Introducing A Solution for Private Cloud Security

As I’ve mentioned in other blog posts, private cloud provides you an opportunity to “reset” your datacenter. When you look at your enterprise network today, did it really grow the way you wanted it to? Is it managed and operated in the way that you would have ideally designed it? Or does it, like so many networks today, suffer from the “it sort of grew this way” syndrome? If you’re like most admins, you know that if you had the chance to start over, you’d do things a lot differently.

That’s where private cloud comes in. With private cloud, you get the chance to rearchitect your physical, platform and application infrastructure in a way that enables you to provide dial-tone services to your organization. Your rearchitected datacenter would include all the key features you want, baked in. Management, monitoring, reporting, sizing, troubleshooting, deployment and chargeback would all be tightly integrated and automated. And perhaps most important of all, security would be integrated into every aspect of your new services delivery infrastructure.

The Private Cloud Security Hole

And this is where we’ve run into a problem. In the past, if you did a search for “private cloud security” you wouldn’t see much in terms of useful information. Sure, there were plenty of short articles and blog posts, there were plenty of vendor offerings that addressed a piece of the private cloud security puzzle, but there wasn’t anything comprehensive or authoritative targeted at the private cloud. And there definitely wasn’t anything available that was specifically targeted at private cloud security architecture. This was a big hole, because without comprehensive guidance on private cloud security architecture, how can you design a truly secure private cloud deployment? You’d be stuck where you are today with your current datacenter approach to security – a “bolted on, after the fact” methodology which leaves you in the same security predicament you may be finding yourself in today.

My team saw this as a significant issue, since few organizations (or at least organizations that are invested in security and data/application governance) are going to run head-first into the private cloud without having an in-depth and thoughtful approach to private cloud security. I saw many commentators quip that private cloud security is little more than traditional datacenter security, but with the added consideration of virtualization security issues. Although we recognized that private cloud security shares much in common with traditional datacenter security concepts, principles and patterns, there are some issues that are unique to the private cloud environment and some where there is increased focus or a different approach than what you would use in a traditional datacenter.

A Solution for Private Cloud Security

These were our thoughts and motivations for creating “A Solution for Private Cloud Security”. Note that the title states “A Solution” and not “The Solution”. We did this on purpose because we didn’t want the title to connote that this document set is the only approach to private cloud security – it is one of many possible solutions and this is ours. A Solution for Private Cloud Security is one component of our Reference Architecture for Private Cloud, which is a comprehensive set of documentation on private cloud architecture. Thus, A Solution for Private Cloud Security takes an architectural approach to private cloud security.

A Solution for Private Cloud Security includes the following core documents:

Each of these documents can be read online, or you can download the entire document set.

You might notice that the Solution for Private Cloud security documentation is located on the TechNet wiki. We had several reasons for doing this:

  • The TechNet wiki is a low-overhead, low-friction, agile platform that enables us to publish critical content that you need in the shortest time possible.
  • The TechNet wiki enables us to develop thought-leading content in collaboration with the private cloud architecture community – while we have a lot of great minds at Microsoft, there are even more great thinkers outside of Microsoft, and we want to work together to create the type of thought-leading content you need so that you can confidently deploy private cloud in a secure fashion.
  • The TechNet Gallery allows us to post Microsoft Word .doc files as well as PDF files so that the content is available for offline use.
  • Versioning the content on the wiki and Gallery is fast and easy.

