Security of Zero Trust Networks in Cloud Computing: A Comparative Review

Sustainability - Volume 14, Issue 18 - Page 11213
Sirshak Sarkar ¹, Gaurav Choudhary ², Shishir Kumar Shandilya ¹, H. Azath ¹, Hwankuk Kim ³
¹ School of Computing Science and Engineering, VIT Bhopal University, Bhopal, 466114, Madhya Pradesh, India
² DTU Compute, Department of Applied Mathematics and Computer Science, Technical University of Denmark, 2800 Kongens Lyngby, Denmark
³ Department of Information Security Engineering, Sangmyung University, Cheonan 31066, Korea

Abstract

Recently, networks have shifted from traditional in-house servers to third-party-managed cloud platforms because of their cost-effectiveness and the easier access they offer to management. However, the network remains reactive, with less accountability and oversight of its overall security. Several emerging technologies have restructured our approach to the security of cloud networks; one such approach is the zero-trust network architecture (ZTNA), in which no entity on the network is implicitly trusted, regardless of its origin or scope of access. The network rewards trusted behaviour and proactively predicts threats based on its users’ behaviour. The zero-trust network architecture is still at a nascent stage, and there are many frameworks and models to follow. The primary focus of this survey is to compare the novel requirement-specific features used by state-of-the-art research models for zero-trust cloud networks. To this end, the features are categorized across nine parameters into three main types: zero-trust-based cloud network models, frameworks and proofs-of-concept. ZTNA, when wholly realized, enables network administrators to tackle critical issues such as how to inhibit internal and external cyber threats, enhance the visibility of the network, automate the calculation of trust for network entities and orchestrate security for users. The paper further focuses on domain-specific issues plaguing modern cloud computing networks, which inform the choice and implementation of features necessary for future networks and the incorporation of intelligent security orchestration, automation and response. The paper also discusses challenges associated with cloud platforms and requirements for migrating to a zero-trust architecture. Finally, possible future research directions are discussed, wherein new technologies can be incorporated into the ZTA to build robust trust-based enterprise networks deployed in the cloud.
