This talk presents VESPA, an open self-protection architecture and framework for cloud infrastructures that overcomes the previous limitations. Developed in the OpenCloudWare project, VESPA adopts a policy-based management approach, and allows a two-level regulation of security, both within a software layer and across layers. Flexible coordination between self-protection loops allows enforcing a rich spectrum of security strategies such as cross-layer detection and reaction. A multi-plane, extensible architecture also enables simple integration of commodity detection and reaction components. Evaluation results on a VESPA KVM-based implementation show that the design is applicable for effective and yet flexible self-protection of cloud infrastructures.

1. VESPA: Multi-Layered Self-Protection
for Cloud Resources
Marc Lacoste
Orange Labs
Self-protection has raised growing interest as possible element of answer to the cloud protection
challenge. However, previous solutions miss flexible security policies, cross-layered defense,
multiple control granularities, and open security architectures.
This talk presents VESPA, an open IaaS self-protection architecture and framework that
overcomes such limitations. Key features are regulation of security at two levels, both within and
across software layers; flexible coordination of multiple feedback loops enabling enforcement of a
rich spectrum of protection strategies; and an extensible architecture allowing simple integration of
commodity security components.
OW2Con’12, November 28-29, 2012
Orange Labs, Paris. www.ow2.org

2. Motivation
s Security = #1 adoption stopper to cloud computing.
s Mushrooming threats:
 From outside: rootkits, malware, intrusions…
 From inside: "honest-but-curious" legitimate users, over-privileged admins…
s Heterogeneous defenses:
 Vertically: layer-specific mechanisms.
 Horizontally: system. vs. network placement.
 Self-protection as possible next step of security management with promise of
simpler, stronger, more efficient, But…flexible protection.
more
…How to design self-protecting clouds?
OW2Con’12, November 28-29, 2012 Orange Labs, Paris. www.ow2.org 2

3. 3 Major Challenges
Challenge #1: Multi-Layering
 Each cloud layer has its own security mechanisms, oblivious to other layers.
 But attacks may span several layers at once!
Challenge #2: Multi-Laterality
 Each cloud stakeholder has its own security objectives and policies.
 Flexiblility is needed in monitoring granularity and security policies!
Challenge #3: Openness
 Cloud stakeholder topology is dynamic, and threats may be unknown.
 Interoperability is needed with 3rd-party security policies/components!
OW2Con’12, November 28-29, 2012 Orange Labs, Paris. www.ow2.org 3

4. ● Principle
Cloud Self-Protection Design Principles
Self-Protection
Policy-Based
Principle #2:
Principle #1:
Cross-Layer
Defense
Self-Protecting Cloud
Principle #3:
Multiple Self- Open Architecture
Protection Loops Principle #4:
Principle #1: Policy-Based Self-Protection
Principle #3: #4: OpenSelf-Protection Loops
Principle #2: Cross-Layer Defense
Multiple Architecture
The self-protection architecture should be aperformed withinwell-defined securitybe but
Multiple detectionreaction should not be refinement of a agranularity shouldsecurity
Detection and and reaction strategies and mechanisms single third-partylayer,
Several control loops of variable levels of supervision (e.g., software
components)and coordinated. integrated in the security architecture.
may also span several layers.
defined should be easily
adaptation model based on policies.
OW2Con’12, November 28-29, 2012 Orange Labs, Paris. www.ow2.org 4

5. VESPA Goals
s VESPA = Virtual Environments Self-Protecting Architecture:
An autonomic security framework for regulating protection of IaaS resources.
1. Cross-layer approach to security.
2. Multiple levels of supervision granularity.
3. Open and flexible architecture for easy security interoperability.
s Implementation: KVM-based IaaS infrastructure.
s Typical application: risk-aware dynamic VM confinement.
OW2Con’12, November 28-29, 2012 Orange Labs, Paris. www.ow2.org 5

6. VESPA System Architecture
1. Policy-based security regulation, with well-defined SP model.
2. Automated protection at two levels, within and across IaaS layers.
3. Flexible orchestration of multiple SP loops, for rich defense strategy.
4. OW2Con’12, November 28-29, 2012 Orange Labs, Paris. www.ow2.org integration.
Layered, extensible architecture for easy security COTS 6

7. Security Model
Critical assets
to protect
PR DM
Threats impact
one layer
(or more)
SM PM
RM
Security supervision
DM: Detection
RM: Reaction Policy-orientation
PM: Detection+Reaction
of the framework
OW2Con’12, November 28-29, 2012 Orange Labs, Paris. www.ow2.org 7

8. Agent Model
DECISION-MAKING
REACTION
REFINEMENT CONTEXT
AGGREGATION
NFORCEMENT SENSING
Agents performs mediation between security and decision-making:
 Security context aggregation.
 Reaction policy refinement.
 API adaptation for easy infrastructure integration of security COTS.
OW2Con’12, November 28-29, 2012 Orange Labs, Paris. www.ow2.org 8

9. Implementing Risk-Aware VM Quarantine
Three levels of self-protection:
1. Intra-layer [VM-level]: anti-virus for analysis and cleaning.
2. Cross-layer [VM+hypervisor levels]: hypervisor firewalling for VM isolation.
3. Cross-layer [VM+hypervisor levels]: hypervisor migration manager to move
VM OW2Con’12, November 28-29, 2012 Orange Labs, Paris. www.ow2.org
to quarantine zone and back. 9

10. Conclusions
s Key points:
 VESPA: architecture for effective and flexible SP of IaaS resources.
 Two-level tuning of security policies, within and across layers.
 Coordination of multiple loops allows rich spectrum of defense strategy.
 Multi-plane open design for easy integration of detection/reaction COTS.
s Ongoing:
 VESPA v0 = 8000 Python LoC. Underlying infrastructure = KVM.
 C version under development using Fractal / Cecilia framework.
Security services: IDS, anti-virus, log analysis, firewall, MAC.
 Extend VESPA to the multi-cloud setting using security domains.
s More …
Available soon in open source! Check-out our ICAC 2012 paper!
[ICAC 12] Aurélien Wailly, Marc Lacoste, Hervé Debar.
VESPA: Multi-Layered Self-Protection for Cloud Resources.
OW2Con’12, November 28-29, 2012 Orange Labs, Paris. www.ow2.org
9th ACM International Conference on Autonomic Computing (ICAC), 10
San José, California, September 2012.

11. Thanks!
Contact:
Marc Lacoste
Senior Research Scientist
Orange Labs, Security Dept.
E-mail: marc.lacoste@orange.com