...building hybrid clouds that can support any device from anywhere
As companies start planning their transition to a private cloud model, one of the most common concerns relates to Private Cloud Security. According to a survey done by Intel in 2012, the greatest security concerns in the Private Cloud space for IT Pros was access control. Among others were issues such as proper firewalling and prevent VMs from disrupting each other (sometimes referred to as the “noisy neighbor” phenomenon). This does match with the core security concerns in a private cloud security space that were addressed in a paper that was also released last year, called A Solution for Private Cloud Security, which was also subject of a session that we delivered at TechEd North America 2012.
Now that most of the concerns were raised, the question that remains is: how can I leverage Windows Server 2012 Infrastructure capabilities to enhance security in a private cloud environment? There are many features in Windows Server 2012 that can be leveraged to address those core concerns and this article aims to give a brief explanation of those capabilities by breaking up the private cloud security story into four major sections:
Three of these four topics are listed in the Infrastructure piece of the Private Cloud Reference Model. We are adding resiliency as part of the infrastructure for the purpose of this discussion, since resiliency is related to the “A” in the CIA security model. The first part of this article will address Compute and Storage.
To bring the theoretical concerns to reality it is important to define some potential practical scenarios that could occur. The table below describes some concerns from the tenant perspective:
While these are all valid concerns, that are ways to mitigate those security concerns by leveraging some native features in Windows Server 2012. The table below maps these security concerns to a feature and the rationale behind this mitigation:
With Secure Boot in place there will be a validation of the operating system before it loads. With this process in place the likelihood that this security concern will really happen is dramatically reduced.
Network Unlock for Bitlocker
By using this feature if the server is taken outside the trusted location (off premise), the machine will require a PIN in order to boot.
Storage is another very big topic around private cloud security concern, mainly because there is where the data is located. Here are some of the tenant’s concerns for storage:
These two core concerns can be address as per description on the table below:
Bitlocker Drive Encryption
This feature enables IT administrator to encrypt local disk storage (DAS), encrypt traditional failover cluster disks and Cluster Shared Volumes 2.0. These capabilities will help mitigate those two core concerns.
This first part of this three part series (yes three, because the third part will be a collection of demos on each one of those features) addressed the core security concerns in a private cloud security environment, the features that can assist the protection of compute resources and storage resources. In the next part we will address networking and resiliency.