Security Considerations

Overview

This section provides design specification details related to the security of the CloudCenter Suite.

This section DOES NOT provide on operational policies such as key rotation, incident management and business continuity policies are not covered in this document.

Product Overview

CloudCenter Suite is an enterprise-class solution that offers a secure, scalable, extendable, and multi-tenant solution that can scale to meet the needs of the most demanding IT organizations and cloud service providers.

CloudCenter Suite uses various types of metadata, authentication information (such as customer credentials and keys), cloud usage metrics, and users associated with cloud applications to deploy and manage applications on cloud infrastructures.

The CloudCenter Suite does not store customer application data (data  that is created, used, or managed by the user’s cloud applications). 

  • Customer application data is only stored on customer premises or on cloud infrastructures. 
  • Customer application data is not stored or accessed by CloudCenter Suite at any point.

CloudCenter Suite provides end-to-end security with:

  • A comprehensive key management mechanism
  • Full application and application tier network isolation (micro-segmentation)
  • Data encryption for data both in transit and at rest
  • User identity management and authentication control
  • User, application, and object-level access control

CloudCenter Suite Architecture

The CloudCenter Suite architecture is deployed as a distributed architecture and is composed of several key architectural components as described in The CloudCenter Suite Architecture

User Authentication

CloudCenter Suite supports user password, hash-based authentication, and SAML 2.0-based Single Sign-On (SSO) authentication. CloudCenter Suite also provides authentication for REST API endpoint access.

CloudCenter Suite authenticates users through a unique username and password. The password is not stored in clear-text, but is converted using a secure one-way hash algorithm (SHA256) with a random salt. If different users use the same password, this will not result in the same password hash. This hash code is generated and stored when the user creates the password for the first time or changes the password at a later time. Upon login, the hash code is regenerated using the specified password and matched against the stored hash code to authenticate the user. Since this is a one-way hash algorithm, no Cisco employee or third-parties can discover the user password. The password is neither reverse recoverable, nor subject to brute force dictionary attack.

CloudCenter Suite leverages SAML (2.0) to integrate with customer identity platforms such as Active Directory (AD) and LDAP. For SAML-based SSO authentication, the user directory, password, and authentication mechanism are controlled by the customer. Customers may further choose to enable multi-factor authentication on their user login page through well-known identity provider platforms such as ADFS, Ping Identity, Okta, and so forth. The CloudCenter Suite only uses the user’s email address as the user identity in SSO mode. Customers can configure unique SAML Identity Providers (IdP) properties on a per tenant basis. The CloudCenter Suite tenant admin can optionally set additional mapping rules to automatically sync user groups and user group membership based on custom properties provide by IdP

Cloud Authentication

The CloudCenter Suite authenticates to public, private, and hybrid clouds using cloud account credentials provided to CloudCenter Suite when a user configures cloud environments. These cloud account credentials are stored securely in the CloudCenter Suite database using AES-256 encryption. 

Configuring and registering clouds and cloud accounts in CloudCenter Suite is limited to CloudCenter Suite administrators. The CloudCenter Suite administrator can decide if additional tenant administrators and end-users can configure their own cloud account information. See Initial Administrator Setup for details.

REST API Calls

Cisco provides CSRF protection for all API calls. See CSRF Token Protection for additional details.


Access to the REST API interface is limited to configured user accounts. To authenticate API requests, all CloudCenter Suite REST APIs require basic authentication using an API key as the password. For example:

curl -H "Accept:application/json" -H "Content-Type:application/json" -u <user_accountNumber>:<api_key> -X GET https://<HOST>:<PORT>/api/v1/suite-idm/currentUser/userInfo

In addition to the user's accountNumber:apikey combination, all CloudCenter Suite REST APIs can also accept the JSON Web Token (JWT). For example:

curl -H "Accept:application/json" -H "Content-Type:application/json" -H "Authorization: Bearer <JWT>" -X GET https://<HOST>:<PORT>/api/v1/suite-idm/currentUser/userInfo

A REST API key is a 36-character, randomly generated, case-sensitive, hexadecimal UUID string. This key, combined with the user’s unique Account Number (accountNumber), is used for REST API authentication. During authentication, the REST API key specified in the HTTPS request is matched with the REST API key stored in the CloudCenter Suite database. This prevents the user from revealing the real user password in any automation script, and also allows REST API authentication to work with either user/password hash-based or SAML SSO-based authentication.

To provide data security, all REST API requests must be issued over a secure, encrypted, HTTPS connection.

The REST API key for each user is stored securely in CloudCenter Suite database using SHA256 one-way hash. The API Key section provides additional details about secure key storage and key operations. See Suite Admin API for details on CloudCenter Suite REST APIs and how to use them.

All users can generate their own API keys – the Suite Admin has no control over this function.

UI Authentication

The CloudCenter Suite UI requires user authentication. Each authenticated user will have a unique Session ID to track activities and a JWT to ensure API access. The JWT expires in 15 minutes and the UI auto-refreshes the JWT token if it detects the user actively using the UI. If the user is logged off or if the user is disabled or deleted, the user's active JWT is no longer valid.

Module Security

The CloudCenter Suite connects to a Cisco hosted Helm repository and a Docker registry to check for available modules and updates. These repositories are fully compliant with export control and requires authentication for each user connecting to the repository. All CloudCenter Suite module are packaged as Helm Chart and Docker images. The Helm Chart refers to Docker images via the image's SHA256 hash. The Helm Chart itself is signed and verified by the CloudCenter Suite upon installation or upgrade. This way the integrity of the Helm Chart and Docker images are guaranteed.

Role-Based Access Control

The CloudCenter Suite offers granular control of access to each CloudCenter Suite resource through role-based, module-level access control. Access to resources like services, clouds, application profiles, deployment environments, and other CloudCenter Suite resources can be managed based on roles associated with users or user groups. See Understand Roles for details.



Back to: CloudCenter Suite 5.1 Home

  • No labels
© 2017-2019 Cisco Systems, Inc. All rights reserved