3DS OUTSCALE provides Infrastructure as a Service (IaaS) solutions and manages more than 30k virtual machines (VMs).
Resource isolation control is a vital feature for our user security. This document explains how resources are isolated from one another and how users can control part of this isolation for their needs.
3DS OUTSCALE’s Application Programming Interface (API) exposes logical objects or resources which can be manipulated.
Each API action (read, create, link, etc.) is performed remotely by authenticated users.
Users sign their requests using the AWS signature (v4) method. This method ensures user identity and request integrity.
Once signed, the request is sent to 3DS OUTSCALE through a secured https connection (TLS).
Once the user is authenticated and request integrity is verified, TINA software ensures resource isolation and performs actions only on the resources of the authenticated user.
TINA software is tested through 3DS OUTSCALE’s secure development methods.
A dedicated Quality Assurance team develops and automates TINA software testing before and after each deployment in production.
A security group is a logical resource managed by the user and which acts as a logical firewall. Security groups contain a list of network flow rules to allow flow (a deny policy is applied by default).
A security group can then be applied to a specific resource like a VM or a gateway. This generic security framework allows users to control their resource isolation on a network level.
When applied or modified, a security group is translated to corresponding firewall rules which are deployed over the TINA architecture.
The public Cloud allows users to create VMs with Internet access.
VMs created in the public Cloud network cannot receive any communication from another VM unless the owner explicitly allows a specific incoming network flow. Therefore, users are using the same logical network, meaning an incorrect configuration of security group (logical firewall) rules can lead to isolation breach, unlike with Virtual Private Clouds (see below).
Network flows are managed by users using security group rules. A VM always has a security group applied, which is empty by default (which means no traffic is allowed access to the VM).
A Virtual Private Cloud (VPC) is a logical network, like VLANs or VXLANs. Each user can have and can manage multiple VPCs at the same time. Each VPC is fully isolated from other VPCs unless they belong to the same user.
By design, a VPC, contrary to the public Cloud, cannot be misconfigured by the user to lead to an isolation breach.
As VPC networks are isolated, users are free to choose their network addressing at VPC creation without conflicting with any existing network.
By default, no Internet route is configured on a VPC, which provides a fully isolated network from any external resource.
Subnets are a subset of a VPC network. Subnets can communicate only by adding routes which are controlled by the user using Route Tables logical objects.
VMs located in a VPC subnet still have at least one security group attached, which segregates VM access.
As part of a VPC network, subnets are fully isolated.
An optional Internet Gateway can be added or removed from a VPC in order to enable the user to configure a default route to the Internet.
Other traffic can be routed inside a VPC. For example, a user can configure a Virtual Private Gateway (VPN) to access their VPC network.
All routes and network flows can be described and managed through 3DS OUTSCALE’s API. This way, users control their resource access and isolation.
VMs are essentially a functional simulation of a physical computer. This simulation is computed in real time on real hardware (hypervisor).
Each hypervisor contains processors with Intel x86 virtualization instructions (vmx family).
These Intel processor features have been made in order to isolate running VMs from hypervisor and to accelerate simulations.
Management of VM compute and memory isolation is performed by the hypervisor’s operating system (OS): 3DS OUTSCALE uses mainly the Linux kernel with KVM module and QEMU.
VM compute and memory isolation is provided using the same method as above.
VMs running on the same hypervisor cannot alter or interact with one another without communicating over the network.
Each VM network communication is sent through a specific virtual network interface (vNIC). A vNIC provides isolation using encapsulation and tunneling to a specific firewall.
Firewalls are managed by 3DS OUTSCALE and are responsible for applying, filtering, and routing according to some specific (limited) user configurations: route tables and security group rules.
This network architecture ensures a controlled isolation of VM communications.
Furthermore, the customer can choose a dedicated hardware as an improved security measure.
3DS OUTSCALE provides mainly two types of persistent storage: Block Storage Unit (BSU) and OUTSCALE Object Storage (OOS).
A BSU is a persistent logical storage which is attached to a VM. It can be controlled by the user though API management and through the user’s VM.
When attached to a VM, a BSU is detected as a block device on which the user is free to write data (though a filesystem, for example).
Attachment of a BSU to a VM is controlled by TINA software which ensures that the user is allowed to attach the disk to a specific VM.
This way, a user cannot access data stored on a BSU of another user, thus providing BSU isolation.
Each OOS object that contains data is contained inside an OOS bucket.
Access rights on OOS objects and OOS buckets are fully managed by the users. Without proper permission, a user or an anonymous user cannot access specific user data.
Isolation is performed through access permissions. The permission system is managed by OOS software which is based on Scality’s RING technology with S3 support.
AWS™ and Amazon Web Services™ are trademarks of Amazon Technologies, Inc or its affiliates in the United States and/or other countries.