Security Considerations for Cloud Computing (Part 4) – Resource Pooling

Introduction

In this series on private cloud security, we have already talked about what defines the private cloud and then we looked at two of the essential characteristics of cloud computing: broad network access and on-demand self-service. We discussed how each of these enter into your security considerations and the impact that they have on private cloud security. In this article, we will continue with the theme and pick up on the third essential characteristic of cloud computing: pooled resources.

What is Resource Pooling?

Resource pooling in a private cloud enables the hypervisor to reassign tenants to different locations in the cloud to optimize resource usage; this is what VMware DRS and Hyper-V PRO can do. The virtualization solution must scrub any resources, especially storage and RAM, before reassigning them to another tenant. Data belonging to the original tenant must not be exposed to the new tenant. In the private cloud, automation will take care of the clearing and allocation of resources to tenants.

Security Implications

Resource pooling in a private cloud will affect your security design in several ways. You can expect to encounter some or all of the following categories of issues:

  • Issues related to reuse of resources by different tenant applications
  • Issues related to co-locating services that belong to different tenants on the same server
  • Issues related to automated processes that handle the allocation and de-allocation of resources

In a typical private cloud, the resources the tenant uses could be hosted on any of the devices in the cloud that offer that resource. For example, when a consumer of the cloud service provisions and starts a virtual machine in the private cloud, that virtual machine could be hosted on any of the servers in the private cloud. One consequence that follows from this arrangement is that the same machine could end up hosting applications and services that belong in different security zones, and those applications and services may themselves include different security capabilities, such as authentication and authorization.

Addressing Escalation of Privilege Issues

Your design must consider the risk that a low business impact service might be more easily compromised and that an attacker will then be able to leverage that weakness to attack higher business impact services. An attack might be an attempt to steal high business impact data, or to make the high value service unavailable by creating a denial of service on a lower business impact service.

The infrastructure layer typically includes monitoring of network traffic. Network traffic monitoring and IDS/IPS can identify unusual traffic that might indicate an attack on the infrastructure is in progress or that some element in the cloud is compromised.

Network Abstraction using Virtualization

Hypervisors support virtualizing the networking aspects of the infrastructure to enable the separation of logical and physical network traffic. This can create a situation where network traffic does not pass through a physical switch device and so may not be monitored. This introduces the risk that your network analysis tools will not be able to access all network traffic. You must determine whether this risk is acceptable or whether you must mitigate it by taking one or more of the following actions:

  • Send all network traffic through your physical network devices and do not allow intra-server VM to VM traffic over only virtual connections.
  • Add monitoring functionality to each server to monitor each virtual network by using network software analogues of physical monitoring devices.
  • Use a virtualization solution that enables virtualized network traffic monitoring devices, such as the extensible virtual switch that is expected to be available in the next version of Windows server.
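The second option above, as an added example that is not part of the original article: on a Hyper-V host whose virtual switch supports port mirroring, every tenant VM port on one switch is mirrored to a dedicated sensor VM, so intra-host VM-to-VM traffic that never touches a physical switch still reaches the IDS. The switch name and sensor VM name are assumptions.

```powershell
# Added example (not from the article). Assumes a Hyper-V version whose
# virtual switch offers port mirroring; switch and VM names are made up.
$SwitchName = 'TenantSwitch'   # assumed name of the tenant virtual switch
$SensorVm   = 'IDS-Sensor'     # assumed VM running the network IDS

# The sensor VM's adapter receives a copy of every mirrored frame.
Set-VMNetworkAdapter -VMName $SensorVm -PortMirroring Destination

# Every other adapter attached to the same switch becomes a mirror source,
# including adapters of VMs that only talk to neighbours on this host.
Get-VMNetworkAdapter -VMName * |
    Where-Object { $_.SwitchName -eq $SwitchName -and $_.VMName -ne $SensorVm } |
    Set-VMNetworkAdapter -PortMirroring Source

# Check: list each adapter on the switch with its mirroring role so a gap
# (a VM left at 'None') is visible before trusting the IDS coverage.
Get-VMNetworkAdapter -VMName * |
    Where-Object { $_.SwitchName -eq $SwitchName } |
    Select-Object VMName, SwitchName, PortMirroringMode
```

Newly provisioned VMs land on the switch with mirroring set to None, so the automation that allocates VMs from the pool should run the source-mirroring step as part of provisioning.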

Network traffic between virtual machines should be encrypted to protect data while in transit. On-the-wire encryption means that IDS/IPS solutions will not be able to inspect the traffic. However, you can use IPsec to provide authentication only without encryption, which is a new IPsec capability that’s included in Windows Server 2008 R2.

Disk Encryption

Whole volume encryption (such as BitLocker and other similar technologies) can protect physical storage media in the event that an attacker gains access to the physical storage infrastructure from within a virtual environment. You should also note that virtual machines should only have access to the virtual storage devices that are allocated to them, and not have explicit access to the storage arrays on which they may be located.

You will need to assess the relative advantages and disadvantages of security vs. performance that you will have to deal with when employing any encryption technique. Different encryption algorithms have different performance impacts and enable different levels of protection. Not all traffic needs to be encrypted or authenticated. Low business impact information might require only authentication without encryption. High business impact information might be encrypted over the wire and require authentication and authorization at the network level.

Core Infrastructure Security

All VMs in the private cloud will require compute, memory, storage, and network resources gathered from the pool. The hypervisor that you use must enable separation or isolation of these resources for each tenant. This can be accomplished in different ways.

An example would be the way Hyper-V maintains deliberate isolation between the memory and compute resources of all VMs running on the same host operating system, enables you to define isolated virtual switches and allows each virtual machine to use its own virtual hard disks without affecting the disks of other VMs. If multiple tenant applications that are hosted on different virtual machines require access to a shared resource, the sharing must be managed so that only the authorized applications have access, and so that all access and use is actively monitored.

Although policies should be created that apply to the infrastructure layer to protect the virtual machines and abstracted hardware elements, you should always use defense in depth and assume that attackers will discover a flaw in your infrastructure and try to get access to the platform (or the VMs running on the infrastructure).

There are two key controls you can enable from this perspective:

  • VMs should have their host-based firewalls configured to block network attacks from external networks, from other virtual machines on the same host, or from other components of the infrastructure.
  • Host-based firewalls should allow inbound and outbound traffic from and to the specific machines with which they must communicate and disallow communications with all other physical and virtual machines.

IPsec can be used to logically isolate groups of hosted virtual machines so that they will be unable to connect to other machines. For example, if you have a multi-tier application in your private cloud, you could use IPsec to make sure the database server can only be connected to by the middle-tier server, and that the middle-tier server can only be connected to from the front-end web server.
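The multi-tier isolation described above, combined with the authentication-only IPsec option mentioned in the network abstraction section, as an added example that is not part of the original article: this is the configuration applied on the database-tier VM, allowing SQL traffic only from the middle-tier VM and requiring ESP integrity protection without encryption, so an IDS/IPS can still inspect the packets. The addresses, port and rule names are assumptions, and domain-joined hosts with the default Phase 1 authentication set (computer Kerberos) are assumed.

```powershell
# Added example (not from the article). Run on the database-tier VM.
# Addresses, port and names are assumptions for illustration.
$MiddleTierVm = '10.10.2.20'     # assumed address of the middle-tier VM
$DomainCtrl   = '10.10.0.10'     # assumed DC, needed for Kerberos/IPsec auth
$SqlPort      = 1433

# 1. Default-deny in both directions; only explicit peers are allowed.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

New-NetFirewallRule -DisplayName 'Tier: SQL inbound from middle tier only' `
    -Direction Inbound -Protocol TCP -LocalPort $SqlPort `
    -RemoteAddress $MiddleTierVm -Action Allow

# Outbound allowed only to the middle tier and to the DC (Kerberos, LDAP).
New-NetFirewallRule -DisplayName 'Tier: outbound to middle tier only' `
    -Direction Outbound -RemoteAddress $MiddleTierVm -Action Allow
New-NetFirewallRule -DisplayName 'Tier: outbound to domain controller' `
    -Direction Outbound -RemoteAddress $DomainCtrl -Action Allow

# 2. Quick-mode proposal: ESP with SHA-1 integrity and NO encryption, so the
#    peer is authenticated and packets are tamper-evident but stay readable
#    to the network IDS/IPS.
$proposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
    -ESPHash SHA1 -Encryption None
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'ESP integrity only' `
    -Proposal $proposal

# 3. Require IPsec for SQL traffic with the middle tier. No -Phase1AuthSet is
#    given, so the default set (computer Kerberos on domain members) applies.
New-NetIPsecRule -DisplayName 'Tier: SQL requires authenticated IPsec' `
    -InboundSecurity Require -OutboundSecurity Require `
    -RemoteAddress $MiddleTierVm -Protocol TCP -LocalPort $SqlPort `
    -QuickModeCryptoSet $qmSet.Name

# 4. Check after the middle tier opens a SQL connection: a quick-mode SA
#    with the middle-tier address should exist and show no encryption.
Get-NetIPsecQuickModeSA |
    Where-Object { $_.RemoteEndpoint -eq $MiddleTierVm } |
    Select-Object LocalEndpoint, RemoteEndpoint, EspEncryption, EspIntegrity
```

The middle-tier VM needs the mirror image of these rules (SQL outbound to the database VM only, HTTP inbound from the front-end web server only, and a matching IPsec rule), otherwise the IPsec negotiation fails and the connection is dropped rather than falling back to clear text.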

Addressing Security Issues in Software

Protecting data for services and applications running in the private cloud can be accomplished in a number of ways. Application designers, not cloud infrastructure designers, are responsible for security feature design. The cloud service provider (CSP) should work with the application designers to help them be aware of the data protection services and other security features that are provided by the cloud infrastructure. Any features of the cloud infrastructure that might influence the design of the application or service should also be freely shared with the application designer.

Tenant applications may encrypt data in storage, data in RAM, and data during processing to make it more difficult for someone to steal or tamper with it in a tenant application or service even if they have gained authenticated and authorized access to the tenant’s environment. Remember, in the private cloud we are very concerned about the damage an authenticated and authorized user can do.

Encryption technologies require a private key to perform encryption and decryption in the symmetric encryption algorithm scenario, or decryption in the asymmetric algorithm scenario. The cloud infrastructure may move tenant applications to different host servers or even to other data centers to optimize service availability in the face of hardware failures or to optimize application performance or re-level resource utilization. Encryption techniques used by tenant applications for data protection must continue to be effective in these scenarios.

Automated processes that are responsible for moving applications and services to different devices must ensure that the cryptographic keys that are used to protect application data continue to be available to the applications and services as they are needed; if this requires keys to be copied between locations, then the automated processes must provide assurances that this transfer process is secure.

Summary

In this, part 4 of our series of articles on how the essential characteristics of cloud computing can affect security and the decisions you make about security in the private cloud, we discussed resource pooling. Resource pooling introduces a number of issues that are related to the need to isolate the workloads and abstracted hardware elements throughout the virtualized infrastructure so that pooling remains an enabler, not a fast track to compromising the tenants and the data managed by these tenants. Issues include escalation of privileges, network abstraction using virtualization, disk encryption, core infrastructure security and security issues in software. In the next installment of this series, we will look at how the essential cloud characteristic of rapid elasticity introduces its own collection of security issues.
