As ator of a private cloud solution:

• How do I monitor and audit the use of the services hosted in the cloud? If I don't know what I've got, how do I make sure that it's secure?
• What happens if the wrong people request or de-provision resources?
• How does the private cloud affect my customer service management procedures?

Security Functionality

The operational procedures associated with managing a private cloud should include the following security functionality in relation to the on-demand, self-service attribute of the private cloud:

• You should maintain the role-based access controls that govern who can provision and de-provision private cloud resources.
• You should monitor the provisioning and de-provisioning of resources to identify events that might indicate a misuse of cloud-based resources.
• You should log all provisioning and de-provisioning related events to enable you to audit who was using specific resources at specific times.
• You should ensure that the automated provisioning processes deliver virtual environments with a known, up to date security base-line configuration already applied.
• You should ensure that when a tenant provisions a new virtual environment, that nothing in the base-line environment compromises any data protection mechanisms that the tenant chooses to use.
• As a part of the automatic provisioning process, you should ensure that tenants are aware of their responsibilities for managing the security of their resources as specified in the SLA.

The following sections describe in more detail how to provide this functionality in the private cloud.

Platform Security

In the IaaS service delivery model, typically tenants are given access to virtual machines that they can use to host their own applications and services. The tenants can typically choose the operating systems that they wish to use:

• Allowing the tenants free choice over the operating systems they install leaves all responsibility for managing the security of the platform with the tenant. It is not realistic to expect the CSP to provide support and management services for the full range of possible operating systems. The lack of control available to the CSP results in a higher risk associated with this approach.
• If the CSP mandates that tenants should select from a list of approved operating systems, the CSP can provide a set of pre-configured, patched, baseline images. This arrangement helps to ensure that tenant environments start from a known good configuration, makes it more feasible for the CSP to support and manage the tenant environments, and helps reduce the overall attack surface of the private cloud.

In the second scenario outlined above, operational responsibilities should include ensuring that the tenant's operating system is fully patched: baseline machine images should be kept up to date with the latest security patches, currently active virtual machines should be patched, and any dormant virtual machines should be updated.  

Note:
This document is part of a collection of documents that comprise the Reference Architecture for Private Cloud document set. The Solution for Private Cloud is a community collaboration project. Please feel free to edit this document to improve its quality. If you would like to be recognized for your work on improving this document, please include your name and any contact information you wish to share at the bottom of this page

Note: To carry out this updating, the CSP must have access to the virtual machines. Again, the responsibilities for updating virtual machines should be set out clearly in the SLA. With PaaS, customer applications might be dependent on specific updates, such as to SQL Server Express or a particular version of the .NET Framework.

System Center provides an example of how you can patch offline virtual machines. You can use System Centecles/solution-for-private-cloud.aspx"> document set. The Solution for Private Cloud is a community collaboration project. Please feel free to edit this document to improve its quality. If you would like to be recognized for your work on improving this document, please include your name and any contact information you wish to share at the bottom of this page

Note: To carry out this updating, the CSP must have access to the virtual machines. Again, the responsibilities for updating virtual machines should be set out clearly in the SLA. With PaaS, customer applications might be dependent on specific updates, such as to SQLr Virtual Machine Manager to manage patching your virtual machine images, including dormant images and templates. See http://technet.microsoft.com/en-us/magazine/ff848996.aspx for more information.

The SLA between the CSP and the tenant must specify where the responsibility for managing the security of the virtualized operating system lies.

In the PaaS service delivery model, the standardized run-time environment means that responsibility for maintaining the security of the run-time lies with the CSP. However, if the platform enables tenants to configure options that impact the security of their environment, such as opening or closing ports, such changes made by the tenant should be subject to role-based access controls and be fully logged.

Software Security

In the SaaS service delivery model, the CSP is responsible for all aspects of the hosted service's security. The on-demand self-service attribute, if it exists, is likely to appear as the ability of client business units to register their end users to have access to the service. Security related operational activities will include maintaining the identity and access management systems used by the service, managing information security, availability, and IT service continuity.

In the IaaS and PaaS service models, the CSP may monitor the software deployed by the tenants for compliance with corporate standards for designing, implementing, and managing software and services.

Service Delivery Security

You should use traffic analysis and packet inspection to monitor the use of all service delivery endpoints and identify unusual patterns or potential attacks.

Management Security

You must be able to identify who within your organization has requested and authorized specific resources through the automated provisioning system for the private cloud. Although other users may access a service hosted in the cloud, the person or business unit who requested and authorized the use of a resource is responsible for paying for that resource and responsible for ensuring that its use complies with any enterprise policies. The self-service provisioning system must record all the relevant information about the resource request and ensure that the tenants are fully aware of their responsibilities in running and maintaining that resource. The same system must record requests and authorizations to de-provision resources at the end of their lifecycle.

Note:
In providing information to the tenants about their responsibilities for running and maintaining the resource, you should be careful not to reveal any information that might compromise your security systems and procedures.

To ensure that any provisioning process includes all the necessary security configuration steps, you should use automated procedures. As well as ensuring repeatable processes, automation can automatically log details of each step to provide a full audit trail of the provisioning and de-provisioning processes.

You should monitor and log all access to management functions that relate to the self-service attribute of the private cloud: for example financial management, capacity management, and fabric management.

You should also automate complex management operations to ensure they are performed in a repeatable fashion and that all steps are logged. Quotas should ensure that an attacker cannot simply request more and more pooled resources until the resources are exhausted.

Legal Issues

In the SaaS service delivery model, legislation may restrict access to certain services to users in particular geographic regions. The cloud service provider should ensure compliance, for example by ensuring that the self-service provisioning system verifies the geographic region of the user who is requesting access, and by monitoring and filtering access to the service based on the location that the request originates from.

REFERENCES:

ACKNOWLEDGEMENTS LIST:
If you edit this page and would like acknowledgement of your participation in the v1 version of this document set, please include your name below:
[Enter your name here and include any contact information you would like to share]

Return to Private Cloud Security Operations Challenges

Return to A Solution for Private Cloud Security

Return to Reference Architecture for Private Cloud

Move forward to Private Cloud Security Operations Challenges - Rapid Elasticity

Table of Contents for A Solution for Private Cloud Security