A virtualized server platform—like a physical server platform—needs to be protected against attacks from hackers who might want to steal information or take control of parts of the server. NIST is releasing a publication that addresses this issue by providing recommendations to ensure that the core software used in a virtual server, the hypervisor, remains secure against such attacks. Draft NIST Special Publication 800-125A Revision 1, Security Recommendations for Server-based Hypervisor Platforms, analyzes the potential threats to the secure execution of the functions of a hypervisor and provides a series of recommendations to provide assurance against such potential threats.
The approach taken in this publication is to identify the baseline functions that a hypervisor performs, the tasks involved in each baseline function, the potential threats to the secure execution of the task, and the countermeasures that can provide assurance against exploitation of these threats in the form of security recommendations. In addition to these security recommendations, a recommendation for ensuring the overall integrity of all components of a hypervisor platform is also provided.
The target audience for the security recommendations in this document are the Chief Security Officer (CSO) or the Chief Technology Officer (CTO) of an Enterprise IT department in a private enterprise or government agency who wants to develop a virtualization infrastructure, as well as managers of data centers who want to offer a virtualization infrastructure for hosting cloud offerings and who want to provide security assurance for that infrastructure to cloud service clients.
It has been found that to deploy virtualized servers for high performance applications (e.g., big data, analytics etc.), other forms of device virtualization besides the “emulation” approach covered in this document are required. This publication captures these additional technologies for device virtualization, such as para-virtualization, passthrough and self-virtualizing hardware devices as well as associated security recommendations. Major content changes in this publication, which is a revision of NIST SP 800-125A, Security Recommendations for Hypervisor Deployment on Servers, can be found in Sections 1.1, 2.2.2 and 5.
A public comment period for this draft document is open until May 2, 2018.