Conference Paper

Performance Analysis of Zero-Trust multi-cloud


... Thus, there are three main types of implementations, which we shall consolidate and compare according to their type. They are, namely, frameworks for the trust model, which can be used to develop and design use cases, practical zero-trust models and theoretical proofs-of-concept, which showcase individual cases of specific technologies that fall under the umbrella term of Zero Trust [27,28]. ...
... Ahmed and Petrova proposed a federated IAM framework using zero trust as a basis to stop CSPs from accessing virtual assets of their customers [37]. For zero-trust deployments in multi-cloud environments, a performance analysis was performed by Simone et al., which pointed to no negative effects [27]. ...
... It also enables data centres to create and enforce access control policies based on the previously mentioned workload identity. The system can verify and trace authentic workload identities and tags to packets received [27]. A research project by Weever and Andreou highlighted the importance of securing data in-transit from one containerized application to another. ...
Article
Recently, networks have shifted from traditional in-house servers to third-party-managed cloud platforms due to its cost-effectiveness and increased accessibility toward its management. However, the network remains reactive, with less accountability and oversight of its overall security. Several emerging technologies have restructured our approach to the security of cloud networks; one such approach is the zero-trust network architecture (ZTNA), where no entity is implicitly trusted in the network, regardless of its origin or scope of access. The network rewards trusted behaviour and proactively predicts threats based on its users’ behaviour. The zero-trust network architecture is still at a nascent stage, and there are many frameworks and models to follow. The primary focus of this survey is to compare the novel requirement-specific features used by state-of-the-art research models for zero-trust cloud networks. In this manner, the features are categorized across nine parameters into three main types: zero-trust-based cloud network models, frameworks and proofs-of-concept. ZTNA, when wholly realized, enables network administrators to tackle critical issues such as how to inhibit internal and external cyber threats, enhance the visibility of the network, automate the calculation of trust for network entities and orchestrate security for users. The paper further focuses on domain-specific issues plaguing modern cloud computing networks, which leverage choosing and implementing features necessary for future networks and incorporate intelligent security orchestration, automation and response. The paper also discusses challenges associated with cloud platforms and requirements for migrating to zero-trust architecture. Finally, possible future research directions are discussed, wherein new technologies can be incorporated into the ZTA to build robust trust-based enterprise networks deployed in the cloud.
... As much as the difference is recognized in the zero trust architecture literature [5,6,37], we see no effort to work at the level of data. Instead, the operational focus continues to be on the network perimeter [12,19,34,39] and adjacent access endpoints such as Internet of Things or Cloud [30,8]. ...
... Despite the brief time since its inception [22], zero trust has evolved a stable set of core tenets and principles governing its architecture. While specific assertions vary across the literature [38,32,31,22,8,6,5,1,13], there is consistency in implementations across a variety of technological platforms [12,30,36]. However, research [1] suggests zero trust architecture may be imparting a false sense of security because the dominant architecture focuses on end-points. ...
Article
The world has realized traditional cybersecurity models are flawed because users and systems behind the perimeter are implicitly trusted. The response has been to treat access requests and behaviors post-access as untrusted. Thus, the aim of such zero trust architecture is to establish a borderless access-control framework. Accordingly, existing research is centered around network perimeters and communications layers. That is, data access channels or endpoints and not data itself. Consequently, we conducted a systematic review of relevant literature and developed a model illustrating a potential application of zero trust tenets and principles to data objects instead of data access pathways based on the findings. Concurrently, given the rising popularity of employing artificial intelligence to zero trust frameworks, our zero trust data concept targets artificial intelligence training and real-world evaluation data segments.
... Industry standard technologies have also been adopted to realise zero-trust models in the academic sphere. Rodigari et al. [43] performed experiments whereby a zero trust implementation based on Istio was successfully deployed in various Kubernetes platforms, with a view to minimising latency and system resources. Scoppetta [42] upgraded a zero-trust-based system implemented with Spring Boot and Microsoft Azure with Istio. ...
Article
The microservices architecture (MSA) is a form of distributed systems architecture that has been widely adopted in large-scale software systems in recent years. As with other distributed system architectures, one of the challenges that MSA faces is establishing trust between the microservices, particularly in the context of open systems. The boundaries of open systems are unlimited and unknown, which means they can be applied to any use case. Microservices can leave or join an open system arbitrarily, without restriction as to ownership or origin, and scale extensively. The organisation of microservices (in terms of the roles they play and the communication links they utilise) can also change in response to changes in the environment that the system is situated in. The management of trust within MSAs is of great importance as the concept of trust is critical to microservices communication, and the operation of an open MSA system is highly reliant on communication between these fine-grained microservices. Thus, a trust model should also be able to manage trust in an open environment. Current trust management solutions, however, are often domain-specific and many are not specifically tailored towards the open system model. This motivates research on trust management in the context of open MSA systems. In this paper, we examine existing microservices trust models, identify the limitations of these models in the context of the principles of open microservices systems, propose a set of qualities for open microservices trust models that emerge from these limitations, and assess selected microservices trust models using the proposed qualities.
