Security aspects of virtualized IT systems lifecycle
2013/07/09, 1 comment
There are five major phases of the systems development lifecycle: (1) initiation; (2) acquisition or development; (3) pre-production testing, evaluation and implementation; (4) operation and maintenance; (5) disposal, migration to the replacement solution or utilization.
Information security must be fully integrated into the whole lifecycle and, as such, should be treated as its integral component. Each of these phases has specific security checkpoints. This text describes what requirements must be met at each stage of the lifecycle (security checkpoints) and the expected outcomes of implementing those requirements (deliverables).
The main intent of this text is to take a closer look at the enforcement of security requirements throughout the whole lifecycle of a virtualized IT system. Virtualization creates specific circumstances, not only from the operational but also from the security point of view, that have to be taken into consideration and properly addressed.
Security checkpoints in system development lifecycle and their deliverables
Embedding security into the systems development lifecycle must be mandatory. Taking security requirements into account comprehensively and consistently across the whole systems development lifecycle is a key determinant of the effectiveness of a risk management program. Negligence and malpractice in this area may lead to the materialization of operational, financial, legal, reputational and security risks.
The table below summarizes the security checkpoints corresponding to each lifecycle phase and their deliverables.

| Lifecycle phase | Security checkpoints | Deliverables |
|---|---|---|
| Initiation | (1) Analysis of and opinion on the project documentation in terms of information security standards. (2) Estimating the criticality level of the system, classifying information, assessing legal requirements for information security, preparing a BIA. (3) Preparing a threat model and conducting a preliminary risk analysis. (4) Training the staff in information security. (5) Specifying security requirements. | (1) Security requirements specification. (2) Threat model and preliminary risk analysis report. |
| Acquisition or development | (1) Final risk assessment of the system. (2) Evaluating and documenting changes and deviations from the project's primary assumptions in terms of their potential impact on security. (3) Documenting the architecture and system security solutions. (4) Conducting security tests and then elaborating a corrective measures plan. (5) Communicating the test results and corrective measures plan to the appropriate, responsible parties within the organization. | (1) Risk analysis report with recommended measures. (2) Security test report. (3) Corrective measures plan. |
| Pre-production testing, evaluation and implementation | (1) Correcting identified vulnerabilities. (2) Documenting the implementation of security requirements (results of the security requirements acceptance tests). (3) Approving the risk analysis report; responsible parties decide how residual risks are managed. (4) Approving business continuity plans. (5) Security accreditation. | Security accreditation report. |
| Operation and maintenance | Secure management of the system: (1) changes, (2) configuration, (3) security events and incidents, (4) vulnerabilities and (5) risk. | (1) Reports from security assessments (including compliance assessments). (2) Reports from the ongoing risk assessment of changes implemented in the system during live operation. (3) Reports from security tests and risk treatment plans. |
| Disposal, migration to the replacement solution or utilization | (1) Preparing and approving the system disposal or migration plan. (2) Supervising data protection. (3) Disposing of unneeded data storage media. (4) Withdrawing the software from production use. | (1) System disposal or migration plan. (2) Reports from the operations performed. |
The effectiveness of a system's security mechanisms depends critically on enforcing security requirements at every security checkpoint within the lifecycle. This is particularly important at the earliest stages of the lifecycle, since the approach not only makes risk management more efficient but also brings economic benefits (and/or minimizes losses) by:
- Identifying potential vulnerabilities and weaknesses early enough to remediate them effectively with a lower budget and less staff involvement;
- Preventing the labor- and time-intensive correction of errors discovered late in an already implemented system, through earlier education of technical staff (designers, analysts and software developers) on best practices and standards for secure systems development;
- Identifying where a cost-optimized architecture of security solutions applies, one in which the solutions can be used as a shared resource by many system components;
- Enabling efficient, cost-effective and comprehensive risk mitigation throughout the whole system development cycle.
Specific security issues in virtualized systems lifecycle
The ease of creating and reconfiguring virtual IT systems greatly facilitates their management, but it also causes additional risks to emerge. These risks arise mainly from (1) not following hardening standards, (2) rushing the deployment of systems that do not yet have all the patches correcting critical vulnerabilities installed, (3) architectural mistakes, for instance failing to provide high availability and reliability solutions, (4) a lack of adherence to the trust concepts of secure network zoning, and (5) a limited ability to control communication between virtualized systems when they are connected only to a host-based network.
In practice, the simplicity of virtual environments often leads to security checkpoints in the system lifecycle being skipped, which ultimately weakens system security. These problems should be properly addressed in order to manage the risks of virtual IT environments effectively.
Summary and conclusions
Virtual IT systems should be managed with security requirements in mind. This is obvious. What is extremely important, however, is that the approach to security should be based on making security management an integral part of the systems development lifecycle.
Virtual environments have to be created and configured in adherence to a formal security requirements specification, and that specification should be based on robust threat identification and risk analysis. Security tests of virtual system solutions are mandatory, and the systems have to be formally accredited with respect to the fulfillment of security requirements.
Only a comprehensive approach to systems security throughout their whole lifecycle provides effective and economically justified risk management in the organization.