As an operator of a private cloud solution:

  • How do I detect and respond to requests for resources that might negatively impact other tenant applications or the whole cloud?
  • What impact does the private cloud have on my plans to maintain the availability and capacity of resources?

Security Functionality

Enabling rapid elasticity in the supply of private cloud resources to tenants impacts on many of the same operational security functions as the enabling of the on-demand self-service and resource pooling attributes discussed previously:

  • Role-based access controls must govern the requests for private-cloud resources. However, your private cloud may support automatic scaling, so the requests for resources may also come from the hosted applications themselves instead of from the tenant.
  • You should ensure that all requests for resources (and freeing of resources) are logged and auditable.
  • You should ensure that tenant isolation and data protection are maintained as resources are allocated and de-allocated.

However, enabling rapid elasticity in the supply of private cloud resources raises some additional operational concerns:

  • Allocating and de-allocating resources takes a finite amount of time. Too many allocation and de-allocation requests from a tenant or a tenant application could prevent requests from other tenants from being fulfilled, or even destabilize the private cloud. Monitoring should detect and limit this type of behavior. Audit trails should identify the source of every request to allocate or de-allocate resources.
  • Although one of the benefits of cloud architectures is to achieve a more efficient use of available resources by using resource pooling and recycling to average out demand, your monitoring should track overall resource utilization and trends to help you ensure you have enough capacity to maintain availability at peak times.
  • Enabling rapid elasticity puts further pressure on the processes that clean the resources that tenants return to the pool before those resources can be re-used.

Enabling rapid elasticity shares some of the same security concerns as managing resource pooling. However, in addition to the requirement that resources can be recycled without compromising the confidentiality of any data that a service might have stored on the resource before releasing it back into the pool, resource recycling must happen quickly, especially if there is pressure on the available resources within the cloud. This consideration further emphasizes the importance of efficient automation procedures to manage the cloud infrastructure.

Infrastructure Security

Giving client business units or hosted applications the ability to rapidly scale in or out the virtual resources they are using also gives those clients access to the shared pool of resources. You must constrain elasticity in the supply of available resources so that clients do not affect the availability of the services owned and managed by other clients or destabilize the cloud as a whole.

Monitoring and Logging

You should monitor and log resource requests to maintain a full audit trail of provisioning requests associated with scaling running applications and services. This approach can help you to identify clients or applications that might be affecting the overall availability of services within the cloud by overloading the infrastructure with requests to provision or de-provision resources. You should also have automated monitoring in place that can identify resource de-provisioning requests that attempt to flood the cloud with requests to shut down running services within the cloud in a type of denial of service attack.
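As an added example (not part of the original document set), the following Python script applies the detection described above and in the Security Functionality section to a handful of constructed audit-trail lines: it attributes every allocate/deallocate request to its tenant and requesting principal, then flags a source whose overall request churn, or whose de-provisioning requests alone, exceed a per-window threshold. The log format, thresholds, tenant and principal names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed audit-trail lines (not from any real system). Each provisioning
# request records the tenant and the requesting principal (user or application)
# so every allocate/deallocate can be attributed to its source.
AUDIT_LOG = """\
2024-05-01T10:00:00Z tenant=finance src=app:payroll action=allocate res=vm-0a1
2024-05-01T10:00:02Z tenant=finance src=app:payroll action=allocate res=vm-0a2
2024-05-01T10:00:03Z tenant=hr src=user:alice action=allocate res=vm-1b7
2024-05-01T10:00:04Z tenant=finance src=app:payroll action=deallocate res=vm-0a1
2024-05-01T10:00:05Z tenant=finance src=app:payroll action=allocate res=vm-0a3
2024-05-01T10:00:06Z tenant=finance src=app:payroll action=deallocate res=vm-0a2
2024-05-01T10:00:07Z tenant=finance src=app:payroll action=allocate res=vm-0a4
2024-05-01T10:00:20Z tenant=sales src=user:bob action=deallocate res=vm-2c1
2024-05-01T10:00:21Z tenant=sales src=user:bob action=deallocate res=vm-2c2
2024-05-01T10:00:22Z tenant=sales src=user:bob action=deallocate res=vm-2c3
2024-05-01T10:00:23Z tenant=sales src=user:bob action=deallocate res=vm-2c4
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) tenant=(?P<tenant>\S+) src=(?P<src>\S+) "
                     r"action=(?P<action>allocate|deallocate) res=\S+$")

def parse(log):
    """Yield (timestamp, tenant, source, action); unparseable lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["tenant"], m["src"], m["action"]

def detect_floods(log, window=timedelta(seconds=30), max_requests=5, max_deallocs=3):
    """Return (tenant, source, kind, time) alerts for sources that exceed a
    per-window threshold: 'request-flood' counts all allocate/deallocate churn
    that can starve other tenants; 'deallocate-burst' counts shutdown requests
    only, the mass de-provisioning pattern the text describes."""
    windows = {"request-flood": (defaultdict(deque), max_requests),
               "deallocate-burst": (defaultdict(deque), max_deallocs)}
    alerts = []
    for ts, tenant, src, action in parse(log):
        for kind, (recent, limit) in windows.items():
            if kind == "deallocate-burst" and action != "deallocate":
                continue
            q = recent[(tenant, src)]
            q.append(ts)
            while ts - q[0] > window:          # drop requests outside the window
                q.popleft()
            if len(q) == limit + 1:            # alert once, when first exceeded
                alerts.append((tenant, src, kind, ts))
    return alerts
```

In production the same sliding-window check would feed a rate limiter on the provisioning API rather than only an alert, so an offending source is throttled before it affects other tenants.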

Managing Capacity Limits

Although in the private cloud there is typically a financial incentive for client business units to use resources efficiently, the private cloud approach to service delivery is new and may be unfamiliar to the service consumers. Although SLAs may offer guarantees that resources will be available to scale running applications and services, and that those resources will be available within a given timeframe, the CSP may need to take steps to educate tenants about the elastic capabilities of the private cloud.

This document is part of a collection of documents that comprise the Reference Architecture for Private Cloud document set. The Solution for Private Cloud is a community collaboration project.

Operational monitoring may include monitoring for under-utilized resources that may indicate hoarding behavior by client business units attempting to reserve capacity and consequently reducing the ability of the infrastructure to make resources available to other business units.

Part of the private cloud capacity management processes should include regular reviews of any resource usage quotas applied to tenants. Changes in usage patterns of private cloud resources and changes in the available resources may enable you to increase quotas or force you to reduce them.

If you use quotas to control how many virtual instances a service or application can use, you may be able to use information from the provisioning system as input to your capacity planning procedures to ensure the availability of services in the longer term.
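The hoarding check and the quota review described in the three paragraphs above, as an added Python example that is not part of the original document set: it compares each tenant's held instances and recent utilization against its quota, flags idle capacity held near the limit (hoarding) and busy tenants pressing against their limit, and reports whether the quotas as granted overcommit the pool. Pool size, quotas, tenant names and the utilization thresholds are assumptions.

```python
from statistics import mean

# Constructed sample data (not from any real system): an on-premises pool size,
# per-tenant instance quotas, and for each instance a tenant currently holds
# its recent average utilization (0.0 idle .. 1.0 saturated).
POOL_CAPACITY = 32
QUOTAS = {"finance": 16, "hr": 8, "sales": 12}
INSTANCES = {
    "finance": {f"vm-f{i}": 0.70 + 0.01 * i for i in range(14)},   # busy, near quota
    "hr":      {f"vm-h{i}": 0.40 for i in range(2)},               # modest use
    "sales":   {f"vm-s{i}": 0.02 + 0.005 * i for i in range(10)},  # idle, near quota
}

def review_quotas(quotas, instances, pool_capacity, idle=0.10, busy=0.70, near=0.80):
    """Return ({tenant: (status, recommendation)}, pool summary).
    'hoarding' = holding >= near*quota instances at < idle utilization;
    'constrained' = holding >= near*quota instances at > busy utilization."""
    findings, held_total = {}, 0
    for tenant, quota in quotas.items():
        held = len(instances.get(tenant, {}))
        held_total += held
        util = mean(instances[tenant].values()) if held else 0.0
        near_quota = held >= near * quota
        if near_quota and util < idle:
            findings[tenant] = ("hoarding", "reduce quota; idle instances held near the limit")
        elif near_quota and util > busy:
            findings[tenant] = ("constrained", "consider raising quota if pool headroom allows")
        else:
            findings[tenant] = ("ok", "no change")
    committed = sum(quotas.values())
    # If every tenant scaled to its full quota at once, would the pool run out?
    pool = {"held": held_total, "headroom": pool_capacity - held_total,
            "quota_overcommit": max(0, committed - pool_capacity)}
    return findings, pool
```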

To manage capacity limits, you may consider a hybrid private cloud model that enables you to use a public cloud or a private cloud hosted by a third party to host applications and services when your on-premises capacity is exhausted in order to maintain availability (sometimes referred to as “cloud bursting”). In this scenario, you must plan carefully how you will continue to provide your services to your client business units, including how you will:

  • Maintain the information security of tenant applications and services.
  • Integrate identity and access management systems with the external cloud.
  • Continue to meet the requirements specified in the SLAs with your client business units.
  • Manage events, incidents, and problems.
  • Ensure IT service continuity.

Platform Security

Enabling rapid elasticity in the supply of resources may require the infrastructure to move virtualized services between physical devices (for example to load balance requests effectively). Automated procedures that move running services between physical servers should ensure that recycling resources does not accidentally expose confidential data.
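The recycling requirement stated here and in the Security Functionality section above, as an added Python model that is not part of the original document set: a resource pool that never hands a returned resource to another tenant until it has been overwritten and the wipe verified, and that responds to allocation pressure by scrubbing sooner rather than by skipping the scrub. Resource names, tenants and the byte-array stand-in for storage are assumptions.

```python
from collections import deque
from dataclasses import dataclass

@dataclass
class Resource:
    name: str
    storage: bytearray       # stands in for the disk/memory a tenant wrote to
    sanitized: bool = True

class ResourcePool:
    """Hands out recycled resources only after a verified scrub. Allocation
    pressure makes the scrub happen sooner; it never lets it be skipped."""
    def __init__(self, resources):
        self.clean = deque(resources)
        self.dirty = deque()
        self.audit = []      # (action, principal, resource) audit trail

    def allocate(self, tenant):
        if not self.clean and self.dirty:
            self._scrub(self.dirty.popleft())   # under pressure: scrub now
        if not self.clean:
            raise RuntimeError("pool exhausted")
        r = self.clean.popleft()
        if not r.sanitized or any(r.storage):  # defence in depth at hand-over
            raise RuntimeError(f"{r.name} is not clean; refusing to allocate")
        self.audit.append(("allocate", tenant, r.name))
        return r

    def release(self, tenant, r):
        r.sanitized = False  # assume every returned resource holds tenant data
        self.dirty.append(r)
        self.audit.append(("release", tenant, r.name))

    def _scrub(self, r):
        r.storage[:] = bytes(len(r.storage))   # overwrite every byte
        if any(r.storage):                     # verify before trusting the wipe
            raise RuntimeError(f"{r.name}: scrub verification failed")
        r.sanitized = True
        self.clean.append(r)
        self.audit.append(("scrub", "cloud-operator", r.name))

def demo():
    """Two-slot pool: finance's returned VM is scrubbed before sales gets it."""
    pool = ResourcePool([Resource("vm-1", bytearray(8)), Resource("vm-2", bytearray(8))])
    a = pool.allocate("finance")
    a.storage[:] = b"PAYROLL!"   # tenant writes confidential data to its VM
    pool.allocate("hr")          # clean queue is now empty
    pool.release("finance", a)
    c = pool.allocate("sales")   # forces the scrub of vm-1 before hand-over
    return c.name, bytes(c.storage), [step[0] for step in pool.audit]
```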

Software Security

Typically, enabling rapid elasticity in the supply of resources is achieved by allocating additional virtual machines to a tenant application or service and configuring load balancing across those virtual machines. Tenant applications will not always "just work" in such a scenario: they must be designed to work in this way, often by introducing state data that must be shared between the different instances. Sharing state may involve configuring access control on a cache, using shared data that must be protected, or holding the state in the client application. These approaches may introduce security vulnerabilities if not implemented correctly.

You can provide best practice guidance or verification services to software development groups within the enterprise on the approaches they can take to ensure that applications and services take reasonable steps to ensure the confidentiality, integrity, and trustworthiness of their data when they are scaled to run on multiple instances.
