In my previous post I covered two major sections of private cloud security: Compute and Storage. This post will focus on the next two sections: Networking and Resiliency.
Most transactions happen over network connectivity, which makes networking potentially the largest section to protect, since most attacks will take place in this area. We always emphasize that defense in depth should be applied at every layer, and sometimes, because of other restrictions, that is not feasible. However, if you have to choose one area where defense in depth should be fully applied, the networking section should be at the top of the list.
As a tenant of the private cloud you must be concerned about the possibility that your data will be compromised over the network. The scenarios are described below:
These are some core concerns around the networking component of a private cloud, and as you can see, two out of three concerns are related to privacy. This reflects the primary drivers of risk for an enterprise, which are:
(Source: Business drivers and strategy for a private cloud)
To address these concerns you can leverage the following features in Windows Server 2012:
Concern: Can other tenants access my data?
Feature: Isolation using Port ACLs
Allows you to create rules that apply to a Hyper-V virtual switch port. Each rule specifies whether a packet is allowed or denied on the way into or out of the VM.

Concern: Can data leakage occur while data is in transit?
Feature: Isolation and Encryption
Besides isolation between tenants, you might want to leverage SMB Encryption for workloads that don't need full encryption using IPsec. SMB Encryption is end-to-end encryption of SMB data in flight that protects it from eavesdropping attacks.

Concern: Can rogue servers/traffic disrupt my workload?
Feature: Protection against rogue DHCP servers
Protects against a malicious VM representing itself as a Dynamic Host Configuration Protocol (DHCP) server for man-in-the-middle attacks.
Feature: MAC Address Spoofing
Some rogue applications could try to spoof their MAC address in order to start an attack; with this feature you can mitigate that. If the application spoofs the MAC address, the VM won't be able to communicate with other VMs, because the Hyper-V Virtual Switch will block the traffic at the port.
Note: for more information about SMB Encryption, watch Episode 20 of From End to Edge and Beyond, where Tom Shinder and I interviewed Jose Barreto (Principal PM from the Microsoft File Server Team). He goes into more detail about this feature.
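The following PowerShell script is an added example, not code from the original post, showing how the four features above are applied to one tenant VM and its file share on a Windows Server 2012 Hyper-V host, and then audited. The VM name "TenantA-Web", the tenant subnet 10.10.1.0/24 and the share name "TenantA-Data" are assumed values; the port ACL and SMB cmdlets are the standard Hyper-V and SmbShare module cmdlets, and the ACL property names used in the audit function are assumed to match the cmdlet output.

```powershell
# Added example (not from the original post). Run elevated on the Hyper-V host.
# Assumed values: VM name, tenant subnet and share name below are placeholders.
$VMName       = 'TenantA-Web'
$TenantSubnet = '10.10.1.0/24'
$ShareName    = 'TenantA-Data'

# Rogue servers/traffic: the virtual switch port drops frames whose source MAC
# does not match the adapter, and the VM cannot answer DHCP requests.
Set-VMNetworkAdapter -VMName $VMName -MacAddressSpoofing Off -DhcpGuard On

# Tenant isolation with port ACLs: allow the tenant's own subnet, deny everything
# else. Hyper-V applies the most specific matching rule, so the Allow wins for
# 10.10.1.0/24 and the 0.0.0.0/0 Deny covers the rest.
Add-VMNetworkAdapterAcl -VMName $VMName -RemoteIPAddress $TenantSubnet -Direction Both -Action Allow
Add-VMNetworkAdapterAcl -VMName $VMName -RemoteIPAddress '0.0.0.0/0' -Direction Both -Action Deny

# Data in transit: require SMB Encryption for this tenant's share only, so
# clients that do not support SMB 3.0 encryption are rejected for this share.
Set-SmbShare -Name $ShareName -EncryptData $true -Force

# Audit: return a list of findings (empty list means the VM and share are compliant).
function Test-TenantHardening {
    param([string]$Name, [string]$Share)
    $findings = @()
    foreach ($nic in Get-VMNetworkAdapter -VMName $Name) {
        if ($nic.MacAddressSpoofing -ne 'Off') { $findings += "$($nic.Name): MAC spoofing allowed" }
        if ($nic.DhcpGuard -ne 'On')         { $findings += "$($nic.Name): DHCP guard disabled" }
    }
    # Assumed property names: Action and Direction on the ACL objects returned below.
    $denyAll = Get-VMNetworkAdapterAcl -VMName $Name |
        Where-Object { $_.Action -eq 'Deny' -and $_.Direction -in 'Both', 'Inbound' }
    if (-not $denyAll) { $findings += 'no default-deny inbound port ACL' }
    if (-not (Get-SmbShare -Name $Share).EncryptData) { $findings += "$Share: SMB encryption off" }
    return $findings
}

$result = Test-TenantHardening -Name $VMName -Share $ShareName
if ($result.Count -eq 0) { 'Compliant' } else { $result }
```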
After all that, what if we have a hardware failure in a private cloud? Clearly we can say that resiliency is part of the "A" in the CIA (Confidentiality, Integrity and Availability) triad. If the private cloud is not available it is a done deal, it is over, and therefore availability becomes a fundamental requirement for private cloud security.
There are two approaches for resiliency:
Windows Server 2012 brings a set of capabilities that can enhance overall resiliency. Among all of its features, the following ones can be categorized as resiliency features from a private cloud security perspective:
Now that you have a fundamental understanding of some core security features available in Windows Server 2012 and how to use them in a private cloud environment you should build your own Private Cloud infrastructure with Windows Server 2012. To do that you can use the paper below that was produced by our team (SCD iX Solutions):
Building Your Cloud Infrastructure: Converged Data Center with File Server Storage http://technet.microsoft.com/en-us/library/hh831738.aspx
You can also watch Episode 17 of From End to Edge and Beyond where Tom Shinder and I interviewed Josh Adams (Senior PM at Microsoft) where he demonstrates how to build this environment: http://technet.microsoft.com/en-us/video/from-end-to-edge-and-beyond-episode-17
The second part of this series covered the Networking and Resiliency aspects of a private cloud and how to embed security while planning those two core areas by leveraging the built-in capabilities of Windows Server 2012. The next and final post will demonstrate some of these features and how to use and implement them.
See you next time!
Yuri Diogenes SCD iX Solutions Group
It's such good knowledge, but there is always a loophole when the carriers are considered.
Thanks, I'm glad you liked it!