
Establish, implement, and maintain a virtual environment and shared resources security program.


CONTROL ID
06551
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Technical security, CC ID: 00508

This Control has the following implementation support Control(s):
  • Include incident management procedures in the virtual environment and shared resources security program., CC ID: 15715
  • Establish, implement, and maintain procedures for provisioning shared resources., CC ID: 12181
  • Establish, implement, and maintain a shared resources management program., CC ID: 07096
  • Disseminate and communicate any changes in the cryptosystem to interested personnel and affected parties., CC ID: 12346
  • Deactivate user credentials upon agreement termination., CC ID: 12177
  • Sanitize customer data from all shared resources upon agreement termination., CC ID: 12175
  • Release shared resources back to the Information System when they are no longer necessary., CC ID: 05724
  • Store virtual machine device drivers within the virtual machine., CC ID: 16431
  • Implement non-persistent services and components that are initiated in a known state and terminated, as necessary., CC ID: 10685


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Banks need to be aware that using VPNs to allow remote access to their systems can create holes in their security infrastructure. The encrypted traffic can hide unauthorized actions or malicious software that can be transmitted through such channels. Intrusion detection systems and virus scanners ab… (Critical components of information security 25) vi., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Implementation of virtual keyboard (Critical components of information security g) ¶ 2 9., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Virtualisation is used by organisations to optimise the use of computing resources and to enhance resilience. The technology allows several virtual machines (VMs) that support different business applications to be hosted on a physical system. A system failure or security breach in one of the VMs cou… (§ 11.4.1, Technology Risk Management Guidelines, January 2021)
  • Implement additional controls for shared computers to prevent access to personal data, e.g. those keyed in by another user. (Annex A1: Security of Personal Computers & Other Computing Devices 41, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • VLANs belonging to different security domains are terminated on separate physical network interfaces. (Security Control: 1364; Revision: 2, Australian Government Information Security Manual, March 2021)
  • VLANs belonging to official and classified networks, or networks of different classifications, do not share VLAN trunks. (Security Control: 0535; Revision: 5, Australian Government Information Security Manual, March 2021)
  • Virtualization technology should not be used for functional separation between network equipment or servers located in different security domains at the same classification. (Control: 0841, Australian Government Information Security Manual: Controls)
  • Virtualization technology must not be used to functionally separate servers or network equipment of different classifications. (Control: 0842, Australian Government Information Security Manual: Controls)
  • Virtual local area networks should not be used between classified networks and other sensitive networks. (Control: 1310, Australian Government Information Security Manual: Controls)
  • The organization must not use virtual local area networks between classified networks and networks of a lower classification. (Control: 0529, Australian Government Information Security Manual: Controls)
  • The organization must not use virtual local area networks between sensitive networks or classified networks and public network infrastructure. (Control: 1138, Australian Government Information Security Manual: Controls)
  • Virtual Local Area Network trunking must not be used for network devices that manage virtual local area networks of different security classifications. (Control: 0535, Australian Government Information Security Manual: Controls)
  • Then, applications having the same protection needs should be operated on a virtualisation cluster correspondingly provided for this. The individual areas should be physically separated from each other and it should be ensured that virtual machines cannot be moved across areas. (§ 8.2.4 Subsection 3 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Data is separated securely and strictly on jointly used virtual and physical resources (storage network, memory) according to a documented concept in order to guarantee the confidentiality and integrity of the stored and processed data. (Section 5.6 RB-23 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • How is security and access defined for the virtualized resources used for generation of cryptographic keys? (Appendix D, Protect Cardholder Data Bullet 11, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • There should be documented standards / procedures for establishing the technical security arrangements for customer connections. (CF.05.03.01, The Standard of Good Practice for Information Security)
  • Virtual servers should be deployed in accordance with documented standards / procedures. (CF.07.03.01-1, The Standard of Good Practice for Information Security)
  • Virtual servers should be configured in accordance with documented standards / procedures. (CF.07.03.01-2, The Standard of Good Practice for Information Security)
  • Virtual servers should be maintained in accordance with documented standards / procedures. (CF.07.03.01-3, The Standard of Good Practice for Information Security)
  • Standards / procedures should cover the protection of physical servers that are used to host virtual servers. (CF.07.03.02a, The Standard of Good Practice for Information Security)
  • Standards / procedures should cover the protection of hypervisors associated with Virtual Servers. (CF.07.03.02b, The Standard of Good Practice for Information Security)
  • Standards / procedures should cover the protection of virtual servers that run on a physical server. (CF.07.03.02c, The Standard of Good Practice for Information Security)
  • Physical servers that are used to host virtual servers should be protected against unmanaged and ad hoc deployment (often referred to as 'virtual server sprawl'). (CF.07.03.04a, The Standard of Good Practice for Information Security)
  • Physical servers that are used to host Virtual Servers should be protected against resource overload (e.g., excessive use of the Central Processing Unit, memory, hard disk, and network) by restricting the maximum number of virtual servers that can be created on each physical server. (CF.07.03.04b, The Standard of Good Practice for Information Security)
  • Hypervisors should be configured to encrypt communications between Virtual Servers (e.g., using Secure Socket Layer or Internet Protocol Security). (CF.07.03.05d, The Standard of Good Practice for Information Security)
  • Virtual servers should be protected by applying standard security management practices to hypervisors, which include reporting administrator activities to help ensure actions and privileges that they are allowed to perform are specifically aligned to their duties. (CF.07.03.06b-2, The Standard of Good Practice for Information Security)
  • Each Virtual Server should be protected by applying standard security management practices (including restricting physical access, system hardening, applying Change Management and malware protection, monitoring and performing regular reviews, and applying network-based security controls (e.g., firew… (CF.07.03.07, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for establishing the technical security arrangements for customer connections. (CF.05.03.01, The Standard of Good Practice for Information Security, 2013)
  • Virtual servers should be deployed in accordance with documented standards / procedures. (CF.07.03.01-1, The Standard of Good Practice for Information Security, 2013)
  • Virtual servers should be configured in accordance with documented standards / procedures. (CF.07.03.01-2, The Standard of Good Practice for Information Security, 2013)
  • Virtual servers should be maintained in accordance with documented standards / procedures. (CF.07.03.01-3, The Standard of Good Practice for Information Security, 2013)
  • Standards / procedures should cover the protection of physical servers that are used to host virtual servers. (CF.07.03.02a, The Standard of Good Practice for Information Security, 2013)
  • Standards / procedures should cover the protection of hypervisors associated with Virtual Servers. (CF.07.03.02b, The Standard of Good Practice for Information Security, 2013)
  • Standards / procedures should cover the protection of virtual servers that run on a physical server. (CF.07.03.02c, The Standard of Good Practice for Information Security, 2013)
  • Physical servers that are used to host virtual servers should be protected against unmanaged and ad hoc deployment (often referred to as 'virtual server sprawl'). (CF.07.03.04a, The Standard of Good Practice for Information Security, 2013)
  • Physical servers that are used to host Virtual Servers should be protected against resource overload (e.g., excessive use of the Central Processing Unit, memory, hard disk, and network) by restricting the maximum number of virtual servers that can be created on each physical server. (CF.07.03.04b, The Standard of Good Practice for Information Security, 2013)
  • Hypervisors should be configured to encrypt communications between Virtual Servers (e.g., using Secure Socket Layer or Internet Protocol Security). (CF.07.03.05d, The Standard of Good Practice for Information Security, 2013)
  • Virtual servers should be protected by applying standard security management practices to hypervisors, which include reporting administrator activities to help ensure actions and privileges that they are allowed to perform are specifically aligned to their duties. (CF.07.03.06b-2, The Standard of Good Practice for Information Security, 2013)
  • Each Virtual Server should be protected by applying standard security management practices (including restricting physical access, system hardening, applying Change Management and malware protection, monitoring and performing regular reviews, and applying network-based security controls (e.g., firew… (CF.07.03.07, The Standard of Good Practice for Information Security, 2013)
  • Verify that all high-value business logic flows, including authentication, session management and access control, do not share unsynchronized state. (1.11.2, Application Security Verification Standard 4.0.3, 4.0.3)
  • Virtual machines and/or air-gapped systems should be used to isolate and run applications that are required for business operations but based on higher risk should not be installed within a networked environment. (Control 2.4, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The organization should use air-gapped systems and/or virtual machines to isolate and run required applications that should not be installed on a networked environment. (Critical Control 2.8, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for infrastructure and virtualization security. Review and update the policies and procedures at least annually. (IVS-01, Cloud Controls Matrix, v4.0)
  • Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incur higher risk for the organization. (CIS Control 2: Sub-Control 2.10 Physically or Logically Segregate High Risk Applications, CIS Controls, 7.1)
  • Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incur higher risk for the organization. (CIS Control 2: Sub-Control 2.10 Physically or Logically Segregate High Risk Applications, CIS Controls, V7)
  • For a Level 4 PA, the CSP must provide evidence of strong virtual separation controls and monitoring in support of the ability to meet "search and seizure" requests for non-DoD information and data without the release of DoD information and data and vice-versa. Additionally the strong virtual separa… (Section 5.2.2.2 ¶ 2, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • DoD's usage of commercial cloud services means that the DoD joins an ecosystem of Internet connected CSPs/CSOs. While DoD leverages Internet connected CSOs for the dissemination or processing of public information (Level 2), DoD also leverages private connectivity to the same CSOs for the protection… (Section 5.10 ¶ 2, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Fully maintaining, patching, monitoring, and protecting the infrastructure, operating systems, and applications supporting all service offerings. (Section 6.4 ¶ 1 Bullet 4, sub-bullet 2, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Although the control baselines for all levels are based on those from CNSSI 1253, only impact Level 5 and 6 are designed to accommodate NSS categorized up to M-M-x. NSS-specific C/CEs have been included at these levels along with those required for the slightly higher impact of these systems at the … (Section 5.1.4 ¶ 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • In general, a CAP is required to mitigate risks to the DISN (or other DoD network) posed by connecting commercial CSOs to it except under certain restrictions. A CAP is a system of network boundary protection and monitoring devices (e.g., firewall, IPS, IDS, proxy, etc.), otherwise known as a Cybers… (Section 5.10.1 ¶ 3, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • To support BCAP connections between DoD and an off-premises Level 4/5 CSP, the CSP must offer a private connection service to the CSO that does not traverse the Internet. The CSP's network must include a PoP in a carrier agnostic commercial network interconnection facility or commercial carrier's co… (Section 5.10.1.1.3 ¶ 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • USCYBERCOM or JFHQ-DoDIN disseminates Warnings, Tactical Directives, and Orders to the organizations performing BCD and MCD Actions. The organizations performing BCD and MCD Actions will analyze them for their applicability to individual CSPs, and then communicate with USCYBERCOM or JFHQ-DoDIN, and … (Section 6.6 ¶ 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Protect the DoDIN and DoD mission systems in commercial cloud infrastructure through cross-BCAP correlation and analysis of events/data. (Section 6.3 ¶ 1 Bullet 1, sub-bullet 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • MPEs that utilize network(s) other than NIPRNet or SIPRNet (e.g., DRSN), will need to implement BCAPs or ICAPs for those network(s) that provide equivalent protections to those defined in the SCCA Functional Requirements Document (FRD)85 when connecting CSP infrastructure to their networks. MPEs imp… (Section 5.10.1.4 ¶ 4, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Fully maintaining, patching, monitoring, and protecting SaaS service offering OSs and applications including DoD data/information in them. (Section 6.4 ¶ 1 Bullet 4, sub-bullet 4, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • CSP personnel may not use the same GFE to manage the CSO as is used to perform general business functions such as email or those that might require surfing the Internet. (Section 5.10.1.2 ¶ 9 Bullet 3, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Fully maintaining, patching, monitoring, and protecting the portions of PaaS service offering OSs and applications for which they are responsible (which may vary from none to all) as defined in the service offering SLA/description and/or the Mission Owner's SLA/contract. (Section 6.4 ¶ 1 Bullet 4, sub-bullet 3, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • DoD uses the concept of defense-in-depth when protecting its networks and data/information. This includes, but is not limited to, hardening host OSs and applications, implementing host firewalls and intrusion detection, strong access control, robust auditing of events, while protecting the networks … (Section 5.10.3 ¶ 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Monitor, protect, and defend Mission Owners' cloud-based data in the CSO. (Section 6.3 ¶ 1 Bullet 3, sub-bullet 3, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Protects DoD systems/applications instantiated in one CSP's infrastructure from incidents that affect a different CSP's infrastructure or supported missions. (Section 5.10.1.1 ¶ 2 Bullet 3, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Monitor, protect, and defend Mission Owners' cloud-based systems, applications, and virtual networks in the CSP's IaaS/PaaS infrastructure (Section 6.3 ¶ 1 Bullet 3, sub-bullet 2, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Implement HBSS agents on all VMs with a supported general purpose OS. (Section 5.10.6 ¶ 1 Bullet 12, sub-bullet 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Utilize an HBSS agent control server (EPO) within NIPRNet or an associated common virtual services environment in the same CSO (e.g., VDMS). (Section 5.10.6 ¶ 1 Bullet 12, sub-bullet 2, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Utilize an ACAS Security Center server within NIPRNet or within an associated common virtual services environment in the same CSO (e.g., VDMS). (Section 5.10.6 ¶ 1 Bullet 13, sub-bullet 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • High-risk applications should not be operating in the same environment as non-validated software functions, even if those functions are not being used. (§ 6.1 ¶ 2, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • The agency shall isolate the host from the virtual machine in a virtual environment. (§ 5.10.3.2 ¶ 1(1), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Drivers that serve critical functions shall be stored within the specific VM they service. In other words, do not store these drivers within the hypervisor, or host operating system, for sharing. Each VM is to be treated as an independent system – secured as independently as possible. (§ 5.10.3.2 ¶ 1(4), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Drivers that serve critical functions shall be stored within the specific VM they service. In other words, do not store these drivers within the hypervisor, or host operating system, for sharing. Each VM is to be treated as an independent system – secured as independently as possible. (§ 5.10.3.2 ¶ 1 4., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Adequate approvals are required before deployment of remote, Internet, or VPN access for employees, vendors, and other; (TIER II OBJECTIVES AND PROCEDURES D.1. Bullet 15, FFIEC IT Examination Handbook - Audit, April 2012)
  • The organization allows execution of binary or machine-executable code obtained from sources with limited or no warranty and without the provision of source code only in confined physical or virtual machine environments and with the explicit approval of {organizationally documented personnel}. (SI-7(13), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization allows execution of binary or machine-executable code obtained from sources with limited or no warranty and without the provision of source code only in confined physical or virtual machine environments and with the explicit approval of {organizationally documented roles}. (SI-7(13), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
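The Australian Government ISM controls cited above (1364, 0535, 0841, 0842, 1310, 0529, 1138) all reduce to one checkable condition: a single physical interface or VLAN trunk must not carry VLANs belonging to different security domains or classifications. The following is an added example, written for this page and not taken from the ISM, the control text, or any vendor tool, of how an operator can audit that condition from a switch or virtual-switch configuration export. The VLAN-to-domain inventory and the IOS-style configuration excerpt are constructed sample data, and the Cisco-like `switchport trunk allowed vlan` syntax is an assumption; a hypervisor port-group export would feed the same `audit()` function once reduced to an interface-to-VLAN-list mapping. The check is necessary but not sufficient: ISM 0841/0842 additionally forbid relying on virtualization for separation across classifications, which no configuration parser can verify on its own.

```python
"""Audit trunk configuration against a VLAN-to-security-domain inventory.

Added example (not from the ISM or the control text). The inventory and the
IOS-style config excerpt are constructed, hypothetical sample data.
"""
import re

# Constructed inventory (assumption): VLAN ID -> security domain / classification.
VLAN_DOMAINS = {
    10: "OFFICIAL",
    20: "OFFICIAL",
    30: "PROTECTED",
    31: "PROTECTED",
    40: "SECRET",
    99: "MANAGEMENT",
}

# Constructed running-config excerpt (assumption: Cisco IOS-style trunk syntax).
CONFIG = """\
interface TenGigabitEthernet1/1
 description uplink to host01 eth0
 switchport mode trunk
 switchport trunk allowed vlan 10,20
interface TenGigabitEthernet1/2
 switchport mode trunk
 switchport trunk allowed vlan 20,30-31
interface TenGigabitEthernet1/3
 switchport mode trunk
 switchport trunk allowed vlan 10,40
 switchport trunk allowed vlan add 99
interface GigabitEthernet1/5
 switchport mode trunk
 switchport trunk allowed vlan 50
"""

def parse_vlan_list(spec):
    """Expand a VLAN list such as '10,20,30-32' into [10, 20, 30, 31, 32]."""
    vlans = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.extend(range(lo, hi + 1))
        else:
            vlans.append(int(part))
    return vlans

_IFACE = re.compile(r"^interface\s+(\S+)")
_ALLOWED = re.compile(r"^\s+switchport trunk allowed vlan(?:\s+(add|remove))?\s+(\S+)")

def parse_trunks(config):
    """Return {interface: sorted VLAN list} for interfaces with an explicit allowed list.

    Handles plain lists plus the 'add' and 'remove' forms; the 'all', 'none' and
    'except' forms are not covered by this example.
    """
    trunks = {}
    current = None
    for line in config.splitlines():
        m = _IFACE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _ALLOWED.match(line)
        if m and current:
            verb, spec = m.group(1), m.group(2)
            vlans = set(parse_vlan_list(spec))
            have = set(trunks.get(current, []))
            if verb == "add":
                have |= vlans
            elif verb == "remove":
                have -= vlans
            else:
                have = vlans
            trunks[current] = sorted(have)
    return trunks

def audit(trunks, vlan_domains):
    """Flag trunks carrying VLANs from more than one domain, and VLANs with no domain.

    Returns a list of (interface, finding_kind, detail) tuples. An unmapped VLAN
    is reported because an inventory gap hides a possible domain mix.
    """
    findings = []
    for iface, vlans in sorted(trunks.items()):
        domains = {vlan_domains[v] for v in vlans if v in vlan_domains}
        unmapped = [v for v in vlans if v not in vlan_domains]
        if len(domains) > 1:
            findings.append((iface, "MIXED_DOMAINS", sorted(domains)))
        if unmapped:
            findings.append((iface, "UNMAPPED_VLAN", unmapped))
    return findings

if __name__ == "__main__":
    for iface, kind, detail in audit(parse_trunks(CONFIG), VLAN_DOMAINS):
        print(f"{iface}: {kind} {detail}")
```

On the sample data the script reports TenGigabitEthernet1/2 (OFFICIAL and PROTECTED on one trunk) and TenGigabitEthernet1/3 (OFFICIAL, SECRET and MANAGEMENT), and raises GigabitEthernet1/5 for carrying a VLAN absent from the inventory; TenGigabitEthernet1/1 is clean. Run it against real exports on a schedule and treat any MIXED_DOMAINS finding as a deviation from the documented separation concept, not as something to be resolved by editing the inventory.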