In many organizations, IT is in the difficult position of having to adhere to corporate policies of controlling cloud service usage, while allowing end-users to have the flexibility they need to work effectively with their VMs. Implementing self-service provisioning capabilities removes much of the need for repetitive, high-maintenance, hands-on IT provisioning and frees up IT resources for more essential projects.
One of the first actions that enterprise IT must take to regain control over self-service provisioning is implementing a strict set of usage policies. Large environments have many staff performing many different roles. This in itself is not an issue, but if improperly managed it becomes a security issue: as people leave or move to new jobs, their accounts become dormant and must be dealt with. If your decommissioning process doesn’t cope with that, the result is VM sprawl.
While IT must govern VM usage policies, server owners also need a degree of control. They like to be able to self-serve and do tasks like perform their own snapshots or power operations. This is where role-based policies come into play. The creation of role-based policies is not to prevent end-users from getting access to the services that they need, but rather to act as a protective mechanism for the underlying infrastructure.
Like any other virtualized environment, private clouds contain a finite amount of hardware resources, and those resources must be shared among the various internal customers. If a single user were to consume an excessive quantity of system resources, then the resulting resource contention could potentially have a negative impact on others.
The actual mechanisms available for establishing user controls vary from one vendor’s solution to the next, and vary again when deploying across multiple cloud providers. Not only does this variation increase the scope for error, but IT management is also challenged by the lack of a unified interface. Whether your cloud infrastructure is from one vendor or several, generally speaking, one of the first things that must be done is to establish an effective set of permissions.
Permissions aren’t just used as an access control mechanism for virtual machine deployment, but also for managing various aspects of the private cloud environment as a whole. Larger organizations often benefit from being able to delegate permission to perform specific tasks, but generally do not want to grant unrestricted administrative access except where absolutely necessary. Regardless of the permission structure that is exposed through a management tool though, it is essential for the tool to support the use of existing user accounts through Active Directory or LDAP integration.
A partial solution to the issue of control vs. empowerment can be to keep it simple. A good place to start in terms of making VM management easier is creating groups for users. Create a role, add groups to that role, and add users to the groups, so that adding and removing users becomes much easier. But don’t let it end there. A periodic review should be carried out, at least yearly, to ensure that the user accounts are still active, still relevant, and meet current security guidelines. In parallel with that review, the access granted to the groups, and the roles the groups have been assigned, should also be periodically reviewed.
Doing these checks still leaves the issue of delivering the VM management to the owner/end-user. So how do we give the correct rights to the user, and still maintain a good degree of control over the infrastructure, and the management of the infrastructure? Also, how do you provide users with the ability to do such operations as snapshots and reboots as needed, bearing in mind that they need to be subject to change controls, and performed in a business-aware fashion?
Enter Embotics vCommander.
First of all, vCommander serves to separate the users from the infrastructure, so there is no need to add and manage users directly in VMware, Azure, AWS, or other cloud providers. The security model can be thought of as concentric rings, with the goal of giving the fewest possible people access to each ring. As you approach the center, there is a greater ability to negatively impact other users and the environment, so greater expertise is required to avoid bad situations.
Using this model ensures that security is simpler to enforce and becomes less problematic over time. Direct access to managed systems like VMware or AWS is reserved for senior administrators, because almost all day-to-day activity can be performed from within vCommander, where role-based access control ensures that users can only do what you want them to, where you want them to do it.
To empower end-users with non-administrative access, vCommander supplies the user with an intuitive interface, called the Service Portal, that is both simple and powerful. The Service Portal provides self-service for virtual machines and other services, allowing end-users to power services on and off, request new services, request changes to existing services, monitor VM performance and resource usage, and keep an eye on service costs.
The granular permissions set for each Service Portal role determine what the Service Portal user can see and do, and these are defined in the administration console of vCommander. The following Service Portal roles exist by default in a new installation of vCommander:
- View Only
- Delegated Admin
With over 30 permissions available, each of these roles can be customized for your own installation according to your organization’s usage policies. You can also add additional roles as required, although we recommend that you limit the number of Service Portal user roles to allow for easier tracking and maintenance.
Once the roles are defined, it’s then a simple task to create a group, add users and assign roles. When a user next logs into the portal, they will be able to perform all of the operations that they have permissions for without having direct access to the private or public cloud platform. No matter who is taking an action, vCommander’s powerful events log and search capabilities make a deep security audit a matter of a few simple clicks.
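The user-to-group-to-role structure and the yearly access review described above, and the View Only / Delegated Admin portal roles, as an added illustration that is not code from the post or from Embotics. The permission names, group names, users and last-login dates are constructed; the real vCommander permission set (over 30 permissions) is not reproduced here.

```python
from datetime import date

# Constructed, illustrative permission sets; not vCommander's actual permission list.
ROLES = {
    "View Only": {"view_vm", "view_cost", "view_performance"},
    "Delegated Admin": {"view_vm", "view_cost", "view_performance",
                        "power_on", "power_off", "snapshot", "request_service"},
}

# Users live only in groups; each group is assigned exactly one role.
GROUP_ROLES = {"app-owners": "Delegated Admin", "finance-viewers": "View Only"}
GROUP_MEMBERS = {"app-owners": {"alice", "bob"}, "finance-viewers": {"carol", "bob"}}

# Constructed last-login dates used by the periodic review.
LAST_LOGIN = {"alice": date(2024, 5, 1), "bob": date(2022, 9, 30), "carol": date(2024, 2, 10)}


def effective_permissions(user):
    """Union of the permissions of every role reachable through the user's groups."""
    perms = set()
    for group, members in GROUP_MEMBERS.items():
        if user in members:
            perms |= ROLES[GROUP_ROLES[group]]
    return perms


def access_review(today, max_idle_days=365):
    """Yearly review: list (user, group, role, idle_days) for accounts idle too long.

    Each finding is a group membership that should be removed so the dormant
    account no longer carries that group's role into the portal.
    """
    findings = []
    for group, members in sorted(GROUP_MEMBERS.items()):
        for user in sorted(members):
            idle = (today - LAST_LOGIN[user]).days
            if idle > max_idle_days:
                findings.append((user, group, GROUP_ROLES[group], idle))
    return findings


if __name__ == "__main__":
    for user in sorted(LAST_LOGIN):
        print(user, sorted(effective_permissions(user)))
    for finding in access_review(date(2024, 6, 1)):
        print("dormant:", finding)
```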
As important as a good permissions model is though, it’s equally important for the private cloud software to be able to conform to an organization’s own rules of operation. For example, it isn’t always appropriate to simply grant a user the ability to create virtual machines at will, especially when a chargeback model is being used and each virtual machine that’s created impacts the department’s budget. In situations like this, it’s far more effective to give users the ability to request a virtual machine pending approval from a manager, or to set up quotas for resources based on a user, group or department. Not every private cloud management tool supports the use of permissions or quotas, and those that do might not always be able to fully match the organization’s requirements.
To see more about managing infrastructure access with Embotics vCommander, why not check out vExpert Stuart Burns’ short video demonstration on the subject to see how you can resolve some of your cloud management woes.
And if you would like a customized demonstration of vCommander, so you can see for yourself how easy it is to assign role-based access to your users and take back control over your infrastructure, click on the link below.