How to guarantee the security of enterprise cloud computing

Cloud computing, from concept to practice

According to statistics, the current more classic definition of cloud computing more than 50 kinds. Different experts and enterprises have defined the concept of cloud computing from their own perspective. One of the more recognized, more authoritative is the United States Institute of National Standards and Technology (NIST) definition.

NIST's definition of cloud computing: cloud Computing is a model that makes it easy to access a common set of configurable computing resources (such as networks, servers, storage devices, applications, and services) on demand. These resources can be quickly provided and published, while minimizing administrative costs or interference from service providers. The cloud model consists of five basic features, three service models, and four release models.

So how do you parse the cloud model defined by NIST?

First, let's look at the basic features of the cloud model.

--Self-service on demand. Depending on the customer's needs, you can unilaterally provide computing power to customers, such as server time and networked storage, from each service provider, and these are automatically done without interference.

-Extensive network access. With the ability to access through a normative mechanism, this mechanism can use a wide range of thin and fat client platforms (such as carrying telephones, laptops, and PDAs).

--resource sharing. The computing resources provided by the provider are focused on providing services to multiple customers through a multiple customer sharing model and dynamically allocating or redistributing different physical and virtual resources according to customer requirements. The idea of a regional independence is that customers usually do not need control to know the exact location of the resource being provided, but may specify the location of the resource in a higher level of abstraction, such as country, state, or data center. Examples of resources include storage devices, data processing, memory, network bandwidth, and virtual machines.

-Fast scalability. Ability to deliver services quickly and with scalability. In some scenarios, the services provided can be scaled up automatically and rapidly, rapidly releasing under certain conditions, and rapidly shrinking laterally. For customers, this ability is used to make the services provided appear to be unlimited, and to purchase any quantity at any time.

-Measurable services. The cloud system automatically controls and optimizes resources to achieve some type of service (such as storage, processing, bandwidth, and active user accounts) at certain levels of abstraction through a measurable capability lever. The use of resources can be monitored and controlled by providing these service reports to vendors and users to achieve transparency.

The cloud model provides three service models.

One is software as a service (SaaS). The customer uses the service provider to run the application on the cloud infrastructure. These applications can be accessed through a variety of client devices, such as web-based e-mail. Customers do not manage or control the underlying cloud infrastructure, including networks, servers, operating systems, storage devices, and even stand-alone application functions, limiting user-configurable application settings where possible exceptions.

Second, the platform is the service (PaaS). Customers use cloud vendor-supported development languages and tools to develop applications and publish them to the cloud infrastructure. Customers do not manage or control the underlying cloud infrastructure, including networks, servers, operating systems, or storage devices, but can control the distribution of applications and the possible application-run environment configuration.

Third, architecture is Service (IaaS). Provide customers with processing, storage, networking, and other basic computing resources on which customers can run arbitrary software, including operating systems and applications. Users do not manage or control the underlying cloud infrastructure, but they can control the operating system, store, publish applications, and possibly limit the control of selected network components (such as firewalls).

The cloud model has several publishing forms: private Cloud, community cloud, public cloud, mixed cloud.

In the specific practice of cloud computing, it is generally from some aspects began to involve, and specific applications, to find a way to improve efficiency through cloud computing technology.

China strategically attaches great importance to this wave of cloud computing, in the national departments of "Twelve-Five" planning, cloud computing is mentioned in a very important position, and in many cities, a number of enterprises began the cloud computing pilot. In the experiment of cloud computing, it is an important problem how to start the cloud computing system in a planned and step-by-step way.

Construction process and safety guarantee of enterprise cloud computing system

In the domestic cloud computing system's construction practice, the more typical promotion way is: Starts from the private cloud, starts from the IaaS service, expands gradually to the cloud computing application other aspect.

As shown on the left, the cloud computing system for a large group of companies is planned as follows:

1. Through the integration of the resource layer, the server resources of the core computing domain are integrated into the computing resource pool, the cloud Computing data Center is formed, and the resource utilization efficiency is improved by introducing the server virtualization technology.

2. Through a unified management platform to solve the cloud computing data Center resource allocation and management, to achieve dynamic flexible deployment and backup migration management.

3. The development of cloud computing System User management and user-service interface for the group's internal departments and business systems to provide IAAS services.

On the basis of private cloud and IaaS services, it extends to Paas/saas services within the group and extends to external delivery services.

In the implementation of the entire cloud computing system, the corresponding security measures are a great challenge to customers. According to the different construction stages of cloud computing system, the corresponding security measures are put forward.

First, in the phase of computing resource integration and server virtualization, the key of security is to solve the security gateway deployment location problem brought by server virtualization.

Second, in the unified management platform stage, the key of the security guarantee is to solve the problem of the security function accompanying the dynamic deployment of virtual server.

Third, in the development phase of user-service interface, the key of security guarantee is the construction of unified identity authentication system and the problem of operation and maintenance audit.

Security device deployment after server virtualization

Server virtualization puts forward new requirements for the deployment of secure gateway devices.

First, for traditional security devices, multiple instances (also known as virtual security gateways) need to be supported, and each instance supports a separate security engine and security management configuration interface to support multiple users in cloud computing systems.

The second is that the communication between different virtualized servers within the same physical server does not go through the network and requires a new form of security device, deployed within the virtual operating system, to control access to the virtual server.