When you read books on virtualization, cloud computing, or security, or read software product sheets, a common word that shows up is Policy. Tools often claim to implement Policy, while books urge you to read or write your Policy. But what does Policy imply?
Webster (webster.com) defines policy as:
1 a : prudence or wisdom in the management of affairs b : management or procedure based primarily on material interest
2 a : a definite course or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions b : a high-level overall plan embracing the general goals and acceptable procedures especially of a governmental body
When you read Policy in product literature and books, the meaning intended is definition number 2, and often 2a over 2b. But what does this mean to those who administer and run virtual environments or make use of cloud services?
In these settings, having a robust policy is required. Such a policy should include nearly every aspect of the environment. Most large companies have written policies about how people should deal with one another, how they should deal with computing resources, and how security interacts with their lives within the organization and sometimes outside it. In essence, it is The Book to which you refer if there is any doubt or you wish to know exactly how to proceed. In the military, The Book guides your every action, and all falls back to The Book.
I am finding more and more companies are relying on tools to provide policy instead of having their own written policy. A written Policy leads to written Procedures that may make use of tools. For example, I am sure there is a Backup Policy in place within your organization that states in its simplest form that backups will be made, be tested, and be stored offsite. The Procedures for doing all this may or may not be within the Policy, but there are tools that can assist in all these policy requirements; they do not replace Policy.
Virtualization Requirements for The Book
In the physical world of computing, there was always a process for purchasing new hardware, tracking hardware via asset tags, and ensuring that the physical resources were disposed of properly at the end of life. I have been through a number of scrambles around inventory time to find misplaced machines or ones that have been destroyed.
In the virtual world, this translates into handling sprawl, so one of our Policies for The Book needs to cover the lifecycle of a virtual machine: how to dispose of the VM, how to track the VM, and how to determine whether the VM actually needs new hardware resources. Collectively this could be known as Capacity Management or Lifecycle Management. No matter the name you use, there should be a written policy in The Book that covers this. Lifecycle Management and Capacity Management are tied together. Let me present an example:
Manager A requests a large VM (8 vCPUs, 64GBs of Memory, 4TBs Disk, and 10Gb of Network). Your virtual environment does not have nearly that capacity, so what do you do?
Your policy should be robust enough to handle this case. So you fall back to The Book and work out the details on how to proceed. One company I consulted at had the right idea. Their policy was:
Treat a request for a new VM as if it was a physical resource as it may end up requiring new physical resources.
This worked for them as the policy for new Resources was extremely well understood and required a fairly systematic review, such as:
- Architectural Review of the Request to determine whether new servers were needed or whether one could be reused. In the case of virtual machines, they were looking at need as well as the REAL resources required by the VM (which are quite a bit less).
- Capacity Review to determine if the server could even be placed within the environment (power requirements, etc.). For a VM, they were looking to determine if new resources would need to be purchased to fit the VM into the current infrastructure.
- Resource Consumption Review to determine how many resources the server would use in the future and whether that would require new resources and by when.
- Security Review to determine where the server would live within the environment and which security controls to place upon the server and application. Was this a PCI environment, a DMZ system, etc.? What trust zone did it belong to, and what Roles and Permissions were needed for access?
In essence, there was much more involved with putting out a server. Capacity planning, Future Resource Consumption, and Security were major components of their policy, and it was all documented within The Book. In addition, each server had its own architectural review document on file that could be updated as details changed.
The last area of interest, which this customer did not address, was determining how to charge back the resource utilization to the owner of the server.
In all this, the customer interchanged the words server and VM so that they could make the most use of their existing policies. If you are writing new policies, you may be able to streamline this process even more. Tools such as HyTrust, vKernel and Hyper9 help with the Capacity analysis component of your policies but do not replace the written policy.
Cloud Computing Requirements for The Book
I am not sure much changes when you discuss the cloud over a virtual environment, but there are some obvious differences. The first is that, as a user of the cloud, the capacity review component is part of the Cloud Provider, but I would hazard a guess that most of the rest will stay the same. So let’s look at the Capacity Review component.
In our example, that type of VM would most likely be difficult for a cloud provider to provide easily, so the Capacity Review needs to include communication with the Cloud Provider to determine if the capacity exists. Perhaps the cloud provider exposes tools like vKernel and Hyper9 to the Cloud user, or they have their own frontend to do so. In order to place businesses within the cloud, Capacity reviews will be required. As businesses' needs grow, they will need to plan their capacity with the cloud provider.
This is one more thing the cloud provider must expose to the cloud user via the cloud portal software. Without it, placing a business within the cloud would be very difficult.
The other aspect of Policy that is within the hands of the cloud providers is security. When you perform a Security Review as part of your deployment of a VM or application, how will you know that the proper controls are in place to protect your trust zones? This is one other aspect of the cloud that the providers will need to expose. CloudAudit.org is working on some of this, but the responsibility will end up belonging to the owner of the data within the cloud. If the provider exposes HyTrust and other security tools, perhaps you can gain that control.
So if you are using the cloud, or plan to use the cloud, update your Policy (The Book) to include how to determine if your cloud provider can meet your current and future capacity as well as security requirements.