an approach to secure cloud computing architectures
DESCRIPTION
An Approach to Secure Cloud Computing Architectures. By Y. Serge Joseph FAU security Group February 24th, 2011. Motivation. A secure Cloud Computing architecture model requires a security layer at each design level . We are talking from a provider point of view . - PowerPoint PPT PresentationTRANSCRIPT
An Approach to Secure Cloud Computing Architectures
By Y. Serge JosephFAU security GroupFebruary 24th, 2011
Motivation
• A secure Cloud Computing architecture model requires a security layer at each design level.
• We are talking from a provider point of view. • Cloud Computing is a broad Subject.• We will only focus on the architecture of
Infrastructure as a Service layer
Cloud Computing Deployment models
• Private Cloud is concerned with the internal needs of an organization
• A public Cloud sells services to the general public
• Hybrid Cloud pools resources from different Clouds. It is a combination of public and private Cloud
• A community Cloud is a joint effort between different organizations to share resources
How does a provider choose a deployment model?
Deployment models are driven by:• Organization Needs• Prospective customers requirement• Cloud security concerns• Our design approach is based on the Cloud
Case Study example we present in the next slide
Example: Design a Cloud Computing for FAU with the following requirement
• On demand secure software development and testing environment for researchers/programmers: example .NET, Java, C++, database development environment
• Provide secure research laboratory as a service
• Pool cloud idle resources to run simulations; guaranty a minimum computation at peak time.
• offload computing to public Cloud such as Amazon EC2
What deployment model fit the above FAU Cloud?
• Choose a private Cloud solution with Amazon EC2 compatible API.
Let us Take a closer look at the requirement-- Provision of Simulation for research purpose
belongs to the SaaS layer-- The secure development and test environment
fit in PaaS layer-- On demand secure research laboratory
provision requires a IaaS Layer
Security Requirement for FAU Cloud
• We need to address security at each Level of the design
-- IaaS layer Security requirement (this Presentation)
-- PaaS layer Security requirement (Future Presentation)
-- SaaS layer Security requirement (Future Presentation)
Note
• We will respectively cover Security at the PaaS and SaaS in two future presentations
• At this point there will be no section reserved for Saas and PaaS
FAU Cloud IaaS Security requirement
• Availability: High throughput network bandwidth
• Physical Data Center temperature. • Restricted physical access to the Data Center• Redundant power source in case of power
failure.
FAU Cloud IaaS Security requirement
• Hardware maintenance agreement• Virtual Data Center policy• Compliance with electrical and data wiring• Cloud Server configuration Back up and
recovery policy• Fire prevention policy• Administrator Policy
IAAS Security Requirement
Secure protocol policyIntrusion Detection SystemFirewallAntivirusAnti malware
FAU Private Cloud Server Security Policy
• All server must have the following packages-- Intrusion Detection System (IDS)-- Firewall-- Antivirus-- Anti malwareSecure Protocol such as ssh, sftp, scopy
FAU Secure Private Cloud Architecture
We choose an Open Source solution: Eucalyptus Cloud -- Complement it with third party power management subsystem and -- Cloud Monitor Controller
The following components will be described in the next few slides• Node Controller• Storage Controller• Cloud Controller• Cluster controller• Walrus Storage• Power management Controller• Cloud Monitor System
Figure 1 shows a rough draft of the Eucalytus model (Courtesy of http://csrdu.org/blog/2010/10/23/introduction-to-private-cloud-computing-with-ubuntu-enterprise-cloud/)
Node Controller
• Runs as a server• Control Virtual machine instances• Discover hypervisors resources• Interfaces with Cluster Controller and Hypervisors • Provision resources to the VM• Propagate data to Cloud Controller Security measure:-- Apply server security policy as describe above
Use case for Node Controller
Storage Controller
• Similar to Amazon elastic block storage services
• Ability to create snapshots• Create and manage persistent block storage
device Security measure-- Apply server security policy as describe above
Use case for Storage Controller
Cloud Controller
• Monitor the overall cloud infrastructure• Monitor Node controller of hypervisor
resources• Interfaces with Cloud administrator• Provide resource arbitration• Monitor Virtual machine migrations• Run on top OS server
Cloud Controller (continued)
Security measure-- Apply server security policy as describe above
Use case for Cloud Controller
Cluster controller
• Process Cloud Controller to deploy instances• Select available hypervisor to deploy virtual
machines• Audit hypervisors and report to Cloud
Controller Security measure-- Apply server security policy as describe above
Use case for Cluster Controller
Walrus Storage Services
• Compatible with Amazon S3• Capacity to store virtual machine images• Store snapshot• Use S3 API to store files• Can coexist on the Cloud Controller server• Security measure:-- Apply server security policy as describe above
Use case for walrus services
Power management Controller
• Monitor power grid for failure• Failsafe to backup power subsystem• Auto detect grid power to return to normal
state• Security measure:• Use Secure channel to shutdown system• Allow trusted host by IP address and Mac
Address
Use case for Power Management
Cloud Monitor System
• Monitor room temperature• Monitor Cloud , Cluster, storage and
hypervisors controllers performance• Alert system administrator on any abnormality• Security measure:• Restrict access to admin• Patch daily as needed• Apply Organization security policy
Use case for Cloud Monitor system
Cloud administrator
• Manage Users• Manage Roles• Create Data Center• Manage VMs• Create Cloud Security Policy
Use case for cloud Administrator
The FAU Private Cloud ARchitecture
• Class diagram for Infrastructure as a service is shown in the next slide.
FAU private Cloud Architecture Class Diagram
Implementation of IaaS layer for the FAU Private Cloud
conclusion
• We only provide a secure architecture for Infrastructure as a Service in the FAU private Cloud Example.
• The design was based on security requirement for the respective layer
• Future presentation will address PaaS and SaaS Secure architecture