Security Services Lifecycle Management and GEYSERS Service Delivery Framework Yuri Demchenko, UvA Cloud Security BOF 26 October 2010 OGF30 25-28 October.


Security Services Lifecycle Management and GEYSERS Service Delivery Framework Yuri Demchenko, UvA Cloud Security BOF 26 October 2010 OGF October 2010, Brussels

Slide 2: Outline
- Cloud Security – New challenges
- On-Demand Infrastructure Services Provisioning
- Background – TMF Service Delivery Framework (SDF)
- GEYSERS SDF
- Security Services Lifecycle Management
ISoD BoF, OGF30, October 2010, Brussels. Security Services Lifecycle Management.

Slide 3: Cloud Security – New challenges
- Clouds as infrastructure services provisioning model/environment
  - Security along the whole provisioning process and service/infrastructure lifecycle
  - Manageable/user controlled security
  - Securing remote executing environment
  - Security context/session management

Slide 4: Security Service Lifecycle Management in On-Demand Resources/Services Provisioning
- On-Demand Infrastructure Services Provisioning requires definition of Services Lifecycle Management
  - Multi-domain, multi-provider environment
  - Includes standard virtualisation procedures and mechanisms
- Requires dynamic creation of Security/Trust Federations in a multi-domain environment
- Access control infrastructure dynamically created and policy/attributes dynamically configured
  - Access/authorisation session/context management

Slide 5: GEYSERS Service Delivery Framework (SDF)
- Service provisioning workflow by VIP:
  - Creation of the Virtual Infrastructure (VI)
  - May require additional support from engineers
- Service provisioning workflow by VIO:
  - Creation and operation of the Virtual Infrastructure on-demand for a specific project, tasks or user groups
  - Should be completely automatic
- Should also include activities/stages for infrastructure re-planning, restoration and migration
- Adopted TeleManagement Forum Service Delivery Framework (TMF SDF)
- GEYSERS Project -

Slide 6: GEYSERS Reference Model (figure). Roles shown: VIO, VIP, PIP.

Slide 7: Role of GEYSERS actors with respect to its architectural layers (figure).

Slide 8: TMF Service Delivery Framework (SDF)
Goal: Automation of the whole service delivery and operation process (TMF SDF):
- End-to-end service management in a multi-service-provider environment
- End-to-end service management in a composite, hosted and/or syndicated service environment
- Management functions to support a highly distributed service environment, for example unified or federated security, user profile management, charging etc.
- Any other scenario that pertains to a given phase of the service lifecycle challenges, such as on-boarding, provisioning, or service creation

Slide 9: SDF Reference Architecture (refactored from SDF) (figure)
Composite Services provisioned on-demand. Legend (ISS = Infrastructure Support Service, MSS = Management Support Service):
- 1 - Service Instance
- 2 - Service Management Interface
- 3 - Service Functional Interface
- 4 - Management Support Service (SDF MSS)
- 8 - Infrastructure Support Service (SDF ISS)
DESIGN stage:
- 9 - Service Repository (ISS)
- 10 - Service Lifecycle Metadata Repository (ISS)
- 16 - Service Design Management (ISS)
DEPLOYMENT stage:
- 10 - Service Lifecycle Metadata Repository (ISS)
- 11 - Service Lifecycle Metadata Coordinator (ISS)
- 17 - Service Deployment Management (ISS)
OPERATION stage:
- 5 - Service Provisioning Management (MSS)
- 6 - Service Quality/Problem Management (MSS)
- 7 - Service Usage Monitor (MSS)
- 12 - Service State Monitor (ISS)
- 13 - Service Resource Fulfillment (ISS)
- 14 - Service Resource Monitor (ISS)
- 15 - Resource Usage Monitor (ISS)

Slide 10: GEYSERS Service Delivery Workflow
GEYSERS SDF supports both GEYSERS infrastructure development and deployment and its operation for on-demand infrastructure services provisioning by the VIO.
(Figure: two workflow lanes, "Network+IT Services Provisioning Workflow by VIO" and "Services Provisioning Workflow by VIP", each with Recovery/Migration and Re-planning loops. Stage sequences shown:)
- Service Request/SLA Negotiation -> Planning (Design) -> Deployment (Instantiation & Configuration & Synchronisation) -> Operation & Monitoring (by VIO) -> Decommissioning
- Service Request/SLA Negotiation -> Planning (Composition/Reservation) -> Deployment -> Registration & Synchronisation -> Operation (Monitoring) -> Decommissioning

Slide 11: SDF main stages and phases
Main stages/phases:
- Service Request (including SLA negotiation)
- Planning (including Composition, Reservation and Design)
- Deployment (including Registration/Synchronisation)
- Operation (including Monitoring)
- Decommissioning
Additional stages:
- Re-Composition should address incremental infrastructure changes
- Recovery/Migration can use the SL-MD to initiate resource re-synchronisation but may require re-composition
The whole workflow should be supported by the Service Lifecycle Metadata Service (SL-MD).

Slide 12: SDF use for defining the Security Services Lifecycle Management Model
- Security Service request and generation of the GRI, which serves as a provisioning session identifier and binds all other stages and the related security context.
- Reservation session binding, which supports a complex reservation process including required access control and policy enforcement.
- Deployment stage begins after all component resources have been reserved and includes distribution of the security context and binding the reserved resources or services to the GRI as a common provisioning session ID.
- Registration & Synchronisation stage (optional) specifically targets possible scenarios with provisioned services migration or failover/interruption. In a simple case, the Registration stage binds the local resource or hosting platform run-time process ID to the GRI as a provisioning session ID.
- Operation stage: security services provide access control to the provisioned services and maintain the service access or usage session.
- Decommissioning stage ensures that all sessions are terminated, data are cleaned up and the session security context is recycled.
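As an added illustration (not code from the slides or the GEYSERS project), a small Python model of the SSLM stages above: the GRI generated at request time binds reservation, deployment, the optional registration binding and the operation-stage access tokens, and decommissioning recycles the security context so that previously issued tokens stop validating. The stage names, the transition table, the token format and the HMAC-based binding of tokens to the GRI are assumptions of this model, not the GAAA Toolkit's mechanisms.

```python
import hmac
import secrets

# Allowed stage transitions; Registration/Synchronisation is optional (deployment -> operation directly)
NEXT = {"request": {"reservation"}, "reservation": {"reservation", "deployment"},
        "deployment": {"registration", "operation"}, "registration": {"registration", "operation"},
        "operation": {"decommissioned"}, "decommissioned": set()}

class ProvisioningSession:
    def __init__(self, requester):
        self.gri = secrets.token_hex(16)  # Request stage: GRI = provisioning session ID for all later stages
        self.stage = "request"
        self.ctx = {"requester": requester, "key": secrets.token_bytes(32)}  # security context bound to GRI
        self.reserved, self.bound = [], {}
    def _advance(self, stage):
        if stage not in NEXT[self.stage]:
            raise RuntimeError(f"illegal transition {self.stage} -> {stage}")
        self.stage = stage
    def reserve(self, resource, policy):
        # Reservation: policy enforcement per component resource, all under the same GRI
        if self.ctx["requester"] not in policy.get(resource, set()):
            raise PermissionError(f"{self.ctx['requester']} may not reserve {resource}")
        self._advance("reservation")
        self.reserved.append(resource)
    def deploy(self):
        # Deployment: allowed only after reservation; binds every reserved resource to the GRI
        self._advance("deployment")
        return {r: self.gri for r in self.reserved}
    def register(self, resource, runtime_id):
        # Registration: bind the hosting platform's run-time process ID to the GRI (migration/failover)
        self._advance("registration")
        self.bound[resource] = runtime_id
    def _tag(self, user):
        return hmac.new(self.ctx["key"], f"{self.gri}:{user}".encode(), "sha256").hexdigest()
    def issue_token(self, user):
        # Operation: access token derived from the session key, bound to this GRI and user
        if self.stage != "operation":
            self._advance("operation")
        return f"{self.gri}:{user}:{self._tag(user)}"
    def access(self, token):
        # Access control for the provisioned service: token must match this GRI and a live context
        if self.stage != "operation":
            return False
        gri, user, tag = token.split(":")
        return gri == self.gri and hmac.compare_digest(tag, self._tag(user))
    def decommission(self):
        # Decommissioning: sessions terminated, bindings cleaned up, security context recycled
        self._advance("decommissioned")
        self.bound.clear()
        self.ctx["key"] = None
```

A token issued under one GRI is rejected by every other session because each session's tag is computed with its own context key, and once the session is decommissioned even its own tokens no longer pass access().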

Slide 13: Relation between SSLM and general SLM
- Service Request stage may include SLA negotiation
  - Security service instantiation may use the SLA security context

Slide 14: Relation between SSLM/SLM stages and supporting general and security mechanisms (table)
SLM stages: Request | Design/Reservation | Development | Deployment | Operation | Decommissioning
Process/Activity: SLA Negotiation; Service/Resource Composition; Reservation; Composition; Configuration; Orchestration/Session Management; Logoff; Accounting
Mechanisms/Methods (marks per stage as on the slide):
- SLA: V V
- Workflow: (V) V
- Metadata: V V V V
- Dynamic Security Association: (V) V V
- AuthZ Session Context: V (V) V
- Logging: (V) V V

Slide 15: SSLM – Existing developments
- GAAA Toolkit Library with tickets/tokens handling functionality for security session context management
- GAAA-NRP (GAAA profile for Network Resource Provisioning)
- On-going work in the GEYSERS project to develop a Security Architecture for On-Demand Infrastructure Services provisioning
- Possible contribution to the planned ISOD RG
  - Visit ISOD BOF today 15:00-18:30 (no security discussions planned but …)

Slide 16: Additional Information
- TMF SDF Lifecycle Management model (figure)

Slide 17: Discussion
- CSA is proposed as a possible deliverable for the ISOD RG
- Who is interested in contributing?
- Anyone interested in reviewing and verifying it against other use cases?