security services lifecycle management and geysers service delivery framework
DESCRIPTION
Security Services Lifecycle Management and GEYSERS Service Delivery Framework. Yuri Demchenko, UvA Cloud Security BOF 26 October 2010 OGF30 25-28 October 2010, Brussels. Outline. Cloud Security – New challenges On-Demand Infrastructure Services Provisioning - PowerPoint PPT PresentationTRANSCRIPT
Security Services Lifecycle Management and
GEYSERS Service Delivery Framework
Yuri Demchenko, UvA
Cloud Security BOF
26 October 2010
OGF30 25-28 October 2010, Brussels
Outline
Cloud Security – New challenges On-Demand Infrastructure Services Provisioning Background – TMF Service Delivery Framework (SDF) GEYSERS SDF Security Services Lifecycle Management
ISoD BoF, OGF30, 25-29 Ocftober 2010, Brussels Security Services Lifecycle Management Slide_2
Cloud Security – New challenges
Clouds as infrastructure services provisioning model/environment Security along the whole provisioning process and service/infrastructure
lifecycle Manageable/user controlled security Securing remote executing environment Security context/session management
ISoD BoF, OGF30, 25-29 Ocftober 2010, Brussels ISOD RG Chapter Discussion Slide_3
ISoD BoF, OGF30, 25-29 Ocftober 2010, Brussels Security Services Lifecycle Management Slide_4
Security Service Lifecycle Management in On-Demand Resources/Services Provisioning
On-Demand Infrastructure Services Provisioning requires definition of Services Lifecycle Management
Multidomain multi-provider environment Includes standard virtualisation procedures and mechanisms
Requires dynamic creation of Security/Trust Federations in multi-domain environment
Access control infrastructure dynamically created and policy/attributes dynamically configured
Access/authorisation session/context management
ISoD BoF, OGF30, 25-29 Ocftober 2010, Brussels Security Services Lifecycle Management Slide_5
GEYSERS Service Delivery Framework (SDF)
Service provisioning workflow by VIP: Creation of the Virtual Infrastructure (VI) May include more engineers support
Service provisioning workflow by VIO: Creation and operation of the Virtual Infrastructure on-demand for specific project,
tasks or user groups Should be completely automatic
Should also include activities/stages for infrastructure re-planning, restoration and migration
Adopted TeleManagement Forum Service Delivery Framework (TMF SDF)
GEYSERS Project - http://www.geysers.eu/
GEYSERS Reference Model
Role:
• VIO
• VIP
• PIP
ISoD BoF, OGF30, 25-29 Ocftober 2010, Brussels ISOD RG Chapter Discussion Slide_6
Virtual IT Management (VITM)
Service Middleware Layer (SML)
Physical Infrastructure
Virtual Resource Pool
Virtual Infrastructure
IT-aware Network Control Plane (NCP+)
Logi
cal I
nfra
stru
ctur
e C
ompo
sitio
n La
yer (
LIC
L)
Service Consumer
Physical IT resource
Virtual IT resource
Physical Network resource
Virtual Network resource
Virtual Network node controller
Virtual IT node controller
Role of GEYSERS actors with respect to its architectural layers
ISoD BoF, OGF30, 25-29 Ocftober 2010, Brussels ISOD RG Chapter Discussion Slide_7
Service Middleware Layer (SML)
VI-1
Service Middleware Layer (SML)
VIPi
Virtual IT Manager (VITM)
IT-aware NCP
VIOn
VI-n
...
...
Service Consumers
Virtual IT Manager (VITM)
IT-aware NCP
VIO
1
Virtual Resource Pool
Service Consumers
Virtual Infrastructure Virtual Infrastructure
PIP
Physical Infrastructure
Logi
cal I
nfra
stru
ctur
e Co
mpo
sition
Laye
r (LI
CL)
TMF Service Delivery Framework (SDF)
GN3-JRA3-T3 Discussion Security Services Lifecycle Management Slide_8
Goal: Automation of the whole service delivery and operation process (TMF SDF, http://www.tmforum.org/ServiceDeliveryFramework/4664/home.html)
End-to-end service management in a multi-service providers environment
End-to-end service management in a composite, hosted and/or syndicated service environment
Management functions to support a highly distributed service environment, for example unified or federated security, user profile management, charging etc.
