There are two main aspects to security in relation to the OpenECOMP platform: security of the platform itself and the capability to integrate security into the cloud services. These cloud services are created and orchestrated by the OpenECOMP platform. This approach is referred to as security by design.
Figure 1. OpenECOMP Platform Decompositionplatform decomposition
The enabler for these capabilities within OpenECOMP is an API-based Security Framework, depicted in Figure 1 . The right-hand boundary of the OpenECOMP region depicts OpenECOMP's Security APIs, which call as the "Security Framework" box. One such set of APIs is the Application Authorization Framework (AAF) <<DocRef: AAF API Specification>>, which in turn calls external security platforms.
Security of the platform begins with a strong foundation of security requirements and following security best practices as an inherent part of the OpenECOMP design. Some examples include:
- deployment of the platform on a secure physical and network infrastructure
- adherence to secure coding best practices
- security analysis of source code
- vulnerability scanning
- defined vulnerability patching process
Building upon this foundation, external security platforms that provide additional security capabilities such as identity and access management, micro-perimeter controls, and security event analysis are integrated onto the platform through advantageous use of the OpenECOMP Security Framework. The additional security these external platforms provide are described below.
Security modulesSecurity modules such as
an Identity and Access Management (IAM) platform provide critical security
capabilities to the OpenECOMP solution. Access
management enhancements deliver preventive and
detective access controls for the OpenECOMP portal and
related front ends. Options for fine grained
authorization capability also exist. For identity
lifecycle management, this platform provides user
provisioning, access request, approval and review
capabilities and
is
designed to minimize
the administrative burden.
Security event analysis, provided by a
securitysecurity analytics platform
,
will
use
the OpenECOMP DCAE data
collection and analytics engine to gather VNF data,
network data, logs and events. Once the
securitysecurity analysis has determined that a security event has
occurred, a pre
-
determined policy can be invoked via
the OpenECOMP platform. The ability to respond
automatically to a security
-
related event, such as a
Distributed Denial of Service (DDoS) attack,
will
enable closed loop security controls, such as
modifying firewall rules, or
updating Intrusion
Prevention System (IPS) signatures, etc. In the event
that a pre
-
determined policy has not been created for
an event, it will be sent to a ticket system, and then a
new policy can be generated for the next time that
event occurs.
The
ECOMPOpenECOMP platform also enables security by design
for services it orchestrates by engaging a
securitysecurity trust model and engine. This begins with validation
of security characteristics of resources as part of the
ASDCSDC resource certification process. This assures
service designers are using resource modules that
have accounted for security.
Using
the
OpenECOMPOpenECOMP security framework to access an external
securitysecurity engine, additional security logic can be applied and
enforced during service creation.
OpenECOMP is a platform
forfor many types of services.
Because of its inherent security, it is also a powerful
means to provide security as a service. In many ways,
securitysecurity services are similar to other services;
however, even more so than other services,
securityservicessecurity services must be
providedprovided via a platform
/and infrastructure that is inherently secure.
Many types of security services can be offered,
spanning access control, authentication,
authorization, compliance monitoring, logging, threat
analysis and management, etc
. Management of. For example,
when a
customer has a need for
firewall capabilitya vFW (Virtual Firewall), the customer provides the needed information
via the
Portal to enable OpenECOMP to determine and
orchestrate
the firewall placement. In addition, the
firewall capabilities (e.g., rules, layer 7 firewall) are
instantiated at the appropriate locations within the
architecture. If necessary
,
manymany security controls and
technologies including firewalls, URL blocking
, etc.
,
can be service
-
chained to provide all the needed
functionality. As part of an overall
securitysecurity architecture, the log data from the firewalls can be
captured by DCAE and used by the threat
management application to perform
securitysecurity analytics.
ShouldShould a threat be detected, various
mitigation steps can be taken, such as altering IPS
settings,
changechanging routing, or
deploydeploying more resources to
better absorb an attack. This can be achieved by
Astraan external security mechanism working with OpenECOMP to deploy the appropriate
updates across
thethe infrastructure,
thereby
minimizing
the service interruption due to the security threat
.13.
T