Information technology — Security techniques — Security guidelines for design and implementation of virtualized servers

This document specifies security guidelines for the design and implementation of VSs. Design considerations focusing on identifying and mitigating risks, and implementation recommendations with respect to typical VSs are covered in this document. This document is not applicable to: (see also 5.3.2 Exclusions) — desktop, OS, network, and storage virtualization; and — vendor attestation. This document is intended to benefit any organization using and/or providing VSs.

Technologies de l'information — Techniques de sécurité — Lignes directrices pour la conception et l’implémentation sécurisées des serveurs virtualisés

General Information

Status

Published

Publication Date

11-Nov-2018

ICS

35.030 - IT Security

Technical Committee

ISO/IEC JTC 1/SC 27 - Information security, cybersecurity and privacy protection

Drafting Committee

ISO/IEC JTC 1/SC 27/WG 4 - Security controls and services

Current Stage

9060 - Close of review

Start Date

04-Jun-2029

Ref Project

Buy Standard

ISO/IEC 21878:2018 - Information technology -- Security techniques -- Security guidelines for design and implementation of virtualized servers

Standard

ISO/IEC 21878:2018 - Information technology -- Security techniques -- Security guidelines for design and implementation of virtualized servers

English language

22 pages

sale 15% off

Preview

sale 15% off

Preview

Standards Content (Sample)

ISO/IEC 21878:2018 - Informati...

INTERNATIONAL ISO/IEC
STANDARD 21878
First edition
2018-11
Information technology — Security
techniques — Security guidelines
for design and implementation of
virtualized servers
Technologies de l'information — Techniques de sécurité — Lignes
directrices pour la conception et l’implémentation sécurisées des
serveurs virtualisés
Reference number
ISO/IEC 21878:2018(E)
©
ISO/IEC 2018

---------------------- Page: 1 ----------------------
ISO/IEC 21878:2018(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2018 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 21878:2018(E)

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Symbols and abbreviated terms . 2
5 Overview of server virtualization . 3
5.1 Types of server virtualization . 3
5.2 Components of a VS . 3
5.3 Technical considerations . 4
5.3.1 General. 4
5.3.2 Exclusions . 4
6 Overview of security threats and risks . 5
6.1 General . 5
6.2 Common threats . 5
6.3 VS-specific risks . 6
6.3.1 General. 6
6.3.2 VM risks . 6
6.3.3 Hypervisor risk
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

ISO

ISO/IEC 4922-2:2024(Main)

Information security — Secure multiparty computation — Part 2: Mechanisms based on secret sharing

This document specifies the processes for secure multiparty computation mechanisms based on the secret sharing techniques which are specified in ISO/IEC 19592-2. Secure multiparty computation based on secret sharing can be used for confidential data processing. Examples of possible applications include collaborative data analytics or machine learning where data are kept secret, secure auctions where each bidding price is hidden, and performing cryptographic operations where the secrecy of the private keys is maintained. This document specifies the mechanisms including but not limited to addition, subtraction, multiplication by a constant, shared random number generation, and multiplication with their parameters and properties. This document describes how to perform a secure function evaluation using these mechanisms and secret sharing techniques.

Standard
33 pages
English language
sale 15% off
Draft
34 pages
English language
sale 15% off
Draft
34 pages
English language
sale 15% off

ISO

ISO/IEC 27006-1:2024(Main)

Information security, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of information security management systems — Part 1: General

This document specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021-1. The requirements contained in this document are demonstrated in terms of competence and reliability by bodies providing ISMS certification. The guidance contained in this document provides additional interpretation of these requirements for bodies providing ISMS certification. NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

Standard
47 pages
English language
sale 15% off
Standard
53 pages
French language
sale 15% off
Draft
49 pages
English language
sale 15% off
Draft
49 pages
English language
sale 15% off

ISO

ISO/IEC 27001:2022/Amd 1:2024(Amendment)

Information security, cybersecurity and privacy protection — Information security management systems — Requirements — Amendment 1: Climate action changes

Standard
1 page
English language
sale 15% off
Standard
1 page
French language
sale 15% off

ISO

ISO/IEC 29100:2024(Main)

Information technology — Security techniques — Privacy framework

This document provides a privacy framework which: — specifies a common privacy terminology; — defines the actors and their roles in processing personally identifiable information (PII); — describes privacy safeguarding considerations; — provides references to known privacy principles for information technology. This document is applicable to natural persons and organizations involved in specifying, procuring, architecting, designing, developing, testing, maintaining, administering, and operating information and communication technology systems or services where privacy controls are required for the processing of PII.

