All in accordance with GOST. Information security when using virtualization technologies.
06/01/2017 GOST R 56938-2016 “Information protection. Information security when using virtualization technologies. General Provisions. " Somehow it turned out that the review of this GOST in many legislative innovations was lost and now I would like to fill this gap.
This GOST was developed by the Federal Autonomous Institution “State Research and Testing Institute for Technical Information Protection Problems of the Federal Service for Technical and Export Control” (FAA “GNII PTZI FSTEC of Russia”) and introduced by the technical committee for standardization “Information Protection” (TC 362).
Prior to the release of GOST R 56938-2016, to ensure the protection of virtualized environments, the recommendations of the orders of the FSTEC No. 17 and No. 21 were applied. There is a section in these orders that describes the requirements for protecting the virtualization environment. Below is a table from the appendix to the orders listing these requirements.
Xi. Virtualization Environment Protection (ZSV)
Identification and authentication of access subjects and access objects in the virtual infrastructure, including virtualization management administrators
Controlling access of access subjects to access objects in a virtual infrastructure, including inside virtual machines
Logging security events in a virtual infrastructure
Management (filtering, routing, connection control, unidirectional transmission) of information flows between the components of the virtual infrastructure, as well as along the perimeter of the virtual infrastructure
Trusted loading of virtualization servers, virtual machine (container), virtualization management servers
Managing the movement of virtual machines (containers) and the data processed on them
Monitoring the integrity of the virtual infrastructure and its configurations
Data backup, backup of hardware, virtual infrastructure software, as well as communication channels inside the virtual infrastructure
Implementation and management of antivirus protection in a virtual infrastructure
Dividing the virtual infrastructure into segments (virtual infrastructure segmentation) for processing information by an individual user and (or) a group of users
GOST R 56938-2016 defines 2 types of hypervisors:
- Type 1 hypervisor - installed directly on the hardware platform, such hypervisors according to GOST include VMware vSphere , Hyper-V, Citrix XenServer, etc.
- Type 2 hypervisor — Installs into the host operating system. These hypervisors include VirtualBox, VMWare Workstation, etc.
Also in the block of terms the hypervisor of data storage systems is separately allocated :
Программа, устанавливаемая непосредственно на аппаратное обеспечение в качестве системного программного обеспечения или в среде хостовой операционной системы в качестве прикладного программного обеспечения, выполняющая функции посредника между логическим и физическим адресными пространствами для обеспечения высокого уровня управления ресурсами хранения данных.In the same block of terms, GOST provides definitions of a virtual machine, what types of virtualization are, with respect to which resources virtualization happens, etc.
There have been many questions about what virtualization should mean. Now there are specific definitions of terms, and for any discrepancies, you can resort to GOST.
So, according to GOST,
Виртуальная инфраструктура — это композиция иерархически взаимосвязанных групп виртуальных устройств обработки, хранения и/или передачи данных, а также группы необходимых для их работы аппаратных и/или программных средств.GOST defines three levels of hierarchy in a virtual infrastructure:
- at the first (lower) level of the hierarchy (equipment level) is the hardware of the perimeter of the virtual infrastructure - the hardware used to implement virtualization technologies, including those with virtualization hardware support implemented in them;
- at the second level of the hierarchy (virtualization level), there are hypervisors and objects generated by them (virtual machines, virtual servers, virtual processors, virtual disks, virtual memory, virtual active and passive network equipment, virtual information security tools, etc.);
- At the third (upper) level of the hierarchy (management level), there is a centralized management tool for hypervisors within the framework of one virtual infrastructure - the virtual infrastructure management console.
Three levels of hierarchy in virtual infrastructure using the VMware technology stack as an example
Objects of protection
GOST identifies the following main objects of protection when using virtualization technologies:
- tools for creating and managing a virtual infrastructure (type I hypervisor, type II hypervisor, storage system hypervisor, virtual infrastructure management console, etc.);
- virtual computing systems (virtual machines, virtual servers, etc.);
- virtual data storage systems;
- virtual data transmission channels;
- separate virtual devices for processing, storing and transmitting data (virtual processors, virtual disks, virtual memory, virtual active and passive network equipment, etc.);
- virtual means of information protection (ZI) and means of ZI intended for use in a virtualization environment;
- virtual infrastructure perimeter (central processors and their cores involved in the implementation of virtualization technologies, memory address space, network interfaces, ports for connecting external devices, etc.).
