Knowledge
Identify relevant industry security standards.
- There are a few security standards, and they normally apply to government, finance, military and telecommunications. Each of these sectors keeps to a few standards, and they largely overlap into the next point of compliancy. For example, here in the United Kingdom there are a few cloud vendors who run community clouds where they assure they meet business impact levels, and each of these levels determines the requirements for protection. A really good article straight from the UK government is here where information security is defined based on a number of criteria. A lot of government and military companies keep data in IL2 or IL3, and vSphere 4.0 and 4.1 were actually verified to meet IL3 compliancy. Recently they are still EAL4+ and FISMA certified.
- For your conceptual design you will need to know what abstraction is required based on whatever the relevant security standard is, and you will most likely have to sit down with the compliancy officer and determine what they feel is required for them to approve that your solution meets their security standards.
Identify relevant industry compliance standards.
- There are a number of compliance standards, used by various companies: from those who process credit cards, to hospitals who keep people's personal data, to companies who have to keep to specific regulations. Some are only applicable in specific countries, but the ones I think are the most likely to be seen in a vCloud environment are:
- Sarbanes-Oxley
- Health Insurance Portability and Accountability Act (HIPAA)
- Federal Financial Institutions Examination Council (FFIEC)
- Payment Card Industry Data Security Standard (PCI DSS)
- International Organization for Standardization (ISO) 17799
- National Institute of Standards and Technology (NIST)
- International Organization for Standardization (ISO) 27001
- A really great example of this is the Architecture Design Guide for Payment Card Industry (PCI) document by VMware. This is PERFECT in showing the kinds of things you need to keep in mind and the varying mechanisms to achieve this. The document goes much deeper than conceptual but seeing as you will have to go from conceptual to logical and then to physical it makes sense to learn it now.
- Another great document by VMware that is mentioned on the blueprint is the Infrastructure Security: Getting to the Bottom of Compliance in the Cloud document.
Explain vCloud security capabilities.
- This, along with the two points above, is covered perfectly in appendix B of the vCAT Architecting a VMware vCloud pdf. For the conceptual design this is more around isolation and multi-tenancy, but the whole of appendix B gives a great breakdown of the kinds of security that are possible within vCloud and the mechanisms and products that can be used to achieve this.
Identify the auditing capabilities of vCloud technologies.
- This covers the wide range of mechanisms that are possible via vCloud, such as logging, log retention, syslog shipping and firewall logging via vCNS, to name but a few. Appendix B of the vCAT covers these off really well, and the retention policies mentioned in the Architecture Design Guide for Payment Card Industry (PCI) document cover off the kinds of auditing you may be requested to do. For conceptual this isn’t very applicable and I’m amazed it is actually mentioned here.
Skills and Abilities
Based on customer requirements, determine auditing requirements for a vCloud conceptual design.
- These would be determined in design workshops and discussions with different subject matter experts within the customer, around what they are looking to audit/log and whether there are any compliancy standards they need to meet. If they are a service provider who provides public cloud to the general public, then there is a very good chance they have to meet PCI compliancy, for example, and so retain logs and do auditing to ensure security and allow retrospective inspection. For a conceptual design, auditing isn’t something you would put in your “napkin” design, but knowing that you need additional auditing does mean you have to design to be prepared for this in the logical and physical designs.
Based on customer requirements, determine security requirements for a vCloud conceptual design.
- A large portion of this is the same as above, as security requirements around compliancy include auditing also. For example, if it is a private cloud that is being designed but it is for a hospital, then HIPAA standards need to be met and so certain security measures need to be applied. For conceptual this is mainly around separation, defence in depth and usage of two factor authentication, to name a few off the top of my head. How different zones within the cloud offering are separated and secured also needs to be planned for and conceptually designed.
Based on customer requirements and vShield Edge security capabilities, determine the impact to a vCloud conceptual design.
- For this you need to know what vShield Edge is capable of doing and in what use cases each of these capabilities would be used. A perfect document that describes this is the vShield Edge Design Guide Whitepaper. The actual impact to a conceptual design is mainly that vShield Edge allows isolated virtual datacentres to be hosted on a common physical infrastructure instead of needing siloed physical infrastructures. The separation via the vShield Edge firewall is in most cases more than sufficient, but knowing where physical separation is required (PCI for example) is also very important.
- vShield Edge also provides IPSec VPN capabilities, which are very important for the security of your cloud infrastructure. Knowing that vShield Edge can provide this along with NAT, load balancing and, most importantly for this section, firewall capabilities via one device means you don’t need multiple devices like in a traditional multitenant design.
Explain the logging capabilities of the various VMware products.
- There are numerous products within the VMware product set that enable logging capabilities. The main ones that will apply to the vCloud infrastructure are:
- vCloud Director: kb.vmware.com/kb/2021435
- vCloud Director Cells: kb.vmware.com/kb/1026815
- vCenter: kb.vmware.com/kb/1011641
- vCloud Director Diagnostic and Audit Logs: http://download3.vmware.com/vcat/documentation-center/index.html#page/Operating%2520a%2520vCloud/3b%2520Operating%2520a%2520VMware%2520vCloud.2.139.html
- vShield: kb.vmware.com/kb/1026255
- A brilliant blog article by Tom Fojta about Centralized Logging in vCloud Director Environments, which covers all of the above and some more.
If you feel I have covered something incorrectly please let me know, as I’m learning like everyone else and I certainly don’t claim to be perfect (near it but not perfect). Also the vBrownbag covered the whole of objective 1 here.
Gregg