Three Stages of Cloud-Era Data Center Security Construction

Source: Internet
Author: User
Keywords: cloud computing platform, traditional security products, security

Before a cloud data center is built, each user organization typically runs its own independently built data center, with its own network equipment, security equipment and servers. Traditional network security products are deployed at this stage.

Figure 1 Traditional data center construction

In the cloud computing era, the data center evolves into a centralized, large-scale shared platform that uses server virtualization to provide elastic, on-demand, self-service deployment. Moving the data center to the cloud places new requirements on traditional security protection and on traditional security products.

The author divides the security construction of a cloud-era data center into three stages:

1. Virtualization of traditional security products

2. Virtual machine security devices integrated into the cloud computing platform

3. An independently secure and controllable cloud computing platform

Stage 1: Virtualization of traditional security products

In the first phase of building a cloud data center, the various physical hardware resources are pooled so that they can be offered to multiple user organizations in virtualized form; this pooling is where the cost advantage of a cloud data center comes from. Each user organization consumes the virtual networks, virtual security devices and virtual servers that the cloud data center provides.

At this stage, traditional security products are still used. They are deployed at the perimeter of the server resource pool, with a logically separate virtual device created for each user organization. Traditional security products therefore need virtualization support: both the inspection engine and the management interface must be partitioned per tenant, so that one tenant's policy, state and administration are not visible to another. See Figure 2.

Figure 2 Virtualization of traditional security products

Stage 2: Virtual machine security devices integrated into the cloud computing platform

In the second phase of cloud data center construction, network devices, security devices and servers are consolidated further. At this point a hardware security device sitting outside the server resource pool can no longer enforce access control between virtual machines on the same physical server: traffic between two VMs on one host is switched inside that host's virtual switch and never reaches the external device.

At this stage the security device itself needs to become software and run on the virtualization platform as a security application (see Figure 3).

Figure 3 Virtual machine security devices on the virtualization platform

A virtual machine security device can be integrated into the virtualization platform in two ways. The first is virtual network routing: the virtual network is configured so that inter-VM traffic is steered through the security virtual machine before it reaches its destination (see Figure 4). The second is to embed the security control function in the virtualization platform itself by calling the hypervisor layer's API, so that traffic and guest state are inspected below the guest without changing the virtual network topology (see Figure 5). The first approach works on any hypervisor but adds a hop, a potential bottleneck, and a dependency on the routing being correct; the second has a smaller footprint but depends on the platform vendor exposing and maintaining the API, a risk the third stage returns to.

Figure 4 Deployment via virtual network routing

Figure 5 Deployment via hypervisor API invocation
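The following is an added illustration of the point made in this stage, not code from the article or from any product it mentions. It models a small server pool with constructed host, tenant and VM names and compares two enforcement points: a security appliance outside the pool (the first stage) and a software security function in each host's virtual switch or hypervisor (the second stage). The per-tenant policy tables stand in for the logically separate virtual devices of the first stage.

```python
"""
Toy model of where an access-control decision can be enforced in a
virtualised server pool. Added illustration; hosts, tenants, VM names and
flows are all constructed for the example.

Enforcement points compared:
  - "perimeter": a security appliance placed outside the server resource
    pool (it only sees traffic that leaves a physical host);
  - "host": a software security function inside the virtual switch or
    hypervisor of each physical server (it sees every inter-VM flow).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    tenant: str   # the user organisation the VM belongs to
    host: str     # the physical server it currently runs on


@dataclass(frozen=True)
class Flow:
    src: str      # source VM name
    dst: str      # destination VM name
    dport: int    # destination TCP port


# Constructed inventory: two tenants sharing two physical servers.
INVENTORY: Dict[str, VM] = {vm.name: vm for vm in (
    VM("web-a", "tenant-a", "host1"),
    VM("db-a",  "tenant-a", "host1"),
    VM("app-a", "tenant-a", "host2"),
    VM("web-b", "tenant-b", "host1"),
)}

# One logically separate policy per tenant, the equivalent of a virtual
# firewall instance per user organisation. Tuples are (src, dst, dport);
# anything not listed is denied, and cross-tenant traffic is always denied.
TENANT_POLICY: Dict[str, List[Tuple[str, str, int]]] = {
    "tenant-a": [("web-a", "db-a", 3306), ("app-a", "db-a", 3306)],
    "tenant-b": [],
}


def policy_decision(flow: Flow) -> str:
    """The decision the tenant's policy gives once the flow is actually inspected."""
    src, dst = INVENTORY[flow.src], INVENTORY[flow.dst]
    if src.tenant != dst.tenant:
        return "deny"                       # tenant isolation, no exceptions
    rules = TENANT_POLICY.get(src.tenant, [])
    return "allow" if (flow.src, flow.dst, flow.dport) in rules else "deny"


def perimeter_sees(flow: Flow) -> bool:
    """A device at the pool edge only sees traffic that leaves the physical host."""
    return INVENTORY[flow.src].host != INVENTORY[flow.dst].host


def enforce(flow: Flow, enforcement_point: str) -> str:
    """Effective outcome of a flow at the given enforcement point."""
    if enforcement_point == "host":
        return policy_decision(flow)        # every inter-VM flow crosses the vSwitch
    if enforcement_point == "perimeter":
        if perimeter_sees(flow):
            return policy_decision(flow)
        return "unfiltered"                 # switched inside the host, never inspected
    raise ValueError(f"unknown enforcement point: {enforcement_point}")


def coverage_gap(flows: List[Flow]) -> List[Flow]:
    """Flows that host-level policy denies but a perimeter appliance never sees."""
    return [f for f in flows
            if enforce(f, "perimeter") == "unfiltered"
            and policy_decision(f) == "deny"]


SAMPLE_FLOWS: List[Flow] = [
    Flow("web-a", "db-a", 3306),   # same host, same tenant, permitted by policy
    Flow("web-b", "db-a", 3306),   # same host, cross-tenant: must be denied
    Flow("app-a", "db-a", 3306),   # crosses hosts, permitted by policy
    Flow("app-a", "web-a", 22),    # crosses hosts, not in policy
    Flow("web-a", "web-b", 80),    # same host, cross-tenant: must be denied
]

if __name__ == "__main__":
    print(f"{'flow':<22}{'perimeter':<12}{'host':<8}")
    for f in SAMPLE_FLOWS:
        label = f"{f.src}->{f.dst}:{f.dport}"
        print(f"{label:<22}{enforce(f, 'perimeter'):<12}{enforce(f, 'host'):<8}")
    gap = coverage_gap(SAMPLE_FLOWS)
    print(f"\n{len(gap)} denied flow(s) the perimeter appliance would never filter")
```

Running the script shows that the two cross-tenant flows between VMs on host1 are denied at the host enforcement point but pass the perimeter appliance unfiltered, because they never leave the physical server; this is exactly the gap that moving the security function into the virtualization platform closes. Note that the gap also appears for flows that a live migration moves onto a shared host, so the inventory must track the current host of each VM, not the host it was deployed to.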

Stage 3: An independently secure and controllable cloud computing platform

In the third phase of cloud data center construction, the security of the cloud computing platform itself must be considered.

First, the cloud computing platform itself has security vulnerabilities of its own. The hypervisor sits beneath every guest, so an attacker who exploits a virtual machine escape vulnerability from a guest VM under their control, or who installs a hypervisor-level rootkit such as Blue Pill (a proof of concept that slides a thin malicious hypervisor underneath the running system), gains a foothold below all the VMs on that host and can then install backdoors and control other tenants' VMs. Because a single cloud platform hosts many tenants, these vulnerabilities deserve more attention than a vulnerability in a traditional single host.

Second, the hypervisor layer's API is controlled by the virtualization platform vendor. VMware, for example, opened its VMsafe API to its Technology Alliance Partners (TAP) so that they could build security applications on it, but has since discontinued the VMsafe API, leaving security products built on it without a supported interface.

Finally, from the strategic perspective of national information security, supply chain security must be considered when building a cloud data center. The security of the cloud data center can be fully assured only when the cloud computing platform itself is autonomous and controllable. See Figure 6.

Figure 6 An independently secure and controllable cloud computing platform
