Leveraging Network Functions Virtualization Orchestrators to Achieve Software-Defined Access Control in the Clouds

2018 
Network Functions Virtualization (NFV) has been increasingly recognized as an effective way to consolidate hardware-based network functions and implement them using a software-based approach, ultimately leading to a significant reduction of CAPEX and OPEX. In particular, NFV orchestrators (e.g., Tacker, Cloudify, ONAP) play a vital role in dynamically and optimally managing and orchestrating various virtualized network resources (e.g., VMs, Virtualized Network Functions), and TOSCA is one of the standard models used to fulfill such a role. However, it remains unclear how the security mechanisms are managed so that the virtualized network assets can be offered seamless protection over their entire lifecycles, achieving so-called security by design. To explore this potential, we conduct a comparative analysis of the existing NFV orchestrators and extend the TOSCA model with particular security attributes, which are then leveraged to create access control policies that are eventually enforced in the cloud infrastructure. Specifically, a security orchestrator is developed, which consists of a TOSCA parser and a software-defined, tenant-specific access control paradigm. The major function of such a security orchestrator is to enable access control models and policies to be dynamically generated for different tenant domains, which can span different NFV layers and multiple data centers. To validate its feasibility, we develop a security orchestrator prototype and test its performance in a carrier-grade data center in terms of throughput, scalability, and adaptability. The experimental results demonstrate that all the desirable properties can be achieved; e.g., the throughput of our security orchestrator can be maintained at a satisfactory level regardless of the varying number of tenants, users, or objects deployed in the cloud.
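The abstract describes the core of the security orchestrator as a TOSCA parser that turns security attributes in a service template into tenant-specific access control policies. The following is an added illustration of that pipeline, not the paper's code or the TOSCA standard's schema: the `security` property with `allowed_roles` and `allowed_ops`, the `tenant` property, and the node names are all assumptions chosen for the example, and the template is shown in its already-parsed dict form so the block runs without a YAML library (in practice the YAML would be loaded with PyYAML or the OpenStack tosca-parser).

```python
"""Hypothetical security-orchestrator core (constructed example, not the paper's
implementation): derive tenant-scoped access control policies from TOSCA node
templates that carry an assumed `security` property, then answer access requests
with a tenant-specific policy decision point (PDP)."""

from dataclasses import dataclass

# Constructed TOSCA service template in parsed form. The `tenant` and `security`
# properties are assumptions for this example, not standard TOSCA NFV properties.
TOSCA_TEMPLATE = {
    "tosca_definitions_version": "tosca_simple_yaml_1_0",
    "topology_template": {
        "node_templates": {
            "fw_vnf": {
                "type": "tosca.nodes.nfv.VNF",
                "properties": {
                    "tenant": "tenant-a",
                    "security": {
                        "allowed_roles": ["netadmin"],
                        "allowed_ops": ["read", "update"],
                    },
                },
            },
            "web_vm": {
                "type": "tosca.nodes.Compute",
                "properties": {
                    "tenant": "tenant-b",
                    "security": {
                        "allowed_roles": ["devops", "auditor"],
                        "allowed_ops": ["read"],
                    },
                },
            },
            "legacy_lb": {
                "type": "tosca.nodes.nfv.VNF",
                # No security block: the parser emits no policy, so the PDP's
                # default-deny applies instead of an accidental allow.
                "properties": {"tenant": "tenant-a"},
            },
        }
    },
}


@dataclass(frozen=True)
class Policy:
    """One permitted (tenant, role, resource, operation) combination."""
    tenant: str
    role: str
    resource: str
    op: str


def parse_policies(template):
    """Walk node_templates and expand each node's security attributes into
    concrete Policy entries. Nodes missing a tenant or a security block yield
    nothing, which keeps the resulting policy set default-deny."""
    nodes = template.get("topology_template", {}).get("node_templates", {})
    policies = set()
    for name, node in nodes.items():
        props = node.get("properties", {})
        tenant = props.get("tenant")
        sec = props.get("security")
        if tenant is None or not sec:
            continue
        for role in sec.get("allowed_roles", []):
            for op in sec.get("allowed_ops", []):
                policies.add(Policy(tenant, role, name, op))
    return policies


class PolicyDecisionPoint:
    """Tenant-specific PDP. Policies are indexed per tenant, so a request is
    allowed only if the requesting tenant owns the resource AND the (role,
    resource, op) triple was derived from that tenant's template. A matching
    role in another tenant's domain never grants cross-tenant access."""

    def __init__(self, policies):
        self._index = {}
        for p in policies:
            self._index.setdefault(p.tenant, set()).add((p.role, p.resource, p.op))

    def is_allowed(self, tenant, role, resource, op):
        return (role, resource, op) in self._index.get(tenant, set())


if __name__ == "__main__":
    pdp = PolicyDecisionPoint(parse_policies(TOSCA_TEMPLATE))
    print(pdp.is_allowed("tenant-a", "netadmin", "fw_vnf", "update"))   # True
    print(pdp.is_allowed("tenant-b", "netadmin", "fw_vnf", "update"))   # False: wrong tenant
    print(pdp.is_allowed("tenant-a", "netadmin", "legacy_lb", "read"))  # False: no policy, default deny
```

The design point worth noting is the per-tenant index in the PDP: scoping the lookup by tenant first means that the generated policies can be pushed to enforcement points in several NFV layers or data centers without any of them being able to honour a role from a foreign tenant domain, and a node that ships without security attributes is denied rather than silently opened.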