Security Considerations for Cloud Computing (Part 3) - Broad Network Access (section one)

IRCAR201304170
Date: 2013-04-23
 
Introduction
In part two of our private cloud security series, we talked about how the five essential characteristics of cloud computing affect security considerations for private cloud environments. We also talked about how security in the private cloud is similar to the security decisions you make in the traditional datacenter. The main differences are related to the unique security issues you run into when considering the five essential characteristics of cloud computing, with the focus being on the on-demand self-service characteristic. Finally, in that article we talked about how our discussions are about private cloud computing in general and are not specific to what might be considered the Microsoft private cloud. We’ll talk about the Microsoft private cloud in great detail in future articles later this year after Windows Server 8 and the Windows Server 8 compatible suite of System Center products are released.
In this, part 3 of our series, we’ll discuss how the “Broad Network Access” characteristic of cloud computing introduces security issues that you need to address. When we refer to broad network access in cloud computing, we mean that the resources hosted by the cloud should be available to any computing device, regardless of form factor, from any Internet connected location. Of the five essential characteristics of cloud computing, broad network access is the most debated. The reason for this is that when you think about private cloud, you are most likely deploying the private cloud to keep your most highly prized information away from most of the people on the Internet. For many, it appears that broad network access is more applicable to public cloud deployments than private cloud.
However, you can take another view of broad network access. If we make the assumption that hybrid clouds, which are a combination of public and private clouds, will be a common deployment model, then you might want to enable broad network access from the perspective that the private cloud needs to be highly accessible to the front end components hosted in the public cloud.
Issues Related to Broad Network Access and Private Cloud Security
The key issues related to broad network access and private cloud security include the following:
· Perimeter network role and location
· Identity and Access Management (IdAM)
· Authentication
· Authorization
· Role-based access control (RBAC)
· Federation
· Logging and Auditing
· Public network connectivity
· Endpoint protection Client security
Let’s briefly discuss each of these.
Perimeter network role and location
In the private cloud, you will need to think about how you handle inbound connections to the resources on the private cloud network. In some cases, the inbound access will be required to allow front end services to connect to private cloud resources and in other cases, you may be hosting private cloud resources to which client devices will connect. Because inbound access from the Internet is required, you are going to need to support a DMZ between the private cloud services and the Internet.
An important consideration is that you may want to host your DMZ and firewalls in a virtualized environment like the rest of the services in your private cloud. However, because the firewalls and other gateways belong to a different security zone, you should not host these services on the same servers that host your production workloads. The reason for this is that if somehow the gateway virtual machines are compromised, there is the chance of an attacker taking down your entire private cloud infrastructure.
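The zone-separation rule above can be checked mechanically against a VM placement inventory. The following is an added example, not part of the original article; the host names, VM names and zone labels are constructed, and the inventory format is an assumption.

```python
from collections import defaultdict

# Constructed sample inventory: (hypervisor host, VM name, security zone).
# All names and zone labels are hypothetical.
PLACEMENT = [
    ("hv-01", "fw-edge-1", "dmz"),
    ("hv-01", "rproxy-1", "dmz"),
    ("hv-02", "sql-prod-1", "production"),
    ("hv-02", "app-prod-1", "production"),
    ("hv-03", "fw-edge-2", "dmz"),
    ("hv-03", "app-prod-2", "production"),  # violation: shares a host with a gateway
    ("hv-04", "vpn-gw-1", "DMZ "),          # same zone, inconsistently labelled
]


def normalize(zone):
    """Treat 'DMZ ', 'dmz' and 'Dmz' as the same zone label."""
    return zone.strip().lower()


def mixed_zone_hosts(placement):
    """Return {host: {zone: [vm, ...]}} for hosts running VMs from more than one zone."""
    by_host = defaultdict(lambda: defaultdict(list))
    for host, vm, zone in placement:
        by_host[host][normalize(zone)].append(vm)
    return {
        host: {zone: sorted(vms) for zone, vms in zones.items()}
        for host, zones in by_host.items()
        if len(zones) > 1
    }


def exposed_workloads(placement, gateway_zone="dmz"):
    """List (host, vm) pairs for non-gateway VMs that share a host with a gateway VM."""
    exposed = []
    for host, zones in sorted(mixed_zone_hosts(placement).items()):
        if gateway_zone in zones:
            for zone, vms in sorted(zones.items()):
                if zone != gateway_zone:
                    exposed.extend((host, vm) for vm in vms)
    return exposed


if __name__ == "__main__":
    for host, vm in exposed_workloads(PLACEMENT):
        print(f"{host}: {vm} shares a hypervisor with DMZ gateway VMs")
```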
Identity and Access Management (IdAM)
Identity and access management are critical areas when dealing with private cloud security. You will need to be able to authenticate all inbound connections to the private cloud, and then after the user is authenticated, you need a mechanism in place to authorize the use of private cloud resources. How you will do this depends on the range of clients that you anticipate connecting to your private cloud resources and the nature of the private cloud resources to which they connect.
Access management needs to take into consideration not only the users of private cloud services, but also the managers of the private cloud infrastructure. You do not want the managers of the components of the private cloud infrastructure to have omnibus control of all aspects of the infrastructure; you only want them to be able to manage the pieces for which they are responsible. In addition, you do not want the managers of the tenant workloads to have access to other tenant workloads and the private cloud infrastructure.
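A minimal sketch of the scoping described above: infrastructure managers are limited to their own component, tenant managers to their own tenant, and any wildcard ("omnibus") grant is flagged rather than honored. This is an added example, not part of the original article; the principals, component names, tenant ids and data model are all hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    kind: str   # "infrastructure" or "tenant"
    scope: str  # component name (e.g. "storage") or tenant id
    name: str


@dataclass(frozen=True)
class Assignment:
    principal: str
    kind: str
    scope: str          # "*" would mean omnibus control
    actions: frozenset


# Constructed sample assignments (all names hypothetical).
ASSIGNMENTS = [
    Assignment("alice", "infrastructure", "storage", frozenset({"read", "manage"})),
    Assignment("bob", "infrastructure", "network", frozenset({"read", "manage"})),
    Assignment("carol", "tenant", "tenant-a", frozenset({"read", "manage"})),
    Assignment("dave", "infrastructure", "*", frozenset({"manage"})),
]


def is_allowed(assignments, principal, action, resource):
    """Default deny. Grant only on an exact kind and scope match.

    A wildcard scope never matches, so an omnibus grant confers nothing.
    """
    return any(
        a.principal == principal
        and a.kind == resource.kind
        and a.scope == resource.scope
        and action in a.actions
        for a in assignments
    )


def omnibus_assignments(assignments):
    """Principals holding a wildcard scope, for review and removal."""
    return sorted(a.principal for a in assignments if a.scope == "*")


SAN = Resource("infrastructure", "storage", "san-01")
CORE_SWITCH = Resource("infrastructure", "network", "core-sw-01")
VM_A = Resource("tenant", "tenant-a", "web-vm-1")
VM_B = Resource("tenant", "tenant-b", "web-vm-1")
```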
Date created: 18 Mordad 1393