CompTIA CASP+ CAS-004 – Chapter 05 – Implementing Security for Cloud and Virtualization Technologies
- Chapter Introduction
In this chapter, we’re going to be looking at implementing security for cloud technologies and virtualization technologies. Cloud technologies are all the rage today. It’s what everybody’s talking about. Operating systems are built for it and it’s utilized just about everywhere. As security professionals, though, the introduction of cloud technologies brings about a new set of challenges: data ownership, data retention, data recovery, confidentiality, integrity, and availability.
Or rather, new ways of looking at those security fundamentals as they relate to cloud technologies, because in many cases when we talk about cloud technologies, we’re discussing situations where the data is no longer under our direct control, or we at least don’t manage the physical devices that are hosting that data. Along with the heavy use of cloud technology, we have a lot of ambiguity. I’ve always found that cloud technology is really confusing to a lot of people. They still have a good grasp of it and that’s okay.
That’s what we want to do here: make sure that we understand the differences between the service models, the differences between the different hosting options, and some considerations that you can take into account as you’re thinking about cloud technology. Now, cloud technology is simply built on virtualization technology at this point.
Most people are more familiar with virtualization because it’s been around longer than the cloud has. But the cloud is merely an extension of virtualization that gives some extra capability. So we’re going to talk about all of these. We’re also going to discuss some options for securing remote access and collaboration as well: unified messaging capabilities, Voice over IP, and a little bit on the different types of VPNs that can be utilized for remote access for users. And the long and the short of it is that these technologies are used in just about every organization that you’re going to encounter, so as security professionals, we need to be prepared for that.
- Topic A: Cloud and Virtualization Technology
In this first topic, we’re going to discuss cloud computing and virtualization. So, as I said, virtualization is really the foundation: operating independent machines, each with an operating system and virtual hardware, nested inside a single host system, sometimes called the hypervisor. That gives us a lot of flexibility and a lot of benefits, which we’ll go through, and that is then extended to the use of the cloud. In the cloud we have automatic provisioning. We have elasticity, the ability to grow and shrink on an as-needed basis to respond to the corresponding performance requirements, based on peak usage and non-peak usage.
We have the pay-as-you-go model, the ability to essentially say I need that and I need it now, and have it automatically provisioned for you. Those are cloud capabilities. But everything in the cloud is virtualized, right? You’re not clicking and procuring a physical server in 20 minutes. No, you’re procuring a virtual machine, which can then be modified and expanded or shrunk to meet your particular needs. So those two are closely related to one another, and we need to have a good understanding of them.
- Cloud Computing and Virtualization
Now, as I said earlier, cloud computing is ambiguous. People do get confused with cloud computing. They’re not exactly sure what it’s all about. They know it’s out there on the Internet, but sometimes that’s about as far as it goes. It can be confusing because it comes in a number of different forms. But essentially it’s a fairly simple concept that just builds on virtualization capabilities and makes data centers accessible over the Internet to their customers. I like to explain it in this way, because we understand virtualization, and I think this works.
So with virtualization, you have something often referred to as the fabric. That fabric includes the physical machines that the virtual machines are hosted upon. The physical machines have physical CPUs, they have physical memory, they have network cards, and they have storage devices inherently, or they have access to storage devices on the storage area network. Those are the physical resources. Even when we use virtualization, obviously there are still physical resources, right? You don’t just slice and dice CPU and memory; there isn’t a separate physical CPU and memory for each individual virtual machine. So physical resources exist in virtualization; it’s just that they’re on the hypervisor, and those are allocated to the individual guest operating systems running in virtual machines.
And that’s where the benefits come from, because I have a reduction in overall power use with virtualization, since I’m minimizing the number of physical computers. They are virtual computers, and therefore I can dynamically allocate compute and storage resources. You need four processors? Then I give you four processors. If we install another app and we decide we need to double that, then I can go in and give you eight virtual CPUs. So long as there are enough physical CPUs on the host to go around, that’s not going to be an issue.
You need more storage? We’ll just give you another virtual hard drive, or we’ll just expand the existing virtual hard drives. Once again, as long as you have enough resources on the host, that’s no problem. And in fact, most of that can be dynamically allocated and does not require you to even shut down the virtual machine. It depends; CPU allocation typically would require a restart. Virtualization gives us easier disaster recovery and high availability. That’s another advantage that it has, and the reason for that is that everything is stored inside virtual machine files. Those virtual machines can be a resource in a failover cluster.
They can be replicated from one system to another and so automatically activated on a second host system should the first host fail. I don’t mean to be getting off the train, but we’re building on virtualization. And in virtualization you use a set of resources: compute resources, which are memory and processor, network resources, and storage resources. Collectively, you can refer to those as the fabric. All right, now fast forward to cloud computing, because cloud computing is just an extension of virtualization, and it’s going to provide us with some benefits on top of virtualization. Those benefits are going to be the ability, as I said before, to automatically provision, to automatically deploy via virtual machine templates, to have a pay-as-you-go model, and to not only have scalability, the ability to scale up, but to have elasticity, the ability to scale up and down based on workload. But it’s all still based on virtualization.
So the very first question is who hosts the resources? Are you paying another company to host and manage your cloud? Then what you have is a public cloud. Or are you creating and managing your own environment, your own cloud? Then you would have a private cloud, okay? I’m trying to break it down because it’s understandable how this can all get confusing, but this part should not be that confusing. Public cloud: the provider owns the resources. Private cloud: the customer owns the data center. I personally had a problem with the term private cloud. What do you mean, a private cloud? Is this just a cloud? Is it stuff out there on the Internet that’s just private to me? No, that would be a multitenant public cloud. It has nothing to do with where it’s located; what it does have to do with is who owns the resources.
That’s what it’s really all about: who owns that underlying fabric, who can see it, and who can manage it. If you’re utilizing a public cloud, whether it’s a third-party provider or Microsoft, Google, or AWS, you don’t see or manage the underlying resources. That is a public cloud, and in reality that’s the most common type of cloud for us to be dealing with. You might ask, why would somebody want a private cloud? Well, in a private cloud situation, the organization can take advantage of cloud technologies: the automatic provisioning, the pay-as-you-go, the billing based on resource usage, et cetera. They can take advantage of all that, but they can do it in-house. So larger organizations may set up and manage a private cloud.
- Cloud Options
All right, so let’s talk a little bit more about these. There are a couple of other cloud options that we haven’t mentioned. By way of introduction, you might see that I’m sort of passionate about cloud technologies; I work a lot with them, so I don’t mean to go off there, but here are your different options. The public option is going to be the most likely one for you to use. This is the standard cloud computing model, and in this model a service provider is going to make resources available to the public over the Internet. All right? Now some of them may be free, or they may be offered for pay per use. And when we say some of them may be free, a good example of this would be cloud storage. So cloud storage via Dropbox, Google Drive, or OneDrive from Microsoft: they all have free versions. As long as you register, you get X amount of gigabytes for free, because storage is cheap and the proprietors don’t care.
They also are assuming that at some point you will run out of space, and then you will need to expand, and then they’ll start charging you $10 a month for a terabyte of data. But that’s a whole lot of data for $10 a month if you need that type of cloud storage. In Microsoft Azure, there are some services that are free, or maybe not free but so cheap that they’re virtually free to use. So it kind of depends on exactly what you’re doing. Obviously there are a lot of other things in the cloud that are not free at all. Office 365 in Microsoft’s world, their software as a service product, is anywhere from $4 or $5 per user per month up to $20 to $30 per user per month, depending on the features that you require. Hosting massive SQL databases on Azure Virtual Machines, or in Google Cloud or AWS, is going to be hundreds of dollars a month, but you don’t have to pay for the resources up front; you’re paying for them as you use them. In this case, the public case, the provider does own the resources. So as I said, Amazon, IBM, Google, Microsoft, and many more are in this situation.
They’re always available over the Internet, and you have access to your subscription. The cloud delivery model is then going to determine your access to resources, but we’ll get to that. Private cloud is still utilizing the cloud computing model, but the organization is implementing the cloud in its internal enterprise. So we own the data center that is hosting all of the virtual machines, and that cloud is not used by anybody outside the organization, but it is used by employees and partners. In this case, you definitely will need on-site personnel, you’ll definitely need specialists, and typically you will be using specialized software that is meant to manage private clouds, like the System Center suite of products from Microsoft. A hybrid cloud is a situation in which an organization provides and manages some resources in-house and has others provided externally via the public cloud. This is more common than you might think, because a lot of organizations don’t go all in and just move everything to the public cloud. And very few organizations that I’ve interacted with have a private cloud. So they either use public cloud technologies or they don’t use cloud technologies at all.
That’s been my experience. But when they make the jump to public, it’s typically not an all-or-nothing kind of thing unless you have a smaller environment. So I currently work for a managed service provider and I do a lot of cloud deployments, moving people to Office 365, moving people to Azure, and it’s almost always a part of the infrastructure. Just in the last month, I have a couple of exceptions to that, but they’re companies that have five users.
So if it’s a company that has five users, well, sure, they might eliminate an on-prem server. It was the only server they had, and so they’re moving completely to Office 365, SharePoint, and OneDrive for data, and that’s that. Or another company might move to an Azure-hosted domain, eliminating an on-prem server; that would be a full move to a public cloud. But most of the time we’re outsourcing one part of the organization. And in many cases today, still the most common piece is email. Tons of organizations have moved to Office 365, and in so doing they’ve eliminated an on-premises Exchange server. They haven’t eliminated all of their servers, just that on-premises Exchange server.
They don’t have to worry about securing it anymore, they don’t have to worry about maintaining it, they don’t have to worry about upgrades, and so they’ve offloaded that part. Files are becoming a popular one as well, using file storage in the various cloud providers, or mapping drives directly to Azure file shares in Microsoft’s world. But in that case, you would be talking about a hybrid. So users are logging in and authenticating against a local domain controller, hitting a local print server, but their web server is hosted in the cloud and their file server is hosted in the cloud.
Okay? That would be a hybrid. And that is going to require a relationship with the service provider, a link between the two, as well as an in-house cloud deployment specialist or at least help from contractors, because there are a number of things that you have to do. Sometimes hybrid takes on a bit more meaning, because occasionally you can go hybrid within particular applications. Okay? But that’s not the hybrid we’re really talking about here.
That can be another confusing element: some applications will support parts on-prem and parts in the cloud, and there’s a synchronization and a relationship between the two. That will likely be the case, but it’s not necessarily inherent to the term hybrid. When we talk about hybrid cloud here, we’re really just talking about some information being on-prem and some information being in the cloud. It can be completely different information, right? I can host my authentication systems and infrastructure services, DNS, DHCP, and Active Directory, on-prem, and I’m hosting files, a web server, and my email in the cloud.
That’s still a hybrid when you’re just talking about the cloud computing model that you happen to be using. And what’s really important, of course, in that situation, or in any situation where you’re using the public cloud, is that confidential and private information typically would be limited to the on-prem environment unless we’ve already gone through and taken all the steps to make sure that it’s secure. A community cloud is a cloud computing model in which the cloud infrastructure is shared among a number of different organizations from a particular group. These are usually governmental, sometimes maybe healthcare, and agreements would be created to explicitly define the controls that would be put into place to protect the data of each organization involved in that community cloud. It’s a big multitenant environment, but it’s a little bit different from other multitenant environments because the organizations are collected together; they are in a community. However, they can still be managed separately. That brings us to the term multitenancy. The multitenancy model is a cloud computing model where multiple organizations are sharing resources. This is the model that’s used by service providers, because they’re going to slice and dice their resources and allocate them to individual organizations, and it helps them to manage that resource utilization a lot more efficiently. It is a little bit dangerous, and this has been one of the pain points as it relates to security for cloud technologies.
So organizations really need to ensure their data is protected from being accessed by other organizations or by unauthorized users. Your data is now outside of your direct control, meaning it is physically stored on devices that you cannot touch. They are not in your data center. Sure, there are logical software controls that you have over that information, but the provider has access as well, and we need to make sure that other tenants don’t have access. And that’s all, of course, in the documentation for particular providers.
Generally speaking, you aren’t going to have to worry about the SLAs if you stick with the big players like IBM, Google, AWS, and Azure from Microsoft. But if you start getting into some third-party providers to save some money, then you definitely need to be looking into this in great detail, okay? Organizations need to not only ensure security, but also ensure that the provider is going to have enough resources for the future needs of the organization. Because multitenancy is a great thing, unless whoever’s behind the curtain doesn’t know what they’re doing. If they’re not managing resources properly, then one organization gets more than its share and the other organizations have to pay for it.
And that’s not a good thing. So especially with lower-end third-party providers, you would really want to dig through all the documentation and make sure you’ve taken a look at the agreements, the security certifications, et cetera. A single-tenancy model is a model where a single tenant is using a resource. That does make sure the organization’s data is protected from other organizations, but it’s way more expensive than a multitenancy model. Your public cloud offerings are really not going to use that at this point.
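Two points from this topic come down to the same mechanism: handing a virtual machine four or eight vCPUs only while the host has physical CPUs to go around, and the multitenancy worry that one organization can take more than its share of a provider's fabric. The Python model below is an added example, not code from the course or from any provider; it shows how a hypervisor or cloud controller could enforce both limits with a simple admission check. The host sizes, tenant names, quota figures and the cpu_overcommit ratio are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Resources:
    """A bundle of fabric resources: compute (vCPUs, memory) and storage."""
    vcpus: int
    memory_gb: int
    storage_gb: int

    def __add__(self, other: "Resources") -> "Resources":
        return Resources(self.vcpus + other.vcpus,
                         self.memory_gb + other.memory_gb,
                         self.storage_gb + other.storage_gb)

    def fits_within(self, limit: "Resources") -> bool:
        return (self.vcpus <= limit.vcpus
                and self.memory_gb <= limit.memory_gb
                and self.storage_gb <= limit.storage_gb)


ZERO = Resources(0, 0, 0)


@dataclass
class Host:
    """A hypervisor host shared by several tenants (constructed model, not a real API)."""
    physical: Resources
    cpu_overcommit: float = 1.0                 # 1.0 = never hand out more vCPUs than cores
    quotas: dict = field(default_factory=dict)  # tenant -> Resources (that tenant's share)
    vms: dict = field(default_factory=dict)     # vm name -> (tenant, Resources)

    def capacity(self) -> Resources:
        # CPU time is commonly oversubscribed; memory and disk are hard limits here.
        return Resources(int(self.physical.vcpus * self.cpu_overcommit),
                         self.physical.memory_gb, self.physical.storage_gb)

    def used_by(self, tenant=None) -> Resources:
        total = ZERO
        for owner, alloc in self.vms.values():
            if tenant is None or owner == tenant:
                total = total + alloc
        return total

    def allocate(self, tenant: str, vm: str, request: Resources):
        """Admit a VM only if the tenant's quota AND the host's capacity both hold."""
        if vm in self.vms:
            return False, "vm already exists"
        if tenant not in self.quotas:
            return False, "unknown tenant"
        if not (self.used_by(tenant) + request).fits_within(self.quotas[tenant]):
            return False, "tenant quota exceeded"        # noisy neighbour stopped here
        if not (self.used_by() + request).fits_within(self.capacity()):
            return False, "host capacity exceeded"       # fabric itself is full
        self.vms[vm] = (tenant, request)
        return True, "allocated"

    def resize(self, vm: str, new: Resources):
        """Grow or shrink a VM; returns (ok, reason, needs_restart)."""
        if vm not in self.vms:
            return False, "no such vm", False
        tenant, old = self.vms.pop(vm)
        ok, reason = self.allocate(tenant, vm, new)
        if not ok:
            self.vms[vm] = (tenant, old)                 # roll back; nothing changed
            return False, reason, False
        # Memory and disk can usually be added live; a vCPU change typically needs a restart.
        return True, "resized", new.vcpus != old.vcpus


def demo():
    """Constructed scenario: two tenants with equal shares of a 16-core host."""
    host = Host(Resources(16, 128, 4000))
    host.quotas = {"acme": Resources(8, 48, 1000), "globex": Resources(8, 48, 1000)}
    log = [
        host.allocate("acme", "acme-web", Resources(4, 16, 200)),
        host.allocate("acme", "acme-db", Resources(4, 16, 400)),
        host.allocate("acme", "acme-extra", Resources(1, 1, 10)),     # acme is at its vCPU share
        host.allocate("globex", "globex-app", Resources(8, 32, 500)),
    ]
    host.quotas["initech"] = Resources(8, 48, 1000)
    log.append(host.allocate("initech", "initech-app", Resources(1, 1, 10)))  # host has no vCPU left
    log.append(host.resize("acme-db", Resources(4, 24, 400)))    # memory only: live change
    log.append(host.resize("acme-web", Resources(2, 16, 200)))   # fewer vCPUs: needs restart
    log.append(host.allocate("initech", "initech-app", Resources(1, 1, 10)))  # now it fits
    return host, log


if __name__ == "__main__":
    _, results = demo()
    for entry in results:
        print(entry)
```

The order of the two checks is deliberate: a tenant is refused by its own quota before the host is ever consulted, so a single customer cannot consume the spare capacity that the other tenants' quotas promise them. Raising cpu_overcommit above 1.0 is how a provider stretches physical cores across more vCPUs, and it is exactly the knob a careless operator can abuse, which is why the lecture tells you to read the provider's agreements.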