Cloud solution to solve the problem of "private cloud" security transition period

Source: Internet
Author: User
Keywords Cloud computing cloud security cloud security
Tags access anti- authentication authority management beginning behavior business business cloud

Cloud computing is able to provide a virtualized pool of resources, flexible service capabilities, self-service, etc., won the CIO's favor, in order to improve the utilization of IT equipment, improve the capacity of service disaster, improve the rapid response to business support, the majority of enterprises are beginning to try the private cloud construction.

The embarrassing situation of private cloud security

Generally speaking, the transition from the existing IT management system to the private cloud platform requires several steps: Large data centralization, business system integration, virtualization of IT resources, management platform cloud, cloud service delivery. (Many people think that the private cloud is the construction of the information center, in fact, the virtual transformation of the information Center is generally the last two phases merged into the Information Center unified operation and maintenance management platform, but does not necessarily provide cloud services, therefore, can not be called the strict sense of private cloud.) In this process, resource virtualization is the key, because only the resources are virtualized management, can talk about dynamic deployment, can provide flexible service support capabilities. What resources can and need virtualization management? Compute resources, including CPU and content, as well as storage resources, network resources. We note that there are generally no security resources involved. This is not surprising, because the virtualization platform manufacturers are first to business services to achieve the main, security issues are mostly placed behind the consideration.

This gives CIOs a problem: Private cloud provides a unified service for all business units, not only computing resources, storage resources, network resources, but also security resources, such as identity authentication, virus killing, intrusion detection, behavior audit, and so on, only allocating the system of computing resources and storing resources, to the users, is tantamount to "streaking." Private cloud is different from public cloud, common cloud business single, can establish unified security policy, and private cloud different business system security requirements vary greatly, in a "cloud", for different business systems to provide different security policies, security policy how to deploy?

Cloud computing security has been a hot issue in the industry, there is a special organization CSA (Cloud Security Alliance) to develop a number of guidance, but landing are more difficult. To sum up, cloud computing's safe landing has two problems:

The first is the problem of the architecture of the cloud computing system. Because of the use of virtualized resource management, the server of the user business system no longer explicitly run on which server, but the dynamic drift of the VM (virtual machine), the users of different business systems in a "clump" inside and out, each business system has no "boundary", How can you ensure that users who are restless are peeping through the data of other systems, and rely solely on the management of virtualized operating systems to meet the isolation of the user's business flow? And do not say that virtual machine escape research, such as "blue pill", the traditional operating system is a bunch of vulnerabilities, virtualization operating system vulnerabilities will be very small? The degree of harm is greater.

Second, the virtualization of the operating system manufacturer's problem. Currently, there are not many vendors that can provide virtualized operating systems, such as VMware, Microsoft, Citrix, Xen, RedHat, and so on. First of all, VMware, the largest market share, is a private code manufacturer like Microsoft, providing only Third-party development interface APIs. VMware provides the system's underlying security interface, such as Vmsafe, but this interface is currently not open to domestic security vendors, that is, to achieve security deployment, can only purchase foreign third-party security manufacturer products. Other vendors, such as Xen, are open source, there is no interface problem, but require users of their own technical force is very strong to deploy and maintain.

In a word: the security problem in the cloud is serious, the best way is that the security device can be like storage device, forming pool resource pool, when the user request cloud server, with compute resources, storage resources on demand to the user.

However, in the current situation of security vendors, it will take some time to fully reach this stage; In order to deal with the security of private cloud services during the transitional period, we propose a security solution for the transition-"cloud" solution.

Design idea of "cloud" scheme

In the absence of a way to determine how many different business systems can be safely isolated in a cloud, according to the security requirements of different business systems, the business systems with similar security requirements and service objects are deployed in a cloud, otherwise deployed in different clouds, so that a cloud is formed in the enterprise. such as Office business Cloud, production business cloud, Internet services cloud, or according to the level of protection, divided into level system cloud, level two system cloud, three level system cloud.

  

"Cloud" scheme design model

The core network of the enterprise is "physical", the cloud of different business services is connected to the core network, each cloud has its own cloud management center, responsible for cloud computing, storage, security resource management, enterprise users are divided into virtual terminals (such as running virtual desktop "stupid terminal") and real terminals (such as PC, such as "Rich Terminal"), Through the corporate network, you can login to different clouds, the entire network of users with a unified identity authentication, and the establishment of cloud Security Management Center platform, the platform through the various Cloud Management Center interface, can directly monitor the cloud virtual machine running state.

The advantages of cloud schemes are obvious: a cloud of business system security requirements are similar, users are the same, the need for security isolation is greatly reduced, so that the different business systems in a cloud security isolation in a security dilemma, the network between the clouds is "physical" visible, the traditional security boundary ideas fully applicable; of course. , different clouds can adopt different virtualization operating systems, reduce the over-reliance on a manufacturer (desktop operating system dependence on Microsoft is a headache for many CIOs); Finally, if a cloud is a problem, it will not affect the business system in other clouds.

The disadvantages of cloud schemes are also obvious: it resource utilization is limited, which is clearly contrary to the goal of adopting virtualization technology; artificially building multiple cloud, multiple management platform, management complexity is obviously increased.

However, cloud solutions can solve the current virtual platform itself security is not in place, business needs to promote the cloud computing model has launched a contradiction. While walking and learning, "stones", always better than unworthy.

Cloud Solutions break down the security of the private cloud: 1, the security between the clouds; 2. Security within the cloud.

The idea of safety design between clouds

Different clouds, logically like "security domains" in traditional security design, with a clear security zone boundary, therefore, the security of the clouds can be based on the traditional security design ideas, deployment ideas can refer to the "Vase model" of the three baselines of a platform, network boundary and secure domain Boundary security protection baseline; The dynamic monitoring baseline of the important resource area and the core convergence, the credit management baseline of the user and operation personnel, the security management platform of daily operation and emergency handling, the specific technical and management requirements, can refer to the requirements of the level protection, here is not to repeat.

