For the last several months, we have been discussing ways to make sure you are ready for the next step in your IT evolution: Cloud.
When review the different steps of making sure you are ready, one that I have intentionally avoided was Security. I spoke to you about “Security of Business”, but not the actual securing of your cloud. It was a very simple reason why I did this: “No matter the IT environment, you must take precautions.”
So, wanting to make sure we covered several of the other topics first (e.g. Design, Finance, Connectivity…), we move on to straight security. Although, isn’t that kind of an oxymoron statement? Why? Well, because security within an IT environment is multifaceted. It has move sides and needs than just simple authentication and authorization. And within and around a cloud, it is even more so. In the following example, I am going to use an onsite deployment scenario, and we can wade thru the levels one by one.
Lets start with our perimeter security. You have several layers, depending on your cloud management software. So, starting furthest from the center of your cloud, or in this case, we will call it a server Instance OS, we have the perimeter. This is normally a pair of firewalls setup in a fault tolerant or high availability (FT/HA) setup. It isn’t necessarily at the edge of your onsite cloud, in fact, most of the time it isn’t. It is at the edge of the datacenter, protecting all of it.
You have your firewalls at the perimeter, then, the next step down is probably another set of firewalls at the edge of the cloud. These firewalls should also be setup as FT/HA and restrict specific TCP/UDP ports traveling into and out of the cloud environment. But here, they may also divide up their responsibilities. They may provide protection for just the physical aspects of the cloud, which would be the Compute and Infrastructure nodes, or exposing an API interface from an internal port, they may provide protection for the virtual machines (VM) communicating to/from within or outside the cloud.
Now, continuing on inside the cloud, and moving away from the physical infrastructure, your security becomes far more robust. Now, you will take advantage as things like LDAP or Microsoft AD for your user authentication and authorization at the VM level. Most cloud management tools also allow you to take advantage of other security tools, such as virtual firewalls, virtual edge routers and access to storage areas.
Now, lets spin it around and go back out away from your VMs. You have security in your OS. You then have it on each user based on either internal or external authentication and authorization. Then you go back through a possible virtual firewall and or an edge router. Then back through your physical kit. But remember, based on your cloud management software, you may have far more levels of security that is not based on the VMs or the physical routers and firewalls. Next month, we will dig into the SDN or Software Defined Network world of cloud.
By Richard Thayer