
An Approach to Secure Cloud Computing Architectures



  1. An Approach to Secure Cloud Computing Architectures
  By Y. Serge Joseph, FAU Security Group, February 24th, 2011

  2. Motivation
  • A secure Cloud Computing architecture model requires a security layer at each design level.
  • We are talking from a provider point of view.
  • Cloud Computing is a broad subject.
  • We will only focus on the architecture of the Infrastructure as a Service layer.

  3. Cloud Computing Deployment Models
  • A private Cloud is concerned with the internal needs of an organization.
  • A public Cloud sells services to the general public.
  • A hybrid Cloud pools resources from different Clouds; it is a combination of public and private Cloud.
  • A community Cloud is a joint effort between different organizations to share resources.

  4. How does a provider choose a deployment model?
  Deployment models are driven by:
  • Organization needs
  • Prospective customers' requirements
  • Cloud security concerns
  • Our design approach is based on the Cloud case study example we present in the next slide.

  5. Example: Design a Cloud Computing environment for FAU with the following requirements
  • On-demand secure software development and testing environment for researchers/programmers, for example .NET, Java, C++ and database development environments
  • Provide a secure research laboratory as a service
  • Pool idle cloud resources to run simulations; guarantee a minimum amount of computation at peak time
  • Offload computing to a public Cloud such as Amazon EC2

  6. What deployment model fits the above FAU Cloud?
  • Choose a private Cloud solution with an Amazon EC2 compatible API.
  Let us take a closer look at the requirements:
  -- Provision of simulations for research purposes belongs to the SaaS layer
  -- The secure development and test environment fits in the PaaS layer
  -- On-demand secure research laboratory provision requires an IaaS layer

  7. Security Requirements for the FAU Cloud
  • We need to address security at each level of the design:
  -- IaaS layer security requirements (this presentation)
  -- PaaS layer security requirements (future presentation)
  -- SaaS layer security requirements (future presentation)

  8. Note
  • We will cover security at the PaaS and SaaS layers in two future presentations, respectively.
  • At this point there is no section reserved for SaaS and PaaS.

  9. FAU Cloud IaaS Security Requirements
  • Availability: high-throughput network bandwidth
  • Physical data center temperature
  • Restricted physical access to the data center
  • Redundant power source in case of power failure

  10. FAU Cloud IaaS Security Requirements (continued)
  • Hardware maintenance agreement
  • Virtual data center policy
  • Compliance with electrical and data wiring standards
  • Cloud server configuration backup and recovery policy
  • Fire prevention policy
  • Administrator policy

  11. IaaS Security Requirements
  • Secure protocol policy
  • Intrusion Detection System
  • Firewall
  • Antivirus
  • Anti-malware

  12. FAU Private Cloud Server Security Policy
  • All servers must have the following packages:
  -- Intrusion Detection System (IDS)
  -- Firewall
  -- Antivirus
  -- Anti-malware
  -- Secure protocols such as ssh, sftp, scp

  13. FAU Secure Private Cloud Architecture
  We choose an Open Source solution: Eucalyptus Cloud
  -- Complement it with a third-party power management subsystem and
  -- a Cloud Monitor Controller
  The following components will be described in the next few slides:
  • Node Controller
  • Storage Controller
  • Cloud Controller
  • Cluster Controller
  • Walrus Storage
  • Power Management Controller
  • Cloud Monitor System

  14. Figure 1 shows a rough draft of the Eucalyptus model (Courtesy of http://csrdu.org/blog/2010/10/23/introduction-to-private-cloud-computing-with-ubuntu-enterprise-cloud/)

  15. Node Controller
  • Runs as a server
  • Controls virtual machine instances
  • Discovers hypervisor resources
  • Interfaces with the Cluster Controller and the hypervisors
  • Provisions resources to the VMs
  • Propagates data to the Cloud Controller
  Security measure:
  -- Apply the server security policy as described above

  16. Use case for Node Controller

  17. Storage Controller
  • Similar to Amazon Elastic Block Store services
  • Ability to create snapshots
  • Creates and manages persistent block storage devices
  Security measure:
  -- Apply the server security policy as described above

  18. Use case for Storage Controller

  19. Cloud Controller
  • Monitors the overall cloud infrastructure
  • Monitors the Node Controllers' hypervisor resources
  • Interfaces with the Cloud administrator
  • Provides resource arbitration
  • Monitors virtual machine migrations
  • Runs on top of a server OS

  20. Cloud Controller (continued)
  Security measure:
  -- Apply the server security policy as described above

  21. Use case for Cloud Controller

  22. Cluster Controller
  • Processes Cloud Controller requests to deploy instances
  • Selects an available hypervisor to deploy virtual machines
  • Audits hypervisors and reports to the Cloud Controller
  Security measure:
  -- Apply the server security policy as described above

  23. Use case for Cluster Controller

  24. Walrus Storage Services
  • Compatible with Amazon S3
  • Capacity to store virtual machine images
  • Stores snapshots
  • Uses the S3 API to store files
  • Can coexist on the Cloud Controller server
  • Security measure:
  -- Apply the server security policy as described above

  25. Use case for Walrus services

  26. Power Management Controller
  • Monitors the power grid for failure
  • Fails over to the backup power subsystem
  • Auto-detects the return of grid power to go back to the normal state
  • Security measures:
  -- Use a secure channel to shut down systems
  -- Allow trusted hosts by IP address and MAC address
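As an added example of the trusted-host rule on this slide (not code from the presentation or from Eucalyptus), the check below accepts a shutdown command only when it arrived over the secure channel and the source matches an allow-list on both IP and MAC address. The host roles, addresses and request fields are assumptions, and the allow-list and requests are constructed sample data.

```python
"""Trusted-host check for the Power Management Controller (slide 26).

Added example, not part of the presentation or of Eucalyptus. Assumes the
controller receives shutdown requests over an already authenticated secure
channel (e.g. SSH) and learns the peer's IP and, when the peer is on the
same L2 segment, its MAC from the ARP/neighbour table. Sample data is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed allow-list: a trusted host must match on BOTH IP and MAC.
TRUSTED_HOSTS = {
    ipaddress.ip_address("10.10.0.5"): "00:1a:2b:3c:4d:5e",  # power-mgmt admin station
    ipaddress.ip_address("10.10.0.6"): "00:1a:2b:3c:4d:5f",  # standby admin station
}

@dataclass(frozen=True)
class ShutdownRequest:
    src_ip: str
    src_mac: Optional[str]   # None when the peer is routed (no L2 adjacency)
    secure_channel: bool     # True only if the transport authenticated the peer
    command: str

def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so 00-1A-2B-... compares equal."""
    return mac.replace("-", ":").lower()

def authorize_shutdown(req: ShutdownRequest) -> Tuple[bool, str]:
    """Deny by default; return (allowed, reason) so every decision can be logged."""
    if not req.secure_channel:
        return False, "rejected: request did not arrive over the secure channel"
    if req.command not in {"shutdown", "poweroff"}:
        return False, "rejected: unsupported command %r" % req.command
    try:
        ip = ipaddress.ip_address(req.src_ip)
    except ValueError:
        return False, "rejected: malformed source address %r" % req.src_ip
    expected_mac = TRUSTED_HOSTS.get(ip)
    if expected_mac is None:
        return False, "rejected: %s is not a trusted host" % ip
    # A routed peer has no usable MAC: fail closed rather than skip the check.
    if req.src_mac is None or normalize_mac(req.src_mac) != expected_mac:
        return False, "rejected: MAC mismatch for %s" % ip
    return True, "accepted: %s from trusted host %s" % (req.command, ip)
```

MAC addresses are visible only on the local segment and can be forged, so the MAC match complements the authenticated channel rather than replacing it.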

  27. Use case for Power Management

  28. Cloud Monitor System
  • Monitors room temperature
  • Monitors the performance of the Cloud, Cluster, Storage and hypervisor controllers
  • Alerts the system administrator on any abnormality
  • Security measures:
  -- Restrict access to administrators
  -- Patch daily as needed
  -- Apply the organization's security policy

  29. Use case for Cloud Monitor System

  30. Cloud Administrator
  • Manages users
  • Manages roles
  • Creates data centers
  • Manages VMs
  • Creates the Cloud security policy

  31. Use case for Cloud Administrator

  32. The FAU Private Cloud Architecture
  • The class diagram for Infrastructure as a Service is shown in the next slide.

  33. FAU private Cloud Architecture Class Diagram

  34. Implementation of IaaS layer for the FAU Private Cloud

  35. Conclusion
  • We only provide a secure architecture for Infrastructure as a Service in the FAU private Cloud example.
  • The design was based on the security requirements for the respective layer.
  • Future presentations will address PaaS and SaaS secure architectures.
