Virtual Environment Security

Overview

Virtual environment security is critical for cloud infrastructure. This lesson covers virtualization security, container security, and isolation mechanisms required by ISO 27017.

Learning Objectives

• Understand virtualization security requirements
• Implement VM hardening controls
• Secure container environments
• Manage virtual networks
• Apply ISO 27017 virtual environment controls

Virtualization Security Fundamentals

Hypervisor Architecture

Types of Hypervisors:

Type 1 (Bare Metal)          Type 2 (Hosted)
┌──────────────┐            ┌──────────────┐
│   VM    VM   │            │   VM    VM   │
├──────────────┤            ├──────────────┤
│  Hypervisor  │            │  Hypervisor  │
├──────────────┤            ├──────────────┤
│   Hardware   │            │     OS       │
└──────────────┘            ├──────────────┤
                            │   Hardware   │
                            └──────────────┘

Used in Cloud               Used in Dev/Test
(VMware ESXi, KVM, Xen)    (VirtualBox, VMware Workstation)

ISO 27017 Control CLD.6.3.1 - Virtual Machine Hardening

VM Hardening Requirements:

VM Template Hardening:

# Example Hardening Checklist
□ Remove unnecessary packages
□ Disable unused services
□ Configure firewall (iptables/nftables)
□ Enable SELinux/AppArmor
□ Configure audit logging (auditd)
□ Set password policies
□ Disable root SSH login
□ Configure NTP
□ Install security agents
□ Apply CIS benchmarks

Multi-Tenant Isolation

Isolation Mechanisms

A.9.4.4 - Use of Privileged Utility Programs

Tenant Isolation Layers:

┌─────────────────────────────────────┐
│  Tenant A          Tenant B          │
├──────────┬──────────┬───────────────┤
│ VM-A1    │ VM-B1    │  Application  │
│ VM-A2    │ VM-B2    │     Layer     │
├──────────┴──────────┴───────────────┤
│      Virtual Network Isolation       │
│  (VLANs, VXLANs, Security Groups)   │
├──────────────────────────────────────┤
│       Compute Resource Isolation     │
│  (CPU scheduling, Memory isolation)  │
├──────────────────────────────────────┤
│        Storage Isolation             │
│  (Encrypted volumes, Logical sep.)   │
├──────────────────────────────────────┤
│           Hypervisor                 │
└──────────────────────────────────────┘

Preventing VM Escape

Security Measures:

• Hardware-assisted virtualization (Intel VT-x, AMD-V)
• Regular hypervisor patching
• Minimal hypervisor attack surface
• Network isolation between management and data planes
• Monitoring for anomalous activity

Container Security

Container Architecture

CLD.6.3.2 - Protection of Virtual Machine Images

Container Stack Security

┌────────────────────────────────────┐
│        Applications                │  ← App vulnerabilities
├────────────────────────────────────┤
│        Container Images            │  ← Image scanning
├────────────────────────────────────┤
│     Container Runtime (containerd) │  ← Runtime security
├────────────────────────────────────┤
│    Orchestration (Kubernetes)      │  ← K8s security
├────────────────────────────────────┤
│    Host OS (Linux)                 │  ← OS hardening
├────────────────────────────────────┤
│         Hardware                   │  ← Physical security
└────────────────────────────────────┘

Container Security Best Practices

1. Image Security:

• Use minimal base images (Alpine, Distroless)
• Scan images for vulnerabilities (Trivy, Clair)
• Sign images (Docker Content Trust)
• Use private registries
• Regular image updates

2. Runtime Security:

• Run containers as non-root
• Use read-only filesystems
• Apply AppArmor/SELinux profiles
• Resource limits (CPU, memory)
• Network policies

3. Orchestration Security (Kubernetes):

# Example Pod Security Policy
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false  # No privileged containers
  runAsUser:
    rule: MustRunAsNonRoot  # Non-root user required
  fsGroup:
    rule: RunAsAny
  readOnlyRootFilesystem: true  # Read-only FS
  allowPrivilegeEscalation: false

Virtual Network Security

CLD.9.5.2 - Virtual Network Environment Protection

Virtual Network Components:

