Post on 30-Jul-2020
Cloud Computing Fundamentals
Dr. Abhisak Chulya
CEO & Founder
What is the Cloud?
§ Cloud computing is used as a metaphor for "the Internet."
§ The networking solution is someone else's responsibility; we no longer have to maintain it.
§ If so, that is a good cost reduction.
§ Applications can be hosted by someone else.
§ Data can be stored anywhere.
§ Applications can be accessed from anywhere.
Advantages of the Cloud
Reasons Not to Use the Cloud
§ Internet outages - the Internet connection is cut off
§ Site access - the host has problems
§ Sensitive data - the data is important
Cloud Components
Explore the components of the cloud
§ Clients
Mobile
Thin
Thick
§ Data Center
§ Distributed Servers
Cloud Infrastructure
§ Full Virtualization
Unique applications
Different OSs
One way to access services on the cloud
§ Ideal for:
Sharing one computing system among many users
Isolating each user from the others
Acting as a virtual device on another machine
§ Paravirtualization
Multiple OSs on one device
Not all elements need to be emulated
Allows for better scaling
Guest OSs talk to the hypervisor via API calls
§ Ideal for:
Disaster recovery
Migration
Capacity management
Three Main Cloud Computing Scenarios
1. Compute node
On-demand resources: machines ready when needed
Useful to an organization of any size
2. Storage node
Maintain files off-site
3. Cloud applications
Applications are delivered over the Internet
Hosting and IT management are offloaded to the cloud
Evaluating Cloud Computing for Business
When to Avoid Cloud Computing
§ Legislative issues - legal constraints
§ Hardware dependencies - heavy hardware constraints
§ Server control - control is exercised mainly from the server
§ Lack of need - no real need to use it
§ Integration - no need to integrate
Operational Benefits of the Cloud
§ Reduced cost
§ Increased storage
§ Automation - automatic provisioning speeds things up
§ Flexibility
§ Mobility
Economic Benefits of the Cloud
§ People
§ Hardware: Capex vs Opex
§ Pay-as-you-go
§ Time to market
Staffing Benefits of the Cloud
§ Software/Maintenance
§ Deployment time
§ Availability
§ SLA adherence
§ Upgrades
§ IT relief
§ More money!
Know the Security Risks of Cloud Computing
§ Privileged user access
§ Regulatory compliance
§ Data location
§ Data segregation
§ Recovery
§ Long-term viability
Cloud Computing Risks
Cloud Storage
§ Anywhere access
§ Ideal for travelers
§ Wide variety of providers and services
§ Data kept safe
§ Cost savings
Cloud Storage Providers
§ Google Docs for Office files
§ Outlook, Yahoo! Mail and Gmail for email
§ iCloud and Google Photos for digital photos
§ YouTube for video files
§ Public cloud providers
§ LinkedIn and Facebook for data and pictures
§ Dropbox for any digital data
Cloud Storage Security
§ Encryption
§ Authentication
§ Authorization practices
Cloud Storage Considerations
§ Safely protects data
§ Can use a mixed approach
§ Outages
§ Theft
Cloud Tools & Services
§ Google and G Suite
§ Microsoft Office 365
§ Work with OneDrive
§ Sync files with iCloud
§ Work with Evernote
Make a Cloud Migration Plan
§ Get educated - study well first
§ Assess security
§ Hire professionals
Migration to the Cloud
Define Desired Outcomes
§ Enhance or jump ahead
§ Compliance and legal issues
§ Plan for multi-server handling
§ Start small - one step at a time
Run Test Migrations
§ Migrate to a test cloud
§ Run load tests
§ Try to "break" things
Prepare for Live Cutover
§ Create a step-by-step checklist
§ Plan for outages
§ Build a rollback strategy
Migration Tips
§ Start small
§ Consider participation
§ Know the costs
§ Choose the right providers
Enterprise Class
§ Private cloud - on-premises
§ Private cloud - off-premises
§ Public cloud - local
§ Public cloud - global
Analyze services and service providers
The Wave Approach
§ Releasing your data to the cloud in phases, or "waves"
Releasing the data using the wave approach
Before Migration
§ Track seats
§ Determine what information needs safeguarding
§ Determine legal and sector-specific guidelines
§ Create internal guidelines and categorize information
Secure your data
After Migration
§ Track and monitor data
§ Segregate data into sensitivity and privacy categories
Secure your data
Establish a Training Plan
§ Communication
§ Information and session materials
§ Training sessions
§ Evaluation
§ Ongoing training and support
Responding to Change
§ Stay current on apps
§ Analyze apps
§ Keep current on vendors
Predict and respond to change
What is OpenStack?
Programmable infrastructure that lays a common set of APIs on top of compute, networking and storage
One platform for virtual machines, containers and bare metal
OpenStack Cloud Models
There's a global shift toward cloud. The benefits: agility, scalability, decreased hardware costs.
3 cloud models
Public cloud: shared resource, "pay-as-you-go" models are common. OpenStack public cloud is available in 60+ datacenters globally.
Private cloud: dedicated to a single user. Can be a hosted private cloud in a vendor's data center or yours, or a remotely managed private cloud.
Hybrid cloud: a mix of private cloud and public cloud orchestrated together to meet company needs
OpenStack Principles
Open source
Open design
Open development
Open community
OpenStack is open source - here's why that matters
Choice & control: ability to choose between and switch vendors
Ability to contribute or directly influence the roadmap
Widely adopted open source APIs are the new standards
Part of a vibrant community to share knowledge and help each other
Primary business drivers
#1 avoid vendor lock-in
#2 accelerate innovation
#3 operational efficiency
Source: User Survey, April 2017
Which industries choose OpenStack?
Retail/e-commerce, financial, telecom, academic/research, energy and manufacturing, insurance, entertainment
See more at openstack.org/user-stories
What runs on OpenStack?
Telecom/NFV, HPC, enterprise apps, big data, multi-cloud, e-commerce, developer productivity, web services
86% of telecoms say OpenStack is important to their business; many are using OpenStack to virtualize their networks and implement edge computing to achieve agility and significant cost savings.
DigitalFilm Tree uses interoperable OpenStack private and public clouds to process thousands of hours of raw footage into a one-hour TV show.
Walmart moved their global e-commerce platform to OpenStack, powering desktop, mobile, tablet and kiosk users.
Adobe Digital Marketing uses OpenStack to convert their existing virtualization environment into self-service IT.
CERN runs one of the largest OpenStack clouds to process data from the Large Hadron Collider, giving physicists the resources they need to unleash the secrets of the universe.
Comcast powers customer-facing and internal applications and services for both production and development environments with OpenStack.
Banco Santander runs 1,000 compute nodes of OpenStack in data centers across the world, and uses Cloudera on OpenStack to power fraud detection.
Workday moved their on-demand software services from static, virtualized environments to a fully elastic and scalable platform based on OpenStack.
History of OpenStack
2010 - NASA + Rackspace develop the basis of OpenStack
2012 - OpenStack Foundation established
2014 - OpenStack Marketplace opens to showcase maturing ecosystem; "Juno" release seen as enterprise grade
2015 - OpenStack Powered interop certification launched
2016 - China booms; 86% of telecoms say OpenStack is important to their business
2016 (April) - Half the Fortune 100 run OpenStack; Certified OpenStack Administrator program launched
2017 - OpenStack emerges as one platform for containers, VMs and bare metal
About the OpenStack Foundation
Maintain infrastructure for development & communication
Coordinate software releases
Trademark and legal management
Host summits & development meetings
Promote the use of open source infrastructure projects
openstack.org/foundation
OpenStack Foundation Sponsors
PLATINUM MEMBERS
GOLD MEMBERS
The OpenStack Community
81,000+ members
187 countries
670+ organizations
How does the community collaborate?
Hackathons
Regional OpenStack Days & local meetups
Contributing code, developer planning sessions
Topical mailing lists
Global OpenStack Summits
Voting on representatives
Cross-community collaboration
OpenStack integrates with a number of other technologies, including many popular open source projects, enabling users to combine them with OpenStack.
Containers PaaS NFV Provisioning
OpenStack's software releases
Queens
February 2018
Rocky
April 2018
Stein
April 2019
Train
February 2020
Releases happen every 6 months
In development
Most clouds run one of the two most recent releases
Learn more about the releases at openstack.org/software
The OpenStack Framework
What gets called OpenStack?
Using the sample configurations
Core services & optional services
It costs less and does more
Watch this session: "Elephant in the Room: What's the TCO for an OpenStack Cloud?"
"In all private cloud-based applications…we expect approximately 70% of cost savings as compared to classical IT solutions."
–Holger Urban, Volkswagen
"TD Bank...experienced a 25% to 40% costs savings on their platforms and virtual machines over their previous solution by deploying OpenStack."
–Forbes, "3 Reasons Why An OpenStack Private Cloud May Cost You Less Than Amazon Web Services"
OpenStack is recognized for its security
"The OpenStack community is taking security seriously…"
openstack.org/software/security
OpenStack services
Khomkrit Viangvises, Principal OpenStack Engineer
copyright© 2019, Nipa Technology Co., Ltd. | All Rights Reserved.
OpenStack services overview
OpenStack is made up of a variety of services that are all written in the Python programming language and each serve a specific function. OpenStack's modular nature facilitates the modern cloud application design philosophy and also allows easy expandability: any person, community, or company can develop an OpenStack service that integrates easily into its ecosystem.
The OpenStack Foundation has identified nine key services it considers part of the core of OpenStack, which we'll explore in detail.
CORE Services
Optional Services
Keystone - identity service
Keystone handles authentication. It acts as a common authentication system across all core services in an OpenStack environment. Both human users and services must authenticate to Keystone to retrieve a token before interacting with other services in the environment.
Visualize the process of logging on to a website with your username and password. When a user does this on the Horizon dashboard, they authenticate against Keystone to log in successfully and begin creating virtual resources. Keystone also stores the service catalog, users, domains, projects, groups, roles, and quotas—exam objective concepts you'll examine in Chapter 3, Keystone Identity Service.
Glance - image service
Glance provides discovery, registration, and delivery services for disk images.
When one boots a virtual machine (also known as an instance), it is typically required to provide a disk image. These typically contain an operating system (such as Ubuntu or Red Hat Enterprise Linux), and are best described as a snapshot of a disk's contents. Examples of disk image types include QCOW2, VMDK, VHDX, ISO, and RAW. The disk image has usually been previously created by a person or script who has gone through the initial installation procedure and has installed specific configuration files to ensure it is cloud-aware. Glance can store images in a variety of data stores, including the local filesystem or OpenStack Swift.
Nova - compute service
Inspired by Amazon EC2, Nova is the compute service and the core of the OpenStack cloud. It is designed to manage and automate pools of compute resources, and can work with widely available virtualization technologies as well as bare metal servers.
It's important to note that Nova is not a hypervisor. It's a system of services that sit above the hypervisor, orchestrating availability of compute resources. Some examples of hypervisors include Hyper-V, VMware ESXi, Xen, and the most popular, KVM (Kernel-based Virtual Machine). Nova also supports the ability to utilize Linux container technology such as LXC and Docker.
In OpenStack, the term booting is used to refer to the creation of a virtual machine. A virtual machine booted with Nova is often called an instance.
Neutron - networking service
Neutron is a service that allows users to manage virtual network resources and IP addresses.
If one wants to boot an instance, they typically need to provide a virtual network on which to boot that instance so that it has network connectivity. With Neutron, users can view their own networks, subnets, firewall rules, and routers—all through the Horizon dashboard, CLI, or API. One's ability to create and manage network resources depends on the specific role they have been assigned.
Neutron also contains a modular framework powered by a variety of plugins, agents, and drivers, including Linux bridge and Open vSwitch.
Cinder - block storage service
Inspired by Amazon's Elastic Block Storage (EBS) offering, Cinder allows users to create volumes that can be mounted as devices by Nova instances.
Cinder volumes behave as if they were raw unformatted hard drives. Once data is written to these volumes, the data persists even after terminating the instance or an instance failure. This is because the written data is stored on a dedicated Cinder storage server, not the compute nodes where the instances reside. Cinder also supports snapshots, which capture the current state of a volume. These are useful for providing backup protection, and they can also be used to instantiate new volumes that contain the exact data of the snapshot. You can also write images to a block storage device for compute to use as a bootable persistent instance.
Swift - object storage service
Inspired by Amazon S3, Swift is a redundant storage system that provides developers and IT teams with secure, durable, and highly scalable cloud storage. A user creates a container and stores static files, also known as objects, in the container. These objects can be anything from pictures or movies to spreadsheets and HTML files. From the end user's perspective, storage is limitless, inexpensive, and accessible via a REST API. Features can also be turned on via the Swift API. These include hosting a static website, versioning, setting specific objects to expire, and even setting Access Control Lists (ACLs) allowing public access to the objects inside the container.
On the backend of Swift, static files (also known as objects) are written to multiple disk drives spread throughout servers in a data center. The Swift software is responsible for ensuring data replication and integrity across the cluster. Should a server or hard drive fail, Swift replicates its contents from other active nodes to a new location in the cluster.
Heat - orchestration service
Inspired by Amazon's CloudFormation service, Heat helps operators model and set up OpenStack resources so that they can spend less time managing these resources and more time focusing on the applications that run on OpenStack.
You begin with a blueprint or Heat Orchestration Template (HOT) that describes all the OpenStack resources to be provisioned. Heat then takes care of provisioning and configuring, with no need to worry about dependencies or order of execution—a template describes all the resources and their parameters. After the stack has been created, your resources are up and running.
Templates are extremely convenient because they allow operators to check them into a version control system to easily track changes to the infrastructure. If problems occur after deploying a Heat template, you simply restore to a previous version of the template. If you want to make a change to the stack, you can easily update it by providing a modified template with new parameters.
Interacting with OpenStack
Horizon dashboard
If you are new to OpenStack, this is the best place to begin your journey. You simply navigate to the Horizon URL via the web browser, enter your username and password, verify you are scoped to the proper project, and then proceed to create instances, networks, and volumes with the click of a button.
OpenStack API communication
Security in the Resource-Sharing Era
Thotsaphon Tungjitviboonkun, Solutions Architect Manager
Agenda
● Why do we need to be concerned about security?
● Basic security we should know
● Resource-sharing trend
● Security in the resource-sharing era
● In Cloud We Trust
Why do we need to be concerned about security?
Scenario 1
● Someone checks the lock on my house
● He is able to crack the lock and get in
● He closes the door and locks it again
● He comes back the next day with his comrades

● A bot checks the remote connection
● The password is weak and the bot is able to get in
● It reports back to its control server
Scenario 2
● Someone walked into my house uninvited
● He painted on my wall and walked out

● A bot gets into your server/application
● The bot modifies your website/data and disconnects
Scenario 3
● Someone walked into my house uninvited
● He kicked me out and changed the lock
● I cannot get into my house
● He uses my house as a base and keeps checking on my neighbours' houses

● A bot gets into your server/application
● The bot changes your password and uses your server to spread its virus
Why do we need to be concerned about security?
● I don't want to lose my sensitive data
● I don't want others to steal my sensitive data
● I don't want to redo my work
● I don't want others to use my resources
● CIA (Confidentiality, Integrity, Availability)
Basic security we should know
● Nothing is unhackable
● Humans are the greatest security weakness
● Security vs. convenience
Nothing is unbreakable
● 100 to 1 A.D. - the Caesar cipher was used
● 9th century - the Caesar cipher was broken by frequency analysis
Plain text: THE QUICK BROWN FOX
Cipher text: QEB NRFZH YOLTK CLU
Nothing is unbreakable
● 1917 - Enigma machine was invented
● 1932 - Military Enigma machine was broken by the Bombe
Nothing is unbreakable
● 1976 - DES encryption is approved as a standard
● 1980 - Time-memory tradeoff was proposed
● 1995 - Triple DES (3DES; TDES; TDEA) is published (RFC 1851)
● 1997 - DES encryption was broken for the first time in public
● 2005 - DES was withdrawn by NIST
● 2016 - 3DES was broken
● 2017 - 3DES was withdrawn by NIST
Nothing is unbreakable
● 1997 - AES was developed to replace DES
● 2001 - AES was announced by NIST: AES-128, AES-192, AES-256
● 2016 - NIST predicts that AES-128 will be secure until 2030 (NIST SP 800-57, page 56, table 4)
Nothing is unbreakable
● 1987 - Rivest Cipher 4 (RC4) was designed
● 1997 - RC4 was used in encryption protocols such as WEP
● 2001 - WEP was cracked
● 2003 - WPA-PSK (TKIP) was published to replace WEP without requiring the replacement of hardware; it was just a quick fix until WPA2 became available
● 2008 - WPA-PSK (TKIP) was broken
● 2004 - WPA2 was available
● 2017 - WPA2 is reported as vulnerable and requires a patch from the vendor
● 2018 - WPA3 is announced
Nothing is unbreakable
● 1977 - RSA was first published
● 2012 - A research paper showed that RSA is vulnerable; it can be fixed by making sure no public keys share a prime factor
● 2012 - NIST predicts that 2048-bit RSA will be secure until 2030
● There are currently no published methods to defeat the system if a large enough key is used
Nothing is unbreakable
● 1992 - MD5 hash function was published (RFC 1321)
● 1993 - SHA-0 was published
● 1995 - SHA-1 was published
● 2001 - SHA-2 (256-bit and 512-bit) was published
● 2011 - SHA-1 is insecure
● 2015 - SHA-3 was published
Nothing is unbreakable
● 1995 - SSL 2.0 released
● 1996 - SSL 3.0 released
● 1999 - TLS 1.0 released to replace SSL 3.0
● 2001 - SSL 2.0 deprecated
● 2006 - TLS 1.1 released
● 2008 - TLS 1.2 released
● 2015 - SSL 3.0 deprecated
● 2018 - TLS 1.3 released
● 2020 - TLS 1.0 and TLS 1.1 are going to be deprecated
Nothing is unbreakable - Recommendations
● AES - for symmetric key encryption: AES-128 as a minimum, AES-256 is better
● RSA - for asymmetric key encryption: 2048-bit RSA as a minimum, 4096-bit RSA is better
● SHA - for hash functions: SHA-2 as a minimum, SHA-3 is better
● TLS - for HTTPS: TLS 1.2 as a minimum, TLS 1.3 is better
Humans are the greatest security weakness
● Top 10 most common passwords in 2019:
1. 12345
2. 123456
3. 123456789
4. test1
5. password
6. 12345678
7. zinch
8. g_czechout
9. asdf
10. qwerty
● https://haveibeenpwned.com/
Recommendations
● Do not use an insecure password
● Minimum password length should be greater than 8
● Passwords should contain capital letters, lower-case letters, numbers, and special characters
● Passwords should be changed every 3 months
● Do not use a password similar to your previous password (pattern)
● Separate your personal passwords from organization passwords
● Enable multi-factor authentication if it is supported
Recommendations
● Lock your screen when you are not using it
● Log out from everything when you are not using it
● Do not keep a note of your password on your desktop
● Do not share your password with anyone
● Do not panic
Recommendations
● Do not make your own security algorithm
● Encryption is preferred when transmitting data
● Do not store passwords as plaintext
● Do not use deprecated functions or programs
● Update your software frequently
● Do not expect the user to be a good user
● Validate every field, every input, and every passed value
● Beware of SQL injection attacks
Recommendations if you got hacked
● Stop using the compromised code/software/server
● Separate it from your production environment
● Find the root cause
● Re-install everything with the fix applied
● Do not repeat the mistake
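The password rules from the recommendation slides above (length greater than 8, all four character classes, the 2019 top-10 list, no similarity to the previous password, and never storing the password itself), as an added example that is not from the talk. The similarity threshold and the PBKDF2 parameters are my choices for this example, not the speaker's.

```python
# Added example (not from the slides): a checker for the password rules above and
# salted, deliberately slow hashing so the plaintext password is never stored.
# Thresholds and parameters below are choices made for this example.
import difflib
import hashlib
import hmac
import os
import re
import string
from typing import List, Optional, Tuple

# The 2019 top-10 list quoted on the slide. A real deployment would check against a
# much larger breached-password set (the haveibeenpwned.com data the slide points to).
COMMON_PASSWORDS = {
    "12345", "123456", "123456789", "test1", "password",
    "12345678", "zinch", "g_czechout", "asdf", "qwerty",
}
MIN_LENGTH = 9                 # "should be greater than 8"
SPECIAL = set(string.punctuation)
PBKDF2_ROUNDS = 600_000        # slow on purpose; raise as hardware gets faster


def _pattern(pw: str) -> str:
    """Strip digits and case so 'Summer2019!' and 'Summer2020!' look the same."""
    return re.sub(r"\d+", "", pw).lower()


def too_similar(new: str, previous: str, threshold: float = 0.8) -> bool:
    """True when `new` is the previous password with bumped digits or a small edit."""
    if _pattern(new) == _pattern(previous):
        return True
    ratio = difflib.SequenceMatcher(None, new.lower(), previous.lower()).ratio()
    return ratio >= threshold


def check_password(pw: str, previous: Optional[str] = None) -> List[str]:
    """Return the rules a candidate violates; an empty list means it is acceptable."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("in common-password list")
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in pw):
        problems.append("no capital letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no number")
    if not any(c in SPECIAL for c in pw):
        problems.append("no special character")
    if previous is not None and too_similar(pw, previous):
        problems.append("too similar to previous password")
    return problems


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store only (salt, digest); the plaintext is discarded after hashing."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)
```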
Security vs. Convenience
Resource-sharing trend
● Trends nowadays...
● Social networks and the Internet have become important things
● Data is valuable
● We are going to join the big-data, cloud, and IoT trends
Resource-sharing trend
● Cloud benefits
- Efficiency / cost reduction
- Data security
- Scalability
- Mobility (work from anywhere)
- Reliability (disaster recovery)
- Control
- Competitiveness
Resource-sharing trend
● Open source is growing rapidly
● Based on a Linux Foundation document (year 2018)
Resource-sharing trend
● Web-scale companies open up and share
- Google: Kubernetes, TensorFlow
- Facebook: Open Compute, HHVM, OpenCellular
- Twitter: Mesos, Aurora, Parquet, Heron
- LinkedIn: Kafka
- Netflix: NetflixOSS
Resource-sharing trend
● The open source trend is not slowing down
● Based on a SourceClear survey, almost 80% of all companies, from enterprises to hot Silicon Valley startups, say they now rely on open source.
Resource-sharing trend
● Open source that startup companies share
- Box
- Dropbox
- Uber
- GitHub
Resource-sharing trend
● Enterprise companies that use open source and are Linux Foundation members
Resource-sharing trend
● Open source belongs to everyone: everyone can use it
● Accelerates access to technology: everyone helps make it better
● Open source builds community: everyone helps each other
Security in the resource-sharing era
● There are at least seven types of open-source library vulnerabilities that we should all be extremely concerned about
● The Seven Deadly Sins of Open-Source Libraries
1. Disclosed vulnerability - a vulnerability where information is available in public databases such as the National Vulnerability Database in the form of CVEs. CVE is a claim-based system, and claims require secondary analysis, verification and data enrichment such as the vulnerable versions and the vulnerable methods.
2. Inherited vulnerability - a new vulnerability that is the result of a library inheriting a library with another vulnerability via its dependency and call graph (both conditions needed). The typical Java library inherits four other libraries and the typical NPM module inherits nine other libraries, making inherited vulnerabilities quite common.
3. Embedded - a new vulnerability that is the result of inheriting a library with another vulnerability by embedding its code (usually as a result of cut-and-paste or adding a JAR file or XML parser in a parent library). Sites like Conjars make this type of vulnerability a growing problem.
4. Similar - a new vulnerability that is the same as or similar to another known vulnerability but that is now found in a different library.
5. Reintroduced - the same vulnerability that has been fixed in a previous release of the library but that has been reintroduced in a later version of the same library. This is quite common when libraries maintain multiple versions.
6. Zero days - new issues that have not yet been the subject of disclosure but are known about by someone and are likely being used by the bad guys in the wild.
7. Half days - new issues that have not yet been the subject of disclosure but can be found in places like commit logs, change-logs and issue trackers if you know where to look. Half days are often obscured and sometimes hidden but more often than not are hiding in plain sight.
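The "both conditions needed" clause of sin 2 (inherited vulnerability), as an added example that is not from the talk or the SourceClear text it quotes: a vulnerable method in a transitive dependency only counts as inherited when the library is in the dependency closure AND the method is reachable from the application's entry points in the call graph. All library names, function names and advisory ids below are constructed placeholders.

```python
# Added example (not from the slides): checking the two conditions an "inherited
# vulnerability" needs, namely that the vulnerable library is in the dependency
# closure AND that its vulnerable method is reachable in the call graph.
# Every library, function and advisory id here is constructed, not real.
from collections import deque
from typing import Dict, Iterable, List, Set

Graph = Dict[str, List[str]]

# Dependency graph: library -> direct dependencies (constructed).
DEPENDENCIES: Graph = {
    "app": ["web-framework", "json-utils"],
    "web-framework": ["http-client", "logger"],
    "http-client": ["url-parser"],
    "json-utils": [],
    "logger": [],
    "url-parser": [],
    "xml-tools": [],  # published library, but not a dependency of app at all
}

# Call graph: "library.function" -> callees (constructed). Only the edges matter.
CALLS: Graph = {
    "app.main": ["web-framework.serve", "json-utils.dumps"],
    "web-framework.serve": ["http-client.get", "logger.info"],
    "web-framework.debug_page": ["logger.debug_format"],  # no path from app.main
    "http-client.get": ["url-parser.parse"],
    "url-parser.parse": [],
    "logger.info": [],
    "logger.debug_format": [],
    "json-utils.dumps": [],
    "xml-tools.parse_external": [],
}

# Known vulnerable methods -> advisory id (constructed placeholders, not real CVEs).
VULNERABLE_METHODS: Dict[str, str] = {
    "url-parser.parse": "ADVISORY-0001 (placeholder)",
    "logger.debug_format": "ADVISORY-0002 (placeholder)",
    "xml-tools.parse_external": "ADVISORY-0003 (placeholder)",
}


def reachable(graph: Graph, roots: Iterable[str]) -> Set[str]:
    """Breadth-first closure of `roots` over `graph`; used for both graphs."""
    seen: Set[str] = set(roots)
    queue = deque(seen)
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def classify(root: str, entry_points: List[str],
             deps: Graph = DEPENDENCIES, calls: Graph = CALLS,
             vulnerable: Dict[str, str] = VULNERABLE_METHODS) -> Dict[str, str]:
    """Label each known vulnerable method for the application `root`:
    'inherited'    - library in the closure and method reachable (both conditions)
    'present-only' - library in the closure but the method is never called
    'not-present'  - library is not a dependency at all
    """
    libraries = reachable(deps, [root]) - {root}
    functions = reachable(calls, entry_points)
    verdict: Dict[str, str] = {}
    for method in vulnerable:
        library = method.split(".", 1)[0]
        if library not in libraries:
            verdict[method] = "not-present"
        elif method in functions:
            verdict[method] = "inherited"
        else:
            verdict[method] = "present-only"
    return verdict
```

The "present-only" label is why the text insists on both conditions: a scanner that reads only the dependency manifest would report the logger advisory against this application even though its vulnerable method is on no path from the entry points.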
Security in the resource-sharing era
● What about cloud security?
● Security of the cloud or security in the cloud
● Let's take a look at AWS and GCP
Security in the resource-sharing era
● The US government is using GCP, AWS, and Azure cloud too
● GDCC Cloud is VMware-based and OpenStack-based
● Common security in GDCC Cloud
Security in the resource-sharing era
● Secure data center
- ISO/IEC 27001 certified
- Data center access logs
- Data center access monitoring
● Secure cloud software
- M/A without user notice
- Software will be up to date
Security in the resource-sharing era
● Secure network
- Users have their own network
- Other users are unable to capture your network data
● Secure data transmission between compute node and volume
- User data is encrypted
● Secure compute node
- No data is stored on the compute node
Security in the resource-sharing era
● Secure volume
- Volume disk is encrypted
- Volume disk is formatted when terminated
● Secure cloud image
- Cloud image is up to date
- Cloud image has passed a VA scan
Security in the resource-sharing era
● What you need to remember
- This is resource sharing
- GDCC is responsible for security "of" the cloud, not security "in" the cloud
In Cloud We Trust
Nipa Cloud Platform (NCP)
Pipitpon Noalngam, System Analyst
Managing OpenStack
Command Line
Horizon
Nipa Cloud Platform
Marketplace (One-Click App)
Billing System
● Prepaid / postpaid account
● Cost estimation
○ How much do you pay each month?
○ How long will your credit last?
● Cost comparison with previous months
● Track usage on a daily basis
● Cost calculated on a per-hour basis
Project Management and Software Implementation Processes
ISO/IEC 29110 : 2018
NCP Customer Portal
● Replaces OpenStack Horizon
● Registration
○ email verification
○ OTP verification
● New user journey
● Secured by design
● Controlled complexity
● More features to come..
NCP Admin Portal
● Brings more hidden features from the OpenStack API
● SLA & impact monitor
● Audit logs
● Makes daily operations more efficient
Customer Portal
Backend Portal
DEMO