‫ Security Considerations for Cloud Computing (Part 1) - Virtualization Platform (Section one)

IRCAR201302166
Date: 2013/02/19
This article looks at some of the security issues related to virtualization in the cloud.
In a previous article, Microsoft Private Cloud: Overview of Hypervisor Securitywe talked about hypervisor security in the Microsoft private cloud. But cloud computing – both public and private – is a complex topic, and in this series, we’re going to delve into some of those complexities. A cloud computing environment offers a multitude of advantages. However, you need to understand that while the hypervisor is an important component, cloud computing is more than just virtualization. Remember that a cloud has the following characteristics, according to NIST:
  • Self-service
  • Broad network access
  • Elasticity
  • Chargeback
  • Resource pooling
You might have noticed that virtualization is not one of the five core tenants. Of course, virtualization makes it a lot easier to attain the capabilities enabled by each of these tenants. And since we are likely to be using one or more virtualization platforms in our cloud datacenters (whether public or private or hybrid cloud), we’re going to need to consider some of the security issues related to virtualization in the cloud.
Before you can intelligently think about the security concerns related to virtualization and cloud computing, however, you have to understand how virtualization is used in a cloud environment. A virtual machine (typically referred to as a “VM”) is usually a commodity operating system instance that is contained in a configured and running OS image. The OS image is a snapshot of a server and includes space for virtual disk storage. You need some form of technology to support the virtual machines and this is done using a hypervisor.
Different virtualization platforms will use different approaches. Regardless of the vendor, there are two standard types of virtualization platforms that are in use today:
  • Type 1 hypervisors run directly on bare hardware. Guest operating systems run on top of the hypervisor. Examples include Microsoft Hyper-Vand VMware ESX.
  • Type 2 hypervisors are also called “hosted hypervisors” where the hypervisor runs as a program in the host OS. VMs run on top of the Type 2 hypervisor. Examples of Type 2 hypervisors include Oracle VirtualBox, Parallels, Virtual PC, VMware Fusion, VMware Server, Xen, and XenServer.
An in depth discussion of how virtualization works is beyond the scope of this article. There are a number of good resources on the Microsoft and VMware web sites where you can learn more about virtualization platforms. What we’re going to focus on here are some important security issues related to hypervisors, and these security issues become even more important when we think about using virtualization in the cloud. Let’s look at some of them:
  • The first consideration is that when you create a new virtual machine and turn it on, you’ll be adding a new operating system to your production environment. Regardless of the operating system, each running operating system has its own security risks. That means you need to be very careful that each operating system running in your virtual environment be patched, maintained, and monitored as appropriate per its intended use, just like any non-virtual operating system on your network.
  • Next, you need to be aware that the common network intrusion detection systems that are used on enterprise networks today do not necessarily work as well in a virtualized infrastructure. This is especially the case when the traffic you want to monitor is taking place between virtual machines hosted on the same virtual server or a member of a virtual server cluster or array. The result is that methods used to monitor traffic between VMs will need to use alternative methods or entirely forego network based intrusion detection system and move the detection back to the host.
  • Another important is that when you move virtual machines from one physical server to another, such as when you employ dynamic resource scheduling or PRO - network monitoring, systems may not know that these virtual machines and the services they run have moved, and thus may generate alarms that are false (false positives). The situation is even more problematic when you use clustering in conjunction with virtualization.
  • Finally, virtualization requires that you adopt different management practices across the entire solution for the services that you’re delivering. Issues such as desired configuration management (DCM), virtual machine mobility and capacity planning and management need to be reexamined. In addition, you may run into problems with resource allocation that can lead to significant slowing of the entire infrastructure. For these reasons, you need to pay particular attention to performance management when running applications and services in a virtualized environment.
Related Links:
Microsoft Private Cloud - Overview of Hypervisor Security (second section)

نظرات

بدون نظر
شما برای نظر دادن باید وارد شوید

نوشته

 
تاریخ ایجاد: 18 مرداد 1393

دسته‌ها

امتیاز

امتیاز شما
تعداد امتیازها:0