Towards Secure Management of Edge-Cloud IoT Microservices using Policy as Code
- URL: http://arxiv.org/abs/2406.18813v2
- Date: Fri, 28 Jun 2024 02:53:32 GMT
- Title: Towards Secure Management of Edge-Cloud IoT Microservices using Policy as Code
- Authors: Samodha Pallewatta, Muhammad Ali Babar
- Abstract summary: IoT application providers increasingly use MicroService Architecture (MSA) to develop applications that convert IoT data into valuable information.
The proposed framework contains a "control plane" to intelligently and dynamically utilise and configure cloud-native (i.e., container orchestrators and service mesh) technologies to enforce security policies.
We implement a prototype of the proposed framework using open-source cloud-native technologies such as Docker, Istio, and Open Policy Agent to validate the framework.
- Score: 6.200058263544999
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: IoT application providers increasingly use MicroService Architecture (MSA) to develop applications that convert IoT data into valuable information. The independently deployable and scalable nature of microservices enables dynamic utilization of edge and cloud resources provided by various service providers, thus improving performance. However, IoT data security should be ensured during multi-domain data processing and transmission among distributed and dynamically composed microservices. The ability to implement granular security controls at the microservices level has the potential to solve this. To this end, edge-cloud environments require intricate and scalable security frameworks that operate across multi-domain environments to enforce various security policies during the management of microservices (i.e., initial placement, scaling, migration, and dynamic composition), considering the sensitivity of the IoT data. To address the lack of such a framework, we propose an architectural framework that uses Policy-as-Code to ensure secure microservice management within multi-domain edge-cloud environments. The proposed framework contains a "control plane" to intelligently and dynamically utilise and configure cloud-native (i.e., container orchestrators and service mesh) technologies to enforce security policies. We implement a prototype of the proposed framework using open-source cloud-native technologies such as Docker, Kubernetes, Istio, and Open Policy Agent to validate the framework. Evaluations verify our proposed framework's ability to enforce security policies for distributed microservices management, thus harvesting the MSA characteristics to ensure IoT application security needs.
Related papers
- Microsegmented Cloud Network Architecture Using Open-Source Tools for a Zero Trust Foundation [0.0]
  This paper presents a multi-cloud networking architecture built on zero trust principles and micro-segmentation.
  The proposed design includes the multi-cloud network to support a wide range of applications and workload use cases.
  arXiv Detail & Related papers (2024-11-19T01:58:40Z)
- Authentication and identity management based on zero trust security model in micro-cloud environment [0.0]
  The Zero Trust framework can better track and block external attackers while limiting security breaches resulting from insider attacks in the cloud paradigm.
  This paper focuses on authentication mechanisms, calculation of trust score, and generation of policies in order to establish required access control to resources.
  arXiv Detail & Related papers (2024-10-29T09:06:13Z)
- Securing the Open RAN Infrastructure: Exploring Vulnerabilities in Kubernetes Deployments [60.51751612363882]
  We investigate the security implications of and software-based Open Radio Access Network (RAN) systems.
  We highlight the presence of potential vulnerabilities and misconfigurations in the infrastructure supporting the Near Real-Time RAN Controller (RIC) cluster.
  arXiv Detail & Related papers (2024-05-03T07:18:45Z)
- Software-based Security Framework for Edge and Mobile IoT [0.5735035463793009]
  This work focuses on designing secure communication among remote servers and embedded IoT devices.
  The proposed approach uses lightweight cryptography, optimizing device performance and security without overburdening their limited resources.
  arXiv Detail & Related papers (2024-04-09T16:25:13Z)
- A Deep Reinforcement Learning Approach for Security-Aware Service Acquisition in IoT [2.765106384328772]
  We propose a complete framework that defines suitable levels of privacy and security requirements in the acquisition of services in the Internet of Things.
  Through the use of a Reinforcement Learning based solution, a user agent, inside the environment, is trained to choose the best smart objects granting access to the target services.
  arXiv Detail & Related papers (2024-04-04T08:00:12Z)
- Differentiated Security Architecture for Secure and Efficient Infotainment Data Communication in IoV Networks [55.340315838742015]
  Negligence on the security of infotainment data communication in IoV networks can unintentionally open an easy access point for social engineering attacks.
  In particular, we first classify data communication in the IoV network, examine the security focus of each data communication, and then develop a differentiated security architecture to provide security protection on a file-to-file basis.
  arXiv Detail & Related papers (2024-03-29T12:01:31Z)
- HasTEE+ : Confidential Cloud Computing and Analytics with Haskell [50.994023665559496]
  Confidential computing enables the protection of confidential code and data in a co-tenanted cloud deployment using specialized hardware isolation units called Trusted Execution Environments (TEEs).
  TEEs offer low-level C/C++-based toolchains that are susceptible to inherent memory safety vulnerabilities and lack language constructs to monitor explicit and implicit information-flow leaks.
  We address the above with HasTEE+, a domain-specific language (DSL) embedded in Haskell that enables programming TEEs in a high-level language with strong type-safety.
  arXiv Detail & Related papers (2024-01-17T00:56:23Z)
- The Security and Privacy of Mobile Edge Computing: An Artificial Intelligence Perspective [64.36680481458868]
  Mobile Edge Computing (MEC) is a new computing paradigm that enables cloud computing and information technology (IT) services to be delivered at the network's edge.
  This paper provides a survey of security and privacy in MEC from the perspective of Artificial Intelligence (AI).
  We focus on new security and privacy issues, as well as potential solutions from the viewpoints of AI.
  arXiv Detail & Related papers (2024-01-03T07:47:22Z)
- HBFL: A Hierarchical Blockchain-based Federated Learning Framework for a Collaborative IoT Intrusion Detection [0.0]
  We propose a hierarchical blockchain-based federated learning framework to enable secure and privacy-preserved collaborative IoT intrusion detection.
  The proposed ML-based intrusion detection framework follows a hierarchical federated learning architecture to ensure the privacy of the learning process and organisational data.
  The outcome is a securely designed ML-based intrusion detection system capable of detecting a wide range of malicious activities while preserving data privacy.
  arXiv Detail & Related papers (2022-04-08T19:06:16Z)
- Safe RAN control: A Symbolic Reinforcement Learning Approach [62.997667081978825]
  We present a Symbolic Reinforcement Learning (SRL) based architecture for safety control of Radio Access Network (RAN) applications.
  We provide a purely automated procedure in which a user can specify high-level logical safety specifications for a given cellular network topology.
  We introduce a user interface (UI) developed to help a user set intent specifications to the system, and inspect the difference in agent proposed actions.
  arXiv Detail & Related papers (2021-06-03T16:45:40Z)
- A Privacy-Preserving Distributed Architecture for Deep-Learning-as-a-Service [68.84245063902908]
  This paper introduces a novel distributed architecture for deep-learning-as-a-service.
  It is able to preserve the user sensitive data while providing Cloud-based machine and deep learning services.
  arXiv Detail & Related papers (2020-03-30T15:12:03Z)
This list is automatically generated from the titles and abstracts of the papers in this site.