Cloud security: a review and summary of the scenarios

2010-09-25  Source: original to this site  Category: Tech  Views: 235

This article discusses version 3.0 of the "Cloud Computing Use Cases White Paper", issued by the Cloud Computing Use Cases discussion group: an information base created by more than 900 participants from the open web community. The group's original members were supporters of the Open Cloud Manifesto, but its ranks have grown rapidly and its current members come from all over the world. The community includes representatives of large and small companies, government agencies, consulting firms, vendors and users.

The group reached consensus on three principles:

  • Users come together.
  • Any action to keep cloud computing open must be customer-oriented.
  • Follow existing standards wherever possible.

Goals of the "Cloud Computing Use Cases White Paper" version 3.0

The goal of version 3.0 of the white paper is to highlight the capabilities and requirements that need to be standardized in a cloud environment to ensure interoperability, ease of integration and portability. It must be possible to implement every use case described in the paper without using closed, proprietary technologies. Cloud computing must evolve as an open environment that minimizes vendor lock-in and increases customer choice.

The white paper is very comprehensive, so we do not intend to cover all of it in one article. In this review we focus on the group's assessment of security issues and on the cloud scenarios, because security is one of the primary considerations for enterprise-class cloud computing.

General cloud security topics

The white paper covers the security issues that developers and architects should consider when migrating to the cloud. It stresses that, like other environments, the cloud as a whole is a good illustration of the need for a "consistent, transparent, standards-based security framework". This holds regardless of the deployment model.

If you think there is one major difference between security in the cloud and in other environments, what would it be? It is not a technical problem; it is the perceived loss of control over business-sensitive data and applications, because the cloud service provider controls the infrastructure. The discussion of the following topics addresses this problem:

  • Laws and regulations: although not a technical problem, they can determine which security requirements take priority over functional requirements.
  • Cloud providers should be able to offer a list of minimum security controls, so that you can judge whether their infrastructure is secure enough for you.
  • There is also a minimum list of security federation models (mechanisms) through which infrastructure providers deliver security via their controls.

Who made this possible?

Contributors to version 3.0 of the "Cloud Computing Use Cases White Paper" include Dustin Amrhein, Patrick Anderson, Andrew de Andrade, Joe Armstrong, Ezhil Arasan B, James Bartlett, Richard Bruklis, Ken Cameron, Reuven Cohen, Tim M. Crawford, Vikas Deolaliker, Andrew Easton, Rodrigo Flores, Gaston Fourcade, Thomas Freund, Valery Herrington, Babak Hosseinzadeh, Steve Hughes, William Jay Huie, Nguyen Quang Hung, Pam Isom, Sam Johnston, Ravi Kulkarni, Anil Kunjunny, Thomas Lukasik, Bob Marcus, Gary Mazzaferro, Craig McClanahan, Meredith Medley, Walt Melo, Andres Monroy-Hernandez, Dirk Nicol, Lisa Noon, Santosh Padhy, Greg Pfister, Thomas Plunkett, Ling Qian, Balu Ramachandran, Jason Reed, German Retana, Bhaskar Prasad Rimal, Dave Russell, Matt F. Rutkowski, Clark Sanford, Krishna Sankar, Alfonso Olias Sanz, Mark B. Sigler, Wil Sinclair, Erik Sliman, Patrick Stingley, Robert Syputa, Doug Tidwell, Kris Walker, Kurt Williams, John M Willis, Yutaka Sasaki, Michael Vesace, Eric Windisch, Pavan Yara and Fred Zappert.

Legal issues are not entirely technical and are relatively simple, so we start there. One indisputable fact is that many governments have strict data privacy laws, some of which can affect the physical and logical configuration of data. Similar policies also exist in the form of industry-specific directives for businesses and non-governmental organizations. These apply equally to applications running in the cloud. Compliance with these laws and regulations matters more than any other requirement. There is no way to circumvent these laws, regulations and policies (after all, data and application owners can simply decide not to let you use their data); they are non-technical considerations that may affect your choice of cloud technology.

Security controls

The white paper lists the following security controls (with the relevant existing standards) as required to fully protect a cloud environment.

Asset management. You must be able to manage all physical and virtual hardware, network and software assets, including access to those assets for audit and compliance purposes.

Cryptography: key and certificate management. For anyone familiar with the field this is a no-brainer: standards-based cryptographic functions and services are used to protect information both at rest and in transit. Standard: KMIP, the OASIS Key Management Interoperability Protocol.

Data/storage security. You should be able to store data in encrypted form. Notably, some users need their data to be stored separately from other users' data. Standard: IEEE P1619, the IEEE working group developing storage security standards.

Endpoint security. Users must be able to secure the endpoints of their cloud resources. This includes restrictions on network protocols and on the types of endpoint device allowed.

Event auditing and reporting. This seems too obvious to mention, but a key to achieving security is knowing what happened, particularly when assessing system failures, intrusions and direct attacks. Timeliness is critical here.

Identity, roles, access control and attributes. This is the aspect of cloud computing that federates strong identity authentication. If you cannot access all resources as if they were part of a single interoperable system, the cloud cannot exist. Likewise, if personal and service attributes are not defined in a "consistent, machine-readable way", cloud security cannot be effective. Standards: SAML, the OASIS Security Assertion Markup Language, and X.509 certificates, part of the ITU recommendation on public-key and attribute certificate frameworks.

Network security. You must be able to protect switches, routers and packet-level network transmission; the IP stack itself should be secured.

Security policy. To make access control and resource allocation effective, you must be able to define, resolve and enforce security policies in a unified, reliable way. Only such a unified, reliable approach allows security policy to be automated. Standard: XACML, the OASIS eXtensible Access Control Markup Language.

Service automation. You should have an automated means to manage and analyze security control flows and processes, for example reporting events that violate security policies or customer licensing agreements, to support security compliance audits.

Workload and service management. You should be able to configure, deploy and monitor services according to the defined security policies and customer licenses. Standard: SPML, the OASIS Service Provisioning Markup Language.

Security federation models

Federation is the basic concept that makes cloud computing possible. Federation is the ability of a number of independent resources (assets, identities, configurations and so on) to act as a single resource. The paper summarizes the following federation models to help vendors deliver the security controls in the required manner.

Trust. The capability for two organizations to define an authentication trust relationship. The organizations exchange authentication credentials (typically X.509 certificates) and then use those certificates to secure messages and to create signed security tokens (typically SAML). Federated trust is the foundation for all the other security federation models.

Identity management. The capability to accept a definition of user credentials (user name and password, certificate, etc.) and return a signed security token from the identity provider that identifies the user. A service provider that trusts the identity provider can use that token to grant the user the appropriate access rights, even when the service provider knows nothing about the user.

Access management. The capability to check security tokens against the access policies (usually written in XACML) that govern access to cloud resources. Access to cloud resources can be controlled by multiple factors.

Single sign-on and sign-off. The capability to perform federated sign-on based on credentials from trusted institutions. The single sign-on pattern is enabled by the identity management model.

Auditing and compliance. The collection of audit and compliance data distributed across multiple domains (including hybrid clouds). Federated auditing is necessary to ensure and document compliance with service level agreements and regulatory requirements.

Configuration management. Federated configuration data for services, applications and virtual machines.

Existing security best practices mean exactly what the name says: "security best practices". Where a best practice has become a standard, the authors recommend that designers and developers first turn to the existing standards to provide the mechanisms for the federation models.

Security use case scenarios

Version 3.0 of the white paper is designed to cover a range of application types, deployment models, role models and common scenarios, in order to realize the following formula:

Customer experience requirements for cloud computing + security = successful cloud applications

The white paper's use cases seek to:

  • Provide practical, customer-experience-based context to support the discussion of interoperability and standards.
  • Define where existing standards should be used.
  • Emphasize where standards still need to be created.
  • Show the importance of openness to the cloud computing business.

Each section starts from a general scenario and:

  • Describes the problem scenario using language taken directly from the white paper.
  • Discusses how a cloud solution solves the problem.
  • Lists the requirements, controls and federation models needed to realize the solution.

Sensitive data, private infrastructure overwhelmed

An insurance company has a claims application that collects data on policy holders, their property and their losses. A hurricane is expected to hit the U.S. Gulf Coast region and may cause significant property damage. This will lead to a sharp increase in claims, which in turn places a huge burden on the enterprise IT infrastructure.

The company decides to use virtual machines offered by a public cloud provider to handle the anticipated demand.

The company must control access between its enterprise systems and the virtual machines hosted by the cloud provider, allowing access only to the company's authorized agents.

The company must securely transfer any data from applications inside the corporate firewall to the instances created in the cloud.

When the virtual machines are shut down, the cloud provider must ensure that no trace of the applications or data remains.

Customer problem solved: the public cloud environment allows the company to handle up to an order of magnitude more workload than before. Offloading a one-time event is far cheaper than the capital cost of purchasing physical assets to handle the load over the long term.

Requirements and controls:

  • Requirement: access to the application is limited to specific roles.
    Security controls: identity, roles, access control and attributes; asset management; and network security.
  • Requirement: shutting down a virtual machine must remove all traces of applications or data.
    Security control: workload and service management.

Federation models: trust, access management, configuration management.

Limited resources, need for a new application

An online retailer needs to develop a new Web 2.0 storefront application, but does not want to add to the burden on its IT staff and existing resources.

The company chooses a cloud provider that offers a cloud-based development environment through hosted development tools and source code repositories. It also chooses a second cloud provider for the test environment, so that the new application can be exercised against many different machines and a wide range of workload types.

Choosing two providers to handle cloud-based development and testing means that federation becomes crucial.

Customer problem solved: from the development point of view, cloud-hosted development tools mean that staff do not need to install, configure and manage tools on each developer's machine. If a large product needs to be built, the cloud infrastructure scales up to meet the expanding demand. If a new version of a file in the cloud needs testing, the test environment has the latest version.

From the testing point of view, testing the more interactive Web 2.0 interface (rather than static Web pages) better determines the application's flexibility in a real environment (its ability to scale and adapt to higher loads and larger virtual machine images).

Requirements and controls:

  • Requirement: development tools are installed and maintained in a central location.
    Security control: asset management.
  • Requirement: shutting down a virtual machine must remove all traces of applications or data.
    Security control: workload and service management.
  • Requirement: single sign-on to both the development and the test cloud.
    Security controls: encryption; endpoint security; identity, roles, access control and attributes; and network security.
  • Requirement: controlled access to source code and test programs.
    Security controls: asset management, and identity, roles, access control and attributes.
  • Requirement: builds and tests should automatically start and shut down virtual machines.
    Security control: service automation.
  • Requirement: build and test virtual machines report usage and performance statistics.
    Security control: event auditing and reporting.

Federation models: trust, identity management, access management, single sign-on, audit and compliance, configuration management.

Storing and accessing confidential business data

A financial investment company is introducing new investment products to its agents and affiliates. It has produced many videos to teach company agents and branch offices about the benefits and features of the new products. These videos are huge and must be available immediately on demand, so storing them in the cloud reduces the burden on the company's infrastructure.

However, access to these videos must be strictly controlled. For competitive reasons, only authenticated company agents may watch them. An even more stringent restriction is that regulations require the company to keep the product details, including the videos, confidential during the quiet period before the product goes to market.

The company decides to use a public cloud storage provider with extended security for hosting and video streaming.

The cloud solution must enforce security policies through auditable access control mechanisms that govern access to the videos.

Customer problem solved: with public cloud storage, the company does not have to expand its own data center resources to manage the vast amount of data. Because this case involves government regulation (a concern that reaches beyond the enterprise), the cloud service provider must be able to guarantee compliance or it will not be considered.

Requirements and controls:

  • Requirement: access to the videos is limited to specific roles.
    Security controls: identity, roles, access control and attributes; asset management; network security; and security policy.
  • Requirement: data stored in the cloud must be kept secure.
    Security controls: encryption and data/storage security.
  • Requirement: data stored in the cloud must be returnable to within the corporate firewall.
    Security controls: encryption, data/storage security, endpoint security and network security.

Federation models: trust, identity management, access management, audit and compliance.
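The trust, identity management, access management and auditing federation models described above, applied to this confidential video scenario, as an added example that is not part of the white paper or this article. It assumes a constructed shared secret in place of the X.509 certificate exchange, a compact JSON token in place of SAML, and a small hard-coded policy in place of XACML; the issuer names, user names, roles and quiet-period dates are all constructed.

```python
"""Federated access control for the confidential video store (added example).

The company's identity provider (IdP) issues a signed security token carrying
the user's role (identity management); the cloud storage provider trusts the
IdP's key (trust), verifies the token and evaluates an access policy that
admits only authenticated company agents and denies everyone during the
pre-market quiet period (access management); every decision is recorded
(auditing and compliance). All names, keys and policy values are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Trust model: keys the storage provider accepts, indexed by IdP name.
# A constructed shared secret stands in for an exchanged X.509 certificate.
TRUSTED_IDPS = {"idp.example-insurer.test": b"constructed-shared-secret"}

AUDIT_LOG = []  # auditing and compliance: every access decision is appended


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer, key, subject, role, ttl=300, now=None):
    """Identity management: the IdP returns a signed token identifying the user."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "sub": subject, "role": role, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return b64url_encode(payload) + "." + b64url_encode(sig)


def verify_token(token, now=None):
    """Return the claims if the token is from a trusted IdP, untampered and unexpired."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = b64url_decode(payload_b64)
        claims = json.loads(payload)
        key = TRUSTED_IDPS[claims["iss"]]  # unknown issuer -> KeyError -> reject
    except (ValueError, KeyError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None  # signature does not match: token was forged or altered
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


@dataclass
class Video:
    name: str
    quiet_period_ends: float  # epoch seconds; details are confidential before this


def decide(video, token, now=None):
    """Access management: evaluate the constructed policy and record the outcome."""
    now = time.time() if now is None else now
    claims = verify_token(token, now)
    if claims is None:
        decision = "DENY: untrusted or invalid token"
    elif now < video.quiet_period_ends:
        decision = "DENY: quiet period"        # regulatory rule beats any role
    elif claims.get("role") != "agent":
        decision = "DENY: role not permitted"  # only company agents may watch
    else:
        decision = "PERMIT"
    AUDIT_LOG.append({"ts": now, "sub": claims.get("sub") if claims else None,
                      "video": video.name, "decision": decision})
    return decision
```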

Cross-reference of security controls, federation models and scenarios

The following tables summarize the relationships between the security controls, the federation models and the scenarios. Table 1 summarizes the relationship between the security controls and the customer scenarios; Table 2 summarizes the relationship between the federation models and the scenarios.

Table 1. Security controls and scenarios

Security control                                 High load   Dev & Test   Secure storage
Asset management                                     +           +              +
Encryption                                                       +              +
Data/storage security                                                           +
Endpoint security                                                +              +
Event auditing and reporting                                     +
Identity, roles, access control and attributes       +           +              +
Network security                                     +                          +
Security policy                                                                 +
Service automation                                               +
Workload and service management                      +           +

Table 2. Federation models and scenarios

Federation model              High load   Dev & Test   Secure storage
Trust                             +           +              +
Identity management                           +              +
Access management                 +           +              +
Single sign-on                                +
Audit and compliance                          +              +
Configuration management          +           +


The authors of version 3.0 of the white paper point out that "as customers try to migrate their data and applications to the cloud, security is often the biggest concern."

The white paper's conclusions on cloud security are very clear:

  • Cloud computing introduces no new security problems beyond those that administrators, planners and developers already have to consider in general IT security.
  • The main difference between implementing and enforcing general IT security and cloud security is that using a public cloud always involves a third party. (An on-premises cloud is another matter.)
  • Meaningful transparency and appropriate disclosure from cloud providers are essential.
  • If an existing standard meets a security requirement, users must insist that cloud providers use it; if no such standard exists, the community should develop one.

This summary and review has given an overview of the benchmark scenarios and described the regulations and controls for cloud security. We recommend reading the original "Cloud Computing Use Cases White Paper", because in it the Cloud Computing Use Cases discussion group comprehensively analyzes what developers and planners should require from cloud providers in order to obtain a secure environment for their valuable data and applications.


Reference material


  • The original document, prepared by the Cloud Computing Use Cases group of experts. [ English | Traditional Chinese | Simplified Chinese ] The latest version of the white paper is provided in PDF format; other formats may also be available on the site.
  • The Open Cloud Manifesto is a statement of the principles for keeping cloud computing open.
  • KMIP, the OASIS Key Management Interoperability Protocol, is a single, comprehensive protocol for communication between cryptographic systems and a variety of new and legacy enterprise applications, including e-mail, databases and storage devices.
  • IEEE P1619 is a standards project for the encryption of stored data, but more generally refers to the IEEE P1619 Security in Storage Working Group (SISWG), a set of standards covering the protection of stored data and the management of the corresponding encryption keys.
  • SAML, the OASIS Security Assertion Markup Language, is an XML-based framework for communicating user authentication, entitlement and attribute information.
  • X.509, part of the ITU recommendation on public-key and attribute certificate frameworks, is an ITU-T standard for a Public Key Infrastructure (PKI) for single sign-on (SSO) and a Privilege Management Infrastructure (PMI). X.509 specifies standard formats for public key certificates, certificate revocation lists and attribute certificates, and a certification path validation algorithm.
  • XACML, the OASIS eXtensible Access Control Markup Language, is a core XML schema for expressing authorization and entitlement policies.
  • SPML, the OASIS Service Provisioning Markup Language, is an XML-based framework for exchanging user, resource and service provisioning information.