GOST focuses on the fact that the use of virtualization technologies creates the prerequisites for the emergence of security threats that are not characteristic of information systems built without the use of virtualization technologies. Threats that may additionally arise when using virtualization technologies are listed below.
GOST identifies 18 such threats:
- threats of attack on active and / or passive virtual and / or physical network equipment from the physical and / or virtual network;
- threats of attack on virtual transmission channels;
- threats of attack on the hypervisor from the virtual machine and / or physical network;
- threats of attack on protected virtual devices from a virtual and / or physical network;
- threats of attack on protected virtual machines from a virtual and / or physical network;
- threats of attack on protected virtual machines from a virtual and / or physical network; (here in the published copies of GOST found there is a duplicated paragraph, perhaps they made a mistake when typing)
- threats of attack on the storage system from a virtual and / or physical network;
- threats to the process outside the virtual machine;
- threats of unauthorized access to data outside the reserved address space, including those allocated for virtual hardware;
- threats of violation of isolation of user data inside the virtual machine;
- threats of violation of the authentication procedure of subjects of virtual information interaction;
- threats of interception of hypervisor control;
- threats to take control of the virtualization environment;
- threats of uncontrolled growth in the number of virtual machines;
- threats of uncontrolled growth in the number of reserved computing resources;
- threats of violation of information processing technology by unauthorized modification of images of virtual machines;
- threats of unauthorized access to protected information stored in virtual space;
- hypervisor upgrade error threats.
It is worth noting that GOST considers precisely the threats related to virtualization security, other security threats do not lose their relevance, and they also need to be considered when creating a threat model, for example, threats related to physical access to infrastructure, organizational issues of access to information, protection access details, etc. As we can see from the list of threats, the virtualization environment introduces additional threats that are not present at the lower hardware level.
GOST provides only a list of protective measures. ZI measures are divided into several groups depending on the object of protection. The following groups are distinguished:
- protection of virtual infrastructure creation and management tools;
- protection of virtual computing systems;
- virtual storage protection;
- protection of virtual data transmission channels;
- protection of individual virtual devices for processing, storage and data transfer;
- protection of virtual information protection means and information protection means intended for use in a virtualization environment.
Summary data on threats and measures to protect information processed using virtualization technologies are summarized in the table and are given in Appendix B of this GOST.
In addition to traditional protection measures, there are also new ones that are not yet clear what they are being implemented. For example, encryption of transferred virtual machine image files. To date, there are no encryption tools for the images of virtual machines transmitted from the cloud and downloaded to the cloud (for example, during a "move"). It is possible that this functionality will acquire existing virtualization protection tools, such as vGate or Dallas Lock.
It is also worth noting that neither the GOST nor orders examined the concept of snapshots of virtual machines, and as a result, threats related to snapshots were not considered. For example, in the American NIST, a snapshot of a virtual machine is considered as a separate object of protection.
Information security systems created in pursuance of legislation, for example, according to the 17th Order, discussed in the previous article, require consideration of the entire list of possible threats. Based on this GOST, we can not reinvent the wheel when using virtualization technologies in our solutions. As stated in the 17th Order, the choice of protection measures consists of several stages:
- defining a basic set of protective measures;
- adaptation of the basic set of protective measures;
- clarification of the adapted basic set of protection measures;
- Addition of a revised adapted basic set of protection measures.
Thus, when using virtualization technologies, the addition of an updated adapted basic set of protection measures can be carried out with a clear conscience based on the requirements of GOST.
When using this GOST, it must be borne in mind that there is a project, not yet approved, but already quite discussed, “Information protection. Information security when using cloud technology. General Provisions. " The project focuses specifically on information security when interacting with cloud providers. Therefore, you need to understand the difference between the use of virtualization technologies and the consumption and / or provision of cloud services. The GOST project is quite interesting, and, probably, we will consider its provisions in the following articles.
You can test our virtual infrastructure for free by leaving a request . Cloud4Y provides a cloud that complies with information security requirements in accordance with 17 and 21 of the FSTEC Orders.