Network-level Access Control Management for the Cloud

One of the major security threats that public cloud computing platforms face today is that the active cloud virtual machine instances are visible and accessible via the public internet, which allows hackers to carry out several types of attacks such as Denial of Service (DoS) and intrusion over a long durations which increases the probabilities of successful penetration. Security logs of the failed attempts attest to the real threat and the intensity and duration of these. Most systems running on public cloud instances today are not security-hardened to withstand such persistent and long attacks. It is not only dangerous but also disastrous for the enterprise that uses such instances to deliver cloud services, for the users that use such services, and for the cloud provider that provides the cloud infrastructure. Therefore, what is required is a network-level access control solution that facilitates delivery of cloud services while protecting the network perimeter of the solution in a useable and dynamically customizable manner. In this paper, we have described such a network-based access control solution for public cloud services that we have designed and developed and is applicable to any of the various cloud platforms available today. We have deployed our solution as part of the "Security-as-a-Service" model on IBM Smart Cloud Enterprise (SCE), and has been used for commercial delivery of cloud services. These applications have led to not only high level of security with no security attacks via network exposure on the services, but also significant savings on the cost of maintaining the security of such instances and services. We have also studied the challenges that network address translators (NATs) pose for network-based access control on public cloud, and have developed solutions for such challenges.