Presentation is loading. Please wait.

Presentation is loading. Please wait.

11 World-Leading Research with Real-World Impact! Constraints Specification for Virtual Resource Orchestration in Cloud IaaS Constraints Specification.

Published byLizbeth Douglas Modified over 9 years ago

Similar presentations

Presentation on theme: "11 World-Leading Research with Real-World Impact! Constraints Specification for Virtual Resource Orchestration in Cloud IaaS Constraints Specification."— Presentation transcript:

1 11 World-Leading Research with Real-World Impact! Constraints Specification for Virtual Resource Orchestration in Cloud IaaS Constraints Specification for Virtual Resource Orchestration in Cloud IaaS Khalid Bijon, Ram Krishnan and Ravi Sandhu University of Texas at San Antonio Institute for Cyber Security 5th ACM Conference on Data and Applications Security and Privacy (CODASPY 2015)

2 22 World-Leading Research with Real-World Impact! Outline Introduction Motivation Goal Methodology Enforcement (in Cloud IaaS) Implementation (in OpenStack) Conclusion

3 3 World-Leading Research with Real-World Impact! Introduction Three Different Mapping Types Shared Responsibility Only Consider Type-3 Mappings Complex Management Process Network Host Rack Compute Host Physical Storage Virtual Machine VM Image Virtual Network Virtual Router Virtual Storage Physical ResourcesVirtual Resources Type-1 Type-2 Type-3

4 4 World-Leading Research with Real-World Impact! Motivation Inefficient and Tedious Management Plane Manual Identification User Centric (unnecessary indirection) No Direct Misconfiguration Detection/Prevention Elevate Security Vulnerability Virtual Storage Virtual Machine ec2:AttachVolumes Policies Tenant Admin Users Specifies Tenant Users Credit: www.iconarchive.com www.consulting.ky www.acm.icpc.org Manual Detection Solution?? Figure 1

5 5 World-Leading Research with Real-World Impact! Goal Easily Manageable Type 3 Mapping High-level Policy Configure Diverse Requirements Establish Direct Relations Keep Users Out of Loop Automatically Prevent Misconfiguration Credit: www.bartley.hants.sch.uk Requirements Tenants Virtual Storage Virtual Machine

6 6 World-Leading Research with Real-World Impact! Methodology Credit: www.iconarchive.com Constraint for Mapping #1 Satisfied By Individual Virtual Resources Virtual Storage Virtual Machine VM Image Virtual Network Virtual Router Constraint Policy Mapping #2 Mapping #3 Mapping #4 Mapping #1 Constraint Policy For Each Type-3 Mappings Virtual Storage Instance i Virtual Machine Instance j Yes No Allow Mapping Deny Mapping Figure 2 Figure 3

7 7 World-Leading Research with Real-World Impact! An Attribute Based Approach Virtual Machine Attribute Specifies Virtual Resource Properties A name:value Pair Owner tenant Workload Sensitivity Level Purpose tenant: BOF tier: database Virtual Machine tier Domain database presentatio n application Codomain (Scope) Virtual Storage volumeSize ioType volumeSize: large ioType: fast Figure 4 Figure 5 Designed as Functions Figure 6

8 8 World-Leading Research with Real-World Impact! Constraint Policy A Constraint Logical Formula Compares Certain Attribute Values Simple but Powerful Hadoop Cluster 3-tier business application tier: x ioType:y Request volumeAttach If tier=database’ Then ioType=‘fast’ Constraint Format True False Virtual Storage Instance i Virtual Machine Instance j

9 9 World-Leading Research with Real-World Impact! UseCase (3-Tier System) ioType If tier=‘presentation’ Then ioTYpe!=‘fast’ Constraint 1: If a VM is for presentation layer, attaching storage’s ioType cannot be fast. Virtual Storage Virtual Machine Virtual Network Virtual Router Mapping #2 Mapping #3 Mapping #1 If tier=‘application’ Then netType=‘psNet’ Constraint 2: Only an application layer VM can connect to a virtual network which is created for passing application layer data. then netType =‘psNet’ If route=‘outer’ Or netType =‘webFront’ Constraint 3: If a router is for connecting to out-side internet, only presentation layer network or web-fornt network can connect to it. tier netType route

