Security aspects of virtualized IT systems lifecycle

There are five major phases of systems development lifecycle: (1) initiation, (2) acquisition or development, (3) pre-production testing, evaluation and implementation, (4) operation and maintenance; (5) disposal, migration to the replacement solution or utilization.

Information security must be fully integrated into the whole lifecycle and – as such – should be considered as its integral component. There are specific security checkpoints in each of these specified phases. This text describes: what requirements must be met at each stage of the lifecycle (security checkpoints) and the expected outcomes to be achieved by implementing the requirements (deliverables).

The major intent of this text is to have a closer look at security requirements enforcement through the whole lifecycle of the virtualized IT system. The virtualization creates specific circumstances, not only from the operational, but also from security point of view, that have to be taken into consideration and properly addressed.

Security checkpoints in system development lifecycle and their deliverables

Security must be obligatory embedded into systems development lifecycle. Comprehensively and consistently taking into account security requirements in the whole systems development lifecycle is a key determinant of risk management program effectiveness. Negligence and malpractice in this area may lead to the materialization of operational, financial, legal, reputational and security risks.

The table below summarizes security checkpoints corresponding to the particular lifecycle phases and their deliverables.

Phase Security checkpoints Deliverables
Initiation (1) Analysis and opinion on the project documentation in terms of information security standards.(2) Estimate the level of criticality of the system, classification of information, assessment of legal requirements for information security, preparation of BIA.(3) Preparation of threat model and conducting preliminary risk analysis.(4) Training the staff regarding information security.(5) Security requirements specification.
(1) Security requirements specification.
 
 
(2) Threat model and preliminary risk analysis report.
Acquisition or development (1) Final risk assessment of the system.(2) Evaluation and documenting of changes and deviations from the project primary assumptions in terms of their potential impact on security.(3) Documenting of architecture and system security solutions.(4) Conduct security tests and elaboration of corrective measures plan afterwards.(5) Tests results and corrective measures plan communication to appropriate, responsible parties within the organization.
(1) Risk Analysis Report with measures recommendation.
 
(2) The report from security tests.
 
(3) The corrective measures plan.
Pre-production testing, evaluation and implementation (1) Correction of identified vulnerabilities.(2) Documenting the implementation of security requirements (results of the security requirements acceptance tests).(3) Risk Analysis Report approval, taking the decisions by responsible parties on ways of managing residual risks.(4) Approval of business continuity plans.(5) Security Accreditation
Security Accreditation Report
Operation and maintenance Secure management of system: (1) change, (2) configuration, (3) security events and incidents, (4) vulnerabilities and (5) risk.
(1) Reports from security assessments (including compliance assessments).
 
(2) Reports from risk assessment conducted ongoing for changes implemented in the system during its live operation.
 
(3) Reports from security tests and risk measure plans.
Disposal, migration to the replacement solution or utilization (1) Preparation and approval of systems disposal or migration plan.(2) Data protection supervision.(3) Disposal of unneeded data storage media.(4) Withdrawal of the software from production usage.
(1) System disposal or migration plan.
 
(2) Reports from the operations performed.

The effectiveness of systems security mechanisms depends, in a critical way, on security requirements enforcement in every security checkpoint within the lifecycle. Particularly important it is at the earliest stages of lifecycle, since this approach not only results in a higher level of efficiency in risk management, but in addition also brings economic benefits (and/or minimize losses) by:

  • Identifying all of potential vulnerabilities and weaknesses, early enough to take effective remediation at the expense of lower budget and staff involvement;
  • Prevention from labor- and time-consuming need to correct lately discovered errors in already implemented system, by earlier education of technical staff: designers, analysts and software developers on the best practices and standards for the secure systems development;
  • Identification and recognition of the applicability of cost-optimized architecture of security solutions, one in which they can be used as a shared resource for many systems component;
  • Enabling efficient and cost-effective comprehensive risks mitigation throughout the whole system development cycle.

Specific security issues in virtualized systems lifecycle

The simplicity of creation and reconfiguration of virtual IT systems greatly facilitate their management, but it also causes the additional risks to emerge. These risks arise mainly from (1) not keeping the hardening standards, (2) rushing the implementation of the systems which don’t have installed all of the necessary patches correcting critical vulnerabilities, (3) architectural mistakes, such as, for instance, failure to provide high availability and reliability solutions, (4) the lack of adherence to secure networking zone concepts of trust, (5) limited ability to control communication between virtualized systems while they are connected to a host based network type only.

The simplicity of virtual environments often creates actually the results such as ignored security checkpoints in the system lifecycle process which finally result in weakening of the systems security. These problems should be appropriately addressed to effectively manage the virtual IT environments risks.

Summary and conclusions

The virtual IT systems should be managed with security requirements in mind. This is obvious. What is extremely important however, is that approach to security should be based on the concept of making security management an integral part of systems development lifecycle.

The virtual environments have to be created and configured in adherence to formal security requirements specification, whereas security requirements specification should be based on robust threat identification and risk analysis. Security tests for the virtual systems solutions are mandatory and the systems have to be formally accredited in terms of security requirements fulfillment.

Only comprehensive approach to systems security throughout their whole lifecycle provides the effective and economically justified risk management in the organization.

Informacje Janusz Nawrat
Just ordinary man who likes thinking...

One Response to Security aspects of virtualized IT systems lifecycle

  1. MS. pisze:

    Good security checklist of IT system lifecycle. True for all IT systems,
    not only virtualized. I would emphasize two other security issues of
    virtualized IT systems: (1) dynamic nature of the virtualized environment
    that makes it difficult to control (e.g. VMs can be quickly added or moved
    to other location); (2) safety of VMs closely depend on the safety of
    virtualized environment (e.g. a security incident of VMware infrastructure
    effects the safety of all VMs).
    MS.

Skomentuj

Wprowadź swoje dane lub kliknij jedną z tych ikon, aby się zalogować:

Logo WordPress.com

Komentujesz korzystając z konta WordPress.com. Log Out / Zmień )

Zdjęcie z Twittera

Komentujesz korzystając z konta Twitter. Log Out / Zmień )

Facebook photo

Komentujesz korzystając z konta Facebook. Log Out / Zmień )

Google+ photo

Komentujesz korzystając z konta Google+. Log Out / Zmień )

Connecting to %s

TOMASZ WEŁNA

artysta grafik | wykładowca

PRACOWNIA OKO

Szkoła Rysunku Malarstwa i Grafiki DR TOMASZA WEŁNY | KRAKÓW | Plac Matejki 10 | tel 691 81 75 74

Piękno neurobiologii

Blog Jerzego Vetulaniego

Teoria muzyki, zasady muzyki, podstawy muzyki

Teoria muzyki, zasady muzyki, podstawy muzyki - czyli to co każdy amator muzyki wiedzieć powinien :)

Personal Development & Inspirations

Przemyślenia i refleksje, którymi warto się podzielić (blog by Janusz Nawrat)

Business IT Cooperation Platform

Biznes i IT - dwa światy, które muszą współdziałać

%d bloggers like this: