Is it possible to use a cloud framework to better secure your datacenter? Do cloud technologies provide a secure framework for building more than just clouds? We all know that virtualization is a building block to the cloud, but there may be a way to use cloud frameworks to first secure your datacenter before you launch a private, public, or hybrid cloud. In essence, we can use tools like vCloud Director to provide a more secure environment that properly segregates trust zones from one another while allowing specific accesses.
It dawned on me that cloud frameworks come with all sorts of mechanisms to automatically provide IT as a service that includes components of security, whether that is the deployment of network segregation methods or edge firewalls. Since they have security mechanisms built into them, there may be a middle ground for the deployment of cloud frameworks, perhaps simply as automation frameworks that can augment existing virtual environment deployment mechanisms. So what tools exist that can provide ‘ready-made’ security to aid us in protecting our trust zones within our existing datacenter while allowing required access? What are the cloud frameworks and their security benefits?
- OpenStack provides a method to deploy virtual machines and hook those virtual machines up to networks using IP and VLAN assignment mechanisms and other controls when using OpenStack Networking (Quantum). The Dashboard project allows for implementing role-based access controls. Multi-tenancy is achieved via the implementation of security groups. OpenStack, however, lacks one important feature for security: a ready-made firewall construct. However, you can deploy your own virtualized firewall quite easily. But, unless OpenStack Networking is employed, most of the security is within the role-based access controls of the OpenStack Dashboard and the use of hypervisor isolation techniques.
- VMware vCloud Director includes vCloud Network and Security components (edge and introspective firewalls), as well as inherent role-based access controls and improved networking choices. vCloud Director gives you the choice to deploy a tenant within an open environment or in an environment protected by an edge firewall. Even if you choose not to deploy an edge firewall, you can still deploy an introspective firewall. In addition, you get multiple choices for network segregation, ranging from filtered portgroups to VLANs to vXLAN constructs.
Which framework works for you depends entirely on how much effort you need to put into securing your virtual environment as you move to the cloud. By using a secure cloud framework you can build up a secure virtualized datacenter with proper segregation of trust zones before you even consider moving to a cloud. At the same time, by using tools like vCloud Director and OpenStack, you are already poised to go to the cloud. By implementing datacenters using secure cloud frameworks, IT has a chance of implementing security as part of the datacenter from the beginning.
Automation is key to datacenter deployments today; perhaps we can use the higher order cloud frameworks to further our automation of just the datacenter with inherent security. But what inherent security do we need? Here is a short list to prepare a defense in depth using cloud frameworks:
- Edge firewall protection to block gross attacks and unauthorized communication between trust zones (vCloud or third party).
- Introspective or per-VM firewalls to layer fine-grained rules between virtual machines within a trust zone (vCloud).
- Network segregation at the virtual and physical switch layers to ensure traffic does not bypass our firewall mechanisms (vCloud, OpenStack Quantum).
- Endpoint security mechanisms to implement data loss prevention, mandatory access controls (whitelisting, sandboxing), data protection, etc. The list of endpoint security mechanisms is fairly large (Trend Micro, Symantec, Bitdefender and many others, as well as Intigua to manage them and automate updates and installations).
To gain all this security, your cloud framework needs to be mixed with other products, and automation needs to be set up to build security in from the beginning, whether that is deploying a new trust zone or a new virtual machine.
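One piece of that automation is checking, before a rule set is pushed to the edge firewall, that it really segregates the trust zones and only permits the specific cross-zone accesses that were approved. The following is an added example, not code from the original post or from vCloud Director or OpenStack; the zone networks, the approved flows and the rule set are constructed sample data, and the rule format is a hypothetical one used only for the check.

```python
from ipaddress import ip_network

# Constructed sample trust zones: each zone owns a list of networks.
ZONES = {
    "dmz": [ip_network("10.1.0.0/24")],
    "app": [ip_network("10.2.0.0/24")],
    "db": [ip_network("10.3.0.0/24")],
}

# The only cross-zone accesses that were approved: (src_zone, dst_zone, proto, port).
ALLOWED_FLOWS = {("dmz", "app", "tcp", 8443), ("app", "db", "tcp", 5432)}

# Constructed sample edge-firewall rule set, evaluated top to bottom (hypothetical format).
SAMPLE_RULES = [
    {"action": "allow", "src": "10.1.0.0/24", "dst": "10.2.0.0/24", "proto": "tcp", "port": 8443},
    {"action": "allow", "src": "10.2.0.0/24", "dst": "10.3.0.0/24", "proto": "tcp", "port": 5432},
    {"action": "allow", "src": "10.1.0.0/24", "dst": "10.3.0.0/24", "proto": "tcp", "port": 5432},
    {"action": "allow", "src": "0.0.0.0/0", "dst": "10.2.0.0/24", "proto": "tcp", "port": 22},
    {"action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "proto": "any", "port": None},
]


def zone_of(cidr):
    """Return the zone that wholly contains cidr, or None if it is not confined to one zone."""
    net = ip_network(cidr)
    for name, nets in ZONES.items():
        if any(net.subnet_of(owned) for owned in nets):
            return name
    return None


def audit_rules(rules):
    """Return (rule, reason) pairs for every rule that breaks trust-zone segregation.

    An allow rule must be confined to one zone on each end, a cross-zone allow must
    be in ALLOWED_FLOWS, and the set must end with a default deny."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src, dst = zone_of(rule["src"]), zone_of(rule["dst"])
        if src is None or dst is None:
            findings.append((rule, "endpoint is not confined to a single trust zone"))
        elif src != dst and (src, dst, rule["proto"], rule["port"]) not in ALLOWED_FLOWS:
            findings.append((rule, f"unapproved cross-zone flow {src}->{dst}"))
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny" and last["src"] == "0.0.0.0/0" and last["dst"] == "0.0.0.0/0"):
        findings.append((None, "rule set does not end with a default deny"))
    return findings
```

Run against SAMPLE_RULES, the audit flags the DMZ-to-database rule (a flow nobody approved) and the SSH rule whose source spans every zone, while the two approved flows and the closing default deny pass; traffic inside a single zone is left to the introspective firewall.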