SECURE VIRTUALIZATION - Benefits, Risks and Controls

Mariana Carroll, Paula Kotzé, Alta van der Merwe

2011

Abstract

Cloud computing is changing the IT delivery model to provide on-demand self-service access to a shared pool of computing resources (physical and virtual) via broad network access to offer reduced costs, scalability, flexibility, capacity utilization, higher efficiencies and mobility. In many instances cloud computing builds on the capabilities of a virtualized computing infrastructure enabling multi-tenancy, scalability and a highly abstracted cloud model. Even though cloud computing provides compelling benefits and cost-effective options for IT hosting and expansion, security of applications and data remains a number one business objective. It is therefore essential to ensure adequate security not only for cloud computing, but also for the underlying technologies enabling cloud computing. Management should understand and analyse risks in order to safeguard systems and data. The focus of this paper is on mitigation for virtualization security risks as a fundamental step towards secure cloud computing environments.



Paper Citation


in Harvard Style

Carroll M., Kotzé P. and van der Merwe A. (2011). SECURE VIRTUALIZATION - Benefits, Risks and Controls. In Proceedings of the 1st International Conference on Cloud Computing and Services Science - Volume 1: CLOSER, ISBN 978-989-8425-52-2, pages 15-23. DOI: 10.5220/0003390400150023


in Bibtex Style

@conference{closer11,
author={Mariana Carroll and Paula Kotzé and Alta van der Merwe},
title={SECURE VIRTUALIZATION - Benefits, Risks and Controls},
booktitle={Proceedings of the 1st International Conference on Cloud Computing and Services Science - Volume 1: CLOSER,},
year={2011},
pages={15-23},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0003390400150023},
isbn={978-989-8425-52-2},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 1st International Conference on Cloud Computing and Services Science - Volume 1: CLOSER,
TI - SECURE VIRTUALIZATION - Benefits, Risks and Controls
SN - 978-989-8425-52-2
AU - Carroll M.
AU - Kotzé P.
AU - van der Merwe A.
PY - 2011
SP - 15
EP - 23
DO - 10.5220/0003390400150023

