Red Hat Virtualization and Security

The usage of open source technologies has grown significantly in the public sector. In fact, according to a published memo, open source technologies allow the Department of Defense to “develop and update its software-based capabilities faster than ever, to anticipate new threats and respond to continuously changing requirements”. Cybersecurity threats are on the rise and organizations need to ensure that the software they use in their environments is safe. IT teams need the ability to quickly identify and mitigate breaches. They also need to deploy preventative measures and ensure that all stakeholders are protected.

Continuous Security

In a world with no perimeters, it is more imperative than ever to maintain security and regulatory compliance. While security fundamentals still apply, the security mindset is changing; security must be a continuous process. To combat cybersecurity, we recommend that organizations include security in every step of the application and infrastructure lifecycle by following the below guidelines:

  • Design

Design your infrastructure and applications with security in mind. An active and current security guidance needs to be in place. This guidance should detail instructions that must be followed in case of an attack – without a prior plan, recovery is long and difficult.

  • Build

Build in security features by integrating and automating security testing. Develop standard configurations and automate them so that new deployments conform to your security guidelines.

  • Run

Run your infrastructure on trusted, tested, and supported platforms with capabilities that minimize attack vectors. Maintain an up-to-date catalog of assets. This catalog simplifies the process of mitigating the consequences of a possible attack.

  • Manage

Deploy a centralized management system. Admins need to be able to perform a security audit on multiple remote systems from a single and centralized environment. This approach minimizes silos that make it difficult to track and prevent threats.

  • Adapt

Ensure that the IT environment is continuously monitored throughout the lifecycle and kept up to date with the latest patches and security fixes.

The Red Hat Security Story

As a leader in open source infrastructure and application development solutions for the enterprise, Red Hat is uniquely positioned to enable IT organizations to leverage the innovation of open source with security, regulatory, and compliance confidence. Red Hat develops, curates, tests, and delivers certified open source infrastructure software and application platforms through a thoroughly documented supply chain. Security is something we have in mind from the beginning. There are no add-ons, security is a part of all Red Hat products. Red Hat Enterprise Linux, the underlying secure operating system, is the lynchpin that unifies all of our products. At Red Hat, we partner with open source communities, industry leaders, and government agencies to provide automated and standardized lockdown tools. Additionally, the open source software process enables Red Hat to deliver safer software that has been tried and tested through many channels.

Red Hat has deep roots in the security space. Red Hat developed SELinux in conjunction with United States National Security Agency (NSA) and the United States Department of Defense. SELinux provides mandatory access controls for every user, application, process, and file.  SELinux enables a system to defend itself and protect applications against tampering and unauthorized access. Red Hat also developed sVirt, a technology that delivers secure virtualization through SELinux.

Moreover, security is baked into the Red Hat’s subscription model in 5 ways:

  1. Technical support
    • Red Hat offers multi-channel, multi-lingual, and unlimited incidents support on a 24/7 schedule.
  2. Security Advisories, Patches, and Stability
    • Red Hat offers stability with a product lifecycle for up to 10 years.
    • The Red Hat Product Security team analyzes threats and vulnerabilities against all of our products and provides relevant advice and updates through the Red Hat Customer portal. In 2015, 96% of Red Hat Enterprise Linux critical issues had updates available the same or next day after public knowledge.
    • Red Hat backports fixes for security flaws from the most recent version of an upstream software package and applies that fix to older package versions. This process minimizes disruption and provides IT organizations with the flexibility to continue to safely work with their currently deployed versions and upgrade to newer versions at the time of their choosing.
  3. Deep expertise
    • Red Hat values knowledge sharing and facilitates conversations through the customer portal and forums. Our customers have access to knowledgebase articles, access labs and we offer a training lab.
    • Red Hat maintains close relationships with component communities that benefit our customers and the open source communities. Red Hat gives back by sharing code and results of quality and secure testing.
  4. Commitment
    • Red Hat provides hardware and software certification as well as software assurance.
  5. Red Hat Insights
    • Red Hat Insights helps you proactively identify, prioritize, and resolve critical issues in your infrastructure before they impact your business operations. The provided intelligence is specific, clear, and actionable with tailored resolution steps presented based on unparalleled Red Hat technical knowledge and expertise.

Virtualization and Security

Virtualization allows organizations to run multiple virtual machines on one host, thus speeding up delivery of services and significantly reducing costs. However, if not properly mitigated, this convenient technology can introduce threats. Virtualization threats include:

  • Denial of Service (DoS) through the termination of the guest. This threat activity occurs when there is activity within an individual guest or host that impacts the ability for the host to effectively run virtual machines.
  • Memory corruption and leakage. This is the ability to corrupt or access guest memory from outside the constraints of the virtual machine.
  • Guest to host escape. This vulnerability occurs when code is executed directly on the hypervisor outside the constraints of a guest virtual machine.

Red Hat Virtualization, the enterprise virtualization platform powered by Red Hat Enterprise Linux, is designed to help organizations mitigate the above threats via various mechanisms:

  • Control Groups: Red Hat Virtualization includes tools and a kernel feature that controls allocation and isolation of resources. This feature enables resource limiting and control through prioritization and accounting measurements.
  • SELinux: Red Hat Virtualization includes SELinux that enforces mandatory access control through a security linux module. SELinux enforces the labeling of all processes and files; and there are restrictions based on role and type. In Red Hat Virtualization, each guest is an individual process on a host. By leveraging sVirt, an extension of SELinux in libvirt, each guest can be isolated through mandatory access control.
  • Encryption: Secure sockets layer(SSL)/transport layer security(TLS) encryption is used extensively within the Red Hat Virtualization environment. Encrypting traffic in the Red Hat Virtualization environment minimizes the attack surface.

To keep virtualization environments secure, we recommend that organizations keep the following in mind:

  • Understand that guest virtual machines are processes that can be compromised. Give them the least possible privileges on the host.
  • Disable devices/services that are not in use – This will ensure that your operations are optimal and secure.
  • Do not disable SELinux.
  • Keep your host and guest software up to date.

Summary

Technology is evolving so much so that sometimes security is an afterthought and not part of the initial adoption discussions. As your organization looks to expand and adopt new technologies to help you meet your customers’ demands, it is imperative to ensure that both your existing infrastructure and your future technologies offer maximum security mechanisms to prevent threats and expansion.

If you would like to learn more information about how Red Hat is building secure products, we invite you to join us at the Red Hat Government Symposium on November 2nd, 2016. Attend the event to hear about how together with our partners and customers, Red Hat is building a foundation for choice and security.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s