When we deploy an internal infrastructure as a service (IaaS) cloud computing, there is a wide range of security issues that need our consideration, is that enterprises must not only consider the requirements of meeting security best practices, but also should be in line with regulatory Request. This article will discuss in detail how to control virtual machine instances, management platforms, and network and storage infrastructures that support IaaS implementation.
Virtual Machine Instances First, the operating system and applications for the virtual machines (VMs) must be locked and must be properly configured using existing rules, such as those from the Internet Security Center (CIS). Correct virtual machine management at the same time may also result in more robust and consistent configuration management.
The key to creating and managing a security configuration on a virtual machine instance is the use of templates. It is wise for administrators to create a "golden image" for initializing all virtual machines in cloud computing. The template should be baselineed and rigorous revision controls implemented to ensure that all patches and other updates are applied in a timely manner. Many virtualization platforms provide specific controls to ensure the security of virtual machines; enterprise users should, of course, make full use of these capabilities. For example, VMware's virtual machine configuration settings specifically restrict the copying and pasting of virtual machines to the underlying hypervisor, and can help prevent sensitive data from being copied to the hypervisor's memory and clipboard. Platform products from Microsoft Corp. and Citrix System Inc. provide similar anti-copy and paste restrictions. Other platform features can help businesses disable unnecessary devices, set logging parameters, and more. In addition, when securing virtual machine instances, it is important to isolate virtual machines running in different cloud computing areas based on standard data classification guidelines. Because virtual machines share hardware resources, running virtual machines in the same cloud computing zone can result in data in memory errors, although the probability of such errors occurring today is extremely low. Management Platform The second key to ensuring virtual environment security is ensuring the security of the management platform that interacts with virtual machines to configure and monitor the underlying hypervisor system in use. These platforms, such as VMware vCenter, Microsoft System Center Virtual Machine Manager (SCVMM), and Citrix XenCenter, come with their own native security controls that can be implemented. For example, Vcenter is often installed on Windows and has system privileges inherited from the local administrator role unless related roles and permissions are modified during the installation. When it comes to management tools, it is paramount to ensure that the security of your database is managed, but the default for many products is not inherently secure. Most importantly, roles and permissions must be assigned to different operational roles within the management platform. While many businesses have a virtualization operations team that manages the running of virtual machines within IaaS cloud computing, the key principle is not granted too much authority within the management console. I recommend giving different levels of authority for storage, networking, systems management, and other teams, respectively, as they would in a traditional data center environment. For cloud management tools such as vCloud Director and OpenStack, roles and permissions should be carefully assigned, but different end users of cloud computing virtual machines must be included. For example, development teams should have virtual machines for their work tasks, which should be isolated from the virtual machines used by the finance team. All of the management tools should be isolated in a separate segment and it is a good idea to require access to these systems through a "hop-box" or a dedicated security agent platform such as HyTrust, where you can build strong The certification and centralized authorization of user monitoring. Network and storage infrastructure While ensuring the security of networks and storage that drive IaaS cloud computing is a wide-ranging task, there are some common best practices that should be implemented. For the storage environment, keep in mind that, like any other sensitive file, the virtual machine must be protected. Some files store valid memory or memory snapshots (which may be the most sensitive, such as user credentials and other sensitive data that may be contained), as well as other files that represent the complete hard disk of the system. In both cases, this document contains sensitive data. It is crucial to use separate logical unit numbers (LUNs) and zones / domains in your storage environment to isolate systems of different sensitivities. If Storage Area Network (SAN) encryption is available, consider whether it applies. On the network side, it is important to ensure that individual network segments are isolated and under the control of virtual local area networks (VLANs) and access controls. If fine-grained security controls are required in a virtualized environment, organizations can consider using virtual firewalls and virtual intrusion detection devices. VMware's vCloud platform itself has integrated its vShield virtual security appliance, while other products from traditional network vendors are also available. In addition, consider the network segment where sensitive virtual machine data may be transmitted in clear text, such as vMotion networks. In this VMware environment, plaintext memory data is transferred from one hypervisor to another, making it easy to leak sensitive data.
Conclusion When it comes to ensuring the security of virtual environments or IaaS private cloud computing, the three aspects of the above control measures are just the tip of the iceberg. For more information, VMware has a series of in-depth and enhanced hands-on guides for evaluating specific controls, and OpenStack provides a security guide on its website. By following some basic practices, organizations can build their own internal IaaS cloud computing and ensure that they meet their own standards and all other necessary industry requirements. 【Editor: Iris Wei TEL: (010) 68476606】