microsoft private cloud security

Upload: taariq

Post on 22-Jan-2016


DESCRIPTION

SEC305 - Microsoft Private Cloud Security (PowerPoint presentation, marked BETA). Presented by Dr. Thomas W Shinder, Principal Knowledge Engineer/Principal Writer, Microsoft – SCD iX Solutions Group, Private Cloud Architecture - Security. Agenda: building a secure private cloud on Microsoft technologies.

TRANSCRIPT

Page 1: Microsoft Private Cloud Security
Page 2: Microsoft Private Cloud Security

SEC305

Microsoft Private Cloud Security

Dr. Thomas W Shinder
Principal Knowledge Engineer/Principal Writer
Microsoft – SCD iX Solutions Group
Private Cloud Architecture - Security

BETA!

Page 3: Microsoft Private Cloud Security

Agenda

Building a secure private cloud on Microsoft technologies

Private cloud security concerns

Security & compliance in a Microsoft private cloud

Page 4: Microsoft Private Cloud Security

NIST Cloud Definition

(Diagram: NIST cloud definition)

Deployment Models: Private Cloud, Community Cloud, Public Cloud, Hybrid Clouds

Service Models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS)

Essential Characteristics: On Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service

Common Characteristics: Massive Scale, Homogeneity, Virtualization, Low Cost Software, Resilient Computing, Geographic Distribution, Service Orientation, Advanced Security

Page 5: Microsoft Private Cloud Security

Microsoft’s View of Private Cloud

(Diagram layers: Operating System, Virtualization, Management)

A Private Cloud presents the OS and virtualization resources as a pool of shared resources.

The resource pool is created through management, based on business rules and executed through automation.

You no longer think about numbers of VMs, server ratios, memory or storage, but instead about how much compute resource you have access to.

Your focus now shifts to the applications, where you rely on the pool of resources to supply the right capacity and capabilities.

Characteristics:
  “Tenant” self-service on-demand
  Charge for resources consumed
  Orchestrated management and monitoring
  Tenant monitoring & reporting interfaces

Page 6: Microsoft Private Cloud Security

Implementing a Microsoft Private Cloud

Clustered “scale units” of 16 physical servers
Virtualized using Hyper-V to create a platform for 1,000 VMs
Discrete management layer using the System Center suite
Orchestration of complex workflows using SCORCH
Active Directory provides a common security model for hosting and hosted assets

(Diagram layers, bottom to top: Compute / Network / Storage; Hyper-V based Hypervisor; Management Layer; Orchestration Layer; Admin / Tenant Interfaces. AuthN, AuthZ & Auditing span all layers.)

Page 7: Microsoft Private Cloud Security

Private Cloud Security Concerns

Security is the number 1 concern for cloud adoption: 75% responded 4 or 5 (on a 1 to 5 scale) *

Key security issues:
  Isolation of tenants from each other & from the hosting infrastructure (compute and network layers)
  Authentication / Authorization / Auditing of access to cloud services
  Impact to CIA # via exploitation of software vulnerabilities
  Unauthorized access / DoS due to weak (or mis)configuration
  Impact to CIA of services by malicious code
  Impact to CIA of data
  Compliance

* Source: IDC Enterprise Panel, August 2008

# CIA = Confidentiality, Integrity & Availability

Page 8: Microsoft Private Cloud Security

Security & Compliance in a Microsoft Private Cloud

Secure virtualization platform
Secure development lifecycle
Highly automated management, monitoring & reporting
Comprehensive security model for authN, authZ & auditing
Multi-layered security controls

Page 9: Microsoft Private Cloud Security

Secure Virtualization Platform - A secure platform to enforce VM isolation

(Diagram: Hyper-V architecture)
  Root Partition - Ring 0: Windows Kernel, Server Core, Virtualization Stack, Device Drivers, VMBus; Ring 3: VM Worker Processes
  Guest Partitions - Ring 0: OS Kernel, VMBus; Ring 3: Guest Applications
  Windows hypervisor - “Ring -1”
  Hardware: CPU, Storage, NIC

Microkernel hypervisor
  Isolation boundary between partitions
  Minimal TCB with no third-party drivers

Root partition
  Mediates all access to the hypervisor
  Server Core minimizes attack surface: ~50% less patching required

Guests cannot interfere with each other
  Dedicated worker processes
  Dedicated VMBus channel

Certified to Common Criteria EAL4+

Page 10: Microsoft Private Cloud Security

Secure Virtualization Platform - Microkernel vs. Monolithic Hypervisor

Monolithic hypervisor hosts:
  Virtualization stack
  3rd party device drivers
Result: larger code base, harder to test security, increased attack surface

(Diagram, monolithic: Hardware; Hypervisor containing Drivers and Virtualization Stack; VM 1 (Admin), VM 2, VM 3)
(Diagram, microkernel: Hardware; Hypervisor; Root Partition containing Virtualization Stack and Drivers; Guest Partition; Guest Partition)

“The fact is, the absolute last place you want to see drivers is in the hypervisor, not only because the added abstraction layer is inevitably a big performance problem, but because hardware and drivers are by definition buggier than "generic" code that can be tested.”
Linus Torvalds, https://lists.linux-foundation.org/pipermail/desktop_architects/2007-August/002446.html

Page 11: Microsoft Private Cloud Security

Security Development Lifecycle

Industry-leading software security assurance process
  Prescriptive yet practical approach
  Proactive – not just “looking for bugs”
  Detect security problems early
  Proven results

Protects Microsoft customers by:
  Reducing the number of vulnerabilities
  Reducing the severity of vulnerabilities

(Diagram: SDL timeline from Conception to Release)

Page 12: Microsoft Private Cloud Security

Highly Automated Management, Monitoring & Reporting - The Problem

Operational complexity does not promote security:
  Complex manual tasks across multiple systems…
  Performed by multiple admins…
  Invites omissions and errors…
  And lacks traceability and auditing…

If you don’t know what you have – you can’t secure it!

Page 13: Microsoft Private Cloud Security

Highly Automated Management, Monitoring & Reporting

(Diagram: Portals & Reporting; 3rd Party Solutions)

Integration:
  Virtual resource management
  Configuration management
  Operations management
  Data protection management
  Incident / change management

Automation & Orchestration:
  Simplify complex workflows
  Automate responses
  Enable self-service

Oversight & auditing

Page 14: Microsoft Private Cloud Security

Highly Automated Management, Monitoring & Reporting

(Diagram: IT silos feeding a VM provisioning process)

IT Silos: Event Mgmt, Service Desk, Asset/CMDB, Configuration, Virtual, Security, Storage, Server, Network

VM Provisioning Process activities: Monitor Service request; Stop VM; Detach Storage; Detach Network Adapter; Remove from Ops Manager; Retire CI; Update request; Clone new VM; Update properties; Create incident; Update request; Test VM; Deploy Applications; Verify Application; Update & close request; Create CI; Add to Ops Manager

1. Stop old VM, release resources & retire asset
2. Create / configure new VM, & log ticket
3. Test VM & update ticket
4. Deploy apps, verify & update ticket
5. Register asset in CMDB & add to monitoring

Page 15: Microsoft Private Cloud Security

Comprehensive Security Model for authN, authZ & auditing - Active Directory Services

Authentication Services
  AD provides the overarching authentication service for all users and resources
  Windows security model common across all hosts & guests
    Simplifies authorization of users to resources
    Provides detailed auditing of all access attempts
  AzMan provides role-based authorization for granular task delegation
  Centralized policy storage and enforcement
  Extensible security model
  Certificate services
  Federation services

Page 16: Microsoft Private Cloud Security

Multi-layered Security Controls - A Defense in Depth Approach

Layer: Defenses
  Data: Windows security model for access control and auditing; System Center Data Protection Manager for data availability
  Application: User identification & authorization; Application-layer malware protection
  Host: Host boundaries enforced by external hypervisor; Host malware protection
  Network: VLANs and packet filters in network fabric; Host firewall to supplement & integrate IPSec isolation
  Perimeter / Access: Controlled access to portals / services using UAG; Controlled outbound access using TMG
  Across Application and Host: Patch Management; Application / Host hardening

Page 17: Microsoft Private Cloud Security

Security Update Management - Timely and effective protection against software vulnerabilities

Industry leader in update management:
  Predictable release process
  Timely & detailed communications channels
  Update assurance testing for high quality updates
  CC EAL4+ ALC_FLR.3 (systematic flaw remediation)

Highly automated deployment & verification:
  Hosts / guests report required updates
  Update process initiated
  Requests authenticated and approved
  Hyper-V hosts patched with zero downtime

Page 18: Microsoft Private Cloud Security

Patch Orchestration using System Center and Opalis

(Workflow diagram; swim lanes: Service Management, Security, Orchestration, Management, Automation, Virtualization, Servers, Network, Storage; activities numbered 1 to 8)

Workflow activities:
  Security Updates Received
  Approve Service Request
  Initiate Update Workflow
  Initiate Maint. Mode on Host
  Migrate VMs off Host (VM Live Migration); Ensure Separation
  Patch Physical Host (Patch Installation)
  Patch Master Image (Patch Installation)
  Verify Patch Installation
  Run Host Health Check: Verify Hyper-V Health, Verify Server Health, Verify Network Connectivity, Verify Storage Connectivity
  Investigate Any Issues / Continue Workflow
  Migrate VMs Back (VM Live Migration)
  Verify Host Availability
  End Maint. Mode on Host
  Report Workflow Results
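The slide shows the patch workflow as Opalis activities. As an added example, not part of the deck and not Microsoft's own runbook, the following PowerShell walks one clustered Hyper-V host through the same sequence (maintenance mode, drain, patch, verify, resume, report) using the FailoverClusters and Hyper-V modules that ship with Windows Server 2012 and later. The host name, update package path, KB number and cluster layout are constructed placeholders, and the service-request approval that precedes this in the slide is assumed to have already happened.

```powershell
# Added example (not from the deck): zero-downtime patching of one clustered
# Hyper-V host. Host name, .msu path and KB id are constructed placeholders.
#Requires -Modules FailoverClusters, Hyper-V

param(
    [string]$Node    = 'HV01',                               # assumed host name
    [string]$MsuPath = '\\fileserver\updates\KB0000000.msu', # assumed update package
    [string]$KbId    = 'KB0000000'                           # assumed KB to verify
)

$Report = [ordered]@{ Node = $Node; Update = $KbId }

function Test-HostHealth {
    # The slide's health check: server reachable, Hyper-V management service
    # running, node still a cluster member, cluster shared volumes online.
    param([string]$Node)
    $vmms = Get-Service -ComputerName $Node -Name vmms -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Reachable = Test-Connection -ComputerName $Node -Count 2 -Quiet
        HyperVUp  = [bool]($vmms -and $vmms.Status -eq 'Running')
        ClusterUp = (Get-ClusterNode -Name $Node).State -in 'Up', 'Paused'
        StorageUp = -not (Get-ClusterSharedVolume | Where-Object State -ne 'Online')
    }
}

# 1. Maintenance mode: pause the node and drain it, which live-migrates its
#    clustered VMs to the other hosts.
Suspend-ClusterNode -Name $Node -Drain -Wait | Out-Null
$Report.Drained = ((Get-ClusterNode -Name $Node).State -eq 'Paused')

# 2. Ensure separation: nothing may still be running on the host before it reboots.
$stillRunning = Get-VM -ComputerName $Node | Where-Object State -eq 'Running'
if ($stillRunning) {
    throw "VMs still running on ${Node}: $($stillRunning.Name -join ', ')"
}

# 3. Patch the physical host and restart it, waiting until remoting is back.
Invoke-Command -ComputerName $Node -ScriptBlock {
    $pkg = $using:MsuPath
    Start-Process -FilePath wusa.exe -ArgumentList "`"$pkg`" /quiet /norestart" -Wait
}
Restart-Computer -ComputerName $Node -Wait -For PowerShell -Timeout 900 -Force

# 4. Verify patch installation, then run the host health check.
$Report.PatchInstalled = [bool](Get-HotFix -Id $KbId -ComputerName $Node -ErrorAction SilentlyContinue)
$health = Test-HostHealth -Node $Node
$Report.Health = $health
$healthy = $health.Reachable -and $health.HyperVUp -and $health.ClusterUp -and $health.StorageUp

# 5. Either end maintenance mode and fail the VMs back, or leave the node paused
#    so the issue can be investigated before it carries tenant workloads again.
if ($Report.PatchInstalled -and $healthy) {
    Resume-ClusterNode -Name $Node -Failback Immediate | Out-Null
    $Report.Resumed = ((Get-ClusterNode -Name $Node).State -eq 'Up')
} else {
    $Report.Resumed = $false
    Write-Warning "$Node left in maintenance mode; investigate before resuming."
}

# 6. Report workflow results.
[pscustomobject]$Report
```

The failure branch deliberately leaves the host paused rather than resuming it: a node that passed the patch step but failed a health check must not receive tenant VMs back until someone has looked at it, which is the "Investigate Any Issues" gate in the slide's diagram.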

Page 19: Microsoft Private Cloud Security

Application / Host Hardening - Microsoft Security Compliance Manager

Modify & manage security baselines published by Microsoft
  Domain Member, Hyper-V Host, Domain Controller etc.
  Enterprise Client / Specialized Security Limited Functionality

Baseline enforcement
  Export from the baseline library to Group Policy

Measure baseline compliance
  Export from the baseline library to a DCM pack
  Report on compliance with the DCM pack using Configuration Manager

Page 20: Microsoft Private Cloud Security

Host Malware Protection - Protecting Hosts / Guests from malicious code

Highly effective protection against malware
  Effective reactive / proactive remediation with very low false positives
  Behavior monitoring backed by the Dynamic Signature Service
  Block network-based vulnerabilities with NIS
  Backed by the Microsoft Malware Protection Center

Role-specific exclusions minimize performance impact
No additional infrastructure for management, monitoring or reporting

Page 21: Microsoft Private Cloud Security

Network Traffic Isolation - Isolating traffic using VLANs

Hosts and VMs support 802.1Q (VLAN tagging)
  Each is assigned a VLAN ID
  Enforced across the network fabric
  Firewalls permit inter-VLAN traffic as per policy

Isolates:
  Host from guests
  Mgmt. traffic from guest traffic
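The slide states the VLAN design but not how it is applied on a host. As an added example, not from the deck and not Microsoft's own script, the following uses the Hyper-V PowerShell module (Windows Server 2012 and later) to put the management OS on its own tagged adapter, put each tenant VM in access mode on its tenant VLAN, and then check that no VM adapter is untagged or sitting on the management VLAN. The switch name, NIC name, VM names and VLAN IDs are constructed placeholders.

```powershell
# Added example (not from the deck): host/guest and mgmt/guest VLAN separation
# on a Hyper-V host. Names and VLAN IDs below are constructed placeholders.
#Requires -Modules Hyper-V

$SwitchName  = 'Fabric'   # assumed external virtual switch
$PhysicalNic = 'NIC1'     # assumed physical NIC bound to the switch
$MgmtVlanId  = 10         # assumed management VLAN
$TenantVlans = @{         # assumed tenant VM -> VLAN mapping
    'TenantA-Web01' = 110
    'TenantA-App01' = 110
    'TenantB-Web01' = 120
}

# 1. External switch; the management OS does not share the untagged network.
New-VMSwitch -Name $SwitchName -NetAdapterName $PhysicalNic -AllowManagementOS $false

# 2. Dedicated management-OS adapter, tagged with the management VLAN.
Add-VMNetworkAdapter -ManagementOS -Name 'Mgmt' -SwitchName $SwitchName
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName 'Mgmt' -Access -VlanId $MgmtVlanId

# 3. Each tenant VM adapter in access mode on its tenant VLAN.
foreach ($vm in $TenantVlans.Keys) {
    Set-VMNetworkAdapterVlan -VMName $vm -Access -VlanId $TenantVlans[$vm]
}

# 4. Verification: every VM adapter must be in access mode on a VLAN other than
#    the management VLAN. An untagged adapter lands on the switch's native
#    network; an adapter on the management VLAN puts a guest next to the hosts.
function Test-VlanIsolation {
    param([int]$ManagementVlanId)
    $violations = foreach ($a in (Get-VM | Get-VMNetworkAdapterVlan)) {
        $id = "$($a.VMName)/$($a.VMNetworkAdapterName)"
        if ($a.OperationMode -ne 'Access') {
            "${id}: not in access mode (mode is $($a.OperationMode))"
        } elseif ($a.AccessVlanId -eq $ManagementVlanId) {
            "${id}: on management VLAN $ManagementVlanId"
        }
    }
    return @($violations)
}

$v = Test-VlanIsolation -ManagementVlanId $MgmtVlanId
if ($v.Count -eq 0) { 'VLAN isolation check passed' } else { $v }
```

Tagging alone only separates broadcast domains; the inter-VLAN policy the slide mentions still lives on the firewalls in the fabric, so the check above should be paired with a review of those rules.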

Page 22: Microsoft Private Cloud Security

Filtering Network Connections to Hosts - Windows Firewall with IPSec

Block all inbound connections to non-essential services
  Deny guest to host / management systems
  Centrally managed firewall policy

Server and Domain Isolation using IPSec
  Non-domain hosts cannot connect
  Trusted hosts within the domain must authenticate to connect

(Diagram: Data Center’s Physical Servers, Guest OS, Data-Center Network)
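The slide lists the host firewall and IPsec isolation goals without showing the policy. As an added example, not from the deck and not Microsoft's reference policy, the following configures those goals with the NetSecurity module (Windows Server 2012 and later): default-deny inbound, essential services reachable only from the management subnet and only over IPsec, an explicit block for guest networks, and a connection security rule that requires computer Kerberos authentication so non-domain machines cannot connect. The subnets, rule names and the GPO name used for central management are constructed placeholders.

```powershell
# Added example (not from the deck): host firewall plus IPsec server/domain
# isolation. Subnets, rule names and the GPO name are constructed placeholders.
#Requires -Modules NetSecurity

$MgmtSubnet  = '10.10.0.0/24'   # assumed management network
$GuestSubnet = '10.200.0.0/16'  # assumed tenant/guest VM networks
# Central management: write rules into a domain GPO (assumed name) via -PolicyStore.
$Store = 'contoso.com\Hyper-V Host Firewall'

# 1. Default-deny inbound on every profile; log dropped packets for auditing.
Set-NetFirewallProfile -PolicyStore $Store -Profile Domain, Private, Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow -LogBlocked True

# 2. Essential services only, only from the management subnet, and only over IPsec:
#    -Authentication Required means the rule matches solely connections that the
#    IPsec rule in step 4 has already authenticated.
New-NetFirewallRule -PolicyStore $Store -DisplayName 'Mgmt: WinRM from management subnet' `
    -Direction Inbound -Protocol TCP -LocalPort 5985, 5986 -RemoteAddress $MgmtSubnet `
    -Action Allow -Profile Domain -Authentication Required
New-NetFirewallRule -PolicyStore $Store -DisplayName 'Mgmt: RDP from management subnet' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress $MgmtSubnet `
    -Action Allow -Profile Domain -Authentication Required

# 3. Explicit deny for guest networks reaching the host. Block rules take
#    precedence over allow rules, so a later broad allow cannot expose the host.
New-NetFirewallRule -PolicyStore $Store -DisplayName 'Deny guest networks to host' `
    -Direction Inbound -RemoteAddress $GuestSubnet -Action Block

# 4. Server and domain isolation: require IPsec with computer Kerberos for inbound
#    traffic and request it outbound. A non-domain machine has no ticket, so it
#    cannot complete main mode and never reaches the firewall rules above.
$kerb = New-NetIPsecAuthProposal -Machine -Kerberos
$p1   = New-NetIPsecPhase1AuthSet -PolicyStore $Store -DisplayName 'Computer Kerberos' -Proposal $kerb
New-NetIPsecRule -PolicyStore $Store -DisplayName 'Domain isolation: authenticate inbound' `
    -InboundSecurity Require -OutboundSecurity Request -Phase1AuthSet $p1.Name -Profile Domain

# 5. Verification on a host: any enabled inbound allow rule that does not require
#    IPsec is a hole in the isolation; list it together with the active IPsec SAs.
function Get-UnauthenticatedInboundAllowRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $sec = $_ | Get-NetFirewallSecurityFilter
        if ($sec.Authentication -ne 'Required') {
            [pscustomobject]@{ Rule = $_.DisplayName; Profile = $_.Profile; Authentication = $sec.Authentication }
        }
    }
}

Get-UnauthenticatedInboundAllowRules
Get-NetIPsecMainModeSA
```

Two points a practitioner would check before rolling this out: the IPsec rule must be deployed to the management stations as well as the hosts, or the management subnet rules in step 2 will never match, and the default-deny in step 1 should be staged on one host with -LogBlocked output reviewed before the GPO is linked to the whole host OU.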

Page 23: Microsoft Private Cloud Security

Summary

Secure virtualization platform providing isolation and non-interference

Secure development lifecycle and update management lifecycle

Highly automated management, monitoring & reporting

Comprehensive security model for authN, authZ & auditing

Multi-layered security controls

Page 24: Microsoft Private Cloud Security

Private Cloud Architecture Goes Social!

The Microsoft Private Cloud Architecture blog
The Microsoft Private Cloud Architecture Facebook page
The Microsoft Private Cloud Architecture Twitter account
The Microsoft Private Cloud Architecture LinkedIn Group
The Microsoft Private Cloud TechNet forums
The Microsoft Private Cloud Dojo on the TechNet Wiki

Page 25: Microsoft Private Cloud Security

Additional Resources

Private Cloud Solution Hub: www.technet.com/cloud/private-cloud

Private Cloud IaaS Page: www.microsoft.com/privatecloud

Page 26: Microsoft Private Cloud Security

Questions?

Session Code

Dr. Thomas W Shinder
Principal Knowledge Engineer/Principal Writer
[email protected]
Blog – Private Cloud Architecture Blog: http://blogs.technet.com/b/privatecloud/

You can ask your questions at the “Ask the expert” zone within an hour after the end of this session

Page 27: Microsoft Private Cloud Security