Cloud Provider Best Practices
The primary theme of the service provider’s responsibility is around providing a secure and isolated environment for each customer.
Ex.
1. Each customer should only be able to access his or her own environment and no other customer’s environment in any way.
2. No customer should have any visibility into the structure, systems, data or any other attributes of another customer’s environment.
3. Isolate networks: is to provide a level of isolation between all of the different networks that are a part of the virtualization infrastructure.
These networks include management networks, VMware VMotion or Live Migration networks, IP storage networks, and individual customer networks.
All of these networks should be segment- ed from each other
4. Secure customer access to cloud-based resources
Customers will need to have a way to access their resources that are located within the cloud and be able to manage those resources in a secure manner.
5. Secure, consistent backups and restoration of cloud-based resources
6. Strong authentication, authorization and auditing mechanisms
It is very important in this type of shared environment to properly and securely authenticate system users and admin- iterators, and provide them with access to only the resources they need to do their jobs or the resources that they own within the system. It is also very important in a cloud environment to know who is doing what within the system, when they did it, and what exactly they did.
7. Separating duties and enforcing least privilege applies for both the cloud provider and the customer.
8. A library of secure and up-to-date templates of base OS and applications
9. Resource management to prevent denial of service (DoS) attacks
10. Follow standard best practices for securing operating systems
11. Encrypt critical data
Cloud Security reference architecture
1) Security profile per compute profile
2) Security DMZ per vApp
3) OS Management
4) Resource Management
5) Security profile per network
6) Data Security
7) Security Authentication, Authorization, and Auditing
8) Identity Management
1) Security profile per compute profile
Administrators should communicate enterprise corporate security policy and server tier firewall rules that are defined within a vApp to the service provider. This should include corporate server security patch levels, anti-virus status and
file-level access restrictions. The VMware vCloud reference architecture provides a method to communicate the policies and server tier firewall rules for the vApp.
2) Security DMZ for vApp
The service provider needs to validate the patch level and security level prior to bringing a vApp into the production environment. The VMware vCloud reference architecture should include a DMZ area for validating the vApp and miti- gating any security violations according to each enterprise’s security profile.
3) OS management
It is important to understand the security hardening performed around the service provider’s library of OSs and patching policies. Administrators should update traditional security policies that govern the service provider’s hosting environment to ensure that virtual machines are hardened and patched within the standard enterprise policies. Administrators should update virtual machines that are not at the correct patch level to the correct patch level through a DMZ, for example.
4) Resource management
The service provider needs to separate and isolate the resources each customer virtual machine uses from other cus- tomers’ virtual machine resources to prevent DDoS attacks. These attacks are usually caused by log files not having limits or CPU or memory utilization increasing on a single virtual machine through memory leaks or poorly behaving applica- tions.
5) Security profile per network
In addition to the vApp having a compute security profile, there should also be a network security profile to ensure perimeter and Web access security. This includes functionality like switch and router Access Control Lists (ACLs), perim- eter firewall rules, or Web application security (Application Firewall, URL Filtering, whitelist and blacklists). The VMware vCloud reference architecture provides a method to communicate the network security profile.
A critical component of the reference architecture is the isolation of networks; enterprises need to ensure that service providers implement separate management networks and data networks per customer. In other words, there needs to be complete isolation between each customer’s virtual machine and the data traffic connecting to their virtual machines. In addition, service providers should have a separate network for VMware VMotion and VMware VMsafe™. Enterprises should request that service providers encrypt all management traffic, including VMware VMotion events.
Many enterprises will require encryption of data packets via SSL/IPSec, or management connectivity via SSL or SSH. Some service providers offer only shared or open connectivity. At a minimum, all management connectivity should be provided via SSL.
6) Data security
Enterprises should request service providers provide access paths to only the physical servers that must have access to maintain the desired functionality. Service providers should accomplish this through the use of zoning via SAN N-Port ID virtualization (NPIV ), LUN masking, access lists and permission configurations.
7) Security authentication, authorization and auditing
Cloud service provider environments require tight integration with enterprise policies around individual and group access, authentication and auditing (AAA). This involves integrating corporate directories and group policies with the service provider’s policies.. Service providers should offer stronger authentication methods to enterprises, such as
2-factor hard or soft tokens or certificates. The enterprise should require a user access report, including administrative access as well as authentication failures, through the service provider portal or via a method that pulls this data back to the enterprise. The VMware vCloud reference architecture provides a method to communicate the access controls and authentication needs to the service provider.
8) Identity management (SSO, entitlements)
Cloud environments require control over user access. Cloud providers must define a virtual machine identity that ties each virtual machine to an asset identity within the provider’s infrastructure. Based on this identity, service providers are able to assign user, role and privilege access within the extended infrastructure to provide role-based access controls.
Enterprises also want to prevent unauthorized data cloning or copying from a virtual machine to a USB device or CD. Service providers can prevent cloning and copying of virtual machines using a combination of virtual machine identity and server configuration management policies.
