S 3.304 Virtualisation
Description
When IT systems are virtualised, one or several virtual IT systems are operated on a single physical computer. Such a physical computer is referred to as a virtualisation server. Several such virtualisation servers are frequently consolidated to form a virtual infrastructure, in which the virtualisation servers themselves and the virtual IT systems operated on them can be administrated jointly.
The virtualisation of IT systems provides numerous advantages for IT operations in an information system. Cost savings are possible in hardware procurement, power, and air conditioning if the resources of the servers are used more efficiently. Thanks to the related centralisation and consolidation, as well as the simplified provision of IT systems, cost benefits may also be achieved in personnel and administration. However, the possibilities of virtualisation simultaneously constitute a new challenge for information system operations. Since the use of virtualisation technology affects different areas and fields of work in an information system, knowledge and experience from these diverse areas must be combined.
The use of virtualisation servers and virtual IT systems must be taken into consideration when determining the protection requirements of the corresponding information system. It must be taken into account that the protection requirements of a virtualisation server are influenced by the protection requirements of the virtual IT systems operated on it. Problems on one virtualisation server or on one virtual IT system can affect all other virtual IT systems operated on the same virtualisation server.
This module describes how the virtualisation of IT systems can be introduced in the information system and under which prerequisites virtual infrastructures can be operated securely in the information system.
Scope of the subject area
This module only addresses the virtualisation of entire IT systems; other technologies partially associated with the term "virtualisation" (application virtualisation with the help of terminal servers, storage virtualisation, etc.) are not covered by this module. Only virtualisation servers and virtual IT systems running operating systems that are also commonly run directly on physical IT systems are considered.
In the field of software development, the terms virtual machine and virtual machine monitor (VMM) are also sometimes used for certain runtime environments, for example when using Java or Dot-NET (Microsoft .NET). Such runtime environments are not addressed in this module either.
Threat scenario
Given the numerous functions of virtualisation servers and the manipulation options for virtual IT systems, there are new organisational and technical threats to the secure operation of virtualisation servers and virtual IT systems. This is related to the fact that a new infrastructure component, namely the virtualisation infrastructure for IT objects, is created. Virtual IT systems may furthermore be in states that physical systems cannot be in. For example, a system that appears to have been shut down may nevertheless still be running if it was only frozen (suspended) by the virtualisation software. Moreover, the lifecycle of a virtual IT system is normally passed through in a significantly shorter time.
The following typical threats are assumed for IT-Grundschutz in virtual infrastructures:
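The two points above (a "shut down" virtual IT system that is merely suspended, and short lifecycles that let VMs appear and disappear without the inventory being updated) are easiest to manage with a regular reconciliation of the asset inventory against what the virtualisation servers actually hold. The following is an added example, not part of the IT-Grundschutz catalogue or of any virtualisation product: the inventory and the hypervisor view are constructed sample dictionaries, and the state names ("powered off", "suspended", etc.) are assumed labels that would have to be mapped to the terminology of the product actually in use.

```python
"""Reconcile the recorded state of virtual IT systems with the hypervisor view.

Inventory entries and hypervisor states below are constructed sample data.
Three findings are reported:
  still-live    inventory says the VM is inactive, but the virtualisation
                server still holds it running, paused or suspended (frozen)
  unregistered  the virtualisation server hosts a VM the inventory never saw
  missing       the inventory lists a VM no virtualisation server reports
"""

# Hypervisor states in which the guest still exists and can resume at any time
# (assumed labels; map them to the names your product uses).
LIVE_STATES = {"running", "paused", "suspended"}

# Inventory states an operator would read as "this VM is not in use".
INACTIVE_RECORDED = {"powered off", "decommissioned"}


def reconcile(inventory, hypervisor_view):
    """Compare two views of the virtual IT systems.

    inventory:       {vm_name: recorded_state}
    hypervisor_view: {vm_name: (virtualisation_server, actual_state)}
    Returns a list of (finding, vm_name, server, actual_state) tuples.
    """
    findings = []
    for name, (server, actual) in sorted(hypervisor_view.items()):
        recorded = inventory.get(name)
        if recorded is None:
            findings.append(("unregistered", name, server, actual))
        elif recorded.lower() in INACTIVE_RECORDED and actual.lower() in LIVE_STATES:
            findings.append(("still-live", name, server, actual))
    for name in sorted(inventory):
        if name not in hypervisor_view:
            findings.append(("missing", name, None, None))
    return findings


# Constructed sample data: what the asset inventory records ...
SAMPLE_INVENTORY = {
    "web01": "running",
    "db02": "powered off",      # believed to be off ...
    "test07": "decommissioned", # believed to be gone ...
    "old03": "running",         # listed, but no longer exists anywhere
}

# ... and what the virtualisation servers actually report.
SAMPLE_HYPERVISOR_VIEW = {
    "web01": ("vhost-a", "running"),
    "db02": ("vhost-a", "suspended"),   # ... but only frozen, memory image kept
    "test07": ("vhost-b", "running"),   # ... but still running
    "tmp99": ("vhost-b", "running"),    # created without any inventory entry
}


if __name__ == "__main__":
    for finding in reconcile(SAMPLE_INVENTORY, SAMPLE_HYPERVISOR_VIEW):
        print(finding)
```

The "still-live" case is the one the text warns about: a suspended VM keeps its memory image and disks, so it must be treated as an operated system for patching, monitoring and protection-requirement purposes until it is actually removed.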
Organisational Shortcomings

| No. | Threat |
|---|---|
| T 2.29 | Software testing with production data |
| T 2.32 | Inadequate line bandwidth |
| T 2.37 | Uncontrolled usage of communications lines |
| T 2.60 | Strategy for the network system and management system is not laid down or insufficient |
| T 2.148 | Poor planning of the virtualisation |
| T 2.149 | Insufficient storage capacity for virtual IT systems |
| T 2.150 | Improper integration of guest tools in virtual IT systems |
| T 2.151 | Lack of manufacturer support of applications regarding the use of virtual IT systems |
Human Error

| No. | Threat |
|---|---|
| T 3.16 | Incorrect administration of site and data access rights |
| T 3.28 | Inadequate configuration of active network components |
| T 3.36 | Misinterpretation of events |
| T 3.79 | Incorrect assignment of SAN resources |
| T 3.99 | Incorrect network connections of a virtualisation server |
| T 3.100 | Improper use of snapshots of virtual IT systems |
| T 3.101 | Improper use of guest tools in virtual IT systems |
| T 3.102 | Improper time synchronisation on virtual IT systems |
Technical Failure

| No. | Threat |
|---|---|
| T 4.74 | Failure of IT components in a virtualised environment |
| T 4.75 | Failure of the network infrastructure of virtualisation environments |
| T 4.76 | Failure of administration servers for virtualisation systems |
| T 4.77 | Resource bottlenecks due to improperly functioning guest tools in virtual environments |
| T 4.78 | Failure of virtual machines due to unfinished data backup processes |
Deliberate Acts

| No. | Threat |
|---|---|
| T 5.29 | Unauthorised copying of data media |
| T 5.133 | Unauthorized use of web-based administration tools |
| T 5.147 | Unauthorised reading or disturbance of the virtualisation network |
| T 5.148 | Misuse of virtualisation functions |
| T 5.149 | Misuse of guest tools in virtual IT systems |
| T 5.150 | Compromising the hypervisor of virtual IT systems |
Method recommendation
To secure an IT system, other modules will need to be implemented in addition to this module, with these modules being selected based on the results of the IT-Grundschutz modelling process. The following must be taken into consideration for modelling virtualisation servers and virtual IT systems:
- Module S 3.304 Virtualisation must be applied to each virtualisation server or each group of virtualisation servers. A virtualisation server is a physical IT system (client or server) on which virtual IT systems are operated. Along with module S 3.304, the relevant layer 3 server or client modules must also be applied to the virtualisation servers.
- In addition to physical IT systems and virtualisation servers, virtual IT systems (virtual machines, VMs) must also be modelled with the help of the modules from the IT-Grundschutz Catalogues. In principle, VMs are modelled in the same way as physical IT systems, i.e. the relevant layer 3 and layer 5 modules are applied. Since a large number of VMs is often configured in practice, modelling them reasonably is only possible by forming suitable groups. The same rules apply to forming groups of VMs as to forming groups of physical IT systems. As a matter of principle, VMs running on different physical IT systems may also be consolidated into one group. Further information on modelling virtual IT systems can be found in safeguard S 2.392 Modelling of virtualisation servers and virtual IT systems.
Planning and design
When planning a virtual IT infrastructure, a number of general conditions must be taken into consideration. In addition to the questions regarding the virtualisation technology to be used and the corresponding products (see S 2.477 Planning a virtual infrastructure), as well as regarding the suitability of the candidate systems for virtualisation (S 2.444 Planning the use of virtual IT systems), the future network infrastructure in particular must be planned (S 5.153 Planning the network for virtual infrastructures). Furthermore, a number of organisational regulations must be adapted.
Since virtualisation servers are particularly appropriate for designing test and development environments, detailed regulations as to how to handle the data processed in these environments should be drawn up (S 2.82 Developing a test plan for standard software).
Purchasing
When selecting the hardware for virtualisation servers, it must be ensured that the systems procured are suitable for the virtualisation solution selected. The systems must have sufficient capacity to provide all planned virtual IT systems with adequate performance (S 2.445 Selection of suitable hardware for virtualisation environments).
Implementation
Designing the virtual infrastructure and installing the virtualisation servers themselves may be performed in accordance with the established procedures of the organisation (S 3.1 General server). However, the complexity of a virtualisation project as a whole should not be underestimated, which is why a number of particularities must be taken into account when configuring the networks (S 5.154 Secure configuration of a network for virtual infrastructures) and when designing administrative access to the virtualisation servers (S 2.446 Separation of administrative tasks for virtualisation servers).
Regarding the provision of virtual IT systems on the virtualisation servers, organisational safeguards for installing the virtual IT systems (S 2.447 Secure use of virtual IT systems) must be complemented by technical safeguards (S 4.346 Secure configuration of virtual IT systems) in order to guarantee secure operations.
If possible, the virtualisation servers themselves should run only those services belonging to the virtualisation technology. All other services should be provided in the virtualised instances (or on systems outside the virtual infrastructure).
Operation
The safeguards S 2.448 Monitoring the function and configuration of virtual infrastructures and S 4.349 Secure operation of virtual infrastructures form the basis for the secure operation both of the virtualisation servers and of the virtual IT systems. Additionally, safeguard S 4.348 Time synchronisation in virtual IT systems must be taken into consideration.
Contingency Planning
During contingency planning for the virtualisation servers, it should be taken into consideration that the potential extent of damage increases with the number of virtual IT systems operated on a virtualisation server. Therefore, the protection requirements of all the virtual IT systems on a server must be mapped to the protection requirements of the virtualisation components (S 6.138 Drawing up a business continuity plan for virtualisation component failure).
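The mapping of protection requirements from virtual IT systems to the virtualisation server that hosts them (introduced in the Description and required again here for contingency planning) can be made reproducible as a small derivation over the inventory. The following is an added example, not part of the IT-Grundschutz catalogue: it assumes the three levels "normal" < "high" < "very high", that a server inherits the highest level of any VM it hosts, and, to reflect the increasing extent of damage with the number of VMs on one server, that a server hosting at least a configurable number of VMs is raised one further level. That threshold (`CUMULATION_THRESHOLD`) is an assumed policy parameter, and the VM assignments are constructed sample data.

```python
"""Derive the protection requirement of each virtualisation server from the
virtual IT systems it hosts.

Assumptions (not stated in the module text):
  * ordered levels LEVELS, lowest first;
  * a server inherits the highest level among its VMs (maximum principle);
  * a server hosting at least CUMULATION_THRESHOLD VMs is raised one level,
    because the damage from its failure accumulates over all hosted VMs;
  * the top level cannot be exceeded.
The VM list at the bottom is constructed sample data.
"""

LEVELS = ["normal", "high", "very high"]   # assumed ordering, lowest first
CUMULATION_THRESHOLD = 5                   # assumed policy parameter


def derive_host_requirements(vms, threshold=CUMULATION_THRESHOLD):
    """vms: iterable of (vm_name, virtualisation_server, protection_level).

    Returns {virtualisation_server: (derived_level, reason)} so that the
    result can be documented alongside the contingency plan.
    """
    by_host = {}
    for name, host, level in vms:
        if level not in LEVELS:
            raise ValueError(f"unknown protection level {level!r} for VM {name!r}")
        by_host.setdefault(host, []).append(level)

    result = {}
    for host, levels in sorted(by_host.items()):
        top = max(levels, key=LEVELS.index)
        reason = f"highest level among {len(levels)} hosted VM(s)"
        # Cumulation: many VMs on one server raise its requirement one level,
        # unless it already sits at the top of the scale.
        if len(levels) >= threshold and LEVELS.index(top) < len(LEVELS) - 1:
            raised = LEVELS[LEVELS.index(top) + 1]
            reason = f"raised from '{top}': {len(levels)} VMs hosted (>= {threshold})"
            top = raised
        result[host] = (top, reason)
    return result


# Constructed sample inventory: (VM name, virtualisation server, VM protection level)
SAMPLE_VMS = [
    ("web01", "vhost-a", "normal"),
    ("web02", "vhost-a", "normal"),
    ("db01", "vhost-a", "high"),        # one 'high' VM lifts vhost-a to 'high'
    ("test01", "vhost-b", "normal"),
    ("test02", "vhost-b", "normal"),
    ("test03", "vhost-b", "normal"),
    ("test04", "vhost-b", "normal"),
    ("test05", "vhost-b", "normal"),    # five 'normal' VMs: cumulation lifts vhost-b to 'high'
    ("erp01", "vhost-c", "very high"),  # already at the top of the scale
    ("erp02", "vhost-c", "very high"),
]


if __name__ == "__main__":
    for host, (level, reason) in derive_host_requirements(SAMPLE_VMS).items():
        print(f"{host}: {level} ({reason})")
```

The returned reason string is what a contingency plan should record: an auditor can then see whether a server's level comes from a single sensitive VM or from the sheer number of systems that would fail together, which in turn drives the choice of safeguards such as S 2.314 Use of high-availability architectures for servers.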
The bundle of security safeguards for the "virtualisation" module is presented in the following.
Planning and design

| No. | Qualification | Safeguard |
|---|---|---|
| S 2.82 | (B) | Developing a test plan for standard software |
| S 2.314 | (Z) | Use of high-availability architectures for servers |
| S 2.392 | (A) | Modelling of virtualisation servers and virtual IT systems |
| S 2.444 | (A) | Planning the use of virtual IT systems |
| S 2.477 | (A) | Planning a virtual infrastructure |
| S 3.70 | (W) | Introduction to virtualisation |
| S 3.71 | (B) | Virtual environment training for administrators |
| S 5.153 | (B) | Planning the network for virtual infrastructures |
Purchasing

| No. | Qualification | Safeguard |
|---|---|---|
| S 2.445 | (C) | Selection of suitable hardware for virtualisation environments |
Implementation

| No. | Qualification | Safeguard |
|---|---|---|
| S 2.83 | (B) | Testing standard software |
| S 2.446 | (B) | Separation of administrative tasks for virtualisation servers |
| S 2.447 | (A) | Secure use of virtual IT systems |
| S 3.72 | (W) | Basic terminology of virtualisation technology |
| S 4.97 | (Z) | One service per server |
| S 4.346 | (A) | Secure configuration of virtual IT systems |
| S 4.347 | (Z) | Disabling of snapshots of virtual IT systems |
| S 5.154 | (B) | Secure configuration of a network for virtual infrastructures |
Operation

| No. | Qualification | Safeguard |
|---|---|---|
| S 2.448 | (B) | Monitoring the function and configuration of virtual infrastructures |
| S 2.449 | (Z) | Minimum use of console accesses to virtual IT systems |
| S 4.348 | (C) | Time synchronisation in virtual IT systems |
| S 4.349 | (A) | Secure operation of virtual infrastructures |
Contingency Planning

| No. | Qualification | Safeguard |
|---|---|---|
| S 6.138 | (C) | Drawing up a business continuity plan for virtualisation component failure |