Extended specification of Oktawave cloud platform security aspects
Posted by on 26.02.2014 19:41
This document is devoted to the security aspects of data entrusted to the Oktawave cloud platform. Its purpose is to clarify the safeguards applied, as well as to describe the mechanisms, procedures and algorithms of data security.
The document is divided into two parts. The first concerns data security at the physical layer, and the second is devoted to the logical layer (with the exception of data security management performed by the application used to process the data, which is supplied by the customer and installed in the Oktawave infrastructure).
By definition, Oktawave provides IaaS (Infrastructure as a Service) cloud computing services. The essence of this type of service is to provide resources in a virtualized environment, allowing specific computing resources to be allocated to a customer dynamically and in a "ready on demand" model. In an IaaS cloud, the individual services are counterparts of the components of a dedicated server infrastructure, while removing all of its limitations:
We distinguish three main services that form the core of an IaaS cloud (they are provided to users in the same way as with dedicated servers). In Oktawave these are:
This division of resources means that in order to run a server in the Oktawave cloud, which from the perspective of devices and operating system corresponds to a dedicated server, at least two of these three components must be used: OCI (the computing component) and OVS (the disk space resource assigned to it).
A service prepared in this way is fully compatible with almost any currently existing operating system and, just like a dedicated server, inherits the same set of security rules. You can therefore use and implement almost the same architectural, procedural and security rules as in a classical hosting solution.
This means that when migrating services to the IaaS cloud (or when starting a new environment), the design patterns for data security are analogous to those of a classical (traditional, on-premise) solution.
Because of this similarity between an IaaS cloud and a dedicated environment, in IaaS clouds too the customer should consider the essential security division of data into two main areas, namely:
In this document both areas will be addressed alternately, without keeping to a uniform division. This is due to the need to assess the risks arising from both areas in the context of the different types of security issues described in the next section.
Oktawave is a company registered in the District Court for the Capital City of Warsaw, XIII Commercial Division of the National Court Register under KRS number 0000426334, at the address: Domaniewska 44a Street (Platinum 5), 02-672 Warsaw, Poland.
All shares of Oktawave belong to K2 Internet S.A., which is listed on the GPW and registered in the District Court for the Capital City of Warsaw, XII Commercial Division of the National Court Register, under number 0000059690, with a registered capital of 2 485 032 PLN (paid in full).
The owner of the entire infrastructure used by the cloud platform is Oktawave. It includes all the necessary infrastructure components, including:
No element of this infrastructure is leased from another entity. Full control over all components rests directly and exclusively with Oktawave.
The physical aspect of data protection and security should be clearly divided into four areas.
All devices of the Oktawave cloud currently operate in the Thinx data center, located at Konstruktorska 5 Street, Warsaw, Poland. The owner of the data center is ATM S.A. (Grochowska 21a Street, 04-186 Warsaw, Poland). Oktawave rents technical floor space from ATM S.A., on which Oktawave's own devices are installed in standard 19-inch racks. ATM S.A. supplies the following services:
Full specification of Thinx data center is available at: http://en.thinx.pl/data_center/technical_specifications.
The data center is certified based on the following standards:
Security systems used:
All block data stored in the Oktawave infrastructure (the OVS service, analogous to a hard disk drive) is written using a fully proprietary technology, forming a so-called data network based on data nodes. The architecture introduces the concept of physical multi-level placement of data:
No classical disk array is used in Oktawave, which means that there is no single point of storage, just as there is no single point of backup storage. The network that stores data is characterized by independent analysis of its state, verification of data integrity and the ability to replace any node showing a fault. In fact, the Oktawave data network can be viewed in the same way as a disk array, but with extremely high capacity and scalability (to eliminate the risk of data loss).
In terms of access to the data it is necessary to distinguish between two ways of access:
In the case of the first method, direct access to the data is not possible; only access to the infrastructure is possible. Being present in the data center is not the same as knowing the physical location of data on a specific part of the infrastructure (eliminating the risk of losing control over data). Information about the location of stored data is held only at the level of the Oktawave management platform. Although the customer may consider the risk of part of the infrastructure being stolen from the data center, one of the essential characteristics of the Oktawave data network described above makes data loss very unlikely, because the thief would first have to know exactly which parts of the infrastructure to take.
As a result, even if part of the infrastructure were removed from the data center, the information contained on it would be useless without access to the rest of the infrastructure and knowledge of the method by which the data stored on it is written. This reveals a clear advantage of cloud computing over a classical hosting solution based on dedicated servers: in such traditional solutions, simply taking a specific server or disk out of the data center is enough to access the data.
Naturally, you should also take into account the very high level of data center protection against unauthorized access and the extremely marginal risk of unauthorized removal of any part of the infrastructure. At the same time, all requirements set by the law on the protection of personal data are met: Oktawave is able at any time to pinpoint the exact location of data within a single data center.
In the case of the second method, a customer using OVS disk resources is physically assigned a specific area of space in the data network, which is the equivalent of hard drive addressing in classic dedicated servers (eliminating the risk of losing control over data). There is virtually no risk of one user being allowed to access OVS drives assigned to another user.
The process responsible for mapping areas of disk space uses a mechanism built into VMware ESX/vSphere Server, which is discussed in the section on logical security.
In this case, we should distinguish two areas of the network:
In the Oktawave cloud environment, for public interfaces we use a solution based on PVLAN (Private VLAN) technology. This technology enables automatic creation (segmentation) of the network in a manner that guarantees no direct communication between OCI instances belonging to one client, and separation between OCI instances belonging to different customers.
Each public interface of a cloud server (OCI) operates in so-called isolated mode. At Ethernet layer 2, this mode allows transmission only between the server (OCI) and the network access gateway. Data exchange between different servers (OCI) within one network is also carried out through the access gateway (Proxy ARP). The gateway is equipped with a number of filters that prevent a wide range of attacks, including DHCP snooping, sniffing and ARP spoofing (eliminating the risk of losing control over data).
For the OPN private networks used in the Oktawave infrastructure, we create a fully functional VLAN covering all elements of the infrastructure used by the client. To give a specific server instance (OCI) access to an OPN, an interface must be created on it, mapped to the selected OPN and assigned the appropriate IP addresses. Each client can have multiple OPN networks. Access to a created OPN is limited at the physical level, on the network switches, to the specific client only.
Owing to their complete separation, OPN networks are also completely cut off from public networks and are mainly used for network segmentation within the architecture of the client application, allowing individual network segments to be separated from each other (e.g., separating the application network segment from the database or web server segments).
Communication between different OPN networks of a client (or with the public network) is only possible through a server (OCI) equipped with traffic-filtering software, i.e. a firewall. It is the client's role to run and configure the appropriate firewall rules (eliminating the risk of losing control over the data).
This is familiar from classical dedicated architectures, where selected servers act as firewalls controlling traffic between the created VLANs.
From the perspective of data security, protecting the public network with PVLAN effectively protects data against attempts to intercept data packets during transmission (loss of control, swapping). The OPN service is used to protect internal data (not transmitted over a public channel) against attempts at unauthorized eavesdropping on the transmission, and enables filtering and assignment of access rights to individual segments.
As in the case of physical security, the scope of logical protections should be divided into four areas.
Oktawave uses only VMware ESX solutions (VMware vSphere 5.0), which are widely known on the market, as the manager of the processes serving each OCI run by customers. VMware vSphere is software with EAL4+ certification, considered the leading security standard, which is especially important for institutional and government clients. More information about the certificate: http://en.wikipedia.org/wiki/EAL4. More information about VMware certification can be found here:
In addition, Oktawave uses many protective mechanisms of its own, including solutions ensuring isolation of customers' block data. One of them is the use of the Kerberos protocol in the authorization mechanism of the management platform (http://admin.oktawave.com). This ensures that all operations carried out by the platform, at every stage, are performed in the context of the logged-in user (leasing rights).
Another protective mechanism is the logical separation of data at the level of OVS drives, using the SCSI protocol in the layer that provides data to the hypervisor. Each OVS disk volume is also connected to the specific OCI chosen by the customer using a dedicated LUN (a unique identifier for the disk).
The method of managing access to data is determined by the mechanisms for allocating OVS disk space. Oktawave allows the client to assign the necessary number of OVS volumes to an OCI server; however, the application installed on the OCI server by the client must have functions regulating access to the data. This is the same scenario as with physical servers, where the application determines who has the right to access data stored on the server's local hard disk. In the OCI case, the application manages access rights to data stored on OVS disks in the same way.
In this context, Oktawave's responsibility for granting and revoking access to the data is reduced to allowing the corresponding OVS disk to be allocated to a specific OCI server, with a guarantee that the data stored on the disk can be accessed exclusively by the OCI to which the drive is connected.
For sensitive data, OVS disk encryption may be used, performed by encryption software installed on the OCI. Data encryption is then done in the context of the OCI operating system, and Oktawave (the supplier) has no real way of acquiring and decrypting the data (it does not hold the encryption keys).
The following properties are noteworthy:
In the Oktawave infrastructure, data removal is as simple as removing an OVS disk volume. The following cases should be distinguished:
When data is deleted by the application supplied/operated on the OCI, the application should have mechanisms to remove the data safely (multiple passes of overwriting the data with random sequences of bytes). Oktawave does not intervene at any point in the process of writing or erasing data on OVS drives.
When an OVS disk is removed from the Oktawave infrastructure, the map indicating the addressing of the data blocks belonging to the removed OVS disk is deleted. No overwriting takes place at this point. However, whenever a new OVS disk is created, the data area assigned to it is pre-set to zero (overwritten with 0 bytes). Consequently, any newly created OVS disk (even if it contains data blocks previously used by a deleted OVS) is devoid of any data.
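As an added example (not Oktawave's code), the two guest-side procedures described above, assuming the OVS volume is reachable as a file or device path inside the OCI (the demo uses a constructed temporary file in place of a real volume): overwriting data with several passes of random bytes before releasing it, and checking that a freshly attached volume reads as zeros.

```python
import os
import tempfile

CHUNK = 1 << 20  # read/write granularity: 1 MiB

def _volume_size(f) -> int:
    # Seeking to the end works for regular files and for block devices alike.
    f.seek(0, os.SEEK_END)
    return f.tell()

def secure_wipe(path: str, passes: int = 3) -> int:
    """Overwrite the whole file or volume at `path` in place: `passes` passes of
    random bytes, then one pass of zeros, with fsync after each pass so the
    writes actually reach storage. Returns the number of bytes overwritten per pass."""
    with open(path, "r+b") as f:
        size = _volume_size(f)
        for p in range(passes + 1):
            f.seek(0)
            left = size
            while left:
                n = min(CHUNK, left)
                f.write(os.urandom(n) if p < passes else b"\x00" * n)
                left -= n
            f.flush()
            os.fsync(f.fileno())
    return size

def first_nonzero_offset(path: str) -> int:
    """Offset of the first non-zero byte, or -1 if the whole volume reads as zeros
    (the state a freshly created OVS disk is expected to be in)."""
    with open(path, "rb") as f:
        pos = 0
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return -1
            if chunk.count(0) != len(chunk):
                return pos + next(i for i, b in enumerate(chunk) if b)
            pos += len(chunk)

def demo() -> tuple:
    """Constructed sample volume: a record at offset 1000, then 3 MiB of random payload."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(b"\x00" * 1000 + b"customer record: constructed sample" + os.urandom(3 * CHUNK))
    try:
        return first_nonzero_offset(path), secure_wipe(path, passes=2), first_nonzero_offset(path)
    finally:
        os.unlink(path)
```

Against a real volume the wipe needs write access to the device path from inside the guest; the zero check is the counterpart of the zero-fill applied to a newly created OVS disk described above.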
To provide the opportunity to build HA (High Availability) environments in the Oktawave infrastructure, the concept of subregions was introduced. Subregions are physically independent Oktawave network segments (clusters) that do not share any physical devices with each other. The individual subregions are located in a single data center.
As a result, OCI instances and OVS drives running in different subregions are able to keep working even if one of the subregions fails. This design allows the customer to place the system/application in one subregion with a redundant copy in a second subregion. Then, using the load balancing functionality (another Oktawave service), the user can distribute the application load between two (or more) subregions.
This function does not directly affect the risk of data loss or loss of control over the data, but it can significantly increase the level of data availability.
Independently of the concept of subregions, Oktawave also provides the HA mechanisms included in the VMware hypervisor software.
Because various types of data entrusted to the Oktawave infrastructure are processed, including transactional data, the Oktawave platform is regularly (quarterly) subjected to the security scan required by the PCI DSS certificate. The current result of the latest infrastructure scan is available at this link: https://pci.usd.de/compliance/3514-FCBB-F7A9-8321-8A8D-CAB9/details_en.html.
In addition to the data security mechanisms above, Oktawave can, under contract, define appropriate (non-primary) rules relating to: