Giano: Toward Large Scale Access Security Management in Private Cloud
(Chinese title: 面向私有云的大规模访问安全管理)
Author: Ye Wu
Published in: Proceedings of the 4th ACM International Workshop on Security in Cloud Computing, 2016-05-30
DOI: 10.1145/2898445.2898458 (https://doi.org/10.1145/2898445.2898458)
Access control problems and their solutions are commonly treated as the number one enterprise security concern. Today, as more and more companies move their business to the cloud and the boundaries of information exchange and management blur, access security management faces serious technical challenges, in part because central control is lost to some degree; the topic is therefore receiving increasing attention and investigation on top of its existing foundations. Large internet companies such as Google and Facebook in the US and Baidu in China operate IDCs consisting of huge numbers of physical servers and millions of virtual machines or containers, which can be regarded as very large private clouds. At the same time, hundreds and thousands of employees (most of them engineers with different roles) need frequent access to many categories of IDC resources to do their daily jobs. For example, SREs may need to log on to production servers remotely to configure environments or fix system faults; RDs may log on with accounts bound to particular machines and start services to carry out development work. Moreover, an IDC hosts an enormous number of applications running dynamically and continuously, which exchange information with one another by accessing data storage and computing services, possibly across domains. As a consequence, the interactions among massive numbers of people, devices and services give rise to a very complicated topology of access relationships. Solving such large-scale distributed access control problems requires considering a whole line of security technologies: identity management, authentication methods, authorization models, auditing and reporting, regulatory compliance, tracing and forensics, domain isolation, intrusion detection, and administration toolkits for security evaluation criteria.
Designing and implementing this kind of comprehensive security platform, while at the same time addressing the reliability, scalability and performance issues that matter in industrial-grade products, is a daunting task unless appropriate abstractions over the targets and innovative, applicable theory are developed in depth to reduce complexity and unify mechanisms. In this talk we present such a real-world system developed by our team, named Giano, which incorporates most of the aforementioned security techniques and is already widely used for Baidu IDC operations management and integrated into many business products. Important related theoretical work, such as delegation logic, attribute-based authentication and proof-carrying authorization, will be illustrated with a focus on its application in practice.