Of course, no solution is perfect and there were some issues that we needed to address. The key issues and solutions include:

  • Managing a large content set – where are all the documents? Because there are so many pages in the A Solution for Private Cloud document set, we needed a way to keep track of all the content. We solved this problem by creating a content map that contains embedded links to each page. In addition, there is a spreadsheet that contains a structured collection of all the page names and links.
  • Versioning of content. Since the content is contained on the wiki, it is being continuously updated by us and the community. Many of you want to know where the “official” version is located. At this time the content is labeled “beta”, so there is no official version per se. However, by the end of February 2012, we will “stamp” the updated content as “Version 1” and there will be a graphic that states “click here to view the official version 1 of this document”. Over time, there will be a “version 2”; the graphic will be updated and a new link will be created for version 2. This will continue as an iterative process.
  • There might be malicious edits of the documents – how do we monitor for that? The wiki pages are all configured to send email messages to our team whenever there is an update. These updates are reviewed. Fortunately, there have been infinitesimally few, if any, malicious edits on the TechNet wiki.
  • Page translation (localization). Each page in the wiki includes the translation widget. Readers whose first language is not English can quickly access a machine translation. Extensive anecdotal reports suggest that machine translation is as effective as non-machine translation when the non-machine translation is not performed by subject matter experts. In addition, interested and incented individuals are able to freely translate these pages and post them to the TechNet wiki.

We are optimistic that the TechNet wiki will eventually be the preferred and standard location for timely, relevant, actionable and thought-leading guidance coming from Microsoft. Reference Architecture for Private Cloud and A Solution for Private Cloud Security are our initial attempts, and our approach will evolve over time.

Call to Action for Community Participation

One of the key enablers of the TechNet wiki is that it makes it possible for the entire private cloud security community to work together to expand and enhance the A Solution for Private Cloud content. There are a number of ways you can participate to improve this information and get it ready to meet the quality bar for version 1:

  • Edit the online content in the wiki – I will receive a notification of your edit and will review it.
  • Put a comment in the online content – I will receive a notification that you left a comment and will incorporate the changes that you suggest.
  • Download the Microsoft Word .doc files, edit the content and send the edited doc to me at tomsh@microsoft.com.
  • Download the Microsoft Word .doc files, add comments to the .doc and send the files to me at tomsh@microsoft.com.
  • Send an email to me at tomsh@microsoft.com with your ideas and suggestions and I will incorporate them into the online and offline content.

Your participation is highly appreciated and welcome, and it’s the community contributions that will put this content over the top by adding the real-world insights that only a diverse community can provide.

How to Use A Solution for Private Cloud Security Documentation

There are two main ways you can “use” the A Solution for Private Cloud Security documentation:

There are a number of “artifacts” included in the online documentation set that are designed to make it easier to use the content.

CONTENT MAP

You can use the content map to get a “bird’s-eye” view of the content – the content map is on the first page of the documentation set and looks like the figure below.

At this time, you cannot click on the pages in the content map and go to the page you’re interested in. However, you can download the content map in Visio format and you can click on the pages in the Visio file and that will take you to the pages you click on.

At the bottom of each page are links that help you navigate the online content, such as those that appear in the figure below.


All the pages include these navigational aids. Each page includes:

Our private cloud architecture group has a number of venues in which we participate. These include Twitter, Facebook, LinkedIn, TechNet forums, the TechNet blog, and others. But the central point for private cloud architectural guidance and ultimate solutions is the Private Cloud Solutions Hub. Each page in the document set contains a graphic that you can click that will take you to the Private Cloud Solutions Hub.


Summary

The A Solution for Private Cloud Security set of architectural documents provides the architectural foundation on which you can build security into your private cloud design from the ground up. It comprises three documents: Service Blueprint, Service Design and Service Operations. The content is currently in the beta phase, and all members of the private cloud security community, both from within Microsoft and outside of Microsoft, are welcome and encouraged to help in improving this content. This content is presented in an online format on the TechNet wiki so that collaboration is easy and agile, and also in Word .doc format for easy offline reading. Finally, the online content includes a number of navigational elements to make it easier to navigate the content and get a holistic understanding of the entire content set.

I hope you enjoy A Solution for Private Cloud Security and look forward to your feedback and contributions!

Thanks!

Tom

Tom Shinder
tomsh@microsoft.com
Principal Knowledge Engineer, SCD iX Solutions Group
Follow me on Twitter: https://twitter.com/tshinder
Facebook: https://www.facebook.com/tshinder