Security Considerations for the Private Cloud IaaS (Part 1)

If you would like to be notified on when Deb Shinder releases the next part in this article series please sign up to our WindowSecurity.com Real Time Article Update newsletter.

Introduction

The cloud is here, like it or not, and we must embrace the cloud. Or so you would think when you read industry reports that the cloud is taking over datacenters with a vengeance. Like most technology shifts, the “paradigm” changes take place a lot more quickly in the heads of industry writers and analysts, and much more slowly in the world outside. Nevertheless, cloud computing does have some advantages that makes it an attractive option, and therefore it’s something that you need to think about.

Cloud Service and Deployment Models

In this series of articles, we’ll talk about security issues in the private cloud. Before we get to that, though, you need to understand the cloud service models and deployment models. There are three cloud service models:

  • Software as a Service (SaaS)
  • Platform as a Service (PaaS)
  • Infrastructure as a Service (IaaS)

There are also three generally recognized deployment models:

  • Private Cloud
  • Public Cloud
  • Hybrid Cloud

Some people include a fourth model, which is referred to as “community cloud” – but in most cases, the community cloud is a particular instantiation of one of the other cloud deployment models.

Each of the service models can be deployed using any one of the three deployment models. Therefore, if we talk about the private cloud, we could think about Software as a Service in the Private Cloud, Platform as a Service in the Private Cloud, and Infrastructure as a Service in the Private Cloud. In this series, we’re going to focus on some of the security issues you need to consider when deploying Infrastructure as a Service in the private cloud.

Infrastructure as a Service is a cloud service model that enables you to provide IT infrastructure to users without requiring them to think about the hardware and supporting network and storage infrastructure. All your users have to do is check out a service catalog, pick the infrastructure they want from that catalog – which would include compute (processing resources), memory, storage and networking – decide how long they want to use the service, and away they go!

Infrastructure as a Service can be provided on site, in your own data center; this would be one example of Infrastructure as a Service in a Private Cloud. You could also have your Infrastructure as a Service offering located in a hosted data center; this would be another example of Infrastructure as a Service in a Private Cloud. Then there is the option of using Infrastructure as a Service that is hosted by an IaaS provider, such as the Amazon.com EC2 service, where you can buy compute, memory, storage and networking (and more) infrastructure on a “pay as you go” (metered services) basis, which is one of the core tenets of cloud computing.

Security considerations differ, depending on whether you use a public or private Infrastructure as a Service cloud offering. What’s the difference?

  • In the private cloud, you own and run everything – from layer 1 (the hardware and the building and the physical security) to layer 8 (the “political” or “human factor” layer). You are completely responsible for the entire security stack with the Private Cloud Infrastructure as a Service deployment.
  • In contrast, when you use a Public Cloud Infrastructure as a Service provider, you share the security duties. There are components of the Infrastructure as a Service offering for which the Cloud Service Provider (CSP) is responsible, and there are things for which you as the customer are responsible. The demarcation of security responsibilities between you and the Cloud Service Provider should be well understood, clearly defined, and explicitly agreed upon.

Since you own the Private Cloud from top to bottom, you need to understand the security issues for Private Cloud security at all levels. In general, Private Cloud Security isn’t much different from the security you deploy in your own data center and intranet environment; there are still going to be the issues of hardware/physical security, host OS security, application security, network security and data security. However, Private Cloud computing introduces additional elements such as:

  • Virtualization,
  • Multi-tenancy, and
  • Automation

Because of this, you have to think about the security issues that are related to virtualization, multi-tenancy and automation.

Understanding the Microsoft Private Cloud

To get a better grip on Private Cloud security issues in general, it would benefit you to have a better understanding of the Microsoft Private Cloud in particular. I’ve talked to many people about cloud computing, and the most common misunderstanding I run into is the belief that the Private Cloud is nothing more than a virtualized data center behind a firewall. The data center might be on-premises, or in a hosted data center.

I say that this is a misunderstanding because it’s just not true. A Private Cloud is not the same as a virtualized data center, in which the focus is on server consolidation. Likewise, a Private Cloud is not the same as a dynamic data center, where the virtualized data center is cranked up a notch so that other capabilities are added, such as:

  • Dynamic Resource Allocation (e.g., the dynamic memory allocation available in Hyper-V)
  • Dynamic Resource Scheduling, where VMs can be moved among hosts participating in a virtual server array, depending on the resource consumption patterns of a particular virtual machine or machines, such as the PRO capability in System Center Virtual Machine Manager (SCVMM)
  • Power management (such as parking cores in a virtual server participating in a virtual server array, or turning the virtual server off entirely if all virtual machines can be moved off the virtual server).

Like all forms of cloud computing, Private Clouds providing Infrastructure as a Service need to include the following features that are common to all cloud computing models:

  • Broad network access: Services provided by the Private Cloud Infrastructure as a Service offering must be available 24x7x365 over the network and must be accessible from a number of device form factors, including smart phones, laptops/netbooks, PadPCs, and traditional desktop computers.
  • Self-Service: The Private Cloud Infrastructure as a Service offering must be made available in a way that enables consumers of the service to obtain the services they desire through some type of self-service mechanism, such as a self-service portal. This would also include a services catalog from which the consumer of the service could choose. The consumer of the service should never be required to contact the Infrastructure as a Service administrator to obtain the required services.
  • Metered Services or pay as you go: The Private Cloud Infrastructure as a Service provider should provide a way to surface the service utilization information to the consumer. The provider should also have a charge back mechanism available so that the consumer of the service only pays for what is used. This increases awareness on the part of both the service providers and the consumers that the service, while appearing to have infinite resources to the consumer, is a valuable one and that cost is related to utilization.
  • Rapid Elasticity: The Private Cloud Infrastructure as a Service offering should be able to quickly spin up the resources requested by the service’s consumers, and then quickly release those resources when consumers no longer require them. This enables the Private Cloud Infrastructure as a Service provider to service more customers, conserve compute, network, memory, and storage resources (since they won’t be allocated to “idle” consumers), and increase overall utilization of the entire Private Cloud Infrastructure as a Service deployment.
  • Resource Pooling: The Private Cloud Infrastructure as a Service design is built around the concept of resource pooling. Each component of the Private Cloud Infrastructure as a Service offering, including compute, memory, storage and networking, is “pooled” and abstracted from the consumer of the service. When the Private Cloud Infrastructure as a Service consumer requests a service allocation from the self-service portal, the resources are provided to the consumer, without requiring the consumer to be aware of the details of that component of the service offering. In other words, if the consumer requests 300 GB of storage, the consumer does not know, nor does he need to know, which storage array or LUN backs that allocation from the pooled resource.
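
The self-service, metering and resource-pooling characteristics above are easier to reason about with a small model in hand. The following Python sketch is an added example written for this article; it is not code from the original page, from Microsoft, or from any SCVMM component. It models a pooled storage allocator in which a tenant requests capacity through a portal-style call and receives only an opaque handle (the backing array is never surfaced), per-tenant quotas are enforced so one tenant cannot consume the whole pool, releases are checked against ownership so tenants cannot free each other’s allocations, and a ledger of current allocations doubles as the audit trail and the source for chargeback. The array names, tenant names, quotas and rates are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, NamedTuple


@dataclass
class StorageArray:
    """One backing array in the provider's pool (constructed for this example)."""
    name: str
    free_gb: int


class Handle(NamedTuple):
    """What the self-service portal returns to the tenant: no array or LUN detail."""
    alloc_id: int
    size_gb: int


@dataclass
class Allocation:
    """Provider-side ledger entry; the 'array' field is never shown to the tenant."""
    alloc_id: int
    tenant: str
    size_gb: int
    array: str


class StoragePool:
    def __init__(self, arrays: List[StorageArray], quotas: Dict[str, int]):
        self.arrays = {a.name: a for a in arrays}
        self.quotas = dict(quotas)            # tenant -> maximum GB it may hold
        self.ledger: List[Allocation] = []    # audit trail and metering source
        self._next_id = 1

    def used_by(self, tenant: str) -> int:
        """Current metered consumption for one tenant."""
        return sum(a.size_gb for a in self.ledger if a.tenant == tenant)

    def request(self, tenant: str, size_gb: int) -> Handle:
        """Self-service allocation: authorise, enforce quota, pick an array, record it."""
        if tenant not in self.quotas:
            raise PermissionError(f"unknown tenant {tenant!r}")
        if size_gb <= 0:
            raise ValueError("size must be positive")
        if self.used_by(tenant) + size_gb > self.quotas[tenant]:
            raise PermissionError(f"{tenant} would exceed its quota")
        candidates = [a for a in self.arrays.values() if a.free_gb >= size_gb]
        if not candidates:
            raise RuntimeError("pool exhausted")
        # Placement policy (constructed): the array with the most free space wins.
        array = max(candidates, key=lambda a: a.free_gb)
        array.free_gb -= size_gb
        alloc = Allocation(self._next_id, tenant, size_gb, array.name)
        self._next_id += 1
        self.ledger.append(alloc)
        return Handle(alloc.alloc_id, alloc.size_gb)

    def release(self, tenant: str, alloc_id: int) -> int:
        """Rapid elasticity: return capacity to the pool, but only to its owner."""
        for alloc in self.ledger:
            if alloc.alloc_id == alloc_id:
                if alloc.tenant != tenant:
                    raise PermissionError("allocation belongs to another tenant")
                self.arrays[alloc.array].free_gb += alloc.size_gb
                self.ledger.remove(alloc)
                return alloc.size_gb
        raise KeyError(alloc_id)

    def tenant_view(self, tenant: str) -> List[Handle]:
        """The portal's view for a tenant: its own handles, nothing about other tenants."""
        return [Handle(a.alloc_id, a.size_gb) for a in self.ledger if a.tenant == tenant]

    def chargeback(self, tenant: str, rate_per_gb: int) -> int:
        """Metered cost for the tenant's current consumption (constructed pricing)."""
        return self.used_by(tenant) * rate_per_gb

    def free_capacity(self) -> int:
        return sum(a.free_gb for a in self.arrays.values())


def build_demo_pool() -> StoragePool:
    """Constructed sample pool: two arrays, two tenants with different quotas."""
    arrays = [StorageArray("array-A", 500), StorageArray("array-B", 800)]
    quotas = {"tenant-a": 600, "tenant-b": 300}
    return StoragePool(arrays, quotas)


if __name__ == "__main__":
    pool = build_demo_pool()
    handle = pool.request("tenant-a", 300)
    print(handle, pool.tenant_view("tenant-a"), pool.chargeback("tenant-a", 2))
```

The security points the toy makes are the ones the bullet list implies: the consumer-facing interface exposes only sizes and handles, so the abstraction also limits what a tenant learns about the provider’s physical layout; quota and ownership checks are what keep multi-tenancy safe once self-service removes the administrator from the loop; and the same ledger that drives chargeback is the record an auditor will ask for.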

As you can see, a Private Cloud Infrastructure as a Service solution is a bit different from a server consolidation virtualization initiative or even a more sophisticated virtualized dynamic data center. Other important considerations (which are not yet officially part of the NIST definition of cloud computing, but critical to a functional Private Cloud Infrastructure as a Service deployment) are automation and virtualization. It would be difficult to meet the five requirements of cloud computing without virtualization, and it would be nearly impossible to create a usable Private Cloud Infrastructure as a Service deployment without a high level of automation throughout the entire stack.

Microsoft Private Cloud Infrastructure as a Service Options

At this time, Microsoft provides three ways you can deploy a Private Cloud Infrastructure as a Service solution in your environment:

  • Do It Yourself (DIY)
  • Private Cloud Fast Track
  • A Dynamic Data Center service offering from Microsoft Consultation Service

You can find more information on each of these offerings at the Microsoft Private Cloud site. If you would like more technical information on the Microsoft Private Cloud and Infrastructure as a Service solution, check out the Private Cloud TechNet Hub at this site. In addition, for links to multiple Microsoft Private Cloud resources, check out the TechNet Private Cloud Dojo here.

Summary

In this article, we examined the different types of cloud service models and delivery models. We saw that while cloud computing requires virtualization to enable many of the features and capabilities that define cloud computing, virtualization is not the entire story. We then examined in detail the features and capabilities that define cloud computing within the context of the Infrastructure as a Service model. Finally, we took a short look at what Microsoft has to offer in the realm of Private Cloud Infrastructure as a Service.

Now that we have a common understanding of the Private Cloud delivery model and the IaaS service model, we’re prepared for part 2 of this article, which will focus on Private Cloud Infrastructure as a Service security. In that article, we will focus on the following key issues and how they relate to security in this context:

  • Network Security
  • Storage and Data
  • Host System

This is a fast-moving subject, and there are sure to be some things that you might not have considered, so make sure to check www.windowsecurity.com on a regular basis for part 2 of the article! You can also follow me on Twitter @debshinder and I’ll let you know when the article is available. Thanks! -Deb.
