As a designer of a private cloud solution, I am concerned that a rogue application, client, or DoS attack might destabilize the data center by requesting a large amount of image resources. How do I balance the requirement that individual consumers/tenants have the perception of infinite capacity with the reality of limited shared resources?

Security Functionality

Figure 1 lists a number of capabilities that the security wrapper should include in the private cloud such as:

  • Identity and access management
  • Data protection
  • Monitoring
  • Management
  • Authentication
  • Authorization
  • Role-based access control
  • Auditing

The first paper in this series, "Solution for Private Cloud Security: Service Blueprint," describes these capabilities. This section describes how these capabilities relate to the rapid elasticity attribute of private clouds. The following sections will describe how your design should apply these capabilities at each layer in the private cloud architecture.

Cloud architectures offer elasticity of resources to clients and hosted applications and services. From the tenant’s perspective, the cloud offers an unlimited pool of resources. If the consumer of the cloud service anticipates a burst in demand for their service, the client can request more resources from the cloud to ensure that the service is capable of meeting that demand.  


Note:
This document is part of a collection of documents that comprise the Reference Architecture for Private Cloud document set. The Solution for Private Cloud is a community collaboration project. Please feel free to edit this document to improve its quality. If you would like to be recognized for your work on improving this document, please include your name and any contact information you wish to share at the bottom of this page.


A more sophisticated hosted application or service can monitor demand and automatically request additional resources from the cloud using an API. Clients and client applications can also release resources back into the pool when they are no longer required.

The key issues associated with the rapid elasticity attribute of the private cloud are therefore:

  • Authentication, authorization, and role-based access controls that control who or what, within the organization, may request additional resources from the pool or return resources that are no longer required to the pool.
  • Monitoring and auditing requests to allocate and de-allocate resources to ensure that quotas are respected and that the availability of individual services, hardware devices, and the private cloud is maintained.
  • Ensuring that data is destroyed when pooled resources are released, so that session information from one tenant is not available to the next tenant that acquires the resource.

Infrastructure Security

As this paper has already identified, provisioning and de-provisioning resources must be fully logged and auditable. Monitoring is equally important for both provisioning and de-provisioning requests: an attacker may attempt to destabilize the private cloud by shutting down resources. As has also been discussed, the provisioning and de-provisioning processes must ensure that the resources available in the pool for reuse do not contain any sensitive data that could be exploited by the application or service that next acquires the resource.

From the perspective of the tenants, the private cloud is an unlimited pool of resources, available on demand. From the perspective of the cloud service provider, the private cloud is a fixed-size pool of shared resources used by client business units who have expectations of the quality of service they will receive from the cloud.

You may also offer different sizes of resource to clients (for example small, medium, and large virtual machines), and in order to maintain availability for all clients you might need to limit the number of virtual machines of each size in your cloud so that, for example, 10% of virtual machines are large, 60% are medium, and 30% are small.

To balance the conflicting views of the cloud service provider and the tenants, policies that define quotas must mediate access to the cloud resources, so that a client or attacker cannot accidentally or deliberately overwhelm the cloud infrastructure with provisioning requests or grab a large share of the available resources to the detriment of the service availability to other clients. To implement such quotas you must be able to tell which client made the provisioning request (remembering that the request itself may be made automatically by a running service), dynamically monitor the resource utilization by client, and enforce the quota. This arrangement must all be specified in the relevant SLAs with the clients.

You must also determine the appropriate granularity of the resource quotas and determine whether the quotas may be adjusted. For example, you may apply a quota to a client business unit for all the services and applications that it hosts in the cloud, or apply quotas to each individual application. A client could request a higher quota for a service that is particularly resource intensive; or a client may request a lower quota for a lower priority service or ask for limits on the costs associated with running the service.

The infrastructure design must enable the private cloud to maintain availability for all clients when applications and services are making use of the cloud's ability to respond quickly to changes in demand for the service. All requests to provision or de-provision resources for a client must be logged and auditable, and to ensure availability, the cloud infrastructure must be able to handle provisioning requests in a timely manner.

If demand for private cloud resources is highly elastic and you cannot maintain the availability of the hosted services with your existing capacity, you can adopt a hybrid model and extend your private cloud to infrastructure provided by a third party (sometimes referred to as "cloud bursting"). In this scenario, you must consider what impact, if any, hosting a service in the third party's infrastructure instead of your own will have on:

  • The SLAs with your client business units.
  • The integration of a tenant's application with other services hosted in your private cloud.
  • The legal requirements that relate to the hosted application.

One of the functions that the cloud infrastructure provides is dynamic load balancing for the applications and services hosted in the cloud as demand for those services changes and as services scale in or out. Dynamic load balancing may require moving running virtualized environments between physical servers or even between data centers. In addition to maintaining availability, the automated procedures that handle this process must maintain the confidentiality and integrity of these virtualized environments.

Additionally, when overall demand is high for cloud resources, any load balancing and quota-based rationing of resources must guarantee availability of systems as specified by any SLAs with the client business units.

Software Security

Software that can scale in a private cloud faces two security related issues:

  • Although the private cloud infrastructure can enable rapid elasticity in the supply of virtual resources, hosted applications and services must be designed correctly if they are to function securely when they are scaled out.
  • Hosted applications and services that initiate scaling requests automatically based on monitored demand or a timetable must perform these operations without impacting their own or other services' availability within the cloud.

Applications that are designed to scale may require some mechanism to share user state across instances. SLAs or corporate policies may define how to accomplish shared state securely; for example, specifying requirements for cookie encryption.

Poorly designed autoscaling algorithms used in a hosted service could affect the availability of other services by repeatedly requesting to provision and then deprovision a resource, or by continuing to request resources indefinitely. It is also possible that a poorly designed autoscaling algorithm could inadvertently shut a service down completely, making it unavailable.

Apart from verifying the autoscaling behavior built into hosted applications and services, the cloud infrastructure could include checks within the autoscaling service to prevent repeated resource requests and enable tenants to specify upper and lower limits on their resource requirements.
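To make the quota mediation described under Infrastructure Security and the autoscaling checks described above concrete, here is an added Python example (not code from the Reference Architecture documents): a provisioning gate that identifies the requesting tenant, enforces per-tenant and pool-wide quotas, refuses to scale a service below the tenant's floor, rate-limits oscillating provision/de-provision requests, and records every decision for audit. The size costs, quota numbers and the 60-second window are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass, field

# Relative cost of each VM size in pool units (constructed values).
SIZE_COST = {"small": 1, "medium": 2, "large": 4}

@dataclass
class TenantQuota:
    max_units: int            # upper limit agreed in the tenant's SLA
    min_units: int = 0        # floor so an autoscaler cannot scale a service to zero
    used: int = 0
    history: deque = field(default_factory=deque)  # times of allowed operations

class ProvisioningGate:
    """Mediates provision/deprovision requests against a fixed-size pool."""
    def __init__(self, quotas, pool_units, window=60.0, max_ops=3):
        self.quotas = quotas          # tenant name -> TenantQuota
        self.pool_units = pool_units  # capacity the provider actually has
        self.pool_used = sum(q.used for q in quotas.values())
        self.window, self.max_ops = window, max_ops  # flap-detection parameters
        self.audit = []               # every decision is recorded for auditing

    def _flapping(self, q, now):
        # Forget operations outside the window, then test for oscillation.
        while q.history and now - q.history[0] > self.window:
            q.history.popleft()
        return len(q.history) >= self.max_ops

    def request(self, tenant, action, size, now):
        q = self.quotas.get(tenant)
        cost = SIZE_COST[size]
        if q is None:
            verdict = "deny:unknown-tenant"
        elif self._flapping(q, now):
            verdict = "deny:rate-limit"
        elif action == "provision" and q.used + cost > q.max_units:
            verdict = "deny:tenant-quota"
        elif action == "provision" and self.pool_used + cost > self.pool_units:
            verdict = "deny:pool-exhausted"
        elif action == "deprovision" and q.used - cost < q.min_units:
            verdict = "deny:min-limit"
        else:
            delta = cost if action == "provision" else -cost
            q.used += delta
            self.pool_used += delta
            q.history.append(now)
            verdict = "allow"
        self.audit.append((now, tenant, action, size, verdict))
        return verdict
```

The management interface would call `request` with the authenticated tenant identity before touching the hypervisor, and the `audit` list stands in for whatever log store the deployment uses.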

Management Security

Provisioning and deprovisioning requests and scale in and out requests are made through a cloud management interface, implemented either as a GUI or through an API. Access to these functions should be protected through role-based access control policies and their use fully logged. Additionally, these interfaces should implement any quota checks on resource allocation that you want to enforce.

Legal Issues

Certain applications may need to guarantee availability or meet targets for response time or throughput to meet legal or corporate policy requirements. The private cloud's enablement of rapid elasticity in meeting demand for services must ensure that any such legal or corporate requirements are met without compromising the confidentiality, integrity, or availability of those or any other services hosted in the cloud.
