Huawei Cloud Computing Data Center Security Solution for Petroleum Industry
Data centers play an important role in IT-based development and IT applications in the oil and gas industry. Operational systems used in
oil and gas companies, including enterprise resource planning (ERP) systems, logistics systems, delivery systems, retail systems, portals,
customer management systems, oil and gas prospecting systems, and marketing systems, are all dependent on data centers.
As the Internet is used more extensively, data centers that used to run on client/server architectures are migrating to central servers connected to the
Internet. Multi-layer applications built on this infrastructure interact with hardware, networks, and operating systems with increasing
complexity, and it is this complexity that creates much of the uncertainty in data center security. Data centers whose security strategies
are poorly implemented face frequent intrusion by hackers and worms. Although most system administrators are aware of the
serious damage caused by Internet-based malicious attacks and have deployed security devices that defend data centers at the access control
layer, these traditional defenses are becoming less effective against the latest attacks, which rely on mature, well-developed techniques.
Security threats to data centers can appear at any layer, including terminals, the network, business applications, data, management
systems, and risk control, as shown in the following figure, "Data Center Security Threats".
Cloud Computing Data Center Security Solution
Figure: Data Center Security Threats
Huawei Solution
[Figure residue. The figure lays the DC hierarchical model (terminal, network, service application, data, management and risk control) over a petroleum IT landscape: application systems (prospecting and exploration, oil and gas production, production command, OA and production management), their databases (management system, ERP, prospecting and exploration, oil and gas exploitation), the data center, the IP backbone transmission network and OTN ring, and the access networks (sensor network with ZigBee/RFID, SCADA/automatic control over ZigBee/Wi-Fi, 2G/CDMA/Wi-Fi/WiMAX/microwave/GPON access, video surveillance, mobile terminals, communications gateways, RTUs, and the central control room). The threats it calls out are:]
• Illegal terminal or illegal user access
• Terminal data leakage
• Malicious attacks from terminals
• Attacks on the perimeter network
• Network attacks between different internal departments
• Attacks between the hypervisor and VMs
• DDoS attacks
• Visibility and security control of virtual machine (VM) traffic and mutual access
• Security of data transmission via internal and external networks
• Heavy peer-to-peer (P2P) and video traffic at network egress points that delays important service operations
• Cyberloafing that lowers office efficiency
• Trojan-infected websites and Structured Query Language (SQL) injection
• Email virus transmission, email phishing, and email information leakage
• Virus intrusion and dissemination in applications
• Hosts and hypervisor systems that are vulnerable to threats
• Data leakage due to vulnerabilities in document security management
• Storage data theft
• Data disaster recovery
• Database intrusion risks and data theft
• Leakage risks due to poor isolation of VM resources
• Systems for different uses running independently of each other
• Lack of unified security strategies, leaving data centers vulnerable to threats
• Data theft by malicious internal users
• Regulatory compliance and legal risks from cloud computing
• Malicious administrators overstepping their authority
• Separation of security log audit
Customer Benefits
The focus of enterprise data center security lies in the safe and
efficient operation of data centers, secure access to services
anywhere and anytime, and the capability to keep services
confidential, intact, and available (confidentiality, integrity, and availability).
Huawei's enterprise data center security system consists of five
dimensions: identification & authentication (who are you), access &
authorization (what information is available for you), audit trail (behavior
records are traceable for audit), response & recovery (capability to quickly
respond and recover), and content security (what attacks are threatening
data centers). Collectively, these protections are abbreviated as IAARC.
This five-dimensional security approach helps provide differentiated
security solutions to secure the operations of enterprise data centers.
Solution Architecture
Huawei's enterprise data center security architecture secures services in three layers: cloud, pipe, and device.
An overall terminal access security solution is provided to help ensure device security at mobile terminals, virtual desktop infrastructure (VDIs),
and office automation terminals.
A hierarchical network security protection solution is provided to protect perimeter networks, internal networks, and virtual layer networks
against attacks from within or outside data centers.
This solution secures the major services (like Web and email) at the cloud end, and offers an all-around data security solution that helps
ensure document security, database security, virtual machine full-disk encryption, and data leakage prevention (DLP). By securing the
services at these three layers (cloud, pipe, and device), this solution helps ensure access security, network security, application security, and
data security for data center services.
The security service package offered by Huawei's professional teams integrates security management consulting, service security evaluation,
security penetration testing, security hardening, and other services that help customers build highly secure and reliable data centers.
• Device security: mobile access security, desktop cloud terminal access security, and office automation terminal access security.
• Network security: perimeter network security, internal network security, and virtual layer network security.
• Application security: host security, service security, and data security.
• Security management: O&M audit, security device service management, and security operation.
• Security services: infrastructure security service and security management consulting service.
[Figure residue: enterprise data center security architecture. The diagram shows the Internet entering through iCache, link load balancing (LLB), SSL VPN, and a DMZ protected by DDoS/FW/IPS devices; external networks (extranet, WAN/MAN, disaster recovery center, local branch, branch extranet, private OA network) each entering through UTM devices; a CSS network core layer with ASG at the network service zone; iStack server clusters in the operations management area, prospecting and exploration area, OA area, oil and gas production area, and highly secured production area, with data leakage prevention applied; and PC SAN and FC SAN storage behind an FC switch.]