Securing the Virtual Infrastructure
Cloud computing tests the limits of security operations and infrastructure from various perspectives. Let us examine what is different about cloud security and identify which threats already exist and which new areas we should be concerned about.
Figure 2 Cloud Security - Existing & New Threats
I think what makes cloud security complex is the number of layers involved in the cloud service stack and the number of components in each layer. So it means:
· Increased infrastructure layers to manage and protect
· Multiple operating systems and applications per server
More Components = More Exposure
As we can see, we already do perimeter protection at the network and operating system layers, as well as physical and personnel security, for the traditional infrastructure. All of these hold good for cloud as well, to combat the existing threats at these layers.
Let us examine the new points of exposure with cloud. Security and resiliency complexities are raised by virtualization and automation, which are essential to cloud. The new risks:
· Cloud Service Management Vulnerabilities
· Secure storage of VMs and the management data
· Managing identities on the increasing number of virtual assets
· Stealth rootkits in hardware now possible
· Virtual NICs & Virtual Hardware are targets
· Virtual sprawl, VM stealing
· Dynamic relocation of VMs
· Elimination of physical boundaries between systems
· Manually tracking software and configurations of VMs
For managing these additional complexities, you need a reference model that is comprehensive and covers security controls that can combat not only the existing challenges but also the new challenges that cloud brings in.
The IBM Foundational Security Controls for the IBM Cloud Reference Model (see below) provide the different elements and controls required to build a secure cloud.
Figure 1 Foundation Security Controls for IBM Cloud Reference Model
Managing datacenter identities (Identity and Access Management) is one of the topmost security concerns, and we discussed how to handle it in my previous post. I'll discuss how to handle the virtualization-related threats in my next post.
Meanwhile, let me know your comments on this reference model. Do you think this set of controls is comprehensive? Do you see any areas not covered from a cloud security perspective? If so, just add it as a comment to this post and let us discuss.