IBM J. Res. Dev

Security intelligence for cloud management infrastructures

View publication


In this paper, we address the problem of protecting cloud infrastructures and customer workloads via smart auditing and logging, satisfying regulatory and compliance requirements. We observe that traditional approaches of logging and auditing events in cloud-scale infrastructures will not be effective without taking into account other controls. We introduce the concept of Cloud Security Intelligence (CSI), a new systematic approach for collecting, aggregating, correlating, and analyzing data from management, control, and data planes of cloud infrastructures, using a closed-loop architecture. Our approach cross-correlates control and data plane events, automatically deriving rules for monitoring and audits. Specifically, it sets dynamic rules concerning what and how to audit, adapting the logging accordingly, while comparing the data access patterns and configurations with the desired privileges and specifications. We have implemented CSI on two OpenStack®-based systems: a closed loop network protection scheme and a cloud storage audit and risk analysis scheme for monitoring data access. In order to make cloud security approaches effective and scalable, we suggest that it is essential to use an intelligent approach such as correlating cloud logic from multiple cloud layers and components-e.g., IaaS (Infrastructure as a Service) or PaaS (Platform as a Service)-providing workload context that is maintained by cloud management systems, and using analytics on historical logs.