CSA CCM IVS-01
Infrastructure and Virtualization Security Policy Guidelines

Keeping your virtual machines secure is crucial, but it can be tricky to get right. Having a solid set of policies and procedures around infrastructure and virtualization security helps ensure nothing falls through the cracks. Make sure to review and update them at least annually to keep pace with the ever-evolving threat landscape.

Where did this come from?

This control comes from the CSA Cloud Controls Matrix v4.0.10 released on 2023-09-26. You can download the full matrix here.

The Cloud Security Alliance is a leading organization that promotes best practices for secure cloud computing. Their Cloud Controls Matrix provides a helpful framework for assessing the security posture of cloud providers and guiding security efforts.

For more background, check out the AWS Security Best Practices whitepaper which aligns with many CCM controls.

Who should care?

  • Cloud security architects designing secure virtualized environments
  • DevOps engineers responsible for hardening virtual machine configurations
  • Compliance officers ensuring cloud workloads meet regulatory requirements
  • IT managers overseeing migration of on-prem infrastructure to the cloud

What is the risk?

Without well-defined policies and procedures around virtualization security, you may be exposed to:

  • Unauthorized access to sensitive data processed or stored on VMs
  • Disruption of services running on poorly configured or vulnerable VMs
  • Non-compliance with industry or government regulations (PCI DSS, HIPAA, GDPR, etc.)
  • Reputational damage resulting from security breaches originating from your cloud

Having a structured approach to virtualization security as outlined in this control can significantly reduce the likelihood and impact of these risks. However, policies alone aren't bulletproof - they must be accompanied by proper implementation, enforcement and ongoing maintenance.

What's the care factor?

For most organizations, virtualization security should be a top priority, especially if you:

  • Handle sensitive customer data or provide mission-critical services
  • Operate in highly regulated industries
  • Have complex cloud architectures with many interconnected VMs
  • Allow a wide range of users to provision and manage VMs

The reputational and financial costs of virtualization security failures can be massive, so it's well worth investing the time to get your policies and procedures right. That said, smaller scale or lower risk deployments may be able to get away with a lighter touch approach.

When is it relevant?

This control is most applicable when:

  • Migrating on-premises workloads to virtualized cloud infrastructure
  • Standing up new virtual machines or containers in the cloud
  • Allowing self-service provisioning of VMs by developers or end users
  • Processing or storing sensitive data on cloud hosted VMs
  • Undergoing audits or regulatory assessments of cloud workloads

It's less critical for:

  • Fully serverless architectures that don't utilize VMs
  • Standalone VMs not connected to any network
  • Dev/test VMs that don't handle production data

What are the trade-offs?

Implementing rigorous virtualization security controls requires an up-front and ongoing investment in:

  • Defining policies and procedures
  • Purchasing and configuring security tools
  • Training staff and developers
  • Auditing and penetration testing

This may slow down the pace of development and make the VM provisioning process more cumbersome for users. Highly restrictive virtualization security policies may also hamper the agility and flexibility benefits that the cloud provides.

The key is striking the right balance based on your particular risk tolerance and compliance obligations. Start with a solid foundation and adjust from there as needed.

How to make it happen?

Here's a high-level roadmap to implementing this control in an AWS environment:

  1. Define and document your virtualization security policies covering the key areas outlined in the CCM control (VM lifecycle management, image storage, backups, network security, access control, change management, etc).
  2. Configure AWS Identity and Access Management (IAM) to enforce role-based access control and least privilege permissions for VM management. Restrict access to the EC2 API and Management Console.
  3. Use Amazon Machine Images (AMIs) to create hardened, patched and properly configured VM templates. Utilize AWS EC2 Image Builder to automate image creation and maintenance.
  4. Control the storage and distribution of AMIs and EBS snapshots. Enable EBS encryption and restrict permissions for copying and exporting images.
  5. Implement network security controls like VPC Security Groups, Network ACLs, and VPC Flow Logs to properly segment VMs and monitor traffic.
  6. Utilize AWS Backup to enable automated, policy-driven backups of VMs and create a disaster recovery plan.
  7. Tag VMs with metadata indicating sensitivity level and compliance scope. Use tags to apply security policies at scale.
  8. Integrate with AWS security services like GuardDuty, Inspector, and Security Hub to continuously monitor for misconfigurations and threats across your VM fleet.
  9. Implement a formal change management process with approvals for VM provisioning, modification, and decommissioning. Utilize infrastructure-as-code tools like CloudFormation or Terraform to enforce consistent configurations.
  10. Schedule regular audits and assessments to measure compliance with your virtualization security policies. Update policies and procedures based on audit findings and industry best practices.

What are some gotchas?

  • IAM permissions for VM management are extremely powerful. Misconfiguration can allow attackers to gain full control of your VMs. Follow the principle of least privilege when assigning permissions. Key permissions to restrict include ec2:*, iam:PassRole, and iam:CreateInstanceProfile.
  • Default security group configs allow all outbound traffic. Make sure to restrict this to only necessary ports and protocols. Avoid using broad CIDR ranges like 0.0.0.0/0.
  • EBS volumes are not encrypted by default. Enable EBS encryption to protect data at rest.
  • Managed services like RDS, EMR, etc run on EC2 under the covers. Make sure your virtualization security policies extend to these services as well.

What are the alternatives?

Some potential alternatives or complements to the best practices outlined in this control:

  • Utilizing a 3rd party Cloud Security Posture Management (CSPM) tool like Prisma Cloud or CloudSploit to automatically assess VM security configurations against best practice benchmarks.
  • Implementing a Cloud Workload Protection Platform (CWPP) to provide runtime protection and behavioral monitoring for VMs. Tools like CrowdStrike, SentinelOne, and Trend Micro Deep Security specialize in this area.
  • Adopting immutable infrastructure practices where VMs are never patched or modified after deployment. Instead, changes are made by provisioning new VMs from updated golden images. This can limit the attack surface and make it easier to enforce secure configurations.
  • Moving to a serverless architecture that abstracts away VM management to the cloud provider. This can reduce the virtualization security burden but requires a different approach to application security.

Explore further

?

Blog

Learn cloud security with our research blog