Securing a Private Cloud
Currently the whole debate of private cloud vs public cloud is still going on, although it has died down somewhat. Personally, I am on the fence for this one as I believe (like so many others) that a private cloud is the same as a public cloud, just that the reins for control and security are more wholly in your corner. As such, if anything goes wrong your buttocks are most likely to get prodded.
Here are some tips on how to secure a private cloud:
- Don’t take half measures – embedding crytpographically strong checksums into specific security files such as manifests or descriptors that have been pre-checked may be a valid security measure but why stop there? Why not ensure secure retrieval for the entire archive while you’re at it? If you are going to implement something like signatures make sure that it is enabled at every point of entry covering every aspect possible.
- Best practices have not changed – the platform may have changed but the basics remain the same. This includes making sure of access, integrity, authenticity and confidentiality just like before. For example, secure password creation and usage is the basics of any form of networking security yet it is still one of the most commonly exploited factors in any attack from outside sources. This is because people still use “password” or “1234” as their password of choice even when logging into your private cloud.
- Be wary of outside intentions – if you are relying on an outside company to provide security for your private cloud even a simple link to their site may act as a security breach, allowing attackers to discreetly enter and wreak havoc. While I am not advocating that you trust no one, some security companies commonly register non-secure URL HTTP links in their VMfeed modules to appliances and the like which can be used to piggyback into your “secure” private cloud.
- Virtual security for virtual services – thinking that a new security hardware will stop an attack on a virtual system such as your private cloud is one sure way to get your buttocks prodded. What may work for a hardware based network may not work all the time for a virtual system, especially one that constantly changes. As such you should make sure that all your bases are covered, especially the virtual ones, for example, shifting towards a more flexible logic-based security and so forth.
- Make sure everyone is on the level – since everything is still new, there are still no set standards or policies which govern the security for a private cloud. Making sure that everyone related to the security measures in your company are on the same level as yourself is a good way to keep everything tight and secure. You do not want a private cloud vulnerability to open up just because someone else likes to do things differently.
Disclaimer: These tips are not the be and all for every security vulnerability or possibility that may occur in your private cloud, but if you follow them in general, you can expect the likelihood of security breaches in your private cloud to be less.
By Muz Ismial