Proactive Verification of Security Compliance for Clouds Through Pre-computation: Application to OpenStack

摘要

The verification of security compliance with respect to security standards and policies is desirable to both cloud providers and users. However, the sheer size of a cloud implies a major challenge to be scalability and in particular response time. Most existing approaches are either after the fact or incur prohibitive delay in processing user requests. In this paper, we propose a scalable approach that can reduce the response time of online security compliance verification in large clouds to a practical level. The main idea is to start preparing for the costly verification proactively, as soon as the system is a few steps ahead of potential operations causing violations. We present detailed models and algorithms, and report real-life experiences and challenges faced while implementing our solution in OpenStack. We also conduct experiments whose results confirm the efficiency and scalability of our approach.