With private cloud environments, you have three options for client security:
The option for insecure trusted client is not considered further for obvious reasons.
An example of a secure untrusted client would be a laptop with integrated disk encryption, either hardware or software-based. It would require two-factor authentication to log on, using either a smart
card or fingerprint recognition and would not be domain-joined. Authentication to the cloud service would also be two-factor and the device might include a geographic locating device to assist with recovery in case of theft.
This document is part of a collection of documents that comprise the
Reference Architecture for Private Cloud
document set. The Solution for Private Cloud is a community collaboration project. Please feel free to edit this document to improve its quality. If you would like to be recognized for your work on improving this document, please include your name
and any contact information you wish to share at the bottom of this page
One area that may change with private and hybrid cloud implementations is domain membership, which is no longer a pre-requisite if the client uses federated authentication to identify themselves to cloud –based applications using
the cloud directory service as their home realm. It should be noted that implementing federated authentication on a standalone computer rather than adding that computer to the domain changes the profile of network services available to the clients.
In reality, most organizations running private cloud environments will probably attempt to secure their client computers as much as possible. However, as previously discussed, if an attacker can gain
physical possession of a hardware device, your attempts to protect the data on it must be extremely effective and render the stored data functionally inaccessible. There must certainly be no inherent degradation of the security of your private cloud environment
if a client computer is stolen and compromised. And if a client computer is stolen and compromised, the effects of this compromise on your environment must be carefully assessed.
Unfortunately, the only person who is likely to know the difference between a stolen laptop and a stolen and compromised one will be the attacker. In consequence, you must either be absolutely sure
that a stolen client laptop is as close to an inert lump of plastic and metal from the attacker’s perspective or that you can rapidly make any changes to your own environment that may be required (for example, reissuing trusted root certificates and revoking
ones on the stolen equipment) resulting from the possible compromise.
Having a in place auditing policy for the endpoint device is a security best practice. If you use by example Wyse client device then making a central store to distribute a standard configuration or if using mobile device then a standard auditing list would
be: What type (Android, Apple, Windows), OS's version and if it's uptodate, Check if it's jailbreaked, Be sure the equipement lock after a period of time, If an antivirus is available for that mobile device then be sure it's installed.
Never forget that usually the auditing will take place when you configure the VPN software. If your customers setup themselft the VPN connection then some VPN softwares allow rule to check the host if it has an antivirus installed and if it's uptodate. If
it's in-house then you can have a control by restricting the DHCP (like an example
there). With all that setup the only way to be more sure the device is not stolen is by adding a token authentification + NIP (like with RSA key) for the VPN.
If you edit this page and would like acknowledgement of your participation in the v1 version of this document set, please include your name below:
Return to Private Cloud Security Model
Return to Blueprint for A Solution for Private Cloud Security
Return to A Solution for Private Cloud Security
Return to Reference Architecture for Private Cloud
Move forward to Private Cloud Security Model - Legal and Compliance Issues
Table of Contents for A Solution for Private Cloud Security