Analysis of security architecture of cloud computing data center

Source: Internet
Author: User
Keywords Security data center cloud computing Data Center
Tags access access control analysis application application layer applications based broke

The purpose of the data center is to make better use of data, data mining and data efficiency. The application of cloud computing technology in the data center is an inevitable trend. It is important to study the information security architecture of cloud computing data Center for the benefit from data center to be supported by a relatively safe and stable environment.

Overview of Cloud Computing

Introduction to Cloud Computing

Cloud computing technology ranks first among the top ten most strategic technologies and trends for most organizations, Gartner, a world-renowned market research consultancy.

Cloud computing refers to the delivery and usage patterns of IT infrastructure, which means acquiring the required resources over the network in an on-demand, scalable manner. From a deeper point of view, it can be extended beyond the IT infrastructure to the service level. This service can be it and software, Internet-related, or other services. Its core idea is that the unified management and dispatch of a large number of computing resources connected with the network, constitute a pool of computing resources to provide users with on-demand services. A network that provides resources is called a "cloud." The resources in the cloud can be extended indefinitely by the user, and can be readily available, on demand, and extended at any time. In a nutshell, cloud computing systems can be viewed as having web browsers and "cloud" components, and cloud is a parallel distributed computing system composed of many internal interconnected virtual machines, which can provide computing resources dynamically according to the service level agreements negotiated between service providers and customers.

The rationale for cloud computing is that computing is done on a large number of distributed computers, not on a local computer or a remote server, and that the data center runs more like the Internet. Resources can be easily switched to required applications, and users can access computers and storage systems as needed. In a data center based on the cloud computing model, users ' reliance on hardware and software facilities has been greatly reduced, using only the services provided by the data center, "Everything is a Service" (Xasaservice,xaas).

As an important feature of cloud computing, "Everything is a service" is divided into 3 aspects, infrastructure namely service (INFRASTRUCTUREASASERVICE,IAAS), Platform as Service (PLATFORMASASERVICE,PAAS) and software as service ( Softwareasaservice,saas). From the perspective of the technology architecture of cloud computing, IaaS contains all the infrastructure resources such as room equipment. PAAs is located on the top level of IaaS, providing users with a platform for application development, middleware usage, and database, message and queue functions. PAAs allows developers to develop applications on top of the platform, using the programming language and tools provided by PAAs support. SaaS, located above the IaaS and PAAs, provides a separate running environment to provide users with a complete user experience, including content presentation and application management.

(b) The advantages and disadvantages of cloud computing

As a new system model, cloud computing has its unique advantages. First, it is easy to deploy and configure easily, in the public cloud, users can easily access through the Internet, while in the private cloud, users can access the service from the local area network. Second, scalability ensures that cloud computing models can be smoothly extended from small, verifiable models to large data centers, providing data services for a large number of nodes at the same time.

Third, cloud computing has a high availability feature, and in the entire model, even if a subset of the compute nodes fail, it will not affect the service to the user. The construction cost is reduced. Cloud computing is a scale economy, the larger the scale, the lower the relative cost of construction. Resource sharing becomes easier. Help achieve centralized management and lower management and maintenance costs.

At the same time, cloud computing has some drawbacks in practical applications. First, security needs to be improved, from 2008 ~2010 years, the world has a number of data center information security incidents, of which 80% of events in the cloud computing model built data center. Second, the quality of service protection. Third, when migrating from a traditional data center platform to a cloud computing datacenter, a smooth transition of distributed services may occur.

(iii) Benefits of migrating to cloud environments

The introduction of cloud computing technology will bring data center to enhance data security, accelerate information sharing speed, improve service quality, reduce operating costs and other benefits.

First, enhance the data processing capacity. By combining cloud computing technology with data mining technology, we can quickly extract valuable information from massive data and provide service for decision-making of institutions. Thousands of computer groups distributed across the cloud provide powerful computing power and divide large computational handlers into countless smaller subroutines over the network. Cloud computing technology can store, analyze, process, excavate and correlate a lot of business data in a short time, thus greatly enhance the data processing ability.

Second, enhance the storage capacity and reliability of data. On the one hand, many servers in the cloud can provide powerful storage capabilities, and many different types of storage devices in the network work together through application software to meet the huge data storage needs of the growing business. On the other side, cloud computing also improves data reliability. Even if a server fails, other servers can quickly back up their data to other servers in a very short time and start a new server to provide services.

Third, reduce data center operating costs, improve operational efficiency. With the continuous development of business, gradually from one region to other regions, the branch office is increasing. It has to spend a lot of money to buy a large number of computer equipment, resulting in a sharp increase in data center operating costs. If the use of cloud computing technology, can be like economies of scale, in the long run it can greatly reduce operating costs, improve operational efficiency.

