To achieve cost savings, scalability and other important benefits, many organizations have migrated applications and sensitive data to private clouds. However, concerns over how to secure a private cloud and the resources within it often delay these migrations. Virtualization technologies, in particular, are very important to cloud security. Yet many IT staff members do not have experience securing or managing them. It is not always clear how an organization’s security policies for traditional IT systems can be supported in a cloud environment.
Fortunately, enterprises are becoming increasingly savvy about private cloud security. By taking advantage of the current knowledge of virtualization security for private cloud architectures, enterprises can migrate additional data and applications to private clouds with increased confidence that these data and applications will remain secure.
Virtualization security is critically important to the overall security of any private cloud deployment. An attacker who can circumvent or compromise virtualization security controls can readily hop from one cloud workload to another. Such an attacker could be a malicious insider who wants unauthorized information or an external attacker who has gained access to the private cloud through a compromised user device (such as a desktop, notebook or mobile device) and then escalated the user’s privileges to cause a data breach.
Virtualization security can be intimidating for IT professionals who do not have experience with virtualization technologies. However, virtualization is merely another layer to secure. It has its own threats and vulnerabilities — and its own security controls and practices designed to reduce these risks.
Virtualization software is one of several layers. The first layer is the physical environment, which requires physical security controls. To accomplish this, IT staff should treat a private cloud like any other enterprise data center. Rigorous physical security controls should be implemented to minimize physical access to cloud servers, networks and infrastructure (such as power, water or climate control systems). Next, depending on the cloud architecture details, a host operating system layer might sit on top of the physical layer. Like any other server’s operating system, the host operating system needs to be secured, and even more tightly if possible.
For more information on overcoming security challenges during cloud deployment, read the white paper “Securing the Private Cloud.”