This bulletin outlines the security recommendations that NIST recently provided in Special Publication (SP) 800-125A – security recommendations for Hypervisor Deployment on Servers. The document provides technical guidelines about the secure execution of baseline functions of the hypervisor, regardless of the hypervisor architecture. In the past, a user wishing to set up a computing server generally needed to use a dedicated host with dedicated resources such as a central processing unit (CPU), memory, network and storage. Modern systems have technology that lets one create virtual machines to emulate what used to be physical, dedicated resources. This practice is known as virtualization and supports more scalable and dynamic environments. A critical component of this technology is the hypervisor, the collection of software modules that enables this virtualization and thus enables multiple computing stacks – each made of an operating system (OS) and application programs – to be run on a single physical host. Such a physical host is called a Virtualized Host and is also referred to as a Hypervisor Host. The individual computing stacks are encapsulated in an artifact called a Virtual Machine (VM). To make a VM an independent executable entity, its definition should include resources such as CPU and memory, allocated to it. The VMs are also called ‘Guests,’ and the OS running inside each of them is called ‘Guest OS.’ The resources associated with a VM are virtual resources, as opposed to physical resources associated with a physical host. The hypervisor forms part of the virtualization layer in a virtualized host and plays many of the same roles that a conventional OS does on a non-virtualized host, or server. Just as a conventional OS provides isolation between the various applications, or processes, running on a server, the hypervisor provides isolation between one or more VMs running on it. Also, like an OS, the hypervisor mediates access to physical resources across multiple VMs. Therefore, all other functions needed to support virtualization – such as emulation of network and storage devices and the management of VMs and the hypervisor itself – can be accomplished using kernel-loadable modules, although some hypervisor architectures accomplish these tasks using dedicated VMs. The hypervisor can be installed either directly on the hardware, or bare metal (Type 1 Hypervisor), or on top of a fullfledged conventional OS, called Host OS (Type 2 Hypervisor). Here, we discuss the baseline functions of a hypervisor, how these functions are distributed in a hypervisor, and how this information is used to develop security recommendations that provide assurance against potential threats to the secure execution of tasks involved in the hypervisor’s baseline functions. Hypervisor baseline functions It might appear that all activities related to the secure management of a hypervisor and its hardware host – collectively called the hypervisor platform – should simply consist of established best practices for any server class software and its hosting environment. However, closer examination reveals that the unique functions provided by the Hypervisor Platform require a dedicated set of security considerations. These functions are called hypervisor baseline functions (HY-BF) and are labeled HY-BF1, HY-BF2, HY-BF3, HYBF4, and HY-BF5. They are described below: HY-BF1: VM process isolation Scheduling of VMs for execution, management of the application processes running in VMs (e.g., CPU and memory management), and context switching between various processor states during the running of applications in VMs; HY-BF2: Devices mediation & access control Mediates access to all devices (e.g., network interface card [NIC], storage device such as IDE drive etc). One mediation approach is to emulate network and storage (block) devices that are expected by different native drivers in VMs by using emulation programs that run in the hypervisor kernel; HY-BF3: Direct execution of commands from guest VMs Certain commands from Guest OSs are executed directly by the hypervisor instead of being triggered through in terrupts and context switching. This function applies to hypervisors that have implemented para-virtualization instead of full virtualization; HY-BF4: VM lifecycle management This baseline function involves all functions from creation and management of VM images, control of VM states (start, pause, stop etc), VM migration, VM monitoring, and policy enforcement; and HY-BF5: Management of Hypervisor This baseline function involves defining some artefacts and setting values for various configuration parameters in hypervisor software modules including those for configuration of a Virtual Network inside the hypervisor. NIST SP 800-125A provides detailed security guidance based on an analysis of threats to the integrity of all the above functions. The only exceptions are the set of guidelines for configuration of virtual network (subset of HYBF5), which are covered in a separate document (NIST SP 800-125B). The above functions are carried out by different hypervisor components, or software modules. There are some minor differences among hypervisor products in the way that they distribute these functions. The mapping of these functions to hypervisor components and the location of these components within a hypervisor architecture are described in the table below: Approach for developing security recommendations Developing security recommendations for the deployment and use of a complex software such as the hypervisor requires knowledge of potential threats which, when exploited, would affect the three basic security properties – confidentiality, integrity, and availability – of hypervisor functions. The approach adopted for developing security recommendations for the deployment of hypervisors in NIST SP 800125A is as follows: Ensure the integrity of all components of the hypervisor platform, starting from the host BIOS to all software modules of the hypervisor. This action is accomplished through a secure boot process, outlined as recommendation HY-SR1; Identify the threat sources in a typical hypervisor platform. The nature of threats from rogue or compromised VMs is briefly discussed in SP 800-125A; and For each of the five baseline functions HY-BF1 through HY-BF5 (except for HY-BF3, the direct execution of certain commands from guest VMs by the hypervisor), identify the different tasks under each function, and for each of the tasks, identify the potential threats to the secure execution of the task. The countermeasures that will provide assurance against exploitation of these threats…

