فا

‫ Microsoft Private Cloud - Overview of Hypervisor Security (first section)

IRCAR201301163
Date: 2013/01/23
 
In this article we'll take a look at the differences between a traditional data center and the private cloud.
Introduction
Security continues to be a top concern for those considering a move to the cloud – and just because you’ve decided to deploy a private cloud instead of “going public” doesn’t mean you don’t have to worry about security. For the most part, private cloud security shares most of the same characteristics and requirements as security in the traditional datacenter. That is, you need to secure the facility, the hardware infrastructure, the network, the applications and the data in a private cloud in the same way that you need to secure the data in a traditional data center. However, there are a few significant differences between a traditional data center and the private cloud, and that’s what we’re going to look at in this article.
One of those significant differences is that almost all private clouds use virtualization. It is important to note that virtualization is not a requirement of private cloud. You could use blade servers instead of virtual machines to accomplish almost all of the same capabilities that you would have in a private cloud based on virtual machines. However, the cost of the blades is likely to be quite a bit higher, so for most companies, virtualization is the private cloud enabling technology of choice. And in a Microsoft shop, that increasingly means Hyper-V.
In a private cloud based on Microsoft Hyper-V, there are a number of things you need to consider when it comes to security. Some basic best practices include:
·         Disable processor based virtualization if you’re not using it
·         Use Windows server core to reduce attack surface and updating
·         Use Bitlocker volume encryption
·         Do not run applications and services on the Host operating system
·         Dedicate a NIC for management purposes
·         Do not mix security zones
·         Make sure that Hyper-V integration services are installed
·         Update virtual machine images offline
·         Use appropriate delegation of administration
Disable processor based virtualization if you’re not using it
Processor based virtualization assistance such as Intel VT enables virtual machines to work optimally by enhancing many memory management and isolation processes. You definitely want these technologies enabled when you are using the server to host Hyper-V based virtual machines. But if you decide to decommission the server and use it in a non-virtual server role, then you should disable these processor extensions, because they can potentially increase the attack surface on that machine. And since the machine isn’t hosting virtual machines, there’s no reason to enable those extensions. Turn them off if you’re not using them.
Use Windows server core to reduce attack surface and updating
Windows Server core deployments represent a minimal installation, which includes only the core components of the Windows Server 2008 or Windows Server 2008 R2 operating system that are required to get the operating system to run and enable installation of applications and services. Because there is a significant reduction in the number of binaries included in a Server core installation, the attack surface is reduced and there are fewer updates needed since the components that typically need updating (such as Internet Explorer) are not included in the installation.
It’s highly recommended that you run your Hyper-V virtual servers on top of a Server Core installation. After you install the Server Core version of Windows, you can then enable the Hyper-V role and install and configure virtual machines on the Server Core deployment by using a remote Hyper-V console or using the System Center Virtual Machine Manager (SCVMM).
Use BitLocker volume encryption
BitLocker is a volume based disk encryption system that enables you to encrypt entire volumes and entire hard disks. BitLocker works together with TPM (Trust Platform Modules) chips on the motherboard to increase the level of security and ensure that the boot environment has not been compromised by an intruder or malware.
BitLocker is important in all deployment scenarios. However, it is even more important when the physical security of the server is less than optimal, such as in branch office scenarios and many small and medium sized businesses. BitLocker protects you from offline attacks, where the intruder attempts to load another operating system and access the disk directly. When BitLocker encrypts the disk, offline attacks fail because the alternate OS used to access the disk is unable to break the BitLocker encryption to access the information on the disk.
You can use BitLocker to secure the boot operating system installed on the boot disk to protect core operating system components. You can also use BitLocker to secure the volumes where the virtual machines are stored. In addition, if you have data that is accessed by the virtual machines on other disks, you can use BitLocker to secure those volumes as well. In general, it’s a good idea to use BitLocker to secure all Windows hosted assets in your data center.
In this article, we took a look at some of the major issues involved with hypervisor security in the Microsoft Private Cloud. For the most part, security requirements in the private cloud are similar to those found in a traditional data center. One of the most obvious examples of where security requirements and considerations differ is hypervisor security, since most private cloud deployments use virtualization as an enabling technology. With this list of security considerations in mind, you can move forward to increase the overall security of your Microsoft private cloud solution.
References:

نظرات

بدون نظر
شما برای نظر دادن باید وارد شوید

نوشته

 
تاریخ ایجاد: 18 مرداد 1393

دسته‌ها

امتیاز

امتیاز شما
تعداد امتیازها:0