This section introduces the key operational security principles for private clouds. These principles apply to all the detailed security design recommendations that are
discussed in subsequent sections.
Note: In the following discussions, we use the term "tenant" to refer to a client or customer, typically a business unit within the organization, who is using the private cloud
to run its applications and services. We also refer to services or applications running in the private cloud and owned by such tenants as "tenant applications" or "tenant services." The term "cloud service provider (CSP)" is used to refer to that part of the
IT department responsible for delivering private cloud services to the organization.
Your event management, incident management, and problem management processes in the private cloud depend on effective monitoring and logging. However, monitoring in the cloud is complex and introduces
some new challenges: it must include the hosted services and virtual machines in addition to the underlying cloud physical and virtual infrastructure. You can simplify the problem to some degree by using standard templates and images when you commission host
and guest environments by including monitoring configuration as a part of these templates. However, in the IaaS cloud service delivery model, tenants may have full control over their virtualized resources so you cannot make any assumptions about the level
and quality of the monitoring data that you can obtain from their environments.
This document is part of a collection of documents that comprise the Reference Architecture for Private Cloud document set. The Solution for Private Cloud is a community collaboration project.
Virtualization in a private cloud can also make it more difficult to perform end-to-end monitoring because you may not know where a particular service is hosted. You should ensure that your monitoring software provides you with
the necessary level of detail to monitor your virtual environments effectively.
One approach is to divide monitoring by layer within the private cloud infrastructure, so that the CSP monitors at the infrastructure level while the tenant monitors at the platform and software
levels. Microsoft takes this approach with its public cloud offerings, with Global Foundation Services providing and monitoring the infrastructure layer but each cloud business, such as Office 365, monitoring at its service level.
Private clouds typically rely on a high degree of automation, as discussed in the next section. Automated processes must generate comprehensive logging data that can provide a detailed audit trail
and facilitate the forensic activities that might be carried out as a part of the problem management process.
Cloud architectures typically rely on widespread use of automation to address the difficulties in managing such a large and complex environment. Automation can introduce new security threats and mitigate
others. For example:
The size and complexity of a private cloud typically requires a high degree of automation in your incident management processes. You should plan to be able to respond to many common security related
incidents in the private cloud automatically, and generate detailed logging information to facilitate your problem management processes.
For example, an automated malware scan could detect a particular virus in a virtual machine and an automatic process could then shut that virtual machine down and notify the operator and the tenant.
Effective automated responses depend on the quality of the monitoring in place in the cloud. Alternatively, if the CSP does not have visibility of the tenant workloads, virtual network monitoring could pick up unexpected network traffic types and identify
if a virtual machine is potentially compromised.
Note that any clones of the affected virtual machine would also need to be cleaned. Microsoft System Center Virtual Machine Manager 2012 includes a template update process. When you update a virtual
machine gold image, any dependent virtual machines are serviced and updated automatically.
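As an added illustration (not code from the original page or from any Microsoft product), the automated response described above, including the network-monitoring path used when the CSP has no visibility into a tenant's guests: the VM inventory, alert format, action names and audit log are constructed stand-ins for a fabric controller such as SCVMM and its notification channels.

```python
"""Automated response to a security alert in a private cloud (constructed example)."""
import json
import time
from dataclasses import dataclass

@dataclass
class VM:
    name: str
    tenant: str
    gold_image: str          # template/gold image the VM was deployed from
    guest_visible: bool      # False for IaaS tenants that control their own guest monitoring
    state: str = "running"

# Constructed inventory: web-01 and web-02 were cloned from the same gold image
INVENTORY = {
    "web-01": VM("web-01", "finance", "web-gold-v3", True),
    "web-02": VM("web-02", "finance", "web-gold-v3", True),
    "db-01":  VM("db-01",  "hr",      "sql-gold-v1", False),
}
AUDIT_LOG = []   # append-only JSON lines forming the audit trail for problem management

def audit(event, **details):
    AUDIT_LOG.append(json.dumps({"ts": time.time(), "event": event, **details}, sort_keys=True))

def accepted_sources(vm):
    """Detection sources the CSP itself operates for this VM: in-guest scanning is only
    available where the CSP has guest visibility; virtual network monitoring always is."""
    return {"malware_scan", "vnet_monitor"} if vm.guest_visible else {"vnet_monitor"}

def handle_alert(alert, inventory=INVENTORY):
    """Quarantine the VM named in the alert and return the ordered list of actions taken."""
    vm = inventory[alert["vm"]]
    if alert["source"] not in accepted_sources(vm):
        # The CSP cannot assume anything about tenant-run guest monitoring: record, do not act
        audit("alert_rejected", vm=vm.name, source=alert["source"], reason="source not operated by CSP")
        return []
    actions = [("stop_vm", vm.name)]
    vm.state = "stopped"
    audit("vm_stopped", vm=vm.name, tenant=vm.tenant, source=alert["source"], detail=alert["detail"])
    # Clones deployed from the same gold image share the suspect baseline: queue them for cleaning
    for clone in sorted(v.name for v in inventory.values() if v.gold_image == vm.gold_image and v is not vm):
        actions.append(("schedule_scan", clone))
        audit("clone_scan_scheduled", vm=clone, reason=f"same gold image as {vm.name}")
    # Notify the operator and the owning tenant only; no other tenant learns of the incident
    recipients = ["csp-operator", f"tenant:{vm.tenant}"]
    actions.extend(("notify", r) for r in recipients)
    audit("notified", vm=vm.name, recipients=recipients)
    return actions

if __name__ == "__main__":
    print(handle_alert({"vm": "web-01", "source": "malware_scan", "detail": "constructed-signature"}))
    print(handle_alert({"vm": "db-01", "source": "vnet_monitor", "detail": "unexpected outbound protocol"}))
    print("\n".join(AUDIT_LOG))
```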
Security related incidents and problems may be complex and difficult to analyze in a private cloud for several reasons:
You can use automated processes to consolidate and filter monitoring and logging data, and tools to help you analyze problems using the collected log data.
Automation is also necessary to deliver some of the specific attributes of the private cloud:
A private cloud will require changes to the way that you manage information security: a private cloud hosts applications and services for multiple tenants. Although in the private cloud all of these
tenants will belong to the same organization, it is still necessary to maintain strict isolation between the virtualized private cloud resources allocated to different tenants in order to maintain the confidentiality and integrity of the data held in the cloud.
The infrastructure of a private cloud is designed to maintain this isolation between virtual environments at run-time. However, you should monitor the environment for attempts to break the isolation
or for evidence that confidential information has been exposed or data tampered with.
Operational activities such as those that relate to service continuity, availability management, and incident management may be designed to operate at the physical tier (for example, detecting and replacing
a faulty server), but these operations must maintain the isolation between different tenants' resources in the virtual environments in the cloud.
Your SLA must make it clear who is responsible for managing the security that relates to the services and data that tenants host in the cloud. SLAs must also make clear when and to what level of detail
operations staff should have access to the tenant's virtualized resources, including access to logged data.
For example, the SLA may specify that if the cloud service provider is investigating a security related incident, then operators may have increased access to the tenant's virtual environments when
they are attempting to identify and fix the problem that caused the incident.
Whatever the arrangement for investigating security incidents, the SLA should ensure that these responsibilities are clearly defined. Areas such as the responsibility for backup and restore processes,
ownership of and access to the backed-up data, and storage of the backups must also be explicitly spelled out. Situations where the provider does not have access to the virtual machines yet is required to provide backup of that data must be addressed.
You should ensure that you periodically review your SLA with your consumers. This review process should look at any detected security incidents since the previous review and identify if there are any
changes that need to be made to the terms of the SLA, such as division of responsibility, change in management processes, or integration of new tools.