Cloud computing changes the way people use computers. A basic cloud service model, commonly referred to as the Infrastructure as a Service (IaaS) model, allows cloud customers to dynamically scale up and down their usage on as many machines as needed inside the cloud in a “pay as you go” manner. Thus, the customers can dynamically provision resources to meet their current demand by leasing different amounts of resources from the cloud provider at different times. The cloud provider can leverage economies of scale to provide on-demand resources at a lower cost.
To take advantage of the economic benefits, cloud providers support multi-tenancy on their systems, where virtual machines from multiple customers can share the same sets of physical servers and the network. Given the large amount of servers and customers, the management of the infrastructure needs to be highly automated to allow customer to request the creation or removal of a virtual machine without human intervention.
Despite its promising potentials, a major burden to the widespread adoption of cloud computing is security, as customers are often reluctant to export sensitive data and computation into the cloud. Threats arise not only from privacy leaks at the cloud operating company but also due to the multi-tenant nature of the cloud.
To enforce network security in a cloud environment, cloud providers define network security policies and rules for their data centers and networks. The policies and rules can be quite complex. As a result, in a typical cloud environment, cloud servers can be reached only through complex communication patterns governed by network access control, such as traversal of firewalls and intrusion detection systems (IDSs).
The cloud computing environment is dynamic because many new customers may join and leave the cloud in short periods of time. The complexity of the application behavior and the sheer number of applications make it difficult, costly and error prone to write down by hand different network security enforcement rules for different data centers. Further, it is often necessary for cloud providers to automate and orchestrate security for all aspects of the cloud infrastructure. Human intervention is too slow and not realistic given the pace of changes and the size of the cloud.
Cloud models or gateway-based techniques that are currently available in the industry today sometimes require a specific topology of the cloud network, which cannot adapt to the changing needs of the customers. Some existing methods use Virtual Local Area Networks (VLANs) to configure isolated virtual networks. Nevertheless, the VLAN segmentation approach is static and fails to provide sufficient flexibility and automatism, especially when the number of tenants is large (i.e., beyond 1K). Some flow-based segmentation approach provides traffic isolation, scalability and automatism. Nonetheless, this approach fails to guarantee the consistency of security policies in scenarios of Virtual Machine (VM) migration.