Access management can be defined as the process of granting authorized users the rights to use a service, while preventing access to non-authorized users. Following are the key access management growth factors over the next five years. GDPR deadline fast approaching Traditionally, finance, banking, insurance, government, utilities and other heavily regulated end-user sectors have focused on identity- and accessmanagement solutions. However, over the past year there has been growth in non-traditional markets. Not only have the manufacturing and retail sectors become more security conscious, but the increase in the number of data breaches and the looming legislation around General Data Protection Regulation (GDPR) in May 2018 has also piqued renewed interest in security and identity and access management (IAM) solutions. ● Highlight ● The global access management market is projected to increase from $5.4 billion in 2016 to $9.6 billion in 2021. ● Companies with 5,000 or more employees are projected to contribute the largest revenue growth to the access management market over the next five years. ● Over the past year, there has been growth in non-traditional market sectors such as manufacturing and retail. Smaller organizations using access management solutions Access management solutions have traditionally been deployed by larger organizations. In fact, companies with 5,000 or more employees are projected to contribute the largest revenue growth over the next five years, increasing from $4.38 billion in 2016 to $5.4 billion in 2021. The proportional importance of this segment is forecast to decline from 80 percent of total access management revenue in 2016 to around 56 percent in 2021. Small and medium-sized enterprises (SMEs) will steadily increase the amount of access management solutions they deploy. For example, revenue from companies with between 1 and 499 employees is projected to increase from $109.6 million in 2016 to $705 million in 2021. This segment managed to grow from 2 percent of total revenue in 2016 to 7.3 percent in 2021. The introduction of more cloud solutions within the access management market is likely to help SMEs, in particular, because cloudbased access management solutions can be more cost effective and scalable for small and medium enterprises. On-premises hybrid and cloud solutions As there are still a lot of applications running on premises at companies, a significant portion of larger organizations still want some on-premises solutions. Larger organizations are more likely to move to a hybrid model, with some applications running in the cloud as a stepping stone toward full adoption of cloud solutions. Hybrid solutions are projected to increase from $1.1 billion in 2016 to $1.7 billion in 2021. In contrast, smaller organizations are more likely to deploy software-as-a-service (SaaS) solutions, which for them can be more cost effective than on-premises solutions. Technological developments and the battle with hackers There is a continuous battle being waged as hackers increasingly try to gain control of the networks they want to compromise. It is important for organizations to take into account people’s locations, to help detect fraudulent activity and ensure the right people have the right access, at the right time and at the correct location. Technologies like machine learning (ML) and artificial intelligence (AI) are also important weapons in this battle. Leveraging emerging technologies, such as behavioral biometrics, will help to reduce the burden on end-users and increase the validity of identity proofing. Organizations can learn a lot about how people interact with their networks, to give a full picture of how things are evolving, but these technology developments are a bit of a cat-and-mouse game. Blockchain makes security cheaper and more accessible Many organizations have isolated and centralized identity management systems, but the current landscape demands federation and single sign-on (SSO). These systems make identity management, protection and verification very cumbersome, costly and risky for industry enterprises and government agencies. Blockchain has the potential to introduce improvements that can make security more accessible and budget friendly. With smart contract capabilities, there can even be a secondary market where users benefit from sharing resources back to the network. Smart contracts automatically execute pieces of code carrying valuable data or performing other condition-based executions. A permissioned blockchain technology provides core capabilities that enable a trusted digital identity network to build and operate the following: A shared, append-only ledger, with one version of the facts shared across all permissioned network participants in real time. Smart contracts that ensure verifiable and signed business logic is executed in each transaction. Trust between known participants, to verify transactions and ensure records are valid. Privacy and security measures that grant access only to permissioned parties. Cybersecurity – Access Management Report 2018 This two-volume report provides coverage in several key areas of the identity and access management market, including access management and identity governance and administration. It provides detailed analysis of individual vertical markets from market-specific operating models to key trends and development opportunities.