Standard
22 pages
English language
sale 15% off
Draft
22 pages
English language
sale 15% off

ISO

ISO/IEC 27040:2024(Main)

Information technology — Security techniques — Storage security

This document provides detailed technical requirements and guidance on how organizations can achieve an appropriate level of risk mitigation by employing a well-proven and consistent approach to the planning, design, documentation, and implementation of data storage security. Storage security applies to the protection of data both while stored in information and communications technology (ICT) systems and while in transit across the communication links associated with storage. Storage security includes the security of devices and media, management activities related to the devices and media, applications and services, and controlling or monitoring user activities during the lifetime of devices and media, and after end of use or end of life. Storage security is relevant to anyone involved in owning, operating, or using data storage devices, media, and networks. This includes senior managers, acquirers of storage products and services, and other non-technical managers or users, in addition to managers and administrators who have specific responsibilities for information or storage security, storage operation, or who are responsible for an organization’s overall security programme and security policy development. It is also relevant to anyone involved in the planning, design, and implementation of the architectural aspects of storage network security. This document provides an overview of storage security concepts and related definitions. It includes requirements and guidance on the threats, design, and control aspects associated with typical storage scenarios and storage technology areas. In addition, it provides references to other international standards and technical reports that address existing practices and techniques that can be applied to storage security.

Standard
85 pages
English language
sale 15% off
Draft
93 pages
English language
sale 15% off
Draft
87 pages
English language
sale 15% off
Draft
87 pages
English language
sale 15% off

ISO

ISO/IEC 29146:2024(Main)

Information technology — Security techniques — A framework for access management

This document defines and establishes a framework for access management (AM) and the secure management of the process to access information and information and communications technologies (ICT) resources, associated with the accountability of a subject within some contexts. This document provides concepts, terms and definitions applicable to distributed access management techniques in network environments. This document also provides explanations about related architecture, components and management functions. The subjects involved in access management can be uniquely recognized to access information systems, as defined in the ISO/IEC 24760 series. The nature and qualities of physical access control involved in access management systems are outside the scope of this document.

Standard
34 pages
English language
sale 15% off
Draft
34 pages
English language
sale 15% off
Draft
34 pages
English language
sale 15% off

ISO

ISO/IEC 17825:2024(Main)

Information technology — Security techniques — Testing methods for the mitigation of non-invasive attack classes against cryptographic modules

This document specifies the non-invasive attack mitigation test metrics for determining conformance to the requirements specified in ISO/IEC 19790:2012 for security levels 3 and 4. The test metrics are associated with the security functions addressed in ISO/IEC 19790:2012. Testing is conducted at the defined boundary of the cryptographic module and the inputs/outputs available at its defined boundary. This document is intended to be used in conjunction with ISO/IEC 24759:2017 to demonstrate conformance to ISO/IEC 19790:2012. NOTE ISO/IEC 24759:2017 specifies the test methods used by testing laboratories to assess whether the cryptographic module conforms to the requirements specified in ISO/IEC 19790:2012 and the test metrics specified in this document for each of the associated security functions addressed in ISO/IEC 19790:2012. The test approach employed in this document is an efficient “push-button” approach, i.e. the tests are technically sound, repeatable and have moderate costs.

Standard
38 pages
English language
sale 15% off
Draft
38 pages
English language
sale 15% off
Draft
38 pages
English language
sale 15% off

ISO

ISO/IEC 27033-7:2023(Main)

Information technology – Network security — Part 7: Guidelines for network virtualization security

This document aims to identify security risks of network virtualization and proposes guidelines for the implementation of network virtualization security. Overall, this document intends to considerably aid the comprehensive definition and implementation of security for any organization’s virtualization environments. It is aimed at users and implementers who are responsible for the implementation and maintenance of the technical controls required to provide secure virtualization environments.

Standard
23 pages
English language
sale 15% off
Draft
23 pages
English language
sale 15% off
Draft
23 pages
English language
sale 15% off

ISO

ISO/IEC TS 9569:2023(Main)

Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Patch Management Extension for the ISO/IEC 15408 series and ISO/IEC 18045

This document specifies patch management (PAM) security assurance requirements and is intended to be used as an extension of the ISO/IEC 15408 series and ISO/IEC 18045. The security assurance requirements specified in this document do not include evaluation or test activities on the final target of evaluation (TOE), but focus on the initial TOE and on the life cycle processes used by manufacturers. Additionally, this document gives guidance to facilitate the evaluation of the TOE, including the patch and development processes which support the patch management. This document lists options for evaluation authorities (or mutual recognition agreements) on how to utilize the additional assurance and additional evidence in their processes to enable the developer to consistently re-certify their updated or patched TOEs to the benefit of the users. The implementation of these options using an evaluation scheme is out of the scope of this document.

Technical specification
36 pages
English language
sale 15% off
Draft
36 pages
English language
sale 15% off
Draft
36 pages
English language
sale 15% off

ISO

ISO/IEC 27402:2023(Main)

Cybersecurity — IoT security and privacy — Device baseline requirements

This document provides baseline ICT requirements for IoT devices to support security and privacy controls.

Standard
16 pages
English language
sale 15% off
Draft
16 pages
English language
sale 15% off
Draft
16 pages
English language
sale 15% off