When deploying an on-premises infrastructure-as-a-service (IaaS) cloud, security must be considered broadly: the organization must not only meet security best practices but also comply with regulatory requirements. In this article, we discuss how to control virtual machine instances, management platforms, and the network and storage infrastructure that supports IaaS implementations.

Virtual machine instances

First, the operating system and applications of each virtual machine (VM) must be locked down and properly configured using existing guidance, such as the configuration guidelines from the Center for Internet Security (CIS). Proper VM management also leads to more robust and consistent configuration management. The key to creating and managing security configurations on VM instances is the use of templates. Administrators should create a "golden image" from which all VMs in the cloud are initialized, baseline that template, and apply strict revision control so that all patches and other updates are applied in a timely manner. Many virtualization platforms provide specific controls for securing VMs, and enterprises should make full use of these features. For example, VMware's VM configuration settings can restrict copy-and-paste operations between the VM and the underlying hypervisor, which helps prevent sensitive data from being copied into the hypervisor's memory and clipboard. Microsoft and Citrix platform products offer similar copy-and-paste restrictions. Other platforms also provide features that let businesses disable unnecessary devices, set logging parameters, and more.
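The template-baselining and VM configuration controls described above can be checked mechanically. The following is an added example (not code from the original article or from VMware) that parses a .vmx file and compares it against a small hardening baseline. The keys checked (isolation.tools.copy.disable, isolation.tools.paste.disable, isolation.device.*.disable, log.rotateSize, log.keepOld, RemoteDisplay.maxConnections, and the floppy/serial/parallel device flags) are parameters from VMware's published VM hardening guidance; the expected values and the sample .vmx text are constructed for the example.

```python
"""Audit a VMware .vmx file against a small hardening baseline.

Added example, not part of the original article or VMware's own tooling.
Run it against the golden-image template before cloning VMs from it, and
again on deployed VMs to catch drift from the baseline.
"""
import re
from typing import Dict, List, Tuple

# Baseline of key -> expected value. Keys are VMware hardening-guide
# parameters; .vmx keys are case-insensitive, so they are stored lower-cased.
BASELINE: Dict[str, str] = {
    "isolation.tools.copy.disable": "TRUE",          # no guest -> host clipboard copy
    "isolation.tools.paste.disable": "TRUE",         # no host -> guest clipboard paste
    "isolation.tools.setguioptions.enable": "FALSE", # guest cannot re-enable the above
    "isolation.device.connectable.disable": "TRUE",  # guest users cannot connect devices
    "isolation.device.edit.disable": "TRUE",         # guest users cannot edit devices
    "log.rotatesize": "1000000",                     # bound per-file log size (bytes)
    "log.keepold": "10",                             # keep a fixed number of rotated logs
    "remotedisplay.maxconnections": "1",             # one console session at a time
}

# Virtual hardware that should be removed when not needed.
UNNEEDED_DEVICE_KEYS = ("floppy0.present", "serial0.present", "parallel0.present")

# .vmx lines look like:  some.key = "value"
VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')

# Constructed sample .vmx excerpt for the example (not a real VM's file).
SAMPLE_VMX = '''.encoding = "UTF-8"
config.version = "8"
displayName = "finance-app-01"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "FALSE"
isolation.device.connectable.disable = "TRUE"
isolation.device.edit.disable = "TRUE"
log.rotateSize = "1000000"
log.keepOld = "10"
floppy0.present = "TRUE"
RemoteDisplay.maxConnections = "1"
'''


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse key = "value" lines into a dict keyed by lower-cased setting name."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = VMX_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def audit_vmx(settings: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (key, actual, expected) for every baseline deviation.

    A missing key is reported as a deviation: VMware treats an absent
    isolation.* setting as 'not restricted', so absence is not safe.
    """
    findings: List[Tuple[str, str, str]] = []
    for key, expected in BASELINE.items():
        actual = settings.get(key)
        if actual is None:
            findings.append((key, "missing", expected))
        elif actual.lower() != expected.lower():
            findings.append((key, actual, expected))
    for key in UNNEEDED_DEVICE_KEYS:
        if settings.get(key, "FALSE").upper() == "TRUE":
            findings.append((key, "TRUE", "FALSE (remove unused device)"))
    return findings


if __name__ == "__main__":
    for key, actual, expected in audit_vmx(parse_vmx(SAMPLE_VMX)):
        print(f"{key}: found {actual}, expected {expected}")
```

On the constructed sample the audit reports three deviations: paste into the guest is still allowed, the setGUIOptions key is absent, and an unused floppy device is present. Treat "missing" the same as a wrong value when baselining the template, since the restrictive behaviour only applies when the key is explicitly set.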
Also, when securing VM instances, be sure to isolate VMs running in different cloud regions according to standard data-classification principles. Because VMs share hardware resources, running them in the same cloud region can lead to data collisions in memory, although the probability of such conflicts is extremely low today.

Management platform

The second key to securing a virtual environment is to secure the management platform that interacts with the VMs and configures and monitors the underlying hypervisors. These platforms, such as VMware's vCenter, Microsoft's System Center Virtual Machine Manager (SCVMM), and Citrix's XenCenter, come with their own security controls that should be implemented. For example, vCenter is often installed on Windows and inherits the local administrator role with system privileges, unless the relevant roles and permissions are modified during installation. With management tools, securing the management database is paramount, yet many products do not secure it by default. Most importantly, roles and permissions must be assigned to the different operational roles within the management platform. While many organizations have a virtualization team that manages VM operations within the IaaS cloud, the key is not to grant too many permissions within the management console. I recommend granting permissions to the storage, networking, system administration, and other teams just as you would in a traditional data center. For cloud management tools such as vCloud Director and OpenStack, roles and permissions should be assigned carefully, and the different end users of cloud VMs must be accounted for. For example, the development team should have VMs for its own work that are isolated from the VMs used by the finance team.
All management tools should be isolated in a separate network segment, and access to them should be required through a "jump box" or a dedicated secure proxy platform such as HyTrust, where strong authentication and centralized user monitoring can be established.

Network and storage infrastructure

While securing the network and storage that underpins an IaaS cloud is a broad task, there are some general best practices that should be implemented. For storage, remember that VM files must be protected like any other sensitive files. Some files hold live memory or memory snapshots (potentially the most sensitive, since they may contain user credentials and other sensitive data), while others represent the system's entire hard drive. In both cases the file contains sensitive data. It is critical that separate logical unit numbers (LUNs) and zones/domains in the storage environment isolate systems of different sensitivity. If storage area network (SAN)-level encryption is available, consider whether it applies. On the network side, ensure that individual CIDR segments are isolated and controlled with virtual LANs (VLANs) and access controls. If fine-grained security controls are a must in the virtual environment, enterprises can consider virtual firewalls and virtual intrusion detection appliances. VMware's vCloud platform integrates its own vShield virtual security facility, and products from traditional network vendors are also available. In addition, consider network segments over which sensitive VM data may be transmitted in plaintext, such as vMotion networks: in a VMware environment, memory contents are transferred in plaintext from one hypervisor to another, exposing sensitive data to leakage.
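The isolation rules from the two sections above (VMs of different classification kept apart, separate LUNs per sensitivity, VLAN placement enforced, and the vMotion network kept away from VM traffic) can be audited against an inventory export. Here is an added example, not code from the original article or from any vendor, that runs those checks over a constructed inventory. The VM records, VLAN policy, and per-host vMotion VLANs are all assumed sample data; in practice they would come from the management platform's inventory API.

```python
"""Audit VM placement against data-classification isolation rules.

Added example, not part of the original article. The inventory, the
classification -> VLAN policy, and the vMotion VLAN table are constructed
sample data standing in for an export from the management platform.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    classification: str  # data classification label, e.g. "restricted"
    host: str            # hypervisor the VM runs on
    datastore: str       # backing datastore / LUN
    vlan: int            # VLAN of the VM's port group


# Assumed policy: each classification lives on its own VLAN.
CLASSIFICATION_VLAN: Dict[str, int] = {"restricted": 110, "internal": 120}

# Constructed: VLAN carrying each host's vMotion vmkernel port.
VMOTION_VLAN: Dict[str, int] = {"esx-01": 900, "esx-02": 900, "esx-03": 120}

# Constructed inventory with deliberate violations for the example.
INVENTORY: Sequence[VM] = (
    VM("fin-db-01", "restricted", "esx-01", "lun-restricted-01", 110),
    VM("fin-app-01", "restricted", "esx-01", "lun-restricted-01", 110),
    VM("dev-web-01", "internal", "esx-02", "lun-internal-01", 120),
    VM("dev-web-02", "internal", "esx-01", "lun-restricted-01", 120),  # wrong host and LUN
    VM("hr-portal", "restricted", "esx-03", "lun-restricted-02", 120),  # wrong VLAN
)

Finding = Tuple[str, str, str]  # (scope, object, detail)


def audit_placement(vms: Sequence[VM], vlan_policy: Dict[str, int]) -> List[Finding]:
    """Flag VMs on the wrong VLAN, and hosts or datastores mixing classifications."""
    findings: List[Finding] = []
    classes_by_host: Dict[str, set] = defaultdict(set)
    classes_by_datastore: Dict[str, set] = defaultdict(set)

    for vm in vms:
        classes_by_host[vm.host].add(vm.classification)
        classes_by_datastore[vm.datastore].add(vm.classification)
        expected = vlan_policy.get(vm.classification)
        if expected is None:
            findings.append(("vlan", vm.name, f"unknown classification {vm.classification!r}"))
        elif vm.vlan != expected:
            findings.append(("vlan", vm.name,
                             f"on VLAN {vm.vlan}, policy requires {expected} for {vm.classification}"))

    # Shared hardware: different classifications should not share a hypervisor.
    for host, classes in classes_by_host.items():
        if len(classes) > 1:
            findings.append(("host", host, f"co-hosts {sorted(classes)}"))

    # Shared storage: one LUN / datastore per sensitivity level.
    for ds, classes in classes_by_datastore.items():
        if len(classes) > 1:
            findings.append(("datastore", ds, f"shared by {sorted(classes)}"))
    return findings


def audit_vmotion(vms: Sequence[VM], vmotion_vlans: Dict[str, int]) -> List[Finding]:
    """Flag hosts whose vMotion VLAN is also used as a VM network.

    vMotion moves memory contents in plaintext, so that VLAN must carry no
    tenant or VM traffic at all.
    """
    vm_vlans = {vm.vlan for vm in vms}
    return [("vmotion", host, f"vMotion VLAN {vlan} is also a VM network VLAN")
            for host, vlan in vmotion_vlans.items() if vlan in vm_vlans]


if __name__ == "__main__":
    for scope, obj, detail in audit_placement(INVENTORY, CLASSIFICATION_VLAN) + audit_vmotion(INVENTORY, VMOTION_VLAN):
        print(f"[{scope}] {obj}: {detail}")
```

On the sample inventory the audit reports four findings: hr-portal sits on the internal VLAN despite being restricted, esx-01 and lun-restricted-01 each carry both classifications because of dev-web-02, and esx-03's vMotion vmkernel port shares VLAN 120 with VM traffic. The checks are deliberately simple set comparisons so they can be wired into a scheduled job against a live inventory export.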
Conclusion

When it comes to securing virtual environments or IaaS private clouds, the controls in these three areas are just the tip of the iceberg. For more information, VMware publishes a series of in-depth hardening guides for evaluating specific controls, and OpenStack provides a security guide on its website. By following some basic practices, businesses can build their own in-house IaaS cloud and ensure that it meets their own standards and all other necessary industry requirements.