Today I received a very interesting question from a coworker about something related to this subject. In a nutshell the question was: I definitely see the value of moving to a private cloud, however today I have lots of tools in place to protect my network (IDS, IPS, etc). What it will happen with these tools when I move to a private cloud?
This is an important question to ask when planning to move to a private cloud. What it will happen with the investment that I have in place today to protect my network? While you will preserve this investment, it will be necessary to have other tools in place to protect the tenants that are part of the private cloud infrastructure. Let’s use the diagram below as an example:
The diagram shows that the investment in the physical network protection can still be used to monitor traffic outside of the hypervisor. What needs to be done now is to invest in to virtual network protection to allow the communication between tenants and also in/out from the virtual network to take place in a secure manner. There are many built in resources in Windows Server 2012 R2 that will enable you to do that, here are some:
- Scenario 1: Protecting against eavesdropping attack
- Scenario 2 – Protecting against rogue services
- Scenario 3: Isolating and protecting virtual machines
As you can see in the third scenario, there is also the possibility to extend the security beyond the capabilities that are built in to Hyper-V Virtual Switch. For more information about some of the enhancements in the Hyper-V Virtual Switch in Windows Server 2012 R2, read this article. Also feel free to download this presentation that I delivered last year about Security Enhancements in Windows Server 2012 for Private Cloud Infrastructure.
In summary, you won’t lose your investments in physical security, but you must plan correctly to address the new treat landscape that will be introduced with the addition of the virtual network in your infrastructure.