Discussion on the traditional security product virtualization in cloud computing environment

Traditional it construction, users need to purchase their own hardware equipment, operating system, purchase or develop their own business systems, and put a lot of maintenance costs. In view of the expansion of the business and the instantaneous use of the peak, each system's computing, storage capacity must have a certain amount of redundancy, which means that most of the time the redundant resources are wasted. However, when business explodes, it facilities cannot meet the needs immediately due to the construction cycle. The advent of cloud computing will completely solve these problems.

Cloud computing and storage resources through the network to connect to a unified management and scheduling, on-demand delivery services. Users can gain storage space, computing power, or application system only through network access.

According to NIST's definition, the basic features of cloud computing are: on-demand service, extensive network access, resource pooling, fast elasticity, measurable services. Three service modes, infrastructure as service (IaaS), Platform as Service (PaaS) and software as service (SaaS).

Compared with the traditional it construction model, business owners need not build their own IT systems, only to become cloud computing tenants, they can obtain flexible scalability, but also to avoid cumbersome system maintenance work. Because this model only needs to pay for the resources already used, thus greatly improving the IT construction investment rate of return.

But cloud computing has posed a serious challenge to network security. From the perspective of cloud computing tenants, the network, equipment, applications, data are not under their control, even do not know the specific physical location, how to ensure data security and business continuity is clearly the biggest challenge. So that Cisco's CEO Chambers exclaimed, "This is going to be a security nightmare."

From the perspective of cloud provider, there is no change in the network security requirements in traditional mode, whether from the confidentiality, integrality, usability of information security, or from the physical layer to the application layer according to the network level, it is still a problem to be solved. In traditional network security solution, the most important point is to establish network boundary, distinguish trusting domain and untrusted domain, then make access control and security defense in network boundary. However, there is still a boundary between cloud computing resource pool and Internet, and there are different domains in the resource pool because of the need of management. This means that traditional network security products can continue to play its role.

Then whether the traditional network security products can fully meet the security requirements of the cloud computing environment?

The business owner in the traditional it construction is the platform owner and the security responsible person. "Computer Information Network international networking Security Management measures" tenth also clearly stipulates that each unit responsible for the network's security responsibilities, establish "who is responsible for, who is in charge, who operates, who is responsible for" principle. Cloud computing and virtualization applications, business owners are just cloud computing tenants, not platform owners, thereby altering this security responsibility relationship. In different service modes, the security responsibilities of business owners vary: In SaaS mode, business owners basically rely on services to ensure network security, while PAAs or IaaS mode, the business all need to monitor and manage security, but the physical security and so on to the cloud service provider.

This change in security responsibilities is bound to require a different security view for cloud computing service providers and cloud tenants. For cloud tenants, it is only necessary to care about their data security and business continuity, regardless of where the actual physical server is in the earth. For cloud service providers, it is necessary to focus on the security of each server, each network, and the security status of the key tenant.

How do network security products meet these flexible management requirements? The answer is virtualization. Virtualization of security products will provide flexible, scalable security protection for cloud service providers and cloud users.

We will further analyze the virtualization requirements of traditional security products in different scenarios.

Application Scenario One:

In the case of SaaS, cloud computing service providers set up resource pools for tenants to connect to the Internet through physical wiring. Cloud computing service providers need security monitoring and management on the Internet, so they deploy FW/UTM, IDS, auditing, and other security devices that monitor the external traffic of all servers and devices in the resource pool.

Because the Uniform resource pool traffic passes through the same security device, different tenants may not have the same security requirements, which means that security devices can provide different security policies for different tenants, and that different tenants cannot rely solely on physical ports, but must use identity such as IP address, VLAN, etc. The resulting log also needs to be filtered and filtered according to different users. This requires the ability of the security device to have a virtual device from the functional level, which corresponds to the virtual device on the security device and the user's resource pool.

Application Scenario Two:

With cloud computing tenants increasing demand for service capabilities, servers used by the same cloud tenant are no longer in the same resource pool, or even in the same geographic location, where the same cloud tenant traffic passes through multiple security devices.

In this scenario, the virtual devices on different physical security devices are required to be managed uniformly, and multiple virtual devices can be bound to a single logical device.

Application Scenario Three:

In the case of PAAs or IAAS, cloud-computing tenants also need to monitor their security status in addition to the continued security monitoring of cloud computing service providers. In other words, users of security devices, in addition to cloud service providers, there are cloud computing tenants.

In this case, the security device, in addition to the functionality of the virtual engine, must also be able to create accounts for cloud computing tenants and designate one or more virtual devices for management.

Through the analysis of the above different scenarios, we can see that different security roles have their own security needs, under different service modes and different resource sizes, the same security role needs different security products. Scene one and scene two analyze the demand of security products on the network boundary of Cloud Computing center, and scenario three analyzes the different needs of cloud computing tenant and service provider. These requirements can be met by increasing the virtualization capabilities of traditional security offerings.

The emergence of cloud computing has challenged the traditional network security concept. Venus Chen believes that we must take the initiative to meet new changes, positive thinking, continuous innovation, to the user's business escort, to contribute to the security industry.

(Responsible editor: The good of the Legacy)