What is the reliability of the IaaS provider?
In our blog on Habré, we often talk about new technologies and trends in the IaaS world. In today's post, we would like to touch on the topic of reliability and availability of clouds and talk about measures designed to meet the requirements specified in the agreement on the level of provision of service providers.
/ photo by Robert Scoble CC
First of all, you should pay attention to methods aimed at monitoring, analyzing suspicious activity and protecting against malicious programs. Various tools or configuration options help with this.
')
Using virtual IP addresses makes it possible to separate networks into internal and external, and firewalls and load balancers define the boundaries of security zones and control traffic. It should be noted that in parallel with this monitored network activity. This is necessary in order to timely detect the intrusion.
In such cases, the providers use the DPI Deep Packet Inspection technology. This method has simple logic, which is based on the analysis of protocols, ports and signatures. Based on the analysis, the package is determined to belong to one of the types of traffic, and appropriate measures are taken.
As for the transfer of legitimate traffic, encryption will be applied here. According to ZDnet, encryption is one of the most reliable ways to protect data. In this regard, IT-GRAD offers Trend Micro's SecureCloud product for encryption in the cloud.
The model of this particular solution assumes that the virtual machine disks are encrypted using keys stored in the SecureCloud system, through which all processes are initiated.
Cloud service providers can specify a variety of accessibility values in their agreements, for example, “five nines”, but modern realities are such that any unforeseen situations can disable equipment and “cut off” access to information. According to foreign statistics, the most frequent causes of accidents are equipment failures (24%), power supply system failures (16%), hurricanes (16%) and floods (15%). To avoid unwanted failures, providers are implementing disaster recovery services (DRS).
DRS systems can recover from a major failure of several data centers. This is achieved through a group of technical and infrastructure solutions. In the event of a catastrophe, a data center building may suffer, therefore, a geographically distant site is created first. There are three types of backup data centers: cold reserve, warm reserve and hot reserve.
Cold reserve is low-end servers that are ordered and set up after the occurrence of an accident. A warm standby is a weaker server (compared to the main farm) to run critical systems that are always ready to accept the load. Hot spares are servers whose performance corresponds to the servers of the main site, moreover, they always contain the most up-to-date information.
A key element of a disaster-proof solution is a geographically distributed data storage system. For example, storage systems at specified sites can completely duplicate each other, while the sites themselves are connected by redundant high-speed communication channels in order to meet the requirements for reliable data transfer and availability, including synchronous data replication. Different software solutions are involved in replication, such as vSphere Replication, or the storage-based replication systems themselves.
The vSphere Replica native mechanism is a replication at the ESXi hypervisor level, which does not depend on the type of storage. Storage-level replication is a more efficient mechanism by which the entire synchronization process is transferred to storage devices. SnapMirror, which implements a synchronous and asynchronous replication mechanism at the level of disk arrays, performed using an IP network, is an example of technology.
If a little bit away from the worst scenario - the failure of the entire data center, then we can note several other solutions to improve reliability. High requirements for fault tolerance of data centers of Tier III and Tier IV levels lead to the fact that the repair or maintenance option during a power outage is unacceptable for data centers of these classes. However, no equipment is insured against damage, and any engineering system periodically requires maintenance.
In data centers of high reliability, systems are used that allow operating with individual elements without disconnecting from the mains. In many data centers (including the SDN data center, where IT-GRAD equipment is located), the reliability of power supply systems is ensured by redundancy according to the N + 1 scheme, when each computer room receives energy from two power distribution devices.
Critical mechanical systems are connected via switchboards with dual independent power supply, and each of the power supplies is connected to separate UPS systems and diesel generators, ensuring uninterrupted operation for 84 hours.
Such an approach makes it possible to avoid trouble in the event of voltage drops — if one branch of power supply fails or is disconnected, the second takes all responsibility for itself, while maintaining operability and maintaining the level of availability prescribed in the SLA.
In addition to a variety of data recovery systems, systems for the protection of information transfer channels and replication, protection against external influences and penetration is also used to improve reliability.
This category includes the systems necessary to control access to buildings and premises and to monitor the current situation. It uses modern technology, such as face recognition or fingerprint technology in the access system. For large objects, several lines of video surveillance and security alarm systems are being formed - the use of modern equipment allows you to monitor the entire territory of the data center online.
Of course, some objects are much better protected than others. There is a data center in which an ordinary employee card scanner stands between the attacker and servers, but there are places with thick walls, bullet-proof doors and barbed wire, where biometric scanners are installed, and armed guards are on duty at the entrance.
As an example, you can look again at the SDN data center. The perimeter of the building and all interior spaces are equipped with an eight - level security system, the facility is subject to strict throughput control, and video cameras and motion sensors provide full coverage of the entire data center.
To get to the reception area, you need to go through armored sluice cabins, each of which is equipped with access card readers and biometric data and works on the principle of scanning a palm print (for more information about the SDN data center that hosts our equipment, we wrote in this post).
IaaS-provider is obliged to pay serious attention to the choice of site for placement of its own equipment in order to increase the reliability of the services provided. The data center should not only meet the requirements in different areas from power supply to security, but also have a "margin of safety" for a long time to come.
Clouds are gradually becoming a major part of IT, so cloud solutions vendors have to take action to protect customers' data and sleep at the same time, while meeting increasing demands for performance and scalability.
PS Several other interesting topics from our corporate IaaS blog:
/ photo by Robert Scoble CC
Software solutions
First of all, you should pay attention to methods aimed at monitoring, analyzing suspicious activity and protecting against malicious programs. Various tools or configuration options help with this.
')
Using virtual IP addresses makes it possible to separate networks into internal and external, and firewalls and load balancers define the boundaries of security zones and control traffic. It should be noted that in parallel with this monitored network activity. This is necessary in order to timely detect the intrusion.
In such cases, the providers use the DPI Deep Packet Inspection technology. This method has simple logic, which is based on the analysis of protocols, ports and signatures. Based on the analysis, the package is determined to belong to one of the types of traffic, and appropriate measures are taken.
As for the transfer of legitimate traffic, encryption will be applied here. According to ZDnet, encryption is one of the most reliable ways to protect data. In this regard, IT-GRAD offers Trend Micro's SecureCloud product for encryption in the cloud.
The model of this particular solution assumes that the virtual machine disks are encrypted using keys stored in the SecureCloud system, through which all processes are initiated.
Duplication of equipment
Cloud service providers can specify a variety of accessibility values in their agreements, for example, “five nines”, but modern realities are such that any unforeseen situations can disable equipment and “cut off” access to information. According to foreign statistics, the most frequent causes of accidents are equipment failures (24%), power supply system failures (16%), hurricanes (16%) and floods (15%). To avoid unwanted failures, providers are implementing disaster recovery services (DRS).
DRS systems can recover from a major failure of several data centers. This is achieved through a group of technical and infrastructure solutions. In the event of a catastrophe, a data center building may suffer, therefore, a geographically distant site is created first. There are three types of backup data centers: cold reserve, warm reserve and hot reserve.
Cold reserve is low-end servers that are ordered and set up after the occurrence of an accident. A warm standby is a weaker server (compared to the main farm) to run critical systems that are always ready to accept the load. Hot spares are servers whose performance corresponds to the servers of the main site, moreover, they always contain the most up-to-date information.
A key element of a disaster-proof solution is a geographically distributed data storage system. For example, storage systems at specified sites can completely duplicate each other, while the sites themselves are connected by redundant high-speed communication channels in order to meet the requirements for reliable data transfer and availability, including synchronous data replication. Different software solutions are involved in replication, such as vSphere Replication, or the storage-based replication systems themselves.
The vSphere Replica native mechanism is a replication at the ESXi hypervisor level, which does not depend on the type of storage. Storage-level replication is a more efficient mechanism by which the entire synchronization process is transferred to storage devices. SnapMirror, which implements a synchronous and asynchronous replication mechanism at the level of disk arrays, performed using an IP network, is an example of technology.
If a little bit away from the worst scenario - the failure of the entire data center, then we can note several other solutions to improve reliability. High requirements for fault tolerance of data centers of Tier III and Tier IV levels lead to the fact that the repair or maintenance option during a power outage is unacceptable for data centers of these classes. However, no equipment is insured against damage, and any engineering system periodically requires maintenance.
In data centers of high reliability, systems are used that allow operating with individual elements without disconnecting from the mains. In many data centers (including the SDN data center, where IT-GRAD equipment is located), the reliability of power supply systems is ensured by redundancy according to the N + 1 scheme, when each computer room receives energy from two power distribution devices.
Critical mechanical systems are connected via switchboards with dual independent power supply, and each of the power supplies is connected to separate UPS systems and diesel generators, ensuring uninterrupted operation for 84 hours.
Such an approach makes it possible to avoid trouble in the event of voltage drops — if one branch of power supply fails or is disconnected, the second takes all responsibility for itself, while maintaining operability and maintaining the level of availability prescribed in the SLA.
Physical protection
In addition to a variety of data recovery systems, systems for the protection of information transfer channels and replication, protection against external influences and penetration is also used to improve reliability.
This category includes the systems necessary to control access to buildings and premises and to monitor the current situation. It uses modern technology, such as face recognition or fingerprint technology in the access system. For large objects, several lines of video surveillance and security alarm systems are being formed - the use of modern equipment allows you to monitor the entire territory of the data center online.
Of course, some objects are much better protected than others. There is a data center in which an ordinary employee card scanner stands between the attacker and servers, but there are places with thick walls, bullet-proof doors and barbed wire, where biometric scanners are installed, and armed guards are on duty at the entrance.
As an example, you can look again at the SDN data center. The perimeter of the building and all interior spaces are equipped with an eight - level security system, the facility is subject to strict throughput control, and video cameras and motion sensors provide full coverage of the entire data center.
To get to the reception area, you need to go through armored sluice cabins, each of which is equipped with access card readers and biometric data and works on the principle of scanning a palm print (for more information about the SDN data center that hosts our equipment, we wrote in this post).
IaaS-provider is obliged to pay serious attention to the choice of site for placement of its own equipment in order to increase the reliability of the services provided. The data center should not only meet the requirements in different areas from power supply to security, but also have a "margin of safety" for a long time to come.
Clouds are gradually becoming a major part of IT, so cloud solutions vendors have to take action to protect customers' data and sleep at the same time, while meeting increasing demands for performance and scalability.
PS Several other interesting topics from our corporate IaaS blog:
- High technology in the world of sports: why the cloud will become the standard of the future
- Cloud technologies in the film industry: how DreamWorks solved the problem of processing large amounts of data
- "Litera5": how the cloud-based spell checker is used in life
- Moving to the cloud: the transformation of technology and business
Source: https://habr.com/ru/post/307490/
All Articles