
Cloud Computing Data Center Security Solution

Data centers play an important role in IT-based development and IT applications in the oil and gas industry. Operational systems used in oil and gas companies, including enterprise resource planning (ERP) systems, logistics systems, delivery systems, retail systems, portals, customer management systems, oil and gas prospecting systems, and marketing systems, are all dependent on data centers.

As the Internet is used more extensively, data centers that used to run on clients and servers are migrating to central servers connected to the Internet. Multi-layer applications under the infrastructure architecture interact with hardware, networks, and operating systems with increased complexity. It is this complexity that creates a lot of uncertainty for security systems of data centers. Data centers on which security strategies are inappropriately implemented risk frequent intrusion from hackers and worms. Although most system administrators are aware of the serious damage caused by Internet-based malicious attacks and have deployed security devices to defend data centers at the access control layer, these traditional defense measures are becoming less effective in dealing with the latest types of attacks that use mature technologies.

Security threats to data centers can appear on any layer, including terminals, network, business applications, data, management systems, and risk control, as shown in the following figure "Data Center Security Threats".

Huawei Solution
[Diagram labels]
Application system: prospecting and exploration system; oil and gas production system; production command system; OA & production management system
Data center: prospecting and exploration database; oil and gas exploitation database; management system database; ERP database; ...
IP backbone transmission network: central control room; OTN ring
Access network: 2G/CDMA/Wi-Fi/WiMAX/Microwave/GPON; communications gateway
Sensor network (ZigBee/RFID); RTU; SCADA/automatic control (ZigBee/Wi-Fi); video surveillance

Figure: Data Center Security Threats

DC hierarchical model (layers shown in the figure): Terminal; Network; Service application; Data; Management and risk control

Threats labeled in the figure:
DDoS attack
Attacks to perimeter network
Network attacks between different internal departments
Visible virtual memory (VM) flow and mutual access security control
Illegal terminal or illegal user access
Terminal data leakage
Malicious attacks from terminals
Attacks between Hypervisor and VM
Data transmission security
Cyberloafing lowers office efficiency.
As a large quantity of access to point-to-point (P2P) and videos takes up bandwidth at network egress points, important service operations are delayed.
Trojan-intruded websites and Structured Query Language (SQL) injection
Email virus transmission, email phishing, email information leakage
Virus intrusion and dissemination in applications
Hosts and Hypervisor systems are vulnerable to threats.
Mobile terminal
Security of data transmission via internal and external networks
Systems for different use run independently from each other.
Data theft by malicious internal users
Without unified security strategies, data centers are vulnerable to threats.
Database intrusion risks and data theft
Data disaster recovery
Data leakage due to vulnerabilities in document security management
Storage data theft
Security log audit separation
Regulatory compliance and legal risks from cloud computing
Malicious administrators overstep their authorities.
Leakage risks due to poor isolation of VM resources
Customer Benefits
The focus of enterprise data centers' security lies in the safe and
efficient operation of data centers, secure access to services
anywhere and anytime, and the capability to preserve the
confidentiality, integrity, and availability of services.
Huawei's enterprise data center security system consists of five
dimensions: identification & authentication (who are you), access &
authorization (what information is available for you), audit trail (behavior
records are traceable for audit), response & recovery (capability to quickly
respond and recover), and content security (what attacks are threatening
data centers). Collectively, these protections are abbreviated as IAARC.
This five-dimensional security approach helps provide differentiated
security solutions to secure the operations of enterprise data centers.

Solution Architecture
Huawei's enterprise data center security architecture secures services in three layers: cloud, pipe, and device.
An overall terminal access security solution is provided to help ensure device security at mobile terminals, virtual desktop infrastructure (VDI) terminals,
and office automation terminals.
A hierarchical network security protection solution is provided to protect perimeter networks, internal networks, and virtual layer networks
against attacks from within or outside data centers.
This solution secures the major services (like Web and email) at the cloud end, and offers an all-around data security solution that helps
ensure document security, database security, virtual machine full-disk encryption, and data leakage prevention (DLP). By securing the
services at these three layers (cloud, pipe, and device), this solution helps ensure access security, network security, application security, and
data security for data center services.
The security service package offered by Huawei's professional teams integrates security management consulting, service security evaluation,
security penetration testing, security hardening, and other services that help customers build highly secure and reliable data centers.

[Diagram: Enterprise data center]
External networks: Internet; Extranet; Branch; Local branch; WAN/MAN; Private OA network
Perimeter and network devices: iCache; LLB; DDOS/FW/IPS; SSL VPN; UTM; ASG; CSS; iStack; FC Switch
Zones: DMZ; Network service zone; Network core layer; Prospecting and exploration area; OA area; Oil and gas production area; Highly secured production area; Operations management area; Disaster recovery center
Servers and storage: Server; PC SAN storage; FC SAN storage; Data leakage prevention

Callouts in the diagram:
Network security: perimeter network security, internal network security, and virtual layer network security.
Application security: host security, service security, and data security.
Security management: O&M audit, security device service management, and security operation.
Device security: mobile access security, desktop cloud terminal access security, and office automation terminal access security.
Security services: infrastructure security service and security management consulting service.
