기업 데이터 유출 방지를 위한 KVM 하이퍼바이저 기반 데이터 보호 기법

Abstract

Recently, preventing unauthorized access to sensitive information is one of the main security concerns in every company. In order to handle this issue, most of companies set up a standard security policy for desktop PCs and laptops. When desktop PCs and laptops are under control of a company, it is easy to enforce the installation of all the agent softwares implementing the standard security policy in desktop PCs and laptops. However, if desktop PCs or laptops are not under complete control of a company, e.g. laptops carried by visitors or guests, a.k.a Bring-Your-Own-Device (BYOD), it is difficult to enforce the standard security policy without sacrificing users’ experience. Most companies do not allow any laptops or desktop PCs to run inside a company in the case when the standard security policy cannot be applied to them. Note that this requires visitors’ sacrifice for their own experience. VDI (Virtual Desktop Infrastructure) is a popular solution to handle the security issue in BYOD case. There are two kinds of VDI, one is server-based, and the other one is client-based. In case of server-based VDI, the cost of initial infrastructure construction is very expensive. Moreover, the sensitive data can be exposed by local storage of user devices, because server-based VDI don’t manage the host OS. In case of client-based VDI, existing environment of device must be changed. It is not suitable for user device. The sensitive data also can be exposed because the data is not managed by central server.In this thesis, we propose a new solution for providing data leakage prevention caused by BYOD devices. This solution is based on KVM hypervisor. It can be applicable to any user device regardless of OS or architecture. User never get the sensitive data of enterprise, because the real data is stored in server storage instead of local storage. We implement a security module that runs on standard PC hardware. We also show that performance of our security module is acceptable. The I/O performance is decreased because of virtualization and network traffic. However, the overall performance is degraded due to virtualization. To reduce the overhead caused by virtualization, we plan to adopt thin hypervisor-based solution to our security module.