TY - GEN
T1 - Security-as-a-service for microservices-based cloud applications
AU - Sun, Yuqiong
AU - Nanda, Susanta
AU - Jaeger, Trent
N1 - Publisher Copyright:
© 2015 IEEE.
PY - 2016/2/1
Y1 - 2016/2/1
AB - Microservice architecture allows different parts of an application to be developed, deployed and scaled independently, and is therefore becoming a trend for developing cloud applications. However, it comes with challenging security issues. First, the network complexity introduced by the large number of microservices greatly increases the difficulty of monitoring the security of the entire application. Second, microservices are often designed to completely trust each other, so the compromise of a single microservice may bring down the entire application. These problems are only exacerbated by the cloud, since applications no longer have complete control over their networks. In this paper, we propose a design for security-as-a-service for microservices-based cloud applications. By adding a new API primitive, FlowTap, to the network hypervisor, we build a flexible monitoring and policy enforcement infrastructure for network traffic to secure cloud applications. We demonstrate the effectiveness of our solution by deploying the Bro network monitor using FlowTap. Results show that our solution is flexible enough to support various kinds of monitoring scenarios and policies and that it incurs minimal overhead (~6%) for real-world usage. As a result, cloud applications can leverage our solution to deploy network security monitors that flexibly detect and block threats both external and internal to their network.
UR - http://www.scopus.com/inward/record.url?scp=84964318260&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84964318260&partnerID=8YFLogxK
U2 - 10.1109/CloudCom.2015.93
DO - 10.1109/CloudCom.2015.93
M3 - Conference contribution
AN - SCOPUS:84964318260
T3 - Proceedings - IEEE 7th International Conference on Cloud Computing Technology and Science, CloudCom 2015
SP - 50
EP - 57
BT - Proceedings - IEEE 7th International Conference on Cloud Computing Technology and Science, CloudCom 2015
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 7th IEEE International Conference on Cloud Computing Technology and Science, CloudCom 2015
Y2 - 30 November 2015 through 3 December 2015
ER -