Cloud Computing Update – Security and Virtualisation in Government using Microsoft Hyper-V

My colleague and Microsoft UK Chief Security Advisor, Stuart Aston, has provided me with the following update and clarification to an earlier posting on Microsoft Hyper-V for use by public sector organisations in the UK.

As Government and their suppliers "reach for the cloud", it is clear that virtualisation and simplicity are vital components in its success and in driving down the costs for government. In this posting we are providing the latest clarification on the suitability of Microsoft's Hyper-V for use by UK Government or their suppliers in the delivery of services for government.

For clarity:

The Windows Server Hyper-V hypervisor is suitable for HM Government or their suppliers to utilise to virtualise multiple workloads onto a server or server farm at any common Impact Level and threat.

This will enable customers and service providers alike to maximise their utilisation of hardware, improve the resilience characteristics of many services in a cost efficient way and follow the recommendations of CESG's Good Practice Guide on Virtualisation.

Frequently Asked Questions:

Does Hyper-V need to be "accredited/approved/assessed" by CESG before I can use it to virtualise government services at a common level of risk and threat?

CESG's Good Practice Guide on Virtualisation states that hypervisors do not need to be assessed if you are virtualising servers at a common level of risk and threat (the Good Practice Guide for Virtualisation is available from the CESG Account Manager for UK Government departments and their suppliers). At present no product is assessed to operate at differing levels of risk and threat. All systems virtualised and operating at multiple Impact Levels and threats will need to be accredited for operation regardless of the status of individual products.

Is Hyper-V common criteria accredited?

Both Windows Server 2008 and Hyper-V are Common Criteria certified to EAL4+ and have been since 2009. Hyper-V's security certificate is available here and its security target is here. We would always recommend that customers review the security target and understand which security capabilities were actually evaluated and contribute to the Information Assurance of a solution, beyond the base claims of any manufacturer.

Is the "R2" version of Hyper-V evaluated?

Yes, its Certification Report and Security Target can be viewed on the Common Criteria Portal. Guidance from CESG is that the latest software from Microsoft should be used and kept up to date.

What Patterns/Templates are available to aid in deploying Hyper-V servers for government use?

In addition to CESG's Good Practice Guide on Virtualisation, CESG are producing a number of "Architectural Patterns". These are not product specific and, like the Good Practice Guide, cover a variety of deployment scenarios, including operating at a common level of risk and threat as well as other specialised scenarios.

For detailed security guidance on how to implement Microsoft's Enterprise Server products we understand that CESG's guidance is to utilise Microsoft's best practice, which is available here for Hyper-V.

What if I want my virtual servers to operate at multiple levels of threat and risk?

At present no product is assessed to be able to operate at multiple levels of threat and risk. However, in an enterprise environment it is both practical and operationally cost effective to create pools of servers that each operate at a common level of threat and risk, and still realise the benefits of increased hardware utilisation that decrease hardware footprints and maximise value.

What is Microsoft's relationship with CESG?

Microsoft has a long and successful partnership with CESG, primarily through the Government Security Program, and ensures that CESG has the best knowledge available to be able to provide pragmatic information assurance guidance to HM Government. A customer or partner seeking definitive Information Assurance guidance should approach CESG via their normal channels.

Who can I contact to discuss further?

If you are a government department, or a system integrator for a government department, please contact CESG via your CESG Account Manager, or your Microsoft Account Manager, Partner Manager or Technical Specialist.

Posted by Ian