This section introduces the key operational security principles for private clouds. These principles apply to all the detailed security design recommendations that are discussed in subsequent sections.

Note: In the following discussions, we use the term "tenant" to refer to a client or customer, typically a business unit within the organization, who is using the private cloud to run its applications and services. We also refer to services or applications running in the private cloud and owned by such tenants as "tenant applications" or "tenant services." The term "cloud service provider (CSP)" is used to refer to that part of the IT department responsible for delivering private cloud services to the organization.

Monitor and Log Extensively

Your event management, incident management, and problem management processes in the private cloud depend on effective monitoring and logging. However, monitoring in the cloud is complex and introduces some new challenges: it must include the hosted services and virtual machines in addition to the underlying cloud physical and virtual infrastructure. You can simplify the problem to some degree by using standard templates and images when you commission host and guest environments by including monitoring configuration as a part of these templates. However, in the IaaS cloud service delivery model, tenants may have full control over their virtualized resources so you cannot make any assumptions about the level and quality of the monitoring data that you can obtain from their environments.

This document is part of a collection of documents that comprise the Reference Architecture for Private Cloud document set. The Solution for Private Cloud is a community collaboration project. Please feel free to edit this document to improve its quality. If you would like to be recognized for your work on improving this document, please include your name and any contact information you wish to share at the bottom of this page

Virtualization in a private cloud can also make it more difficult to perform end-to-end monitoring because you may not know where a particular service is hosted. You should ensure that your monitoring software provides you with the necessary level of detail to monitor your virtual environments effectively.

One approach is to divide monitoring by layer within the private cloud infrastructure, so that the CSP monitors at the infrastructure level while the tenant monitors at the platform and software levels. Microsoft takes this approach with its public cloud offerings, with Global Foundation Services providing and monitoring the infrastructure layer but each cloud business, such as Office 365, monitoring at its service level.

Private clouds typically rely on a high degree of automation, as discussed in the next section. Automated processes must generate comprehensive logging data that can provide a detailed audit trail and facilitate the forensic activities that might be carried out as a part of the problem management process.

Use Tooling and Automation

Cloud architectures typically rely on widespread use of automation to address the difficulties in managing such a large and complex environment. Automation can introduce new security threats and mitigate others. For example:

  • Because automated processes are designed to be fast, an attack that exploits an automated process could rapidly propagate through the private cloud before an operator has a chance to intervene. For example, the provisioning system could be vulnerable to multiple false requests to provision resources until all resources are consumed, which requires a quota system to be in place.
  • Automated processes make it easier to ensure that security features are applied and configured consistently throughout the cloud, reducing the chance that an accidental or deliberate misconfiguration could open up a security loophole.
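The quota point above, as an added illustration that is not part of the original document: a hypothetical provisioning front end that enforces per-tenant VM and vCPU quotas and records every decision in an audit trail, so a flood of requests from one tenant is refused once its quota is exhausted rather than consuming the shared pool. The tenant names, quota values and the `ProvisioningService` class are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Quota:
    max_vms: int
    max_vcpus: int


class ProvisioningService:
    """Hypothetical automated provisioning front end with per-tenant quotas.
    In a real cloud stack the accepted requests would be passed on to the
    provisioning API; here they are only counted against the quota."""

    def __init__(self, quotas):
        self.quotas = quotas                      # tenant -> Quota
        self.usage = {t: [0, 0] for t in quotas}  # tenant -> [vms, vcpus]
        self.audit_log = []                       # every decision, allowed or denied

    def _record(self, tenant, outcome, reason, vcpus):
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "tenant": tenant, "outcome": outcome, "reason": reason, "vcpus": vcpus,
        })

    def provision_vm(self, tenant, vcpus):
        quota = self.quotas.get(tenant)
        if quota is None:
            self._record(tenant, "denied", "unknown tenant", vcpus)
            return False
        vms, cpus = self.usage[tenant]
        if vms + 1 > quota.max_vms:
            self._record(tenant, "denied", "vm quota exhausted", vcpus)
            return False
        if cpus + vcpus > quota.max_vcpus:
            self._record(tenant, "denied", "vcpu quota exhausted", vcpus)
            return False
        self.usage[tenant] = [vms + 1, cpus + vcpus]
        self._record(tenant, "allowed", "within quota", vcpus)
        return True


def flood_demo(requests=20):
    """Constructed scenario: 20 rapid requests from a tenant limited to 3 VMs / 8 vCPUs."""
    svc = ProvisioningService({"finance": Quota(max_vms=3, max_vcpus=8)})
    allowed = sum(svc.provision_vm("finance", vcpus=2) for _ in range(requests))
    denied = [e for e in svc.audit_log if e["outcome"] == "denied"]
    return allowed, len(denied), svc.usage["finance"]
```

Every denied request still appears in `audit_log`, which is what lets the incident process later see the burst of requests rather than only its effect on capacity.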

The size and complexity of a private cloud typically require a high degree of automation in your incident management processes. You should plan to be able to respond to many common security-related incidents in the private cloud automatically, and to generate detailed logging information to facilitate your problem management processes.

For example, an automated malware scan could detect a particular virus in a virtual machine and an automatic process could then shut that virtual machine down and notify the operator and the tenant. Effective automated responses depend on the quality of the monitoring in place in the cloud. Alternatively, if the CSP does not have visibility of the tenant workloads, virtual network monitoring could pick up unexpected network traffic types and identify if a virtual machine is potentially compromised.

Note that any clones of the affected virtual machine would also need to be cleaned. Microsoft System Center Virtual Machine Manager 2012 includes a template update process. When you update a virtual machine gold image, any dependent virtual machines are serviced and updated automatically.
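The automated response described in the two paragraphs above (detect malware on a virtual machine, shut it down, notify the operator and the tenant, and treat its clones as affected too), as an added example that is not part of the original document. The inventory, the `cloned_from` lineage field and the alert format are constructed; the state change stands in for the real power-off call of whichever management stack is in use.

```python
import copy
from datetime import datetime, timezone

# Constructed inventory: a tenant's base VM, two chained clones of it, and an
# unrelated VM owned by another tenant that must not be touched.
INVENTORY = {
    "vm-01": {"tenant": "finance", "cloned_from": None, "state": "running"},
    "vm-02": {"tenant": "finance", "cloned_from": "vm-01", "state": "running"},
    "vm-03": {"tenant": "finance", "cloned_from": "vm-02", "state": "running"},
    "vm-04": {"tenant": "hr", "cloned_from": None, "state": "running"},
}


def clone_family(inventory, vm_id):
    """Return vm_id plus every VM cloned from it, directly or transitively."""
    affected, frontier = [vm_id], [vm_id]
    while frontier:
        parent = frontier.pop()
        for child, meta in inventory.items():
            if meta["cloned_from"] == parent and child not in affected:
                affected.append(child)
                frontier.append(child)
    return sorted(affected)


def handle_malware_alert(inventory, alert):
    """Automated response: quarantine the flagged VM and its clones, log, notify.
    Returns (affected VM ids, audit entries, notifications)."""
    audit, notifications = [], []
    ts = datetime.now(timezone.utc).isoformat()
    vm_id = alert["vm_id"]
    if vm_id not in inventory:
        audit.append({"time": ts, "action": "ignored", "vm": vm_id, "reason": "unknown vm"})
        return [], audit, notifications
    tenant = inventory[vm_id]["tenant"]
    affected = clone_family(inventory, vm_id)
    for vm in affected:
        inventory[vm]["state"] = "quarantined"  # stand-in for the real power-off call
        audit.append({"time": ts, "action": "quarantine", "vm": vm,
                      "tenant": tenant, "trigger": alert["signature"]})
    msg = f"{alert['signature']} detected on {vm_id}; quarantined {', '.join(affected)}"
    notifications.append(("operator", msg))   # the CSP operations team
    notifications.append((tenant, msg))       # the owning business unit
    return affected, audit, notifications


def demo():
    """Constructed alert against vm-01; works on a copy so INVENTORY stays intact."""
    inv = copy.deepcopy(INVENTORY)
    alert = {"vm_id": "vm-01", "signature": "Constructed.Test.Signature"}
    affected, audit, notes = handle_malware_alert(inv, alert)
    return affected, inv, audit, notes
```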

Security-related incidents and problems may be complex and difficult to analyze in a private cloud for several reasons:

  • The number of layers in the architecture that implement security features: the service delivery layer, the infrastructure layer, the platform layer, the software layer, and the management stack.
  • Services and data owned by tenants may be located anywhere in the cloud.
  • Responsibility for managing security may be split between the IT department (the cloud service provider) and the business department (the cloud tenant).
  • The broad network access typically associated with cloud solutions.

You can use automated processes to consolidate and filter monitoring and logging data, and tools to help you analyze problems using the collected log data.

Automation is also necessary to deliver some of the specific attributes of the private cloud:

  • The self-service, on-demand characteristic of private clouds implies that client business units can request virtual cloud resources when they need them. However, not all private clouds will offer on-demand self-service directly to client business units: the driver for adopting a private cloud architecture may be primarily more efficient use of resources, with those resources still managed directly by the IT department. In this scenario, the IT department uses the on-demand self-service features of the private cloud to be more efficient in its service delivery to the client business units. On-demand self-service provisioning for client business units, rather than for internal use by the IT department, will probably require a higher level of automation.
  • Handling the rapid elasticity related to fluctuating demand also requires automation to ensure that additional resources are made available to existing hosted services as soon as they are required and to ensure that resources are quickly returned to the pool when a tenant no longer requires them.

Maintain Isolation between Tenants

A private cloud will require changes to the way that you manage information security: a private cloud hosts applications and services for multiple tenants. Although in the private cloud all of these tenants will belong to the same organization, it is still necessary to maintain strict isolation between the virtualized private cloud resources allocated to different tenants in order to maintain the confidentiality and integrity of the data held in the cloud.

The infrastructure of a private cloud is designed to maintain this isolation between virtual environments at run-time. However, you should monitor the environment for attempts to break the isolation or for evidence that confidential information has been exposed or data tampered with.

Operational activities such as those that relate to service continuity, availability management, and incident management may be designed to operate at the physical tier (for example, detecting and replacing a faulty server), but these operations must maintain the isolation between different tenants' resources in the virtual environments in the cloud.

Understand the Responsibilities of Cloud Service Provider and Tenant

Your SLA must make it clear who is responsible for managing the security that relates to the services and data that tenants host in the cloud. SLAs must also make clear when and to what level of detail operations staff should have access to the tenant's virtualized resources, including access to logged data.

For example, the SLA may specify that if the cloud service provider is investigating a security-related incident, then operators may have increased access to the tenant's virtual environments while they are attempting to identify and fix the problem that caused the incident.

Whatever the arrangement for investigating security incidents, the SLA should ensure that these responsibilities are clearly defined. Areas such as the responsibility for backup and restore processes, ownership of and access to the backed-up data, and storage of the backups must also be explicitly spelled out. Situations where the provider does not have access to the virtual machines yet is required to provide backup of that data must be addressed.

You should ensure that you periodically review your SLA with your consumers. This review process should look at any detected security incidents since the previous review and identify if there are any changes that need to be made to the terms of the SLA, such as division of responsibility, change in management processes, or integration of new tools.