  

Cloud inside is actually a cloud platform management system range, also can be said to be a virtualized operating system management platform under the security design. From the system point of view, can be divided into two levels of security design: 1, Virtual machine security, 2, virtualization platform security.

Security in virtual machines

Is the user to apply to the virtual machine, from the user point of view and the physical server is the same, the user selected operating system and business services software, therefore, the virtual machine security is like a host system for security protection design. As a result of virtual machine management than physical confidential more simple, easy to configure and modify the patch upgrade management, switch machine is a directory of files running just.

At the same time, the computing resources of virtual machines can be applied dynamically, and there is no contradiction between the traditional host security and the business contention resources, because the security monitoring in the host House can reduce the efficiency of the operation, many business managers refuse to install other resident software. Of course, the compatibility problem between software still exists, so before the system upgrades or installs the security software, must test on other virtual machines, guaranteed does not affect the business software the normal operation.

  

There are several areas of security that need to be considered in the virtual machine:

Identity authentication and authority management: Identity identification can be unified with the whole network identity authentication system, but the authority management within the cloud has its own detailed management, to ensure that the cloud internal users can access business differences;

Service reinforcement and anti-control defense: This is primarily for servers, like ordinary business servers, requiring basic security reinforcement, installing suitable patches, shutting down unwanted services, deleting unwanted accounts, and so on, but this is not enough. Servers are network-oriented, disrupting services, simply affecting their business, and if hacked into "broiler", it could be a tool for attacking other targets. Because the cloud is generally more than one business system in operation, a system of loopholes are exploited, the establishment of a hacker invasion of the bridgehead, as a springboard for internal attacks, many hackers are such a step-by-step infiltration into the core confidential server. Therefore, the server is not controlled by intruders, do not become "broiler" is the minimum requirements for server security, the installation of an anti-control defense system, or the system to carry out the reverse control of the reinforcement is very necessary;

Terminal protection system: This is mainly for Remote Desktop or BYOD, because the visitor's terminal variety, security status strange, to access the terminal to carry out appropriate security checks, or limit their access to the cloud services are necessary; Of course, you can also take advantage of "container" Remote Desktop, Isolate the remote terminal within the business and other systems, to ensure that the terminal virus, Trojan can not invade the cloud services;

Anti-virus: viruses and Trojans are pervasive, the user traffic virus filtering is necessary. Of course, anti-virus can also be implemented at the entrance of the cloud, but for the application layer of the virus, or through the host to monitor the killing way more effective.

Security on virtualized platforms

The security on the virtualization platform is directly related to the openness of the manufacturers ' products, which can be divided into two kinds of situations:

The first is open source platform, or get the manufacturer's underlying security API interface, such as VMware's Vmsafe interface, you can use the interface to insert your own security code, the virtual machine traffic security checks and control.

  

This way directly in the virtual platform of the underlying hypervisor control user data flow, some like we understand the operating system is divided into kernel State and user state, hackers to break through the hypervisor to the kernel layer is more difficult, it is very difficult to circumvent this security monitoring.

The second situation is not access to the underlying interface of the virtualization platform, or the hope that through Third-party security control measures, users can be assured (virtualization platform for their own management, the security of their own control, always make people some doubt). This kind of method is the current safety control measure that the safety factory is popular with the flow traction.

The realization of the idea is to use the SDN technology in the flow of traction Control Protocol OpenFlow, guide the user traffic flow according to the stipulated security policy, combine the virtualization technology of security products, set up the resource pool of firewall, intrusion detection, user behavior Audit, virus filtering, etc., when the user requests the virtual machine resource, , storage resources to the user, to ensure the security of the user's business.

The steps to implement are as follows:

Virtual pooling of security resources: First, "Multiple to one" virtualization of security devices, the formation of a virtual, logical, high processing capacity of the security equipment, such as virtual firewall, virtual intrusion detection, and then to virtual security equipment "one to many" virtual, generating user-tailored, processing capacity matching virtual security equipment;

Deployment Flow Control Server: It is the center of Traffic control management, accept and deploy the security policy of user traffic, when the user business virtual machine Migration, responsible for the migration of the traffic traction strategy; The server can be hot standby, improve system security, can also adopt virtual machine mode. At the same time, install the flow control engine in the Virtual Computing resource pool: The method is to open a virtual machine running flow control engine in each physical server, which is responsible for directing all the virtual machines on the physical server, and carrying out the traffic traction according to the security policy;

The traction of user traffic is divided into two modes:

Because of the need to change the flow of user traffic, the purpose of the Mac, destination IP to be modified. A lot of specific scenarios, here we use Mac in Mac technology, packet two package, after the security equipment processing "safe flow" to restore to the "normal" state; in the clouds physical switches and virtual Switches Support SDN mode, you can also use the OpenFlow The encapsulation of the Protocol for guidance;

When a virtual machine for a user business service migrates in a different physical service, the security policy for that user's business also continues to boot the user's business traffic with the flow control virtual machine that migrates to the destination physical service.

  

Summary

Cloud solutions are deployed in different clouds by deploying business systems with different security requirements reduce the need for the separation of business flows in the cloud, and within the cloud, through the flow of traction and virtual machine reinforcement to achieve the network level of security filtering, while strengthening the business system itself security management, such as user Rights Management, Business behavior Audit, to achieve the application level of access control, the storage and transmission of sensitive data are recommended to use encryption methods.

The cloud scheme is a transitional scheme, in which clouds can synthesize a cloud by the time the security isolation and control techniques in the cloud mature.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.