ISO/IEC 27033-7
ISO/IEC 27033-7:2023 Information technology — Network security — Part 7: Guidelines for network virtualization security
(first edition)
Abstract
ISO/IEC 27033 part 7 "aims to identify security risks of network virtualization and proposes guidelines for the implementation of network virtualization security. Overall, [ISO/IEC 27033-7] intends to considerably aid the comprehensive definition and implementation of security for any organization's virtualization environments. It is aimed at users and implementers who are responsible for the implementation and maintenance of the technical controls required to provide secure virtualization environments."
[Source: ISO/IEC 27033-7:2023]
Introduction
Network virtualization was defined in ISO/IEC TR 29181-1:2012 as "technology that enables the creation of logically isolated network partitions over shared physical network infrastructures so that multiple heterogeneous virtual networks can simultaneously coexist over the shared infrastructures.
Note 1 to entry: Network virtualization allows the aggregation of multiple resources and makes the aggregated resources appear as a single resource."
For context, the same 2012 standard concerned "Future Network", defined as "network of the future which is made on clean-slate design approach as well as incremental design approach; it should provide futuristic capabilities and services beyond the limitations of the current network, including the Internet".
Scope
Within the multipart network security standard ISO/IEC 27033, part 7 addresses information risks and security controls applicable to network virtualisation.
Structure
Main clauses:
5: Overview
6: Security threats
7: Security recommendations
8: Security controls
9: Design techniques and considerations
Annex A: Use cases of network virtualization
Annex B: Detailed security threat description of network virtualization
Status
The current first edition of part 7 was published in 2023.
Commentary
The standard outlines some "security threats" or "security issues" - generic examples of types of incident (such as "Insider attacks: an administrator tampers image or changes security configurations") - but does not explain which information security controls address the identified "security threats/issues", nor conversely which information risks the suggested information security controls are intended to mitigate. There is no cross-referencing between the two, so it is unclear how users are meant to identify, select or prioritise whichever controls are most appropriate for their situations.
So much for the “implementation guidelines”!
