The awkward state of private cloud security, and how an IDC ensures security

Source: Internet
Author: User
Keywords: cloud computing, private cloud

The awkward state of private cloud security

Generally speaking, moving from an existing IT management system to a private cloud platform takes several steps: centralizing large data sets, integrating business systems, virtualizing IT resources, moving the management platform into the cloud, and delivering cloud services. (Many people equate a private cloud with building an information center. In fact, the virtualization of an information center usually merges the last two phases into a unified operations and maintenance platform for the center, but does not necessarily deliver cloud services, so it cannot be called a private cloud in the strict sense.) In this process, resource virtualization is the key: only once resources are managed as virtualized resources can one speak of dynamic deployment and of flexible service support. Which resources can and need to be managed this way? Compute resources, including CPU and memory, plus storage resources and network resources. Notice that security resources are generally absent from this list. That is not surprising: virtualization platform vendors concentrate first on delivering business services, and security is mostly considered afterwards.

This leaves CIOs with a problem. A private cloud provides unified services to all business units, and those services include not only compute, storage and network resources but also security resources: identity authentication, anti-virus, intrusion detection, behaviour auditing and so on. A system that is handed only compute and storage resources is, in effect, delivered to its users "naked". A private cloud also differs from a public cloud. A public cloud runs a single kind of business and can set one uniform security policy; in a private cloud the security requirements of different business systems vary widely. When different business systems in one "cloud" need different security policies, how are those policies to be deployed?

Cloud computing security has been a hot topic in the industry, and a dedicated body, the CSA (Cloud Security Alliance), has produced a good deal of guidance, but putting it into practice is harder. In summary, implementing cloud security runs into two problems:

The first is the architecture of the cloud computing system itself. With virtualized resource management, a business system's server no longer runs on an identifiable physical server; it is a VM (virtual machine) that drifts dynamically, and the users of different business systems move in and out of the same "clump" with no "boundary" between systems. How do you guarantee that a curious user cannot peek at another system's data? Can the isolation of users' business traffic rely solely on the management functions of the virtualization operating system? Leaving aside hypervisor-level attack research such as "Blue Pill", the traditional operating system has a long list of vulnerabilities; will a virtualization operating system have far fewer? And when it does have one, the damage is greater, because a single flaw in the hypervisor exposes every business system running on it.

Second, the problem of the virtualization operating system vendors. Not many vendors can supply a virtualization operating system: VMware, Microsoft, Citrix, Xen, Red Hat and a few others. VMware, with the largest market share, keeps its code proprietary, as Microsoft does, and offers only a third-party development API. VMware does provide a low-level security interface, VMsafe, but at present it is not open to domestic security vendors, so deploying security on VMware means buying products from foreign third-party security vendors. Others such as Xen are open source, so there is no interface problem, but they require the user to have a very strong technical team of its own to deploy and maintain them.

In a word: security in the cloud is a serious problem, and the ideal solution is for security devices to form a resource pool just as storage devices do, so that when a user requests a cloud server, security resources are allocated on demand together with compute and storage.

Given the current state of the security vendors, it will take some time to reach that stage. To secure private cloud services during the transition, we propose a transitional security solution: the "multi-cloud" scheme, in which the enterprise's private cloud is split into several separate clouds.

Design idea of the "multi-cloud" scheme

Since there is as yet no way to determine how many different business systems can be safely isolated within one cloud, business systems are grouped according to their security requirements: systems with similar security requirements and similar service populations are deployed in one cloud, and systems that differ are deployed in different clouds, so that the enterprise ends up with a group of clouds. The split may follow the kind of business, for example an office business cloud, a production business cloud and an Internet services cloud, or it may follow the classified protection level: a Level 1 system cloud, a Level 2 system cloud and a Level 3 system cloud.

Design model of the "multi-cloud" scheme

The enterprise core network is "physical", and the clouds serving the different businesses attach to it. Each cloud has its own cloud management center, responsible for managing that cloud's compute, storage and security resources. Enterprise users are divided into virtual terminals (for example thin "dumb" terminals running a virtual desktop) and real terminals (for example PCs, the "rich" terminals). Through the corporate network a user can log in to the different clouds, with a single unified identity authentication across the whole network. A cloud security management center platform is also established; through the interfaces of the individual cloud management centers it can directly monitor the running state of the virtual machines in each cloud.

The advantages of the multi-cloud scheme are obvious. Within one cloud the business systems have similar security requirements and the same users, so the need for security isolation is greatly reduced, and the dilemma of isolating different business systems inside one cloud is avoided. The network between clouds is "physically" visible, so traditional security boundary thinking applies in full. Different clouds can also run different virtualization operating systems, reducing over-dependence on one vendor (dependence on Microsoft for the desktop operating system is already a headache for many CIOs). Finally, if one cloud has a problem, the business systems in the other clouds are not affected.

The disadvantages are equally obvious: utilization of IT resources is limited, which clearly runs counter to the goal of adopting virtualization, and deliberately building several clouds with several management platforms obviously increases management complexity.

Even so, the multi-cloud scheme resolves the present contradiction between a virtualization platform whose own security is not yet adequate and business demands that push the cloud computing model forward. Crossing the river by feeling for the stones is still better than standing still.

The multi-cloud scheme divides private cloud security into two parts: 1. security between the clouds; 2. security within a cloud.

The idea of security design between clouds

Logically, the different clouds are like the "security domains" of traditional security design, with clear security zone boundaries, so security between clouds can follow traditional security design thinking. Deployment can follow the "Vase model" of three baselines plus one platform: a boundary protection baseline at the network boundary and at the boundaries between security domains; a dynamic monitoring baseline covering the important resource areas and the core aggregation layer; a trust management baseline for users and operations staff; and a security management platform for daily operation and emergency handling. The specific technical and management requirements can follow the classified protection requirements and are not repeated here.
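As an added example (not code from the original article), the grouping rule of the design idea above and the boundary design of this section can be reduced to two concrete controls: an admission check that places a VM only into the cloud whose classified protection level and service population match exactly, refusing anything else rather than picking a "nearest" cloud, and a default-deny boundary policy between clouds rendered as an nftables forward chain for the core network. The cloud names, levels, address blocks, system names and allowed flows below are constructed for illustration and are not from the page.

```python
"""Admission control and inter-cloud boundary policy for a partitioned private cloud.

Added example; the clouds, CIDRs and flow allowlist are constructed, not real.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Cloud:
    name: str
    level: int       # classified protection level the cloud is built for
    audience: str    # who its systems serve: "office", "plant", "internet", ...
    cidr: str        # address block the physical core network routes to this cloud


@dataclass(frozen=True)
class VmRequest:
    system: str
    level: int
    audience: str


@dataclass(frozen=True)
class Flow:
    src: str         # source cloud name
    dst: str         # destination cloud name
    proto: str       # "tcp" or "udp"
    dport: int


# Constructed inventory mirroring the article's office / production / Internet split.
CLOUDS = [
    Cloud("office",     2, "office",   "10.10.0.0/16"),
    Cloud("production", 3, "plant",    "10.20.0.0/16"),
    Cloud("internet",   2, "internet", "10.30.0.0/16"),
]

# Constructed allowlist of cloud-to-cloud flows; everything else is dropped at the boundary.
ALLOWED_FLOWS = [
    Flow("office", "production", "tcp", 443),   # office staff reach a production web front end
    Flow("internet", "office", "tcp", 25),       # mail relay from the Internet services cloud
]


class PlacementError(ValueError):
    pass


def choose_cloud(req: VmRequest, clouds: List[Cloud] = CLOUDS) -> Cloud:
    """Admit a VM only into a cloud whose level AND audience match exactly.

    No fallback: placing a level-3 system in a level-2 cloud, or a plant system
    among office users, recreates the mixed-tenant isolation problem the
    partitioning exists to avoid.
    """
    for c in clouds:
        if c.level == req.level and c.audience == req.audience:
            return c
    raise PlacementError(
        f"no cloud for {req.system}: level={req.level}, audience={req.audience}")


def audit_placements(placements: Dict[str, Tuple[str, int, str]],
                     clouds: List[Cloud] = CLOUDS) -> List[str]:
    """Check an existing inventory {system: (cloud, level, audience)} for drift.

    Returns one message per system sitting in a cloud it does not belong in,
    so the cloud security management center can flag it.
    """
    by_name = {c.name: c for c in clouds}
    problems = []
    for system, (cloud_name, level, audience) in placements.items():
        c = by_name.get(cloud_name)
        if c is None:
            problems.append(f"{system}: unknown cloud {cloud_name}")
        elif (c.level, c.audience) != (level, audience):
            problems.append(
                f"{system}: in {cloud_name} (L{c.level}/{c.audience}) "
                f"but needs L{level}/{audience}")
    return problems


def boundary_rules(clouds: List[Cloud] = CLOUDS,
                   flows: List[Flow] = ALLOWED_FLOWS) -> List[str]:
    """Render a default-deny nftables forward chain for the core-network boundary.

    Traffic that stays inside one cloud never crosses this boundary, so the
    chain only reasons about cloud-to-cloud flows: the classic security-domain
    allowlist, with every unlisted flow logged and dropped.
    """
    cidr = {c.name: c.cidr for c in clouds}
    for f in flows:
        if f.src not in cidr or f.dst not in cidr:
            raise ValueError(f"flow references an unknown cloud: {f}")
        if f.src == f.dst:
            raise ValueError(f"intra-cloud flow does not belong at the boundary: {f}")
    rules = [
        "table inet cloud_boundary {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for f in flows:
        rules.append(f"    ip saddr {cidr[f.src]} ip daddr {cidr[f.dst]} "
                     f"{f.proto} dport {f.dport} accept")
    rules += ['    log prefix "inter-cloud drop: " drop', "  }", "}"]
    return rules


if __name__ == "__main__":
    print(choose_cloud(VmRequest("mes-web", 3, "plant")).name)
    print("\n".join(boundary_rules()))
```

The admission check is deliberately strict: a request that matches no cloud is an error for the cloud management center to resolve, not something to be squeezed into the closest fit. The generated chain is the boundary half of the design; anything the allowlist does not name is dropped and logged, which also gives the dynamic monitoring baseline its raw material.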

The idea of security design within a cloud

Inside a cloud lies the scope of the cloud platform management system, which is to say the security design under one virtualization operating system's management platform. From the system point of view it splits into two levels: 1. virtual machine security; 2. virtualization platform security.

Security in virtual machines

A virtual machine is what the user applies for; from the user's point of view it is no different from a physical server, running the operating system and business software the user chose. Virtual machine security is therefore designed like host security protection for a physical system. In fact a virtual machine is simpler to manage than a physical machine: configuration changes and patch upgrades are easy to manage, and powering a machine on or off is just a matter of the files in a directory.

At the same time, a virtual machine's compute resources can be allocated dynamically, which removes the traditional conflict between host security and the business competing for resources: security monitoring on a host reduces its performance, and many business managers refuse to install any other resident software for that reason. Software compatibility problems still exist, of course, so before upgrading the system or installing security software, test it on other virtual machines first to make sure it does not disturb the normal operation of the business software.
