TY - GEN
T1 - Understanding security group usage in a public IaaS cloud
AU - Jin, Cheng
AU - Srivastava, Abhinav
AU - Zhang, Zhi-Li
PY - 2016/7/27
Y1 - 2016/7/27
N2 - To ensure security, cloud service providers employ security groups as a key tool for cloud tenants to protect their virtual machines (VMs) from attacks. However, security groups can be complex and often hard to configure, which may result in security vulnerabilities that impact the entire cloud platform. The goal of this paper is to investigate and understand how cloud tenants configure security groups and to assist them in designing better security groups. We first conduct a measurement-based analysis of security group configuration and usage by tenants in an IaaS cloud. We then propose and develop a tool called Socrates, which enables tenants to visualize and hence understand the static and dynamic access relations among VMs. Socrates also helps diagnose potential misconfigurations and provides suggestions to refine security group configurations based on observed traffic traversing tenants' VMs. Applying Socrates to all tenants hosted on the IaaS cloud, we analyze the common usage (good as well as bad practices) of cloud security groups and report the key lessons learned in our study. To the best of our knowledge, our work is the first to analyze cloud security group usage based on real-world datasets, and to develop a system to help cloud tenants understand, diagnose and better refine their security group configurations.
AB - To ensure security, cloud service providers employ security groups as a key tool for cloud tenants to protect their virtual machines (VMs) from attacks. However, security groups can be complex and often hard to configure, which may result in security vulnerabilities that impact the entire cloud platform. The goal of this paper is to investigate and understand how cloud tenants configure security groups and to assist them in designing better security groups. We first conduct a measurement-based analysis of security group configuration and usage by tenants in an IaaS cloud. We then propose and develop a tool called Socrates, which enables tenants to visualize and hence understand the static and dynamic access relations among VMs. Socrates also helps diagnose potential misconfigurations and provides suggestions to refine security group configurations based on observed traffic traversing tenants' VMs. Applying Socrates to all tenants hosted on the IaaS cloud, we analyze the common usage (good as well as bad practices) of cloud security groups and report the key lessons learned in our study. To the best of our knowledge, our work is the first to analyze cloud security group usage based on real-world datasets, and to develop a system to help cloud tenants understand, diagnose and better refine their security group configurations.
UR - http://www.scopus.com/inward/record.url?scp=84983372200&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84983372200&partnerID=8YFLogxK
U2 - 10.1109/INFOCOM.2016.7524508
DO - 10.1109/INFOCOM.2016.7524508
M3 - Conference contribution
AN - SCOPUS:84983372200
T3 - Proceedings - IEEE INFOCOM
BT - IEEE INFOCOM 2016 - 35th Annual IEEE International Conference on Computer Communications
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 35th Annual IEEE International Conference on Computer Communications, IEEE INFOCOM 2016
Y2 - 10 April 2016 through 14 April 2016
ER -