Efficient Security Provisioning in the Cloud Based on Network Security Defense Patterns Using Service Chaining
In modern large data centers, hundreds of thousands of VMs run simultaneously on thousands of physical computing and networking nodes, each with different security policies. A centralized security architecture that manages all of these policies in a few large security appliances would cause major security policy complexity and create choke points in the cloud infrastructure. We will investigate and propose a network security pattern-based approach for cloud infrastructure, together with its optimal placement in the cloud. We believe our approach breaks away from the traditional centralized network security approach, i.e., concentrating more and more security functionality in the same appliance in order to obtain a more efficient implementation. Instead, we assemble a set of security functions, deploy them optimally and dynamically, and connect them through SDN, all on the basis of the security needs captured through our proposed defense patterns. These security modules can thereafter be composed or decomposed inside larger security nodes to achieve a more efficient implementation. Ericsson will benefit from our security solution because an optimal placement of finer-granularity security functions, distributed among less loaded nodes, results in a system more resilient to attacks, such as DDoS attacks.