As companies start planning their transition to a private cloud model, one of the most common concerns relates to Private Cloud Security. According to a survey done by Intel in 2012, the greatest security concerns in the Private Cloud space for IT Pros was access control. Among others were issues such as proper firewalling and prevent VMs from disrupting each other (sometimes referred to as the “noisy neighbor” phenomenon). This does match with the core security concerns in a private cloud security space that were addressed in a paper that was also released last year, called A Solution for Private Cloud Security, which was also subject of a session that we delivered at TechEd North America 2012.

Now that most of the concerns were raised, the question that remains is: how can I leverage Windows Server 2012 Infrastructure capabilities to enhance security in a private cloud environment? There are many features in Windows Server 2012 that can be leveraged to address those core concerns and this article aims to give a brief explanation of those capabilities by breaking up the private cloud security story into four major sections:

  • Compute
  • Storage
  • Networking
  • Resiliency

Three of these four topics are listed in the Infrastructure piece of the Private Cloud Reference Model. We are adding resiliency as part of the infrastructure for the purpose of this discussion, since resiliency is related to the “A” in the CIA security model. The first part of this article will address Compute and Storage.

Compute

To bring the theoretical concerns to reality it is important to define some potential practical scenarios that could occur. The table below describes some concerns from the tenant perspective:

What if…

clip_image002

  • The cloud operator restarts the compute resource that I’m using and injects malware into the boot process?
  • A failure in provisioning leads to another operating system to load, causing downtime to my workload?
  • What if there is a physical security breach and someone steals the server?

While these are all valid concerns, that are ways to mitigate those security concerns by leveraging some native features in Windows Server 2012. The table below maps these security concerns to a feature and the rationale behind this mitigation:

Security Concern

Feature

Rationale

  • The Cloud Operator restarts the compute resource that I’m using and load a malware upon the boot process?
  • A failure in provisioning leads to another operating system to load, causing downtime to my workload?

Secure Boot

With Secure Boot in place there will be a validation of the operating system before it loads. With this process in place the likelihood that this security concern will really happen is dramatically reduced.

  • What if there is a physical security breach and someone steals the server?

Network Unlock for Bitlocker

By using this feature if the server is taken outside the trusted location (off premise), the machine will require a PIN in order to boot.

Storage

Storage is another very big topic around private cloud security concern, mainly because there is where the data is located. Here are some of the tenant’s concerns for storage:

What if…

clip_image002[1]

  • Other tenants can access my data?
  • Data leakage occurs while data is at rest?

These two core concerns can be address as per description on the table below:

Security Concern

Feature

Rationale

  • Other tenants can access my data?
  • Data leakage occurs while data is at rest?

Bitlocker Drive Encryption

This feature enables IT administrator to encrypt local disk storage (DAS), encrypt traditional failover cluster disks and Cluster Shared Volumes 2.0. These capabilities will help mitigate those two core concerns.

Conclusion

This first part of this three part series (yes three, because the third part will be a collection of demos on each one of those features) addressed the core security concerns in a private cloud security environment, the features that can assist the protection of compute resources and storage resources. In the next part we will address networking and resiliency.