SmartX Multi-Sec: A Visibility-Centric Multi-Tiered Security Framework for Multi-Site Cloud-Native Edge Clusters

Abstract
Recently, to match the emerging demands for multi-site edge clouds, the cloud-based information and communication technology (ICT) infrastructure is rapidly expanding. To protect distributed edge-based cloud assets from networking-based threats by recognizing suspicious traffic, cloud operators should monitor the overall underlying topology to categorize and identify diversified networking packet traffic, flowing through various paths among virtualized and containerized cloud nodes. Perimeter-based networking security, which employs security appliances in fixed locations, cannot address this visibility challenge. As a result, in this paper, we propose the SmartX Multi-tier Security (Multi-Sec) framework, which aims to provide intuitive and systematic visibility for multi-site edge-cloud security. SmartX Multi-Sec abstracts the underlying networking topology among multi-site edge clusters as multiple onion-ring-based tiers of physical, virtualized, and containerized cloud nodes. It also provides collective DevSecOps automation features for monitoring, visualizing, and filtering targeted networking traffic from the respective tiers of the abstracted networking topology. The resulting flow-centric visibility using SmartX Multi-Sec can be featured with extended Berkeley Packet Filter and eXpress Data Path (eBPF/XDP)-leveraged lightweight flow capture and filtering, three-dimensional onion-ring visualization, and automated deployment of DevSecOps functions. By integrating these features, the Proof-of-Concept (PoC)-version of the SmartX Multi-Sec framework is realized to verify the flexible and scalable flow-centric security for multi-site cloud-native edge clouds.
Author(s)
Shin, Jun-Sik; Kim, Jongwon
Issued Date
2021-09
Type
Article
DOI
10.1109/ACCESS.2021.3115523
URI
https://scholar.gist.ac.kr/handle/local/11298
Publisher
IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
Citation
IEEE ACCESS, v.9, pp.134208 - 134222
ISSN
2169-3536
Appears in Collections:
Department of AI Convergence > 1. Journal Articles
Access and License
  • Access type: Open

Items in Repository are protected by copyright, with all rights reserved, unless otherwise indicated.