Security Policy driven Security Orchestration for Distributed Cloud Services
Manfred Schäfer, Nokia Bell Labs

The presentation discusses concepts for security management (SM) and orchestration for distributed cloud services, elaborated in the Celtic-Plus SENDATE-PLANETS project. The concepts target Telco Clouds (TC) but also embrace mixed cloud systems. Starting from ETSI NFV and the MANO architecture, we demonstrate how to evolve SM towards distributed services in multi-provider, multi-tenant environments. Based on typical security scenarios, we analyze essential requirements for automated and adaptive SM and present approaches to enable and organize centralized, service-oriented, automated SM driven by security policies. Besides the challenges arising from the flexibility and dynamicity of virtualization, hybrid aspects are considered: Telco Clouds usually cannot be realized and secured by virtualized systems alone, but must always interact with non-virtual systems (e.g., because physical network technology is used and physical security appliances are needed). Moreover, datacenters differ not only in virtualization technologies, but also for regulatory and legal reasons, such as obligatory requirements for lawful interception and privacy protection, depending on the regions over which services may be spread. To enable interfacing between different realms, we introduce Security Management Service Points (SMSP). SMSPs coordinate and mediate security management across administrative domains and support dynamic security policy negotiation, as well as SM automation based on agreed, trusted relationships. Our concepts rely on security policies to describe security requirements and capabilities and to support automation at several stages of a distributed Security Management Life Cycle Process for services.