Security considerations in ITRI cloud OS

Abstract

Over the past few years, clouds have become an important terms in different domains. ITRI (Industrial Technology Research Institute) CCMA is one of Cloud developers especially on IaaS, called ITRI Cloud OS. ITRI Cloud OS is a comprehensive data center software stack. Inside this system, server virtualization, network virtualization, and storage virtualization are included to make Cloud OS serves virtual machines. Security is an important issue which is one of Cloud OS components. In this paper we represent security from different viewpoints in the system. Cloud OS could be deployed either as a public or private cloud. To host large number of VMs, horizontal scale up is a requirement. Security implementation should be adapted to support such an environment. ITRI Cloud OS could easily accommodate new VMs by adding new computing resources. In order to make cloud OS a secure environment, how we implement security protection and service level guarantee are discussed in this paper. Security protection means VMs are under protections through different mechanism and service level agreement (SLA). That is VMs running inside Cloud OS could have service guarantee even when resource is limited. To provide security protections, the following properties are built inside Cloud OS: multi-tenant support with tenant isolation including network as well as user data volume isolations; role-based distributed L3/L4 firewall, and automatic firewall setting in Cloud OS for enterprise firewall device; Distributed WAF protection; ARP spoofing; and DDoS mitigating system. In this paper, we present our security component's algorithms, system models, performance analysis, and performance evaluation results. To support SLA, we provide a distributed traffic shaping architecture. Through SLA policy setting, VMs can achieve guaranteed network bandwidth. We will present our distributed traffic shaping performance evaluation results which demonstrate the efficiency of Cloud OS.