A secure cross-organizational container deployment approach to enable ad hoc collaborations

IF 1.5 4区 计算机科学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS
Laurens Van Hoye, Tim Wauters, Filip De Turck, Bruno Volckaert
{"title":"A secure cross-organizational container deployment approach to enable ad hoc collaborations","authors":"Laurens Van Hoye,&nbsp;Tim Wauters,&nbsp;Filip De Turck,&nbsp;Bruno Volckaert","doi":"10.1002/nem.2194","DOIUrl":null,"url":null,"abstract":"<div>\n \n <p>When organizations need to collaborate urgently, for example, in the case of an emergency situation, it is needed to deploy software components into the different domains in order to allow crucial data to be exchanged. The ad hoc aspect is important as it does not allow the participating organizations to negotiate entire workflows and/or contracts upfront. To enable these ad hoc cross-organizational collaborations, a container orchestration platform, like Kubernetes, can be used to quickly deploy pods of containers in a cross-organizational overlay network, even fully automated. Although this is technically feasible, there may be a trust issue from the perspective of a participating organization when an external organization is capable of deploying any software inside its network domain. This concern is examined and resolved in this article, by proposing an extension to the existing deployment scheme used in vanilla Kubernetes. It allows the participating organizations to assess whether a suggested deployment conforms to the goal of the project and to maintain an overview of all activities related to a single collaboration. This intermediate step prevents an honest organization against potentially malicious behaviour of external entities, either the orchestrator and/or the other organizations, solving the aforementioned trust issue. Evaluation of the implemented prototype shows that a secure collaboration, which requires at most tens of containers, can be attained with sub-second deployment overheads per container, apart from the required manual interventions for trust management purposes.</p>\n </div>","PeriodicalId":14154,"journal":{"name":"International Journal of Network Management","volume":"32 4","pages":""},"PeriodicalIF":1.5000,"publicationDate":"2021-12-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Journal of Network Management","FirstCategoryId":"94","ListUrlMain":"https://onlinelibrary.wiley.com/doi/10.1002/nem.2194","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 2

Abstract

When organizations need to collaborate urgently, for example, in the case of an emergency situation, it is needed to deploy software components into the different domains in order to allow crucial data to be exchanged. The ad hoc aspect is important as it does not allow the participating organizations to negotiate entire workflows and/or contracts upfront. To enable these ad hoc cross-organizational collaborations, a container orchestration platform, like Kubernetes, can be used to quickly deploy pods of containers in a cross-organizational overlay network, even fully automated. Although this is technically feasible, there may be a trust issue from the perspective of a participating organization when an external organization is capable of deploying any software inside its network domain. This concern is examined and resolved in this article, by proposing an extension to the existing deployment scheme used in vanilla Kubernetes. It allows the participating organizations to assess whether a suggested deployment conforms to the goal of the project and to maintain an overview of all activities related to a single collaboration. This intermediate step prevents an honest organization against potentially malicious behaviour of external entities, either the orchestrator and/or the other organizations, solving the aforementioned trust issue. Evaluation of the implemented prototype shows that a secure collaboration, which requires at most tens of containers, can be attained with sub-second deployment overheads per container, apart from the required manual interventions for trust management purposes.

Abstract Image

一种安全的跨组织容器部署方法,支持临时协作
当组织需要紧急协作时,例如,在紧急情况下,需要将软件组件部署到不同的域中,以便交换关键数据。临时方面很重要,因为它不允许参与组织预先协商整个工作流和/或合同。为了实现这些特别的跨组织协作,可以使用Kubernetes这样的容器编排平台在跨组织的覆盖网络中快速部署容器,甚至是完全自动化的。尽管这在技术上是可行的,但从参与组织的角度来看,当外部组织能够在其网络域内部署任何软件时,可能存在信任问题。本文通过对现有Kubernetes中使用的部署方案进行扩展,研究并解决了这个问题。它允许参与组织评估建议的部署是否符合项目的目标,并维护与单个协作相关的所有活动的概述。这个中间步骤可以防止诚实的组织对抗外部实体(编排者和/或其他组织)的潜在恶意行为,从而解决前面提到的信任问题。对实现的原型的评估表明,除了出于信任管理目的所需的手动干预之外,安全协作(最多需要数十个容器)可以通过每个容器的次秒部署开销获得。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 求助全文
来源期刊
International Journal of Network Management
International Journal of Network Management COMPUTER SCIENCE, INFORMATION SYSTEMS-TELECOMMUNICATIONS
CiteScore
5.10
自引率
6.70%
发文量
25
审稿时长
>12 weeks
期刊介绍: Modern computer networks and communication systems are increasing in size, scope, and heterogeneity. The promise of a single end-to-end technology has not been realized and likely never will occur. The decreasing cost of bandwidth is increasing the possible applications of computer networks and communication systems to entirely new domains. Problems in integrating heterogeneous wired and wireless technologies, ensuring security and quality of service, and reliably operating large-scale systems including the inclusion of cloud computing have all emerged as important topics. The one constant is the need for network management. Challenges in network management have never been greater than they are today. The International Journal of Network Management is the forum for researchers, developers, and practitioners in network management to present their work to an international audience. The journal is dedicated to the dissemination of information, which will enable improved management, operation, and maintenance of computer networks and communication systems. The journal is peer reviewed and publishes original papers (both theoretical and experimental) by leading researchers, practitioners, and consultants from universities, research laboratories, and companies around the world. Issues with thematic or guest-edited special topics typically occur several times per year. Topic areas for the journal are largely defined by the taxonomy for network and service management developed by IFIP WG6.6, together with IEEE-CNOM, the IRTF-NMRG and the Emanics Network of Excellence.
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信