There is a lot of emphasis and excitement around the growth and versatility of public clouds, overshadowing the strong growth and development of private clouds. A private cloud is not just a virtualized infrastructure of compute and storage services. It is an automated and orchestrated system of virtualized compute, storage, network, and security, where workloads are provisioned, managed, and deprovisioned without human intervention. While private clouds can operate in the same models as public clouds, the tendency for organizations is to run a platform-as-a-service offering. This model usually delivers a service catalog of operating systems and related capabilities that internal users can request for their workload.
In this scenario, IT is typically responsible for securing up to the operating system, while the operating department has responsibility for application, data, and access security. It is critical that these responsibilities be clearly articulated, so that there are no gaps. The best practice to achieve this is to focus on security at the workload.
The goal for any type of environment is consistent visibility, management, policy, and threat intelligence across all functions, from a physical data center to a public cloud, and every variant in between. Focusing on the workload enables the creation of security policies based on multiple attributes that uniquely identify groups of applications, content, and purpose; for example, the operating system, owner ID, or security tag. Using these attributes, instead of IP addresses or other static elements, ensures that the appropriate policy group follows the virtual machine wherever it moves, reducing configuration errors and simplifying the overall rule set.
What is challenging about this approach is minimizing the performance impact to each workload, without sacrificing security. The solution is software-defined security. The easiest way to do this would be to put the security functions on each virtual machine, but that is neither an efficient use of resources nor an effective way to deliver consistency across all of the workloads. Instead, security functions should be delivered through the cloud infrastructure and applied automatically.
For network security functions, a virtual intrusion prevention system (IPS) is applied to each workload as it is provisioned, locking down all but the essential traffic necessary for it to function. This isolates the workloads from each other, and has the benefit of minimizing potential misuse of both east-west and north-south communications. The next step is virtual network inspection. Virtual network inspection, automatically applied when a new virtual machine is created with the appropriate policy for that workload, is linked to the workload by the predefined attributes. As a result, it moves with the workload, and is destroyed when the workload is stopped, meaning that new workloads spawn with the most updated set of policies.
Next is server security functions for the specific virtual machine. Instead of running additional anti-virus and other endpoint functions on each virtual machine, these functions are virtualized and centralized for maximum efficiency and effectiveness. All workloads on the hypervisor then have the most current capabilities. Load balancing and other virtualization features ensure that there is sufficient endpoint security processing, spawning additional security capacity when needed.
When malicious or suspicious activity is detected, predefined rules automatically take appropriate action. Possible actions include quarantining the virtual machine for forensic investigation, more closely monitoring the traffic, or stopping that machine and respawning a clean one. If sensitive data is discovered within the workload’s traffic, appropriate policies and restrictions are immediately applied, such as encrypting the data or restricting access to the virtual machine. The benefits of this single-platform, virtualized approach to private cloud security are efficient use of resources, consistent security across all workload groups, and the agility to add capacity and capabilities when needed.
For more details on this, you can view the full presentation with ISACA, available on demand.