A New Vision of SINET5: Leap into the Universities’ ICT Infrastructure
Goals of SINET5 in the Age of Cloud Computing
by Kento Aida, Professor, NII
Prof. Aida discussed why SINET5 needs to offer cloud services and what kind of cloud computing they are trying to achieve through SINET5 by outlining the issues and challenges they need to overcome. Aida concluded that it is essential to work together with universities and institutions to achieve a state-of-the-art research and education environment for all.
SINET4 is already providing low cost, high-performing and highly secure cloud services by connecting commercial cloud providers directly to its system. JAIRO Cloud is set up within NII’s system and serves as a repository in which institutions can set up their repositories without having to have their own server act as a repository. Innovative HPCI (High Performance Computing Infrastructure) connects super computers throughout the country by means of SSO authentication.
Why do we need to offer the next level of cloud services through SINET5? First, the universities’ financial burden for IT resources is increasing as the demands for new IT resources such as on-line education and big-data increase. Second, universities have concerns about using cloud computing because: 1) it requires advance technological knowledge to run; and 2) commercial services have slow connections, have security issues (e.g. data loss or leakage), and can be relatively expensive. Third, the international direction is to build state-of-the-art research and education environments using cloud computing. For these reasons, it is necessary for NII to build a cutting-edge research and education environment for Japanese institutions by utilising the cloud infrastructure.
The design of SINET5’s can include not only connecting a campus and various cloud services (this is already achieved using SINET4) but also: 1) connecting resources of different intuitions as an inter-cloud (e.g. connecting computing resources); and 2) connecting people.
First, SINET5 can connect existing computing resources on campus or on the cloud via a virtual network on demand, and realise high speed and secure communication. The execution environment for a program can also be constructed on demand in the computing resource on the cloud. This will allow the high speed and secure backup of precious data, increase the availability of services, and encourage collaborative work between different groups. In order to achieve such an inter-cloud using SINET5, NII needs to reinforce SINET’s network and adapt the technology to build an on-demand virtual network as well as an on-demand program execution environment.
Second, SINET5 can connect people and encourage the use of the cloud. By working together with institutions, NII will create a cluster of cloud services that are desired by the research and education community and verify the security of each service. By collectively procuring the commercial cloud services, it will realise an economy of scale. In order to encourage the use of the cloud, SINET5 will provide a gateway and service portal; it will create a package of services that suit the particular needs of individual users; display the quality of these services (e.g. level of service and security); and conduct authentication and access management via GakuNin. In order to develop these, NII needs to improve technologies for searching cloud services and managing authentication and access.
Aida concluded in his presentation that the goal of SINET5 is to realise a new research and education environment for the Japanese academic community. However, there are a lot of challenges to overcome as outlined here. We can overcome these only by working together with institutions that specialise in each field and reflecting their expertises in the architecture of SINET5.
Advancing the Future of Academic Information Infrastructure through Japanese Version NET+:
The international trend of NET+ and the way to build it in Japan
by Hideaki Noda, Academic Infrastructure Division, NII
Mr Noda outlined the international trend of NET+, what it is, and how it is delivered, and suggested what we can do to create a Japanese version of it. He concluded his presentation by asking for ideas for its name and by calling for the collaboration of various parties.
There is significant interest among the Japanese academic community for ‘everyday’ cloud services (i.e. services that support the daily business of a university such as teaching, research and administration). However, there are also concerns for security, convenience and cost for using the cloud. Noda argued that, if there was an ‘academic market place’ for cloud services that guarantees a certain level of security, customises service models suitable for the academic community, and offers reasonable contract terms, it should encourage the academic community to use more cloud services. NET+ is indeed a market place that serves as such.
NET+ is a strategy for the academic community to effectively use cloud services and a ‘market place’ that meets the three required conditions of being: 1) safe and secure; 2) convenient; and 3) easy to purchase. In the USA, Internet 2 NET+ functions as a portfolio of solutions for cloud services and applications and works as a broker of cloud services (i.e. it provides 49 services). On behalf of the participating institutions, it negotiates service models with providers, evaluates and verifies the security and contract terms, and provides services via a secure federated authentication (i.e. InCommon). They have several cash flow patterns for the payment of usage. The criterion is that a service must meet the needs of technical staff, research and education staff, students, or administrators. They appoint one Sponsor Institution per service who works with Internet 2 throughout the registration process, including technical integration and the negotiation of various conditions such as security and contract. A number of Participating Institutions also help the Sponsor Institution throughout the process. Internet 2 NET+ conducts a security assessment by using a framework based on Cloud Controls Matrix (CCM), which is a checklist for assessing the security of cloud products. CCM is compatible with general security indicators such as ISO27001. As described, Internet 2 NET+ has achieved three points: 1) Security through InCommon federated authentication and Cloud Control Matrix; 2) Convenience, as it reflects the needs of the academic community (i.e. the Sponsor Institution system works as a filter and thus only the services that are desired by users are registered); and 3) Cost saving, as agreements are reached collectively and contracts are made according to the standardised conditions. The advantages for service providers include: 1) being able to manage access using reliable attribute information; 2) being able to grasp the needs of the academic community and to try a new service model; 3) being able to remove barriers, such as legal and contractual, smoothly by working with legal support staff at Internet 2; and 4) being able to explore the academic market easily. There are similar systems in other countries such as the Netherland’s SURFconext and the UK’s Janet Brokerage.
