Security-Aware Resource Allocation in Clouds

Abstract

Elasticity and economic considerations make Infrastructure-as-a-Service (IaaS) clouds attractive propositions for hosting enterprise IT applications. However, for prospective cloud customers, that potential is tempered by concerns, chief among them being security. We consider the problem of resource allocation in IaaS clouds while factoring in reachability and access control requirements of the cloud virtual machines (VMs). We describe a security-aware resource allocation framework that allows for effective enforcement of defense-in-depth for cloud VMs by determining (1) the grouping of VMs into security groups based on the similarity of their reachability requirements, and (2) the placement of virtual machines in a manner that reduces residual risks for individual VMs as well as security groups. We formalize security-aware resource allocation as a Constraint Satisfaction Problem (CSP), which can be solved using widely available Satisfiability Modulo Theories (SMT) solvers. Our experimental evaluation shows the effectiveness of our approach in reducing risk and improving manageability of security configurations for the cloud VMs.