Conference: IEEE Conference on Network Softwarization

A TOSCA-Oriented Software-Defined Security Approach for Unikernel-Based Protected Clouds

Abstract

Cloud infrastructures provide new facilities to build elaborate added-value services by composing and configuring a large variety of computing resources, from virtualized hardware devices to software products. In the meantime, they are more exposed to security attacks than traditional environments. The complexity of security management tasks has been increased by the multi-tenancy, heterogeneity and geographical distribution of these resources. They introduce critical issues for cloud service providers and their customers, with respect to security programmability and scenarios of adaptation to contextual changes. In this paper, we propose a software-defined security approach based on the TOSCA language, to enable unikernel-based protected clouds. We first introduce extensions of this language to describe unikernels and specify security constraints for their orchestrations. We then describe an architecture exploiting this extended version of TOSCA for automatically generating, deploying and adjusting cloud resources in the form of protected unikernels with a low attack surface. We finally detail a proof-of-concept prototype, and evaluate the proposed solution through an extensive series of experiments.