Security Technology of the Enterprise Private Cloud Platform

Source: Internet
Author: User

Cloud computing is a new Internet-based computing technology that integrates distributed computing, utility computing, parallel computing, grid computing, networked storage, virtualization and other traditional computer and network technologies into a new set of standards and models. The concept is rapidly being applied in production environments, the scope of cloud services keeps growing, and their influence is hard to measure. In plain terms, cloud computing lets users hand all data-processing tasks to the network: an enterprise-class data center performs the work that the client's computer would otherwise do, so individual users, and users with many different devices, save on hardware resources. The cloud platform security measures described in this article are aimed primarily at VMware-based cloud computing platforms.

1. Introduction to Cloud Security

Currently, the typical enterprise private cloud computing platform topology is shown in Figure 1.

[Figure 1: typical enterprise private cloud computing platform topology]

Cloud computing is on the rise and security research on cloud platforms is ongoing. Despite the security implications of cloud computing, it also presents opportunities for information security. In the cloud computing model, data is stored centrally, which brings at least two benefits for data security:

(1) It reduces the risk of data being stolen, destroyed or leaked. This is one of the advantages most often cited by cloud service providers: as long as users have Internet access they can reach their data at any time, without carrying it with them or maintaining and repairing storage devices themselves.

(2) It makes security monitoring of data easier. With data stored centrally in one or a few data centers, the data center operators can manage it uniformly and take charge of resource allocation, load balancing, software deployment and security control, and real-time security monitoring, backup and recovery of the data become more reliable.

Although cloud computing itself contributes to security, the complexity of cloud computing, the dynamic nature of its users and other characteristics mean that security issues remain a major challenge to its development. How to ensure mutual identification and trust between the different subjects in a cloud environment, the confidentiality and integrity of each subject's requests, and the availability and confidentiality of computation [3], and how to make the cloud environment suitable for different kinds of security requirements, are urgent problems.

2. Cloud Security Research Based on the Enterprise Cloud Platform

With the growth of enterprise informatization, production and office staff have an urgent need for mobile working, for example mobile file browsing and annotation. At the same time, business development depends on an advanced information platform for strong support: high-performance computing clusters, three-dimensional visualization graphics workstations, large volumes of data storage equipment and professional applications with different functions provide solid technical support for more accurate and efficient decision-making. These requirements call for a new service platform, and cloud computing is such a platform: it moves the delivery of services to the cloud, so that all users can obtain low-cost, high-performance, rapidly provisioned cloud services. However, security is always the biggest problem and hidden risk for putting a cloud platform into normal use. Service security, data security, personal privacy and similar concerns require a complete cloud platform security system to be built around the enterprise's actual business. Out of economic considerations, the enterprise's existing security infrastructure should be integrated with the cloud platform as far as possible, and the tension between cloud platform performance and security should be analyzed to find the best balance point, making the cloud platform more secure and reliable.

Figure 2 shows a complete cloud security architecture. It covers the physical, link, network, transport and application layers and applies as many security measures as possible to keep the private cloud platform operating safely. How to make each security measure effective without the measures conflicting with one another, and how to minimize the system overhead of security monitoring while maintaining safe conditions, are problems that still need to be addressed. The security measures introduced in this paper are Ukey authentication, access control, data encryption and intrusion detection.

2.1 Ukey Unified Identity Authentication Security

In an increasingly complex network environment, ordinary network access authentication can no longer meet security needs: it is difficult to establish user identity and to guarantee the privacy of data, so Ukey devices are used for access authentication of a number of special business systems. Using Ukey authentication as the access authentication of the cloud platform not only improves platform security but also makes the most of the Ukey's high reliability to protect cloud computing resources and prevent illegal operations by unauthorized users. SSL VPN provides secure communication for remote users through a virtual private network built on the SSL protocol, and combining Ukey authentication with SSL VPN technology can greatly improve the security of the cloud platform.


2.2 Security Management, Control and Audit of the Cloud Platform: Research and Solution

The cloud security management platform is built on the infrastructure of the cloud computing environment and relies mainly on the functions of the VMware software, combined with other security management strategies, for unified management and control.

2.2.1 Access Control Policy

The cloud security management platform defines different access policies for different resources and for service control over those resources. The level and sensitivity of user data in the enterprise also differ, and important or sensitive data needs more protection, so access control policies must be developed specifically for such data and files. Users are identified through the Ukey, and access to users, computer resources and network resources is restricted according to identity and category, so that legitimate users can access resources normally while illegal access is prevented.

2.2.2 Data Storage Security Policy

Enterprise data faces a variety of threats, and the storage service itself is not trusted, so data encryption is the first choice for solving the problem. Symmetric algorithms such as DES are widely used because of their fast encryption and decryption speed, while asymmetric systems such as RSA offer higher strength. Dynamically generating a DES key and protecting it with RSA public-key encryption combines the advantages of both and strikes a balance between performance and strength.

Before processing begins, the cloud encryption program obtains the RSA public key of the user who will receive the data from the public key library. When encryption starts, a DES key generator randomly generates a DES key; the program chooses a value n according to the algorithm, reads n bytes from the source data and encrypts them with the random DES key into a ciphertext of m bytes. At the same time, the DES key is encrypted with the receiver's RSA public key. The encrypted DES key, the encrypted n bytes of source data and the lengths of the two are stored together in the cloud as one packet, as shown in Figure 3. The client then continues: it regenerates a random DES key and a random n and repeats the process for the second packet and so on until the last packet, which completes the encryption.

[Figure 3: structure of an encrypted packet stored in the cloud]

The decryption process begins with the data receiver reading the first two 32-bit fields, which give the length of the encrypted DES key (call it L1) and the length of the encrypted data (L2). It then reads L1 bytes and L2 bytes from the packet in turn, decrypts the former with the receiver's RSA private key to recover the DES key, decrypts the latter with that DES key, and appends the resulting plaintext to the target data being saved. This completes the decryption of one packet, as shown in Figure 4. The process is repeated until all packets have been decrypted and the original data is recovered.
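The per-packet hybrid scheme described above, as an added example in Go (not code from the original article; Figure 3 is not reproduced here, so the exact layout is an assumption): each packet carries the two 32-bit lengths L1 and L2 in the clear, then the DES key wrapped with the receiver's RSA public key (RSA-OAEP is assumed as the padding), then a random IV followed by the DES-CBC ciphertext of one n-byte chunk with PKCS#7 padding. The decrypting side checks both lengths against the packet size and validates the unwrapped key and the padding before accepting any plaintext.

```go
package main
import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)
// Assumed layout: [L1 u32][L2 u32][RSA-OAEP(DES key): L1 bytes][IV || DES-CBC(PKCS#7(chunk)): L2 bytes].
func encryptChunk(pub *rsa.PublicKey, chunk []byte) ([]byte, error) {
	kiv := make([]byte, 16) // fresh DES key (8 B) + CBC IV (8 B), used for this one packet only
	if _, err := rand.Read(kiv); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, kiv[:8], nil)
	if err != nil {
		return nil, err
	}
	blk, _ := des.NewCipher(kiv[:8]) // cannot fail for an 8-byte key; DES only because the article specifies it
	padN := 8 - len(chunk)%8         // PKCS#7: always at least one pad byte
	padded := append(append([]byte{}, chunk...), bytes.Repeat([]byte{byte(padN)}, padN)...)
	body := append(append([]byte{}, kiv[8:]...), make([]byte, len(padded))...) // IV || ciphertext
	cipher.NewCBCEncrypter(blk, kiv[8:]).CryptBlocks(body[8:], padded)
	pkt := make([]byte, 8, 8+len(wrapped)+len(body))
	binary.BigEndian.PutUint32(pkt, uint32(len(wrapped)))
	binary.BigEndian.PutUint32(pkt[4:], uint32(len(body)))
	return append(append(pkt, wrapped...), body...), nil
}
func decryptChunk(priv *rsa.PrivateKey, pkt []byte) ([]byte, error) { // rejects any inconsistent packet
	if len(pkt) < 8 || uint64(len(pkt))-8 != uint64(binary.BigEndian.Uint32(pkt))+uint64(binary.BigEndian.Uint32(pkt[4:])) {
		return nil, errors.New("length fields do not match packet size")
	}
	l1 := binary.BigEndian.Uint32(pkt)
	body := pkt[8+l1:] // IV || ciphertext, L2 bytes
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, pkt[8:8+l1], nil)
	if err != nil || len(key) != 8 || len(body) < 16 || len(body)%8 != 0 {
		return nil, errors.New("malformed key blob or ciphertext body")
	}
	blk, _ := des.NewCipher(key)
	plain := make([]byte, len(body)-8)
	cipher.NewCBCDecrypter(blk, body[:8]).CryptBlocks(plain, body[8:])
	padN := int(plain[len(plain)-1])
	if padN < 1 || padN > 8 || !bytes.Equal(plain[len(plain)-padN:], bytes.Repeat([]byte{byte(padN)}, padN)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return plain[:len(plain)-padN], nil
}
```

The caller splits the source data into chunks and calls encryptChunk once per chunk, exactly as the article repeats the process packet by packet; the same framing works unchanged with a modern block cipher in place of DES.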

2.3 Intrusion Detection on the Cloud Computing Platform

Cloud platform data is more concentrated and therefore more exposed to attacks and intrusions, and the traditional signature-based method of anti-virus software can no longer effectively guarantee the security of the cloud platform. Intrusion detection and defense are thus all the more important: threats to the network, framework and data of the cloud computing platform must be monitored, detected and defended against actively and in real time.


Traditional intrusion detection and protection is a passive defense system that has difficulty meeting the current situation of network attack and defense. The method described here combines active defense with traditional passive defense and explores integrating an intrusion detection system with the cloud computing platform. It uses an improved Apriori algorithm in which a level-wise sequential search mines frequent itemsets, speeding up mining and quickly determining whether the network or system has been intruded upon. When the queried behavior is legitimate, the system returns a complete and correct explanation; when the queried behavior shows features of misoperation or malicious behavior, the explanation is associated with the nodes of the specific events, whether the behavior is legitimate or wrong is determined from the node behavior (that is, the state changes or information passing at certain nodes), and the necessary handling measures are taken.

3. Conclusion

As a new model, cloud computing has brought great change to enterprise informatization and is a development trend of the IT industry. It improves network efficiency and saves enterprise cost and resources, and its application prospects are very broad, but security remains the biggest obstacle to enterprises fully deploying cloud platforms. The cloud security defense strategies proposed in this article are not yet mature. Future work should therefore study in depth how to effectively control access rights and the overall security management mechanism, how to classify data further, how to perform real-time security operation and monitoring, and how to control the risk of external attacks more effectively, so as to improve the security of cloud computing platforms and offer a more secure environment for the wider use of cloud computing in enterprises.