10 10 World-Leading Research with Real-World Impact! Enforcement Two Components Specifier and Enforcer

11 11 World-Leading Research with Real-World Impact! Specifier Implemented in OpenStack Execution of “attribute-creation” operation Similarly, Attribute-value specification Constraint Specification Attribute-value assignment Tenant Users KEYSTONE (Authentication) NOVA (Compute) VM Attribute Table 1. Get User Token 2. Request Attribute Name, Token 3. Token Revoked? 4. Verify Admin Role? 5. Enter Attribute Name and Tenant Name 6. Allow/Deny Credit: www.portalguard.com

12 12 World-Leading Research with Real-World Impact! Specifier (cont.) API Specification Rest API NameURLType att-create/v2/{tenant_id}/attributesPOST att-delete/v2/{tenant_id}/attributes/{id}DELET E att-list/v2/{tenant_id}/attributesGET att-value-set/v2/{tenant_id}/scopesPOST att-value-delete/v2/{tenant_id}/scopes/{id}DELET E att-value-get/v2/{tenant_id}/scopes/GET constraint-add/v2/{tenant_id}/constriantsPOST constraint-delete/v2/{tenant_id}/constraints/{id}DELET E constraint-get/v2/{tenant_id}/constraintsGET meta/v2/{tenant_id}/servers/ {resource_id}/metadata POST Attribute Name Attribute Value Assignment

13 13 World-Leading Research with Real-World Impact! Validation Check If tier=‘database’ Then ioType=‘fast’ Constraint Format Validity of Attribute Name and Value Tenant-Specific Attribute System or Inter-Tenant Attribute tier, database ioType, fast Tenant Specific System

14 14 World-Leading Research with Real-World Impact! Enforcer Implementation Implemented in OpenStack A Constraint Parser Invoked by Resource Mapping Operations (e.g., volume-attach) Tenant Users KEYSTONE NOVA VM Attribute Table 1. Get User Token 2. Request volume-attach with VM Id, Storage Id and Token 3. Token Revoked? 6. Verify Project of VM, Storage and User 11. Allow/Deny Storage Attribute Table Storage Table VM Table Constraint Table 4 5 7 8 9 10. Evaluate Constraint

15 15 World-Leading Research with Real-World Impact! Automated Constraint Construction Helps the tenants to find policy From Previous Configurations Configuration Log Assigned Attributes Assigned Attributes Credit: www.iconarchive.com ioType: fast Virtual Machine Virtual Storage tier: database Construct Relation between values of two attributes tier, database ioType, fast Figure 7 Figure 8

16 16 World-Leading Research with Real-World Impact! Approach Configuration Log 1. Frequent- ItemSet Mining Assigned Attributes Assigned Attributes Attribute Relations 2. Constraints Construction Constraints Frequent-ItemSet Mining Apriori Algorithm with customization for IaaS (CVRM-Apriori) Virtual Machine Virtual Storage

17 17 World-Leading Research with Real-World Impact! Evaluation Policy for VM-Network Connectivity Mapping From VM-Network Table (table virtual_interfaces in Nova, OpenStack) 10 Attributes each with 10 values 10 Virtual Networks At least three Networks per VM Mine relations between every two pair of attribute values

18 18 World-Leading Research with Real-World Impact! Conclusion Credit: www.iconarchive.com A Constraint Specification Framework Easily manageable and generic Can be applied for Misconfiguration Prevention Also, for detection (flag-generator) Automatic Generation of Constraints Requirements Tenants Future Work Flag Generator System Semantic meaning of mined Attribute Relation Improve mining (incorporate noise)

19 Language

20 20 World-Leading Research with Real-World Impact! Backup

21

22

Download ppt "11 World-Leading Research with Real-World Impact! Constraints Specification for Virtual Resource Orchestration in Cloud IaaS Constraints Specification."

