Journal of Computer Security 18 (2010) 89–121
DOI 10.3233/JCS-2010-0376
IOS Press

Towards automated security policy enforcement in multi-tenant virtual data centers

Serdar Cabuk a, Chris I. Dalton a, Konrad Eriksson b, Dirk Kuhlmann a, HariGovind V. Ramasamy c, Gianluca Ramunno d, Ahmad-Reza Sadeghi e, Matthias Schunter b and Christian Stüble f

a Hewlett–Packard Labs, Bristol, UK. E-mails: serdar.cabuk@gmail.com, {cid,dirk.kuhlmann}@hp.com
b IBM Zurich Research Laboratory, Rüschlikon, Switzerland. E-mails: {kon,mts}@zurich.ibm.com
c IBM T. J. Watson Research Center, Hawthorne, NY, USA. E-mail: hvramasa@us.ibm.com
d Politecnico di Torino, Turin, Italy. E-mail: ramunno@polito.it
e Ruhr-University Bochum, Germany. E-mail: ahmad.sadeghi@trust.rub.de
f Sirrix AG Security Technologies, Bochum, Germany. E-mail: stueble@sirrix.com

Virtual data centers allow the hosting of virtualized infrastructures (networks, storage, machines) that belong to several customers on the same physical infrastructure. Virtualization theoretically provides the capability for sharing the infrastructure among different customers. In reality, however, this is rarely (if ever) done because of security concerns. A major challenge in allaying such concerns is the enforcement of appropriate customer isolation as specified by high-level security policies. At the core of this challenge is the correct configuration of all shared resources on multiple machines to achieve this overall security objective. To address this challenge, this paper presents a security architecture for virtual data centers based on virtualization and Trusted Computing technologies. Our architecture aims at automating the instantiation of a virtual infrastructure while automatically deploying the corresponding security mechanisms. This deployment is driven by a global isolation policy, and thus guarantees overall customer isolation across all resources. We have implemented a prototype of the architecture based on the Xen hypervisor.

Keywords: Virtualization, virtual networks, trusted computing, trusted virtual domain, virtual data center

1. Introduction

Hardware virtualization is enjoying a resurgence of interest fueled in part by its cost-saving potential in data centers. By allowing multiple Virtual Machines (VMs) to be hosted on a single physical server, virtualization helps improve server utilization, reduces management and power costs, and controls the problem of server sprawl.

0926-227X/10/$27.50 © 2010 – IOS Press and the authors. All rights reserved
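The abstract's central point is that customer isolation must hold across every shared resource on every machine, and that the only reliable way to get there is to derive each host's configuration from one global isolation policy rather than configuring hosts by hand. The following Python example, added here and not taken from the paper or its Xen prototype, illustrates that idea in miniature: a global policy over tenant domains is compiled into per-host network configuration (bridges, VLAN tags, inter-domain firewall rules), an independent checker verifies a deployed configuration against the same policy, and a canonical digest of each host's configuration is computed so that a value reported by an attestation mechanism could be compared with what the compiler intended. The domain labels, host names, bridge naming scheme, VLAN numbering and sample VMs are all constructed assumptions for the example; the paper's real policy language and enforcement points are not reproduced.

```python
"""Added illustration (not the paper's code): compiling a global tenant-isolation
policy into per-host configuration and checking deployed configuration against it.

Domain labels, hosts, bridge naming and VLAN numbering are constructed
assumptions for this example.
"""
import hashlib
import json
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VM:
    name: str
    host: str      # physical machine hosting the VM
    domain: str    # tenant / trusted virtual domain the VM belongs to


@dataclass
class IsolationPolicy:
    """Global policy: every tenant domain is isolated by default; only the
    listed unordered domain pairs may exchange traffic."""
    domains: set
    allowed_flows: set = field(default_factory=set)  # set of frozenset({d1, d2})

    def permits(self, d1, d2):
        return d1 == d2 or frozenset((d1, d2)) in self.allowed_flows


def compile_host_configs(policy, vms):
    """Derive the per-host network configuration implied by the global policy:
    one bridge and VLAN tag per domain present on the host, each VM NIC bound
    to its own domain's bridge, and pairwise inter-bridge firewall rules
    (default DROP, ACCEPT only where the policy allows the flow)."""
    vlan_of = {d: 100 + i for i, d in enumerate(sorted(policy.domains))}
    configs = {}
    for vm in vms:
        if vm.domain not in policy.domains:
            raise ValueError(f"{vm.name}: unknown domain {vm.domain!r}")
        cfg = configs.setdefault(vm.host, {"bridges": {}, "vm_nics": {}, "firewall": []})
        bridge = f"br-{vm.domain}"
        cfg["bridges"][bridge] = vlan_of[vm.domain]
        cfg["vm_nics"][vm.name] = bridge
    for cfg in configs.values():
        bridges = sorted(cfg["bridges"])
        for i, b1 in enumerate(bridges):
            for b2 in bridges[i + 1:]:
                d1, d2 = b1.removeprefix("br-"), b2.removeprefix("br-")
                cfg["firewall"].append((b1, b2, "ACCEPT" if policy.permits(d1, d2) else "DROP"))
    return configs


def check_isolation(policy, vms, host_configs):
    """Independent check of a (possibly tampered or mis-deployed) configuration
    against the global policy. Returns a list of human-readable violations;
    an empty list means every host honours the isolation policy."""
    by_name = {vm.name: vm for vm in vms}
    violations = []
    for host, cfg in host_configs.items():
        for vm_name, bridge in cfg["vm_nics"].items():
            owner = bridge.removeprefix("br-")
            if owner != by_name[vm_name].domain:
                violations.append(f"{host}: {vm_name} ({by_name[vm_name].domain}) attached to {bridge}")
        for b1, b2, action in cfg["firewall"]:
            d1, d2 = b1.removeprefix("br-"), b2.removeprefix("br-")
            if action == "ACCEPT" and not policy.permits(d1, d2):
                violations.append(f"{host}: flow {d1}<->{d2} accepted but not permitted by policy")
    return violations


def config_digest(cfg):
    """Canonical SHA-256 of one host's configuration. A measured configuration
    reported by an attestation mechanism can be compared against the digest of
    what the compiler intended to deploy."""
    canonical = json.dumps(cfg, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


# Constructed sample: two tenants sharing host1, tenant A also present on host2.
POLICY = IsolationPolicy(domains={"A", "B"})
VMS = [VM("web-a", "host1", "A"), VM("db-a", "host2", "A"), VM("web-b", "host1", "B")]


def demo():
    """Compile, check the clean result, then check a deliberately broken copy."""
    configs = compile_host_configs(POLICY, VMS)
    clean = check_isolation(POLICY, VMS, configs)
    # Simulated deployment error: tenant B's VM plugged into tenant A's bridge.
    tampered = json.loads(json.dumps(configs))
    tampered["host1"]["vm_nics"]["web-b"] = "br-A"
    broken = check_isolation(POLICY, VMS, tampered)
    return configs, clean, broken


if __name__ == "__main__":
    configs, clean, broken = demo()
    for host, cfg in configs.items():
        print(host, config_digest(cfg), cfg)
    print("clean:", clean)
    print("tampered:", broken)
```

The compiler and the checker share only the policy object, not the configuration code, so a bug in the compiler or a change made on the host after deployment shows up as a violation rather than being silently accepted; the digest is what a verifier would pin against a host's attested configuration report.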
A large number of the companies that outsource their operations are small and medium businesses (SMBs) that cannot afford the costs of a dedicated data center in which all the data center's resources are used to host a single company's IT infrastructure. Hence, the IT infrastructure belonging to multiple SMBs may be hosted inside the same data center facility. Today, even such "shared" data centers operate in the so-called physical cages