Resiliency Mitigations in Virtualized and Cloud Environments

Transitioning from a physical platform environment to a virtual cyber environment poses new challenges as well as opportunities in risk management. Moving a locally hosted cyber environment to a cloud-hosted environment poses similar challenges and opportunities. While these types of transitions provide capabilities for reducing costs, incorporating redundancy, improving continuity of operations, and increasing cyber resiliency, they also reduce the separation between systems, the separation between environments, the capabilities for trusted insight into the systems and their environments, the hands-on management, and the control of systems and their environment.

A virtual machine (VM) may be at risk of losing its availability, integrity, and/or confidentiality caused by an attack on, or by, another VM that has been designed to support an environment with different risks.

In cloud computing and storage services, the key concept with regard to risk is that the data owner has outsourced control of, and therefore some degree of responsibility for, the data storage and processing platforms. The priorities of the cloud resource managers and contractual agreements regarding management of, use of, and access to the cloud environments are critical to consider when assessing and mitigating risk for these environments.

This document discusses the challenges posed by virtual and cloud environments, and how cyber resiliency techniques can increase mission assurance in environments whose architectures are based on virtual infrastructure and cloud services. Virtual environments are not the same as cloud environments, yet they frequently support cloud environments; therefore, the risks associated with virtual environments often must be considered in addressing the risks associated with cloud environments.