Educause Security Discussion mailing list archives

Re: Virtualization and Security ?


From: "St Clair, Jim" <Jim.StClair () GT COM>
Date: Wed, 11 Feb 2009 08:25:30 -0600

On an additional note, NIST is to consider a Special Publication this year (FY) as a guide to securing cloud computing 
and virtualization.

The Information Security and Privacy Advisory Board (ISPAB) discussed the topic at their December meeting. The link has 
a couple presentations:
http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2008-12/December-2008.html


James A. St.Clair, CISM, PMP
Senior Manager
Global Public Sector
Grant Thornton LLP
T  703-637-3078
F  703-637-4455
C  703-727-6332
E  jim.stclair () gt com


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Alex
Sent: Tuesday, November 25, 2008 3:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: Virtualization and Security ?

Clifford Collins:

You may be interested in the following documents:

Data Security Standard 1.1 - Applied to VMware ESX 3.0.1*
Using VMware and VDI and vmSight for Stronger and Sustainable HIPAA and PCI Compliance
Five Immutable Laws of Virtualization Security*
An Empirical Study into the Security Exposure of Hosts of Hostile Virtualized Environments
VMware Infrastructure 3 Security Hardening*

A company named StoneSoft had a good presentation at an ISSA meeting here. Although, I can't seem to find that 
presentation.

* indicates a good document

-Alex Everett, CISSP
University of North Carolina


________________________________
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Clifford 
Collins
Sent: Tuesday, November 25, 2008 11:06 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Virtualization and Security ?

I applaud everybody's efforts to secure their VMware environments. I too am in the process of arguing for similar "best 
practices" as we deploy VMware.  However, I'm getting pushback because the decision-makers have not heard of any 
industry "best practices" to justify the extra work and expense. Would any of you please bring to my attention 
documentation to justify our position? Thanks in advance for the help!

Clifford A. Collins
Information Security Officer
Franklin University
201 South Grant Avenue
Columbus, Ohio 43215
"Security is a process, not a product"

----- Original Message -----
From: "Anand Malwade" <malwadan () SHU EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Sent: Monday, November 10, 2008 5:11:59 PM GMT -05:00 US/Canada Eastern
Subject: [SECURITY] Virtualization and Security ?


Folks,

We are looking into Data Center Consolidation and plan to virtualize most of our servers. Now Virtualization can yield 
significant operational advantages, but also introduces, among others, network and security complexity and management 
challenges.

My question to the forum is

a) Is anyone fully virtualized? If so, was a Vendor hired to perform this function and are there any lessons learnt 
that I should be aware of with the deployment?

b) Has anyone run into significant Security and Risk Issues?


Thanks,
Anand


Anand Malwade
Information Security Officer,
Seton Hall University,
Tel: 973 275 2209
malwadan () shu edu
