Security Considerations for Cloud Computing (Part 3) - Broad Network Access (section two)

IRCAR201307179
Date: 2013-07-06
Role-based access control (RBAC)
This leads us to the concept of role-based access control. Access to the various components of the private cloud should be based on the role a person has within the private cloud, and several of those components require support for multiple roles. The challenge is that infrastructure components that used to be hosted on different physical systems, distributed across a traditional data center, are now consolidated into a central infrastructure in the private cloud.
Networking, computing, and storage roles need to be delegated to the people who are responsible for those components. Your cloud management solution will likely provide a central console to manage all of these components. Therefore, you need to confirm that your private cloud management interface enables you to give the administrators of the various components access to the configuration interfaces they require, but no access to any other configuration options.
End users of the cloud – whether they are consumers of the private cloud services or tenant administrators – should be limited to the components of the services they require. End users need access to the controls of the services they connect to so that the application provides them with the desired services, and tenant administrators need access to the controls that influence the functionality and performance of their workloads.
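The access model described above, written as a deny-by-default authorization check. This is an added example, not code from the original article; the role names, actions and the `Principal`/`Resource` types are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed role model (assumption): each infrastructure role may
# configure exactly one component area of the consolidated console.
INFRA_ROLES = {
    "network-admin": "network",
    "compute-admin": "compute",
    "storage-admin": "storage",
}
# Tenant-side roles: permitted actions, valid only on the tenant's own services.
TENANT_ROLES = {
    "tenant-admin": {"use", "configure", "scale"},
    "end-user": {"use"},
}

@dataclass(frozen=True)
class Principal:
    name: str
    role: str
    tenant: Optional[str] = None  # None for infrastructure staff

@dataclass(frozen=True)
class Resource:
    area: str                     # "network", "compute", "storage" or "service"
    tenant: Optional[str] = None  # owning tenant when area == "service"

def authorize(p: Principal, action: str, r: Resource) -> bool:
    """Deny by default; allow only what the principal's role names."""
    if p.role in INFRA_ROLES:
        # Component admins configure their own area and nothing else,
        # which also keeps them out of tenant services.
        return action == "configure" and r.area == INFRA_ROLES[p.role]
    if p.role in TENANT_ROLES:
        return (r.area == "service"
                and p.tenant is not None
                and r.tenant == p.tenant
                and action in TENANT_ROLES[p.role])
    return False  # unknown role

def audit(principals, actions, resources):
    """List every combination the policy allows, for periodic review."""
    return [(p.name, a, r.area, r.tenant)
            for p in principals for a in actions for r in resources
            if authorize(p, a, r)]
```

Running `audit` over the full set of principals and resources gives a reviewable list of everything the central console would permit, which is the confirmation step the text asks for.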
Federation
Federation of your authentication and authorization infrastructure is critical because of the number of systems that the private cloud will be working with. Most private cloud environments will have components situated in the public cloud, or with partners who are running their own private cloud environments. Because of this, there is no centralized authentication repository. This is also true when you think about client connections to the private cloud. You may or may not have knowledge of these client systems in advance and therefore will need to support a decentralized approach when it comes to authentication repositories. Federation allows you to do this by enabling your private cloud to consume claims generated by trusted authentication repositories.
Logging and Auditing
Auditing needs to be robust and comprehensive in the private cloud. Because there are so many tenant workloads and so many users and devices connecting from a variety of locations to your private cloud, you need to comprehensively log and report on all activities taking place in the private cloud. This situation becomes increasingly complex because self-service enables tenant administrators to spin up services on an automated basis and enable users to connect to these resources.
Logging and auditing is also crucial for predictability. You need to know trends and patterns due to broad network access. Is there a pattern to users’ connectivity? Do more users connect at certain times of day? Are there more attacks coming from a certain geographic location? Is there a trend for a particular type of attack or attacks from particular devices? Widespread logging and reporting can give you this critical information so that you can create automated responses to these issues.
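The questions in the paragraph above (connection times, attack sources, attack types, devices) can be answered directly from the logs. The following is an added example, not part of the original article; the key=value log layout, the field names, the sample lines and the threshold are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log; "XA" is a placeholder region code.
SAMPLE_LOG = """\
ts=2013-07-06T08:02:11 tenant=t1 src=198.51.100.7 geo=DE device=laptop event=connect
ts=2013-07-06T08:40:03 tenant=t2 src=198.51.100.9 geo=FR device=phone event=connect
ts=2013-07-06T09:15:47 tenant=t1 src=203.0.113.5 geo=XA device=unknown event=attack type=bruteforce
ts=2013-07-06T09:16:02 tenant=t1 src=203.0.113.5 geo=XA device=unknown event=attack type=bruteforce
ts=2013-07-06T09:16:30 tenant=t2 src=203.0.113.8 geo=XA device=phone event=attack type=sqli
ts=2013-07-06T14:05:00 tenant=t1 src=198.51.100.7 geo=DE device=laptop event=connect
this line is malformed and must not break the report
"""

def parse(line):
    """Return the record as a dict, or None if required fields are absent."""
    fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
    return fields if {"ts", "event"} <= fields.keys() else None

def trends(log_text):
    """Aggregate connections by hour and attacks by source, type and device."""
    by_hour, by_geo, by_type, by_device = Counter(), Counter(), Counter(), Counter()
    skipped = 0
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            skipped += 1  # count gaps so missing data is visible in the report
            continue
        if rec["event"] == "connect":
            by_hour[datetime.fromisoformat(rec["ts"]).hour] += 1
        elif rec["event"] == "attack":
            by_geo[rec.get("geo", "?")] += 1
            by_type[rec.get("type", "?")] += 1
            by_device[rec.get("device", "?")] += 1
    return {"connect_by_hour": by_hour, "attack_by_geo": by_geo,
            "attack_by_type": by_type, "attack_by_device": by_device,
            "skipped": skipped}

def response_candidates(report, threshold=3):
    """Sources whose attack count reaches the threshold: inputs for an
    automated response such as rate limiting or step-up authentication."""
    return sorted(g for g, n in report["attack_by_geo"].items() if n >= threshold)
```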
Public network connectivity
Because broad network access requires Internet connectivity, you need to make sure that your connection to the Internet is performant and highly available. You will also need to ensure that there is always enough bandwidth available so that users and administrators can connect to the resources they require. You may need to employ QoS services so that each of the tenant workloads has the bandwidth it requires. In addition, QoS is important because a rogue tenant workload may flood the Internet connection and negatively impact other tenants in the private cloud infrastructure.
Endpoint protection and Client Security
Perhaps the most important issue in terms of broad network access is endpoint protection and client security. Due to the fact that broad network access requires that you support a variety of devices from anywhere in the world, and also the fact that many of the users of the tenant services will be unknown to you, you need to consider how you can enable secure behavior from those devices connecting to the tenant workloads.
In most cases, you will likely have no control over the configuration of these devices. You will need to think about the security implications of insecure devices connecting to the services hosted on the private cloud. Depending on the workload, you will need to consider the use of gateway devices that can assess the security configuration of the devices connecting to the workload and provide a level of access to each device based on its current security posture.
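A sketch of the gateway decision described above: the access level depends on the workload and on the posture the device reports. This is an added example, not from the original article; the workload names, check names and the three access levels are assumptions. Because most devices are unmanaged, a check that is missing from the report is treated as failed.

```python
# Constructed policy: checks needed for full access and, where a reduced
# tier exists, the minimum checks for limited access (None = no such tier).
POLICY = {
    "public-portal": {"full": set(), "limited": set()},
    "tenant-app": {"full": {"os_patched", "av_running"},
                   "limited": {"os_patched"}},
    "admin-console": {"full": {"os_patched", "av_running",
                               "disk_encrypted", "managed"},
                      "limited": None},
}

def missing(posture, checks):
    """Checks the device did not pass. Only an explicit True passes;
    absent, False, None or string values all count as failed."""
    return sorted(c for c in checks if posture.get(c) is not True)

def access_level(posture, workload):
    """Return (level, failed_checks), level in {'full', 'limited', 'deny'}."""
    policy = POLICY.get(workload)
    if policy is None:
        return "deny", ["unknown-workload"]  # fail closed on unlisted workloads
    failed = missing(posture, policy["full"])
    if not failed:
        return "full", []
    limited = policy["limited"]
    if limited is not None and not missing(posture, limited):
        return "limited", failed
    return "deny", failed
```

Returning the failed checks alongside the level lets the gateway log why access was reduced and tell the user what to remediate.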
Summary
In this article, we looked at the security implications of the “broad network access” characteristic of cloud computing. While broad network access is a debatable feature of private cloud in some circles, there are arguments that it still applies to the private cloud. The key issue is that there is the chance that both known and unknown users using managed and unmanaged devices will connect to tenant services running on your private cloud.
Created: 18 Mordad 1393