June 2010 Update - Secure Multi-tenant Infrastructure
NetApp, Cisco, and VMware have taken a lead in describing secure multi-tenant infrastructure, showing the market “how it’s done”. The reason is obvious: security integration is the path to the cloud and resilient virtual computing infrastructure (infrastructure 2.0) in general. Integration is the key.
A secure, integrated virtual infrastructure is the holy grail for data center managers and cloud operators. The benefits (improved utilization, greater flexibility, and faster time to market for new applications and services through the cloud at lower unit costs) are only possible through integration. Forget about end-to-end security, and look to integration. Integration is as important as the technology itself, and security is a key enabler for workloads, particularly those in the higher tiers requiring proven, trusted security across server, storage, and network layers. Businesses moving to the virtual stack should demand a well-defined and open framework of security integration across products, hardware and software, and human capital, at an acceptable cost, as they make this journey toward a virtual infrastructure supporting both private and open cloud environments.
Secure Virtual Infrastructure
NetApp, Cisco, and VMware have detailed their approach to security integration in a document titled the Cloud Security Architecture. The goal of this document is to demonstrate how to piece together component features into a cohesive security platform that meets the user's requirements for compliance, transparency in operations, recoverability, data assurance, etc.
Although the document is geared toward sales managers and engineers rather than risk management or security professionals, the goal of the architecture is to produce a secure virtual infrastructure (SVI) composed of NetApp storage, Cisco compute and switching, and VMware software for trusted environments and critical enterprise applications operating in private and open cloud environments.
The architecture proposes a level of security assurance and resiliency in support of 4 primary service level components (referred to as “pillars”):
- Availability allows the infrastructure to meet the expectation of compute, network, and storage to always be available even in the event of failure.
- Secure Separation ensures one tenant does not have access to another tenant’s resources, such as virtual machine (VM), network bandwidth, and storage.
- Service Assurance provides isolated compute, network, and storage performance.
- Management is required to rapidly provision and manage resources and view resource availability.
Core technologies from each vendor that make up the security architecture are:
- VMware - vSphere, vCenter, with vShield Zones
- Cisco - Unified Computing System, Nexus Switches, MDS Switches
- NetApp - MultiStore with Data Motion and vFiler Units
In this architecture, each tenant in a multi-tenant environment (e.g., encapsulated application, virtual machine, associated metadata), plus the infrastructure resources the application requires, including storage, compute, and management, is encapsulated by a security and isolation layer composed of virtual firewall features, policy management, access control lists, and compliance reporting. The virtual firewall features protect against cross-tenant access, and the policy, ACLs, and logging manage controls inside each tenant environment.
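The cross-tenant protection described above is a property that can be audited mechanically. The following is an added example, not taken from the Cloud Security Architecture document or any vendor product: the tenant inventory, the rule tuple format, and the function names are hypothetical, and all data is constructed.

```python
from ipaddress import ip_network

# Constructed inventory (hypothetical): tenant name -> subnets it owns.
TENANTS = {
    "tenant-a": ["10.1.0.0/24"],
    "tenant-b": ["10.2.0.0/24"],
    "shared-mgmt": ["10.0.0.0/28"],
}

# Constructed rules in a made-up (source, destination, port, action) form.
RULES = [
    ("10.1.0.0/24", "10.1.0.0/24", "any", "allow"),   # intra-tenant traffic
    ("10.0.0.0/28", "10.1.0.0/24", 22, "allow"),      # management into tenant A
    ("10.1.0.0/24", "10.2.0.10/32", 2049, "allow"),   # tenant A to tenant B storage
    ("0.0.0.0/0", "0.0.0.0/0", "any", "deny"),
]

def owners(cidr, tenants):
    """Tenants whose subnets overlap the given CIDR block."""
    net = ip_network(cidr)
    return {t for t, subnets in tenants.items()
            if any(net.overlaps(ip_network(s)) for s in subnets)}

def shared_subnets(tenants):
    """Pairs of tenants that claim overlapping address space."""
    items = [(t, ip_network(s)) for t, subs in tenants.items() for s in subs]
    return [(a, str(x), b, str(y))
            for i, (a, x) in enumerate(items)
            for b, y in items[i + 1:]
            if a != b and x.overlaps(y)]

def cross_tenant_rules(rules, tenants, exempt=("shared-mgmt",)):
    """Allow rules whose source and destination belong to different tenants.
    Rules are judged individually; exempt tenants are ignored on both sides."""
    findings = []
    for index, (src, dst, port, action) in enumerate(rules):
        if action != "allow":
            continue
        src_owners = owners(src, tenants) - set(exempt)
        dst_owners = owners(dst, tenants) - set(exempt)
        findings += [(index, s, d, port)
                     for s in sorted(src_owners)
                     for d in sorted(dst_owners) if s != d]
    return findings

if __name__ == "__main__":
    print("overlapping ownership:", shared_subnets(TENANTS))
    print("cross-tenant allows:", cross_tenant_rules(RULES, TENANTS))
```

Because each rule is judged on its own, an allow rule shadowed by an earlier deny is still reported, which is the conservative choice for a separation audit.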
Most agree that VMware has a great opportunity, and some say obligation, to define the security integration story, considering its position in the virtualization marketplace and the role of the hypervisor in negotiating the security, performance, and resource policies between applications and infrastructure. Discussing the architecture with a few colleagues produced a few initial reactions.
- As of the end of last year, this architecture had only been lab tested; it had not yet been tested in end-user production environments or independently verified with certifications, etc. (Question: against what yardstick or standard is this security architecture being measured?) It is clearly a work in progress, as is security in the cloud more generally. However, there's no doubt that progress will continue, with new components and capabilities added to improve both the manageability and the security of the stack. NetApp has also indicated that the origins of the architecture trace back 7 years, spanning dozens of large production deployments in the interim, and that the architecture benefits from lessons learned in those years.
- There’s tremendous complexity in the architecture. Not surprising. And while complexity and security tend not to work well together for practitioners, the ultimate goal is to prove this approach less complex than trying to achieve massive economies of scale with manageable domain separation for security, QoS, resource allocation, etc.
- Although the concepts of trust and assurance levels are sprinkled throughout the document, it’s difficult to determine how secure or trustworthy the architecture actually is. For example, if the integration were defined in terms of a category of standard assurance levels, such as the levels defined by NIST in FIPS 140 for security modules (most likely overkill, but a reasonable reference), would end-users see a clearer path to implementation for workloads - tier 1, tier 2, etc. - with varying risk parameters? Food for thought.
Can we ultimately get to a point in integration where security is instrumented and can be dialed up and dialed down by policy for any given risk or compliance requirement?
Action Item: Stay tuned and start VSI testing. Not only is this architecture for integrating security new, but so are some of the threats, vulnerabilities, and risks. But security integration is certainly the name of the game in cloud computing, and the best integrations will be those that come with less complexity, open policy-based assurance levels, and best-in-class capabilities for all security requirements, from credential management, to hypervisor hardening, to application protection, etc.