Similar presentations

1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010

1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010
1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010

1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010
Institute for Cyber Security

Institute for Cyber Security
Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.

Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.
CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon.

CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks or: How to Provide Security Monitoring as a Service in Clouds? Seungwon.
Adopting Provenance-based Access Control in OpenStack Cloud IaaS October, 2014 NSS Presentation Institute for Cyber Security University of Texas at San.

Adopting Provenance-based Access Control in OpenStack Cloud IaaS October, 2014 NSS Presentation Institute for Cyber Security University of Texas at San.
An Approach to Secure Cloud Computing Architectures By Y. Serge Joseph FAU security Group February 24th, 2011.

An Approach to Secure Cloud Computing Architectures By Y. Serge Joseph FAU security Group February 24th, 2011.
1 Security on OpenStack 11/7/2013 Brian Chong – Global Technology Strategist.

1 Security on OpenStack 11/7/2013 Brian Chong – Global Technology Strategist.
Secure Cyber Incident Information Sharing UTSA Team Leads Dr. Ram Krishnan, Assistant Professor, ECE Dr. Ravi Sandhu, Executive Director, ICS April 30,

Secure Cyber Incident Information Sharing UTSA Team Leads Dr. Ram Krishnan, Assistant Professor, ECE Dr. Ravi Sandhu, Executive Director, ICS April 30,
Institute for Cyber Security Extending OpenStack Access Control with Domain Trust World-Leading Research with Real-World Impact! 1 Bo Tang and Ravi Sandhu.

Institute for Cyber Security Extending OpenStack Access Control with Domain Trust World-Leading Research with Real-World Impact! 1 Bo Tang and Ravi Sandhu.
Attribute-Based Access Control Models and Beyond

Attribute-Based Access Control Models and Beyond
1 Plenary Panel on Cloud Security and Privacy: What is new and What needs to be done? Ravi Sandhu Executive Director and Endowed Professor December 2010.

1 Plenary Panel on Cloud Security and Privacy: What is new and What needs to be done? Ravi Sandhu Executive Director and Endowed Professor December 2010.
1 Draft of a Matchmaking Service Chuang liu. 2 Matchmaking Service Matchmaking Service is a service to help service providers to advertising their service.

1 Draft of a Matchmaking Service Chuang liu. 2 Matchmaking Service Matchmaking Service is a service to help service providers to advertising their service.
1 Attribute-Based Access Control Models and Beyond Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair in Cyber.

1 Attribute-Based Access Control Models and Beyond Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair in Cyber.
Distributed Computer Security 8.2 Discretionary Access Control Models - Sai Phalgun Tatavarthy.

Distributed Computer Security 8.2 Discretionary Access Control Models - Sai Phalgun Tatavarthy.
11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.

11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.
Secure Information and Resource Sharing in CloudSecure Information and Resource Sharing in Cloud References OSAC-SID Model [1]K. Harrison and G. White.

Secure Information and Resource Sharing in CloudSecure Information and Resource Sharing in Cloud References OSAC-SID Model [1]K. Harrison and G. White.
11 World-Leading Research with Real-World Impact! A Formal Model for Isolation Management in Cloud Infrastructure-as-a-Service Khalid Zaman Bijon, Ram.

11 World-Leading Research with Real-World Impact! A Formal Model for Isolation Management in Cloud Infrastructure-as-a-Service Khalid Zaman Bijon, Ram.
System Center 2012 Setup The components of system center App Controller Data Protection Manager Operations Manager Orchestrator Service.

System Center 2012 Setup The components of system center App Controller Data Protection Manager Operations Manager Orchestrator Service.
1 A Role Based Administration Model For Attribute Xin Jin, Ram Krishnan, Ravi Sandhu SRAS, Sep 19, 2012 World-Leading Research with Real-World Impact!

1 A Role Based Administration Model For Attribute Xin Jin, Ram Krishnan, Ravi Sandhu SRAS, Sep 19, 2012 World-Leading Research with Real-World Impact!

Similar presentations

Ads by Google