170 likes | 188 Views
This use case explores how a mobile network operator (MNO) can deploy a secure cloud server application to provide access to a real cloud for clients, such as IMS applications. The server proxies all requests, allowing multiple services and white-label clouds to be supported. However, there are issues related to handling a large number of transactions, potential attacks or spoofing, and difficulty in issuing warrants for devices in different regulatory domains.
E N D
3GPP/SA3-LI#43 Tdoc SA3LI11_115 San Fanscico, 15 Nov– 18 Nov 2011 MNO Cloud Use Case 2 Source: Rogers Wireless Contact: Ed O’Leary (ed.oleary@rci.rogers.com), George Babut (gbabut@rci.rogers.com)
Introduction • This document provides additional use cases and provides a brief description of the first Cloud Use Case as reference
List of Potential Cloud Use Cases relevant to LI Work • Use Case 1: Filing Sharing Service with single MNO • Use Case 2: MNO uses a Cloud server • Use Case 2a: MNO uses a Cloud server that provides redirection • Use Case 3: The MNO hosts a cloud in its network • Use Case 4: SMB or Enterprise use multiple MNO networks • Use Case 5: Same as Use Case 4, but each MNO has a Cloud Server that proxies (extension of Use Case 2) • Use Case 6: Same as use case 6, however MNO cloud server provides redirection (extension of Use Case 2a) to the 3rd party cloud App server • Use Case 7: SMB or Enterprise use multiple MNO with their own Clouds (extension of Use Case 4) • Use Case 8: Enterprise extension to the cloud • Use Case 9; Local Break out
Use case 2 • MNO uses a Cloud server • MNO deploys a Cloud server Application that provides access to the real cloud • Client application • Could be an IMS application • Real cloud is as in Use one, third party, that may be anywhere or relocated anywhere in the regulatory domains • MNO internal DNS resolves URI request to the MNO cloud server application • the external DNS resolves the URI requests for the Cloud server to an MNO Cloud Server • This server proxies all request to the cloud location, hiding and recording all transactions • Allows multiple services and white label clouds to be supported
Use case 2 issues • It may be required to handle lots of transactions • N number of hosted cloud services, • It may be Attacked or spoofed (more than so than the core network, as it contains IPR (SMB files)) • Not as efficient as other cases, scaling • Allows clients to act as a network share • Access to files only when requested • May be difficult to issue a warrant, as device may in a different regulatory domain (roaming) • It may or may not have access to the crypto keys for secure content • Captures all transactions • Registered Domains (administration)
Use case 2 issues • How would cloud server application be identified to LEA? • URI redirection may not provide enough information as to the type of service • Ie file share, or music, or email • Crypto keys on content • What applications would be used to authenticate users prior to redirection to real cloud • Ie users that masquerade as targets • What other information is required to authenticate user/ target • Nothing precludes target for providing an associate with proper credentials to access the cloud services • What other information is gathered • MNO side and Non MNO side • HTTP get/ or application API information (what is encrypted and what is not) • IP address • Mac_ID • …
Use case 2a • MNO uses a Cloud server • MNO deploys a Cloud server Application that provides access to the real cloud • Client application • Could be an IMS application • Real cloud is as in Use one, third party, that may be anywhere or relocated anywhere in the regulatory domains • the DNS resolves the URI requests for the Cloud server to an MNO Cloud Server • The cloud server Authenticates the user per service and provides a redirection to the real cloud and the resource requested • In general no content passed through the cloud Server • LEA will capture CII on the cloud server • It may be possible to augment the Cloud server to provide capture of content as in use case 2, if cloud server included LEA target capture
Use case 2a Issues Redirection • Note that some form of authorizations should be used on this, else the user with the redirected URI, can easily modify that URI to access other resources/ files on the server. Ie www.rogers.com/files/pdf/file.pdf • Many servers may allowing the user to access the file directory by modifing the URI to www.rogers.com/files/ • But access block www.rogers.com/files/pdf/ • So access to these other locations will not be captured by LEA • Who controls the file access (user, MNO, cloud app?) • Captures all file requests, but may not capture all content • Implementation may allow the 3rd party Cloud to send to the cloud server file contents (for LEA and other government enterprise requirements (archival purposes)) or deleted files • User access directly files from the Cloud • “off loads” delivery and access to cloud from the MNO cloud server • Concern over access locally on 3rd party server to logs, or by the 3rd party service provider to log, and or admin activities/ alarms of data sent to MNO cloud server.
Use case 2a Issues • Access to content • Implementation may not be standardize • LI correlation issues • Crypto keys • May all be on the real cloud
Use Case 1General • MNO offers a cloud service, File Sharing Service, see “Dropbox” as a real world example www.dropbox.com • The service can be white labelled by the MNO, such that the user does not know its from a third party • The third party can choose its own third party provider for the service hosting • The MNO may be a converged operator providing may access domains (3gpp, Non 3gpp, wireline, cable, Broadband) • There are various business models offering the service which provide different architectures and implementations MNO Cloud Use cases
Regulatory Domain • Each regulatory Domain may have some constraints on the service delivery • The File Sharing cloud infrastructure may be required to operate in the same domain as the LEA pending the delivery or lack of delivery of LI information
Use Case 1Description • In this case, a Small medium business (SMB) has opted to use File sharing Service for all its users. An MNO was selected that provides Broadband and Wireless connectivity and provides an integrated service across both domains of it users to access files, • Read write and delete privileges are controlled by an Admin determined by the SMB for each user. • This may or not be controlled by the MNO, but by preconfigured access rules to the Service. (ie initial setup) • The MNO may have an Admin facility to the Cloud Service for user support (ie user set up configuration, clean up, network size, debug and problem resolution)
Use Case 1 Description- cont - • The service may use encryption from the application on the users device and provide end to end encryption from the application to the server. • The files stored on the File Sharing Server may be encrypted (end to end security from user to user) • The MNO may provide the encryption services • The Cloud Service provider may provide the encryption service • The user may provide its own encryption service
Use Case 1 Description- cont - • In this use case a third party service is used and that party has hosted the service on another third party application server. • The Third party Service resides in a country not in the regulatory domain of the MNO nor LEA • The third party APP Server is also not in the same regulatory domain as the MNO • The service is setup that allows a user while not on the MNO network, to access the File sharing via another access domain ( ie Internet Cafe)