Modern networking continues to provide improvements and expansion for communication and information access. The continuing growth of networking systems and technology seems limitless and the speed of networked communications has brought benefits to nearly every human endeavor.
Recent trends in information technology have seen large enterprises and other users moving towards a new paradigm of network utilization, the provisionable utility data center (UDC). A UDC allows a centralization of information technology (IT) services and enterprise-wide, or even internet-wide, access to specialized data and functions. The various moves to re-centralize IT systems of all kinds are driven in part by shortages in IT staff and by the intrinsic inefficiencies of distributed systems. Notably, many IT managers are migrating to a smaller number of large data centers. Enabled by abundant and relatively inexpensive network bandwidth, IT services can now be distributed to users globally. The need to nest server-side technology near the client workstation is lessening, which has led to this dramatic change in IT architecture.
This re-centralization requires greater resilience, reliability and security, since a failure of shared resources or a loss of critical data can affect an enterprise using a UDC to a large degree. At the same time, though, consolidated provisionable UDCs can more easily be engineered to eliminate single points of failure.
Another trend is the growing importance of third-party service providers. Networking enterprises are finding it advantageous to turn to service providers instead of bearing the cost of internal development, deployment, and maintenance of their own in-house systems. In areas such as global networking, service providers dominate in provisioning a commodity resource that enterprises would find difficult to develop individually. Storage service providers allow enterprises to cache data conveniently. A small, but growing, contingent of application service providers (ASPs) are now able to operate enterprise software systems. IT service providers are exploiting the opportunity to consolidate across enterprises, which allows them to be highly competitive with internal IT organizations.
The system management tools available to reliably operate and secure the resultant, necessarily complex network systems are also emerging. Constant, dynamic reprovisioning of resources to match shifting clients and client needs depends on a strong IT resource management foundation.
Even more than earlier distributed networks, provisionable data center networks are exposed to possible security lapses and even attack through the multitudinous communications links such systems entail. Because there is necessary communication within and between resources contained within the provisionable data center, as well as communication with users outside the network, the possible avenues of security failure are many.
Referring to Prior Art FIG. 1, UDC 100 is comprised of three trust domains. Each domain is separated by security technology that controls access across the trust boundary. The three trust domains are the Operations Center (OC) 110, the Utility Controller (UC) 120 and the Resource Pool 130. Resource Pool 130 contains the resources that are deployed into “farms” of dynamically provisioned computer systems, storage and networks, such as Farm A 180a, Farm B 180b, Farm C 180c and Farm D 180d. These farms comprise allocated devices. Resource Pool 130 can also contain non-allocated devices that are available for future allocation. Resource Pool 130 is an untrusted domain.
The OC 110 contains systems that permit operators to define the allocation and reallocation of resources and to perform business management for the storage service provider. The UC 120 contains systems and software for implementing operator instructions from the OC 110. The UC 120 provides the control logic to actually provision farms 180a–180d with resources and to allocate devices. The OC 110 is a high trust domain, but not as highly trusted as the UC 120 domain, and is separated from UC 120 by firewall 145. Together UC 120 and resource pool 130 constitute service core 115. The UC 120 is the most highly trusted of the trust domains.
Systems in the UC 120 and OC 110 are assigned either real or virtual disks that contain data that is important to the operation of service core 115. In order to protect the resource pool of the provisional service core 115 from a denial of service resulting from the loss or corruption of data, the utility controller 120 provides a mechanism to automatically archive and retrieve all data that is logically associated with systems in the operations center and utility controller. This archiving mechanism operates within the UC 120 and is protected by the firewall 145 of the highly trusted domain. The Operations Center (OC) and the UC are also protected by firewall 155, which separates the OC from the outside world. Cell manager 140 contains a list of the systems and files that are to be backed up and the schedules for backing up the various systems. A disk agent 150 resides on each system that is to be backed up. At an appointed backup time, cell manager 140 sends a message to disk agent 150 to begin the backup process. Cell manager 140 also sends a message to media agent 160, advising that data is about to be received. Disk agent 150 then sends the data to media agent 160 and media agent 160 forwards the data to data backup storage device 170 (e.g., tape or disk storage).
OC 110, having a lower level of trust than the Utility Controller 120, has no access to the automatic archival (or backup) and retrieval mechanism used by the UC 120 for backing up utility controller 120. Therefore, operators of the UDC wishing to back up the OC 110 data need to configure the OC 110 with its own archival storage media, such as a tape storage unit or a tape drive, that is connected to its computer systems. Software would be needed on each computer system to copy data files to the backup media on the system where the storage unit is provisioned. In order to perform a backup of the system, it would be necessary to shut down any applications that are running before the backup commences, to prevent incomplete transactions from being backed up. In addition, safeguards would be needed to prevent backup data from being lost, being restored to the wrong system, or being incorrectly associated with a system when the backup is created. Such software development is manpower intensive and expensive.
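The prior-art backup flow and the safeguards named above can be modeled in a few lines. This is an added illustration, not code from the document: the class and system names, the digest binding, and the rejection of unannounced transfers are assumptions chosen to show how an archive can be tied to its originating system and how an OC system is refused by the UC-only mechanism.

```python
import hashlib
from dataclasses import dataclass, field

ARCHIVE_DOMAINS = {"UC"}  # per the text, only the UC domain reaches the archive

@dataclass
class MediaAgent:
    store: dict = field(default_factory=dict)     # stands in for storage device 170
    expecting: set = field(default_factory=set)
    def announce(self, system_id):                # "data is about to be received"
        self.expecting.add(system_id)
    def receive(self, system_id, data):
        if system_id not in self.expecting:       # assumed safeguard: no unannounced data
            raise PermissionError(f"unannounced backup from {system_id}")
        self.expecting.discard(system_id)
        # Key the archive by source system and keep a digest for restore checks.
        self.store[system_id] = (hashlib.sha256(data).hexdigest(), data)
    def restore(self, system_id):
        digest, data = self.store[system_id]      # KeyError: no archive for this system
        if hashlib.sha256(data).hexdigest() != digest:
            raise ValueError("archive corrupted")
        return data

@dataclass
class DiskAgent:
    system_id: str
    domain: str
    disk: bytes
    def begin_backup(self, media_agent):
        media_agent.receive(self.system_id, self.disk)

class CellManager:
    def __init__(self, media_agent):
        self.media_agent, self.log = media_agent, []
    def run_backup(self, agent):
        if agent.domain not in ARCHIVE_DOMAINS:   # OC has no access to the mechanism
            self.log.append((agent.system_id, "denied"))
            return False
        self.media_agent.announce(agent.system_id)
        agent.begin_backup(self.media_agent)
        self.log.append((agent.system_id, "archived"))
        return True

def demo():
    ma = MediaAgent()
    cm = CellManager(ma)
    uc = DiskAgent("uc-ctl-1", "UC", b"controller state")   # constructed sample
    oc = DiskAgent("oc-console-1", "OC", b"operator data")  # constructed sample
    return cm.run_backup(uc), cm.run_backup(oc), ma.restore("uc-ctl-1"), cm.log
```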