... Moreover, in [71], the authors dig into the architectural complexities of deploying a service mesh in an edge environment and evaluate the performance impact across communications inside and outside a service mesh by harnessing the popular open source Istio/Envoy service mesh in an on-premise Kubernetes cluster. Finally, in [72], the authors evaluate the performance, in terms of latency and physical resources (CPU, memory), of a Zero Trust security implementation using the Istio service mesh in a multi-cloud environment. On the one hand, the service mesh enables zero trust using a sidecar proxy without changing the application code, and the zero trust model secures cloud native applications while encrypting all network communication, authenticating, and authorizing each request. ...
Article
Container orchestration systems simplify the deployment and maintenance of container-based applications, but developing efficient and well-defined orchestration systems is a challenge. Nowadays, Kubernetes is a leading open-source container orchestration platform that has become the de facto standard. The aim of this paper is to provide a comprehensive overview of the Kubernetes orchestrator and grasp the current research emphasis by using a bibliometric analysis. Bibliometrix software was adopted as the bibliometric analysis tool to find hot research topics and guide future research in the area. The Web of Science core collection database was used as the primary source for data collection. Data were collected from 803 articles published from 2014 to September 2022. In particular, publication outputs and research areas can provide insight into the development trends and current domains in terms of Kubernetes research. The most influential and productive authors, institutions, countries and journals contributed to this bibliometric analysis. The hottest research topics on Kubernetes are mainly centered on “cloud/fog/edge computing and Internet of Things (IoT)”, “containers and virtualization”, “docker”, “resource scheduling”, “microservices” and “artificial intelligence (AI)”. A cluster analysis was conducted from a keyword perspective to obtain emerging trends and frontiers for Kubernetes. The results showed that future research should focus on “automation”, “5G”, “scalability”, “resource scheduling”, “serverless”, “service mesh” and “blockchain”. Therefore, this paper aims to assist academics and practitioners in gaining a comprehensive understanding of the status quo and trends in Kubernetes research.
... 6) Security: Service meshes are claimed to provide secure infrastructure for microservices without any implementation in microservices. Rodigari et al. proposed a multi-cloud framework and a testing workflow to analyse performance of the data plane under load and the impact on the control plane, when Zero Trust is enabled [75]. Weever et al. investigate operational control requirements for Zero Trust network security, and then implement Zero Trust security in a microservice environment to protect and regulate traffic between microservices [76]. ...
Conference Paper
Modern software development practice has seen a profound shift in architectural design, moving from monolithic approaches to distributed, microservice-based architectures. This allows for much simpler and faster application orchestration and management, especially in cloud-based systems, with the result being that orchestration systems themselves are becoming a key focus of computing research. Orchestration system research addresses many different subject areas, including scheduling, automation, and security. However, the key characteristic that is common throughout is the complex and dynamic nature of distributed, multi-tenant cloud-based microservice systems that must be orchestrated. This complexity has led to many challenges in areas such as inter-service communication, observability, reliability, single cluster to multi-cluster, hybrid environments, and multi-tenancy. The concept of service meshes has been introduced to handle this complexity. In essence, a service mesh is an infrastructure layer built directly into the microservices - or the nodes of orchestrators - as a set of configurable proxies that are responsible for the management, observability, and security of microservices. Service meshes aim to be a full networking solution for microservices; however, they also introduce overhead into a system - this can be significant for low-powered edge devices, as service mesh proxies work in user space and are responsible for processing the incoming and outgoing traffic of each service. To mitigate performance issues caused by these proxies, the industry is pushing the boundaries of monitoring and security to kernel space by employing eBPF for faster and more efficient responses. We propose that the movement towards the use of service meshes as a networking solution for most of the required features by industry - combined with their integration with eBPF - is the next key trend in the evolution of microservices. This paper highlights the challenges of this movement, explores its current state, and discusses future opportunities in the context of microservices.
... This Zero Trust philosophy-turned-strategy fundamentally changes the way security is approached since trust is a vulnerability that can be exploited (Wylde, 2021). Cloud applications and security are treated equally to on-premises systems and apps under the Zero Trust approach (Rodigari, O'Shea, McCarthy, McCarry, & McSweeney, 2021). For improved identification of risks and breaches, the model supports the use of sophisticated analytics, artificial intelligence, and machine learning. ...
