Designing Efficient Security Services Infrastructure for Virtualization Oriented Architectures

Designing Efficient Security Services Infrastructure for Virtualization Oriented Architectures

Dr. Eng. Syed Naqvi (Birmingham City University, UK)
DOI: 10.4018/978-1-61692-000-5.ch011


Virtualization technologies are emerging as a promising solution for managing the rapidly growing complexities of modern distributed ICT infrastructures. However, a mainstream operational concern for these virtualization oriented architectures is to provide efficient security services. Establishment of in-depth security services and trust relationships are the most desirable features for the effective functioning of these systems. This chapter presents a security architecture to address the comprehensive security needs of today’s virtualization oriented architectures. The concept of virtualization of security services is introduced so as to have absolute freedom to choose the underlying security mechanisms. This concept of virtualization of security services is realized through distributed virtual engines that enable unification of security service calls according to requirements and not according to the underlying technologies. A configurable mechanism for the invocation of security services is proposed to address the security needs of different kinds of users. This approach permits the evolution of efficient security infrastructure with minimal impact on the resource management functionalities. In this way, users and resource providers can configure the security services according to their requirements and satisfaction level. The resulting extensible set of security services include both core security services and contemporary security services required for the modern virtualization oriented infrastructures.
Chapter Preview

Proposed Architecture


In the large scale distributed systems, such as computational Grids, Clouds, etc., the need for efficient and secure data transportation over potentially insecure channels creates new security and privacy issues, which are exacerbated by the heterogeneous nature of the collaborating resources. Traditional security approaches require adequate overhauling to address these paradigms. The two-pronged approach proposed in (Naqvi, 2004) to address these security issues is elaborated in this section. The proposed model is called VIPSEC: Virtualized and Pluggable Security Services Architecture. In this model, first, the virtualization of security services provides an abstraction layer on top of the security infrastructure that harmonizes the heterogeneity of underlying security mechanisms. Second, the configurable/pluggable nature of various security services permits the users and resource providers to configure the security architecture according to their requirements and satisfaction level. This approach allows the security infrastructure to be developed with minimal impact on the resource management functionalities.

Since security implementations are more and more numerous and complex, it has become almost impossible for an inexperienced user to understand their meaning and especially how they should be used. Additionally, the heterogeneity of networks does not simplify the understanding and definition of a security system. Therefore, it is currently impossible to establish a security policy for a communication by using the low level properties of the different networks that are being crossed. The classical solution to this problem consists in setting up a secured high-level ciphered tunnel from end to end. This is acceptable in some situations, but it may not satisfy future evolutions of networks. The goal of virtualization is to reinstate security principles (transparency, responsibility, traceability, etc.), security objectives (integrity, availability, confidentiality, etc.), security policies (protection, deterrence, vigilance, etc.) and security functions (identification, authentication, access control, management of secret elements, privacy, etc.) in their rightful place. Virtualization aims at describing a policy and at refining it. Actually, a unique security policy cannot be implemented on several heterogeneous networks, architectures or environments. The current complexity of networks comes from the fact that on the one hand each element defines its own security policy in accordance with the security domain to which it pertains (a priori…), and on the other hand each security domain has its own security policy. In the virtual paradigm, the policy of the element (wherever it may be) shall be merged with the policy of the domain to which it belongs. Then, this policy will be automatically implemented depending on the available security functions.

Complete Chapter List

Search this Book: