Leveraging Network Functions Virtualization Orchestrators to Achieve Software-Defined Access Control in the Clouds

Network Functions Virtualization (NFV) has been widely recognized as an effective way to implement and consolidate hardware-based network functions using software-based approaches, with the potential to significantly reduce CAPEX and OPEX. In particular, NFV orchestrators (e.g., Tacker, Cloudify, and ONAP) play a vital role in managing and orchestrating virtualized network resources (e.g., VMs and Virtualized Network Functions), and TOSCA is one of the standard data models used to fulfil that role. However, it remains unclear how security mechanisms can be seamlessly integrated into the entire lifecycle of those virtualized network assets. Starting with a comparative analysis of the available NFV orchestrators, we extend the TOSCA model to incorporate security attributes of interest and leverage the extended model to create access control policies at cloud scale. Specifically, we develop a security orchestrator that contains a TOSCA parser and a novel tenant-specific access control paradigm. One of its salient features is that access control models and policies can be generated dynamically for different tenant domains, resulting in flexible and scalable protection coverage that spans multiple NFV layers and data centers. To validate its feasibility and effectiveness, we build a security orchestrator prototype and evaluate its performance with respect to throughput, scalability, and adaptability. The experimental results demonstrate that all the desired properties are achieved and that the throughput of the security orchestrator remains at a satisfactory level regardless of the number of tenants, users, or objects deployed in the cloud.
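To make the idea of deriving tenant-specific access control policies from a security-annotated TOSCA template concrete, the following Python sketch is an added illustration; it is not the paper's security orchestrator or TOSCA parser. The `security` property block, the `tenant` and `roles` keys, the role and operation names, and the node names are hypothetical and constructed for this example, and the template is embedded as an already-parsed dictionary so the code runs offline.

```python
"""Toy 'security orchestrator' step: derive per-tenant access control
policies from a TOSCA-style template carrying security attributes.

Added illustration, not the paper's implementation. The 'security'
property block is a hypothetical TOSCA extension; the template below is
constructed inline as if it had already been parsed from YAML.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set

# Constructed template: two tenants share one NFV platform. Each VNF node
# declares, in the hypothetical 'security' block, the tenant that owns it and
# which roles may invoke which lifecycle operations on it.
TEMPLATE = {
    "topology_template": {
        "node_templates": {
            "fw_vnf_a": {
                "type": "tosca.nodes.nfv.VNF",
                "properties": {
                    "security": {  # hypothetical extension, not standard TOSCA
                        "tenant": "tenant-a",
                        "roles": {
                            "netadmin": ["deploy", "scale", "terminate"],
                            "auditor": ["read"],
                        },
                    },
                },
            },
            "lb_vnf_a": {
                "type": "tosca.nodes.nfv.VNF",
                "properties": {
                    "security": {
                        "tenant": "tenant-a",
                        "roles": {"netadmin": ["deploy", "read"]},
                    },
                },
            },
            "ids_vnf_b": {
                "type": "tosca.nodes.nfv.VNF",
                "properties": {
                    "security": {
                        "tenant": "tenant-b",
                        "roles": {"netadmin": ["deploy", "read"]},
                    },
                },
            },
            # A node without a security block receives no grants at all.
            "legacy_vnf_b": {"type": "tosca.nodes.nfv.VNF", "properties": {}},
        }
    }
}


@dataclass
class TenantPolicy:
    """RBAC-style policy for one tenant: (role, node) -> permitted operations."""
    tenant: str
    grants: Dict[tuple, FrozenSet[str]] = field(default_factory=dict)
    nodes: Set[str] = field(default_factory=set)


def build_policies(template: dict) -> Dict[str, TenantPolicy]:
    """Walk node_templates and emit one TenantPolicy per tenant domain.

    Deny-by-default: only operations listed in a node's security block are
    granted, and grants are scoped to the owning tenant, so identically named
    roles in different tenants never share permissions.
    """
    policies: Dict[str, TenantPolicy] = {}
    nodes = template.get("topology_template", {}).get("node_templates", {})
    for node_name, node in nodes.items():
        sec = node.get("properties", {}).get("security")
        if not sec or "tenant" not in sec:
            continue  # unlabeled node: nobody is granted anything on it
        policy = policies.setdefault(sec["tenant"], TenantPolicy(sec["tenant"]))
        policy.nodes.add(node_name)
        for role, ops in sec.get("roles", {}).items():
            policy.grants[(role, node_name)] = frozenset(ops)
    return policies


def is_permitted(policies: Dict[str, TenantPolicy],
                 tenant: str, role: str, node: str, operation: str) -> bool:
    """Policy decision: True only if this tenant's own policy grants the operation."""
    policy = policies.get(tenant)
    if policy is None or node not in policy.nodes:
        return False  # cross-tenant or unknown node: denied
    return operation in policy.grants.get((role, node), frozenset())


if __name__ == "__main__":
    pols = build_policies(TEMPLATE)
    for tenant, p in sorted(pols.items()):
        print(tenant, sorted(p.nodes), {k: sorted(v) for k, v in p.grants.items()})
    print(is_permitted(pols, "tenant-a", "netadmin", "fw_vnf_a", "scale"))   # True
    print(is_permitted(pols, "tenant-a", "auditor", "fw_vnf_a", "scale"))    # False
    print(is_permitted(pols, "tenant-b", "netadmin", "fw_vnf_a", "deploy"))  # False
```

The policy set is regenerated from the template whenever it changes, which is what lets a new tenant or a newly onboarded VNF receive its own policy without touching other tenants' grants; the decision function stays deny-by-default and refuses any request that crosses a tenant boundary, even when the role name matches.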
