As a designer of a private cloud, I want to ensure that all applications and services running in the cloud are measured and accounted for.
Figure 1 lists a number of security capabilities that the security wrapper should include in the private cloud such as:
The first paper in this series, "Solution for Private Cloud Security: Service Blueprint," describes these capabilities.
The On-demand Self-service section earlier in this paper discussed the issues associated with controlling and monitoring access to cloud services. This section highlights the importance of protecting the measurement and billing services in the private cloud, and the importance of providing detailed billing information to enable tenants to understand what they are paying for and to be able to identify any resources that they are paying for that they did not explicitly approve. This section also describes how these capabilities relate to the measured service attribute of private clouds. The following sections will describe how your design should apply these capabilities at each layer in the private cloud architecture.
Note: This document is part of a collection of documents that comprise the Reference Architecture for Private Cloud document set. The Solution for Private Cloud is a community collaboration project. Please feel free to edit this document to improve its quality. If you would like to be recognized for your work on improving this document, please include your name and any contact information you wish to share at the bottom of this page.
In a private cloud environment, it is important for the CSP to track all chargeable use of the cloud services by its tenants so that it can bill them accordingly. A concern of the private cloud service provider here is to ensure that tenants cannot bypass the monitoring systems in any way to reduce the amount they have to pay. Although it is unlikely that a business unit within an enterprise would try to steal cloud services from the enterprise private cloud in this way, there is the risk that someone could try to use the private cloud resources for their own purposes.
For example, an employee could run a private web server in the corporate cloud (often hosting explicit adult material) or someone from outside who gained access to the private cloud could run a private mail server. To achieve this without being detected, the person or entity using the private cloud resources would either have to bypass the measuring and billing in the private cloud, or arrange for their use to be paid for by a legitimate client such as a business unit.
The measured service attribute of private clouds also affects the overall availability of resources in the private cloud. By measuring and charging for the use of resources in the private cloud, the cloud service provider encourages tenants to return resources to the pool when they have finished with them. Without this cost incentive, tenants may hang on to resources indefinitely even though they are not using them, reducing the overall availability of the private cloud's resource pool.
You must ensure that all monitoring and logging features that measure resource usage and charge tenants accordingly are protected from tampering. Such logging must always be accurate and must always correctly identify who is using the resource.
Tenants should be able to access their own billing information through the financial management services in the private cloud with enough detail to enable them to identify any possible unauthorized usage of resources on their behalf. The cost of resources should provide a sufficient incentive for client business units to monitor their resource usage.
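The two requirements above, tamper-protected usage logging that records who requested each resource, and itemized billing detailed enough for a tenant to spot usage it never approved, can be illustrated with a small tamper-evident usage ledger. The following code is an added example written for this page; it is not part of the Reference Architecture document set and does not describe any Microsoft product. It assumes a metering service that appends records under a secret key the tenants do not hold (constructed here as a demo constant), chains each record to the previous one with an HMAC so that in-place edits or deleted records break verification, and produces a per-tenant statement with the requesting principal on every line.

```python
"""Tamper-evident, per-tenant usage ledger (added illustrative example).

Assumptions (not from the page): usage records are appended by a metering
service holding a secret key that tenants cannot read; each record carries
the tenant, the principal who requested the resource, the resource, the
quantity used and the unit cost.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo key. A real metering service would keep this in a KMS/HSM
# so that neither tenants nor cloud operators can forge or rewrite records.
METERING_KEY = b"constructed-demo-key-not-for-production"


@dataclass
class UsageRecord:
    seq: int
    tenant: str
    requester: str      # who actually asked for the resource (accountability)
    resource: str
    quantity: float
    unit_cost: float
    prev_mac: str       # MAC of the previous record: the hash chain link
    mac: str = ""

    def body(self) -> bytes:
        # Canonical JSON so that verification is deterministic.
        fields = {k: v for k, v in self.__dict__.items() if k != "mac"}
        return json.dumps(fields, sort_keys=True).encode()


def compute_mac(body: bytes) -> str:
    return hmac.new(METERING_KEY, body, hashlib.sha256).hexdigest()


class UsageLedger:
    def __init__(self) -> None:
        self.records: list[UsageRecord] = []

    def append(self, tenant: str, requester: str, resource: str,
               quantity: float, unit_cost: float) -> UsageRecord:
        prev = self.records[-1].mac if self.records else "genesis"
        rec = UsageRecord(len(self.records), tenant, requester, resource,
                          quantity, unit_cost, prev)
        rec.mac = compute_mac(rec.body())
        self.records.append(rec)
        return rec

    def verify(self) -> tuple[bool, int]:
        """Return (ok, index of the first bad record or -1 if all verify)."""
        prev = "genesis"
        for i, rec in enumerate(self.records):
            # Sequence and chain link catch deletion or reordering of records.
            if rec.seq != i or rec.prev_mac != prev:
                return False, i
            # The MAC catches any edit to the record's fields.
            if not hmac.compare_digest(rec.mac, compute_mac(rec.body())):
                return False, i
            prev = rec.mac
        return True, -1

    def statement(self, tenant: str) -> list[dict]:
        """Itemized bill with the requester on each line, so the tenant can
        spot resources charged to it that nobody it knows approved."""
        return [
            {"resource": r.resource, "requester": r.requester,
             "quantity": r.quantity, "cost": round(r.quantity * r.unit_cost, 2)}
            for r in self.records if r.tenant == tenant
        ]


def demo() -> tuple[tuple[bool, int], tuple[bool, int], list[dict]]:
    """Constructed scenario: three metered records, one in-place tamper."""
    ledger = UsageLedger()
    ledger.append("finance", "alice@finance", "vm-small", 720, 0.05)
    ledger.append("finance", "svc-unknown", "vm-large", 720, 0.20)  # suspicious requester
    ledger.append("hr", "bob@hr", "storage-gb", 500, 0.01)
    bill = ledger.statement("finance")
    ok_before = ledger.verify()
    # Simulated tampering: someone reduces a charged quantity in place.
    ledger.records[1].quantity = 1
    ok_after = ledger.verify()
    return ok_before, ok_after, bill


if __name__ == "__main__":
    before, after, bill = demo()
    print("chain valid before tamper:", before)
    print("chain valid after tamper: ", after)
    for line in bill:
        print(line)
```

The chain as written detects edits, deletions and reordering of earlier records, but not truncation of the newest records; a deployment would also anchor the latest MAC and record count somewhere the metering host cannot rewrite (for example a write-once log store or a periodic signed checkpoint). The statement deliberately exposes the requester on every line, which is what lets the finance tenant in the demo notice a `vm-large` charge requested by an unknown service principal.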