ABSTRACT

Security has become a major concern in cloud computing. Existing solutions for securing the cloud rarely take into consideration the traversal of middle-boxes, as they focus mainly on creating isolation between the different tenants. Through our project, we aim to create a cloud architecture that allows security policies to be applied per tenant. A policy consists of a sequence of middle-boxes to be traversed, as this is the way enterprises commonly secure their networks. The enforcement of security policies has to take into consideration the multi-tenant nature of the cloud, as well as node migration. We propose a method that leverages the current Software-Defined Network (SDN) architecture for efficient policy enforcement. In order to route packets through the middle-boxes, our model defines labels to apply to each flow of packets. This model provides a simple way to automatically enforce security policies while keeping them consistent despite node migration. Furthermore, we allow the network to be partitioned into different zones, each zone being ruled by a specific controller. When the source and destination VMs belong to different zones, the enforcement of security policies can be spread across those zones. We created a prototype of our model and tested it in a simulated environment. Although many aspects of our implementation would have to be improved to obtain a viable commercial solution, testing the prototype provided us with a proof of concept. In particular, it showed how the security policies remain consistent despite node migration.
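The label-based chaining described above can be illustrated with a small simulation. The code below is an added example, not the thesis's prototype or its actual design: it assumes that a tenant policy is an ordered list of middle-box kinds, that one label is allocated per distinct chain and shared by tenants with the same chain, and that the controller resolves a label into hops using the current VM placement. Under those assumptions, migrating a VM changes only the endpoint hop, and the middle-box sequence the flow traverses stays the same. All host, VM and middle-box names are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CloudSim:
    """Toy model of a single SDN zone: placement, middle-boxes, tenant policies, labels."""

    # VM name -> host it currently runs on (this is what a migration changes)
    placement: Dict[str, str] = field(default_factory=dict)
    # middle-box name -> (kind, host it runs on)
    middleboxes: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    # tenant -> ordered list of middle-box kinds its traffic must traverse
    policies: Dict[str, List[str]] = field(default_factory=dict)
    # label value -> chain of kinds; one label per distinct chain (assumed design)
    labels: Dict[int, Tuple[str, ...]] = field(default_factory=dict)

    def label_for(self, tenant: str) -> int:
        """Return the label for the tenant's chain, allocating a new one if needed."""
        chain = tuple(self.policies.get(tenant, []))
        for lbl, existing in self.labels.items():
            if existing == chain:
                return lbl
        lbl = len(self.labels) + 1
        self.labels[lbl] = chain
        return lbl

    def route(self, tenant: str, src_vm: str, dst_vm: str) -> List[Tuple[str, str]]:
        """Resolve the flow's label into the (host, element) hops the packet visits.

        The label carries only the chain of kinds; concrete middle-box instances and
        endpoint hosts are looked up at resolution time, so a migrated VM is found at
        its new host without the label or the policy changing.
        """
        chain = self.labels[self.label_for(tenant)]
        hops = [(self.placement[src_vm], src_vm)]
        for kind in chain:
            candidates = [name for name, (k, _) in self.middleboxes.items() if k == kind]
            if not candidates:
                # Fail closed: a missing middle-box must not silently shorten the chain
                raise LookupError(f"no middle-box of kind {kind!r} for tenant {tenant}")
            name = candidates[0]  # first instance; a real controller would pick by load/locality
            hops.append((self.middleboxes[name][1], name))
        hops.append((self.placement[dst_vm], dst_vm))
        return hops

    def middlebox_sequence(self, tenant: str, src_vm: str, dst_vm: str) -> List[str]:
        """The middle-boxes actually traversed, without the two endpoint hops."""
        return [element for _, element in self.route(tenant, src_vm, dst_vm)[1:-1]]

    def migrate(self, vm: str, new_host: str) -> None:
        """Move a VM; no policy or label is touched, only the placement table."""
        self.placement[vm] = new_host


def build_demo() -> CloudSim:
    """Constructed sample deployment: two tenants, three middle-boxes, four hosts."""
    sim = CloudSim()
    sim.placement.update({"web-A": "host1", "db-A": "host2", "web-B": "host1", "db-B": "host2"})
    sim.middleboxes.update({
        "fw1": ("firewall", "host3"),
        "ids1": ("ids", "host3"),
        "lb1": ("loadbalancer", "host4"),
    })
    sim.policies.update({
        "tenantA": ["firewall", "ids"],   # tenant A wants firewall then IDS
        "tenantB": ["firewall"],          # tenant B only wants the firewall
        "tenantC": ["firewall"],          # same chain as B -> shares B's label
    })
    return sim


if __name__ == "__main__":
    sim = build_demo()
    print("before:", sim.route("tenantA", "web-A", "db-A"))
    sim.migrate("db-A", "host5")
    print("after: ", sim.route("tenantA", "web-A", "db-A"))
```

Running the module prints the hop list for tenant A before and after `db-A` is migrated; the firewall and IDS hops are identical in both, and only the final hop moves from `host2` to `host5`.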