Virtualization and Cloud Computing

Virtualization, Cloud and Security

Michael Grafnetter

Agenda
  • Virtualization Security Risks and Solutions
  • Cloud Computing Security
  • Identity Management
Virtualization and Cloud Computing

Virtualization Security Risks and Solutions

Blue Pill Attack
  • Presented in 2006 by Joanna Rutkowska at the Black Hat conference
  • Traps the running OS by starting a thin hypervisor underneath it (using AMD-V hardware virtualization) and virtualizing the underlying machine on the fly; this requires the right to execute privileged instructions, i.e. kernel-level code execution on the victim
  • Once in place, it can intercept nearly anything and return fake responses (hardware interrupts, requests for data, system time, etc.)
Red Pill
  • Blue Pill can be detected by a timing attack
    • An instruction the hypervisor has to trap and emulate (CPUID is the classic choice) takes far longer than it does natively; measure it and compare against a baseline taken on bare metal
    • An external time source (NTP) has to be used for the measurement, because a hypervisor can also spoof the guest-visible system time and cycle counter
VMM Vulnerability
  • A vulnerability in the VMM (hypervisor) is shared by every guest on the host: an attacker who escapes from one VM can attack all the other servers on that host at once, instead of compromising them one by one
Datacenter Management SW
  • Virtualization infrastructure management software (VMware vCenter, Microsoft System Center Virtual Machine Manager) is used to control multiple hosts at once, so a compromised management server or administrator account reaches every host it manages
Web Access to DCs
  • Multiple datacenters can be managed from a central (typically web-based) console. Its security therefore has to be hardened: it is a single point from which every managed system can be affected.
One Ring to rule them all…
  • Management commands are available through PowerShell (VMware PowerCLI cmdlets) or web APIs; a single pipeline acts on every VM the account is allowed to see:
    • Get-VM -Name * | Stop-VM
    • Get-VM -Name * | Remove-VM
    • Copy-VMGuestFile
    • Invoke-VMScript -ScriptType Bash


DoS attack on virtualization infrastructure
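The following PowerCLI session is an added example, not part of the original deck: it first shows the blast radius of the slide's one-liner without executing it (-WhatIf), then audits who holds the Administrator role at the vCenter root, and finally builds a least-privilege role scoped to a single VM folder so that an operations account cannot power off or delete every VM in the inventory. The vCenter name, the folder "AppTeam-Prod" and the group CORP\AppTeam-Operators are assumed names.

```powershell
# Added example (not from the original deck). Assumptions: vCenter vcenter.example.local,
# a VM folder "AppTeam-Prod" and an AD group CORP\AppTeam-Operators. Run in a PowerCLI session.
Import-Module VMware.PowerCLI
Connect-VIServer -Server vcenter.example.local

# 1. Show what the slide's pipeline would do. -WhatIf lists every VM that Stop-VM
#    would power off and touches none of them.
Get-VM -Name * | Stop-VM -WhatIf

# 2. Who holds the built-in Administrator role ("Admin") on the root object?
#    Each of these principals can run the destructive pipelines against every
#    datacenter this vCenter manages.
$root = Get-Folder -Name Datacenters -Type Datacenter -NoRecursion
Get-VIPermission -Entity $root |
    Where-Object { $_.Role -eq 'Admin' } |
    Select-Object Principal, Role, Propagate

# 3. A custom role with only the privileges an operations team needs:
#    power cycling and console access. It deliberately lacks
#    VirtualMachine.Inventory.Delete (Remove-VM) and the
#    VirtualMachine.GuestOperations.* privileges that Copy-VMGuestFile and
#    Invoke-VMScript require.
$privileges = Get-VIPrivilege -Id @(
    'System.Anonymous', 'System.View', 'System.Read',
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Reset',
    'VirtualMachine.Interact.ConsoleInteract'
)
$role = New-VIRole -Name 'VM-Operator' -Privilege $privileges

# 4. Grant the role on one folder only, so the scope is the team's VMs rather
#    than the result of "Get-VM -Name *".
$scope = Get-Folder -Name 'AppTeam-Prod' -Type VM
New-VIPermission -Entity $scope -Principal 'CORP\AppTeam-Operators' -Role $role -Propagate:$true

# 5. Verify: the permission appears on the folder, and the group is absent from
#    the root-level Admin list produced in step 2.
Get-VIPermission -Entity $scope
```

Two things the example relies on: every PowerCLI cmdlet that changes state supports -WhatIf and -Confirm, so the first line is safe to run against production; and vCenter permissions are evaluated per inventory object, so granting the role on the folder (with propagation) rather than at the root is what limits the reach of the account, not the role definition alone.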

Physical vs. Virtual Firewall
  • With virtualization, servers from different trust zones usually share the same physical resources (memory, network card, etc.), so the physical firewall between the zones never sees traffic that stays inside the host; isolation has to be enforced in the virtual switch or by a virtual firewall


Configuring traffic isolation on VMware ESXi
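As an added example (not the deck's own demo), the PowerCLI script below separates a DMZ trust zone on an ESXi host: a dedicated standard vSwitch with its own uplink, a VLAN-tagged port group, and a port-group security policy that rejects promiscuous mode, MAC changes and forged transmits, followed by an audit of every port group on the host. The host name esx01.example.local, the uplink vmnic2 and VLAN 20 are assumed values.

```powershell
# Added example (not from the original deck). Assumptions: host esx01.example.local,
# a free physical uplink vmnic2 for the DMZ, VLAN 20 for the DMZ trust zone.
Import-Module VMware.PowerCLI
Connect-VIServer -Server vcenter.example.local
$vmhost = Get-VMHost -Name esx01.example.local

# 1. A separate standard vSwitch with its own physical uplink keeps DMZ frames
#    off the NIC that carries the internal trust zone.
$dmzSwitch = New-VirtualSwitch -VMHost $vmhost -Name 'vSwitch-DMZ' -Nic 'vmnic2'

# 2. A VLAN-tagged port group on that switch; DMZ VMs connect here.
$dmzPortGroup = New-VirtualPortGroup -VirtualSwitch $dmzSwitch -Name 'DMZ' -VLanId 20

# 3. Security policy on the port group. Promiscuous mode lets a guest sniff its
#    neighbours' traffic; MAC changes and forged transmits let a guest impersonate
#    another VM's MAC address. A standard vSwitch accepts the latter two by default.
Get-SecurityPolicy -VirtualPortGroup $dmzPortGroup |
    Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false

# 4. Audit: any port group on the host that still accepts one of the three is a finding.
Get-VirtualPortGroup -VMHost $vmhost | ForEach-Object {
    $policy = Get-SecurityPolicy -VirtualPortGroup $_
    [pscustomobject]@{
        PortGroup        = $_.Name
        VLanId           = $_.VLanId
        AllowPromiscuous = $policy.AllowPromiscuous
        MacChanges       = $policy.MacChanges
        ForgedTransmits  = $policy.ForgedTransmits
    }
} | Where-Object { $_.AllowPromiscuous -or $_.MacChanges -or $_.ForgedTransmits }
```

The uplink separation in step 1 is what gives the physical firewall a chance to see inter-zone traffic again: if both zones hang off the same vSwitch, a DMZ VM and an internal VM on the same host exchange frames entirely inside the host's memory.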

Other risks of virtualization
  • Introduction of yet another OS
  • Reliance on traditional barriers
  • Accelerated provisioning
  • Security left to non-traditional security staff
  • Audit scope creep
Security Solutions
  • Virtual Firewall
    • Live migration
    • Stretched clusters
  • Agentless Antivirus
  • Extensible Switches
  • Mobile Virtualization Platform
  • Virtual Desktop Infrastructure (VDI)
Virtualization and Cloud Computing

Cloud Computing Security Risks

Other Cloud Risks
  • Unclear data location
  • Regulatory compliance
  • Data segregation
  • Lack of investigative support
  • Disaster recovery
  • Long-term viability, vendor lock-in
Identity Management
  • Basic Concepts
    • External user DBs
    • Two-factor authentication
    • Role-Based Access Control (RBAC)
  • Identity Federation
    • OAuth
    • OpenID
    • SAML
    • RADIUS Proxy
    • Identity Bridges
External User DBs
  • Typically Active Directory or a generic LDAP directory is used as the central identity store for virtualization infrastructures, so that hypervisor and management-console accounts are not local, unmanaged credentials

  • Used to delegate user authorization to a 3rd-party service provider


Creating a web application with Facebook/Twitter/Microsoft Account authentication


SAML
  • Similar to OpenID, but targeted at the enterprise
  • Security Assertion Markup Language
  • XML-based
  • Supports Single sign-on
  • Requires mutual trust between IdP and SP
  • Multiple bindings, not just HTTP
  • Supports Identity provider initiated authentication
SAML Example

<saml:Assertion ... ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac" Version="2.0" ...>
  ...
  <saml:Conditions NotBefore="2004-12-05T09:17:05" NotOnOrAfter="2004-12-05T09:27:05">
  ...
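The validity window and assertion ID shown above are exactly what a service provider has to check before trusting the assertion. The PowerShell function below is an added example, not part of the original deck: it validates Version, Issuer, the NotBefore/NotOnOrAfter window with a clock-skew allowance, the AudienceRestriction, and replays of the same assertion ID. The assertion it parses is constructed for this example (it reuses the slide's ID and time window; the issuer, audience and subject are made up), and it assumes the XML signature over the assertion has already been verified against the IdP's certificate; the checks here say nothing about authenticity.

```powershell
# Added example (not from the original deck). The assertion is constructed; the issuer,
# audience and subject are invented, the ID and Conditions window come from the slide.
$assertionXml = @'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac" Version="2.0"
    IssueInstant="2004-12-05T09:17:05Z">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">3f7b3dcf</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2004-12-05T09:17:05Z" NotOnOrAfter="2004-12-05T09:27:05Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/SAML2</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
'@

function Test-SamlAssertionConditions {
    param(
        [Parameter(Mandatory)] [string] $Xml,
        [Parameter(Mandatory)] [string] $ExpectedIssuer,
        [Parameter(Mandatory)] [string] $ExpectedAudience,
        [Parameter(Mandatory)] [datetime] $Now,      # UTC, injected so the check is reproducible
        [int] $ClockSkewSeconds = 180,
        [System.Collections.Generic.HashSet[string]] $SeenAssertionIds = [System.Collections.Generic.HashSet[string]]::new()
    )
    # Signature verification (SignedXml against the IdP certificate) must precede this
    # function; an unsigned or wrongly signed assertion never reaches these checks.
    $doc = [xml] $Xml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $a = $doc.SelectSingleNode('/saml:Assertion', $ns)
    $failures = [System.Collections.Generic.List[string]]::new()

    if ($a.Version -ne '2.0') { $failures.Add("unexpected Version '$($a.Version)'") }
    $issuer = $a.SelectSingleNode('saml:Issuer', $ns).InnerText
    if ($issuer -ne $ExpectedIssuer) { $failures.Add("issuer '$issuer' is not the trusted IdP") }

    # Conditions window: SAML times are UTC xsd:dateTime values; XmlConvert parses them
    # properly and a small skew covers clock drift between IdP and SP.
    $c = $a.SelectSingleNode('saml:Conditions', $ns)
    $utc = [System.Xml.XmlDateTimeSerializationMode]::Utc
    $notBefore    = [System.Xml.XmlConvert]::ToDateTime($c.NotBefore, $utc)
    $notOnOrAfter = [System.Xml.XmlConvert]::ToDateTime($c.NotOnOrAfter, $utc)
    $skew = [timespan]::FromSeconds($ClockSkewSeconds)
    if ($Now -lt $notBefore.Subtract($skew)) { $failures.Add("assertion not yet valid (NotBefore $($c.NotBefore))") }
    if ($Now -ge $notOnOrAfter.Add($skew))   { $failures.Add("assertion expired (NotOnOrAfter $($c.NotOnOrAfter))") }

    # Audience: an assertion issued for another SP must not be accepted here.
    $audiences = @($c.SelectNodes('saml:AudienceRestriction/saml:Audience', $ns) | ForEach-Object InnerText)
    if ($audiences -notcontains $ExpectedAudience) { $failures.Add('audience restriction does not name this SP') }

    # Replay: the ID is unique per assertion. Remembering IDs for the validity window
    # rejects a captured assertion even while NotOnOrAfter has not passed.
    if (-not $SeenAssertionIds.Add($a.ID)) { $failures.Add("assertion ID $($a.ID) already consumed (replay)") }

    [pscustomobject]@{ Valid = ($failures.Count -eq 0); Failures = $failures.ToArray() }
}

$seen = [System.Collections.Generic.HashSet[string]]::new()
$common = @{
    Xml              = $assertionXml
    ExpectedIssuer   = 'https://idp.example.org/SAML2'
    ExpectedAudience = 'https://sp.example.com/SAML2'
    SeenAssertionIds = $seen
}
Test-SamlAssertionConditions @common -Now ([datetime]::new(2004, 12, 5, 9, 20, 0, [DateTimeKind]::Utc))  # inside the window: Valid
Test-SamlAssertionConditions @common -Now ([datetime]::new(2004, 12, 5, 9, 20, 0, [DateTimeKind]::Utc))  # same ID again: replay
Test-SamlAssertionConditions @common -Now ([datetime]::new(2004, 12, 5, 9, 40, 0, [DateTimeKind]::Utc))  # after NotOnOrAfter: expired
```

The ten-minute window in the slide's example is what bounds the replay exposure; the ID cache only has to cover that window plus the skew allowance, after which NotOnOrAfter rejects the assertion on its own.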



Microsoft Active Directory Federation Services
  • SAML-based (SAML 2.0 and WS-Federation)
  • Typically used to give business partners access to intranet portals

  • SAML-based federation portal
  • Open Source


Signing in to a federated web application