When using a software-based isolation mechanism to share a physical server’s hardware, the isolation mechanism is from a vendor that has demonstrated a commitment to secure-by-design and secure-by-default principles, use of memory-safe programming languages where possible, secure programming practices, and maintaining the security of their products.
Topic
Functional separation between computing environments
Applicable to
all
History
Priority
must
Mar 2023
When using a software-based isolation mechanism to share a physical server’s hardware, the isolation mechanism is from a vendor that has demonstrated a commitment to secure-by-design and secure-by-default principles, use of memory-safe programming languages where possible, secure programming practices, and maintaining the security of their products.
An existing control relating to choosing software-based isolation mechanisms from ‘vendors that have made a commitment to secure-by-design principles, secure programming practices and maintaining the security of their products’ was amended to ‘vendors that have demonstrated a commitment to secure-by-design and secure-by-default principles, use of memory-safe programming languages where possible, secure programming practices, and maintaining the security of their products’.
Mar 2022
When using a software-based isolation mechanism to share a physical server’s hardware, the isolation mechanism is from a vendor that has made a commitment to secure-by-design principles, secure programming practices and maintaining the security of their products.
Requirements for software-based isolation mechanisms to be from a vendor that uses secure programming practices has been expanded to a vendor that has demonstrated a commitment to secure-by-design principles, secure programming practices and maintaining the security of their products.
Aug 2020
When using a software-based isolation mechanism to share a physical server’s hardware, the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner.
Security control 1460 was split into 5 different security controls (i.e. 1460, 1604 1605, 1606 and 1607) to allow for sufficient focus on each aspect of hardening software-based isolation mechanisms.
Jul 2020
When using a software-based isolation mechanism to share a physical server’s hardware:
• the isolation mechanism is from a vendor that uses secure coding practices and, when security vulnerabilities have been identified, develops and distributes patches in a timely manner
• the configuration of the isolation mechanism is hardened by removing unneeded functionality and restricting access to the administrative interface used to manage the isolation mechanism
• the underlying operating system running on the server is hardened
• patches are applied to the isolation mechanism and underlying operating system in a timely manner
• integrity and log monitoring are performed for the isolation mechanism and underlying operating system in a timely manner.
2015
When using a software-based isolation mechanism to share a physical server’s hardware,agencies must ensure that:• the isolation mechanism is from a vendor that uses secure programming practices and,when vulnerabilities have been identified, the vendor has developed and distributed patchesin a timely manner• the configuration of the isolation mechanism is hardened, including removing supportfor unneeded functionality and restricting access to the administrative interface used tomanage the isolation mechanism, with the configuration performed and reviewed by subjectmatter experts• the underlying operating system running on the server is hardened• security patches are applied to both the isolation mechanism and operating system in atimely manner• integrity and log monitoring is performed for the isolation mechanism and underlyingoperating system in a timely manner.