Design and implementation of a cloud security service architecture

Source: Internet
Author: User

1. Research background

Cloud computing grew out of the convergence of grid computing, distributed computing, parallel computing, utility computing, networked storage, virtualization, load balancing, and other established computer and network technologies. Through business models such as SaaS, PaaS, IaaS and MSP, this computing power is delivered to end users. The core idea of cloud computing is to manage and schedule a large number of network-connected computing resources as a single resource pool that serves users on demand.

As cloud computing becomes the direction of future development, it is widely regarded as the core of the next generation of information technology and of the reform of business application models. As an IT infrastructure, a way of delivering and consuming information services, and a new Internet-based computing model, it makes computing simpler and easier to use and sharply lowers the cost of spreading knowledge, so that people can acquire and use knowledge more effectively in work and life. Cloud computing is the result of advances in technology, demand and business models in the traditional IT and communications fields, and its defining features are that it is network-centric, delivered as a service, highly scalable and highly reliable, and that resource usage is virtualized and transparent to the user. As cloud computing technology and thinking are applied more deeply, using the cloud's powerful service capacity to deliver security services (that is, cloud security) is becoming increasingly important in the security industry, while cloud technologies and concepts in turn have a far-reaching impact on traditional security technologies and applications.

2. Key technologies for cloud security services

Today's cloud platforms treat resource sharing and allocation as a self-contained system: a fixed pool of resources or a fixed set of solutions is offered to users, and the business process is correspondingly rigid. With the development of network technology and the idea of service-oriented architecture (SOA), the sharing and use of network security devices should itself be service-based, and much work has already been done on how to publish and search for resources. There is, however, no effective solution yet for intelligently matching resources to tasks in terms of interface, function, process, semantics and quality of service, for leasing them, or for combining them dynamically. Because current security cloud technology solves neither the dynamic sharing and intelligent allocation of network security devices nor the intelligent embedded access of terminal physical devices, its application and development remain limited.

The key technologies involved in the security cloud can be broadly divided into: models, architectures, standards and specifications; cloud technologies; integrated management technologies for cloud services; and business management models and technologies for the security cloud.

(1) Security cloud model, architecture, relevant standards and specifications

From a system perspective, this part studies the structure, organization and operating mode of the security cloud platform, together with the standards and specifications needed to implement it. It covers: a multi-user, commercially operated, service-oriented security architecture; the interaction, sharing and interoperation modes of devices in the security cloud application mode; and the standards, protocols and specifications of the security cloud platform, such as the cloud service access standard, the cloud service description specification and the cloud service access protocol.

(2) Cloud technology

This part studies the technologies by which security cloud services encapsulate, connect and invoke the underlying security devices as cloud terminals, and by which security service requests reach the security cloud platform and invoke its services. It includes: intelligent embedded access technology for the low-level terminal physical devices that participate in the security cloud; cloud computing interconnection technology; the definition, encapsulation, publication and virtualization of cloud terminal device services, and the corresponding development tools; technology for submitting requests to and accessing the cloud platform; technology that supports platform users in using the security cloud platform; and Internet of Things implementation technology.

(3) Cloud Service Integrated management technology

This part studies the integrated management operations that support cloud service operators in taking in, publishing, organizing, aggregating, managing and scheduling cloud services. It includes: access management for resources and services on the cloud provider side, such as unified interface definition and management and authentication management; efficient and dynamic formation, aggregation and storage of cloud services; efficient and intelligent search and dynamic matching of security cloud services; dynamic construction, deployment and decomposition of security cloud tasks, and collaborative scheduling and optimized configuration of resource services; the delivery patterns and generalization of secure cloud services; and the management of cloud users (both cloud providers and cloud requesters) and their authorization mechanisms.

3. System implementation

The main work of this paper is to build the Blue Shield network security cloud protection platform on a cloud computing platform. On top of Blue Shield's existing integrated network security devices and systems, it implements a unified threat management cloud service, a unified terminal management cloud service and a unified policy management cloud service, which bring the advantages of the cloud computing environment to network security and in particular to external network defense. At the same time, the paper uses a data possession proof based on homomorphic hashing, virtual network auditing, a general-purpose authentication and key management framework, an efficient authenticated key agreement protocol with provable security, and independent, controllable, fine-grained access control for shared cloud data to protect users' privacy and data security, remove users' doubts about cloud computing, and keep the cloud platform running stably.
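The data possession proof based on homomorphic hashing is only named above, not explained. The following is an added example, not code from the paper or from Blue Shield, showing the principle behind such a check: the data owner keeps one small hash tag per block, the cloud answers a random-coefficient challenge with a single combined block, and the owner verifies that block against the tags without holding the data itself. The group parameters (toy-sized primes), the block layout, the sample payload and the `audit`/`demo` helpers are all constructed for illustration.

```python
"""Toy proof-of-data-possession with a homomorphic hash (added illustration)."""
import random

# Group parameters: constructed, toy-sized. P is a safe prime and Q = (P-1)/2 is the
# prime order of the subgroup of squares mod P. Real deployments use ~2048-bit P.
P = 1019
Q = 509
BLOCK_LEN = 4   # number of Z_Q elements per data block (one byte per element here)


def _subgroup_generator(seed: int) -> int:
    """Map a small seed to an element of order Q (squaring removes the cofactor 2)."""
    g = pow(seed, (P - 1) // Q, P)
    assert g != 1
    return g


# One independent generator per block coordinate.
GENERATORS = [_subgroup_generator(s) for s in (2, 3, 5, 7)]


def homomorphic_hash(block: list[int]) -> int:
    """h(b) = prod_i g_i^(b_i) mod P. Additive in b: h(x + y) = h(x) * h(y) mod P."""
    h = 1
    for g, b in zip(GENERATORS, block):
        h = h * pow(g, b % Q, P) % P
    return h


def split_into_blocks(data: bytes) -> list[list[int]]:
    """Owner side: one byte per Z_Q element, zero-padded to a whole block."""
    elems = list(data) + [0] * ((-len(data)) % BLOCK_LEN)
    return [elems[i:i + BLOCK_LEN] for i in range(0, len(elems), BLOCK_LEN)]


def make_tags(blocks: list[list[int]]) -> list[int]:
    """Owner keeps these small tags locally and uploads the blocks to the cloud."""
    return [homomorphic_hash(b) for b in blocks]


def make_challenge(n_blocks: int, rng: random.Random) -> list[int]:
    """Verifier: a non-zero coefficient for every block, so each block must be present."""
    return [rng.randrange(1, Q) for _ in range(n_blocks)]


def prove(stored_blocks: list[list[int]], coeffs: list[int]) -> list[int]:
    """Cloud side: answer with the coefficient-weighted sum of its blocks (one block long)."""
    combined = [0] * BLOCK_LEN
    for c, blk in zip(coeffs, stored_blocks):
        for i, b in enumerate(blk):
            combined[i] = (combined[i] + c * b) % Q
    return combined


def verify(tags: list[int], coeffs: list[int], response: list[int]) -> bool:
    """Owner side: h(response) must equal prod_j tag_j^(c_j), computed from the tags alone."""
    expected = 1
    for t, c in zip(tags, coeffs):
        expected = expected * pow(t, c, P) % P
    return len(response) == BLOCK_LEN and homomorphic_hash(response) == expected


def audit(tags: list[int], stored_blocks: list[list[int]], seed: int = 7) -> bool:
    """One challenge-response round; the seed is fixed only to keep the example reproducible."""
    coeffs = make_challenge(len(tags), random.Random(seed))
    return verify(tags, coeffs, prove(stored_blocks, coeffs))


def demo() -> tuple[bool, bool]:
    """Honest cloud passes; a cloud that altered one element of one block fails."""
    data = b"constructed sample payload kept in the security cloud"  # constructed input
    blocks = split_into_blocks(data)
    tags = make_tags(blocks)
    honest = audit(tags, blocks)
    corrupted = [list(b) for b in blocks]
    corrupted[2][0] = (corrupted[2][0] + 1) % Q      # silent corruption of one element
    return honest, audit(tags, corrupted)


if __name__ == "__main__":
    print("honest cloud verified: %s, corrupted cloud verified: %s" % demo())
```

The response is always one block long, so the owner's audit cost does not grow with the size of the stored data. Because every challenge coefficient is non-zero and the generators have prime order, a cloud whose copy differs in even one element of one block returns a response whose hash cannot match the tags, so the corruption in `demo` is detected deterministically rather than probabilistically. The toy primes here give no real security; a deployment needs large parameters and should additionally bind each challenge to a fresh nonce so that old responses cannot be replayed.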

The Blue Shield network security cloud protection platform architecture consists of the network security infrastructure layer IaaS (Infrastructure as a Service), the network security application platform layer PaaS (Platform as a Service) and the network security service layer SaaS (Security Software as a Service), as follows:

Figure 1 Blue Shield cloud security platform architecture

(1) The network security infrastructure layer IaaS provides the basic storage and computing resources. It builds the cloud infrastructure layer on the open-source Xen virtualization system, virtualizes the hardware resources, and uses the virtual machine as the basic unit for allocating, scheduling and managing resources. The Xen-virtualized infrastructure resources are then delivered over the network.

(2) On top of IaaS, basic common functions are exposed through corresponding service interfaces to form the network security application platform layer PaaS. PaaS is based on the open-source Hadoop cloud computing application platform, providing HDFS distributed storage and MapReduce parallel computing in support of the common needs of innovative software and services, including storage and backup of massive data, the collection, analysis and monitoring of massive amounts of security information, and the basic realization of cooperative defense.

(3) On top of PaaS, Web service interfaces deliver all kinds of application-oriented software services in the form of network services, including cloud Web site protection, cloud risk assessment, cloud auditing, cloud firewall and other software services.

(1) Network security infrastructure layer

The network security infrastructure layer IaaS provides the basic storage and computing resources. It builds the cloud infrastructure layer on the Xen virtualization system, virtualizes the hardware resources, and uses the virtual machine as the basic unit for allocating, scheduling and managing resources. The Xen-virtualized infrastructure resources are then delivered over the network.

Xen is the cloud virtualization infrastructure platform: it virtualizes the hardware resources and provides a unified platform for managing and accessing them. Introducing virtualization at the device level lets one physical device be virtualized into many devices whose environments are strictly isolated from one another. The project supports users obtaining application services from any location and from a variety of terminals. The resources a user requests come from the cloud rather than from a fixed physical entity; the application runs somewhere in the cloud, and the user need not know where. A laptop or a mobile phone with network access is enough to use the security cloud services.

Fig. 2 Xen Application System

Xen implements the following main functions:

① Virtualization of hardware resources. By virtualizing the hardware, Xen presents a consistent environment and platform across different hardware, which simplifies software development and management.

② Secure isolation of multi-tenant sharing and of services on the hardware resources. Through virtualization Xen partitions, isolates and shares the hardware so that several groups of users can share a single machine, improving hardware utilization; at the same time the virtualization process forms strict isolation zones that give each service a safe area in which to run.

③ Pooled, intensive management of resources. After virtualizing the hardware, Xen creates a unified resource pool and manages and allocates hardware resources centrally to maximize utilization.

④ An intensive product development model. Traditional silo-style development has to start from the hardware platform; once the Xen platform is integrated, product development can start directly from the application module without regard to the underlying hardware and software platform.

(3) Network Security application Platform layer

In the network security application platform layer, the Hadoop platform underpins the common services offered by the network security service layer, such as cloud protection of Web sites, cloud firewall, cloud security risk assessment, cloud security policy management, cloud security collaborative defense and cloud security traffic management.
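The PaaS layer described above and in the platform overview relies on Hadoop MapReduce to analyze and monitor large volumes of security information in support of collaborative defense. The following is an added example, not code from the paper or from Blue Shield, of what such a job looks like: a mapper and reducer in the Hadoop Streaming style (stdin/stdout, tab-separated records) that count denied connections per source address across firewall logs and flag sources that exceed a threshold. The log format, the sample lines, the `DENY_THRESHOLD` policy and the `run_local` stand-in for the framework's shuffle are all constructed for illustration.

```python
"""Added example: map/reduce over firewall logs in the Hadoop Streaming style."""
import sys
from collections import defaultdict
from typing import Iterator, TextIO

# Constructed sample firewall log: "<timestamp> <ALLOW|DENY> <src_ip> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z DENY 203.0.113.7 10.0.0.5 22
2024-05-01T10:00:02Z DENY 203.0.113.7 10.0.0.5 23
2024-05-01T10:00:03Z ALLOW 198.51.100.2 10.0.0.8 443
2024-05-01T10:00:04Z DENY 203.0.113.7 10.0.0.6 3389
2024-05-01T10:00:05Z DENY 192.0.2.9 10.0.0.5 445
2024-05-01T10:00:06Z ALLOW 198.51.100.2 10.0.0.8 443
this line is deliberately malformed and must be skipped
2024-05-01T10:00:07Z DENY 203.0.113.7 10.0.0.7 22
"""

DENY_THRESHOLD = 3  # assumed policy: this many denied connections flags a source


def map_line(line: str) -> Iterator[tuple[str, tuple[int, int]]]:
    """Mapper: emit (src_ip, (denied, total)) for each well-formed record."""
    parts = line.split()
    if len(parts) != 5 or parts[1] not in ("ALLOW", "DENY"):
        return  # malformed input is dropped rather than crashing the job
    yield parts[2], (1 if parts[1] == "DENY" else 0, 1)


def reduce_group(values: list[tuple[int, int]]) -> tuple[int, int, bool]:
    """Reducer: sum the per-record counters for one source and apply the policy."""
    denied = sum(d for d, _ in values)
    total = sum(t for _, t in values)
    return denied, total, denied >= DENY_THRESHOLD


def run_local(lines) -> dict[str, tuple[int, int, bool]]:
    """Stand-in for the framework: map every line, group by key, reduce each group."""
    groups = defaultdict(list)
    for line in lines:
        for key, value in map_line(line):
            groups[key].append(value)
    return {src: reduce_group(vals) for src, vals in groups.items()}


def mapper_main(inp: TextIO = sys.stdin, out: TextIO = sys.stdout) -> None:
    """Hadoop Streaming mapper: one tab-separated 'src denied total' line per record."""
    for line in inp:
        for src, (d, t) in map_line(line):
            out.write(f"{src}\t{d}\t{t}\n")


def reducer_main(inp: TextIO = sys.stdin, out: TextIO = sys.stdout) -> None:
    """Hadoop Streaming reducer: the framework delivers mapper output sorted by key."""

    def flush(src: str, values: list[tuple[int, int]]) -> None:
        denied, total, flagged = reduce_group(values)
        out.write(f"{src}\t{denied}\t{total}\t{'FLAG' if flagged else 'ok'}\n")

    current, values = None, []
    for line in inp:
        src, d, t = line.rstrip("\n").split("\t")
        if current is not None and src != current:
            flush(current, values)
            values = []
        current = src
        values.append((int(d), int(t)))
    if current is not None:
        flush(current, values)


if __name__ == "__main__":
    mode = sys.argv[1] if len(sys.argv) > 1 else "local"
    if mode == "map":
        mapper_main()
    elif mode == "reduce":
        reducer_main()
    else:
        for src, (denied, total, flagged) in sorted(run_local(SAMPLE_LOG.splitlines()).items()):
            print(src, denied, total, "FLAG" if flagged else "ok")
```

Run without arguments to process the embedded sample locally; under Hadoop Streaming the same file would be passed as both mapper and reducer, assumed here as `script.py map` and `script.py reduce`. The reducer only ever holds the records of one source at a time, which is what lets this pattern scale to the volumes the platform layer is meant to handle; the flagged sources are the input a collaborative defense service would distribute to the firewalls it coordinates.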

4. Conclusion

This paper explores the key technologies needed for cloud security services. On the basis of Blue Shield's existing integrated network security devices and systems, a cloud security service architecture is designed that realizes three services: the unified threat management cloud service, the unified terminal management cloud service and the unified policy management cloud service. Together they bring the advantages of the cloud computing environment to network security, and in particular to external network defense.
