As Government and their suppliers "reach for the cloud", it is clear that virtualisation & simplicity are vital components in its success and in driving down the costs for government. However, it has come to our attention that there seems to be some confusion on the suitability of Microsoft's Hyper-V for use by UK Government or their suppliers in the delivery of services for government. Microsoft would like to correct that confusion and address a number of questions that have been raised.

For clarity:

The Windows Server Hyper-V hypervisor is suitable for HM Government or their suppliers to utilise to virtualise multiple workloads onto a server or server farm at any common Impact Level and threat.

This will enable customers and service providers alike to maximise their utilisation of hardware, improve the resilience characteristics of many services in a cost efficient way and follow the recommendations of CESG's Good Practice Guide on Virtualisation.

Frequently asked questions:

Does Hyper-V need to be "accredited/approved/assessed" by CESG before I can use it to virtualise government services at a common level of risk and threat?

CESG's Good Practice Guide on Virtualisation states that hypervisors do not need to be assessed if you are virtualising servers at a common level of risk and threat (the Good Practice Guide for Virtualisation is available via your CESG Account Manager for government departments and their suppliers). At present no product is assessed to operate at differing levels of risk and threat. All systems virtualised and operating at multiple Impact levels and threats will need to be accredited for operation regardless of the status of individual products.

Is Hyper-V common criteria accredited?

Actually both Server 2008 and Hyper-V are Common Criteria certified to EAL4+ and have been since 2009. Hyper-V's security certificate is available here and its security target is here. We would always recommend customers review the security target and understand what security capabilities are actually evaluated and contribute to the Information Assurance of a solution, beyond the base claims of any manufacturer.

Is the "R2" version of Hyper-V evaluated?

Although Windows Server 2008R2, including Hyper-V, is in common criteria evaluation to EAL 4+ our understanding is that CESG's recommendation would be to use the latest software from Microsoft and keep it updated regardless of its evaluation status.

What Patterns/Templates are available to use in aiding the deployment of  Hyper-V server for government use?

In addition to CESG's Good Practice Guide on Virtualisation, CESG are producing a number of "Architectural Patterns". These are non-product specific and in both cases cover a variety of deployment scenarios including operating at a common level of risk and threat as well as other specialised scenarios.  For detailed security guidance on how to implement Microsoft's Enterprise Server products we understand that CESG's guidance is to utilise Microsoft's best practice, which is available here for Hyper-V .

I want my virtual servers to operate at multiple levels of threat and risk?

At present no product is assessed to be able to operate at multiple levels of threat and risk. However, in an enterprise environment it is both practical and operationally cost effective to create pools of servers that operate at a common level of the threat and risk and still recognise the benefits of increased hardware utilisation that decrease hardware footprints and maximise value.

What is Microsoft's relationship with CESG?

Microsoft has a long and successful partnership with CESG primarily through the Government Security Program, and ensures that CESG has the best knowledge available to be able provide pragmatic information assurance guidance to HM Government. A customer or partner seeking definitive Information Assurance guidance should approach CESG via their normal channels.

Who can I contact to discuss further?

If you are a government department or system integrator for a government department please contact CESG via your CESG account manager, or your Microsoft Account Manager, Partner Manager or Technical Specialist.

Posted by Nick