
Monday, August 27, 2012

Security Best Practices in the Cloud

Cloud Provider Best Practices

The primary theme of the service provider's responsibility is providing a secure and isolated environment for each customer.

Examples:

1. Each customer should be able to access only his or her own environment, and no other customer's environment in any way.

2. No customer should have any visibility into the structure, systems, data or any other attributes of another customer's environment.

3. Isolate networks: provide isolation between all of the different networks that make up the virtualization infrastructure.

These networks include management networks, VMware VMotion or Live Migration networks, IP storage networks, and individual customer networks.

All of these networks should be segmented from each other, at minimum by separate VLANs and preferably by separate physical uplinks for the management and storage networks.

4. Secure customer access to cloud-based resources

Customers need a way to access the resources located within the cloud and to manage those resources securely.

5. Secure, consistent backups and restoration of cloud-based resources

6. Strong authentication, authorization and auditing mechanisms

It is very important in this type of shared environment to authenticate system users and administrators properly and securely, and to give them access only to the resources they need to do their jobs or that they own within the system. It is also very important in a cloud environment to know who did what within the system, when they did it, and exactly what they changed.

7. Separation of duties and least privilege apply to both the cloud provider and the customer.

8. A library of secure and up-to-date templates of base OS and applications

9. Resource management to prevent denial of service (DoS) attacks

10. Follow standard best practices for securing operating systems

11. Encrypt critical data

Cloud Security reference architecture

1) Security profile per compute profile

2) Security DMZ per vApp

3) OS Management

4) Resource Management

5) Security profile per network

6) Data Security

7) Security Authentication, Authorization, and Auditing

8) Identity Management

1) Security profile per compute profile

Administrators should communicate the enterprise's corporate security policy and the server tier firewall rules defined within a vApp to the service provider. This should include corporate server security patch levels, anti-virus status and file-level access restrictions. The VMware vCloud reference architecture provides a method to communicate the policies and server tier firewall rules for the vApp.

2) Security DMZ for vApp

The service provider needs to validate the patch level and security level prior to bringing a vApp into the production environment. The VMware vCloud reference architecture should include a DMZ area for validating the vApp and mitigating any security violations according to each enterprise's security profile.

3) OS management

It is important to understand the security hardening performed on the service provider's library of OSs and its patching policies. Administrators should update the traditional security policies that govern the service provider's hosting environment to ensure that virtual machines are hardened and patched within the standard enterprise policies. Virtual machines that are not at the correct patch level should be brought up to it before promotion, for example by holding them in the DMZ until they pass.
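The three steps above (communicate a per-vApp security profile, validate the vApp in a DMZ, remediate what fails) as one added example written by the editor; it is not part of the original post and not VMware vCloud code. The `FirewallRule`, `SecurityProfile` and `VMState` classes, the YYYYMM patch-level baseline, the sample "acme-shop" vApp and the rule that only the web tier may be exposed to "any" are all constructed or assumed for illustration.

```python
"""vApp security profile and DMZ admission check (added example, not
vCloud code).  Field names, patch-level units and sample data are
constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FirewallRule:
    src_tier: str       # a tier name, or "any" for traffic from outside the vApp
    dst_tier: str
    port: int
    proto: str = "tcp"


@dataclass
class SecurityProfile:
    """What the enterprise hands the provider for one vApp."""
    name: str
    min_patch_level: Dict[str, int]   # OS family -> minimum baseline, YYYYMM (constructed units)
    require_av_current: bool
    rules: List[FirewallRule]
    default_deny: bool = True         # anything not matched by a rule is dropped

    def allows(self, src_tier: str, dst_tier: str, port: int, proto: str = "tcp") -> bool:
        """Does the tier firewall permit this flow?  Unmatched traffic falls
        through to the default policy."""
        for r in self.rules:
            if (r.dst_tier == dst_tier and r.port == port and r.proto == proto
                    and r.src_tier in ("any", src_tier)):
                return True
        return not self.default_deny


@dataclass
class VMState:
    """What the provider observes about a VM while it sits in the DMZ."""
    name: str
    tier: str
    os_family: str
    patch_level: int
    av_current: bool


def dmz_admission_check(profile: SecurityProfile, vms: List[VMState]) -> Tuple[bool, List[str]]:
    """Validate a vApp against its profile before promotion to production.
    Returns (admitted, findings); any finding blocks promotion and names
    the VM or rule that must be remediated in the DMZ."""
    findings: List[str] = []
    if not profile.default_deny:
        findings.append(f"{profile.name}: tier firewall is default-allow")
    for r in profile.rules:
        # Assumed three-tier policy: only the web tier may be exposed to "any".
        if r.src_tier == "any" and r.dst_tier != "web":
            findings.append(f"{profile.name}: rule exposes tier {r.dst_tier!r} port {r.port} to any")
    for vm in vms:
        baseline = profile.min_patch_level.get(vm.os_family)
        if baseline is None:
            findings.append(f"{vm.name}: no patch baseline defined for {vm.os_family}")
        elif vm.patch_level < baseline:
            findings.append(f"{vm.name}: patch level {vm.patch_level} below baseline {baseline}")
        if profile.require_av_current and not vm.av_current:
            findings.append(f"{vm.name}: anti-virus signatures not current")
    return (not findings), findings


# Constructed sample: a three-tier vApp with one VM per tier.
ACME_PROFILE = SecurityProfile(
    name="acme-shop",
    min_patch_level={"linux": 201208, "windows": 201208},
    require_av_current=True,
    rules=[
        FirewallRule("any", "web", 443),
        FirewallRule("web", "app", 8080),
        FirewallRule("app", "db", 3306),
    ],
)

ACME_VMS = [
    VMState("web1", "web", "linux", 201208, av_current=True),
    VMState("app1", "app", "linux", 201206, av_current=True),    # behind on patches
    VMState("db1", "db", "windows", 201208, av_current=False),   # AV out of date
]


def example() -> Tuple[bool, List[str]]:
    return dmz_admission_check(ACME_PROFILE, ACME_VMS)


if __name__ == "__main__":
    admitted, findings = example()
    print("admitted" if admitted else "blocked")
    for f in findings:
        print(" -", f)
```

The `allows` method is the part the provider would actually enforce on its tier firewall; the admission check is what stops a vApp at the DMZ. In the sample, `app1` and `db1` each produce a finding, so the whole vApp stays out of production until both are fixed.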

4) Resource management

The service provider needs to separate and isolate the resources each customer's virtual machines use from those of other customers' virtual machines, so that one virtual machine cannot exhaust shared capacity and cause a denial of service (DoS) for its neighbours. These exhaustion events are usually not deliberate attacks at all: they are caused by log files with no size limit filling a datastore, or by CPU or memory consumption climbing on a single virtual machine because of memory leaks or misbehaving applications. Reservations guarantee a virtual machine its minimum, limits cap what it can take, and shares decide how contended capacity is split.
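How reservations, limits and shares keep one runaway virtual machine from starving its neighbours, as an added example by the editor (not VMware's scheduler code). It implements the resource model the section describes in a simplified water-filling form: every VM first receives its reservation, the remainder is divided among VMs that still want more in proportion to their shares, and no VM ever exceeds its limit or its demand. The VM names, the 4000 MHz pool and the `allocate` function are constructed; admission control (refusing to power on a VM whose reservation cannot be guaranteed) is modelled as a `ValueError`.

```python
"""Reservation / limit / shares allocation (added example, simplified
model of a hypervisor CPU or memory scheduler; not VMware code)."""
from dataclasses import dataclass
from typing import Dict, List

EPS = 1e-9


@dataclass(frozen=True)
class VM:
    name: str
    reservation: float   # guaranteed whenever the VM demands it
    limit: float         # hard cap, regardless of spare capacity
    shares: int          # relative weight when contending for the remainder
    demand: float        # what the VM is currently trying to consume

    @property
    def cap(self) -> float:
        """The most this VM can be given right now."""
        return min(self.demand, self.limit)


def allocate(capacity: float, vms: List[VM]) -> Dict[str, float]:
    """Distribute `capacity` (e.g. MHz or MB) across `vms`.

    1. Admission control: reservations must fit, or the pool is oversubscribed.
    2. Every VM gets min(demand, reservation) up front.
    3. Spare capacity is handed out in proportion to shares among VMs that
       still want more, repeating until the capacity is gone or every VM is
       at its demand or limit (water-filling).
    """
    if sum(vm.reservation for vm in vms) > capacity + EPS:
        raise ValueError("reservations exceed capacity: admission control should refuse the power-on")

    alloc = {vm.name: min(vm.demand, vm.reservation) for vm in vms}
    remaining = capacity - sum(alloc.values())
    active = [vm for vm in vms if alloc[vm.name] < vm.cap - EPS]

    while remaining > EPS and active:
        total_shares = sum(vm.shares for vm in active)
        handed_out = 0.0
        still_active = []
        for vm in active:
            want = vm.cap - alloc[vm.name]
            give = min(want, remaining * vm.shares / total_shares)
            alloc[vm.name] += give
            handed_out += give
            if alloc[vm.name] < vm.cap - EPS:
                still_active.append(vm)
        remaining -= handed_out
        active = still_active

    return {name: round(value, 3) for name, value in alloc.items()}


# Constructed scenario: a 4000 MHz pool shared by three tenants.  tenant-a's
# web VM has a leaking application and demands everything it can get.
def runaway_vm(limit_for_a: float) -> VM:
    return VM("tenant-a-web", reservation=500, limit=limit_for_a, shares=1000, demand=4000)


NEIGHBOURS = [
    VM("tenant-b-db", reservation=1000, limit=4000, shares=2000, demand=1500),
    VM("tenant-c-app", reservation=0, limit=4000, shares=1000, demand=2000),
]


def with_limit() -> Dict[str, float]:
    """Provider caps tenant-a at its purchased 1000 MHz."""
    return allocate(4000, [runaway_vm(1000)] + NEIGHBOURS)


def without_limit() -> Dict[str, float]:
    """Same pool, but tenant-a has no limit configured."""
    return allocate(4000, [runaway_vm(4000)] + NEIGHBOURS)


if __name__ == "__main__":
    print("with limit   ", with_limit())
    print("without limit", without_limit())
```

With the limit in place the leaking VM is held at 1000 MHz and tenant-c gets the 1500 MHz it would otherwise lose; without it the leak takes 1500 MHz and tenant-c, which has no reservation, is squeezed to 1000 MHz. tenant-b is unaffected in both runs because its reservation and larger share weight cover its whole demand, which is exactly the isolation the section asks the provider for.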

5) Security profile per network

In addition to the vApp having a compute security profile, there should also be a network security profile to ensure perimeter and Web access security. This includes functionality like switch and router Access Control Lists (ACLs), perimeter firewall rules, or Web application security (application firewall, URL filtering, whitelists and blacklists). The VMware vCloud reference architecture provides a method to communicate the network security profile.

A critical component of the reference architecture is the isolation of networks; enterprises need to ensure that service providers implement separate management networks and data networks per customer. In other words, there needs to be complete isolation between each customer's virtual machines and the data traffic connecting to them. In addition, service providers should have a separate network for VMware VMotion and VMware VMsafe™. Enterprises should request that service providers encrypt all management traffic, including VMware VMotion events. Where the platform cannot encrypt migration traffic itself (VMotion at the time of writing sends the guest's memory in the clear), the VMotion network must be unreachable from any customer network, since anyone who can sniff it can read the migrating virtual machine's memory.

Many enterprises will require encryption of data packets via TLS (still widely called SSL) or IPsec, and of management connectivity via TLS or SSH. Some service providers offer only shared or open connectivity. At a minimum, all management connectivity should be over TLS.

6) Data security

Enterprises should request that service providers provide access paths only to the physical servers that must have access to maintain the desired functionality. Service providers should accomplish this through SAN zoning (with N-Port ID Virtualization (NPIV) giving each virtual machine its own virtual WWPN, so that zones can be defined per virtual machine rather than per physical host), LUN masking on the storage array, and access lists and permission configurations. Zoning and masking are independent controls and a LUN is reachable only when both permit the path, so each backstops the other; both should be audited, not just one.
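An access-path audit of the kind the paragraph asks for, as an added example by the editor (not code from the post or from any array or switch vendor). It models a fabric as zones of WWPNs plus per-LUN masking views, gives each VM an NPIV virtual port, and reports LUNs reachable by a VM of the wrong tenant, LUNs the owning tenant cannot reach at all, and zones holding more than one initiator. The WWPNs, LUN numbers, tenants and the `Fabric`/`VirtualMachine` classes are constructed for illustration.

```python
"""Storage access-path audit: zoning + NPIV + LUN masking (added example,
not vendor code; WWPNs, LUN ids and tenants are constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

LunId = Tuple[str, int]   # (target array WWPN, LUN number)


@dataclass(frozen=True)
class VirtualMachine:
    name: str
    tenant: str
    vwwpn: str   # NPIV virtual N_Port assigned to this VM, not the host HBA's WWPN


@dataclass
class Fabric:
    # zone name -> WWPNs that may see each other (single-initiator zoning
    # means each zone should hold one initiator plus its targets)
    zones: Dict[str, Set[str]]
    # LUN -> initiator WWPNs permitted by the array's masking view
    lun_masks: Dict[LunId, Set[str]]


def zoned_together(fabric: Fabric, a: str, b: str) -> bool:
    return any(a in members and b in members for members in fabric.zones.values())


def can_reach(fabric: Fabric, vm: VirtualMachine, lun: LunId) -> bool:
    """A VM reaches a LUN only if BOTH the fabric zoning lets its virtual
    port see the target AND the array masks the LUN to that port."""
    target, _ = lun
    return zoned_together(fabric, vm.vwwpn, target) and vm.vwwpn in fabric.lun_masks.get(lun, set())


def audit_access_paths(fabric: Fabric, vms: List[VirtualMachine],
                       lun_owner: Dict[LunId, str]) -> List[str]:
    """Report cross-tenant paths, LUNs the owning tenant cannot reach,
    and zones that contain more than one initiator."""
    findings: List[str] = []
    initiators = {vm.vwwpn: vm for vm in vms}
    for zone, members in fabric.zones.items():
        inits = [w for w in members if w in initiators]
        if len(inits) > 1:
            findings.append(f"zone {zone}: {len(inits)} initiators share one zone")
    for lun, owner in lun_owner.items():
        reachers = [vm for vm in vms if can_reach(fabric, vm, lun)]
        for vm in reachers:
            if vm.tenant != owner:
                findings.append(f"{vm.name} ({vm.tenant}) can reach {lun[0]} LUN {lun[1]} owned by {owner}")
        if not any(vm.tenant == owner for vm in reachers):
            findings.append(f"no VM of {owner} can reach {lun[0]} LUN {lun[1]}")
    return findings


# Constructed sample fabric: one array, two tenants, one VM each.
ARRAY = "50:06:01:60:aa:bb:cc:01"
VM_A = VirtualMachine("acme-db", "acme", "c0:01:00:00:00:00:00:01")
VM_B = VirtualMachine("globex-db", "globex", "c0:01:00:00:00:00:00:02")

FABRIC = Fabric(
    zones={
        "z_acme": {VM_A.vwwpn, ARRAY},
        "z_globex": {VM_B.vwwpn, ARRAY},
    },
    lun_masks={
        (ARRAY, 0): {VM_A.vwwpn},                # acme data
        (ARRAY, 1): {VM_B.vwwpn},                # globex data
        (ARRAY, 2): {VM_A.vwwpn, VM_B.vwwpn},    # misconfigured: masked to both tenants
        (ARRAY, 3): set(),                       # masked to nobody, owner locked out
    },
)
OWNERS = {(ARRAY, 0): "acme", (ARRAY, 1): "globex", (ARRAY, 2): "acme", (ARRAY, 3): "globex"}


def example() -> List[str]:
    return audit_access_paths(FABRIC, [VM_A, VM_B], OWNERS)


if __name__ == "__main__":
    for f in example():
        print("FINDING:", f)
```

Because `can_reach` requires both controls to agree, removing every zone from the sample fabric makes every LUN unreachable even though the masking views are unchanged, which is the backstop behaviour the paragraph relies on; the two findings in the sample come from a masking view that names both tenants and one that names nobody.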

7) Security authentication, authorization and auditing

Cloud service provider environments require tight integration with enterprise policies around individual and group access: authentication, authorization and auditing (AAA). This involves integrating corporate directories and group policies with the service provider's policies. Service providers should offer stronger authentication methods to enterprises, such as two-factor authentication with hardware or software tokens, or client certificates. The enterprise should require a user access report, covering administrative access as well as authentication failures, through the service provider portal or via a method that pulls this data back to the enterprise. The VMware vCloud reference architecture provides a method to communicate the access controls and authentication needs to the service provider.
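The user access report described above, built from provider audit logs, as an added example by the editor (not the post's or VMware's code). The log format, the field names (`user`, `role`, `action`, `result`, `mfa`, `src`), the sample lines and the failure threshold are all constructed for illustration; a real portal would emit its own format, but the shape of the report (successes, failures, administrative actions, and whether those were done with two-factor authentication) is what the enterprise should ask for.

```python
"""Per-user access report from constructed provider audit logs (added
example; the log format and field names are assumed, not a real product's)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample: timestamp, host, then key=value pairs.  The last line
# is deliberately malformed to show that unparseable input is counted, not ignored.
SAMPLE_AUDIT_LOG = """\
2012-08-27T08:58:11Z vcloud-portal user=alice tenant=acme action=login result=success src=203.0.113.10 mfa=token
2012-08-27T09:02:40Z vcloud-portal user=alice tenant=acme role=admin action=vm.poweroff target=web1 mfa=token
2012-08-27T09:10:01Z vcloud-portal user=bob tenant=acme action=login result=failure reason=bad_password src=198.51.100.7
2012-08-27T09:10:09Z vcloud-portal user=bob tenant=acme action=login result=failure reason=bad_password src=198.51.100.7
2012-08-27T09:10:15Z vcloud-portal user=bob tenant=acme action=login result=failure reason=bad_password src=198.51.100.7
2012-08-27T09:10:31Z vcloud-portal user=bob tenant=acme action=login result=success src=198.51.100.7 mfa=none
2012-08-27T09:30:00Z vcloud-portal user=mallory tenant=acme role=admin action=vapp.export target="acme shop" mfa=none
this line is not in key=value form and is skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # quoted values may contain spaces


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the record as a dict, or None if the line carries no user field."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host")}
    for key, value in KV_RE.findall(m.group("kv")):
        rec[key] = value.strip('"')
    return rec if "user" in rec else None


def access_report(lines: List[str], failure_threshold: int = 3) -> Tuple[Dict[str, dict], List[str], int]:
    """Build (per-user stats, alerts, skipped-line count).

    Alerts fire on repeated authentication failures and on administrative
    actions performed without a second factor (mfa=none)."""
    stats = defaultdict(lambda: {"logins": 0, "failures": 0, "admin_actions": 0,
                                 "admin_without_mfa": 0, "sources": set()})
    alerts: List[str] = []
    skipped = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        s = stats[rec["user"]]
        if "src" in rec:
            s["sources"].add(rec["src"])
        if rec.get("action") == "login":
            if rec.get("result") == "success":
                s["logins"] += 1
            else:
                s["failures"] += 1
        elif rec.get("role") == "admin":
            s["admin_actions"] += 1
            if rec.get("mfa", "none") == "none":
                s["admin_without_mfa"] += 1
    for user, s in sorted(stats.items()):
        if s["failures"] >= failure_threshold:
            alerts.append(f"{user}: {s['failures']} failed logins (possible password guessing)")
        if s["admin_without_mfa"]:
            alerts.append(f"{user}: {s['admin_without_mfa']} administrative action(s) without two-factor authentication")
    return {u: dict(s) for u, s in stats.items()}, alerts, skipped


def example() -> Tuple[Dict[str, dict], List[str], int]:
    return access_report(SAMPLE_AUDIT_LOG.splitlines())


if __name__ == "__main__":
    report, alerts, skipped = example()
    for user, s in report.items():
        print(f"{user:8} logins={s['logins']} failures={s['failures']} admin={s['admin_actions']} "
              f"admin_without_mfa={s['admin_without_mfa']} sources={sorted(s['sources'])}")
    for a in alerts:
        print("ALERT:", a)
    print(f"{skipped} line(s) could not be parsed")
```

The skipped-line count matters as much as the alerts: an enterprise pulling this data back should treat unparseable or missing audit records as a gap in coverage, not as silence.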

8) Identity management (SSO, entitlements)

Cloud environments require control over user access. Cloud providers must define a virtual machine identity that ties each virtual machine to an asset identity within the provider's infrastructure. Based on this identity, service providers are able to assign user, role and privilege access within the extended infrastructure to provide role-based access controls.

Enterprises also want to prevent unauthorized cloning of a virtual machine, or copying of its data, to a USB device or CD. Service providers can prevent cloning and copying of virtual machines using a combination of virtual machine identity and server configuration management policies.