Slide1
Free, online, technical courses
Take a free online course
http://www.microsoftvirtualacademy.com
Microsoft Virtual Academy
Slide2
Module 4: Security Improvements
Slide3
Evolving security threats
Rising number of organizations suffer from breaches
Headlines shown on the slide:
- “Cybercrime costs US economy up to $140 billion annually, report says” (Los Angeles Times, 2014)
- “How hackers allegedly stole ‘unlimited’ amounts of cash from banks in just a few hours” (Ars Technica, 2014)
- “The biggest cyberthreat to companies could come from the inside” (Cnet, 2015)
- “Cyberattacks on the rise against US corporations” (New York Times, 2014)
- “Espionage malware infects rafts of governments, industries around the world” (Ars Technica, 2014)
- “Forget carjacking, soon it will be carhacking” (The Sydney Morning Herald, 2014)
- “Malware burrows deep into computer BIOS to escape AV” (The Register, September 2014)
Three trends the headlines are tagged with:
1. Increasing incidents
2. Bigger motivations
3. Bigger risk
Slide4
Central risk: Administrator privileges
We know that administrators have the keys to the kingdom; we gave them those keys decades ago.
But those administrators' privileges are being compromised through social engineering, bribery, coercion and private initiatives:
- Stolen admin credentials
- Insider attacks
- Phishing attacks
… each of these attacks seeks out and exploits privileged accounts.
Slide5
Conclusion: change the way we think about security
We have to “assume breach”: not a position of pessimism, but one of security rigor.
Problem:
- A breach will happen (or already did?)
- Lacking the security-analysis manpower
- Can't determine the impact of the breach
- Unable to adequately respond to the breach
New approach (in addition to ‘prevention’):
- Limit or block the breach from spreading
- Detect the breach
- Respond to the breach
Slide6
Protect virtual machines
Challenges in protecting high value virtual machines
(Diagram: a customer's guest VM runs on a host OS over the hypervisor, on top of fabric storage; the open question on the slide is “Legitimate host?”)
- A seized or infected host, or a host administrator, can access guest virtual machines
- It is impossible to identify legitimate hosts without hardware-based verification
- Tenant VMs are exposed to storage and network attacks while unencrypted
Slide7
Protect virtual machines
Microsoft's approach
(Diagram: the guest VM's OS, data and workload sit on the compute, storage and network provided by the hypervisor and fabric; the fabric asks the Host Guardian Service to “Trust the host” before the guest VM runs)
Host Guardian Service: the enabler for running Shielded Virtual Machines on a legitimate host in the fabric
Shielded VM: a BitLocker-enabled VM
Virtual Secure Mode: process and memory access protection from the host
Hardware-rooted technologies, matched to the challenges of the previous slide:
- A seized or infected host, or a host administrator, can access guest virtual machines → hardware-rooted technologies to separate the guest operating system from host administrators
- Impossible to identify legitimate hosts without hardware-based verification → a guarded fabric to identify legitimate hosts and certify them to run shielded tenant VMs
- Tenant VMs are exposed to storage and network attacks while unencrypted → virtualized trusted platform module (vTPM) support to encrypt virtual machines
Slide8
So what is a ‘Shielded VM’?
“The data and state of a shielded VM are protected against inspection, theft and tampering from both malware and datacenter administrators [1].”
[1] fabric admins, storage admins, server admins, network admins
Slide9
Protect virtual machines
How it works with Windows Server and System Center
Components on the slide:
- Logo certified server hardware (UEFI, TPM v2.0, Virtualization, IOMMU)
- Host Guardian Service: host verification and vTPM key management (the key management service for VM TPMs)
- Trusted administrator: VM provisioning and host management
- SCVMM: manage encrypted VMs and manage legitimate hosts
- Shielded VM (customer guest VM on the host OS, hypervisor and fabric storage): Virtual Secure Mode to protect OS secrets, secure and measured boot, BitLocker enabled
Flows drawn between them:
- Host → Host Guardian Service: attestation information
- Host Guardian Service → host: certificate
- Host → Host Guardian Service: encrypted key + certificate
- Host Guardian Service → host: key (released only against a valid certificate)
Slide10
Protect virtual machines
Shielded Virtual Machines
(Diagram: the virtual hard disks of Shielded Virtual Machines sit on shared storage; a host with a TPM can run them, a host without a TPM (a generic host) cannot, and the Host Guardian Service holds the keys)
- Shielded Virtual Machines can only run in fabrics that are designated as owners of that virtual machine
- Shielded Virtual Machines will need to be encrypted (by BitLocker or other means) in order to ensure that only the designated owners can run this virtual machine
- You can convert a running virtual machine into a Shielded Virtual Machine
Slide11
Shielded VMs: Security Assurance Goals
Encryption & data at-rest/in-flight protection:
- Virtual TPM enables the use of disk encryption within a VM (e.g. BitLocker)
- Both Live Migration and VM-state are encrypted
Admin-lockout:
- Host administrators cannot access guest VM secrets (e.g. can't see disks or video)
- Host administrators cannot run arbitrary kernel-mode code
Attestation of health:
- VM-workloads can only run on “healthy” hosts
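The two slides above describe what shielding a VM means (designated owner fabric, vTPM-backed BitLocker, host admin locked out) but not how a tenant applies it. The script below is an added example, not code from the deck, showing the tenant-side steps with the Windows Server 2016 HgsClient and Hyper-V cmdlets: create an owner guardian, import the hosting fabric's guardian from its Host Guardian Service metadata, wrap both into a key protector, then attach it, enable the vTPM and switch on the shielding policy. The VM name, the HGS FQDN and the metadata path are assumptions; the cmdlet path assumes the VM is stopped while its key protector is applied.

```powershell
# Added example (not from the deck): shield an existing Generation 2 VM so
# that only the designated fabric can start it and its vTPM (and therefore
# its BitLocker key) is unlocked only after that fabric attests.
# VM name, HGS FQDN and file path below are assumptions for illustration.
$VMName   = 'TestVM'                        # assumed VM name
$HgsFqdn  = 'hgs.relecloud.com'             # assumed HGS service FQDN
$MetaPath = '.\RelecloudGuardianMetadata.xml'

# 1. Owner guardian: the tenant's own key pair. Keep its private keys off
#    the fabric; whoever holds them can re-key the VM to another fabric.
$Owner = Get-HgsGuardian -Name 'Owner' -ErrorAction SilentlyContinue
if (-not $Owner) {
    $Owner = New-HgsGuardian -Name 'Owner' -GenerateCertificates
}

# 2. Fabric guardian: the hoster's HGS publishes its signing and encryption
#    certificates as metadata; importing it designates that fabric as one
#    allowed to run the VM (slide 10: "fabrics designated as owners").
Invoke-WebRequest "http://$HgsFqdn/KeyProtection/service/metadata/2014-07/metadata.xml" -OutFile $MetaPath
$Fabric = Import-HgsGuardian -Path $MetaPath -Name 'RelecloudFabric' -AllowUntrustedRoot

# 3. Key protector: a blob wrapping the vTPM key so that the owner and the
#    listed guardian(s) can unwrap it. -AllowUntrustedRoot is only for a lab
#    where HGS uses self-signed certificates; drop it in production so a
#    rogue HGS with an untrusted chain cannot be listed as a guardian.
$KP = New-HgsKeyProtector -Owner $Owner -Guardian $Fabric -AllowUntrustedRoot

# 4. Apply to the VM: attach the key protector, enable the vTPM the guest
#    uses for BitLocker, and turn on the shielding policy that locks host
#    admins out of console, memory and saved state.
Set-VMKeyProtector    -VMName $VMName -KeyProtector $KP.RawData
Enable-VMTPM          -VMName $VMName
Set-VMSecurityPolicy  -VMName $VMName -Shielded $true

# 5. Check: a shielded VM reports Shielded=True and TpmEnabled=True.
Get-VMSecurity -VMName $VMName | Select-Object VMName, Shielded, TpmEnabled
```

Enabling the vTPM is what lets the guest turn on BitLocker against a TPM protector; the shielding policy is what enforces the admin-lockout goals, and `Get-VMSecurity` is the quickest way to confirm both took effect before handing the VM to the fabric.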
Slide12
Attestation Modes: mutually exclusive
Admin-trusted (Active Directory-based), typical for Enterprises:
- Simplified deployment and configuration: set up an Active Directory trust and register a group; authorize a Hyper-V host to run shielded VMs by adding it to the Active Directory group
- Existing H/W likely to meet requirements
- Scenarios enabled: data protection at rest and on the wire; secure DR to a hoster (VM already shielded)
- Weaker levels of assurance: fabric admin is trusted; no hardware-rooted trust or measured boot; no enforced code integrity
H/W-trusted attestation (TPM-based), typical for Service Providers:
- More complex setup/configuration: register each Hyper-V host's TPM (EKpub) with the HGS; establish a baseline CI policy for each different H/W SKU; deploy an HSM and use HSM-backed certificates
- New Hyper-V host hardware required: needs to support TPM v2.0 and UEFI 2.3.1
- Highest levels of assurance: trust rooted in hardware; compliance with the code-integrity policy required for key release (attestation); fabric admin untrusted
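The slide lists the registration steps for each mode without showing them. The following is an added example, not from the deck, of the Host Guardian Service side of that setup with the Windows Server 2016 HgsServer cmdlets: the admin-trusted branch registers an AD group by SID, the TPM-trusted branch registers each host's EKpub, a TPM baseline per hardware SKU and a code-integrity policy per SKU. The domain, group SID, host names and file paths are assumptions, and the two branches are alternatives, matching the slide's “mutually exclusive”.

```powershell
# Added example (not from the deck): configuring HGS for ONE of the two
# attestation modes on the slide. Run on the HGS node after
# Install-HgsServer / Initialize-HgsServer. SID, host names and paths are
# assumptions; the reference-host commands shown in comments run on a
# Hyper-V host, not on HGS.

# ---- Option A: admin-trusted (AD-based) -------------------------------
# A host is "legitimate" simply because its computer account is in the
# registered group (HGS stores the group SID). Anyone who can add computers
# to that group can therefore run shielded VMs: fabric admin is trusted.
Set-HgsServer -TrustActiveDirectory
Add-HgsAttestationHostGroup -Name 'GuardedHosts' `
    -Identifier 'S-1-5-21-1111111111-2222222222-3333333333-1234'   # assumed SID

# ---- Option B: hardware-trusted (TPM-based) ---------------------------
Set-HgsServer -TrustTpm

# B1. On each Hyper-V host, export the TPM identifier (EKpub) as XML:
#       (Get-PlatformIdentifier -Name 'Host01').InnerXml |
#           Out-File .\Host01.xml -Encoding UTF8
#     On HGS, register it. Only a host whose EKpub is registered can attest,
#     whatever its AD membership. -Force skips the EK certificate chain
#     check; use it only when the TPM vendor chain is not trusted in the lab.
Add-HgsAttestationTpmHost -Path '.\Host01.xml' -Name 'Host01' -Force

# B2. Per hardware SKU, capture the TCG boot log of a reference host in a
#     known-good configuration (on that host:
#       Get-HgsAttestationBaselinePolicy -Path 'HW1.tcglog' -SkipValidation)
#     and register it as the measured-boot baseline.
Add-HgsAttestationTpmPolicy -Path '.\HW1.tcglog' -Name 'HW1'

# B3. Per hardware SKU, build the code-integrity policy on the reference
#     host and register it; a host running drivers or binaries outside it
#     fails attestation and gets no key release:
#       New-CIPolicy -Level Publisher -Fallback Hash -FilePath '.\HW1CI.xml' -UserPEs
#       ConvertFrom-CIPolicy -XmlFilePath '.\HW1CI.xml' -BinaryFilePath '.\HW1CI.p7b'
Add-HgsAttestationCiPolicy -Path '.\HW1CI.p7b' -Name 'HW1CI'

# Review what HGS will now accept.
Get-HgsAttestationHostGroup
Get-HgsAttestationTpmHost
Get-HgsAttestationTpmPolicy
Get-HgsAttestationCiPolicy
```

The practical difference between the two branches is the attack surface: in option A the list of trusted hosts is an AD group that fabric admins control, in option B it is a list of TPM public keys plus a boot baseline and a CI policy, none of which a host can forge without the matching hardware and matching measurements.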
Slide13
Attestation Workflow (hardware-trusted)
Parties: the Guarded Host (running the Attestation Client) and the Host Guardian Service node, which hosts the Attestation Service and the Key Protection Service (both IIS web apps, reached over a REST API).
1. Start Shielded VM
2. Attestation Client initiates the Attestation Protocol
3. Host sends boot & CI measurements
4. Attestation Service validates the host measurements
5. Attestation Service issues a signed Attestation Certificate, encrypted to the host
Slide14
Attestation Workflow (admin-trusted)
Parties: the Guarded Host (running the Attestation Client) and the Host Guardian Service node, which hosts the Attestation Service and the Key Protection Service (both IIS web apps, reached over a REST API).
1. Start Shielded VM
2. Attestation Client initiates the Attestation Protocol
3. Host presents a Kerberos service ticket
4. Attestation Service validates group membership
5. Attestation Service issues a signed Attestation Certificate, encrypted to the host
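Both workflows start from a host that knows where its Host Guardian Service is and end with the host holding (or not holding) an attestation certificate. The script below is an added example, not from the deck, of the guarded-host side: it points the HgsClient at the Attestation and Key Protection endpoints and then reads back the result, branching into diagnostics when attestation did not pass. The HGS FQDN is an assumption; the cmdlets are from the Windows Server 2016 HgsClient module, and the property names used are those `Get-HgsClientConfiguration` reports.

```powershell
# Added example (not from the deck): configure a Hyper-V host as an HGS
# client and verify it attested. Run on the guarded host (Host Guardian
# Hyper-V Support feature installed). The FQDN is an assumption.
$HgsFqdn = 'hgs.relecloud.com'
Set-HgsClientConfiguration `
    -AttestationServerUrl   "http://$HgsFqdn/Attestation" `
    -KeyProtectionServerUrl "http://$HgsFqdn/KeyProtection"

# Reports the latest attestation outcome (the result of steps 2-5 on the
# slide) and which mode the host attested in.
$cfg = Get-HgsClientConfiguration
$cfg | Format-List IsHostGuarded, AttestationOperationMode, AttestationStatus, AttestationSubstatus

function Test-GuardedHost {
    # Returns $true only when the host holds a valid attestation certificate.
    # On failure, AttestationSubstatus names the failed check (for example a
    # CI policy or TPM baseline the host no longer matches), which is the
    # value to compare against what is registered on the HGS side.
    param([Parameter(Mandatory)] $Config)
    if ($Config.AttestationStatus -ne 'Passed') {
        Write-Warning ("Attestation {0}: {1}" -f $Config.AttestationStatus, $Config.AttestationSubstatus)
        return $false
    }
    return [bool]$Config.IsHostGuarded
}

if (-not (Test-GuardedHost -Config $cfg)) {
    # One report covering both sides: endpoint reachability, EKpub
    # registration, TPM baseline and CI policy matches.
    Get-HgsTrace -RunDiagnostics -Detailed
}
```

A host that fails attestation can still run ordinary VMs; what it cannot do is obtain the key for a shielded VM, because the Key Protection Service only releases keys against a certificate the Attestation Service issued.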
Slide15
Protect virtual machines
Virtual Secure Mode
(Diagram: two virtual machines on a host; the hypervisor mediates their access to CPU and memory)
Virtual Secure Mode-enabled virtual machines prevent an infected host from accessing the VM's physical memory data and physical processor state. Virtual Secure Mode introduces the concept of Virtual Trust Levels, which consist of memory access protections, virtual processor state and an interrupt subsystem.
Virtual Trust Levels (VTLs): a security mechanism on top of the existing privilege enforcement (ring 0/ring 3)
Memory Access Protections: a VTL's memory access protections can only be changed by software running at a higher VTL
Virtual Processor State: isolation of processor state between VTLs
Interrupt Subsystem: interrupts are managed securely at a particular VTL, without the risk of a lower VTL generating unexpected interrupts or masking interrupts
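The slide describes the VTL model but not how to tell whether it is in force on a given machine. Windows exposes that through the Win32_DeviceGuard WMI class; the function below is an added example, not from the deck, that reads it and decodes the status codes Microsoft documents for that class (VirtualizationBasedSecurityStatus 0/1/2, SecurityServicesRunning 1 = Credential Guard, 2 = HVCI). The decoding function and its output shape are written here for illustration; it runs on a host or inside a Generation 2 guest.

```powershell
# Added example (not from the deck): read Virtualization Based Security
# state from WMI and decode it. Class and codes are Microsoft's
# (Win32_DeviceGuard); the function and result layout are illustrative.
function Get-VsmState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not
    # running (typically a missing UEFI/IOMMU/SLAT prerequisite), 2 = running.
    # Only 2 means the hypervisor is actually isolating VTL1 from VTL0.
    $vbs = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
        0       { 'NotEnabled' }
        1       { 'EnabledNotRunning' }
        2       { 'Running' }
        default { 'Unknown' }
    }

    # SecurityServicesRunning lists the services hosted in VTL1:
    # 1 = Credential Guard (isolated LSA), 2 = HVCI (hypervisor-enforced
    # kernel code integrity). Other codes are passed through by number.
    $names   = @{ 1 = 'CredentialGuard'; 2 = 'HVCI' }
    $running = @($dg.SecurityServicesRunning | ForEach-Object {
        $code = [int]$_
        if ($names.ContainsKey($code)) { $names[$code] } else { "Service$code" }
    })

    [pscustomobject]@{
        VbsStatus                   = $vbs
        ServicesConfigured          = @($dg.SecurityServicesConfigured)
        ServicesRunning             = $running
        # The slide's "host administrators cannot run arbitrary kernel-mode
        # code" holds only when HVCI is actually running, not merely configured.
        KernelCodeIntegrityEnforced = ($vbs -eq 'Running' -and $running -contains 'HVCI')
    }
}

Get-VsmState
```

The distinction between `ServicesConfigured` and `ServicesRunning` is the one to watch: a policy can request HVCI while the firmware or a driver prevents VBS from starting, and in that state the VTL1 protections the slide describes do not exist.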
Slide16
Protect virtual machines
Host Guardian Service
(Diagram labels: FABRIC GUARDIAN, HOSTS, Shielded VMs, host attestation, vTPM key management, Hyper-V based code integrity verification, Customer, Service provider, Microsoft)
- The Host Guardian Service holds the keys of the legitimate fabrics as well as of the encrypted virtual machines
- The Host Guardian Service runs as a service that verifies whether a host is a trusted machine
- The Host Guardian Service can live anywhere, even as a virtual machine
Slide17
Demo
VM Security
Slide18
Linux Secure Boot
Providing kernel code integrity protections for Linux guest operating systems
Works with:
- Ubuntu 14.04 and later
- SUSE Linux Enterprise Server 12
PowerShell to enable:
Set-VMFirmware -VMName 'Ubuntu' -SecureBootTemplate MicrosoftUEFICertificateAuthority
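The one-liner above selects the certificate template; the function below is an added example, not from the deck, that wraps it with the checks a practitioner wants before flipping Secure Boot on for a Linux guest: the VM must be Generation 2 and powered off, the template must be the Microsoft UEFI CA (the default Windows template would reject the Linux shim at boot), and the firmware state is read back afterwards. The VM name is an assumption; the cmdlets are the Hyper-V module's `Get-VM`, `Get-VMFirmware` and `Set-VMFirmware`.

```powershell
# Added example (not from the deck): enable Secure Boot for a Linux guest with
# the correct template and verify the result. The VM name is an assumption.
function Enable-LinuxSecureBoot {
    param([Parameter(Mandatory)][string] $VMName)

    $vm = Get-VM -Name $VMName
    if ($vm.Generation -ne 2) {
        throw "$VMName is Generation $($vm.Generation); Secure Boot needs a Generation 2 VM"
    }
    # Firmware settings change only while the VM is off.
    if ($vm.State -ne 'Off') { throw "$VMName must be powered off first" }

    $fw = Get-VMFirmware -VMName $VMName
    if ($fw.SecureBootTemplate -ne 'MicrosoftUEFICertificateAuthority') {
        # Ubuntu 14.04+ and SLES 12 boot through a shim signed by the
        # Microsoft UEFI CA, not by the Windows Production PCA. Leaving the
        # default Windows template in place makes the firmware refuse the
        # Linux boot loader as soon as Secure Boot is turned on.
        Set-VMFirmware -VMName $VMName -SecureBootTemplate MicrosoftUEFICertificateAuthority
    }
    Set-VMFirmware -VMName $VMName -EnableSecureBoot On

    # Read back: SecureBoot should be On with the Linux template selected.
    Get-VMFirmware -VMName $VMName | Select-Object VMName, SecureBoot, SecureBootTemplate
}

Enable-LinuxSecureBoot -VMName 'Ubuntu'
```

If the guest later fails to boot with a Secure Boot violation, the template is the first thing to check: a VM created on an older template, or moved from a host where the template was edited, will show the mismatch in the `SecureBootTemplate` column.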
Slide19
Demo
Linux Secure Boot
Slide20
Deep technical content and free product evaluations
- Download Microsoft software trials today: Technet.microsoft.com/evalcenter
  At the TechNet Evaluation Center you can download free, trial versions of Microsoft software, with no feature limits. Dozens of trials are available, all at no cost. Try Windows Server 2012 R2 for up to 180 days. Download the Windows 8.1 Enterprise 90-day evaluation. Or try Microsoft Azure at no cost for up to 90 days.
- Hands-on deep technical labs (TechNet Virtual Labs): Technet.microsoft.com/virtuallabs
  Microsoft Hands On Labs offer virtual environments that take you through a guided, technically deep product learning experience. Learn at your own pace in labs that you can complete in 90 minutes or less. No complex setup or installation is required to use TechNet Virtual Labs.
- Free, online, technical courses: microsoftvirtualacademy.com
  Microsoft Virtual Academy provides free online training on the IT scenarios that are important to your company and your career. Learn at your own pace and boost your IT skills with over 100 courses across more than 15 Microsoft technologies including Windows Server, Windows 8, Microsoft Azure, Office 365, virtualization, Windows Phone, and more.
Slide21
© 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.