Security Considerations for Cloud Computing (Part 5) - Rapid Elasticity

Date: 2013-10-14

In the first four parts of this series on private cloud security, we talked about some basic considerations that are specific to security issues in the private cloud. We’ve talked about Today, we’ll turn our attention to another essential characteristic of cloud computing: rapid elasticity.
The concept of rapid elasticity is one of the major characteristics that set cloud computing apart from traditional datacenter computing. In a cloud environment, you have multiple tenants that share components of a shared resource pool (and in the case of a private cloud, all the tenants are part of a single corporate entity). Your tenants use the networking, compute and storage assets in the shared pool, and then return them to the pool when they no longer need those assets. They can also get more resources from the shared pool if and when they need to – but when they no longer need these additional resources, they return them to the pool. In a well-architected cloud, the acquisition and release of assets from and to the shared pool would be automated, based on service demands and driven by an intelligence policy.
This rapid, policy-based acquisition and release of shared pool resources is the heart and definition of rapid elasticity.
Security Concerns Associated with Rapid Elasticity
This essential characteristic of cloud computing enables you, as the provider of cloud services or cloud infrastructure, to give your customers/tenants the resources they need to provide the best service to the tenants’ customers – the end users of the services that are hosted on your private cloud. Rapid elasticity also enables you to optimize the use of the shared resource pool. You will have explicit agreements with your tenants about the amounts of resources they need, which includes minimum guarantees and maximum caps. This allows you to plan the scale of the cloud datacenter so that all tenants are able to get what they need.
However, rapid elasticity also introduces some security concerns that you might not encounter in a traditional datacenter. Issues that are associated with rapid elasticity include:
· Authentication, authorization, and access controls (AAA) that control who can request additional resources from the shared resource pool or release resources back into the pool.
· Monitoring and auditing requests to acquire and release resources to guarantee that quotas are enforced and the services remain available.
· Ensuring that when resources are released back into the shared pool, all data remnants are wiped from all components of the shared pool that were consumed by the private cloud tenant.
Securing the Cloud Infrastructure
The receipt and release of resources must be fully logged and auditable. Monitoring is important when providing cloud resources and releasing them because an attacker could destabilize the private cloud by shutting down resources. The provisioning and de-provisioning schemes must ensure that the resources available in the pool for reuse do not contain sensitive data that could be used by the application or service that next acquires the resource.
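The remnant problem described above can be modelled in a few lines. This is an added example, not code from the original article: the `SharedPool` class, its buffer-based "resources", the tenant names and the sample secret are all constructed for illustration. It shows an unsafe release path next to one that wipes, verifies and fails closed.

```python
class SharedPool:
    """Toy model of a shared pool: each resource is a fixed-size buffer."""

    def __init__(self, count, size, sanitize):
        self.free = [bytearray(size) for _ in range(count)]
        self.quarantine = []      # released but not proven clean
        self.sanitize = sanitize  # False models the unsafe release path
        self.log = []             # (event, tenant) pairs for auditing

    def acquire(self, tenant):
        if not self.free:
            raise RuntimeError("pool exhausted")
        self.log.append(("acquire", tenant))
        return self.free.pop()

    def release(self, tenant, buf, wipe=None):
        self.log.append(("release", tenant))
        if not self.sanitize:
            self.free.append(buf)          # remnants go straight back
            return
        (wipe or zero_fill)(buf)
        if any(buf):                       # verify before reuse, fail closed
            self.quarantine.append(buf)
            self.log.append(("wipe-failed", tenant))
        else:
            self.free.append(buf)


def zero_fill(buf):
    """Overwrite the whole buffer in place with zero bytes."""
    buf[:] = bytes(len(buf))


def next_tenant_sees(pool, secret=b"tenant-a payroll record"):
    """Tenant A writes and releases; return what tenant B finds afterwards."""
    buf = pool.acquire("tenant-a")
    buf[:len(secret)] = secret             # constructed sample data
    pool.release("tenant-a", buf)
    return bytes(pool.acquire("tenant-b")).rstrip(b"\x00")
```

A resource whose wipe cannot be verified stays in quarantine and is logged, so it costs capacity rather than confidentiality.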
Your private cloud might offer different resource quotas for different clients (thus you might offer a choice of small, medium, and large virtual machines). To maintain service quality for all clients, you might need to limit the number of certain sizes of virtual machines in your cloud so that, for example, 5% of virtual machines are large, 75% are medium, and 20% are small.
You should define policies that describe quotas to control private cloud resource usage. That helps prevent a client – or an attacker – from accidentally or deliberately overwhelming the private cloud infrastructure with provisioning requests. You should be able to tell which tenant or process made a particular provisioning request and you should also be able to dynamically monitor resource utilization by each tenant.
Private cloud infrastructure design should ensure availability for all tenants when other tenants are making use of the cloud’s ability to elastically respond to demands for service. As noted before, all requests to acquire or release resources from tenants should be logged and auditable. The private cloud infrastructure should also be responsive and should not introduce significant delays when resources are requested.
There may be scenarios where requests for private cloud resources are very elastic upwards and it may be difficult to maintain the availability with existing capacity. In this case, you might want to consider using a hybrid cloud deployment and extending the private cloud to a third party.
In a hybrid cloud deployment you will need to consider the security controls employed by the hosting party, as their practices may or may not align with your security requirements.
Secure the Software in the Private Cloud
Hosted applications and services must be designed to take advantage of cloud attributes so that they retain their security configuration when they scale out. Cloud services can be designed to initiate resource requests programmatically, based on demand. These operations must be completed without impacting service availability within the cloud. In addition, applications that are designed to support rapid elasticity should include a mechanism to share user state (which can include automated processes) across virtual machine instances through the cloud infrastructure. SLAs can define how to do this securely.
Secure Management Processes in an Elastic Environment
Acquiring and releasing resources should be done through an integrated cloud management system that is implemented through intuitive interfaces and also programmatic interfaces. Strong access control should be applied to these interfaces by employing role-based access control (RBAC), and there should be robust logging of access to these interfaces. These interfaces should also enforce quota checks on resource allocation.
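One way to combine the RBAC check, the quota checks and the audit trail at a single management interface, as an added example that is not part of the original article. The role name, pool capacity, tenant caps and audit record fields are assumptions; the size mix is the 5% / 75% / 20% split the article gives as an example.

```python
import json
import time
from collections import Counter

# Assumed values for illustration: role name and pool capacity.
PROVISION_ROLE = "provisioner"
POOL_CAPACITY = 100
SIZE_MIX_PCT = {"large": 5, "medium": 75, "small": 20}


class ProvisioningGate:
    """Single choke point for acquire/release requests against the pool."""

    def __init__(self, tenant_caps):
        self.tenant_caps = tenant_caps   # tenant -> maximum VMs (agreed cap)
        self.held = Counter()            # (tenant, size) -> VMs in use
        self.audit_log = []              # one JSON record per request

    def _decide(self, action, tenant, principal, size, reason=None):
        # Every request is recorded, allowed or denied, with who asked.
        self.audit_log.append(json.dumps({
            "ts": time.time(), "action": action, "tenant": tenant,
            "principal": principal, "size": size,
            "decision": "deny" if reason else "allow", "reason": reason,
        }))
        return reason is None

    def _total(self, index, value):
        return sum(n for key, n in self.held.items() if key[index] == value)

    def acquire(self, tenant, principal, roles, size):
        if PROVISION_ROLE not in roles:
            return self._decide("acquire", tenant, principal, size, "rbac")
        if size not in SIZE_MIX_PCT:
            return self._decide("acquire", tenant, principal, size, "bad-size")
        if self._total(0, tenant) >= self.tenant_caps.get(tenant, 0):
            return self._decide("acquire", tenant, principal, size, "tenant-cap")
        if self._total(1, size) >= POOL_CAPACITY * SIZE_MIX_PCT[size] // 100:
            return self._decide("acquire", tenant, principal, size, "size-mix")
        self.held[(tenant, size)] += 1
        return self._decide("acquire", tenant, principal, size)

    def release(self, tenant, principal, roles, size):
        if PROVISION_ROLE not in roles:
            return self._decide("release", tenant, principal, size, "rbac")
        if self.held[(tenant, size)] == 0:
            return self._decide("release", tenant, principal, size, "not-held")
        self.held[(tenant, size)] -= 1
        return self._decide("release", tenant, principal, size)
```

Denied requests are logged with the same fields as allowed ones, so a burst of `tenant-cap` or `rbac` denials from one principal is visible in the same trail used for capacity auditing.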
Date created: 18 Mordad 1393