Private Cloud Security Model - Platform Security
Having applied effective security to your infrastructure, you can start to examine security at the platform level. Good platform security is essential for high levels ofhttp://blogs.technet.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-85-24-metablogapi/5658.image_5F00_64BCDD48.png application security in the software layer. Unless you have addressed potential attack points at the platform level, you are potentially compromising security of all your applications. You also need to consider security between the platform and the infrastructure layers. Figure 1 summarizes these security considerations.
Figure 1: Private cloud platform security issues
The first part of platform security is at the virtualization level; here you must protect the virtual machines from each other and from the host computers. The host computers must also be protected from the virtual machines.
Note:
This document is part of a collection of documents that comprise the Reference Architecture for Private Cloud document set. The Solution for Private Cloud is a community collaboration project. Please feel free to edit this document to improve its quality. If you would like to be recognized for your work on improving this document, please include your name and any contact information you wish to share at the bottom of this page
To achieve high levels of security, you must consider each virtual machine as having its own defensive perimeter. These defenses will consist of a guest firewall, anti-virus, system policies, and IPsec-secured communications. In addition, you may also want to apply intrusion detection and security monitoring on the guest virtual machine, using either an agent-based or agentless mechanism. In effect, you are applying server security best practice to the virtual machines.
To support the rapid elasticity attribute of private cloud environments, virtual machines are typically provisioned from templates. As a virtual machine is provisioned, it must have the latest security updates applied, the anti-virus definitions updated, any policy changes implemented, and monitoring agents brought up to the latest release. A machine certificate needs to be installed and IPsec policies applied before bringing the virtual machine online in the production environment. Virtual networking simplifies this process, as the provisioning system can switch the virtual machine into a limited access security update virtual network to carry out this updating before switching it across to the production environment network.
Note: As mentioned in the infrastructure section, if the provider does not have access to the virtual machines in a PaaS environment, then there needs to be a mechanism for applying security updates to these virtual machines.
Security updates to the virtual machines should also address other platform components, such as application frameworks, user experience (UX) services, integration services, queuing services, and so on. If you are providing PaaS for your consumers, then at the end of this provisioning process, they should be able to connect to the virtual machines and start developing applications. If you are providing SaaS, you can start installing your applications and running services.
Data Security
The platform layer also includes access to data services, so you should consider security aspects of this storage as well. Because of the generalized increased threat levels (not just to private cloud implementations) it is important that you take the view that all data is accessible, wherever it is stored. The principle of security through obscurity is well and truly discredited, as attackers with administrator rights can gain access to all levels of a private cloud environment. If a data bit is stored, you must assume an attacker can access it. Only the combination of encryption, ACLs, monitoring and auditing can provide effective levels of security.
Other considerations with data security require you to consider the lifecycle of a data bit. Within private cloud environments, data bits are not written just to one location on a single hard drive. The requirement for resilience results in that information being replicated to multiple locations. In addition, this data may appear on caching disk controllers, in temporary files, or in other stores through application-level or operating system replication.
Finally, data at rest is always more vulnerable than data in transit. There are technologies that enable attackers to intercept data in transit between two hosts, but it may not be possible or practicable to reconstruct that data. In any event, data intercepted in transit can only compromise that individual transmission, whereas accessing data at rest can provide the entire data set.
Hence data security is a key factor that requires extensive investigation. Although the user perception of cloud services is that their data is “somewhere out there”, as an operator you cannot afford to take such a lax view. You must implement strict data security and review where your data resides from the moment of writing it to disk to the point at which it is scrubbed or encrypted beyond recovery.
Application Framework Security
Your choice of application framework will depend on the type of applications and the development environment that your cloud environment will support. Hence, you will need to ensure that you apply strict standards in terms of what application framework types and versions are available, how those frameworks can be used, and how you update them.
Development Environment Security
Your provision of development environment may result from your customer requirements or may be something that you impose as an organizational standard. However, the larger the number of development environments that you support, the greater the challenge of providing adequate security.
Whatever development environment you provide, it is important that your consumers implement best security practices into the applications that they create following the principles of SDL. Factors such as using appropriate class design to reduce attack surface area, developing robust exception management, avoiding threading vulnerabilities and so on apply even more in a private cloud environment. Providing consumers with a sandboxed environment can significantly reduce the threat from poorly secured code that your customers create.
When tenants deploy their applications, strict application partitioning is essential. Each tenant’s application must be completely bounded within its environment and not able to access other tenant applications or data. Any attempts to do so must be detected and that application instance suspended until you can complete your forensic analysis.
Update Security
Update security in the platform layer shares similar factors as the infrastructure layer. Updates need to be tested and deployed rapidly while minimizing downtime. Virtualization and virtual machine snapshots can assist in this process by creating fallback positions so that platform components can be updated. Private cloud environments simplify this process in that updates to development environments can be carried out when the development environment is not in use by the consumer. Again, you must consider the circumstances in which you might not have access to the virtual machines to make these updates.
RESOURCES:
ACKNOWLEDGEMENTS LIST:
If you edit this page and would like acknowledgement of your participation in the v1 version of this document set, please include your name below:
[Enter your name here and include any contact information you would like to share]
Return to Private Cloud Security Model[
Return to Blueprint for A Solution for Private Cloud Security](http://social.technet.microsoft.com/wiki/contents/articles/blueprint-for-a-solution-for-private-cloud-security.aspx)
Return to A Solution for Private Cloud Security
Return to Reference Architecture for Private Cloud
Move forward to Private Cloud Security Model - Software Security
Table of Contents for A Solution for Private Cloud Security