Cloud Computing Design Patterns (10): Gatekeeper Pattern
Protect applications and services by using a dedicated host instance that acts as a broker between clients and the application or service, validates and sanitizes requests, and passes requests and data between them. This adds a layer of security and limits the attack surface of the system.
Context and Problem
Applications expose their functionality to clients by accepting and processing requests. In a cloud-hosted solution, applications expose endpoints to which clients connect, and they typically include the code that handles requests from those clients. This code performs authentication and validation, processes some or all of each request, and may access storage and other services on behalf of the client.
If a malicious user is able to compromise the system and gain access to the application's hosting environment, the security mechanisms it uses, such as credentials and storage keys, and the services and data it accesses, are exposed. As a result, the attacker may gain unrestrained access to sensitive information and other services.
Solution
To minimize the risk of clients gaining access to sensitive information and services, decouple the hosts or tasks that expose public endpoints from the code that processes requests and accesses storage. This can be achieved by using a façade or a dedicated task that interacts with clients and then hands off the request (perhaps through a decoupled interface) to the hosts or tasks that will process it. Figure 1 shows a high-level view of this approach.
Figure 1 - High-level overview of this pattern
The Gatekeeper pattern can be used simply to protect storage, or it can be used as a more comprehensive façade to protect all of the functionality of the application. The important factors are:
- Controlled validation. The gatekeeper validates all requests and rejects those that do not meet the validation requirements.
- Limited risk and exposure. The gatekeeper does not have access to the credentials or keys that the trusted host uses to access storage and services. If the gatekeeper is compromised, the attacker does not obtain these credentials or keys.
- Appropriate security. The gatekeeper runs in a limited-privilege mode, while the rest of the application runs in the full-trust mode required to access storage and services. If the gatekeeper is compromised, it cannot directly access the application's services or data.
This pattern effectively acts like a firewall in a typical network topology. It allows the gatekeeper to examine requests and decide whether to pass each one on to the trusted host (sometimes called the Keymaster) that performs the required task. This decision typically requires the gatekeeper to validate and sanitize the request content before passing it to the trusted host.
Issues and Considerations
Consider the following points when deciding how to implement this pattern:
- Ensure that the trusted hosts to which the gatekeeper passes requests expose only internal or protected endpoints, and connect only to the gatekeeper. Trusted hosts should not expose any external endpoints or interfaces.
- The gatekeeper must run in a limited-privilege mode. Typically this means running the gatekeeper and the trusted host in separate hosted services or virtual machines.
- The gatekeeper should not perform any processing related to the application or services, and should not access any data. Its function is purely to validate and sanitize requests. The trusted hosts may need to perform additional validation of requests, but the core validation should be performed by the gatekeeper.
- Use a secure communication channel (HTTPS, SSL, or TLS) between the gatekeeper and the trusted hosts or tasks where this is possible. However, some hosting environments may not support HTTPS on internal endpoints.
- Adding the extra layer required to implement the Gatekeeper pattern may affect application performance because of the additional processing and network communication it requires.
- The gatekeeper instance may be a single point of failure. To minimize the impact of a failure, consider deploying additional instances and using an autoscaling mechanism to ensure there is enough capacity to maintain availability.
When to Use This Pattern
This pattern is well suited for:
- Applications that handle sensitive information, expose services that must have a high degree of protection from malicious attacks, or perform mission-critical operations that must not be disrupted.
- Distributed applications where it is necessary to perform request validation separately from the main tasks, or to centralize this validation to simplify maintenance and management.
Example
In a cloud-hosted scenario, this pattern can be implemented by decoupling the gatekeeper role or virtual machine from the trusted roles and services in the application, using an internal endpoint, a queue, or storage as the intermediate communication mechanism. Figure 2 shows the basic principle using an internal endpoint.
Figure 2 - An example of the pattern using Cloud Services web and worker roles
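The following is an added example, not code from the MSDN article or from any Microsoft library, that shows the split described in the Solution and Example sections in plain Python: a Gatekeeper that holds no storage credential and only validates, sanitizes and forwards requests over an internal channel (an in-process queue standing in for the internal endpoint or storage queue), and a trusted host (the Keymaster) that holds the storage key and performs the actual work. All names, the request contract (`action` and `order_id` fields), the regular expression, the in-memory "storage" and the placeholder key are constructed for the example.

```python
"""Gatekeeper / Keymaster split (constructed example; names and contract assumed)."""
import json
import re
from queue import Queue
from typing import Optional

# Request contract assumed for the example: a JSON object with exactly these fields.
ORDER_ID_RE = re.compile(r"^[A-Za-z0-9-]{1,36}$")
ALLOWED_ACTIONS = {"get_order", "cancel_order"}
MAX_BODY_BYTES = 4096


class RejectedRequest(ValueError):
    """Raised by the gatekeeper for any request that fails validation."""


def validate_and_sanitize(raw: bytes) -> dict:
    """Gatekeeper-side check: size limit, well-formed JSON, whitelisted action,
    strictly formatted identifier. Returns ONLY the whitelisted fields, so any
    extra content a client smuggles in never reaches the trusted host."""
    if len(raw) > MAX_BODY_BYTES:
        raise RejectedRequest("payload too large")
    try:
        body = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise RejectedRequest(f"malformed JSON: {exc}") from None
    if not isinstance(body, dict):
        raise RejectedRequest("body must be a JSON object")
    action = body.get("action")
    if action not in ALLOWED_ACTIONS:
        raise RejectedRequest("unknown action")
    order_id = body.get("order_id")
    if not isinstance(order_id, str) or not ORDER_ID_RE.fullmatch(order_id):
        raise RejectedRequest("invalid order_id")
    return {"action": action, "order_id": order_id}


class Gatekeeper:
    """Public-facing role. Deliberately constructed WITHOUT any storage credential:
    compromising it yields no key, only the ability to enqueue already-validated
    messages onto the internal channel."""

    def __init__(self, internal_channel: Queue) -> None:
        self._channel = internal_channel
        self.rejected = 0

    def handle(self, raw: bytes) -> str:
        try:
            clean = validate_and_sanitize(raw)
        except RejectedRequest as exc:
            self.rejected += 1
            return f"400 {exc}"
        self._channel.put(clean)  # hand-off through the decoupled interface
        return "202 accepted"


class TrustedHost:
    """Keymaster role. Holds the storage key and reaches 'storage' (an in-memory
    dict here, constructed for the example); never exposed to clients directly."""

    def __init__(self, internal_channel: Queue, storage_key: str) -> None:
        self._channel = internal_channel
        self._storage_key = storage_key  # placeholder value in demo(), not a real key
        self._orders = {"A-1": "open"}

    def process_one(self) -> Optional[dict]:
        if self._channel.empty():
            return None
        msg = self._channel.get()
        # Second line of defence: the trusted host re-checks the contract the
        # gatekeeper is supposed to enforce, rather than trusting the channel blindly.
        if set(msg) != {"action", "order_id"} or msg["action"] not in ALLOWED_ACTIONS:
            return {"error": "contract violation from gatekeeper"}
        if msg["action"] == "get_order":
            status = self._orders.get(msg["order_id"], "unknown")
            return {"order_id": msg["order_id"], "status": status}
        self._orders[msg["order_id"]] = "cancelled"
        return {"order_id": msg["order_id"], "status": "cancelled"}


def demo() -> dict:
    """Drive a gatekeeper and trusted host with constructed requests."""
    channel: Queue = Queue()
    gatekeeper = Gatekeeper(channel)
    host = TrustedHost(channel, storage_key="PLACEHOLDER_STORAGE_KEY")
    results = {
        "good": gatekeeper.handle(b'{"action": "get_order", "order_id": "A-1"}'),
        "bad_json": gatekeeper.handle(b'{"action": '),
        "bad_action": gatekeeper.handle(b'{"action": "drop_all", "order_id": "A-1"}'),
        # Extra field is stripped by sanitization before hand-off.
        "extra_field": gatekeeper.handle(
            b'{"action": "cancel_order", "order_id": "A-1", "storage_key": "x"}'),
    }
    results["processed"] = [host.process_one(), host.process_one(), host.process_one()]
    results["rejected"] = gatekeeper.rejected
    results["gatekeeper_has_key"] = hasattr(gatekeeper, "_storage_key")
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point to notice is where the credential lives: only `TrustedHost` is constructed with `storage_key`, and the only thing the gatekeeper can do after validation is put a whitelisted, fixed-shape message onto the internal channel. In a real deployment the `Queue` would be the internal endpoint, storage queue or similar mechanism the article describes, and the trusted host would listen on it alone, with no public endpoint.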
MSDN: http://msdn.microsoft.com/en-us/library/dn589793.aspx