Networking experts create an experimental system to offer better security in the promiscuous world of the cloud.
Today even the simplest web app can rely on a diverse mix of online services.
These services support a range of crucial functions in modern applications: Facebook for authentication, Box for storage, Twilio for messaging, Square for payments, Google AdSense for advertising and more.
Moving further down the software stack, it is also becoming increasingly common to weave together apps using even smaller on-demand components, such as Amazon ElastiCache or the cloud-based graph database GrapheneDB.
IBM predicts this trend of gluing together online services into "mesh applications" will accelerate as the number of cloud platforms continues to increase, growing beyond Amazon Web Services, Microsoft Azure, Google Cloud Platform, Heroku, IBM BlueMix, CloudFoundry and others available today.
The challenge for firms is that every time they bolt a new cloud-based service onto an app the company is trusting data and the smooth running of their software to a potentially unknown third party.
A new security model for the cloud
In a world where many different and sometimes geographically dispersed services regularly share data, networking experts say a new approach to application security is needed.
"Despite the shift in how applications are being disaggregated, the management of security between services and tenants remains largely the same: one focused on a perimeter defense with a largely static security configuration," write researchers from IBM Watson Research Center, the University of Colorado and Princeton University.
"While isolation enables tenants to reason about their perimeter, perimeter defense is widely considered insufficient."
With the many different cloud services that make up these applications regularly swapping data and commands, attacks on apps can be hard to detect, the researchers argue, as criminals can "rely on their relative anonymity to bypass the perimeter".
While the programmable infrastructures that SDN and NFV enable can boost security for these mesh applications, the researchers believe these automated systems need better guidance.
To help address the issue of knowing which cloud services can be trusted, IBM and its research partners have designed an experimental system called Seit, which means reputation in Arabic.
Seit is designed to be integrated into cloud management systems to help track the reputation of different services.
Seit allows cloud-based services to interface with its reputation manager, which acts as a repository for ratings assigned to cloud-based services or tenants. These ratings are based on the past behaviour of these services and are automatically generated from alerts, events, and status updates from the cloud infrastructure components these services rely on, such as firewalls, load balancers and network controllers.
When different online services are preparing to interact, they query Seit to discover each other's crowd-sourced reputation. Using this information each service can then decide how, and if, they should interact, based on their respective reputations and expectations.
To allow cloud services to engage in this reputation sharing, Seit provides a framework that enables a software shim to be created around cloud infrastructure components. This shim allows cloud services and tenants to interface with Seit's reputation manager.
The researchers say Seit makes it easier to isolate cloud services and tenants that are likely to cause problems, as well as optimizing communication between services.
Because reputations are updated each time cloud services or tenants interact with each other, Seit also proved able to warn about malicious and problematic behaviour as it emerged. For example, in a recreation of a denial of service (DoS) attack similar to that launched from AWS EC2 instances in 2014, Seit lowered the reputation of the compromised virtual machines spewing out large amounts of DoS traffic, to the point where the instances driving the attack were isolated.
The researchers provide various examples of how they used Seit - including creating an SDN controller that blocked or screened network traffic from virtual machines with a low reputation, allowing a cloud service broker to filter services offered on CloudFoundry by reputation and building a reputation-guided load balancer.
"Using our emulated environment, we show that Seit can provide improved security by isolating malicious tenants, reduced costs by adapting the infrastructure without compromising security, and increased revenues for high quality service providers by enabling reputation to impact discovery," the researchers claim in the paper.
IBM and its partners have trialled Seit with various cloud and network components, including the Floodlight SDN controller, CloudFoundry, the HAProxy load balancer, the Snort intrusion detection system and the Nagios monitoring system.
In future they plan to integrate more components with Seit, improve the system's performance and study scalability challenges when managing a large number of components and tenants spread across autonomous clouds in different locations.