Bringing compliance to the cloud

Revolutionizing cloud and 5G security compliance with Concordia University

5G networks are now a reality as they are being deployed by several carriers around the world. To unlock its full potential, 5G relies on technological advancements such as Cloud, virtualization and softwarization. Given the complexity, flexibility and elasticity inherent to these technologies, providing evidence of end-to-end compliance (the process known as security compliance auditing) can be challenging. In collaboration with Montreal-based Concordia University, Ericsson Security Research is leveraging its previous collaborations on Cloud Security Compliance auditing to tackle new issues in NFV/SDN domains – a move which is critical to the future of the Internet of Things (IoT).


A fusion of expertise

Established in 2002, the Concordia Institute for Information System Engineering (CIISE) offers graduate programs in information system security. With a total of 65 cybersecurity researchers, including 10 professors, 55 graduate students and postdoctoral fellows and high levels of funding, the Institute is a thriving environment for interdisciplinary research.

The collaboration fuses Ericsson's strong tradition of security research and development with Concordia's advanced capabilities within information systems engineering and cyber security in the field of cloud computing.

The two organizations began discussing the project after it became clear that there was a need for a new set of tools that could manage security compliance within the cloud.

Typically, traditional IT security auditing involves the manual generation and inspection of regularly created reports. However, the characteristics of the cloud make this technique time consuming and costly.

For example, the presence of multiple layers means that, using traditional techniques, each layer has to be independently verified and the results correlated. In addition, current practices, such as manual network topology verification, are ineffective in an environment that dynamically changes and where tenants share resources.

people looking at laptop

Security expectations drive cutting-edge research in cloud

Read this earlier blog post by Prof. Mourad Debbabi for more background.

Exploring new solutions for the cloud

The project officially began in 2015 with an exploration of user authentication and ownership in the cloud. Then, in 2016, the focus moved to a key issue faced by cloud service providers: verification of network isolation.

One of the results of this part of the project was an innovative new solution, TenantGuard – a scalable system for verifying cloud-wide VM-level network isolation at runtime. Published in the NDSS Symposium 2017, TenantGuard:

  • Takes advantage of the hierarchical structure found in most virtual networks to reduce performance overhead
  • Adopts a top-down approach, by first performing verification at the IP prefix level, and then propagating the partial results down to the VM-level
  • Leverages existing cloud policy services to check isolation results against tenant-specific high-level security policies

The ultimate aim of the project was to develop a toolkit of scalable, automated and efficient security auditing and compliance verification algorithms that meet the needs of the cloud.

The first stage of the collaboration has been successfully executed, resulting in a number of published papers and sparking interest within the industry and security research communities. Significantly, successful proofs-of-concept have also been performed, with the developed algorithms prototyped into OpenStack cloud management systems. 

people discussing

Security compliance in 5G

The next stage of the research collaboration will focus on getting closer to the requirements for security auditing and compliance within 5G systems – which will raise new challenges, such as those related to Network Functions Virtualization (NFV), a key technology in 5G.

In particular, a key goal for this stage will be achieving near real-time compliance-driven security monitoring, attack prevention, detection and mitigation solutions. This will be an important feature of future solutions if they are to keep up with the high speeds of 5G.

The results of this research will be highly significant for the industry. From robotics to self-driving cars, 5G will be a critical enabler of many IoT use cases – and all will need to provide evidence that they meet security requirements.

By addressing compliance challenges in cloud and 5G, Ericsson and Concordia University are helping to make a secure, connected future a reality.

Robot in a kitchen

Securing the cloud with compliance auditing

Read more in this  Ericsson Technology Review article.