Welcome to this first paper in the Solution for Private Cloud Security series. This paper discusses private cloud security from the architectural perspective and seeks to define the problem domain, key scenarios, and create a structured approach that you will use to create a private cloud security design. At this level, this guidance is mostly technology-agnostic and organizations that are implementing a heterogeneous private cloud will also benefit from this guidance.image

The overall focus of this paper is on private cloud security and the special considerations that these environments bring. Hence, this content is intended only to cover the differences between private cloud security and traditional data center security rather than the entire security domain. The differences may reflect entirely new issues introduced by private cloud, or areas that require refocus due to private cloud security exigencies.

Many of the principles that this paper covers also apply to public cloud models. However, public cloud environments bring additional complexity in terms of overall control of the infrastructure and the contractual relationship between the provider and the consumer. This paper also acknowledges that many organizations are also considering incorporating public and private cloud provisioning into a hybrid cloud environment; however, hybrid cloud implementations are not the primary focus.


Note:
This document is part of a collection of documents that comprise the
Reference Architecture for Private Cloud document set. The Solution for Private Cloud is a community collaboration project. Please feel free to edit this document to improve its quality . If you would like to be recognized for your work on improving this document, please include your name and any contact information you wish to share at the bottom of this page





Aim of this Paper

The aim of this paper is to provide an architectural blueprint for implementing effective security within a private cloud environment.

Introduction to Private Cloud Security

Implementing a private cloud environment requires IT departments to re-evaluate many aspects of how they interact with their organization. A recent trend has been for business units to circumvent IT departments and source services direct from an external hosted provider (sometimes referred to a “credit card clouds”). Hence, IT departments are increasingly considering themselves as a separate business unit whose job is to provide reliable IT services to the organization.

This change in the relationship between IT department and host organization has often been hindered by the inability to account effectively for the cost of the services that the IT department provides. Private cloud computing provides the ability to allocate costs in a fair and metered manner to the service user in proportion to the user’s demand for those services.

Private cloud implementations also affect the way in which IT departments need to view security. The chief change is that security can no longer be viewed as a discrete silo that contains traditional capabilities such as authentication, authorization, auditing, and so on. Instead, security in cloud implementations (whether private, public or hybrid) must be considered as a wrapper around every element of the cloud environment. This security model shows that to approach any part of the cloud environment, the consumer or provider must pass through the security wrapper. Additionally, all communication between layers in the cloud model (for example, between infrastructure and platform layers) must also pass through security controls. Security also applies to intra-layer communications, for example between in-memory processes and associated storage.

In summary, security is a universal factor that applies to every element of cloud operations. Designers, implementers, and operators must consider security factors in every interaction for each physical or logical component of the cloud environment.

This requirement for pervasive security results from changing organizational perspectives around the delivery of IT services. Increasingly, IT departments are breaking out from the traditional firewalled datacenter approach and having to act as one of many possible service providers that host the organization’s IT services. Business units no longer have to contract with the internal provider and often source these services from external providers, such as public cloud vendors and internal IT departments must recognize this change.

The opportunity with the move to private or hybrid cloud architectures is that it gives you the chance to re-examine the provisioning of security within your datacenter. You can take a holistic view of the central importance of security and ensure that you achieve this goal within your private cloud design.

The next section defines the new security threats from the cloud and identifies the private cloud security domains within the Cloud Security Alliance (CSA) model.

Cloud Security Alliance Domains

The Cloud Security Alliance (CSA) is an independent grouping consisting of over 120 corporate members. In the organization’s own words, they have “a broad remit to address all aspects of cloud security, including compliance, global security-related legislation and regulation, identity management, and the challenge of monitoring and auditing security across a cloud-based IT supply chain. CSA is becoming the focal point for security standards globally, aligning multiple, disparate government policies on cloud security and putting forward standards for ratification by international standards bodies.”

CSA has recently released Version 3 of their Security Guidance for Critical Areas of Focus in Cloud Computing document, available from http://www.cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf. The CSA document defines fourteen security domains for both private and public cloud. In contrast, this document covers the areas that these domains reference by using the Microsoft private cloud security model.

Next Steps

After this brief introduction to private cloud security, you are now ready to dive deeper into the security architectural issues and challenges. These will be covered in the following sections:

Defining the Private Cloud Security Problem Domain

Cloud Security Challenges

Private Cloud Reference Model Security Perspective

Private Cloud Security Model

RESOURCES:


ACKNOWLEDGEMENTS LIST:

If you edit this page and would like acknowledgement of your participation in the v1 version of this document set, please include your name below:
[Enter your name here and include any contact information you would like to share]

Return to A Solution for Private Cloud Security

Return to Reference Architecture for Private Cloud

Move forward to Defining the Private Cloud Security Domain

Table of Contents for A Solution for Private Cloud Security