Preservation of Security Configurations in the Cloud
A. Eghtesadi, Yosr Jarraya, M. Debbabi, M. Pourzandi
2014 IEEE International Conference on Cloud Engineering, 2014-03-11
DOI: 10.1109/IC2E.2014.14 (https://doi.org/10.1109/IC2E.2014.14)
Citations: 6
Abstract
The dynamic and elastic nature of cloud computing introduces new security challenges when it comes to maintaining consistent security configurations. This is emphasized by the fact that virtual machines are abruptly migrated between physical hosts, in the same or even in different data centers under different security policies. If security is not correctly enforced at the destination locations, and not properly updated in the source locations, security of the migrating virtual machine as well as the co-located machines can be compromised. In this paper, we intend to tackle this problem, specifically for intrusion detection/prevention and VPN/IPsec as main security mechanisms. More precisely, we propose a systematic verification approach to check the compliance of security configurations. To this end, we first elaborate on two properties, namely intrusion monitoring configuration preservation and VPN/IPsec protection configuration preservation. Then, we derive a set of formulas that compare security configurations before and after migration. This allows reasoning on whether the aforementioned security properties hold. To this end, we encode these formulas as constraint satisfaction problems. The obtained constraints are then submitted to a constraint solver, namely Sugar, in order to verify the properties and to pinpoint potential misconfiguration problems.