Article
The Zero Trust approach is a cybersecurity preventive measure based on the notion that nothing within, near, or outside your network should be trusted unless its identity is validated. Identities are regularly verified using authentication and authorization mechanisms in this framework. Security does not end once a user enters the network; identities are continually confirmed as they travel across the network. Instead of relying on network perimeters, Zero Trust's approach to security focuses on your identity infrastructure. Systems and networks can no longer rely on a user's affiliation with an organization or the password they supply. Users' traits and activity patterns must be examined by systems and networks to determine who is attempting to access resources, how they might get access, and what they might do with that access. This is a case of Zero Trust. Zero Trust has pros and limitations when compared to other security systems. It is also seen as the final answer to decentralized usage of resources over the internet. This paper's prescription focuses on Zero Trust's strengths, shortcomings, possibilities, and threats.
Article
This experience article describes lessons learned as we conducted experiments in a Kubernetes‐based environment, the most notable of which was that the performance of both the Kubernetes control plane and the deployed application depends strongly and in unexpected ways on the performance of the etcd database. The article contains (a) detailed descriptions of how networking with and without Istio works in Kubernetes, based on the Flannel Container Networking Interface (CNI) provider in VXLAN mode with IP Virtual Server (IPVS)‐backed Kubernetes Services, (b) a comprehensive discussion about how to conduct load and performance testing using a closed‐loop workload generator, and (c) an open source experiment framework useful for executing experiments in a shared cloud environment and exploring the resulting data. It also shows that statistical analysis may reveal the data resulting from such experiments to be misleading even when careful preparations are made, and that nondeterministic behavior stemming from etcd can affect both the platform as a whole and the deployed application. Finally, it is demonstrated that using high‐performance backing storage for etcd can reduce the occurrence of such nondeterministic behaviors by a statistically significant (P < .05) margin. The implication of this experience article is that systems researchers studying the performance of applications deployed on Kubernetes cannot simply consider their specific application to be under test. Instead, the particularities of the underlying Kubernetes and cloud platform must be taken into account, in particular because their performance can impact that of etcd.
Article
The boom in the evolution and adoption of new technologies, architectures, and paradigms such as cloud computing, SDN, and NFV in recent years has led to a new set of security and privacy challenges and concerns. These challenges/concerns include proper authentication, access control, data privacy, and data integrity, among others. SDP has been proposed as a security model/framework to protect modern networks in a dynamic manner. This framework follows a need-to-know model where a device's identity is first verified and authenticated before gaining access to the application infrastructure. In this article, a brief discussion of the security and privacy challenges/concerns facing modern cloud-based networks is presented along with some of the related work from the literature. The SDP concept, architecture, possible implementations, and challenges are described. An SDP-based framework adopting a client-gateway architecture is proposed with its performance being evaluated using a virtualized network testbed for an internal enterprise scenario as a use case. To the best of our knowledge, no previous work has provided a quantitative performance evaluation of such a framework. Performance evaluation results show that the SDP-secured network is resilient to denial of service attacks and port scanning attacks despite needing longer initial connection setup time. The achieved results confirm the promising potential of SDP as a security model/framework that can dynamically protect current and future networks.
Chapter
To provide better services and new future offerings to their customers, an enterprise in the financial services industry in Indonesia has decided to use Kubernetes, an application container technology, to serve their digital services through applications developed with micro-services architecture concepts. The new services and technology were expected to utilize their existing virtualized resources without introducing any additional hardware. The goal of this study was to provide a secure network infrastructure design for the Kubernetes deployment in their Data Center. Network and security were still viewed as important aspects and focus. This study provided a design with network recommendations from the likes of Cisco and VMware, and Forrester’s Zero Trust model as its security guideline. Each of the recommendations has been evaluated and written through this study. The simulation results showed that the proposed design was able to conform with the enterprise’s requirements and constraints, and successfully applied Zero Trust’s requirements in the container networks.
Article
As compute evolves from bare metal to virtualized environments to containers towards serverless, the efficiency gains have enabled a wide variety of use cases. Organizations have used containers to run long-running services, batch processing at scale, control planes, Internet of Things, and Artificial Intelligence workloads. Further, methodologies for software as a service, such as twelve-factor app, emphasize a clean contract with the underlying operating system and maximum portability between execution environments. In this paper, we address a set of capabilities required of a container orchestration platform to embody the design principles as illustrated by twelve factor app design. This paper also provides a non-exhaustive and prescriptive guide to identifying and implementing key mechanisms required in a container orchestration platform. We will cover capabilities such as cluster state management and scheduling, high availability and fault tolerance, security, networking, service discovery, continuous deployment, monitoring, and governance.