Where can we start to build a Japanese version NET+? Noda listed three points he considered to be useful for the Japanese academic community. The first point is security. This can be achieved using GakuNin and its secure authentication system. But the products to be listed should also meet certain security criteria. Second, it needs to provide convenience. The products should be customised for the academic community and accessible via SSO. Finally, it should contribute to cost reduction. This could be achieved through a centralised contract negotiation, standardised contracts, and the allocation of academic prices for collective purchase. Some of these functions, however, already exist in Japan. For example, JUSTICE (Japan Alliance of University Library Consortia for E-Resources) collectively negotiates contract conditions of e-journals. And AXIES (Academic eXchange for Information Environment and Strategy) has already agreed with Microsoft a comprehensive licence program on behalf of the academic community.
Noda suggested three starting points for creating an initial service model. First, we need to examine the required standards for products by working together with the academic community. Second, we need to assess the service’s compatibility with security checklists (e.g. Hiroshima University’s Cloud Service Usage Guideline could be utilised). Finally, we need to ensure security by establishing access via GakuNin. The roadmap for Japanese NET+ is as follows. By summer 2014, NII will set up a group and call for participation from universities and providers. By autumn 2014, NII will examine the service model, exchange information (with a potential event with relevant organisations), and publish the results. By autumn 2015, NII will launch a pilot service and continue to examine a sustainable system. NII is planning to expand the service gradually and to make it available for general use by the launch of SINET5. Noda concluded his presentation by calling for active participation from academic community as well as service providers.
SINET5 Security Cloud that Protects University Security
by Hiroshi Yamada, Professor by Special Appointment, NII
Prof. Yamada outlined the reality and issues of security; four important aspects for defence; what kind of questions should be asked to understand the situation; and a flow of attack and defence. He then showed how SINET5 could reinforce the security of universities by identifying the three points described below.
It is widely recognised that it is critical for any organisation to protect its own network from outside attacks; however, in reality this is not necessarily reflected in security systems. Attackers are becoming more tactical and adapting complicated methods, and there is a lot of available information on attacks and vulnerability on the Internet. How can we protect ourselves from external attacks when staff are few and probably have to deal with security issues alongside other duties?
There are four aspects for defence: technology; system (CSIRT, NOC, and SOC); rules; and mindset. In terms of technology, it is important to implement security equipment and to set it up appropriately. It is also important to reduce misconfiguration to a minimum and to conduct and log information analysis, packet information analysis, correlated analysis, and malware analysis. Second, ‘system’ does not only mean providing information but also educating users and administrators. It also includes the system to deal with an incident and to change associated settings. It is important to obtain evidence for the route and influence of entries and to conduct audit and vulnerability checks. Third, general rules/policy should be outlined for users and administrators as well as responsibilities and duties of each individual in case of incidents such as shutting down machines, conducting checks, dealing with data and information, etc. Finally, the mindset of users and administrators are equally important. They must have a high ethics to comply with the rules and to protect their own data and machines. All of these issues cannot be overlooked.
It is critical to grasp the institution’s own system configuration, settings, usage situation and rules. The following are the list of questions that should be asked: Is there a machine that is not managed or connected without authorisation?; Are public servers and internal servers used together within a segment?; How far do you allow certain traffic to go through the network?; Is there a system that you can check (Syslog) or the amount of traffic?; Are machines updated according to vulnerability?; Are virus scans conducted regularly?; Does the management system function as an organisation?; and Are settings, policy, and rules updated and secure? By asking these questions one can gather the information necessary to analyse the cause and to understand the extent of potential damage.
The attack comes in stages: searching (i.e. foot printing, scanning, and enumeration); entrance and obtaining access (i.e. gaining access, escalating privilege, and pilfering); covering track; creating back doors; and attack to shut down (DDoS/Dos). The flow of the attack and defence can be examined using a simple penetration test tool such as BackTrack5. After the examination, it is important to analyse the different layers and think about the depth of defence that is required for each layer. There are two ways to think about the defence. One is vulnerability-centric defence and the other is threat-centric defence. The former is a strategy to defend against known attacks; thus, it cannot defend against unknown attacks. The latter is based on the behaviour and need to monitor communications; thus, it requires handling a large amount of data and privacy information. Both are necessary, but both must be traded-off in terms of costs. Network Forensic is a process to find out the cause and identify the extent of damage and influence to others when an incident has happened. It is important not to miss anything, deal with the problem, and reinforce security based on what has been learnt from the process.
To conclude, Yamada showed what NII and SINET5 can do to reinforce the security of the participating institutions. First, SINET5 will reinforce the security of its own network. This can be achieved by configuring secure settings by referring to other systems, implementing DDoS mitigation, and visualising the information such as where the network is connected. Second, NII will provide security services by setting up a security infrastructure within SINET5. It will support small-to-medium size institutions by providing virtual FW and IPS. NII will also build a log analysis infrastructure (i.e. SIEM: Security Information and Event Management) for detection. SINET SOC (tentative) will allow NII to collect data (e.g. log and packet information), analyse these, and advise participants. Finally, NII will collaborate with participating institutions and create a security community. Through the collaboration with CSIRT groups, NII will exchange information and know-how, improve the level of security, and create a system that allows members to cooperate with each other in the case of an emergency.