Any other scenario that pertains to a given phase of the service lifecycle challenges, such as on-boarding, provisioning, or service creation
SDF Reference Architecture (refactored from SDF)
Security Services Lifecycle Management Slide_9
SDF ServiceRepository (ISS)
SDF Service Lifecycle Metadata
Coordination (ISS)
SDF Service DesignManagement (ISS)
SDF Service Deployment
Management (ISS)
SDF Service ProvisngMngnt (MSS) SDF Service
Instance
SDF Service Lifecycle Metadata
Repository (ISS)
Design
Operate
Deploy
SDF Service Resource Fulfillment (ISS)
SDF Service StateMonitor (ISS)
SDF Service Resource Monitor (ISS)
SDF Service Resource Usage Monitor (ISS)
SDF Service Quality/Problem Mngnt (MSS)
SDF Service UsageMngnt (MSS)
Composite Services provisioned on-demand
9
3
7
6
6
84
2
1
10
16
15
14
13
12
1117
SDF MSS SDF ISS
1 – Service Instance2 - Service Management Interface3 – Service Functional Interface4 - Management Support Service (SDF MSS)8 - Infrastructure Support Service (ISS)DESIGN stage9 - Service Repository10 - Service Lifecycle Metadata Repository16 - Service Design ManagementDEPLOYMENT stage10 - Service Lifecycle Metadata Repository11 - Service Lifecycle Metadata Coordinator17 - Service Deployment Management OPERATION stage5 - Service Provisioning Management6 - Service Quality/Problem Management7 - Service Usage Monitor12 - Service State Monitor13 - Service Resource Fulfillment14 - Service Resource Monitor15 - Resource Usage Monitor
GEYSSERS Service Delivery Workflow
Geysers SDF supports both Geysers infrastructure development and deployments and its operation for on-demand Infrastructure services provisioning by VIO
GN3-JRA3-T3 Discussion Security Services Lifecycle Management Slide_10
Service Request/SLA Negotiation
Planning(Design)
Deployment(Instant&
Config&Synchro)
Operation&Monitoring
(by VIO)
Decommissioning
Service Request/SLA Negotiation
Planning (Compos/Reserv)
Deployment
Operation(Monitoring)
Decommissioning
Registr&Synchro
Network+ITServices
Provisioning Workflow
by VIO
Recovery/ Migration
Re-Planning
Services Provisioning
Workflow by VIP
Recovery/ Migration
Re-planning
SDF main stages and phases
Main stages/phases Service Request (including SLA negotiation) Planning (including Composition, Reservation and Design) Deployment (including Reqistration/Synchronisation) Operation (including Monitoring) Decommissioning
Additional stages Re-Composition should address incremental infrastructure changes Recovery/Migration can use SL-MD to initiate resources re-synchronisation but may require re-
composition
The whole workflow should be supported by the Service Lifecycle Metadata Service (SL MD)
ISoD BoF, OGF30, 25-29 Ocftober 2010, Brussels Security Services Lifecycle Management Slide_11
Security Services Lifecycle Management Slide_12
SDF use for defining Security Services Lifecycle Management Model
Security Service request and generation of the GRI that will serve as a provisioning session identifier and will bind all other stages and related security context.
Reservation session binding that provides support for complex reservation process including required access control and policy enforcement.
Deployment stage begins after all component resources have been reserved and includes distribution of the security context and binding the reserved resources or services to GRI as a common provisioning session ID.
Registration&Synchronisation stage (optional) specifically targets possible scenarios with the provisioned services migration or failover/interruption. In a simple case, the Registration stage binds the local resource or hosting platform run-time process ID to the GRI as a provisioning session ID.
Operation stage - security services provide access control to the provisioned services and maintain the service access or usage session.
Decommissioning stage ensures that all sessions are terminated, data are cleaned up and session security context is recycled.
Service Request (GRI)
Reserv Session Binding
Deploy- ment & RsrBind
Operatn Access
Decom-mision
Registr Synchro (Opt)
Security Services Lifecycle Management Slide_13
Relation between SSLM and general SLM
Service Request stage may include SLA negotiation Security service instantiation may use SLA security context
SecServ Request (GRI)
Reserv Session Binding
Deploy- ment & RsrBind
Operatn Access
Decom-mision
Registr Synchro (Ext)
Service Request (GRI)
Operate Maintain
Decom-mision
Design Development Reservation
Deployment (a) Services Lifecycle Stages
(b) Security Services Lifecycle Stages
Security Services Lifecycle Management Slide_14
Relation between SSLM/SLM stages and supporting general and security mechanisms
SLM stages
Request Design/Reservation Development
Deployment Operation Decomissioning
Process/ Activity
SLA Nego tiation Service/ Resource Composition Reservation
CompositionConfiguration
Orchestration/ Session Management
Logoff Accounting
Mechanisms/Methods
SLA V V
Workflow (V) V
Metadata V V V V
Dynamic Security Associatn
(V) V V
AuthZ Session Context
V (V) V
Logging (V) (V) V V
SSLM – Existing developments
GAAA Toolkit Library with tickets/tokens handling functionality for security session context management
GAAA-NRP (GAAA profile for Network Resource Provisioning) On-going work in GEYSERS project to develop Security Architecture for
On-Demand Infrastructure Services provisioning Possible Contribution to planned ISOD RG
Visit ISOD BOF today 15:00-18:30 (no security discussions planned but …) http://www.gridforum.org/gf/event_schedule/index.php?id=2099
ISoD BoF, OGF30, 25-29 Ocftober 2010, Brussels Security Services Lifecycle Management Slide_15
Additional Information
TMF SDF Lifecycle Management model
Security Services Lifecycle Management Slide_16
Discussion
CSA is proposed as a possible deliverable for ISOD RG
Who is interested to contribute?
Any interested people to review and verify against other usecases?
ISoD BoF, OGF30, 25-29 Ocftober 2010, Brussels Security Services Lifecycle Management Slide_17