DOI: 10.1145/3297280.3297296
Research article

Secure container orchestration in the cloud: policies and implementation

Published: 08 April 2019

Abstract

In the last few years, cloud computing has been moving towards becoming the predominant infrastructure paradigm because of its economies of scale. Consequently, a great deal of sensitive and valuable information has begun to reside in the cloud. At the current stage, many organizations have yet to move to the public cloud, primarily because the loss of infrastructure ownership gives away control over that information, which is generally perceived as a severe security risk.
Currently available cloud security platforms fail to offer a process that achieves a secure, cloud-compatible operational flow. In this work we propose a policy that enforces data security in the cloud. To implement the cloud-based components of that policy, we created SCO (Secure Container Orchestrator), a container orchestration engine that uses the most recent hardware-based trusted execution environment technology for data protection, in our case Intel SGX. SCO implements SGX-friendly container auto-scaling schemes and load-balancing routing, and packs SGX compatibility features. These characteristics enable the deployment of trusted applications in alignment with standard cloud practices.
We also compare SCO to the state of the practice in container orchestration (Kubernetes), demonstrate the inherent costs of employing this security-enhanced solution, and present a methodology to support business decisions regarding its adoption.



Published In

SAC '19: Proceedings of the 34th ACM/SIGAPP Symposium on Applied Computing
April 2019
2682 pages
ISBN: 9781450359337
DOI: 10.1145/3297280

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. cloud computing
  2. container orchestration
  3. identity authentication
  4. secure load balancing
  5. trusted execution environment

Qualifiers

  • Research-article

Funding Sources

  • RNP

Conference

SAC '19

Acceptance Rates

Overall Acceptance Rate 1,650 of 6,669 submissions, 25%


Cited By

  • (2024) Trusting the Cloud-Native Edge: Remotely Attested Kubernetes Workers. 2024 33rd International Conference on Computer Communications and Networks (ICCCN), 1-6. DOI: 10.1109/ICCCN61486.2024.10637515. Online publication date: 29-Jul-2024.
  • (2024) Identifying the primary dimensions of DevSecOps. Journal of Systems and Software 214:C. DOI: 10.1016/j.jss.2024.112063. Online publication date: 18-Jul-2024.
  • (2023) SecCo. Proceedings of the 2023 International Conference on Research in Adaptive and Convergent Systems, 1-6. DOI: 10.1145/3599957.3606222. Online publication date: 6-Aug-2023.
  • (2023) Containerization for High Performance Computing Systems: Survey and Prospects. IEEE Transactions on Software Engineering 49:4, 2722-2740. DOI: 10.1109/TSE.2022.3229221. Online publication date: 1-Apr-2023.
  • (2021) Container orchestration on HPC systems through Kubernetes. Journal of Cloud Computing: Advances, Systems and Applications 10:1. DOI: 10.1186/s13677-021-00231-z. Online publication date: 22-Feb-2021.
  • (2021) Containerization and Orchestration on HPC Systems. Sustained Simulation Performance 2019 and 2020, 133-147. DOI: 10.1007/978-3-030-68049-7_10. Online publication date: 2-Mar-2021.
  • (2020) A Load Balancing Algorithm for Mobile Devices in Edge Cloud Computing Environments. Electronics 9:4 (686). DOI: 10.3390/electronics9040686. Online publication date: 23-Apr-2020.