Lower storage spend Organizations are keeping as much as 40% of their inactive data on their most expensive infrastructure. With unstructured video growing exponentially, fueled by the rise of new video surveillance programs, one can’t afford to have this kind of inefficiency. The solution is to adopt a multi-tier storage system that automatically migrates the video to the most cost efficient tiers of storage. Whether that’s high-performance disk storage, object-based storage or high-capacity primary storage, file-based tape or the cloud – the organization can cost-effectively store data based on various policy requirements. Easy, immediate access Finding a file in the system should be no more difficult than finding a document on a C: drive.           Quantum’s solution for video surveillance is a single file system, built specifically for video applications. On the backend, retention and access policies can be set to handle data migration and simplify organization and file recall. High performance Storage performance that performs inefficiently prevents companies from capturing usable data. Quantum’s StorNext software retains data cost-effectively, supports complex video management systems and analytic applications, and ingests video from 4 times as many cameras per server to deliver time-to-decision results, allowing proactive protection and crime prevention. Quantum’s storage infrastructure not only handles this sheer volume of data with ease, but also delivers streaming performance regardless of whether it’s on disk, tape, or in the cloud. Scale with storage needs The ability to seamlessly integrate more sources of information into modern analytical tools is becoming more important, as is the capacity to scale and accommodate increased camera and sensor counts, panoramic coverage and higher image resolution. As more cameras are added, image resolutions increase and retention times become longer, Quantum’s solution can scale to handle the need for more capacity. Compliant with current infrastructure Quantum’s storage solutions support all major platforms, operating systems and networks, and      integrate seamlessly with VMS and other systems. This enables security professionals to integrate the solution into their existing infrastructure without being locked into a  single vendor or platform as well as to configure the file interface to receive input from a variety of devices and systems. No trade-off necessary To gain more insight and an increased return on investment from video surveillance data, a storage solution must balance high performance, high capacity and high retention. These three parameters can be flexed to provide the best trade-off between budget and mission whilst minimizing sacrifice of redundancy, accessibility or scalability. Gateway storage architecture Upgrading storage capabilities while also satisfying budgetary restrictions is a challenging part of building a comprehensive storage infrastructure. Instead of replacing the pre-existing storage system, why not build onto it? Artico™ offers an easy, nondisruptive choice for adding Quantum tape, FlexTier™, and Lattus™ scale-out storage to an existing security environment. Quantum’s StorNext platform is a policy-driven tiering software, allowing users to extend primary storage with scalable, more cost-effective tiers of storage. Our multi-tier solution is ideal for security and surveillance organizations with large amounts of video dealing with the challenges that come with scaling storage with your data growth. End users can set up policies to automatically migrate data across tiers, utilizing less costly types of storages like file-based tape and cloud, thus delivering the total capacity needed more cost effectively.