FusionCloud 6.3.1.1 Solution Description 04

System Security

Challenges

Cloud computing changes how computing resources are used and managed, and that change introduces new risks and threats.

Risks and threats for administrators are as follows:

  • The virtualization management layer becomes the new high-risk area.

    The cloud computing system serves a large number of users from shared hardware through virtualization. The hypervisor and its management layer therefore sit beneath every tenant's VMs, and a compromise there exposes all of them at once, which makes this layer the new high-risk area.

  • It is difficult to track and isolate malicious users.

    On-demand, self-service allocation of resources makes it much easier for malicious users to obtain capacity and launch attacks in the cloud computing system, and correspondingly harder to trace those users and contain them.

  • Open interfaces make the cloud computing system vulnerable to external attacks.

    Users access the cloud computing system through interfaces exposed to external networks, so those same interfaces are reachable by, and become the target of, attackers on those networks.

Risks and threats for end users are as follows:

  • Uncontrollable risks due to data stored on the cloud
    • Computing resources and data are controlled and managed by the cloud service provider, so a provider administrator may abuse privileged access to enter a user's system.
    • Data may not be completely cleared after a computing resource or storage space is released, so the next tenant to receive that resource may recover the previous tenant's data.
    • Data may be processed in ways that breach applicable laws and regulations.
  • Data leakage and attacks caused by multi-tenant resource sharing
    • User data may leak because of inadequate isolation between tenants.
    • A user may be attacked by other users sharing the same physical environment.
  • Security risks caused by open network interfaces

    In the cloud computing environment, users operate and manage computing resources over networks. The open network interfaces widen the attack surface.

Security Architecture

Huawei provides the FusionCloud solution to address the threats and challenges posed to the cloud computing system. The infrastructure layer of FusionCloud is based on the FusionSphere cloud operating system and its management system ManageOne. FusionSphere virtualizes physical resources into a virtual resource pool covering computing, storage, and network virtualization. ManageOne is the management system of the virtualization platform: it manages different heterogeneous virtualization platforms, provides operation and O&M for data centers, and presents resources and management GUIs in a unified manner.

  • Cloud infrastructure security refers to the security of the cloud operating system and hypervisor, including virtual resource isolation, data storage security, and network transmission security.
    • Data storage security

      User data isolation, data access control, residual information protection, and data backup are adopted to ensure the integrity and security of user data.

    • VM isolation

      Resources of VMs on the same physical server are isolated from one another, preventing data theft and malicious attacks and giving each VM an independent running environment. End users can access only the resources allocated to their own VMs, such as hardware and software resources and data.

    • Network transmission security

      Network plane isolation, firewalls, and transmission encryption are adopted to keep services running and secure.

    • O&M and operation management security

      Security measures covering accounts, passwords, user rights, logs, and transmission are applied to make daily O&M operations more secure.

      In addition, each management host is secured by fixing web application vulnerabilities, hardening the OS and database, and installing patches and antivirus software.

  • Cloud service security and security as a service (SECaaS)

    These provide tenants with the resources, functions, and performance required to perform specific security tasks. Tenants can configure, query, and monitor security on the resources under their control as required.
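The residual-information risk named above (data not cleared when storage is released, listed under both the end-user risks and "Data storage security") is easy to reproduce with a toy block allocator. The following is an added example and is not code from the FusionCloud document or from Huawei; the tenant names, block size and sample secret are constructed for illustration, and the pool models a free list that hands a released block straight to the next tenant unless a sanitize-on-release step overwrites and verifies it first.

```python
"""Added example, not from the FusionCloud document: a toy block allocator
showing the residual-information risk (data not cleared on release) and the
sanitize-on-release control that closes it. Tenant names, block size and the
secret below are constructed for illustration."""
from __future__ import annotations

BLOCK_SIZE = 4096


def block_is_clean(block: bytes) -> bool:
    """Verification step: a sanitized block must contain no non-zero byte."""
    return not any(block)


class BlockPool:
    """Fixed-size blocks handed out from a free list, as a thin storage
    backend would do for tenant volumes."""

    def __init__(self, n_blocks: int, sanitize_on_release: bool) -> None:
        self.store = [bytearray(BLOCK_SIZE) for _ in range(n_blocks)]
        self.free = list(range(n_blocks))
        self.owner: dict[int, str] = {}
        self.sanitize_on_release = sanitize_on_release

    def _check(self, tenant: str, idx: int) -> None:
        # Access control: a tenant may touch only blocks currently allocated to it.
        if self.owner.get(idx) != tenant:
            raise PermissionError(f"{tenant} does not own block {idx}")

    def allocate(self, tenant: str) -> int:
        idx = self.free.pop(0)  # oldest released block is reused first
        self.owner[idx] = tenant
        return idx

    def write(self, tenant: str, idx: int, data: bytes) -> None:
        self._check(tenant, idx)
        self.store[idx][: len(data)] = data

    def read(self, tenant: str, idx: int) -> bytes:
        self._check(tenant, idx)
        return bytes(self.store[idx])

    def release(self, tenant: str, idx: int) -> None:
        self._check(tenant, idx)
        if self.sanitize_on_release:
            # Overwrite before the block can be reallocated, then verify the
            # overwrite actually took effect rather than trusting it.
            self.store[idx][:] = bytes(BLOCK_SIZE)
            if not block_is_clean(self.store[idx]):
                raise RuntimeError("sanitization verification failed")
        del self.owner[idx]
        self.free.append(idx)


def residual_leak(sanitize_on_release: bool) -> bool:
    """Tenant A writes a secret and releases its block; tenant B then receives
    the same physical block. Returns True if B can recover A's data."""
    pool = BlockPool(n_blocks=1, sanitize_on_release=sanitize_on_release)
    secret = b"tenant-A: customer export, do not share"  # constructed sample
    blk = pool.allocate("tenant-A")
    pool.write("tenant-A", blk, secret)
    pool.release("tenant-A", blk)
    reused = pool.allocate("tenant-B")  # same block, now owned by tenant B
    return secret in pool.read("tenant-B", reused)


if __name__ == "__main__":
    print("leak without sanitize-on-release:", residual_leak(False))  # True
    print("leak with sanitize-on-release:   ", residual_leak(True))   # False
```

The access check in `_check` is the "data access control" part of the same list item: it stops tenant B from reading tenant A's block while A still owns it, but on its own it does nothing about what is left behind after release, which is why the overwrite-and-verify step in `release` is a separate control.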

Security Value

  • Comprehensive and unified security policies

    The centralized management of computing resources makes it easier to deploy border protection. Comprehensive security management measures, such as security policies, unified data management, security patch management, and incident management, can be applied to the computing resources. In addition, professional security expert teams can protect resources and data on behalf of users.

  • Low costs of security measures

    Because security measures are taken for all computing resources shared among many users, security costs paid by each user are low.

  • On-demand security protection services

    Based on fast and elastic resource allocation, security is offered to users as services. Users can use the services on demand. In addition, this approach improves computing resource utilization of the cloud computing system.

  • Enhanced protection capability

    In a data center, network traffic is classified into two types:

    • One is the traffic between external users of a data center and internal servers. Such traffic is called north-south or vertical traffic.
    • The other is the traffic exchanged between internal servers in the data center, which is also called east-west traffic or horizontal traffic. The east-west traffic includes traffic between VMs of the same subnet of the same tenant, traffic between different subnets of the same tenant, and traffic between different tenants.

    A traditional protection solution built on fixed physical boundaries inspects only north-south traffic. East-west traffic between VMs never crosses the boundary device, so such a solution cannot protect it. SDN-based or host-based controls that enforce policy at each VM rather than only at the perimeter can cover east-west traffic, improving the security protection capability of the entire data center.

  • Shared responsibility and varied duties

    The security responsibilities of applications deployed in the cloud data center are jointly borne by the platform and tenants. The platform ensures the security of the cloud service platform while tenants are responsible for the security of application systems that are deployed in the cloud data center.

    • The cloud platform is responsible for the security of physical infrastructure, cloud OSs, and cloud service products, and provides customers with technical measures to protect cloud applications and data.

      The security assurance of the cloud platform includes hardware, software, and network security, such as system and database patch management, vulnerability fixing, network access control, and disaster recovery. It also includes third-party supervision and audit organizations' evaluation of the compliance of the cloud platform. The technical measures provided for tenants include Identity and Access Management (IAM), basic services (built-in security functions), security services, security audit methods, and industry security solutions provided by third-party security vendors.

    • Tenants are responsible for building their own cloud application systems on the cloud infrastructure and services, and for protecting those systems by properly using the security functions of cloud products, security services, and third-party security products. For example, tenants can use IAM for user identity management, logs for operation audit, and Elastic Cloud Server (ECS) and Virtual Private Cloud (VPC) for VM management and security configuration to ensure O&M security. For managed services such as the cloud database (RDS), Big Data services, and microservices, customers do not need to handle instance maintenance, patch upgrades, or configuration hardening of OSs and databases; they only need to manage the accounts and authorization of these services and use the security functions those services provide.
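The "Enhanced protection capability" point above (a perimeter firewall cannot see east-west traffic, while SDN or host-based enforcement at each VM can) is demonstrated by the following added example. It is not code from the FusionCloud document or from Huawei: the data-center address range, the web and database VMs, the security-group rules and the sample flows are all constructed, and the two evaluation functions model a boundary firewall and per-VM rules respectively.

```python
"""Added example, not from the FusionCloud document: why a boundary firewall
misses east-west traffic and how per-VM rules enforced at each virtual port
(as SDN or host-based controls do) cover it. All addresses, VM roles and rules
are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DC_NET = ip_network("10.0.0.0/8")  # assumed data-center address space


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str      # source CIDR
    dport: int    # 0 matches any destination port
    action: str   # "allow" or "deny"


def direction(flow: Flow) -> str:
    """East-west if both endpoints are inside the data center, else north-south."""
    inside = ip_address(flow.src) in DC_NET and ip_address(flow.dst) in DC_NET
    return "east-west" if inside else "north-south"


def first_match(flow: Flow, rules: list[Rule]) -> str:
    """First-match rule evaluation with an implicit default deny."""
    for r in rules:
        if ip_address(flow.src) in ip_network(r.src) and r.dport in (0, flow.dport):
            return r.action
    return "deny"


def perimeter_decision(flow: Flow, edge_rules: list[Rule]) -> str:
    """A boundary firewall only sees packets that cross the data-center edge.
    East-west flows never reach it, so it has no chance to deny them."""
    if direction(flow) == "east-west":
        return "allow"
    return first_match(flow, edge_rules)


def vm_decision(flow: Flow, security_groups: dict[str, list[Rule]]) -> str:
    """Per-VM rules evaluated at the destination VM's port see every flow,
    whichever direction it travels."""
    return first_match(flow, security_groups.get(flow.dst, []))


# Constructed topology: a web VM reachable on 443 and a DB VM that should talk
# only to that web VM. 10.0.1.11 is a compromised VM in the same subnet.
EDGE_RULES = [Rule("0.0.0.0/0", 443, "allow")]
SECURITY_GROUPS = {
    "10.0.1.10": [Rule("0.0.0.0/0", 443, "allow")],
    "10.0.2.20": [Rule("10.0.1.10/32", 3306, "allow")],
}
SAMPLE_FLOWS = {
    "client_to_web": Flow("203.0.113.5", "10.0.1.10", 443),
    "web_to_db": Flow("10.0.1.10", "10.0.2.20", 3306),
    "lateral_to_db": Flow("10.0.1.11", "10.0.2.20", 3306),
    "internet_to_db": Flow("203.0.113.5", "10.0.2.20", 3306),
}


def evaluate(flow: Flow) -> dict[str, str]:
    """Decision of each enforcement model for one flow."""
    return {
        "direction": direction(flow),
        "perimeter": perimeter_decision(flow, EDGE_RULES),
        "per_vm": vm_decision(flow, SECURITY_GROUPS),
    }


if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(f"{name:15} {evaluate(flow)}")
```

The flow to watch is `lateral_to_db`: it is east-west, so the perimeter model returns "allow" without ever consulting a rule, while the per-VM model denies it because the database VM's rule admits only the web VM's address. The north-south flows are decided the same way by both models, which is why the document describes per-VM enforcement as an addition to, not a replacement for, border protection.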
Updated: 2019-10-23

Document ID: EDOC1100063247