Keywords: cloud infrastructure, security policies, security isolation, security boundaries, interaction
The ever-increasing number and severity of cyberattacks against cloud assets, together with the introduction of new technologies, have brought about many severe cloud security issues. The main challenge is finding effective mechanisms for constructing dynamic isolation boundaries that secure cloud assets at the different levels of the cloud infrastructure. Our security architecture tackles these issues by introducing a policy-driven interaction model. The model is governed by cloud system security policies and constrained by the locations and levels of the interacting cloud entities. Security policies are used to construct security boundaries between cloud objects at the level at which they interact. The novel interaction model relies on its unique parameters to develop an agile mechanism for detecting and predicting security threats against cloud resources. The proposed policy-based interaction model and its interaction security algorithms are developed to protect cloud resources. The model deals with external and internal interactions among entities that represent diverse participating elements of different complexity levels in a cloud environment. We build a security controller and simulate various scenarios to test the proposed interaction model and security algorithms.