An Interaction-based Software-Defined Security Model and Platform to secure cloud resources

Publication Type:
Issue Date:
Full metadata record
Cloud computing has transformed a large portion of the IT industry through its ability to provision infrastructure resources – computing, networking, storage, and software– as services. Transferring to such an infrastructure relies on virtualization and its dynamic construction ability to spread over a geographical area. The challenge is in finding effective mechanisms for isolating security issues in cloud infrastructure. Isolation implies creating security boundaries for protecting cloud assets at different levels of a cloud security architecture. Building security boundaries is critical not only for recognizing security violations but also for creating security solutions. However, it is challenging as virtual boundaries are not as clear-cut as physical boundaries in traditional infrastructure. The difficulty rises as virtual boundaries among components are not well defined and often undefined, and hence they are not visible/controllable by the providers. Additionally, defining object boundaries is extremely difficult because virtual objects are dynamic in both characteristics and functionality. Many efforts have been made to address security isolation challenges, but no attempt has been made to consider an overall solution to a dynamic, intelligent, programable, and on-demand security isolation system. Moreover, there is no platform/framework to deliver programmable and on-demand construction of security boundaries to protect cloud resources. We develop a new method to protect cloud infrastructure with new intelligent isolation mechanisms to detect and predict security breaks. This research applies promising new technologies, including software-defined networking and network function virtualization, in providing on-demand security services over large-scale cloud infrastructure and overcoming challenges in constructing dynamic security boundaries. To protect cloud resources, we propose a Policy-based Interaction Model and develop the Software-Defined Security Service. We develop a novel intelligent security isolation interaction algorithm to model security boundaries. To do so, we proposed a Policy-driven Interaction Model to construct dynamic security boundaries intelligently. A Software-Defined Security Service (SDS2) model was developed with three novel components, including security controller, Sec-Manage protocol, and the virtual security function. The SDS2 carries the concepts of a logically centralized security controller to provision on-demand security services. The research novelty lies in its innovative and intelligent security isolation interaction model, novel approach in detecting and predicting security violations, and constructing dynamic, programmable, and on-demand VSFs. It enables i) overall visibility on security boundaries within the cloud infrastructure, ii) the automation of provisioning security services on-demand, iii) a proactive security technique against security interaction violations, iv) separation of security services for both cloud providers and tenants.
Please use this identifier to cite or link to this item: