisation to implement. The main types of virtualisation platforms and software used by companies are VMware, Citrix XenServer, Microsoft Hyper-V, and RedHat Enterprise Virtualisation.

A glossary of the important terms is given below:

Virtualisation: It is the process of dividing a computer’s given resources into different logical partitions or elements, allowing servers, instances, and the operating systems/applications on them to be separated into different spaces.

Hypervisor: Also called a virtual machine manager or monitor (VMM). It is the program running on the host operating system or directly on the hardware. It manages the whole set of programs and different operating systems which are installed on it, and isolates their resources so they all have a slice of the available memory, disk space, and CPU time. They will appear to have their own separate resources, which are actually allocated at random from any available pool on the host machine.

Virtual Machine: The virtual machine can also be called a guest OS. It is the instance which runs on the hypervisor, and is a self-contained entity with its own resources. While it functions independently of the VMM when seen on its own, it does require the VMM to be up and running before it can be launched.

Each of the four hypervisor products given above will have its own governance policy, which will usually differ from the others. The licenses and terms/conditions will also differ. We can give a generic example of how these policies are implemented and how they might cover different functions of the company.

The policy will be separated from the other features with its own space and heading. It will generally describe the company, conditions, and the management body’s specifications for the policy. (Shopify.com, 2017)

Data and information classification

Unclassified/Public information: This is the data which can be distributed anonymously and freely among the public. It is mainly for communication purposes with the company, for example, feedback or redressal forms.

Proprietary: This cannot be distributed outside the organisation as it is to be used by internal employees only.

Confidential: This is private data which is to be used by certain employees only.

Sensitive: This is possibly controversial data which is to be used by very specific employees. It also needs to be kept secret from unauthorized parties.

Top Secret: This has to be viewed by even more select employees, and needs the most protection from outside parties. (Shopify.com, 2017)

Security policies

Security policies are generally there to ensure the confidentiality, integrity, and availability of data (CIA).

Confidentiality: The data must be protected from disclosure to unauthorized parties.

Integrity: The information is genuine and can’t be altered easily without security experts knowing about it.

Availability: The data can be accessed by all authorized parties whenever they need it.

Most security categories have three ‘levels of impact’:

Low: Unauthorized revealing, modification, removal, or destruction of data to outside organisations, as well as its non-availability, results in a limited impact on the organisation.

Medium: Unauthorized revealing, modification, removal, or destruction of data to outside organisations, as well as its non-availability, results in a grave impact on the organisation.

High: Unauthorized revealing, modification, removal, or destruction of data to outside organisations, as well as its non-availability, results in a destructive impact on the organisation. (Shopify.com, 2017)

Other security policies include securing the virtualization platform in different ways.

Access to the host system should be limited to authorized administrators.

To make sure the integrity of the files is not compromised, the hash values of all files need to be checked prior to installation. The hash files can be stored offline.

Only the basic services need to be loaded at installation. Extra components and services, e.g. drivers and printing, are not required.

Administrators must not be given root access to the system. They must log in with their own accounts, as on macOS or Linux PCs, and be allowed to use sudo or su when administrative tasks are necessary.

The disks need to be partitioned beforehand according to user requirements.

Virtual devices need to be mapped to physical ones.

Authentication must be strong; if possible, all systems should use two-factor authentication (2FA).

It is best to disable file sharing access between the host and guest operating systems to avoid the transfer of potential threats between the systems.

Backups are a staple of every computer user and an absolute necessity for the virtualization servers. They are usually in the form of snapshots and incremental backups.

Guest OSs must be made secure with different credentials and removal of unnecessary services and programs. (Isaca.org, 2017)
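
The pre-installation hash check from the list above, as an added example (not part of the essay or of any vendor's tooling): it compares an installation directory against a sha256sum-style manifest kept offline and also flags missing and unlisted files. The file names, the manifest format and the function names are assumptions, and the sample files are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):  # chunked: images can be large
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style lines: '<hex digest>  <relative path>'."""
    expected = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, name = line.strip().split(None, 1)
            expected[name.lstrip("*")] = digest.lower()
    return expected

def verify_tree(root, manifest_text):
    """Compare every file under root with the manifest kept offline."""
    root, expected = Path(root), parse_manifest(manifest_text)
    report = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for name, digest in sorted(expected.items()):
        target = root / name
        if not target.is_file():
            report["missing"].append(name)
        elif sha256_file(target) == digest:
            report["ok"].append(name)
        else:
            report["mismatch"].append(name)
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    report["unlisted"] = sorted(on_disk - set(expected))  # files nobody vouched for
    return report

def safe_to_install(report):
    return not (report["mismatch"] or report["missing"] or report["unlisted"])

def demo():
    """Constructed sample: one good file, one altered, one missing, one extra."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        good = {"hypervisor.iso": b"image", "tools.pkg": b"tools", "readme.txt": b"readme"}
        manifest = "".join(f"{hashlib.sha256(d).hexdigest()}  {n}\n" for n, d in good.items())
        (root / "hypervisor.iso").write_bytes(good["hypervisor.iso"])
        (root / "tools.pkg").write_bytes(b"altered after the manifest was made")
        (root / "extra-driver.bin").write_bytes(b"not in the manifest")
        return verify_tree(root, manifest)
```

Installation should proceed only when `safe_to_install` returns true; an unlisted file is treated as a failure because nothing in the offline manifest vouches for it.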

Physical security policies

A secure computer room with the servers needs to be set up where only authorized personnel have access.

The server room must be monitored by CCTV or similar mechanisms 24/7.

Security alarms must be in place.

Secure cabinets to contain the machines.

Access control through keycards, badge readers, retina/iris/fingerprint scanners, and perhaps lock and key mechanisms. (Shopify.com, 2017)

Hypervisor security policies

Install important updates to the hypervisor from the vendor.

Secure root privileges.

Use file integrity protection.

Detailed logging of activities.

Disable functions between the host and guest systems, such as copying and pasting.

Limit access to the hypervisor, as it can be used to control the entire system without barriers. (Shopify.com, 2017)

Guest operating system policies

Install updates to the guest OS which fix vulnerabilities.

Enforce backup procedures for the guest OS.

Remove unused virtual hardware.

Use network security practices to isolate the different guest OSs. (Shopify.com, 2017)

Remote access

This can only be done by approved personnel and with the appropriate protocols.

SSL or VPNs can be used to ensure confidential access.

Two-factor authentication can be used here as well.

The company and employee workstations should have up-to-date antivirus software. (Shopify.com, 2017)

Backup policies

There should be detailed mechanisms for archival and retrieval of stored material. Backups can be full, incremental or differential. Snapshots and system images are also required. They may be encrypted for further security and CIA. (Shopify.com, 2017)

Performance and security testing policies which will be conducted afterwards

Annual checks for vulnerabilities.

Penetration testing to find flaws in security.

Test the applications used from outside to ensure they are free of security flaws which could compromise the hypervisor.

Vulnerability assessments and testing for security flaws must be done annually or quarterly as specified in the contract. (Shopify.com, 2017)

References

Isaca.org. (2010). Virtualization Security Checklist. [online] Available at: http://www.isaca.org/Knowledge-Center/Research/Documents/Virtualization-Security-Checklist_res_Eng_1010.pdf [Accessed 23 Jun. 2017].

Shopify.com. (2013). Virtualization. [online] Available at: https://cdn.shopify.com/s/files/1/0235/0907/files/Citrix_XenServer_Virtualization_Policy_and_Procedures.pdf [Accessed 23 Jun. 2017].

* This essay may have been previously published on EssaySauce.com and/or Essay.uk.com at an earlier date than indicated.