SPG:Drafts:Virtual Machines Endorsement Policy March 2015
Security Policy for the Endorsement and Operation of Virtual Machine Images
This draft policy is currently under review. The previous adopted version of the text may be seen at https://documents.egi.eu/public/ShowDocument?docid=771
As a result of the March 2015 SPG meeting, there was an item to work on an update of this policy to address the requirements from the EGI Federated Clouds folks.
THIS VERSION WAS PRODUCED DURING THE EGI SPG MEETING IN MARCH 2015
This document describes the security-related policy requirements for the generation, distribution and operations of virtual machine (VM) images, as part of a trusted computing environment of the IT infrastructure.
The aim is to enable VM images to be generated according to best practices and to be both trusted and operated elsewhere.
This policy does not compel resource centres to instantiate images endorsed in accordance with this policy. Should a resource centre decide to instanciate a VM image generated by any other non-compliant procedures, that resource centre is still bound by all applicable security policies and is required to consider the security implications of such an action on other participants.
The following terms are defined.
- Endorser: A role, held either by an individual or a team, who is responsible for confirming that a particular VM image has been produced according to the requirements of this policy and states that the image can be trusted. An Endorser should be one of a limited number of authorised and trusted individuals appointed either by the infrastructure, a VO or a resource centre. The appointing body must assume responsibility for the actions of the Endorser and must ensure that he/she is aware of the requirements of this policy.
- VM operator: A role, held either by an individual or a team, who is responsible for the security of the VM during its operation phase, from the time it is instantiated, until it is terminated. Typically this addresses individuals with root access on the VM.
- VM consumer: A role held by an individual who consumes with no level of management privilege the services operated on or by a VM.
- Third party: An external entity other than the resource centre where the VM is operated.
Use case classification
The current policy document addresses the following use cases.
Endorser: resource centre, VM operator: resource centre
In this class virtualisation is not directly accessible by users. It includes, for example, the use of virtual worker nodes that act in a similar way to real worker nodes.
The resource centre is both the Endorser and the VM operator and is responsible to ensure the compliance of the VM with existing security policies.
Endorser: Third party, VM operator: resource centre
In this class, the resource centre is the VM operator, and the trust relationship is established between the resource centre and the Endorser.
Endorser: Third party, VM operator: Third Party
In this class, the resource centre runs the VM but is not the VM operator, and the trust relationship is established between:
- the resource centre and the VM operator
- the VM operator and the Endorser (both roles can be combined)
The resource centre is responsible to ensure sufficient traceability in order to enable malicious network activity to be linked with any VM and its VM operator, as defined in the Security Traceability and Logging policy.
The resource centre has no direct trust relationship with the Endorser and may decide to apply specific restrictions to control the access of the VM to other resources, including network services.
Policy Requirements on the VM Operator
By acting as a VM Operator you agree to the conditions laid down in this document and other referenced documents, which may be revised from time to time.
- You are responsible to fulfil all the operational security and incident response requirements expressed in other policies.
- You are responsible to ensure that any VM being run is compliant with existing security policies, including but not limited to security patching, vulnerability management, incident response, logging and traceability.
- You are responsible for handling all problems related to the execution of any licensed software in a VM image. You shall ensure that any software run in a VM, complies with applicable license conditions and you shall hold the resource centre running the image free and harmless from any liability with respect thereto.
- If the VM image is endorsed then the instantiation may be considered to be trustworthy up to the point of contextualisation.
- You are responsible for the consequences of contextualisation of any instantiated VM image, including credentials and certificates and for the operation of the VM from that point on.
- You are responsible for all lawful actions of the VM consumer.
- You recognise that the Infrastructure Organisation, the resource centres and the VOs reserve the right to block any endorsed image or terminate any instance of a virtual machine and associated user workload for administrative, operational or security reasons.
Policy Requirements on the Endorser
By acting as an Endorser you agree to the conditions laid down in this document and other referenced documents, which may be revised from time to time.
- You are held responsible by all interested parties for checking and confirming that a VM image has been produced according to the requirements of this policy and that there is no known reason, security-related or otherwise, why it should not be trusted.
- You recognise that the VM image must be generated according to current best practice, the details of which may be documented elsewhere by the infrastructure. These include but are not limited to:
- any image generation tool used must be fully patched and up to date;
- all operating system and other installed software security patches must be applied to all images and be up to date;
- images are assumed to be world-readable and as such must not contain any confidential information;
- images must contain no installed accessible accounts or any other means of access;
- images must not contain any form of credential, such as passwords or private keys;
- images must be configured such that they do not prevent resource centres from meeting the finegrained monitoring and control requirements defined in the Security Traceability and Logging policy to allow for security incident response;
- the image must not prevent resource centres from implementing local authorisation and/or policy decisions, e.g. blocking the running of work for a particular user.
- You must disclose to any appropriate stakeholder on request the procedures and practices you use for checking and endorsing images.
- You must provide and maintain an up to date list of your currently endorsed images together with the metadata relating to each VM image.
- Either the list or each individual image's metadata must be digitally signed by the endorser.
- You must keep an auditable history of every image endorsed including the date/time of generation and full list, including exact versions, of installed software and operating system contained in the VM. This must be made available to appropriate stakeholders on demand.
- You must implement a removal or revocation procedure to allow the VM operators to exclude those images which are no longer endorsed. This procedure must be implemented whenever a relevant security update is required. This removal must also be recorded locally in your auditable history. Your responsibility for this revoked VM image ends at this point.
- You are responsible for handling all issues related to the distribution of any licensed software in a VM image. You shall ensure that any software distributed in a VM image, complies with applicable license conditions and you shall hold the resource centre running the image free and harmless from any liability with respect thereto.
- You must assist in security incident response and must have an appropriate security vulnerability patching process in place.