
CCIE Evolving Technologies – Cloud Security and Privacy


Cloud Security and Privacy Overview

Here is another post to help you with the new Evolving Technologies section of the written exams for CCIE. This is from the Cloud section, and specifically addresses the Security and Privacy sub-bullet.

The Top Concerns

What should be your topmost concerns in this area? Here they are:

  • Secure data transfers – ensuring data travels over IPsec or similarly protected channels is critical as information moves from your users to private, public, or hybrid clouds; public and hybrid clouds obviously present more risk, as the Internet is often the medium of transfer.
  • Secure software interfaces – the APIs you and your provider use in your cloud services must also offer security and privacy mechanisms.
  • Secure stored data – for storage in the cloud ecosystem, is your data receiving the security and privacy it requires? What about proper disposal of data by cloud providers?
  • User access control – who has access to your data in the cloud? This is especially critical if your data is maintained by a public provider with users that fall outside of your corporate scope.
  • Data separation – if you are using cloud services in a multi-tenant environment, what techniques are in use to prevent a data breach in one organization from exposing the data of another?

Cloud Security Controls

These tend to fall into these categories:

  • Deterrent controls – intended to reduce attacks on a cloud system. Much like a warning sign on a fence or a property, deterrent controls typically reduce the threat level by informing potential attackers that there will be adverse consequences for them if they proceed.
  • Preventive controls – strengthen the system against incidents, generally by reducing if not actually eliminating vulnerabilities. Strong authentication of cloud users, for instance, makes it less likely that unauthorized users can access cloud systems, and more likely that cloud users are positively identified.
  • Detective controls – intended to detect and react appropriately to any incidents that occur. In the event of an attack, a detective control will signal the preventive or corrective controls to address the issue. System and network security monitoring, including intrusion detection and prevention arrangements, are typically employed to detect attacks on cloud systems and the supporting communications infrastructure.
  • Corrective controls – reduce the consequences of an incident, normally by limiting the damage. They come into effect during or after an incident. Restoring system backups in order to rebuild a compromised system is an example of a corrective control.

Source: Pearson Education (InformIT)

CCIE Emerging Technologies – SDN APIs


What is the glue that allows the Software Defined Networking (SDN) architecture to function so well, that is, the communication process between the Control and Data planes? It is the Application Programming Interface, or API.

What is a classic example of an API in the SDN world? The answer is OpenFlow. Recall from other discussions here at AJSNETWORKING that the OpenFlow specification defines both a protocol between the control and data planes and an API by which the control plane can invoke the OpenFlow protocol.

APIs are implemented by writing function calls in the program. This provides the linkage to the required subroutine for execution. An open or standardized API can ensure the portability of the application code and the vendor independence of the called service.

SDN controllers can be implemented directly on a server or on a virtual server. OpenFlow or some other open API is used to control the switches in the data plane. In addition, controllers use information about capacity and demand obtained from the networking equipment through which the traffic flows.

SDN controllers also expose northbound APIs. As we have discussed here at the blog, this allows developers and their network engineers to deploy a wide range of off-the-shelf and custom-built network applications. Obviously, many of these applications were not possible before SDN.

As yet there is no standardized northbound API nor a consensus on an open northbound API. A number of vendors offer a REpresentational State Transfer (REST)-based API to provide a programmable interface to their SDN controller.

Also envisioned but not yet defined are horizontal APIs (east/westbound), which would enable communication and cooperation among groups or federations of controllers to synchronize state for high availability.

At the application plane are a variety of applications that interact with SDN controllers. SDN applications are programs that may use an abstract view of the network for their decision-making goals. These applications convey their network requirements and desired network behavior to the SDN controller via a northbound API. Examples of applications are energy-efficient networking, security monitoring, access control, and network management.
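To make the control-to-data-plane protocol concrete, here is an added example (not code from this blog or from the book referenced below) that builds and parses the fixed 8-byte OpenFlow header and walks through the HELLO version negotiation a controller performs with a switch, including the OFPT_ERROR / OFPET_HELLO_FAILED reply when no common version exists. The controller's supported-version set and the error's reason text are assumptions chosen for the example; the header layout and message type codes follow the published OpenFlow specification.

```python
import struct

# OpenFlow header: version(1) type(1) length(2) xid(4), network byte order.
OFP_HEADER = struct.Struct("!BBHI")
OFPT_HELLO, OFPT_ERROR = 0, 1
OFPET_HELLO_FAILED, OFPHFC_INCOMPATIBLE = 0, 0   # error type / code for a failed HELLO
OF_VERSIONS = {0x01: "1.0", 0x04: "1.3", 0x05: "1.4", 0x06: "1.5"}


def build_hello(version, xid):
    """HELLO is just a header; its version field advertises the sender's highest version."""
    return OFP_HEADER.pack(version, OFPT_HELLO, OFP_HEADER.size, xid)


def build_hello_failed(version, xid, reason):
    """OFPT_ERROR body: type(2) code(2) followed by free-form ASCII explanation."""
    body = struct.pack("!HH", OFPET_HELLO_FAILED, OFPHFC_INCOMPATIBLE) + reason.encode("ascii")
    return OFP_HEADER.pack(version, OFPT_ERROR, OFP_HEADER.size + len(body), xid) + body


def parse_header(msg):
    """Decode the header and reject truncated or inconsistent length fields before any body is read."""
    if len(msg) < OFP_HEADER.size:
        raise ValueError("truncated OpenFlow header")
    version, mtype, length, xid = OFP_HEADER.unpack_from(msg)
    if length < OFP_HEADER.size or length > len(msg):
        raise ValueError("length field does not match message size")
    return {"version": version, "type": mtype, "length": length, "xid": xid}


def negotiate(controller_versions, switch_hello):
    """Controller side of the handshake (assumed controller_versions set; no version bitmap).

    Without the optional version bitmap, the negotiated version is the lower of the two
    advertised maxima. If the controller cannot speak it, it answers with HELLO_FAILED
    and the connection should be closed. Returns (agreed_version, None) or (None, error_msg).
    """
    hdr = parse_header(switch_hello)
    if hdr["type"] != OFPT_HELLO:
        raise ValueError("expected OFPT_HELLO, got type %d" % hdr["type"])
    agreed = min(max(controller_versions), hdr["version"])
    if agreed in controller_versions:
        return agreed, None
    # Error is sent with the controller's own highest version (assumption for this example).
    err = build_hello_failed(max(controller_versions), hdr["xid"], "no common OpenFlow version")
    return None, err


if __name__ == "__main__":
    agreed, _ = negotiate({0x01, 0x04}, build_hello(0x05, xid=7))
    print("negotiated OpenFlow", OF_VERSIONS[agreed])          # prints: negotiated OpenFlow 1.3
```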

Want more information? Check out the excellent Foundations of Modern Networking: SDN, NFV, QoE, IoT, and Cloud.