Towards a Software-Defined Security Framework for Supporting Distributed Cloud

Compastié, Maxime; Badonnel, Rémi; Festor, Olivier; He, Ruichun; Kassi-Lahlou, Mohamed

doi:10.1007/978-3-319-60774-0_4

Cited by 5 publications

(5 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The software-defined security concept [ 34 ] sets out to uncouple the security management from the resources needing protection to propose unified security supervision. In [ 35 ], the authors applied this approach to multi-tenant and multi-cloud infrastructures by leveraging the programmability of security enforcers.…”

Section: Related Workmentioning

confidence: 99%

PALANTIR: An NFV-Based Security-as-a-Service Approach for Automating Threat Mitigation

Compastié

Martínez

Fernández

et al. 2023

Sensors

Self Cite

View full text Add to dashboard Cite

Small and medium enterprises are significantly hampered by cyber-threats as they have inherently limited skills and financial capacities to anticipate, prevent, and handle security incidents. The EU-funded PALANTIR project aims at facilitating the outsourcing of the security supervision to external providers to relieve SMEs/MEs from this burden. However, good practices for the operation of SME/ME assets involve avoiding their exposure to external parties, which requires a tightly defined and timely enforced security policy when resources span across the cloud continuum and need interactions. This paper proposes an innovative architecture extending Network Function Virtualisation to externalise and automate threat mitigation and remediation in cloud, edge, and on-premises environments. Our contributions include an ontology for the decision-making process, a Fault-and-Breach-Management-based remediation policy model, a framework conducting remediation actions, and a set of deployment models adapted to the constraints of cloud, edge, and on-premises environment(s). Finally, we also detail an implementation prototype of the framework serving as evaluation material.

show abstract

Section: Related Workmentioning

confidence: 99%

PALANTIR: An NFV-Based Security-as-a-Service Approach for Automating Threat Mitigation

Compastié

Martínez

Fernández

et al. 2023

Sensors

Self Cite

View full text Add to dashboard Cite

show abstract

“…Approaches such as [7] support modular security functions that can be then composed into security chains to protect resources, but are often limited to specific enforcers. We showed in our previous work [3] an architecture for programmable security mechanisms in cloud infrastructures. It relies on the generation of specific resources based on unikernels, that integrate security mechanisms [4].…”

Section: Related Workmentioning

confidence: 99%

“…The first one corresponds to the control plane which takes charge of security decisions, while the second one stands for the resource plane which includes the resources to be protected together with dedicated programmable security mechanisms (such as firewalls, intrusion detection systems, control access mechanisms) [2]. We have already analyzed the feasibility of such a security programmability layer for addressing multi-cloud and multi-tenant environments, through different realistic scenarios in [3]. The foundation of this layer relies on the SDSec logic to express and propagate security policies to the considered cloud resources, and on the autonomic paradigm to dynamically configure and adjust these mechanisms to distributed cloud constraints.…”

Section: Introductionmentioning

confidence: 99%

A TOSCA-Oriented Software-Defined Security Approach for Unikernel-Based Protected Clouds

Compastié

Badonnel

Festor

et al. 2019

2019 IEEE Conference on Network Softwarization (NetSoft)

Self Cite

View full text Add to dashboard Cite

“…The author of [6] proposes a cloud management framework caping with multi-tenancy, but this one is limited to access control policies and cannot support other security mechanisms. We have already argued in favor of a SDSec framework for distributed computing in [7] where we described the main building blocks and analyzed its benefits.…”

Section: Related Workmentioning

confidence: 99%

Unikernel-based approach for software-defined security in cloud infrastructures

Compastié

Badonnel

Festor

et al. 2018

NOMS 2018 - 2018 IEEE/IFIP Network Operations and Management Symposium

Self Cite

View full text Add to dashboard Cite

The heterogeneity of cloud resources implies substantial overhead to deploy and configure adequate security mechanisms. In that context, we propose a software-defined security strategy based on unikernels to support the protection of cloud infrastructures. This approach permits to address management issues by uncoupling security policy from their enforcement through programmable security interfaces. It also takes benefits from unikernel virtualization properties to support this enforcement and provide resources with low attack surface. These resources correspond to highly constrained configurations with the strict minimum for a given period. We describe the management framework supporting this software-defined security strategy, formalizing the generation of unikernel images that are dynamically built to comply with security requirements over time. Through an implementation based on MirageOS, and extensive experiments, we show that the cost induced by our security integration mechanisms is small while the gains in limiting the security exposure are high.

show abstract

Towards a Software-Defined Security Framework for Supporting Distributed Cloud

Cited by 5 publications

References 11 publications

PALANTIR: An NFV-Based Security-as-a-Service Approach for Automating Threat Mitigation

PALANTIR: An NFV-Based Security-as-a-Service Approach for Automating Threat Mitigation

A TOSCA-Oriented Software-Defined Security Approach for Unikernel-Based Protected Clouds

Unikernel-based approach for software-defined security in cloud infrastructures

Contact Info

Product

Resources

About