II. Security of cloud computing

(i) Security incidents in global cloud computing data centers

In recent years, the construction of cloud computing data center has been developing rapidly, and large companies such as Amazon, Google and Microsoft have invested a lot of human and financial resources to build their own cloud computing data center to provide users with a variety of services. But these it giants in dealing with the security problems in the cloud also appear to be a bit powerless, users also suffer a certain loss when using. The following is a security event that occurred in the global Cloud Computing data center from 2009 to 2011.

1.2009 years February 24, Google's Gmail e-mail broke out a global failure, service interruption time of up to 4 hours. Google explains the cause of the accident: in the case of routine maintenance at a European data center, some new program code (which attempts to focus geographically close data on everyone) has side effects that lead to the overload of another European data center, so that the ripple effect expands to other data center interfaces and eventually leads to global disconnection, Cause other data centers to not function.

2.2009 years March 17, Microsoft's cloud computing platform Azure stopped running for about 22 hours.

In the 3.2009 June, Rackspace suffered a severe cloud service outage. Power supply equipment tripping, backup generator failure, many racks of server downtime.

4.201 years, Microsoft broke BPOs service interruption incident. This is the first time Microsoft has burst a major cloud computing data breakthrough event.

5.2011 years March, Google's mailbox again broke out large-scale user data leakage incident, about 150,000 Gmail users found their own in Sunday all mail and chat records were deleted, some users found that their accounts were reset. Google says the users affected by the problem are about 0.08% of the total number of users.

6.2011 years April 22, Amazon Cloud Data center Server widespread downtime, the incident is considered Amazon's history of the most serious cloud computing security incident.

In addition to the six major cloud data center security incidents mentioned above, several small security incidents have occurred.

(ii) Impact of security incidents

The occurrence of these security incidents has caused the security issue of cloud computing to be paid attention again. Before that, almost all users ' biggest questions about cloud computing were security issues, especially the security of the public cloud, which raised public concern about private clouds, and more companies and government agencies believed in the security of private clouds. Therefore, the design of data center based on cloud computing is actually a game between high efficiency, high quality service and safe and reliable.

(iii) Key security technologies for cloud computing

The security risks facing cloud computing data centers are divided into 3 levels, 4 categories. The 34 levels are data, application and virtualization, 4 categories are transmission security, storage security, recovery security and audit security, in which transmission security is unique to the data level.

To resolve the above security risks, there are several technologies that can be used at present.

1. Resource access control. In a cloud environment, resources are divided into several access areas, and users have the right to share data across regions, but they need to set up identity authentication and identity management policies in each locale, while setting access control policies. The resource access control technology mainly solves the risk of priority access and administrative authority.

2. Data availability and usability. Cloud computing data centers have a larger scale of data than traditional data centers, and large data centers can provide services with tremendous communication pressure. Data in the transmission and use of the correctness and reliability of the situation can not be guaranteed, and in the service efficiency requirements, wait until the data fully transferred to the local check its accuracy and reliability is not realistic, so need to use data and usability technology to determine whether the remote data is correctly available.

3. Data privacy protection. The technology is primarily to address the risk of data leakage in cloud computing data centers.

4. Virtualization security. The data center in the process of migrating to the cloud computing platform is bound to use virtualization technology, which is generally applied to the PAAs level, so ensuring the security of the virtualized platform is very important for the overall security of the cloud data center.

5. Trusted cloud computing platform. Cloud computing platform is divided into public and private cloud two categories, private cloud computing platform for users to build their own, do not use the public network cloud service provider services. While the public cloud computing platform involves the use of the third cloud service provider's products, the trusted cloud computing platform technology can guarantee the reliability and durability of the cloud platform, especially the public cloud platform.

Information security architecture of traditional data center

The security threats that traditional data centers face are mainly from 3 aspects, one is facing the application layer attack, the other is facing the network layer attack, the third is the infrastructure attack (the infrastructure is the network, host and other information system hardware facilities). Therefore, the traditional data center information security protection system generally according to the "Multi-layer protection, zoning planning, layered deployment" principle.

(i) Multi-layer protection

Multi-layer protection is generally divided into 3 layers, the first layer is High-performance hardware firewall, the second layer has a high performance detection engine IDs and even IPs, the third layer is a rich security features of routers and switches. This layered way is relatively macroscopic, from a more microscopic point of view, according to the 0SI7 layer model, the data center has also established a very specific information security protection system from the link layer to the application layer, such as anti-virus gateway, data leakage protection methods and protective equipment.

(ii) Zoning planning, tiered deployment

Data centers have different value and vulnerability to different devices, according to the situation of these devices to develop different security policies and trust models, the data center is divided into different regions, which is zoning planning. In general, data centers can be divided into remote access area, Internet Server area, LAN external server area, LAN internal server area, district area, core zone, etc. according to different trust levels.