Network Isolation Patterns

1. VPC Isolation (AWS/Azure/GCP):

┌──────────────────────────────────────┐
│           VPC (10.0.0.0/16)          │
│                                       │
│  ┌─────────────┐   ┌──────────────┐ │
│  │Public Subnet│   │Private Subnet│ │
│  │10.0.1.0/24  │   │10.0.2.0/24   │ │
│  │             │   │              │ │
│  │  Web Tier   │   │   DB Tier    │ │
│  │             │   │              │ │
│  └──────┬──────┘   └──────┬───────┘ │
│         │                 │          │
│    ┌────▼─────┐      ┌───▼──────┐  │
│    │ Internet │      │   NAT    │  │
│    │ Gateway  │      │ Gateway  │  │
│    └──────────┘      └──────────┘  │
└──────────────────────────────────────┘

2. Microsegmentation:

• Segment by application tier
• Segment by data sensitivity
• Segment by compliance requirement
• Zero-trust network architecture

Security Group Rules Example

Web Tier Security Group (Inbound)
├─ Allow TCP 443 from 0.0.0.0/0 (HTTPS)
├─ Allow TCP 80 from 0.0.0.0/0 (HTTP - redirect to HTTPS)
└─ Deny all other inbound

Web Tier Security Group (Outbound)
├─ Allow TCP 3306 to DB Security Group (MySQL)
├─ Allow TCP 443 to 0.0.0.0/0 (API calls)
└─ Deny all other outbound

DB Tier Security Group (Inbound)
├─ Allow TCP 3306 from Web Security Group only
└─ Deny all other inbound

DB Tier Security Group (Outbound)
├─ Allow TCP 443 to backup service
└─ Deny all other outbound

Virtual Machine Image Management

CLD.6.3.2 - Protection of Virtual Machine Images

Image Lifecycle:

1. Create Base Image
   ├─ Start with minimal OS
   ├─ Apply security hardening
   ├─ Install security agents
   └─ Document configuration

2. Secure Image
   ├─ Remove sensitive data
   ├─ Scan for vulnerabilities
   ├─ Apply encryption
   └─ Sign image

3. Store Image
   ├─ Private image repository
   ├─ Access controls (RBAC)
   ├─ Version control
   └─ Audit logging

4. Deploy Image
   ├─ Verify signature
   ├─ Check for updates
   ├─ Apply instance-specific config
   └─ Monitor deployment

5. Update Image
   ├─ Regular security updates
   ├─ Rebuild rather than patch
   ├─ Test before deployment
   └─ Deprecate old versions

Golden Image Best Practices

Hardening Standards:

• CIS Benchmarks
• DISA STIGs (Defense Information Systems Agency)
• Vendor security guides
• Industry frameworks (NIST, ISO)

Image Scanning:

• Vulnerability scanning (OpenVAS, Nessus)
• Malware scanning
• Configuration compliance
• License compliance

Snapshot and Backup Security

A.12.3.1 - Information Backup

Snapshot Security:

Monitoring Virtual Environments

CLD.12.4.5 - Monitoring of Cloud Services

Key Metrics:

Performance Monitoring
├─ CPU utilization
├─ Memory usage
├─ Disk I/O
├─ Network throughput
└─ Response times

Security Monitoring
├─ Failed login attempts
├─ Privilege escalation attempts
├─ Unauthorized access attempts
├─ Configuration changes
└─ Anomalous behavior

Compliance Monitoring
├─ Patch compliance
├─ Configuration drift
├─ Encryption status
├─ Access reviews
└─ Audit log completeness

Key Takeaways

1. Hypervisor security is fundamental to multi-tenant isolation
2. VM hardening reduces attack surface
3. Container security requires multiple layers
4. Virtual networks must be properly segmented
5. Image management includes scanning and signing
6. Monitoring detects security issues early
7. Regular patching is essential for virtual environments

Preparation for Next Lesson

Next lesson: Data Segregation and Isolation covering:

• Tenant data isolation techniques
• Database multi-tenancy
• Data encryption strategies
• Access control in multi-tenant environments

Self-Assessment Questions

1. What is the difference between Type 1 and Type 2 hypervisors?
2. Name three VM hardening measures.
3. What is VM escape and how can it be prevented?
4. Why is container image scanning important?
5. What are security groups and how do they work?
6. How should VM images be protected?
7. What monitoring is needed for virtual environments?