2025-03-26 Update From: SLTechnology News&Howtos (Servers)
Shulou (Shulou.com) 06/02 Report
Introduction: as a new model, the private cloud has brought great changes to enterprise IT and is one of the development trends of the industry. It provides unified services to business units, covering not only computing, storage and network resources but also security resources such as identity authentication, virus detection and behavior auditing.
In an enterprise private cloud, the security requirements of different business systems vary greatly. Within a single "cloud", how can different security policies be provided for different business systems, how and where should those policies be deployed, and how can these differing needs be met?
This article discusses four security challenges facing private clouds and specific practices for each.
1. Management of virtual cloud desktops in a cloud environment
Virtualized Desktop Terminal Security
The cloud desktop unifies desktops and shares resources through virtualization technology, and lets employees access cross-platform desktop systems at any time and from anywhere through thin clients, which removes the disadvantages of the traditional desktop management model. Moreover, by planning the IP addresses of all cloud desktop users as a whole, setting policies on firewalls and switches, establishing access control lists, and restricting Internet access from that network segment, cloud desktop users can conveniently be isolated from the Internet.
As virtualization technology develops, the security of virtualized desktop terminals is becoming an increasingly prominent problem.
Terminal security for virtualized desktops faces two main types of problems:
the continuation of traditional terminal security problems, and the new problems of the virtualized environment, including threats to the virtualization layer itself, threats caused by borderless access, protection gaps between virtual machines, and resource contention caused by security protection agents.
System risks of the cloud desktop
Viewed as a system, the cloud desktop carries security risks in every component: the client, the transmission network, the server and the storage. Ignoring any one of them leaves a security hole in the whole system.
Client: in a virtual cloud desktop environment, any intelligent terminal can reach the cloud desktop as long as it holds access rights. If a simple username and password are the only authentication, then their disclosure means someone else can open your desktop from anywhere and obtain its data. A stricter terminal authentication mechanism is therefore required. At present the better solution is Ukey (USB token) access authentication. As the secure access authentication for the cloud platform, it not only improves platform security but also makes full use of the high reliability of the Ukey to protect cloud computing resources and prevent illegal operations by unauthorized users. For remote users, a secure communication service can be provided by combining Ukey authentication with SSL VPN technology. It is also worthwhile to use MAC addresses to limit the range of clients allowed to access the cloud; although some flexibility is sacrificed (and MAC addresses can be spoofed, so this is a controllability measure rather than strong authentication), this approach greatly improves the controllability of clients.
Transmission network: most enterprises provide secure connection points for remote access devices that connect from beyond the firewall, but not all intelligent terminals support the corresponding VPN technology. Devices such as smartphones can generally adopt customized solutions from professional security vendors. Communication between terminals inside the enterprise and the cloud can be encrypted with the SSL VPN protocol to secure the overall transmission path.
Server side: in the overall architecture of a virtual desktop solution, the back-end server tier is usually scaled out horizontally. The advantages are that high availability is improved through redundancy, and that computing power can be added gradually as the number of users grows. Under high concurrency, a load balancer at the front of the system forwards each user's connection request to a server that still has spare computing capacity. However, this architecture is vulnerable to distributed denial-of-service attacks, so security control components should be configured on the front-end load balancer, or a security gateway should be placed behind the firewall to perform identity authentication and authorization.
Storage side: once a virtual desktop scheme is adopted, all information is stored in the back-end disk array. To meet file system access needs, NAS-based storage is generally used. The advantage is that the enterprise only needs to protect the back-end disk array from leakage, which greatly reduces the probability of active information disclosure from the front-end client. However, this centralized storage carries hidden dangers: for example, a system administrator, or an illegal user who has obtained administrator privileges, can use superuser rights to open every user directory and read the data. Generally, professional encryption equipment is used for encrypted storage, and the encryption algorithm can be specified by the front-end user. At the same time, separation of duties should be applied to data management, that is, the system administrator, the external data auditor and the data owner must all confirm before information may be sent out. In this way active anti-disclosure is achieved. In addition, all operations must be audited to ensure traceability.
2. How to carry out dynamic security protection at the network layer
The large-scale operation of cloud computing challenges the traditional network architecture and the way applications are deployed. Both technological innovation and architectural change need to serve the core requirements of cloud computing, that is, to be dynamic, elastic and flexible, and to keep network deployment simple.
Challenges faced by traditional networks
The traditional network faces four main challenges:
1. Server utilization has risen from 20% to 80%, and traffic on server ports has grown significantly, which puts great pressure on the data center's network capacity and demands higher network reliability.
2. Multiple applications are deployed and run on the same physical server, so their network traffic is superimposed on that server and the traffic model becomes harder to control.
3. Server virtualization inevitably brings virtual machine migration, which requires an efficient network environment to support it.
4. The deployment and migration of virtual machines make security policy deployment complex and unwieldy; a dynamic mechanism is needed to protect the data center.
The private cloud addresses these problems from two directions.
In the enterprise private cloud, with multiple businesses and tenants consolidated into one resource pool, security isolation between businesses and between tenants has become a problem that must be solved when building the cloud platform.
1. East-west security
Compared with the traditional network architecture, the traffic model of the private cloud data center shifts from predominantly north-south to predominantly east-west traffic. On the one hand, the maintainability of the isolation scheme must be considered for multi-business and multi-tenant isolation; on the other hand, the horizontal scalability of network capacity must be considered. At present, most resource pools still rely on physical firewalls for both east-west and north-south isolation, but the physical firewall is a structural bottleneck in a flattened data center network and limits its horizontal expansion. Here we can consider a distributed virtual firewall to isolate horizontal traffic between businesses and between tenants: north-south isolation is implemented by an NFV firewall, and customized policies are pushed automatically to the DFW (distributed virtual firewall) through the SDN controller to isolate businesses and tenants from one another. The performance of the distributed virtual firewall is our main concern at present; as traffic grows, we will consider an architecture that combines virtual and physical firewalls as the situation requires.
2. North-south security
NFV (Network Function Virtualization) decouples software from hardware and abstracts functions, so that network functions no longer depend on dedicated hardware, resources can be shared fully and flexibly, new services can be developed and deployed rapidly, and automatic deployment, elastic scaling, fault isolation and self-healing are driven by actual business requirements. Commonly used NFV components are vFW, vLB, vSwitch and so on. The following briefly introduces the deployment and application of NFV on the IT cloud platform, taking vFW and vLB as examples.
Using a vFW (virtual firewall) for north-south security protection
North-south traffic is mainly business traffic between clients and servers, and it has to enter and leave the resource pool. The security isolation boundary is at the exit of the resource pool, where a physical firewall or an NFV firewall cluster can be deployed to isolate the whole resource pool from the external network.
Using a vLB (virtual load balancer) to activate business load on demand
By deploying virtual load balancers we can provide load balancing services to multiple tenants. The virtual load balancer currently supports all kinds of TCP applications such as FTP, HTTP and HTTPS, and supports a rich set of load distribution algorithms and session persistence methods.
As business volume grows, a separate set of virtual load balancing devices can be deployed for each business or tenant to improve the manageability and scalability of load balancing.
3. How the private cloud ensures security at each layer
Security looks different from different angles. From the perspective of private cloud security planning, there are four levels to pay attention to:
Boundary protection: the bottom line of private cloud security.
Basic protection: a stage that runs in step with the construction of the private cloud, in which a cloud security management system must be built.
Enhanced protection: as cloud security technology matures, cloud security services, encryption and authentication and so on need to be strengthened and improved.
Cloud protection: for more complex cloud computing models such as SaaS, new technologies such as cloud access security brokers (CASB) need to be introduced so that protection is integrated with the business.
For each level of protection, the directions and means to consider are:
Boundary protection: build a "flow network layer" based on SDN technology, improve the granularity and strength of east-west isolation, and strengthen monitoring of cloud traffic. Basic protection: build a cloud security management system and extend the application of security hardening technologies to the underlying platform of the private cloud, in particular using security controls to fix the behavior of the underlying layer. Enhanced protection: services such as encryption and authentication, security scanning (regular scanning of all CVMs, that is, cloud virtual machines, to detect vulnerabilities in time), and DDoS protection with automatic defense against SYN flood, UDP flood and other common attacks, to keep user business running normally. Cloud protection: introduce cloud access security broker mechanisms for business operations and business data, together with newer cloud security technologies such as Aliyun's (Alibaba Cloud's) situational awareness, so that protection is combined with the business.
4. Storage security of the private cloud
The following focuses on storage security, which mainly involves four points:
Resource isolation and access control
In the private cloud environment, applications do not need to care about the actual storage location of their data; they simply write to virtual volumes or virtual disks, and the virtualization management software distributes the data across different physical media. As a result, resources with different security requirements may reside on the same physical storage medium, and applications or hosts with low security requirements may exceed their authority and access sensitive resources or high-security applications or hosts. To avoid this, the virtualization management software should use a variety of access control mechanisms to isolate and control storage resources, so that only authorized hosts and applications can access authorized resources, and unauthorized hosts and applications can neither access other storage resources nor even see that they exist.
Data encryption protection
Among all security technologies, encryption is the most common and basic protective measure, and in the private cloud it remains the last line of defense for data. Encryption applies both in transit and at rest. Encryption in transit protects the integrity, confidentiality and availability of data and prevents it from being illegally intercepted, tampered with or lost. Enterprises should adopt different transport encryption methods according to the characteristics of the different virtualized objects. For example, on an IP SAN we can use IPsec encryption or SSL encryption to prevent eavesdropping and ensure confidentiality, and use IPsec's digest (integrity) and anti-replay functions to prevent tampering and ensure integrity.
Encryption of stored data not only provides confidentiality, integrity and availability but also protects the data itself when the storage medium is lost or falls outside the organization's control. Protection of data at rest is generally done on the host side: the application system encrypts the data first and then sends it to the storage network.
However, because different applications use a variety of encryption algorithms of inconsistent strength, this is not conducive to uniform protection of stored data. To solve this problem, the IEEE Security in Storage Working Group proposed the P1619 family of standards (IEEE 1619 specifies XTS-AES for sector-level encryption), which establishes a common standard for encrypting data on storage media and gives storage devices from different vendors good compatibility.
Another approach to protecting stored data is to place a hardware encryption device in line before the storage device: it encrypts all data flowing into the storage network and hands ciphertext to the storage device, and decrypts all data flowing out of the storage device and hands plaintext to the server. This is similar to the P1619 solution above, except that the encryption is performed by an external device rather than integrated into the storage network. The solution is independent of the upper-layer applications and of the storage itself, but when data volumes are large the demands on the encryption and decryption throughput of the hardware device are high.
The third approach relies on the encryption function of the storage device itself, for example tape-drive-based encryption, where data is protected by encrypting it on the tape machine; the Trusted Computing Group (TCG) has also proposed a self-encrypting drive standard for hard disks, which places the encryption unit inside the drive to protect the data.
A self-encrypting drive provides the user with an authentication key; the encryption key is protected by the authentication key, and the disk data is protected by the encryption key. The authentication key is the only credential with which the user can access the drive. Only after authentication succeeds is the drive unlocked, the encryption key decrypted, and finally the disk data accessible.
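The key hierarchy just described (authentication key protects the media encryption key, which protects the sectors), as an added example that is not part of the original article or of any TCG specification. It is a toy: HMAC-SHA256 in counter mode stands in for the drive's AES, and the dictionary stands in for the drive's key store; the point is that the media encryption key never leaves the drive in the clear and that changing the credential re-wraps the key without re-encrypting the data.

```python
import hashlib
import hmac
import os

# Toy stand-in for the drive's cipher: HMAC-SHA256 used as a PRF in counter mode.
# A real self-encrypting drive uses AES (XTS for sectors); the key hierarchy is the point.
def _keystream(key: bytes, label: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def derive_auth_key(passphrase: str, salt: bytes) -> bytes:
    """Authentication key (AK): derived from the user's credential, never stored on the drive."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

def provision(passphrase: str) -> dict:
    """Initial setup: a random media encryption key (MEK) is generated inside the drive,
    wrapped under the AK, and only the wrapped form (plus salt and tag) is persisted."""
    salt = os.urandom(16)
    mek = os.urandom(32)
    ak = derive_auth_key(passphrase, salt)
    wrapped = _xor(mek, _keystream(ak, b"wrap", 32))
    tag = hmac.new(ak, wrapped, hashlib.sha256).digest()  # detects a wrong AK before use
    return {"salt": salt, "wrapped_mek": wrapped, "tag": tag}

def unlock(drive: dict, passphrase: str):
    """Return the MEK if the credential is right, otherwise None (drive stays locked)."""
    ak = derive_auth_key(passphrase, drive["salt"])
    expected = hmac.new(ak, drive["wrapped_mek"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, drive["tag"]):
        return None
    return _xor(drive["wrapped_mek"], _keystream(ak, b"wrap", 32))

def change_passphrase(drive: dict, old: str, new: str) -> bool:
    """Re-wrap the same MEK under a new AK; the stored user data is untouched."""
    mek = unlock(drive, old)
    if mek is None:
        return False
    salt = os.urandom(16)
    ak = derive_auth_key(new, salt)
    wrapped = _xor(mek, _keystream(ak, b"wrap", 32))
    tag = hmac.new(ak, wrapped, hashlib.sha256).digest()
    drive.update(salt=salt, wrapped_mek=wrapped, tag=tag)
    return True

def encrypt_sector(mek: bytes, sector_no: int, data: bytes) -> bytes:
    """Sector data is protected by the MEK only; the sector number tweaks the keystream."""
    return _xor(data, _keystream(mek, b"sector" + sector_no.to_bytes(8, "big"), len(data)))

decrypt_sector = encrypt_sector  # XOR with the same keystream is its own inverse
```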
Storage-based distributed detection system
A storage-based detection system is embedded in the storage system itself, for example in a SAN fiber switch, a disk array controller or an HBA card, where it can capture, count and analyze every read and write operation against the storage device and raise alarms on suspicious behavior. Because it runs on the storage system with its own hardware and operating system, independent of the host, it can continue to protect the information on the storage media even after the host has been compromised. In a storage virtualization network, the enterprise should deploy the storage-based detection system on the critical path, establish a unified management center for the whole network, manage detection policies centrally, update the signature database in real time, and respond promptly to alarm events.
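A minimal version of the analysis such a detection system would run at the array controller, serving both the masking requirement above (unauthorized hosts must not access or even see other LUNs) and the "alarm on suspicious behavior" requirement. This is an added example, not code from the article or from any storage vendor; the masking table, the I/O record format and the log lines are constructed, and the 16 MiB bulk-read threshold is an assumed tuning value.

```python
from collections import defaultdict

# Constructed masking table: which LUNs each host is allowed to see and use.
MASKING = {
    "host-a": {"lun-1"},
    "host-b": {"lun-2"},
    "host-c": {"lun-3"},
}

# Constructed I/O records in the form "<timestamp> <host> <lun> <op> <bytes>",
# as a controller-embedded detector would capture them.
SAMPLE_IO = """\
1001 host-a lun-1 READ 4096
1002 host-a lun-1 WRITE 4096
1003 host-b lun-2 READ 4096
1004 host-b lun-1 READ 4096
1005 host-b lun-9 INQUIRY 0
1006 host-c lun-3 READ 8388608
1007 host-c lun-3 READ 8388608
1008 host-c lun-3 READ 8388608
""".splitlines()

def parse_record(line: str) -> dict:
    ts, host, lun, op, size = line.split()
    return {"ts": int(ts), "host": host, "lun": lun, "op": op, "bytes": int(size)}

def analyze(lines, masking, bulk_read_threshold: int = 16 * 1024 * 1024) -> list:
    """Return alerts for (a) any operation, discovery included, on a LUN not masked to
    the host and (b) a host whose cumulative reads of one LUN cross the threshold."""
    alerts = []
    read_totals = defaultdict(int)
    for line in lines:
        rec = parse_record(line)
        allowed = masking.get(rec["host"], set())
        if rec["lun"] not in allowed:
            # Masking violation: the host should not even learn that this LUN exists.
            alerts.append({"kind": "masking_violation", "ts": rec["ts"],
                           "host": rec["host"], "lun": rec["lun"], "op": rec["op"]})
            continue
        if rec["op"] == "READ":
            key = (rec["host"], rec["lun"])
            before = read_totals[key]
            read_totals[key] += rec["bytes"]
            # Fire once, at the record that crosses the threshold.
            if before < bulk_read_threshold <= read_totals[key]:
                alerts.append({"kind": "bulk_read", "ts": rec["ts"], "host": rec["host"],
                               "lun": rec["lun"], "bytes": read_totals[key]})
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_IO, MASKING):
        print(alert)
```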
Data deletion or destruction
Complete deletion of data is also an issue that must be considered. Because data is physically spread across multiple heterogeneous storage systems, applications do not know where their data actually resides, and an ordinary file deletion does not really remove the file; it only removes the file's index entry.
Therefore, once storage virtualization is applied, the virtualization management software should place files with the same security requirements on the same disk or set of disks within the same physical storage; when such files are deleted, every location the files occupied on those disks must be physically overwritten at the same time so that the sensitive information is completely removed. Where the security and confidentiality requirements are high, degaussing should also be used for thorough destruction.
5. Conclusion
Security remains the biggest obstacle to full deployment of cloud platforms by enterprises. In-depth research is still needed on how to control access rights effectively and design the overall security management mechanism, how to classify data further, how to operate and monitor security in real time, and how to control the risks posed by external threats more effectively, so as to improve the security of the cloud computing platform and provide stronger guarantees for the wide application of cloud computing in enterprises.