Transcript TechEd Russia 2011 Template EN

Building a secure private cloud
on Microsoft technologies
Private cloud security concerns
Security & compliance in a
Microsoft private cloud
Hybrid Clouds
Deployment
Models
Service
Models
Community
Cloud
Private Cloud
Infrastructure as a
Service (IaaS)
Public Cloud
Platform as a Service
(PaaS)
Software as a Service
(SaaS)
On Demand Self-Service
Essential
Characteristics
Common
Characteristics
Broad Network Access
Rapid Elasticity
Resource Pooling
Measured Service
Massive Scale
Resilient Computing
Homogeneity
Geographic Distribution
Virtualization
Service Orientation
Low Cost Software
Advanced Security
A Private Cloud presents the
OS and virtualization
resources as a pool of shared
resources
Operating System
Virtualization
Your focus now shifts to the
applications, where you rely
on the pool of resources to
supply the right capacity and
capabilities
Management
The resource pool is created
through management, based
on business rules and executed
through automation.
You no longer think about
numbers of VMs, server
ratios, memory or storage but
instead on how much compute
resources you have access to
AuthN, AuthZ & Auditing
Admin / Tenant Interfaces
Orchestration Layer
Management Layer
Hyper-V based Hypervisor
Compute / Network / Storage
* Source: IDC Enterprise Panel, August 2008
# CIA = Confidentiality, Integrity & Availability
Root Partition
Guest Partitions
Ring 3
Ring 3
Virtualization Stack
Guest
Applications
VM Worker
Processes
OS
Kernel
Server Core
Windows
Kernel
Device
Drivers
VMBus
Ring 0
“Ring “-1”
Storage
Ring 0
Windows hypervisor
NIC
CPU
Root
Partition
Guest
Partition
Guest
Partition
Virtualization
Stack
VM 1
VM 2
VM 1
(Admin)
VM 2
VM 3
Virtualization Stack
Drivers
Hypervisor
Hypervisor
Hardware
Drivers
Hardware
“The fact is, the absolute last place you want to see drivers is in the hypervisor, not only because
the added abstraction layer is inevitably a big performance problem, but because hardware and
drivers are by definition buggier than "generic" code that can be tested.”
Linus Torvalds, https://lists.linux-foundation.org/pipermail/desktop_architects/2007-August/002446.html
Conception
Release
Portals &
Reporting
3rd Party
Solutions
IT Silos
VM Provisioning Process
Event Mgmt
Remove from
Ops Manager
Add to
Ops Manager
Service Desk
Asset/CMDB
Monitor
Service
request
Create
incident
Update
request
5
Update
request
3
Retire CI
Configuration
1
2
Test VM
Virtual
Stop VM
Security
Clone new
VM
Storage
Detach Storage
Server
Network
Detach Network Adapter
Update
properties
Deploy
Applications
Update & close
request
Create CI
Verify
Application
4
Layer
Defenses
Data
 Windows security model for access control and auditing
 System Center Data Protection Manager for data availability
Application
Host
Network
Perimeter /
Access
 User identification & authorization
 Application-layer malware protection
 Host boundaries enforced by external hypervisor
 Host malware protection
 VLANs and packet filters in network fabric
 Host firewall to supplement & integrate IPSec isolation
 Controlled access to portals / services using UAG
 Controlled outbound access using TMG
 Patch Management
 Application / Host
hardening
Service
Management
Security
Orchestration
Management
Automation
Virtualization
Servers
Approve Service
Request
Security Updates
Received
Investigate Any
Issues
5
2
1
Initiate Update
Workflow
Continue
Workflow
Migrate VMs
off Host
Initiate Maint.
Mode on Host
4
Patch Physical
Host
Report Workflow
Results
Patch Master
Image
Verify Host
Availability
Run Host
Health Check
VM Live
Migration
Verify Hyper-V
Health
3
Patch
Installation
Verify Server
Health
Verify Network
Connectivity
Patch
Installation
7
Continue
Workflow
Migrate VMs
Ensure Separation
Network
Storage
8
Investigate Any
Issues
Verify Storage
Connectivity
Verify Patch
Installation
6
End Maint.
Mode on Host
Migrate VMs
off Host
Migrate VMs
Back
VM Live
Migration
Report Workflow
Results
Data Center’s
Physical Servers
Guest OS
Data-Center Network
Microsoft Private Cloud Architecture blog
Microsoft Private Cloud Architecture Facebook page
Microsoft Private Cloud Architecture Twitter account
Microsoft Private Cloud Architecture LinkedIn Group
Microsoft Private Cloud TechNet forums
Microsoft Private Cloud Dojo on the TechNet Wiki
[email protected]
http://blogs.technet.com/b/privatecloud/