Security Considerations for Cloud Computing (Part 3) – Broad Network Access

If you would like to read the other parts in this article series please go to:

Introduction

In part two of our private cloud security series, we talked about how the five essential characteristics of cloud computing affect security considerations for private cloud environments. We also talked about how security in the private cloud is similar to the security decisions you make in the traditional datacenter. The main differences are related to the unique security issues you run into when considering the five essential characteristics of cloud computing, with the focus being on the on-demand self-service characteristic. Finally, in that article we talked about how our discussions are about private cloud computing in general and are not specific to what might be considered the Microsoft private cloud. We’ll talk about the Microsoft private cloud in great detail in future articles later this year after Windows Server 8 and the Windows Server 8 compatible suite of System Center products are released.

In this, part 3 of our series, we’ll discuss how the “Broad Network Access” characteristic of cloud computing introduces security issues that you need to address. When we refer to broad network access in cloud computing, we mean that the resources hosted by the cloud should be available to any computing device, regardless of form factor, from any Internet connected location. Of the five essential characteristics of cloud computing, broad network access is the most debated. The reason for this is that when you think about private cloud, you are most likely deploying the private cloud to keep your most highly prized information away from most of the people on the Internet. For many, it appears that broad network access is more applicable to public cloud deployments than private cloud.

However, you can take another view of broad network access. If we make the assumption that hybrid clouds, which are a combination of public and private clouds, will be a common deployment model, then you might want to enable broad network access from the perspective that the private cloud needs to be highly accessible to the front end components hosted in the public cloud. However, what doesn’t apply here is the ability of a broad array of devices to connect to the private cloud, since these devices will be connecting to front end services in the public cloud.

Issues Related to Broad Network Access and Private Cloud Security

The key issues related to broad network access and private cloud security include the following:

  • Perimeter network role and location
  • Identity and Access Management (IdAM)
  • Authentication
  • Authorization
  • Role-based access control (RBAC)
  • Federation
  • Logging and Auditing
  • Public network connectivity
  • Endpoint protection and client security

Let’s briefly discuss each of these.

Perimeter network role and location

In the private cloud, you will need to think about how you handle inbound connections to the resources on the private cloud network. In some cases, the inbound access will be required to allow front end services to connect to private cloud resources and in other cases, you may be hosting private cloud resources to which client devices will connect. Because inbound access from the Internet is required, you are going to need to support a DMZ between the private cloud services and the Internet.

An important consideration is that you may want to host your DMZ and firewalls in a virtualized environment like the rest of the services in your private cloud. However, because the firewalls and other gateways belong to a different security zone, you should not host these services on the same servers that host your production workloads. The reason for this is that if somehow the gateway virtual machines are compromised, there is the chance of an attacker taking down your entire private cloud infrastructure.

Identity and Access Management (IdAM)

Identity and access management are critical areas when dealing with private cloud security. You will need to be able to authenticate all inbound connections to the private cloud, and then after the user is authenticated, you need a mechanism in place to authorize the use of private cloud resources. How you will do this depends on the range of clients that you anticipate connecting to your private cloud resources and the nature of the private cloud resources to which they connect.

Access management needs to take into consideration not only the users of private cloud services, but also the managers of the private cloud infrastructure. You do not want the managers of the components of the private cloud infrastructure to have omnibus control of all aspects of the infrastructure; you only want them to be able to manage the pieces for which they are responsible. In addition, you do not want the managers of the tenant workloads to have access to other tenant workloads and the private cloud infrastructure.

Role-based access control (RBAC)

This leads us to the concept of role based access control. Access to various components of the private cloud should be based on the role that person has within the private cloud. There are various components of the private cloud that require support for multiple roles. The challenge is that the components of the infrastructure that used to be hosted on different physical components in a distributed fashion in a traditional data center are now consolidated into a central infrastructure in the private cloud.

Networking, computing, and storage roles need to be delegated to the people who are responsible for those components. Your cloud management solution will likely provide a central console to manage all of these components. Therefore, you need to confirm that your private cloud management interface enables you to give the administrators of the various components access to the configuration interfaces they require, but no access to any other configuration options.

End users of the cloud – whether they are consumers of the private cloud services or tenant administrators – should be limited to the components of the services they require. End users need access to the controls of the services they connect to so that the application provides them with the desired functionality, and tenant administrators need access to the controls that influence the functionality and performance of their own workloads.
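As an added illustration of the delegation just described (this is not code from the article), the following Python sketch models a deny-by-default RBAC check in which each role is scoped to one infrastructure component or to the workloads of the principal's own tenant. Role names, actions and tenant names are constructed.

```python
"""Scoped, deny-by-default RBAC for a private cloud management plane.

Added illustration, not code from the article. Each role grants actions on one
infrastructure component (network, compute, storage) or on the workloads of the
principal's own tenant, so a network administrator cannot touch compute and a
tenant administrator cannot reach other tenants' workloads or the shared
infrastructure. Role names and actions are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

INFRA_COMPONENTS = {"network", "compute", "storage"}   # shared infrastructure
# role -> set of (component, action) it may perform; "workload" is tenant-owned
ROLE_PERMISSIONS = {
    "network-admin": {("network", "configure"), ("network", "read")},
    "compute-admin": {("compute", "configure"), ("compute", "read")},
    "storage-admin": {("storage", "configure"), ("storage", "read")},
    "tenant-admin": {("workload", "configure"), ("workload", "read"),
                     ("workload", "scale")},
    "tenant-user": {("workload", "read")},
}

@dataclass(frozen=True)
class Principal:
    name: str
    roles: FrozenSet[str]
    tenant: Optional[str] = None   # None for infrastructure staff

@dataclass(frozen=True)
class Resource:
    component: str                 # "network", "compute", "storage", "workload"
    tenant: Optional[str] = None   # owning tenant; None for infrastructure

def is_authorized(principal: Principal, action: str, resource: Resource) -> bool:
    """Allow only when a role grants (component, action) and the tenant scope
    matches; everything else is denied."""
    if resource.component == "workload":
        if resource.tenant is None or principal.tenant != resource.tenant:
            return False           # never cross into another tenant's workloads
    elif resource.component not in INFRA_COMPONENTS:
        return False               # unknown component: deny
    return any((resource.component, action) in ROLE_PERMISSIONS.get(r, ())
               for r in principal.roles)

if __name__ == "__main__":
    net_admin = Principal("alice", frozenset({"network-admin"}))
    acme_admin = Principal("bob", frozenset({"tenant-admin"}), tenant="acme")
    print(is_authorized(net_admin, "configure", Resource("network")))    # True
    print(is_authorized(net_admin, "configure", Resource("compute")))    # False
    print(is_authorized(acme_admin, "read", Resource("workload", "globex")))  # False
```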

Federation

Federation of your authentication and authorization infrastructure is critical because of the number of systems that the private cloud will be working with. Most private cloud environments will have components situated in the public cloud, or with partners who are running their own private cloud environments. Because of this, there is no centralized authentication repository. This is also true when you think about client connections to the private cloud. You may or may not have knowledge of these client systems in advance and therefore will need to support a decentralized approach when it comes to authentication repositories. Federation allows you to do this by enabling your private cloud to consume claims generated by trusted authentication repositories.
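The following added example (not the article's code) shows the relying-party side of claims consumption in Python: the private cloud trusts a fixed set of issuers, verifies each token's integrity, audience and expiry, and only then maps the issuer's group claims to local roles. The token format is a simplified stand-in (JSON claims plus an HMAC-SHA256 tag keyed per issuer) for the signed SAML or JWT tokens a real identity provider would issue; issuer names, keys, claim names and the audience are constructed.

```python
"""Claims consumption at a private cloud relying party.

Added illustration, not the article's code. A token is modelled as JSON claims
plus an HMAC-SHA256 tag keyed per issuer, a stand-in for the signed SAML/JWT
tokens a real identity provider would issue. Issuer names, secrets, claim
names and the audience are constructed."""
import hashlib, hmac, json, time
from typing import Optional

# Issuers this private cloud trusts and the key used to verify their tokens.
TRUSTED_ISSUERS = {
    "https://idp.partner.example": b"partner-shared-secret",
    "https://sts.publiccloud.example": b"frontend-shared-secret",
}
AUDIENCE = "https://privatecloud.example/tenant-portal"
# (issuer, group claim) -> local role; unmapped groups grant nothing.
CLAIM_TO_ROLE = {
    ("https://idp.partner.example", "cloud-ops"): "tenant-admin",
    ("https://sts.publiccloud.example", "frontend-svc"): "service-caller",
}

def issue_token(issuer: str, key: bytes, claims: dict) -> str:
    """Issuer side: serialise claims deterministically and append the tag."""
    body = json.dumps({"iss": issuer, **claims}, sort_keys=True)
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def consume_token(token: str, now: Optional[float] = None) -> dict:
    """Relying-party side: check issuer trust, signature, audience and expiry,
    then translate the issuer's group claims into local roles."""
    now = time.time() if now is None else now
    body, _, tag = token.rpartition(".")   # tag is hex, so it holds no dots
    claims = json.loads(body)
    issuer = str(claims.get("iss"))
    key = TRUSTED_ISSUERS.get(issuer)
    if key is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad signature")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("token not intended for this relying party")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    roles = [CLAIM_TO_ROLE[(issuer, g)] for g in claims.get("groups", [])
             if isinstance(g, str) and (issuer, g) in CLAIM_TO_ROLE]
    return {"subject": claims.get("sub"), "roles": roles}

def rejection_reason(token: str, now: float) -> Optional[str]:
    """None if the token is accepted, otherwise the reason it was rejected."""
    try:
        consume_token(token, now)
        return None
    except ValueError as exc:
        return str(exc)
```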

Logging and Auditing

Auditing needs to be robust and comprehensive in the private cloud. Because there are so many tenant workloads and so many users and devices connecting from a variety of locations to your private cloud, you need to comprehensively log and report on all activities taking place in the private cloud. This situation becomes increasingly complex because self-service enables tenant administrators to spin up services on an automated basis and enables users to connect to these resources – all of which happens without explicit knowledge of, or real-time or personal communication with, the cloud infrastructure administrators.

Logging and auditing is also crucial for predictability. You need to know trends and patterns due to broad network access. Is there a pattern to users’ connectivity? Do more users connect at certain times of day? Are there more attacks coming from a certain geographic location? Is there a trend for a particular type of attack or attacks from particular devices? Widespread logging and reporting can give you this critical information so that you can create automated responses to these issues.
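As an added example (not from the article) of answering the questions above from gateway logs, this Python script tallies connections per hour and failed logins per geography, and picks out sources whose behaviour (repeated failures, or many distinct usernames from one address) warrants an automated response. The log lines are constructed in an invented key=value format using documentation IP ranges; a real gateway's format would differ.

```python
"""Trend and attack-pattern extraction from private cloud gateway access logs.

Added example, not from the article. The log lines are constructed in an
invented key=value format; a real gateway's format would differ. Source
addresses use documentation ranges."""
from collections import Counter, defaultdict

SAMPLE_LOG = """\
2012-03-01T08:02:11Z tenant=acme src=198.51.100.7 geo=DE user=alice result=ok
2012-03-01T08:05:40Z tenant=acme src=198.51.100.9 geo=DE user=bob result=ok
2012-03-01T09:11:02Z tenant=globex src=203.0.113.5 geo=XX user=admin result=fail
2012-03-01T09:11:03Z tenant=globex src=203.0.113.5 geo=XX user=root result=fail
2012-03-01T09:11:04Z tenant=globex src=203.0.113.5 geo=XX user=test result=fail
2012-03-01T09:11:05Z tenant=globex src=203.0.113.5 geo=XX user=guest result=fail
2012-03-01T09:30:27Z tenant=acme src=198.51.100.7 geo=DE user=alice result=ok
2012-03-01T14:20:00Z tenant=globex src=203.0.113.8 geo=XX user=carol result=fail
"""

def parse_line(line: str) -> dict:
    """'<ISO timestamp> k=v k=v ...' -> dict with an added integer 'hour'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["hour"] = int(ts[11:13])
    return rec

def summarize(log_text: str, fail_threshold: int = 3, spray_users: int = 3) -> dict:
    """When do users connect, where do failures come from, and which sources
    warrant an automated response (repeated failures, or many distinct
    usernames tried from one source)?"""
    per_hour, fails_by_geo, fails_by_src = Counter(), Counter(), Counter()
    failed_users_by_src = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        per_hour[r["hour"]] += 1
        if r["result"] != "ok":
            fails_by_geo[r["geo"]] += 1
            fails_by_src[r["src"]] += 1
            failed_users_by_src[r["src"]].add(r["user"])
    return {
        "per_hour": dict(per_hour),
        "fails_by_geo": dict(fails_by_geo),
        "block_candidates": sorted(s for s, n in fails_by_src.items()
                                   if n >= fail_threshold),
        "spray_sources": sorted(s for s, u in failed_users_by_src.items()
                                if len(u) >= spray_users),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```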

Public network connectivity

Because broad network access requires Internet connectivity, you need to make sure that your connection to the Internet is performant and highly available. You will need to work with your ISP to assure SLAs for Internet connectivity. You will also need to assure that there is always enough bandwidth available so that users and administrators can connect to the resources they require. You may need to employ QoS services so that each of the tenant workloads has the bandwidth it requires. In addition, QoS is important because a rogue tenant workload may flood the Internet connection and negatively impact other tenants in the private cloud infrastructure.

Endpoint protection and Client Security

Perhaps the most important issue in terms of broad network access is endpoint protection and client security. Due to the fact that broad network access requires that you support a variety of devices from anywhere in the world, and also the fact that many of the users of the tenant services will be unknown to you, you need to consider how you can enable secure behavior from those devices connecting to the tenant workloads.

In most cases, you will likely have no control over the configuration of these devices. You will need to think about the security implications of unsecure devices connecting to the services hosted on the private cloud. Depending on the workload, you will need to consider the use of gateway devices that can assess the security configuration of the devices connecting to the workload and provide a level of access to each device based on its current security posture. Secure devices may have access to more services, or to more components of the application, than unsecure devices.

Summary

In this article, we looked at the security implications of the “broad network access” characteristic of cloud computing. While broad network access is a debatable feature of private cloud in some circles, there are arguments that it still applies to the private cloud. The key issue is that there is the chance that both known and unknown users using managed and unmanaged devices will connect to tenant services running on your private cloud.
