As the highest level of the private cloud service provision layers, software security brings its own specific security challenges that are unique to an environment thatimage hosts live applications. Figure 1 shows these areas diagrammatically.

 

Figure 1. Security in the software layer of the private cloud

Application Security

Application security in private cloud implementations has many commonalities with data center application hosting. All the usual best practices about making applications secure by design and secure by default apply equally in the private cloud. However, there are the following issues that are specific to the cloud.

  • Application partitioning. The requirement for a multi-tenant support in private cloud environments requires strict application partitioning, where provisioned applications only service requests from users within the provisioning consumer’s organizational unit or virtual team. Supporting this multi-tenant model requires full integration between each running application and the authentication and authorization mechanisms. Typically, authentication would be carried out through federated identities, using an industry-standard federation model such as Security Assertion Markup Language (SAML) token exchange.
  • Client trust levels. With private cloud implementations, you may not have the same level of control over client types, operating systems, browser types, update levels and anti-virus security as with a more tightly-controlled network, particularly if you are making use of the universal connectivity aspect of cloud provision. In consequence, applications that you create should validate and constrain all client input by checking it for type, range, length, and format.

Update Security

Update security in the software layer involves similar considerations to updates in the platform layer. Again, the deployment flexibility and virtualization features assist with installing application security updates and rolling back a complete application if an update fails.

RESOURCES:

 

ACKNOWLEDGEMENTS LIST:
If you edit this page and would like acknowledgement of your participation in the v1 version of this document set, please include your name below:
[Enter your name here and include any contact information you would like to share]

Return to Private Cloud Security Model

Return to Blueprint for A Solution for Private Cloud Security

Return to A Solution for Private Cloud Security

Return to Reference Architecture for Private Cloud

Move forward to Service Delivery Security

Table of Contents for A Solution for Private Cloud Security