Private Cloud Permissions Planning
-- Brought to you by 2X Cloud Computing guest blogger Brien M. Posey --
As you plan to build a private cloud, you will need to spend quite a bit of time thinking about cloud controls. Role based security and control mechanisms must be put into place as a way of preserving the security and the integrity of the private cloud.
Role based security planning is different for a private cloud than for an individual system. Server applications such as Microsoft Exchange Server make heavy use of role based security. However, the roles that are applied for use with applications such as Microsoft Exchange tend to be specific to an individual application or to an individual server.
Private clouds are different. When you give someone access to a private cloud, you aren’t granting them access to an application or to a server, but rather to a unified collection of resources. As such, the security and control mechanisms that you implement for a private cloud must be capable of providing access to resources and capabilities, while also preventing excessive resource consumption.
There are three main security roles that you should plan on using within your private cloud. Each cloud infrastructure vendor calls these roles something slightly different, but the functionality remains basically the same. The roles that must be defined are:
- The Fabric Administrator – The fabric administrator is the administrator who is responsible for building and maintaining the cloud fabric. This administrator would oversee things like storage, network connectivity, and host servers.
- The Tenant Administrator – The tenant administrator is the administrator who is responsible for delegating permissions to cloud resources. For example, this administrator would be the one who would grant a user permission to create a virtual machine. This administrator might also be responsible for building the templates used for virtual machine creation.
- The Self Service Administrator – The self-service administrator refers to a user who has been delegated permission to create virtual machines within the private cloud. This person essentially becomes an administrator over the virtual machines that they create, but not over the private cloud as a whole.
Keep in mind that these roles only represent the basic requirements. Some organizations create more granular roles as a way to further separate job duties. For example, an organization might have a host administrator and a storage administrator, rather than a fabric administrator who oversees the entire cloud infrastructure.
Assigning appropriate administrative roles is only one of the steps required in preparing the private cloud for use. Controls must also be put into place to prevent self-service administrators from consuming excessive resources. There are two main control mechanisms that serve this purpose.
The first such mechanism is a resource quota. A resource quota defines the maximum aggregate hardware resources that the self-service administrator is allowed to use. For example, a resource quota might grant a self-service administrator eight CPU cores. Another quota might grant the same administrator 10 GB of physical disk space. The administrator is free to create virtual machines at will until the quotas are reached.
The other mechanism for controlling resource consumption is chargebacks. Chargebacks allow the tenant administrator to keep track of the self-service administrator’s resource usage so that the self-service administrator can be billed accordingly.
Although it is easy to get caught up in the details of infrastructure capacity planning for your private cloud, it is just as important to think of resource control from a permissions and quota perspective. Otherwise, it will be nearly impossible to keep cloud resource consumption in check.
About Brien M. Posey
Brien Posey is a ten time Microsoft MVP with two decades of IT experience. Prior to becoming a freelance technical writer, Brien served as CIO for a national chain of hospitals and healthcare facilities. He has also worked as a network administrator for some of the nation’s largest insurance companies and for the Department of Defense at Fort Knox.
Since going freelance in 2001, Brien has become a prolific technical author. He has published many thousands of articles and numerous books on a wide variety of topics (primarily focusing on enterprise networking). In addition to his writing, Brien has provided consulting services to clients and speaks at IT events all over the world.
About 2X Software
2X Software is a global leader in virtual desktop and application delivery, remote access and cloud computing solutions. Thousands of enterprises worldwide trust in the reliability and scalability of 2X products. 2X offers a range of solutions to make every company’s shift to cloud computing simple and affordable.