Stay Thrifty, Stay Secure: A VPN-based Assurance Framework for Hybrid Systems

2021 IEEE International Conference on Web Services (ICWS)

et al. 2021

Self Cite

The advent of cloud computing and Internet of Things (IoT) has deeply changed the design and operation of IT systems, affecting mature concepts like trust, security, and privacy. The benefits in terms of new services and applications come at a price of new fundamental risks, and the need of adapting risk management frameworks to properly understand and address them. While research on risk management is an established practice that dates back to the 90s, many of the existing frameworks do not even come close to address the intrinsic complexity and heterogeneity of modern systems. They rather target static environments and monolithic systems thus undermining their usefulness in real-world use cases. In this paper, we present an assurance-based risk management framework that addresses the requirements of risk management in modern distributed systems. The proposed framework implements a risk management process integrated with assurance techniques. Assurance techniques monitor the correct behavior of the target system, that is, the correct working of the mechanisms implemented by the organization to mitigate the risk. Flow networks compute risk mitigation and retrieve the residual risk for the organization. The performance and quality of the framework are evaluated in a simulated industry 4.0 scenario.

Section: Related Workmentioning

confidence: 99%

An Assurance-Based Risk Management Framework for Distributed Systems

2021 IEEE International Conference on Web Services (ICWS)

et al. 2021

Self Cite

“…Security assurance is defined as the mean to obtain justifiable confidence that an IT system behaves as expected demonstrating some non-functional properties (e.g., confidentiality) [3]. In the last decade, assurance has become a well-established practice, increasing the trustworthiness of service and cloud systems [3], with some methodologies addressing hybrid clouds [6] and edge systems [5]. However, hybrid cloud/edge and IoT systems raise some significant challenges, impairing the effectiveness of state of art solutions.…”

Section: Challenges and Requirements A Challengesmentioning

confidence: 99%

Towards an Assurance Framework for Edge and IoT Systems

2021 IEEE International Conference on Edge Computing (EDGE)

et al. 2021

Self Cite

Current distributed systems increasingly rely on hybrid architectures built on top of IoT, edge, and cloud, backed by dynamically configurable networking technologies like 5G. In this complex environment, traditional security governance solutions cannot provide the holistic view needed to manage these systems in an effective and efficient way. In this paper, we propose a security assurance framework for edge and IoT systems based on an advanced architecture capable of dealing with 5G-native applications.

“…We present a framework that provides a lightweight assurance solution addressing the peculiarities of modern distributed systems, mixing public endpoints on the cloud, microservices, and private deployments not directly reachable from the outside (e.g., traditional private corporate networks and private clouds). The framework has been first defined in [4] and here extended to address requirements complementarity and automation. The original framework in [4], offering only a graphical dashboard, constrained the ability to integrate framework's functionalities with existing security processes, and to trigger such functionalities in a automated way.…”

Section: Assurance Frameworkmentioning

confidence: 99%

“…The framework has been first defined in [4] and here extended to address requirements complementarity and automation. The original framework in [4], offering only a graphical dashboard, constrained the ability to integrate framework's functionalities with existing security processes, and to trigger such functionalities in a automated way. To address all requirements in Section 2, it adopts a layer-3 VPN that connects the framework with the private deployments under verification (i.e., the target networks), and offers a REST API providing full and programmatic access to framework's functionalities.…”

Section: Assurance Frameworkmentioning

confidence: 99%

“…In this paper, we extend our assurance framework in [4] enabling a centralized security assurance, complementing existing security processes and systems, and providing automation of assurance activities. The framework implements an API-based approach facilitating integration and automation, and relies on Virtual Private Networks (VPNs) to target both public and private infrastructures.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

An Assurance Framework and Process for Hybrid Systems

E-Business and Telecommunications

et al. 2021

Self Cite

Security assurance is a discipline aiming to demonstrate that a target system holds some non-functional properties and behaves as expected. These techniques have been recently applied to the cloud, facing some critical issues especially when integrated within existing security processes and executed in a programmatic way. Furthermore, they pose significant costs when hybrid systems, mixing public and private infrastructures, are considered. In this paper, we a present an assurance framework that implements an assurance process evaluating the trustworthiness of hybrid systems. The framework builds on a standard API-based interface supporting full and programmatic access to the functionalities of the framework. The process provides a transparent, non-invasive and automatic solution that does not interfere with the working of the target system. It builds on a Virtual Private Network (VPN)-based solution, to provide a smooth integration with target systems, in particular those mixing public and private clouds and corporate networks. A detailed walkthrough of the process along with a performance evaluation of the framework in a simulated scenario are presented.