an approach to secure cloud computing architectures
DESCRIPTION
An Approach to Secure Cloud Computing Architectures. By Y. Serge Joseph FAU security Group February 24th, 2011. Motivation. A secure Cloud Computing architecture model requires a security layer at each design level . We are talking from a provider point of view . - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/1.jpg)
An Approach to Secure Cloud Computing Architectures
By Y. Serge JosephFAU security GroupFebruary 24th, 2011
![Page 2: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/2.jpg)
Motivation
• A secure Cloud Computing architecture model requires a security layer at each design level.
• We are talking from a provider point of view. • Cloud Computing is a broad Subject.• We will only focus on the architecture of
Infrastructure as a Service layer
![Page 3: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/3.jpg)
Cloud Computing Deployment models
• Private Cloud is concerned with the internal needs of an organization
• A public Cloud sells services to the general public
• Hybrid Cloud pools resources from different Clouds. It is a combination of public and private Cloud
• A community Cloud is a joint effort between different organizations to share resources
![Page 4: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/4.jpg)
How does a provider choose a deployment model?
Deployment models are driven by:• Organization Needs• Prospective customers requirement• Cloud security concerns• Our design approach is based on the Cloud
Case Study example we present in the next slide
![Page 5: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/5.jpg)
Example: Design a Cloud Computing for FAU with the following requirement
• On demand secure software development and testing environment for researchers/programmers: example .NET, Java, C++, database development environment
• Provide secure research laboratory as a service
• Pool cloud idle resources to run simulations; guaranty a minimum computation at peak time.
• offload computing to public Cloud such as Amazon EC2
![Page 6: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/6.jpg)
What deployment model fit the above FAU Cloud?
• Choose a private Cloud solution with Amazon EC2 compatible API.
Let us Take a closer look at the requirement-- Provision of Simulation for research purpose
belongs to the SaaS layer-- The secure development and test environment
fit in PaaS layer-- On demand secure research laboratory
provision requires a IaaS Layer
![Page 7: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/7.jpg)
Security Requirement for FAU Cloud
• We need to address security at each Level of the design
-- IaaS layer Security requirement (this Presentation)
-- PaaS layer Security requirement (Future Presentation)
-- SaaS layer Security requirement (Future Presentation)
![Page 8: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/8.jpg)
Note
• We will respectively cover Security at the PaaS and SaaS in two future presentations
• At this point there will be no section reserved for Saas and PaaS
![Page 9: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/9.jpg)
FAU Cloud IaaS Security requirement
• Availability: High throughput network bandwidth
• Physical Data Center temperature. • Restricted physical access to the Data Center• Redundant power source in case of power
failure.
![Page 10: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/10.jpg)
FAU Cloud IaaS Security requirement
• Hardware maintenance agreement• Virtual Data Center policy• Compliance with electrical and data wiring• Cloud Server configuration Back up and
recovery policy• Fire prevention policy• Administrator Policy
![Page 11: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/11.jpg)
IAAS Security Requirement
Secure protocol policyIntrusion Detection SystemFirewallAntivirusAnti malware
![Page 12: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/12.jpg)
FAU Private Cloud Server Security Policy
• All server must have the following packages-- Intrusion Detection System (IDS)-- Firewall-- Antivirus-- Anti malwareSecure Protocol such as ssh, sftp, scopy
![Page 13: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/13.jpg)
FAU Secure Private Cloud Architecture
We choose an Open Source solution: Eucalyptus Cloud -- Complement it with third party power management subsystem and -- Cloud Monitor Controller
The following components will be described in the next few slides• Node Controller• Storage Controller• Cloud Controller• Cluster controller• Walrus Storage• Power management Controller• Cloud Monitor System
![Page 14: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/14.jpg)
Figure 1 shows a rough draft of the Eucalytus model (Courtesy of http://csrdu.org/blog/2010/10/23/introduction-to-private-cloud-computing-with-ubuntu-enterprise-cloud/)
![Page 15: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/15.jpg)
Node Controller
• Runs as a server• Control Virtual machine instances• Discover hypervisors resources• Interfaces with Cluster Controller and Hypervisors • Provision resources to the VM• Propagate data to Cloud Controller Security measure:-- Apply server security policy as describe above
![Page 16: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/16.jpg)
Use case for Node Controller
![Page 17: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/17.jpg)
Storage Controller
• Similar to Amazon elastic block storage services
• Ability to create snapshots• Create and manage persistent block storage
device Security measure-- Apply server security policy as describe above
![Page 18: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/18.jpg)
Use case for Storage Controller
![Page 19: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/19.jpg)
Cloud Controller
• Monitor the overall cloud infrastructure• Monitor Node controller of hypervisor
resources• Interfaces with Cloud administrator• Provide resource arbitration• Monitor Virtual machine migrations• Run on top OS server
![Page 20: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/20.jpg)
Cloud Controller (continued)
Security measure-- Apply server security policy as describe above
![Page 21: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/21.jpg)
Use case for Cloud Controller
![Page 22: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/22.jpg)
Cluster controller
• Process Cloud Controller to deploy instances• Select available hypervisor to deploy virtual
machines• Audit hypervisors and report to Cloud
Controller Security measure-- Apply server security policy as describe above
![Page 23: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/23.jpg)
Use case for Cluster Controller
![Page 24: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/24.jpg)
Walrus Storage Services
• Compatible with Amazon S3• Capacity to store virtual machine images• Store snapshot• Use S3 API to store files• Can coexist on the Cloud Controller server• Security measure:-- Apply server security policy as describe above
![Page 25: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/25.jpg)
Use case for walrus services
![Page 26: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/26.jpg)
Power management Controller
• Monitor power grid for failure• Failsafe to backup power subsystem• Auto detect grid power to return to normal
state• Security measure:• Use Secure channel to shutdown system• Allow trusted host by IP address and Mac
Address
![Page 27: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/27.jpg)
Use case for Power Management
![Page 28: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/28.jpg)
Cloud Monitor System
• Monitor room temperature• Monitor Cloud , Cluster, storage and
hypervisors controllers performance• Alert system administrator on any abnormality• Security measure:• Restrict access to admin• Patch daily as needed• Apply Organization security policy
![Page 29: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/29.jpg)
Use case for Cloud Monitor system
![Page 30: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/30.jpg)
Cloud administrator
• Manage Users• Manage Roles• Create Data Center• Manage VMs• Create Cloud Security Policy
![Page 31: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/31.jpg)
Use case for cloud Administrator
![Page 32: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/32.jpg)
The FAU Private Cloud ARchitecture
• Class diagram for Infrastructure as a service is shown in the next slide.
![Page 33: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/33.jpg)
FAU private Cloud Architecture Class Diagram
![Page 34: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/34.jpg)
Implementation of IaaS layer for the FAU Private Cloud
![Page 35: An Approach to Secure Cloud Computing Architectures](https://reader036.vdocument.in/reader036/viewer/2022062408/568130ed550346895d970f5f/html5/thumbnails/35.jpg)
conclusion
• We only provide a secure architecture for Infrastructure as a Service in the FAU private Cloud Example.
• The design was based on security requirement for the respective layer
• Future presentation will address PaaS and SaaS Secure architecture