Outsourced Community Cloud

In an outsourced community cloud scenario, there is one security perimeter implemented by the community cloud provider and one security perimeter implemented by each cloud consumer. The cloud provider's security perimeter is linked to the security perimeters of multiple cloud consumers in a point-to-multipoint configuration using trusted internet connections.

The security of the outsourced community cloud depends on the strength of the security perimeters and the trusted internet connections. 

The cloud consumer organizations (X, Y and Z in the figure) can connect user devices such as smartphones, tablets, laptops, and other wireless BYOD (bring your own device) equipment to IP over WiFi (IP / WiFi) or IP over 4G (IP / 4G WiMAX or LTE) networks to communicate with the site's boundary controller in order to access the cloud services and resources.

The Challenge

This outsourced community cloud scenario requires solutions for sharing, and in some cases restricting, cloud resources, since clients from multiple participant organizations access a common pool of resources.

The solution to the sharing problem can be complicated when member organizations leave the community and other non-member organizations want to participate.

The link between the two boundary controllers can be vulnerable to attack, especially if it goes through the public internet. This outsourced cloud solution needs internet connections that are trusted.

The provider boundary controller links to many consumer boundary controllers in this outsourced community cloud scenario. The boundary controller connectivity must be scalable.

The CIS Solution

The SIPbiz.net boundary controller solution is based on each user's unique identification to monitor and control cloud resource access. A user is authorized to access a cloud resource when the user identity is registered and included in the access list of that resource.

A user identity must be registered with their organization's SIPbiz.net boundary controller and the remote SIPbiz.net boundary controller of the outsourced community cloud. The local SIPbiz.net boundary controller uses the local registration information to authenticate the user, and the remote SIPbiz.net boundary controller uses the remote registration to authorize the user's cloud resource accessibility.

A user can't access the cloud resources directly. All access requests must be sent to the boundary controller, which validates the user's access rights before forwarding the request. The SIPbiz.net boundary controller blocks unauthorized (unregistered) users.

The multiple steps of access verification described above enable the monitoring and control of access to the cloud resources. The monitoring data is processed and reported by continuous monitoring applications.

The participant organizations in the outsourced community cloud scenario are connected via links between the SIPbiz.net boundary controllers that allow access through their security perimeters. The SIPbiz.net connection can be initiated by either of the boundary controllers. Successful connection establishment creates a trusted internet connection over which transiting information is encrypted.

When a member organization leaves the community, its SIPbiz.net boundary controller connection to the community cloud's boundary controller is disconnected and its users' identifications are removed from the cloud resource access lists.

A new member organization is added to the community by connecting its SIPbiz.net boundary controller to the community cloud's SIPbiz.net boundary controllers. The new member's user identifications must also be registered with local and remote cloud resources.

A SIPbiz.net boundary controller has no limit on the number of connections it can create.
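The two-stage access check and the join/leave handling described above, modelled as an added example. This is illustrative code, not SIPbiz.net's own implementation; the class and function names, the user ids and the resource names are all constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class BoundaryController:
    """Hypothetical model of one boundary controller: identities registered with it,
    per-resource access lists (enforced on the provider side), and trusted peers."""
    name: str
    registered: set = field(default_factory=set)      # user ids registered here
    access_lists: dict = field(default_factory=dict)  # resource -> set of user ids
    peers: set = field(default_factory=set)           # names of linked controllers

def connect(a, b):
    """Trusted connection between two controllers; either side may initiate."""
    a.peers.add(b.name)
    b.peers.add(a.name)

def request(local, remote, user, resource):
    """Two-stage check: the consumer's local controller authenticates the user
    against its registration, then the provider's controller authorizes the user
    against the resource access list. Returns (decision, reason)."""
    if remote.name not in local.peers:
        return ("deny", "no trusted connection to provider")
    if user not in local.registered:
        return ("deny", "blocked: user not registered locally")
    if user not in remote.access_lists.get(resource, set()):
        return ("deny", "user not on resource access list")
    return ("allow", "request forwarded to resource")

def add_member(local, remote, grants):
    """Join: link the member's controller and register its users locally and on
    the remote access lists. grants maps user id -> set of resource names."""
    connect(local, remote)
    for user, resources in grants.items():
        local.registered.add(user)
        for res in resources:
            remote.access_lists.setdefault(res, set()).add(user)

def remove_member(local, remote):
    """Leave: tear down the link and strip the member's users from every list."""
    local.peers.discard(remote.name)
    remote.peers.discard(local.name)
    for users in remote.access_lists.values():
        users -= local.registered
```

The point a practitioner should check in a real deployment is the last function: a departing organization's identities must be purged from every resource access list, not just its link torn down, otherwise a later re-connection would silently restore the old grants.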

Benefits and Capabilities

Security Enhancement

  • Connect user devices and servers from behind a NAT firewall
  • Mutually inclusive privacy protection with PKI
  • End-to-end encrypted information via TLS

Technology Advantage

  • Scalability: There is no architectural limit on the number of trusted connections a SIPbiz.net boundary controller can maintain. Each SIPbiz.net boundary controller can initiate and accept multiple TLS connections.
  • Encryption works with or without a NAT firewall
  • Encryption works on IPv4 or IPv6 networks
  • Flexible SIPbiz.net connection configurations
    • Point-to-point
    • Point-to-multipoint
    • Full mesh

Learn More

For additional information on how your organization can benefit from the SIPbiz.net Outsourced Community Cloud solution, please contact sipbiz@sipbiz.net.