Research on Security Assessment of Virtualization Systems for High-Security-Level Networks
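  • English title: A Virtualization System Security Assessment Method in High Security Level Network
  • Authors: 孔斌; 李楠; 胡波; 吕彬; 刘超
  • English authors: KONG Bin; LI Nan; HU Bo; LV Bin; Liu Chao; School of Economics and Management, Beijing Jiaotong University; National Secrecy Science and Technology Evaluation Center; Institute of Information Engineering, Chinese Academy of Sciences
  • Keywords: virtualization; high-security-level network; security assessment; risk matrix method
  • English keywords: Virtualization; High security Level Network; Security Assessment; Risk Matrix Method
  • Chinese journal name: TXBM
  • English journal name: Information Security and Communications Privacy
  • Institutions: School of Economics and Management, Beijing Jiaotong University; National Secrecy Science and Technology Evaluation Center; Institute of Information Engineering, Chinese Academy of Sciences
  • Publication date: 2019-03-10
  • Publisher: Information Security and Communications Privacy
  • Year: 2019
  • Issue: No.303
  • Language: Chinese
  • Page: TXBM201903010
  • Page count: 11
  • CN: 03
  • ISSN: 51-1608/TN
  • Classification number: 39-49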
Abstract
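As one of the main supporting technologies of cloud computing, virtualization makes it possible to deliver a wide range of software and hardware resources to users as services, but it also introduces a series of new security problems. Based on a comprehensive analysis of the vulnerabilities, threats and risks of virtualization systems, and taking into account the security requirements of high-security-level networks, this paper combines the risk matrix method with the analytic hierarchy process to build a security assessment framework and a quantitative scoring model for virtualization systems that are applicable to high-security-level network environments. A practical example verifies the feasibility of the assessment method.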
Virtualization, as one of the main supporting technologies of cloud computing, provides users with various hardware and software resources in a convenient way. However, virtualization has also introduced a series of new security issues. In this paper, we comprehensively analyze the vulnerabilities, threats and risks of virtualization systems in light of the security requirements of high security level networks, and then construct a virtualization system security assessment framework that combines the risk matrix method with the hierarchy analysis method. The feasibility of the assessment framework is verified by practical examples.
