In my previous post I covered two major sections of private cloud security: Compute and Storage. This post will focus on the next two sections: Networking and Resiliency.
Networking
It is through network connectivity that most transactions happen, which means that this is potentially the larger section to protect since most of the attacks will potentially take place on this area. We always emphasize that defense in depth should be used in all layers and sometimes due to many other restrictions it is not feasible to do it. However, if you have to choose an area where defense in depth should be fully applied, networking section should be on top of the list.
As a tenant of the private cloud you must be concerned about the possibility that your data will compromised over the network. Scenarios are described below:
What if…
|
|
These are some core concerns around networking component of a private cloud and as you can see two out of three concerns are related to privacy. This is a reflection of the primary drivers of risk for an enterprise, which are:
- Governance, risk management and compliance (GRC)
- Security
- Privacy and identity assurance
- Data sovereignty
(Source: Business drivers and strategy for a private cloud)
To address these concerns you can leverage the following features in Windows Server 2012:
Security Concern | Feature | Rationale |
Can other tenants access my data? | Allows you to create rules to apply to a Hyper-V switch port. The rule specifies whether a packet is allowed or denied on the way into or out of the VM. | |
Can data leakage occur while data is in transit?
| Isolation and Encryption | Besides isolation between tenants you might want to leverage SMB Encryption for workloads that don’t need fully encryption using IPSec. SMB Encryption is an end-to-end encryption of SMB data in flight that protects data from eavesdropping attacks. |
Can rogue servers/traffic can disrupt my workload? | Protects against a malicious VM representing itself as a Dynamic Host Configuration Protocol (DHCP) server for man-in-the-middle attacks. | |
Some rogue applications could try to spoof their MAC Address in order to start an attack; with this feature you can mitigate this. If the application spoofs the MAC Address the VM won’t be able to communicate with other VMs since the Hyper-V Virtual Switch will block the access. |
Note: for more information about SMB Encryption, watch Episode 20 of From End to Edge and Beyond, where Tom Shinder and myself interviewed Jose Barreto (Principal PM from Microsoft File Server Team). He goes in more details about this feature.
Resiliency
After all that, what if we have a hardware failure in a private cloud? Clearly we can say that resiliency is part of the “A” in the CIA (Confidentiality, Integrity and Availability) triad. If the private cloud is not available it is a done deal, it is over, and therefore availability becomes a fundamental requirement for private cloud security.
There are two approaches for resiliency:
- Infrastructure Resiliency: VMs not designed to handle failures, H/A at server level, Failover clustering as another layer of protection, high-end servers, redundant power and network gear.
- App-Level Resiliency: VMs designed to handle failures (e.g. Guest Clustering) or downtime acceptable. Lower End Industry Standard Server, single infrastructure
Windows Server 2012 brings a set of capabilities that can enhance the overall resiliency experience. Among all features the following ones can be categorized as resiliency in a private cloud security perspective:
- Incremental Backups: Perform agentless backup operations more quickly and easily while saving network bandwidth & disk space.
- Inbox Replication: Hyper-V Replica enables the replication of VMs from Primary to Secondary site for inbuilt Disaster Recovery.
- Integrated NIC Teaming: Aggregate network adaptors to increase throughput and provide redundancy in case of link failure.
Putting things together
Now that you have a fundamental understanding of some core security features available in Windows Server 2012 and how to use them in a private cloud environment you should build your own Private Cloud infrastructure with Windows Server 2012. To do that you can use the paper below that was produced by our team (SCD iX Solutions):
Building Your Cloud Infrastructure: Converged Data Center with File Server Storage
http://technet.microsoft.com/en-us/library/hh831738.aspx
You can also watch Episode 17 of From End to Edge and Beyond where Tom Shinder and I interviewed Josh Adams (Senior PM at Microsoft) where he demonstrates how to build this environment:
http://technet.microsoft.com/en-us/video/from-end-to-edge-and-beyond-episode-17
Conclusion
The second part of this series covered Networking and Resiliency aspects of a private cloud and how to embed security while planning those two core areas by leveraging Windows Server 2012 built in capabilities. Next and final post will demonstrate some of these features, how to use it and how to implement it.
See you next time!
Yuri Diogenes
SCD iX Solutions Group