Improving Security of Ericsson Cloud System
Tarrasó Hueso, Borja (2016)
Metropolia Ammattikorkeakoulu
Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-2016110715836
Abstract
Ericsson Cloud System (ECS) is an effort by Ericsson to provide a cloud solution product.
The solution provides distributed cloud capabilities, such as computing and storage in the network and more efficient utilization of network resources. In addition, it includes capabilities to control performance and decoupling of software from hardware. This enables automatic orchestration of predefined services. The Ericsson Cloud Execution Environment (CEE) is basically a Data Center (DC) within the ECS. The ECS allows hardware virtualization for efficient deployment of multiple applications sharing the same infrastructure.
Of the services ECS provides, the most relevant are Open Platform Network Function Virtualization (OPNFV), cloud storage as Platform as a Service (PaaS) and new-generation hyperscale data centre hardware, using optical interconnect and a new equipment manager for multi-vendor environments.
To provide this service effectively, the solution has to be trustworthy, and that goal is achieved by a secure, deployable solution. New challenges from the security point of view are covered, such as attack vectors specific to a cloud as well as conventional attacks.
Based on a general architectural solution and implementation, a set of security requirements is essential. To cover those requirements, a set of tests was needed, which required several different specialized testing tools and different libraries to support them, as well as choosing a correct testing framework.
This document focuses on the two main and fundamental problems that ECS will face once the cloud is deployed: hardening by removing the hardcoded credentials, and a scalable and highly available method to authenticate users in the cloud. Ericsson provided an elegant solution that avoids security threats by using a secure and optimal method for authenticating and authorizing users in a distributed and virtual environment.
The final goal of this thesis was to improve the security of the ECS by hardening it and enabling Authentication, Authorization, and Accounting (AAA). The solution has been verified by a full set of tests, which were automated in a Continuous Integration (CI) entity. Functional and non-functional tests for security features were implemented within the project.