Security Services Lifecycle Management in On-Demand Infrastructure - PowerPoint PPT Presentation



  1. Security Services Lifecycle Management in On-Demand Infrastructure Services Provisioning
  Yuri Demchenko, System and Network Engineering Group, University of Amsterdam
  CPSRT 2010 Workshop, 2 December 2010
  CloudCom2010 Conference, 30 October - 3 December 2010, Indianapolis

  2. Outline
  • Background for this research
  • On-Demand Infrastructure Services Provisioning and Composable Services Architecture (CSA)
     CSA Service Delivery Framework and Services Lifecycle Management
  • Proposed Security Services Lifecycle Management and related security mechanisms
  • Implementation – GAAA Toolkit and Security sessions management
  • Summary and Discussion
  Slide _ 2 CPSRT2010 Workshop, 2 December 2010 Security Services Lifecycle Management

  3. Background to this research
  • Current projects
     GEANT3 JRA3 Composable Services – European NREN infrastructure
     GEYSERS – On-demand Optical + IT infrastructure resources provisioning
      – Wide participation from large European network (Telefonika, Alcatel-Lucent, Interoute) and application providers (SAP)
  • Past projects
     EGEE Grid Security middleware – gLite Java Authorisation Framework
     Phosphorus project Security architecture for multi-domain Network Resource Provisioning
      – GAAA-NRP and XACML-NRP profile
      – Multidomain Network Resource Provisioning (NRP) model and workflow

  4. Use Case – e-Science infrastructure
  [Figure: components of the typical e-Science infrastructure involving multidomain and multi-tier Grid and Cloud resources and network infrastructure. Labelled elements: Control & Instrument Grid, Monitoring, Storage T0 (Manufacturing), Grid Center, Storage T1, Users A/K/P, Visualisation, Computing Cloud, Cloud Storage; link types: permanent link, high speed link provisioned on demand, link provisioned on-demand.]
  • Initial effort to build – estimated 2 Yrs
  • Outsource to current telco provider – approx. 2 months
  • Target with new business model – 2 hrs

  5. Use Case – e-Science infrastructure
  [Figure: the same e-Science infrastructure diagram as on slide 4 (multidomain and multi-tier Grid and Cloud resources and network infrastructure).]
  On-demand infrastructure services provisioning environment
  • Security along the whole provisioning process and service/infrastructure lifecycle
  • Manageable/user controlled security
  • Securing remote executing environment
  • Security context/session management

  6. GEYSERS Reference Model for Infrastructure Virtualisation
  Roles:
  • VIO – Virtual Infrastructure Operator
  • VIP – Virtual Infrastructure Provider
  • PIP – Physical Infrastructure Provider

  7. Security Service Lifecycle Management in On-Demand Resources/Services Provisioning
  • On-Demand Infrastructure Services Provisioning requires definition of Services Lifecycle Management
     Multidomain multi-provider environment
     Includes standard virtualisation procedures and mechanisms
  • Requires dynamic creation of Security/Trust Federations in multi-domain environment
     Based on available Trust Anchors
      – Physical Resources (hosting platforms)
      – SLA or SLA negotiators/contractors
      – All other security context/credentials/keys should be derived from them
  • Access control infrastructure dynamically created and policy/attributes dynamically configured
     Access/authorisation session/context management
  • Composable Services Architecture (CSA) as a platform for dynamically configurable composable services provisioning

  8. Composable Services Architecture
  [Figure: CSA layered architecture, top to bottom: Applications and User Terminals (User Client); Proxy (adaptors/containers) – Composed/Virtualised Services and Resources; Composition Layer / Service Management Plane (Reservation, SLA Negotiation, Operation, Orchestration) alongside the Control & Management Plane – Composable Services Middleware (GEMBus) with MD SLC, Registry, Logging and Security; Logical Abstraction Layer for Component Services and Resources; Proxy (adaptors/containers) – Component Services and Resources; Component Services & Resources – Physical Resources level (Storage Resources, Compute Resources, Network Infrastructure, Control/Management Links, Data Links). Separation of Data Plane, Control Plane, Management Plane.]
  Composable Services lifecycle/provisioning stages:
  (1) Request
  (2) Composition/Reservation
  (3) Deployment
  (4) Operation
  (5) Decommissioning

  9. CSA Services Delivery Framework (SDF) – Composable Services Provisioning Workflow
  Main stages/phases
  • Service Request (including SLA negotiation)
  • Composition/Reservation (aka design)
  • Service Deployment, including Registration/Synchronisation
  • Operation (including Monitoring)
  • Decommissioning
  Additional stages
  • Re-Composition should address incremental infrastructure changes
  • Recovery/Migration can use SL-MD to initiate resources re-synchronisation but may require re-composition
  The whole workflow is supported by the Service Lifecycle Metadata Service (SL MD)
  Based on the TMF SDF
  [Figure: workflow diagram with the stages Service Request/SLA Negotiation, Composition/Reservation, Service Deployment (Registration & Synchronisation), Operation (Monitoring) and Decommissioning in sequence, with Re-Composition and Recovery/Migration as loops back into the workflow; the Lifecycle Metadata Service (SL MD) and Provisioning Session Management span all stages.]
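The two ideas on slides 7 and 9 (every security context and key is derived from a trust anchor, and the provisioning session moves through a fixed sequence of lifecycle stages that the lifecycle metadata records) can be shown as one small model. The code below is an added example, not part of the presentation and not the GAAA Toolkit; the stage names, the HKDF-based derivation, the `SSLM|service|stage` label and the trust-anchor secret are all assumptions made for the illustration. Each stage gets its own key bound to service, session and stage, illegal stage transitions are rejected, a context can be rebuilt from the SL-MD record alone (the recovery/migration case), and decommissioning drops the key material.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List

# Lifecycle stages from the CSA SDF workflow and the transitions allowed
# between them (assumed model). Re-composition returns an operating service
# to the reservation (design) stage; recovery/migration stays in operation.
TRANSITIONS = {
    "request": {"reservation"},
    "reservation": {"deployment"},
    "deployment": {"operation"},
    "operation": {"reservation", "decommissioned"},
    "decommissioned": set(),
}


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract a PRK from the trust-anchor
    secret, then expand it into a context-specific key."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


@dataclass
class LifecycleMetadata:
    """The Service Lifecycle Metadata (SL-MD) record: everything needed to
    rebuild the security context except the trust-anchor secret itself."""
    service_id: str
    session_id: bytes
    stage: str = "request"
    history: List[str] = field(default_factory=lambda: ["request"])


class ServiceSecurityContext:
    def __init__(self, trust_anchor_secret: bytes, metadata: LifecycleMetadata):
        self._anchor = trust_anchor_secret
        self.md = metadata

    @classmethod
    def new_request(cls, trust_anchor_secret: bytes, service_id: str):
        # A fresh provisioning session gets a random session identifier; it is
        # stored in SL-MD and binds every derived key to this session.
        return cls(trust_anchor_secret, LifecycleMetadata(service_id, os.urandom(16)))

    @classmethod
    def recover(cls, trust_anchor_secret: bytes, metadata: LifecycleMetadata):
        # Recovery/Migration: re-synchronise from SL-MD. Derivation is
        # deterministic, so the recovered context yields the same stage keys.
        return cls(trust_anchor_secret, metadata)

    def stage_key(self) -> bytes:
        """Key for the current stage, derived from the trust anchor and bound
        to service, session and stage, so a deployment-stage key is useless
        during operation and vice versa."""
        if self.md.stage == "decommissioned":
            raise RuntimeError("security context revoked at decommissioning")
        info = b"SSLM|" + self.md.service_id.encode() + b"|" + self.md.stage.encode()
        return hkdf_sha256(self._anchor, self.md.session_id, info)

    def transition(self, new_stage: str) -> bytes:
        """Move to the next lifecycle stage, record it in SL-MD and return the
        new stage key (empty once decommissioned). Illegal moves are rejected."""
        if new_stage not in TRANSITIONS[self.md.stage]:
            raise ValueError(f"illegal transition {self.md.stage} -> {new_stage}")
        self.md.stage = new_stage
        self.md.history.append(new_stage)
        if new_stage == "decommissioned":
            self._anchor = b""  # drop the key material; nothing more can be derived
            return b""
        return self.stage_key()


def demo() -> dict:
    """Walk one constructed service through the workflow and collect its keys."""
    anchor = b"constructed trust-anchor secret (e.g. from the hosting platform)"
    ctx = ServiceSecurityContext.new_request(anchor, "svc-example-01")
    keys = {"request": ctx.stage_key()}
    for stage in ("reservation", "deployment", "operation"):
        keys[stage] = ctx.transition(stage)
    # Recovery from the SL-MD record alone reproduces the operation-stage key.
    recovered = ServiceSecurityContext.recover(anchor, ctx.md)
    keys["recovered_operation"] = recovered.stage_key()
    ctx.transition("decommissioned")
    keys["history"] = list(ctx.md.history)
    return keys


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

The four stage keys differ even though they come from one anchor and one session, which is what lets a component honour only the key of the stage it is actually in; recovery works because SL-MD carries the session identifier and current stage, not the keys themselves.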

  10. TMF Service Delivery Framework (SDF)
  Goal: Automation of the whole service delivery and operation process (TMF SDF, http://www.tmforum.org/ServiceDeliveryFramework/4664/home.html)
  • End-to-end service management in a multi-service providers environment
  • End-to-end service management in a composite, hosted and/or syndicated service environment
  • Management functions to support a highly distributed service environment, for example unified or federated security, user profile management, charging etc.
  • Any other scenario that pertains to a given phase of the service lifecycle challenges, such as on-boarding, provisioning, or service creation

  11. SDF Reference Architecture (refactored from SDF)
  [Figure: SDF reference architecture with the numbered components below grouped into the DESIGN (Design), DEPLOYMENT (Deploy) and OPERATION (Operate) stages, and composite services provisioned on-demand at the bottom. SDF MSS = Management Support Service, SDF ISS = Infrastructure Support Service.]
  1 – Service Instance Design
  2 – Service Management Interface
  3 – Service Functional Interface
  4 – Management Support Service (SDF MSS)
  5 – Service Provisioning Management
  6 – Service Quality/Problem Management
  7 – Service Usage Monitor
  8 – Infrastructure Support Service (ISS)
  9 – Service Repository
  10 – Service Lifecycle Metadata Repository
  11 – Service Lifecycle Metadata Coordinator
  12 – Service State Monitor
  13 – Service Resource Fulfillment
  14 – Service Resource Monitor
  15 – Resource Usage Monitor
  16 – Service Design Management
  17 – Service Deployment Management

  12. Composable Services Architecture – Lifecycle stages workflow
  [Figure: the CSA layered architecture of slide 8 (Applications and User Terminals; Proxy – Composed/Virtualised Services and Resources; Composition Layer / Service Management Plane with Reservation, SLA Negotiation, Operation, Orchestration; Control & Management Plane – Composable Services Middleware (GEMBus/GESB) with MD SLC, Registry, Logging, Security; Logical Abstraction Layer; Proxy – Component Services and Resources; Storage Resources, Compute Resources, Network Infrastructure, Control/Management Links, Data Links), annotated with the lifecycle stage numbers (1)–(5) at the layers each stage involves.]
  Composable Services lifecycle/provisioning stages:
  (1) Request
  (2) Composition/Reservation
  (3) Deployment
  (4) Operation
  (5) Decommissioning
  MD SLC – Service Lifecycle Metadata
  GEMBus – GEANT Multidomain Bus
