Cloud Computing and Information Security, Present and Future (2009. 11. 17)
Earth in crisis (SOURCE: NASA)
Earth in crisis (SOURCE: Ndaily)
Business demands for overcoming the crisis: High-Efficiency, Synergy, Cost Reduction, Globalization, Mobility, Communication, Open Standard, Federation, Collaboration, Convergence
IT's answer to those business demands: Cloud Computing
What is cloud computing? A new way of consuming IT and a new business model.
Cloud computing is a model in which IT resources such as hardware, software and data are delivered over the web in the form of standardized services. Users can pick and use as much of the cloud-delivered services as they want, at any time and from any (IP-capable) device, and pay according to what they use.
It also demands highly standardized infrastructure management: cloud infrastructure aims to maximize utilization by consolidating existing infrastructure and applying a high degree of virtualization. This simplifies the infrastructure and ultimately contributes to cost reduction.
Diagram: the cloud service administrator manages and monitors cloud services and resources; the data center resources; the service user accesses the cloud service; component vendors / software suppliers feed the service catalog and component library.
Attributes of cloud computing
Flexible pricing. Characteristic: charging is based on actual usage, so the forms of payment are varied and flexible, and IT services are consumed under a flexible pricing structure unlike before. User benefit: the pay-per-use cloud computing model lets customers cut TCO and improves operational efficiency and productivity.
Elastic resource allocation. Characteristic: variable capacity distribution that responds quickly to changes in demand; 24-hour availability is assured, and resource allocation and reclamation are automated. User benefit: utilization of existing resources can be improved and optimized.
Rapid resource deployment (automated deployment and reclamation of resources). Characteristic: IT and network capacity is allocated almost automatically, so resources are deployed rapidly and can be consumed through Internet standards without any change of resource ownership. User benefit: the time spent on resource allocation shrinks, so services start faster; better time-to-market capability contributes to creating new business.
Advanced virtualization. Characteristic: distributed IT resources such as servers, storage and networks are virtualized at the physical level so that the infrastructure can be used independently and efficiently. User benefit: efficient use of the infrastructure.
Standardized service delivery. Characteristic: the services available are defined in advance and offered as a catalog, with no separate customization. User benefit: saves the time and cost of customization.
Classification of cloud computing
Cloud delivery forms: Public Clouds (service provider, over the Internet); Private Clouds (own data center, over the intranet); Hybrid Clouds (public and private).
Cloud service models: Software as a Service (SaaS): applications, processes and information as a service; Platform as a Service (PaaS): optimized middleware, development environments, portal servers, etc.; Infrastructure as a Service (IaaS): virtualized servers, storage and networks.
The cloud computing environment (figure): Thin Client, SAML (SOURCE: Wikipedia)
Enterprise cloud computing case: IBM RC2
Research Compute Cloud (RC2): a cloud environment that provides the computing resources IBM research labs worldwide (India, Zurich, Watson) need for their work, in self-service, on-demand form.
The whole workflow is automated: request the resources needed for research, approval of the request and e-mail notification, resource allocation, and resource monitoring.
Expected effect (TAP basis): without cloud, $3.4M annual expense; with cloud, $1.03M annual expense. The difference is liberated funding for transformation investment or direct saving.
Cost categories compared: Labor costs (operations and maintenance), New development (for business-enabling capabilities), Deployment (one-time), Software and other costs, Depreciation (and amortization). Labor cost: -80.7 percent; Depreciation: -91.6 percent.
Next! Federation between cloud computing services. CeBIT 2009 - New Cloud Technology: Real-Time Application Mobility
Next! Mobile cloud computing: always connected!!! Cloud Computing + Phone, where the Phone = Thin Client. Infinite possibilities. Self-Revolution
Cloud security?
Today's computing center: we are in control. Assets sit in a known location. We know how many servers there are and of what kind. Backups run periodically and administrators enforce access control. Uptime is adequate, we run a security team, and we are audited on a fixed schedule.
The future cloud computing environment: ??? Who is in control? Where is our information, and where is it stored? Who backs it up? Who can access it? How is service continuity ensured? How is it audited? How does our own security team get involved?
Security issues under cloud computing
Security threats in a virtualized environment, by layer
Application/Service (the guest workloads): the same threats as in existing environments.
Management service partition (Dom0, service console): potential exposure of management vulnerabilities.
Operating system / Hypervisor (VMM): hyper-jacking and VM theft.
Hardware virtualization / hardware: malware targeting the virtualization-support hardware.
Across all layers: the concentration of information makes the platform an attractive repository, which is motivation enough for attackers!!
New security environment and challenges
Server sprawl on steroids: enterprise management options are not where they need to be.
Virtual network: software implementations of switches, adapters and connections.
Compliance and patching: new layers to patch (the virtualization software and the management stack); maintaining the security posture of VMs in a dynamic environment.
Virtual disk protection: entire servers are now files.
Mobility: are VMs moving to less secure machines, networks, data centers, etc.? Static security policies no longer apply.
Typical cloud service composition
Cloud-delivered services (Cloud Platform): SaaS, application as a service: application software licensed for use as a service, provided to customers on demand. PaaS, platform as a service: optimized middleware, application servers, database servers, portal servers. IaaS, infrastructure as a service: virtualized servers, storage, networking.
Business Support Services: offering management, customer management, ordering management, billing.
Operational Support Services: infrastructure provisioning; instance, image and resource/asset management.
Virtualized resources: virtual network, server, storage.
System resources: network, server, storage.
Physical system and environment.
IBM architecture model for cloud computing (the parts connect through standards-based interfaces)
Service Request & Operations (end users, operators): role-based access.
Service Provider: Cloud Services (Application/Software as a Service, Platform as a Service, Infrastructure as a Service) on top of the Cloud Management Platform: Business Support Systems (BSS), Service Delivery Platform, Operational Support Systems (OSS), Operational Console, Service Reporting & Analytics.
Service Creation: Service Planning, Service Definition Tools, Service Catalog, Service Publishing Tools.
Cloud security = existing security + Security as a Service
Identity & Security as a Service is laid over the same architecture (standards-based interfaces; Service Request & Operations with role-based access; the Service Provider's Cloud Services and Cloud Management Platform with BSS, Service Delivery Platform and OSS; Service Creation with Service Planning, Service Definition Tools, Service Catalog, Service Publishing Tools, Operational Console and Service Reporting & Analytics):
Integration with the existing security system.
Federated identity / identity as a service, to address personal-information (privacy) and legal issues.
Log management and audit, compliance management.
Intrusion detection, Anti-Virus, Web-Filtering.
Secure Runtime for Virtual Infrastructure, spanning Business Support Services, Operational Support Services, Virtualized Resources, System Resources and the Physical System / Environment: process isolation, data segregation; control of privileged user access; provisioning with security and location constraints; image provenance, image & VM integrity; multi-tenant security services (identity, compliance reporting, etc.); multi-tenant intrusion prevention; consistency top-to-bottom.
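The "image provenance, image & VM integrity" and "provisioning with security and location constraints" items above, together with the earlier challenges slide's points that entire servers are now files and that VMs may migrate to less secure hosts, can be made concrete in a provisioning gate. The following Python script is an added example, not code from the deck or from IBM. It assumes a hypothetical image catalog signed with an HMAC key held only by the cloud operator and a hypothetical host placement policy; the image bytes, digests, host names, zones and security tiers are constructed sample data. The gate refuses to launch when the catalog MAC fails, when the image digest does not match the approved entry, or when the target host is outside the allowed zone or below the required security tier.

```python
"""Image-provenance and location-constrained provisioning check (added example)."""
import hashlib
import hmac
import json
from typing import Tuple

# Assumption: the catalog signing key lives with the cloud operator, never on tenant VMs.
CATALOG_SIGNING_KEY = b"operator-catalog-signing-key-2009"

# Constructed sample "golden" image standing in for a VM disk image file.
GOLDEN_IMAGE = b"HR-DB-IMAGE-2009Q4\x00" + bytes(range(256)) * 4


class ProvisioningError(Exception):
    """Raised when an image or its placement fails a security check."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    # Canonical JSON so the signer and the verifier MAC exactly the same bytes.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def sign_catalog(entries: dict, key: bytes) -> dict:
    """Operator side: bind approved digests and constraints to a MAC (provenance)."""
    return {"entries": entries,
            "mac": hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()}


def verify_catalog(signed: dict, key: bytes) -> dict:
    """Provisioner side: refuse any catalog whose MAC does not verify."""
    expected = hmac.new(key, _canonical(signed["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["mac"]):
        raise ProvisioningError("catalog MAC invalid: catalog tampered or wrong key")
    return signed["entries"]


def provision(image_name: str, image_bytes: bytes, target_host: str,
              signed_catalog: dict, placement: dict, key: bytes = CATALOG_SIGNING_KEY) -> dict:
    """Return a launch record only if integrity and location constraints all hold."""
    entries = verify_catalog(signed_catalog, key)
    entry = entries.get(image_name)
    if entry is None:
        raise ProvisioningError(f"{image_name}: not in the approved catalog")
    digest = sha256_hex(image_bytes)
    if not hmac.compare_digest(digest, entry["sha256"]):
        raise ProvisioningError(f"{image_name}: digest mismatch, image modified or not the approved version")
    host = placement["hosts"].get(target_host)
    if host is None:
        raise ProvisioningError(f"{target_host}: unknown host")
    if host["zone"] not in entry["allowed_zones"]:
        raise ProvisioningError(f"{image_name} may not run in zone {host['zone']}")
    if host["security_tier"] < entry["min_security_tier"]:
        raise ProvisioningError(f"{target_host}: security tier {host['security_tier']} "
                                f"below required {entry['min_security_tier']}")
    return {"image": image_name, "sha256": digest, "host": target_host, "zone": host["zone"]}


def decide(image_name, image_bytes, target_host, signed_catalog, placement) -> Tuple[bool, str]:
    """Turn the raise/return of provision() into (allowed, reason) for logging."""
    try:
        rec = provision(image_name, image_bytes, target_host, signed_catalog, placement)
        return True, f"launched {rec['image']} on {rec['host']} ({rec['zone']})"
    except ProvisioningError as exc:
        return False, str(exc)


# Constructed catalog: one approved image, pinned to the Seoul zone and tier-2 hosts.
SIGNED_CATALOG = sign_catalog({
    "hr-db-2009q4": {
        "sha256": sha256_hex(GOLDEN_IMAGE),
        "allowed_zones": ["kr-seoul"],
        "min_security_tier": 2,
    },
}, CATALOG_SIGNING_KEY)

# Constructed placement policy: which hosts exist, where they are, how hardened they are.
PLACEMENT_POLICY = {
    "hosts": {
        "host-kr-01": {"zone": "kr-seoul", "security_tier": 2},
        "host-kr-09": {"zone": "kr-seoul", "security_tier": 1},
        "host-ch-07": {"zone": "eu-zurich", "security_tier": 3},
    }
}

if __name__ == "__main__":
    for host, image in [("host-kr-01", GOLDEN_IMAGE),
                        ("host-kr-01", GOLDEN_IMAGE + b"\x90"),  # tampered image
                        ("host-ch-07", GOLDEN_IMAGE),            # disallowed zone
                        ("host-kr-09", GOLDEN_IMAGE)]:           # under-hardened host
        print(decide("hr-db-2009q4", image, host, SIGNED_CATALOG, PLACEMENT_POLICY))
```

The HMAC stands in for whatever signing the operator's real catalog uses; with a PKI the MAC check becomes a signature check over the same canonical bytes. The zone and tier checks are the part that answers the mobility question: a live migration or re-launch onto a host that fails them is refused rather than silently weakening the VM's posture.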
Identity and Security as a Service: IBM Rational AppScan OnDemand; IBM Tivoli Federated Identity Manager (Federated Cloud); IBM Tivoli Security Policy Manager. Standards: WS-Security, SAML, XACML.
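Of the standards listed, SAML is what carries a federated identity from the enterprise identity provider into the cloud service provider. The following Python script is an added example, not code from the deck or from IBM Tivoli Federated Identity Manager. It assumes the assertion's XML signature has already been verified by an XML-DSig library against the trusted IdP certificate, and applies the checks that must follow signature verification and are the ones most often skipped: issuer, bounded validity window with clock skew, audience restriction, one-time use of the assertion ID, and subject and attribute extraction. The assertion, issuer and audience URLs are constructed sample data.

```python
"""Post-signature validation of a SAML 2.0 assertion (added example)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion; the ds:Signature element is omitted because the
# example assumes signature verification already happened (see lead-in).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1b2c3" Version="2.0"
    IssueInstant="2009-11-17T09:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.org</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2009-11-17T09:00:00Z" NotOnOrAfter="2009-11-17T09:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://cloud.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>researcher</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class SamlError(Exception):
    """Raised when the assertion must not be trusted."""


def parse_utc(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuer, our_audience, now, seen_ids, skew_seconds=60):
    """Check issuer, time window, audience and replay; return subject and attributes."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion" or root.get("Version") != "2.0":
        raise SamlError("not a SAML 2.0 Assertion")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_issuer:
        raise SamlError(f"untrusted issuer {issuer!r}")
    cond = root.find("saml:Conditions", namespaces=NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise SamlError("assertion has no bounded validity window")
    skew = timedelta(seconds=skew_seconds)  # tolerate small IdP/SP clock drift
    if now < parse_utc(cond.get("NotBefore")) - skew:
        raise SamlError("assertion not yet valid")
    if now >= parse_utc(cond.get("NotOnOrAfter")) + skew:
        raise SamlError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", namespaces=NS)]
    if our_audience not in audiences:
        raise SamlError(f"assertion not addressed to {our_audience}")
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        raise SamlError("assertion replayed or missing ID")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not subject:
        raise SamlError("assertion has no subject")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", namespaces=NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", namespaces=NS)}
    seen_ids.add(assertion_id)  # burn the ID only once every check has passed
    return {"issuer": issuer, "subject": subject, "attributes": attrs}


def try_validate(xml_text, now_str, audience="https://cloud.example.com/sp", seen_ids=None):
    """Wrapper returning a dict instead of raising, for logging and for the demo below."""
    seen = set() if seen_ids is None else seen_ids
    try:
        result = validate_assertion(xml_text, "https://idp.example.org/idp", audience,
                                    parse_utc(now_str), seen)
        return {"ok": True, "subject": result["subject"],
                "roles": result["attributes"].get("role", [])}
    except SamlError as exc:
        return {"ok": False, "reason": str(exc)}


if __name__ == "__main__":
    replay_cache = set()
    print(try_validate(SAMPLE_ASSERTION, "2009-11-17T09:02:00Z", seen_ids=replay_cache))  # accepted
    print(try_validate(SAMPLE_ASSERTION, "2009-11-17T09:02:00Z", seen_ids=replay_cache))  # replay
    print(try_validate(SAMPLE_ASSERTION, "2009-11-17T09:10:00Z"))                         # expired
```

For assertions arriving from the network, parse with defusedxml rather than the standard-library parser to rule out entity-expansion attacks, and keep the seen-ID set shared across all service-provider nodes, expiring entries after the assertion lifetime, or the replay check protects only one node.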
Security as a Service
Characteristics of Security as a Service:
Areas that need continuous, real-time updates as new threats appear: Anti-Virus, Anti-Spyware.
Areas that can be supported remotely but require a high level of expertise: scanning, patch management, security maintenance.
Areas that are cheaper when outsourced: log management, authentication management.
Vendor examples: Email, Instant Messaging, Web Security (Symantec acquisition); Secure Web gateway (Barracuda acquisition); Web Filtering & Security (CISCO acquisition); Web Filtering & Security; log and authentication management, vulnerability management; Maintenance.
Secure Runtime for Virtual Infrastructure (* applying the existing security infrastructure)
Secure Runtime for Virtual Infrastructure
IBM ISS Proventia Virtualized Network Security Platform: protection of physical and virtual networks based on network segmentation; virtual patching; content-based filtering and web application firewall.
IBM Tivoli Security Policy Manager for Infrastructure: a more secure hypervisor and virtual machines.
IBM Tivoli Key Lifecycle Manager: improved data encryption and management of the data-encryption keys.
Secure Runtime for Virtual Infrastructure: the Security Virtual Machine
IPS based on a protocol-analysis module inside the VM network; firewall and VNAC (a compromised VM is quarantined and left only the restricted access needed for response); Anti-Virus, Anti-Rootkit; virtual infrastructure audit reporting; VM mobility with security assured.
Thank you!