The hierarchical architecture of traditional data center is embodied in the traditional network 3-layer deployment (access layer, aggregation layer, core layer), but also in the design and deployment of the application system. Multi-tier architectures break down application servers into manageable, secure tiers that avoid the potential security implications of hosting all features on a single server, enhancing scalability and high availability.

(iii) Safety protection technology

According to the information security architecture of traditional data center, there are many kinds of security protection technology to support it. Safety protection technology is also divided into 3 levels. The first layer is the data Center network Infrastructure Protection technology, including VLAN based port isolation, Stproot/bpduguard, port security. The second layer is the data center border Protection technology, including the use and management of firewall. The third layer is the data Center Application Security protection technology, including virus protection, data leakage protection, data storage protection and so on.

Information security architecture of data center in cloud environment

In the construction of cloud computing data center, because of the high degree of resource integration and sharing, whether data security, application security or virtualization security, are delivered to the data center users in the way of service. Under the guidance of this kind of construction idea, the information security system of cloud computing data center and the security protection system of the traditional data center are very different, which comes down to the following several aspects mainly.

(i) New virtualization security Requirements

The virtualization of cloud computing data centers is divided into software virtualization and hardware virtualization. Software virtualization refers to the ability to create, run, and revoke virtual servers by directly deploying the software on a physical machine. In this case, users have the conditions to operate multiple virtual servers at the same time, so there must be a strict restriction on any unauthorized user access to the virtualization software layer, such as the establishment of stringent control measures to limit physical and logical access control for hypervisor and other virtualization levels. The security of hardware virtualization can draw on the security of physical server, mainly from the entity machine selection, Virtual server security and day-to-day management of 3 aspects to develop a safety protection program. In addition, under the condition of high resource integration, the requirement of resource allocation and security isolation between data is higher, and security equipment should be adapted to the requirements of cloud computing data Center virtualization.

(ii) Mixed security boundary

One of the important ideas in the construction of the traditional data Center security protection system is the security isolation and access control based on the boundary, and emphasizes the zoning planning and layered protection. But in cloud computing data centers, where resources are highly integrated, infrastructure is unified, and security device deployment boundaries have become blurred and even disappearing.

(iii) Greater scope for security threat discovery and processing

In traditional data centers, the source of information about security threats is the security software deployed on the client and the hardware security products deployed in the network. Managers in the information can be in a very short period of time to deal with security threats, but this processing is a subregional, that is, can not do the entire data center of centralized prevention and centralized treatment, can not form the overall security protection. In the cloud Computing data center, the perception and processing of security threats will tend to be unified, the information sharing rate is very high, the security protection system is more macroscopic than the traditional data center system, the protection scope is bigger. According to the new situation of information security system construction of cloud computing data Center, the information security protection of cloud computing data Center can be considered synthetically from the following aspects.

1. Focus on support for virtualization

Virtualization is the key technology of cloud computing data center, and the basic network architecture, storage resources, computing resources and application resources of modern data center are already moving towards virtualization. Whether it is to meet the needs of different users, to provide personalized resource services, or to use the logic of isolation to ensure data security, virtualization is a very good choice. Therefore, in the construction of cloud computing data Center Security protection system, the support of virtualization is very important.

2. Building a unified security threat protection system

Because the security boundaries of cloud computing data centers have become blurred and resources are highly integrated, the ability of administrators to partition the entire data center can only be based on logical partitioning, and physical security boundaries have ceased to exist. In this case, it is unrealistic to deploy separate security systems for users. The deployment of security devices should shift from the original security protection based on each subsystem to security protection based on the entire cloud computing data center, building a unified security threat protection system. In a figurative metaphor, the security threat protection system for cloud computing data centers should be like a dome covering the entire data center.

3. Formation of safety risk, Shaanxi speed reaction mechanism

In the security building of the cloud Computing data center, take full advantage of cloud computing's powerful resource sharing and computing power, quickly respond to and dispose of security risks, quickly locate and resolve security threats, and push security threats to the entire data center, making all security devices capable of detecting this security threat.

V. Summary

The purpose of the data center is to make better use of data, data mining and data efficiency. The application of cloud computing technology in the data center is an inevitable trend. It is important to study the information security architecture of cloud computing data Center for the benefit from data center to be supported by a relatively safe and stable environment.

China in the "Twelve-Five" development plan has been listed as the need to focus on the development of cloud computing content, so the cloud computing data center is facing the top priority is not from the technical level, but from the management level. The guidance Department of Information Technology Management in China should set up relevant standards of cloud computing data Center as soon as possible, especially information security standards, so as to standardize and manage early.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.