One of the main cloud models is Infrastructure as a Service (IaaS), in which compute, storage, and network resources are provided to tenants in the form of virtual machines and virtual networks. Organizations outsource part of their information systems to virtual infrastructures hosted on the physical infrastructure of the cloud provider. Although shifting to the cloud can provide significant cost and efficiency gains, security remains one of the main concerns in the adoption of the cloud model, as clouds are subject to both external and internal attacks. In this talk I will first present an overview of the INDIC project on security monitoring as a service in IaaS clouds. Our goal in this project is to enable the IaaS cloud operator to integrate security monitoring terms in its SLAs (a form of Security as a Service). A client organization should be able to simply specify its needs in terms of security monitoring (the vulnerabilities to monitor) and define, in its contract with the cloud operator, a trade-off between the efficiency of security monitoring and its costs (e.g. degradation of functional performance, allocation of shared resources). The cloud operator should therefore have a service that, from the client organization's SLAs, automatically configures the security monitoring components under its control, and automatically adapts them to reconfigurations of the virtualized infrastructures. The dynamic behavior of a cloud environment affects the ability of a cloud security monitoring framework to successfully detect attacks and preserve the integrity of the cloud infrastructure. In the second part of the talk I will focus on the design and implementation of a self-adaptable security monitoring framework that reacts to dynamic events occurring in a cloud infrastructure and adapts its components in order to guarantee that an adequate level of security monitoring is achieved for tenants' virtual infrastructures.
The framework should be able to guarantee that adequate monitoring is provided for the types of threats a tenant requests. Deploying such a framework should not add new vulnerabilities to the monitored virtual infrastructure or to the provider's infrastructure, and should not significantly impact the trade-off between security and cost for either tenants or the provider. We have designed, implemented, and evaluated a generic self-adaptable security monitoring framework and two instantiations of it, with intrusion detection systems (SAIDS) and with firewalls (AL-SAFE). Our self-adaptable security monitoring framework is able to alter the configuration of its components and adapt the amount of computational resources available to them depending on the type of dynamic event that occurs in the cloud infrastructure. The framework achieves self-adaptation and tenant-driven customization while maintaining an adequate level of security monitoring throughout the adaptation process. The first instantiation of the framework focuses on network-based intrusion detection systems (NIDS). SAIDS achieves the core framework's objectives while providing a scalable solution for serving parallel adaptation requests; it scales with the load of monitored traffic and the size of the virtual infrastructure. The second instantiation of the framework focuses on application-level firewalls. AL-SAFE uses virtual machine introspection to build a secure application-level firewall that operates outside the monitored VM but retains inside-the-VM visibility. It follows a periodic introspection strategy and lets the tenant specify the introspection period. We will present experimental results showing the ability of SAIDS and AL-SAFE to offer a balanced trade-off between security, performance and cost.
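To make the periodic-introspection trade-off concrete, the following Python simulation is an added example and is not code from the INDIC project, SAIDS or AL-SAFE. It models a host-side packet filter whose rules are derived from snapshots of a guest's listening-socket table, as a VMI library would expose them; the guest timeline, the tenant policy, the packet trace and the names `Listener`, `IntrospectionFirewall` and `run` are all constructed for the illustration. It shows the mechanism the abstract describes: the filter runs outside the VM yet decides per port according to which guest program owns that port, and a longer introspection period lowers the number of snapshots at the cost of a longer window in which a hijacked port keeps its stale allow rule.

```python
"""Added illustration of an out-of-VM, introspection-driven application-level
firewall with a tenant-chosen introspection period. Hypothetical code, not
the AL-SAFE implementation; guest data, policy and packets are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    pid: int
    comm: str   # process name as it would be read from the guest task list
    port: int   # TCP port the process is listening on


# Constructed guest timeline: what a VMI read of the socket table would return
# at virtual time t. At t=30 nginx is gone and an unknown process owns port 80.
GUEST_TIMELINE = {
    0:  frozenset({Listener(1, "sshd", 22), Listener(2, "nginx", 80)}),
    30: frozenset({Listener(1, "sshd", 22), Listener(7, "ncat", 80)}),
}

# Tenant policy: which guest program may accept traffic on which port.
POLICY = frozenset({("sshd", 22), ("nginx", 80)})

# Constructed packet trace seen by the host-side filter: (time, dst_port).
PACKETS = [(5, 80), (45, 80), (65, 80), (70, 22)]


def introspect(t):
    """Stand-in for the VMI read: latest guest snapshot taken at or before t."""
    latest = max(ts for ts in GUEST_TIMELINE if ts <= t)
    return GUEST_TIMELINE[latest]


class IntrospectionFirewall:
    """Packet filter that lives on the host, outside the monitored VM.

    Its allow rules are (port -> owning program) as of the last snapshot,
    refreshed every `period` time units. The guest cannot tamper with the
    filter, but a change of port owner is only seen at the next snapshot.
    """

    def __init__(self, policy, period):
        self.policy = policy
        self.period = period
        self.port_owner = {}      # port -> comm from the last snapshot
        self.last_sync = None     # time of the last snapshot taken
        self.introspections = 0   # cost counter: snapshots taken so far
        self.alerts = []          # (time, comm, port) first seen off-policy
        self._alerted = set()

    def _maybe_sync(self, t):
        # Snapshots are scheduled at multiples of the period (0, p, 2p, ...);
        # take the most recent scheduled one if it has not been taken yet.
        due = (t // self.period) * self.period
        if self.last_sync is not None and due <= self.last_sync:
            return
        self.last_sync = due
        self.introspections += 1
        self.port_owner = {ln.port: ln.comm for ln in introspect(due)}
        for port, comm in self.port_owner.items():
            key = (comm, port)
            if key not in self.policy and key not in self._alerted:
                self._alerted.add(key)
                self.alerts.append((due, comm, port))

    def decide(self, t, dst_port):
        """Verdict for an inbound packet to dst_port arriving at time t."""
        self._maybe_sync(t)
        owner = self.port_owner.get(dst_port)
        allowed = owner is not None and (owner, dst_port) in self.policy
        return "ALLOW" if allowed else "DROP"


def run(period):
    """Replay the packet trace with a given introspection period.

    Returns (verdicts, number_of_snapshots, alerts)."""
    fw = IntrospectionFirewall(POLICY, period)
    verdicts = [(t, port, fw.decide(t, port)) for t, port in PACKETS]
    return verdicts, fw.introspections, fw.alerts


if __name__ == "__main__":
    for period in (60, 10):
        verdicts, cost, alerts = run(period)
        print(f"period={period}: {cost} snapshots, alerts={alerts}")
        for t, port, verdict in verdicts:
            print(f"  t={t:3d} dst_port={port}: {verdict}")
```

With a period of 60 the packet to port 80 at t=45 is still allowed although nginx was replaced at t=30, and the hijack is only reported at t=60; with a period of 10 it is caught at t=40, but twice as many snapshots are taken over the same trace. That is the knob the abstract hands to the tenant: the period is an upper bound on how long a stale rule can survive, and it sets how often the hypervisor pays for an introspection.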
