IMS: Towards Computability and Dynamicity for Intent-Driven Micro-Segmentation


Bibliographic Details
Published in: IEEE Transactions on Dependable and Secure Computing, pp. 1-18
Main Authors: Ma, Zixuan; Li, Chen; Zhang, Yuqi; You, Ruibang; Tu, Bibo
Format: Journal Article
Language: English
Published: IEEE, 12.06.2024

Summary: Micro-segmentation (MSG), a pillar of Zero-Trust, provides fine-grained access control for east-west traffic between cloud endpoints (VMs/containers). Admins formulate strict whitelisting MSG policies that allow necessary traffic. However, current MSG systems lack the computability foundation to resolve policy inconsistencies, where policy overlap can cause conflicts that violate the security requirements, and to verify policy reachability to avoid erroneously blocking necessary traffic. Meanwhile, current MSG systems lack comprehensive dynamicity processing, including maintaining invariants when updating MSG policies and promptly adjusting policy enforcement for endpoint status changes. We propose IMS, the first intent-driven MSG system towards computability and dynamicity. IMS innovatively defines the endpoint group space and algebra, providing the computability foundation for formally and automatically verifying and processing MSG policies. Based on this, IMS implements functionalities to resolve policy inconsistencies and to verify policy reachability. Meanwhile, IMS achieves comprehensive and prompt dynamicity processing. IMS fulfils the verification and dynamicity processing requirements of intent-driven systems. We implement a prototype and evaluations show that the processing time of IMS functionalities scales linearly with the number of policies, and the average endpoint dynamicity processing time is 5.05 ms in the setup of 1,000 endpoints, illustrating that IMS is scalable and can process dynamicity promptly.
ISSN: 1545-5971, 1941-0018
DOI: 10.1109/TDSC.2024.3413752