As an operator of a private cloud solution, I want to be sure that an appropriate level of security applies regardless of where the client is connecting from and regardless of the device form factor. This requirement applies to both cloud management and application security.
Security Functionality
There is an increasing demand from business users for support of a wider range of client devices (for example, mobile phones and tablets). These devices, alongside more traditional clients, are used both internally and externally to access corporate systems. Private clouds may also enable on-demand self-service access to computing and storage resources, and some responsibility for managing security passes to tenants (the degree of control typically depends on the service delivery model: IaaS, PaaS, or SaaS).
Combined with a complex infrastructure built to support virtualization and resource pooling, enabling broad network access to private cloud resources gives rise to the following operational concerns:
- Monitoring is complex. You should be able to monitor effectively at all levels in the architecture and be able to analyze the collected data to respond to incidents quickly.
- You should attempt to ensure that all access to cloud-based services is traceable and auditable.
- You must ensure that all platforms, host and guest, are updated promptly with the latest security patches to protect them from emerging threats.
- You must have plans in place to contain any security breaches in the cloud. This plan should balance the thoroughness of your response against the stipulations in the SLA.
- It may be difficult to contain a security breach in the infrastructure without taking the whole cloud offline, because of the homogeneous nature of the infrastructure and the difficulty of identifying which applications and services are currently hosted on which physical device.
- You may not have full control over all aspects of security. For example, tenant applications may be responsible for their own identity management, authentication, and authorization. Business units may require users to be able to access cloud-hosted services using smartphones and tablets.
Infrastructure Security
The design of your private cloud infrastructure should ensure that the infrastructure resources such as servers and virtualization stacks are isolated from the virtualized guest operating systems.
Where possible, your monitoring systems should cover as much traffic and activity in the infrastructure as possible, regardless of where it originates. Note that with IaaS provision you may not have access to tenant VMs, so your monitoring may have to be at the network level.
Note: This document is part of a collection of documents that comprise the Reference Architecture for Private Cloud document set. The Solution for Private Cloud is a community collaboration project.
Whatever the allocation of responsibility, you must be able to respond quickly to any possible security issue in the infrastructure as it could affect all of the servers or hypervisors in the cloud. Furthermore, it may be difficult to determine which guest environments are or were affected by problems identified in the infrastructure.
Virtualization raises some additional monitoring problems. Traditional architectures may use dedicated devices to monitor and analyze network traffic as it passes through switches in the data center. However, in a virtualized environment, some network traffic in VLANs may never leave the physical server because the two virtual machines that are communicating happen to be hosted on the same box.
In a very large private cloud you may also hit the limit of 4094 VLANs, which may limit your ability to isolate networks using this technology.
Your host systems should also be protected by host-based firewalls. You should monitor these firewalls and regularly review the configuration.
Automated analysis of monitoring data and automated responses are necessary to handle the large volume of monitoring data in the cloud.
Platform Security
The virtual machines that typically make up the platform in a private cloud will often be the ultimate target of any attack because of the data that they contain or have access to. However, in a private cloud, the CSP does not always have full operational control of these virtual environments and their security. The cloud service provider can use security controls in the infrastructure to provide some level of protection, but the virtual machines must also take steps to protect themselves:
- You should have operational procedures in place to update guest operating systems in a timely manner with the latest security patches to help protect them from the broadest possible set of attacks. At the platform level, you should be using automation to manage this task.
- Guest operating systems should be protected by their own firewall. You must have procedures in place to verify the firewall settings regularly.
- Guest operating systems should be regularly scanned for malware. You must carefully plan how to schedule these scans: if all the virtual machines hosted on a physical server begin their scan at the same time, this will cause performance problems for all the hosted applications and services.
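The firewall review called for above, both for the hosts in the infrastructure section and for the guests here, is most reliable when it is a comparison against an approved baseline rather than a manual read-through. The following is an added example, not code from the original document: it parses two rule dumps in iptables-save format, reports rules that were added, removed or reordered, and flags any ACCEPT rule that opens a management port without a source restriction. The management port list and both rule dumps are constructed assumptions.

```python
"""Firewall rule drift check.

Added example, not part of the original document: compares a captured
rule dump (iptables-save format) against an approved baseline and reports
rules that were added, removed or reordered, then flags any ACCEPT rule
that exposes a management port without a source restriction. The port
list and both dumps below are constructed assumptions.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Assumption: these ports are reachable only from the management network.
MANAGEMENT_PORTS = {22, 3389, 5985, 5986}

# Approved baseline (constructed): SSH only from the management subnet.
BASELINE_DUMP = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.0.100.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""

# Captured later (constructed): the source restriction on port 22 is gone.
CURRENT_DUMP = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""


@dataclass(frozen=True)
class Rule:
    chain: str
    spec: str  # rule text after "-A <chain>"


def parse_rules(dump: str) -> list[Rule]:
    """Keep only '-A' rules; table headers, chain policies and COMMIT are skipped."""
    rules = []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("-A "):
            _, chain, *rest = line.split()
            rules.append(Rule(chain, " ".join(rest)))
    return rules


def exposed_management_rules(rules: list[Rule]) -> list[Rule]:
    """ACCEPT rules on a management port that carry no '-s' source match."""
    hits = []
    for r in rules:
        if "-j ACCEPT" not in r.spec:
            continue
        port = re.search(r"--dport (\d+)", r.spec)
        has_source = re.search(r"(^|\s)-s\s", r.spec) is not None
        if port and int(port.group(1)) in MANAGEMENT_PORTS and not has_source:
            hits.append(r)
    return hits


def audit(baseline_dump: str, current_dump: str) -> dict:
    """Return added/removed/reordered rules plus exposed management rules."""
    baseline, current = parse_rules(baseline_dump), parse_rules(current_dump)
    base_set, cur_set = set(baseline), set(current)
    return {
        "added": [r for r in current if r not in base_set],
        "removed": [r for r in baseline if r not in cur_set],
        # Identical rule sets in a different order still change behaviour,
        # because the first matching rule wins.
        "reordered": base_set == cur_set and baseline != current,
        "exposed": exposed_management_rules(current),
    }


if __name__ == "__main__":
    for key, value in audit(BASELINE_DUMP, CURRENT_DUMP).items():
        print(f"{key}: {value}")
```

Run against the constructed dumps, the check reports one removed rule (SSH restricted to 10.0.100.0/24), one added rule (SSH from anywhere) and lists that added rule as an exposed management port. Rule order is compared as well as rule membership, since a reordered rule set matches packets differently even when no rule text changed.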
If you do not have access to the platform because it is completely owned and managed by the tenant, you can use the SLA to specify that the tenant must perform logging, patching, and malware scanning on their virtual environments. The SLA may also specify that you should audit the tenant's compliance with these requirements.
If your monitoring (in the platform or in the infrastructure) detects that a platform may have been compromised by an attacker, you may have automated processes that shut down the virtual machine or machines involved. Alternatively, you may keep the resource operating while you diagnose the effect of the attack. Note that shutting a virtual machine down discards its memory state; isolating it at the network level (or taking a snapshot) while it keeps running preserves that evidence for the diagnosis.
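The scan-scheduling point in the list above (all guests on one physical server starting their scan at the same moment) is easy to get wrong when schedules are set per guest. The following is an added example, not code from the original document: it spreads full scans of the guests on each host across a maintenance window so that no more than a fixed number run at once on the same physical server, refuses to produce a schedule that cannot fit, and includes the concurrency check an operator would run before committing the plan. The placement map, window length, scan duration and concurrency budget are constructed assumptions.

```python
"""Staggered malware-scan schedule per physical host.

Added example, not part of the original document: spreads full scans of
the guests on each host across a maintenance window so that at most a
fixed number run at once on the same physical server. The placement map,
window length, scan duration and concurrency budget are constructed
assumptions.
"""
from __future__ import annotations
from collections import defaultdict

WINDOW_MINUTES = 8 * 60   # assumed nightly window, e.g. 22:00 to 06:00
SCAN_MINUTES = 45         # assumed duration of one full scan
MAX_CONCURRENT = 2        # assumed number of scans a host can absorb at once

# Constructed placement: VM name -> physical host.
PLACEMENT = {
    "web-01": "host01", "web-02": "host01", "db-01": "host01",
    "db-02": "host01", "app-01": "host01",
    "web-03": "host02", "app-02": "host02",
}


def build_schedule(placement: dict[str, str], window: int = WINDOW_MINUTES,
                   duration: int = SCAN_MINUTES,
                   max_concurrent: int = MAX_CONCURRENT) -> dict[str, int]:
    """Return VM -> scan start offset in minutes from the window start.

    Guests on the same host are sorted by name (deterministic across runs)
    and placed into slots of `max_concurrent`; each slot starts one scan
    duration after the previous. Raises ValueError if a host has more
    guests than the window can hold, rather than silently overlapping.
    """
    by_host: dict[str, list[str]] = defaultdict(list)
    for vm, host in placement.items():
        by_host[host].append(vm)

    schedule = {}
    for host, vms in by_host.items():
        for i, vm in enumerate(sorted(vms)):
            start = (i // max_concurrent) * duration
            if start + duration > window:
                raise ValueError(
                    f"{host}: {len(vms)} guests need more than {window} min "
                    f"at {max_concurrent} concurrent scans of {duration} min")
            schedule[vm] = start
    return schedule


def peak_concurrency(schedule: dict[str, int], placement: dict[str, str],
                     duration: int = SCAN_MINUTES) -> dict[str, int]:
    """Largest number of scans running at the same time on each host.

    This is the check to run before committing a schedule: the value must
    not exceed the concurrency budget on any host.
    """
    starts_by_host: dict[str, list[int]] = defaultdict(list)
    for vm, start in schedule.items():
        starts_by_host[placement[vm]].append(start)

    peak = {}
    for host, starts in starts_by_host.items():
        # Concurrency only rises at a start time, so sampling there suffices.
        peak[host] = max(sum(1 for s in starts if s <= t < s + duration)
                         for t in starts)
    return peak


if __name__ == "__main__":
    plan = build_schedule(PLACEMENT)
    for vm in sorted(plan, key=lambda v: (PLACEMENT[v], plan[v])):
        print(f"{PLACEMENT[vm]}  +{plan[vm]:>3} min  {vm}")
    print("peak per host:", peak_concurrency(plan, PLACEMENT))
```

With five guests on host01 and a budget of two concurrent 45-minute scans, the plan starts two scans at the window start, two at +45 minutes and the last at +90 minutes; host02's two guests both start immediately. Because the schedule is keyed on current placement, it must be regenerated whenever guests migrate between hosts.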
Software Security
Depending on who is responsible for the security of the software running in the virtual environment, the following operational tasks should be performed.
- Apply patches and updates relating to security to any third-party applications and services.
- Monitor the use of the hosted service or application for possible malicious attacks.
- Verify that any secure design and development practices mandated by corporate policies are applied to the application. These might include the use of a secure development methodology such as the Security Development Lifecycle (SDL), regular security reviews of the application, auditing the application, and verifying compliance with legal or corporate governance requirements.
Your approach to complying with these requirements will be driven by the SLA.
Service Delivery Security
Service delivery endpoints enable clients to access management functionality in the cloud and end users to access services and applications hosted in the cloud. You should perform detailed monitoring and traffic analysis to identify any unusual usage patterns or activity that may indicate a threat.
You should also verify that clients protect their connections to these endpoints appropriately, for example with HTTPS or IPsec, and that the endpoints themselves reject unprotected connections rather than leaving the choice to the client.
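The traffic analysis described above for service delivery endpoints needs concrete detections to be useful. The following is an added example, not code from the original document: it runs two simple checks over access log lines in a constructed format, a user appearing from a client type they have never used before, and a burst of calls to management endpoints within a short window. The log format, the /mgmt/ path prefix, the thresholds and the sample lines are all assumptions.

```python
"""Usage-pattern checks over service delivery endpoint logs.

Added example, not part of the original document: runs two simple
detections over access log lines of a constructed format: a client type
never seen before for a given user, and a burst of calls to management
endpoints inside a short window. The log format, the /mgmt/ prefix, the
thresholds and the sample lines are all assumptions.
"""
from __future__ import annotations
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"client=(?P<client>\S+) path=(?P<path>\S+) status=(?P<status>\d+)")
MGMT_PREFIX = "/mgmt/"                 # assumed prefix of management endpoints
BURST_WINDOW = timedelta(minutes=5)    # assumed
BURST_THRESHOLD = 10                   # assumed calls per window

# Constructed sample: two ordinary users, a tablet that bob has never used
# before, and carol hammering management endpoints.
SAMPLE_LOG = [
    "2012-03-01T09:00:01Z user=alice src=10.1.2.3 client=Desktop path=/app/portal status=200",
    "2012-03-01T09:00:09Z user=alice src=10.1.2.3 client=Desktop path=/app/reports status=200",
    "2012-03-01T09:01:12Z user=bob src=203.0.113.7 client=Tablet path=/app/portal status=200",
] + [
    f"2012-03-01T09:02:{s:02d}Z user=carol src=198.51.100.9 client=Desktop "
    f"path=/mgmt/vm/{s} status=200"
    for s in range(0, 48, 4)           # 12 management calls in 48 seconds
]
# Client types each user has used before (constructed baseline).
KNOWN_CLIENTS = {"alice": {"Desktop"}, "bob": {"Desktop"}, "carol": {"Desktop"}}


def parse(line: str) -> dict | None:
    m = LINE_RE.match(line)
    if not m:
        return None          # malformed lines are skipped, not trusted
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def analyze(lines: list[str], known_clients: dict[str, set[str]]) -> list[tuple]:
    """Return (kind, user, detail) alerts in the order they are raised."""
    alerts = []
    seen = {u: set(c) for u, c in known_clients.items()}   # copy; we mutate it
    recent: dict[str, deque] = defaultdict(deque)           # user -> mgmt call times

    for ev in filter(None, map(parse, lines)):
        user, ts = ev["user"], ev["ts"]

        # A user appearing from a device type they have never used before.
        if ev["client"] not in seen.setdefault(user, set()):
            alerts.append(("new_client", user, ev["client"]))
            seen[user].add(ev["client"])

        # Sliding window of management calls; alert once when it reaches the threshold.
        if ev["path"].startswith(MGMT_PREFIX):
            window = recent[user]
            window.append(ts)
            while ts - window[0] > BURST_WINDOW:
                window.popleft()
            if len(window) == BURST_THRESHOLD:
                alerts.append(("mgmt_burst", user, len(window)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, KNOWN_CLIENTS):
        print(alert)
```

On the sample lines the analysis raises exactly two alerts: bob's first appearance from a tablet, and carol crossing ten management calls inside the five-minute window. The per-user client baseline is the piece that needs a real data source in production; here it is a constructed dictionary.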
Management Security
All management activities in the private cloud should be secured using role-based access controls and you should maintain a full audit trail of all management activities within the cloud.
You should perform regular reviews of access permissions to management functionality to determine whether the correct people have the required levels of access.
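The access review described above can be driven from the audit trail the previous paragraph requires. The following is an added example, not code from the original document: given the current role assignments, the actions each role permits, and the management audit trail, it reports privileged accounts that have not exercised their role within the review period and audited actions that no granted role permits. The role model, the assignments and the audit entries are constructed.

```python
"""Periodic review of management role assignments against the audit trail.

Added example, not part of the original document: given the current
role-to-user assignments, the actions each role permits, and the
management audit trail, it reports privileged accounts that have not
exercised their role within the review period and audited actions that no
granted role permits. The role model, assignments and trail entries are
constructed.
"""
from __future__ import annotations
from collections import defaultdict
from datetime import date

# Assumed role model: which management actions each role may perform.
ROLE_ACTIONS = {
    "FabricAdmin": {"vm.create", "vm.delete", "host.patch", "network.modify"},
    "TenantAdmin": {"vm.create", "vm.delete"},
    "ReadOnly": set(),
}

# Constructed current assignments: (user, role).
ASSIGNMENTS = [
    ("alice", "FabricAdmin"),
    ("bob", "TenantAdmin"),
    ("carol", "FabricAdmin"),
    ("dave", "ReadOnly"),
]

# Constructed audit trail of successful management actions: (date, user, action).
AUDIT_TRAIL = [
    ("2012-02-28", "alice", "host.patch"),
    ("2012-02-27", "bob", "vm.create"),
    ("2012-01-05", "carol", "vm.delete"),
    ("2012-02-28", "dave", "network.modify"),   # not permitted by ReadOnly
    ("2012-02-28", "erin", "vm.delete"),        # no role assigned at all
]

REVIEW_DATE = date(2012, 3, 1)
STALE_DAYS = 30     # assumed: unused privilege older than this is a finding


def review(assignments, trail, review_date=REVIEW_DATE, stale_days=STALE_DAYS):
    """Return stale privileged accounts and actions outside any granted role.

    An action that no current role permits is reported as a violation and
    does not count as use of the role: either the audit trail or the role
    assignments are wrong, and both need attention.
    """
    roles: dict[str, set[str]] = defaultdict(set)
    for user, role in assignments:
        roles[user].add(role)

    last_used: dict[str, date] = {}
    violations = []
    for day, user, action in trail:
        allowed = set().union(*(ROLE_ACTIONS[r] for r in roles.get(user, set())))
        if action not in allowed:
            violations.append((day, user, action))
            continue
        when = date.fromisoformat(day)
        last_used[user] = max(last_used.get(user, when), when)

    stale = []
    for user, held in roles.items():
        if not (held - {"ReadOnly"}):        # read-only access is not privileged
            continue
        used = last_used.get(user)
        if used is None or (review_date - used).days > stale_days:
            stale.append(user)
    return {"stale": sorted(stale), "violations": violations}


if __name__ == "__main__":
    for key, value in review(ASSIGNMENTS, AUDIT_TRAIL).items():
        print(f"{key}: {value}")
```

On the constructed data the review flags carol, whose FabricAdmin role has not been used for 56 days, and two violations: dave performing a network change with only a read-only role, and erin acting with no role at all. The second kind of finding is the more serious one, because it means the audit trail and the access control model disagree about what the platform actually allowed.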
Client Security
Allowing a broad range of client devices to access cloud applications and services from both internal and external network locations expands the available attack surface. Although it is not feasible to lock down all the different client platforms in the way that you can lock down and control desktop client environments, there are still steps you can take to mitigate these threats.
Corporate governance rules, SLAs, or legislation can mandate or recommend that certain security features must be included, or procedures followed during the development, deployment, and management of client applications. If this is the case, you should audit the client applications for compliance.
Although there are tools available that enable you to remotely manage mobile devices, they may not cover the full spectrum of devices used by employees and may not cover all the features of those devices. For example, a tool may be able to remotely wipe some types of device once you have determined that it has been lost or stolen, but the same tool may not enable you to enforce the use of locking features on certain smartphones. To mitigate some of the threats posed by the increased use of and broader range of client devices such as smartphones and tablets, you should consider the following:
- Update the corporate policies that govern the acceptable use of different client devices.
- Educate users about corporate policies that pertain to client device usage and about the steps that users can take to enhance the security of the devices that they use.
- Update your auditing procedures and incident response procedures to take into account the range of client devices and platforms in use.
Another approach to mitigate these threats is to disallow the use of some or all devices. For example, you could restrict access to the private cloud to only approved corporate smartphones and tablets. In practice, this may prove to be difficult to enforce, and run counter to the expectations of your tenants in the different business units. Network Access Protection is a mechanism you can use to increase client security by ensuring client devices meet with corporate security policy. For more information, see Network Access Protection, at http://technet.microsoft.com/en-us/network/bb545879.
Depending on the SLAs in place with the client business unit, you may also be responsible for rolling out security updates and patches to certain client platforms and applications within the organization. This updating should be done in a timely manner to enhance your protection from emerging threats. The SLA must clearly identify the responsibility for client updates and whether the CSP or the tenant should be carrying these out. The SLA should also assign overall ownership of the issue of client security, such as deciding when an emerging threat has become real and the controls need to be updated.
Legal Issues
Depending on the SLAs in place with the client business unit, you may also be responsible for monitoring compliance with any legislation relevant to the client's location or the platform's location.
For example, legislation in some regions specifies that certain categories of data must remain within that geographic region and may only be accessed from within it. Although this issue is less likely to be problematic in private cloud environments, it will probably be a factor in hybrid cloud implementations.