Security Considerations for Infrastructure as a Service–IaaS-Private Cloud
Cloud computing makes a lot of promises in the areas of increased flexibility and agility, potential cost savings, and competitive advantages for developers so that they can stand up an infrastructure quickly and efficiently to enable then to develop the software to drive business success. There are a lot of problems that cloud, especially private cloud solves, but one of those isn’t security.
Private Cloud security requirements and considerations share a lot with those you find in the traditional datacenter. You still need to secure the infrastructure, you still need to secure the platforms, you still need to secure the applications and you still need to secure the data.
However, in a private cloud environment, you need to think about a few things that you don’t always see in the traditional datacenter:
- Hypervisor security – In the past, services were typically hosted on individual servers, which created a physical demarcation that most of us trusted between these services. With private cloud, most or all of them will run in a virtualized environment and you can’t take the security model used by the hypervisor for granted – you’ll need to evaluate the security models and development of your hypervisors and consider whether you should tier your applications based on relative security of different hypervisors.
- Multitenancy – Most of us understand that public clouds are going to be multitenant solutions, where you will be sharing a pooled resource infrastructure with other consumers of the cloud service. The same is likely going to be true of your private cloud IaaS deployment. Although all the tenants will be from the same company (this is by definition for private cloud), not all tenants may be comfortable sharing infrastructure with other orgs within the same company. For example, would Research and Development and Human Resources feel comfortable having their services hosted on the same infrastructure as Test or Messaging? You’ll need to consider how you handle multitenancy in private cloud environment
- Identity Management and Access Control (IdAM) – In a traditional datacenter we were comfortable with the small handful of authentication repositories we had to work with – Active Directory being one of the most popular. But with private cloud, how will you handle authentication and authorization for the cloud infrastructure? How will you handle it for the tenants? How will you handle delegation of administration of various aspect of the cloud fabric in what is an increasingly consolidated environment? And how will you handle the evolution of your private cloud to a hybrid cloud, where you will use various methods of federation and external identity providers, all with various levels of trust?
- Network Security – in the traditional datacenter we had sophisticated network IDS/IPS devices that enabled us to view and assess traffic over the wire. We also had internal firewalls or advanced switches that enabled variable levels of access control over the wired (or wireless) network. In our private cloud we are likely to have many components of a service communicate with each other over virtual network channels only. How are you going to assess that traffic? How are you going to employ the same powerful access controls you did with your physical networks? And how will you control quality of service, which is a key issues in the “Availability” aspect of the CIA (Confidentiality, Integrity and Availability) security model
- Eventing and Reporting – Private cloud, while enabling many of your business groups, is going to potentially significantly increase the complexity of your overall computing infrastructure. Teams will be firing up virtual machines using self-service portals, they’ll be installing operating systems and services, and many of these are going to be connected to other resources in the private cloud, to resources on your production network, to resources on the Internet and even resources hosted in your public cloud. How will you set up an eventing and reporting infrastructure that will be aware of all of these devices as they are instantiated and then tore down? How will you collect and organize this information? How will you determine what information is “interesting” and how will you remove the noise? How will integrate the intelligence data you collect with your automation systems so that remediation takes place automatically?
These are just a few of the issues that you should consider when you start your journey to the private cloud. If you would like to learn about more considerations and some of the possible solutions to these problems, then check out this presentation I delivered to the Microsoft Enterprise Security MVPs.
Click HERE to download the presentation.
Let me know what you think of the presentation and if you have any questions or ideas that you think should be included. We’re still in an evolutionary phase when it comes to private cloud and now is the time for the thought leaders in the private cloud community to step up!