As an operator of a private cloud solution, I want to be sure that an appropriate level of security applies regardless of where the client is connecting from and regardless of the deviceimage form factor. This requirement applies to both cloud management and application security.

Security Functionality

There is in an increasing demand from business users to enable support for a wider range of client devices (for example mobile phones and tablets). These devices, alongside more traditional clients, are used both internally and externally to access corporate systems. Private clouds may also enable on-demand self-service access to computing and storage resources. Private clouds also mean that some responsibility for managing security is given over to tenants (the degree of control typically depends on the service delivery model: IaaS, PaaS, or SaaS).

Combined with a complex infrastructure built to support virtualization and resource pooling, enabling broad network access to private cloud resources gives rise to the following operational concerns:

Infrastructure Security

The design of your private cloud infrastructure should ensure that the infrastructure resources such as servers and virtualization stacks are isolated from the virtualized guest operating systems. Where possible your monitoring systems should monitor as much traffic and activity in the infrastructure as possible, regardless of from where it originates. Note that with IaaS provision, you may not have access to tenant VMs and your monitoring may have to be at the network level.


Note:
This document is part of a collection of documents that comprise the Reference Architecture for Private Cloud document set. The Solution for Private Cloud is a community collaboration project. Please feel free to edit this document to improve its quality. If you would like to be recognized for your work on improving this document, please include your name and any contact information you wish to share at the bottom of this page


Whatever the allocation of responsibility, you must be able to respond quickly to any possible security issue in the infrastructure as it could affect all of the servers or hypervisors in the cloud. Furthermore, it may be difficult to determine which guest environments are or were affected by problems identified in the infrastructure.

Virtualization raises some additional monitoring problems. Traditional architectures may use dedicated devices to monitor and analyze network traffic as it passes through switches in the data center. However, in a virtualized environment, some network traffic in VLANs may never leave the physical server because the two virtual machines that are communicating happen to be hosted on the same box.

Whatever the allocation of responsibility, you must be able to respond quickly to any possible security issue in the infrastructure as it could affect all of the servers or hypervisors in the cloud. Furthermore, it may be difficult to determine which guest environments are or were affected by problems identified in the infrastructure.

Virtualization raises some additional monitoring problems. Traditional architectures may use dedicated devices to monitor and analyze network traffic as it passes through switches in the data center. How0in 10pt;">In a very large private cloud you may also hit the limit of 4094 VLANs, which may limit your ability to isolate networks using this technology.

Your host systems should also be protected by host-based firewalls. You should monitor these firewalls and regularly review the configuration.

Automated analysis of monitoring data and automated responses are necessary to handle the large volume of monitoring data in the cloud.

Platform Security

The virtual machines that typically make up the platform in a private cloud will often be the ultimate target of any attack because of the data that they contain or have access to. However, in a private cloud, the CSP does not always have full operational control of these virtual environments and their security. The cloud service provider can use security controls in the infrastructure to provide some level of protection, but the virtual machines must also take steps to protect themselves:

If you do not have access to the platform because it is completely owned and managed by the tenant, you can use the SLA to specify that the tenant must perform logging, patching, and malware scanning on their virtual environments. The SLA may also specify that you should audit the tenant's compliance with these requirements.

If your monitoring (in the platform or in the infrastructure) detects that a platform may have been compromised by an attacker, you may have automated processes that can shut down the virtual machine or machines that are involved. Alternatively, you may keep the resource operating while you attempt to diagnose the effect of the attack.

Software Security

Depending on who is responsible for the security of the software running in the virtual environment, the following operational tasks should be performed.

Your approach to complying with these requirements will be driven by the SLA.

Service Delivery Security

Service delivery endpoints enable clients to access management functionality in the cloud and end users to access services and applications hosted in the cloud. You should perform detailed monitoring and traffic analysis to identify any unusual usage patterns or activity that may indicate a threat.

You should also verify that clients are using appropriate endpoint security for their applications, for example using HTTPS or IPsec.   

Management Security

All management activities in the private cloud should be secured using role-based access controls and you should maintain a full audit trail of all management activities within the cloud.

You should perform regular reviews of access permissions to management functionality to determine whether the correct people have the required levels of access.

Client Security

Allowing a broad range of client devices to access cloud applications and services from both internal and external network locations expands the available attack surface. Although it is not feasible to lock down all the different client platforms in the way that you can lock down and control desktop client environments, there are still steps you can take to mitigate these threats.

Corporate governance rules, SLAs, or legislation can mandate or recommend that certain security features must be included, or procedures followed during the development, deployment, and management of client applications. If this is the case, you should audit the client applications for compliance.

Although there are tools available that enable you to remotely manage mobile devices, they may not cover the full spectrum of devices used by employees and may not cover all the features of those devices. For example, a tool may be able to remotely wipe some types of device once you have determined that it has been lost or stolen, but the same tool may not enable you to enforce the use of locking features on certain smartphones. To mitigate some of the threats posed by the increased use of and broader range of client devices such as smartphones and tablets, you should consider the following:

Another approach to mitigate these threats is to disallow the use of some or all devices. For example, you could restrict access to the private cloud to only approved corporate smartphones and tablets. In practice, this may prove to be difficult to enforce, and run counter to the expectations of your tenants in the different business units. Network Access Protection is a mechanism you can use to increase client security by ensuring client devices meet with corporate security policy. For more information, see Network Access Protection, at http://technet.microsoft.com/en-us/network/bb545879.

Depending on the SLAs in place with the client business unit, you may also be responsible for rolling out security updates and patches to certain client platforms and applications within the orgud to only approved corporate smartphones and tablets. In practice, this may prove to be difficult to enforce, and run counter to the expectations of your tenants in the different business units. Network Access Protection is a mechanism you can use to increase client security by ensuring client devices meet with corporate security policy. For more information, see Network Access Protection, at http://technet.microsoft.com/en-us/network/bb545879.

Depending on the SLAs in place with the client business unit, you may also beanization. This updating should be done in a timely manner to enhance your protection from emerging threats. The SLA must clearly identify the responsibility for client updates and whether the CSP or the tenant should be carrying these out. The SLA should also assign overall ownership of the issue of client security, such as deciding when an emerging threat has become real and the controls need to be updated.

Legal Issues

Depending on the SLAs in place with the client business unit, you may also be responsible for monitoring compliance with any legislation relevant to the client's location or the platform's location. For example, legislation in some regions specifies that certain categories of data must remain within that geographic region and may only be accessed from within that geographic region. Although this issue is less likely to be problematic in private cloud environments, it will probably be a factor with hybrid cloud implementations.

REFERENCES:

 

ACKNOWLEDGEMENTS LIST:
If you edit this page and would like acknowledgement of your participation in the v1 version of this document set, please include your name below:
[Enter your name here and include any contact information you would like to share]

Return to Private Cloud Security Operations Challenges

Return to A Solution for Private Cloud Security


Return to Reference Architecture for Private Cloud

Move forward to Private Cloud Security Operations Challenges - On Demand Self Service

Table of Contents for A Solution for Private Cloud Security