"The transition" period of "private cloud" security: The design idea of "cloud" scheme

The embarrassing situation of private cloud security

Cloud computing is able to provide a virtualized pool of resources, flexible service capabilities, self-service, etc., won the CIO's favor, in order to improve the utilization of IT equipment, improve the capacity of service disaster, improve the rapid response to business support, the majority of enterprises are beginning to try the private cloud construction.

Generally speaking, the transition from the existing IT management system to the private cloud platform requires several steps: Large data centralization, business system integration, virtualization of IT resources, management platform cloud, cloud service delivery. (Many people think that the private cloud is the construction of the information center, in fact, the virtual transformation of the information Center is generally the last two phases merged into the Information Center unified operation and maintenance management platform, but does not necessarily provide cloud services, therefore, can not be called the strict sense of private cloud.) In this process, resource virtualization is the key, because only the resources are virtualized management, can talk about dynamic deployment, can provide flexible service support capabilities. What resources can and need virtualization management? Compute resources, including CPU and content, storage resources, network resources. We note that there are generally no security resources involved. This is not surprising, because the virtualization platform manufacturers are first to business services to achieve the main, security issues are mostly placed behind the consideration.

This is a problem for CIOs: Private Cloud provides a unified service for all business units, not only computing resources, storage resources, network resources, but also security resources, such as identity authentication, virus killing, intrusion detection, behavior audit, and so on, only allocating the system of computing resources and storing resources, to the users, is tantamount to "streaking." Private cloud is different from public cloud, common cloud business single, can establish unified security policy, and private cloud different business system security requirements vary greatly, in a "cloud", for different business systems provide different security policy, how security policy deployment? Where is the deployment?

Cloud computing security has been a hot issue in the industry, there is a special organization CSA (Cloud Security Alliance) to specify some guidance, but landing are more difficult. To sum up, cloud computing's safe landing has two problems:

The first is the problem of the architecture of the cloud computing system.

Because of the use of virtualized resource management, the server of the user business system no longer explicitly run on which server, but the dynamic drift of the VM (virtual machine), the users of different business systems in a "clump" inside and out, each business system has no "boundary", How can you ensure that users who are restless are peeping through the data of other systems, and rely solely on the management of virtualized operating systems to meet the isolation of the user's business streams? And do not say that virtual machine escape research, such as "blue pill", the traditional operating system is a bunch of vulnerabilities, virtualization operating system vulnerabilities will be very small? The degree of harm is much greater.

Second, the virtualization of the operating system manufacturer's problem.

Currently, there are not many vendors that can provide virtualized operating systems, such as VMware, Microsoft, Ctrix, Xen, RedHat, and so on. First of all, VMware, the largest market share, is a private code manufacturer like Microsoft, providing only Third-party development interface APIs. VMware provides the system's underlying security interface, such as Vmsafe, but this interface is currently not open to domestic security vendors, that is, to achieve security deployment, can only purchase foreign third-party security manufacturer products. Other vendors, such as Xen, are open source, there is no interface problem, but require users of their own technical force is very strong to deploy and maintain.

In a word: the security problem in the cloud is serious, the best way is that the security device can be like storage device, forming pool resource pool, when the user request cloud server, with compute resources, storage resources on demand to the user.

However, in the current situation of security vendors, it will take some time to fully reach this stage; In order to cope with the security of private cloud services during the transition period, we propose a security solution for the transition---"cloud" solution.

Second, the "cloud" plan design idea

In the absence of a way to determine how many different business systems can be run in a cloud to be safely isolated, according to the security requirements of different business systems, the business systems with similar security requirements and service objects are deployed in a cloud, otherwise they are deployed in different clouds, so that one cloud is formed in the enterprise. such as Office business Cloud, production business cloud, Internet services cloud, or according to the level of protection, divided into level system cloud, level two system cloud, three level system cloud.

"Cloud" scheme design model

See more highlights of this column: http://www.bianceng.cnhttp://www.bianceng.cn/Servers/cloud-computing/