Security is a much-discussed topic in relation to cloud computing, especially for public cloud environments. This blog post goes into detail on how security is arranged within and around IBM SmartCloud Enterprise.
This is the third part of the IBM SmartCloud Enterprise Unleashed series, find the previous posts here:
- Unleashed I takes you through all the basics of SmartCloud Enterprise and details all valuable information resources.
- Unleashed II is a deep dive into functional and technical use cases, utilizing the capabilities that SmartCloud Enterprise offers.
Public guests in all data centers now benefit from our Secure Shield Internet connectivity, with additional firewall and intrusion protection, as well as new distributed denial of service (DDoS) and botnet protection. This new networking design also provides the foundation for the additional shared, private connectivity options that many of our customers have been requesting.
Improved hypervisor security
Since the release of SmartCloud Enterprise 2.1, mandatory access control (MAC) is enabled in the KVM hypervisor, adding a further level of isolation against guest break-outs beyond basic process separation. For more information on KVM security, see our whitepaper KVM: Hypervisor Security You Can Depend On.
New demonstration videos
Three new demo videos have recently been uploaded to the SmartCloud Enterprise video channel. For this blog post I would like to specifically mention Demo #10 — VM Dedicated Firewall. This video illustrates how to install and configure a Red Hat instance to act as a gateway between the public Internet and a private VLAN. After the firewall instance is provisioned, we show how to modify the Red Hat firewall settings as well as how to modify the route files to direct traffic through the firewall instance.
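As an added illustration of the gateway setup the demo describes (this is my own example, not the commands shown in the video), the script below generates the three pieces of configuration such a Red Hat gateway needs: an iptables rule set with default-deny INPUT and FORWARD chains and NAT for the private VLAN, a route file for the instances behind it, and the sysctl settings that turn the instance into a router. Interface names (eth0 public, eth1 private), the 10.10.0.0/24 VLAN, the gateway address 10.10.0.1 and the 203.0.113.0/24 administrative network are all constructed assumptions; the functions only write to a staging directory so the result can be reviewed before it is copied into /etc/sysconfig.

```shell
#!/bin/sh
# Added example (not from the IBM demo video): generate the firewall rule
# set, the VLAN route file and the sysctl settings for a dedicated gateway
# instance between the public Internet and a private VLAN.
# Assumptions (constructed, override via environment):
#   eth0 = public interface, eth1 = private VLAN interface
#   10.10.0.0/24 = private VLAN, 10.10.0.1 = gateway's private address
#   203.0.113.0/24 = network from which SSH to the gateway is allowed
PUB_IF="${PUB_IF:-eth0}"
PRIV_IF="${PRIV_IF:-eth1}"
PRIV_NET="${PRIV_NET:-10.10.0.0/24}"
GW_PRIV_IP="${GW_PRIV_IP:-10.10.0.1}"
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"

# Emit an iptables-restore file (/etc/sysconfig/iptables format):
# - INPUT and FORWARD default to DROP, only OUTPUT is open
# - return traffic is allowed through connection tracking
# - SSH to the gateway itself only from ADMIN_NET on the public side
# - the private VLAN may initiate connections to the Internet (NATed),
#   nothing initiated from the Internet is forwarded to the VLAN
# - forwarded packets that fall through are logged before the DROP policy
gen_iptables_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $PUB_IF -p tcp --dport 22 -s $ADMIN_NET -m state --state NEW -j ACCEPT
-A INPUT -i $PRIV_IF -s $PRIV_NET -p icmp -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $PRIV_IF -o $PUB_IF -s $PRIV_NET -m state --state NEW -j ACCEPT
-A FORWARD -j LOG --log-prefix "FWD-DROP: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $PUB_IF -s $PRIV_NET -j MASQUERADE
COMMIT
EOF
}

# Route file for an instance on the private VLAN, in the Red Hat
# /etc/sysconfig/network-scripts/route-<iface> format: everything that is
# not on the VLAN itself goes through the gateway's private address.
gen_route_file() {
    printf 'default via %s dev %s\n' "$GW_PRIV_IP" "$1"
}

# sysctl settings for the gateway: forwarding on, ICMP redirects and
# source-routed packets refused, reverse-path filtering on.
gen_sysctl() {
    cat <<EOF
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
EOF
}

# Write all three files into a staging directory (default ./gateway-staging)
# and print its path. Review them, then copy: iptables -> /etc/sysconfig/iptables
# on the gateway, 99-gateway.conf -> /etc/sysctl.d/ on the gateway,
# route-eth0 -> /etc/sysconfig/network-scripts/ on each VLAN instance.
stage_gateway_config() {
    dir="${1:-./gateway-staging}"
    mkdir -p "$dir"
    gen_iptables_rules > "$dir/iptables"
    gen_route_file eth0 > "$dir/route-eth0"
    gen_sysctl > "$dir/99-gateway.conf"
    echo "$dir"
}
```

Source the file and run `stage_gateway_config /tmp/gw` to produce the three files; the point of the rule set is that the private VLAN is reachable from the Internet only through connections the VLAN instances themselves opened, and the gateway accepts administrative SSH solely from the address range you name.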
IBM SmartCloud and Security
How does IBM deliver cloud security?
Growing cloud security concerns include: securing highly virtualized environments against targeted threats and attacks, enabling secure collaboration, and protecting data (isolation, sharing) in a rapid provisioning and de-provisioning environment, all while losing direct control over security compliance and privacy parameters. In order to build trust, IBM has written this paper to enable discussion around the new security challenges cloud introduces and how these are addressed by IBM’s cloud offerings.
We highlight the approach IBM takes to secure cloud services delivered from IBM delivery centres in the whitepaper How does IBM deliver cloud security.
SmartCloud Application Services
Being able to repetitively execute changes in your infrastructure and application landscape significantly reduces error-prone manual actions, increasing the availability and overall security. On top of SmartCloud Enterprise IBM has been building a comprehensive suite of platform (PaaS) services to standardize and automate delivery activities and processes.
The first release of this suite, called SmartCloud Application Services, implements services for deploying complete pre-built and self-built topologies and services to support Agile development and continuous delivery.
Read more on deploying topologies in Edwin Schouten’s blog post Design Patterns for the Cloud, and read more on continuous delivery in the blog post DevOps and the Cloud. Even better, SmartCloud Application Services is now available for a 90-day trial at no cost.
Management and Monitoring
Security is not only about fencing your assets and data, but also about insight; knowing when your assets are showing usage patterns outside the normal pattern and being able to act on this is essential.
This Thoughts on Cloud blog post takes you through a set of technology previews that allow you to monitor your IBM SmartCloud infrastructure as a service (IaaS) resources anywhere, anytime to gain greater insight into consumption and costs. You can also download and email command output and logs from running instances, and record virtual machine instance expiration times in your calendar. With this capability, you can share information about your cloud resources with colleagues.
Authentication and Authorization
Integrate your authentication policy using a proxy
Managing business rules for the authorization and authentication of custom-built cloud applications in the IBM SmartCloud Enterprise environment doesn’t have to be a difficult task. In this developerWorks article the author uses the structure of the IBM Cloud APIs to demonstrate how to build business rules into a proxy that bridges the command line, Java, and RESTful APIs. Using a proxy also keeps users from bypassing your business rules when accessing the IBM Cloud portal.
SmartCloud Enterprise TSAM Security
This IBM Redbooks draft provides an in-depth view of the authentication and authorization tools and techniques used inside SmartCloud Enterprise. With the increasing popularity of cloud computing and its capabilities for dynamic provisioning, the need for security in the provisioning process is greater than ever.
But productivity is also an important concern. The goal of security in IBM provisioning software is to protect the resources in the data model with a minimum of administrative support. The provisioning server uses two types of security to protect the data model: authentication and authorization. Once the identity of the user is verified through authentication, authorization determines what the user can do with the product.
Secure virtual machine instances in the cloud
The Internet is a very hostile place for a server to be running. Security is a crucial element of any deployment of compute resources within an enterprise and even more important when moving those resources beyond the physical walls of an enterprise. With the growth of cloud-based infrastructures, sometimes inexperienced or unaware users do not consider how important security is in a public cloud. This developerWorks article highlights some of the topics which need to be considered when provisioning virtual servers in SmartCloud Enterprise.
Security should be dealt with on many layers of your application landscape architecture, including the network layer. This developerWorks article guides you through all the important concepts of networking for IBM SmartCloud Enterprise, including Virtual Local Area Networks, Virtual Private Networks, and the different protocol layers. Following that, it explains how to use tools including OpenSSH, OpenVPN, and proxy servers to set up different network topologies and solve connectivity problems, giving examples important to common cloud situations.
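To make the OpenSSH part of that concrete, here is an added example of my own (not taken from the developerWorks article) covering the two sides of SSH access to instances on a private VLAN: a client configuration that reaches the VLAN hosts through the gateway with a ProxyCommand, a hardened sshd_config fragment for the gateway, and a small audit function that flags the directives you do not want on an instance with a public address. The gateway address 198.51.100.10, the user name clouduser, the key file name and the 10.10.0.0/24 VLAN are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the developerWorks article: SSH access to
# private-VLAN instances via the gateway, plus an sshd_config audit.
# Constructed assumptions: gateway public address 198.51.100.10, login
# name "clouduser", key ~/.ssh/id_rsa_cloud, VLAN hosts in 10.10.0.0/24.
GW_PUBLIC="${GW_PUBLIC:-198.51.100.10}"
CLOUD_USER="${CLOUD_USER:-clouduser}"

# Client-side ~/.ssh/config: every 10.10.0.* host is reached through a TCP
# forward opened on the gateway (ProxyCommand ssh -W), so only the gateway
# needs a public address and a listening port 22. Host keys are pinned.
gen_ssh_client_config() {
    cat <<EOF
Host gw
    HostName $GW_PUBLIC
    User $CLOUD_USER
    IdentityFile ~/.ssh/id_rsa_cloud
    IdentitiesOnly yes
    StrictHostKeyChecking yes

Host 10.10.0.*
    User $CLOUD_USER
    IdentityFile ~/.ssh/id_rsa_cloud
    IdentitiesOnly yes
    ProxyCommand ssh -W %h:%p gw
    StrictHostKeyChecking yes
EOF
}

# Server-side sshd_config fragment for the gateway: keys only, no root
# logins, TCP forwarding kept on because the ProxyCommand relies on it,
# everything else that is not needed switched off.
gen_sshd_hardening() {
    cat <<EOF
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
X11Forwarding no
AllowTcpForwarding yes
AllowAgentForwarding no
MaxAuthTries 3
LoginGraceTime 30
EOF
}

# Audit an sshd_config file: print "weak: <directive> <value>" for each
# risky setting found and return 1 if any was found, 0 otherwise.
# Comment lines are skipped; directive names match case-insensitively,
# as sshd itself treats them.
audit_sshd_config() {
    file="$1"
    found=0
    for pair in \
        "PermitRootLogin:yes" \
        "PasswordAuthentication:yes" \
        "PermitEmptyPasswords:yes" \
        "Protocol:(1|2,1|1,2)" \
        "X11Forwarding:yes"
    do
        key=${pair%%:*}
        bad=${pair#*:}
        if grep -v '^[[:space:]]*#' "$file" \
            | grep -i -E "^[[:space:]]*${key}[[:space:]]+${bad}([[:space:]]|$)" >/dev/null
        then
            echo "weak: $key $bad"
            found=1
        fi
    done
    return $found
}
```

Run `audit_sshd_config /etc/ssh/sshd_config` on a freshly provisioned instance before you open port 22 to the Internet; a non-zero exit with the offending lines printed is the signal to apply the hardening fragment. On the client side, `ssh 10.10.0.5` then works without the VLAN host ever being directly reachable from your workstation.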
Backup & Recovery
Alternative Windows Capture
This asset in the Asset Catalog for SmartCloud Enterprise provides the necessary documentation and autolog scripts required to perform non-sysprep Windows image capture as part of our Alternative Windows Capture beta program. When you have images running software like Microsoft Active Directory, Microsoft SQL Server or Microsoft IIS, or using file encryption, you can consider selecting the non-sysprep capture mode to successfully capture and secure the instance as an image. This functionality is still part of the pilot program; more details can be found in the asset.
Recover a corrupted instance
Read this blog post from Dominique Vernier about how you’re able to restore a corrupted instance, using some of the more advanced SmartCloud Enterprise capabilities. The solution leverages the capability to copy images to persistent storage using the API.