As an increasing number of organizations move data to the cloud and offer cloud services, cloud security has fallen under the spotlight. Many of these organizations – from governments to vehicle manufacturers – are highly regulated. Considering the complexity of the cloud environment, providing evidence of conformity to security-related requirements (the process known as security compliance auditing) is challenging. In collaboration with the Montreal-based Concordia Institute for Information Systems Engineering (CIISE), Ericsson Security Research is tackling this issue– a move which is critical to the future of the Internet of Things (IoT).
A fusion of expertise
Established in 2002, CIISE offers graduate programs in information system security. With 16 permanent researchers, hundreds of graduate students and high levels of funding, the Institute is a thriving environment for interdisciplinary research.
The collaboration fuses Ericsson's strong tradition of security research and development with CIISE's advanced capabilities within information systems engineering and cyber security in the field of cloud computing.
The two organizations began discussing the project after it became clear that there was a need for a new set of tools that could manage security compliance within the cloud.
Typically, traditional IT security auditing involves the manual generation and inspection of regularly created reports. However, the characteristics of the cloud make this technique time consuming and costly.
For example, the presence of multiple layers means that, using traditional techniques, each layer has to be independently verified and the results correlated. In addition, current practices, such as manual network topology verification, are ineffective in an environment that dynamically changes and where tenants share resources.
Exploring new solutions
The project officially began in 2015 with an exploration of user authentication and ownership in the cloud. Then, in 2016, the focus moved to a key issue faced by cloud service providers: verification of network isolation.
One of the results of this part of the project was an innovative new solution, TenantGuard – a scalable system for verifying cloud-wide VM-level network isolation at runtime. Published in the NDSS Symposium 2017, TenantGuard:
- Takes advantage of the hierarchical structure found in most virtual networks to reduce performance overhead
- Adopts a top-down approach, by first performing verification at the IP prefix level, and then propagating the partial results down to the VM-level
- Leverages existing cloud policy services to check isolation results against tenant-specific high-level security policies
The ultimate aim of the project is to develop a toolkit of scalable, automated and efficient security auditing and compliance verification algorithms that meet the needs of the cloud.
So far, it's been a great success, resulting in a number of published papers and sparking interest within the industry and security research communities. Significantly, successful proofs-of-concept have also been performed, with the developed algorithms prototyped into OpenStack cloud management systems.
Preparing for 5G
The next stage of the research will focus on getting closer to the requirements for security auditing and compliance within 5G systems – which will raise new challenges, such as those related to Network Functions Virtualization.
In particular, a key goal for the project's second stage will be achieving near real-time security auditing. This is difficult within cloud systems, but will be an important feature of future solutions if they are to keep up with the high speeds of 5G.
The results of this research will be highly significant for the industry. From robotics to self-driving cars, 5G will be a critical enabler of many IoT use cases – and all will need to provide evidence that they meet security requirements.
By addressing cloud compliance challenges, Ericsson and CIISE are helping to make a secure, connected future a reality.