DocumentCode :
604043
Title :
Engineering Intrusion Prevention Services for IaaS Clouds: The Way of the Hypervisor
Author :
Laniepce, Sylvie ; Lacoste, M. ; Kassi-Lahlou, M. ; Bignon, F. ; Lazri, Kahina ; Wailly, A.
Author_Institution :
Orange Labs., Cesson-Sévigné, France
fYear :
2013
fDate :
25-28 March 2013
Firstpage :
25
Lastpage :
36
Abstract :
Strong user expectations for protecting their cloud-hosted IT systems make enhanced security a key element for cloud adoption. This means that cloud infrastructure security should be guaranteed, but also that security monitoring services should be correctly designed to protect the user Virtual Machines (VMs), using Intrusion Detection and Prevention Services (IDPS). This paper gives an overview of available and emerging techniques for building intrusion monitoring services, analyzing their ability to address the VM protection requirements in a cloud context. While network- and host-based security monitoring are shown not to be well suited for the cloud, this paper makes a position statement, recommending a new monitoring approach, called hypervisor-based, as an alternative. This approach benefits from virtualization to monitor through the hypervisor, and from outside the user execution context, the security of computing, networking, and storage resources allocated to user VMs. Compared to traditional IDPS designs, hypervisor-based architectures are shown to be the most promising, greatly improving user VM security. This analysis also highlights the privileged role of the cloud provider to operate such type of IDPS, since it may perform integrated security monitoring as provider of both infrastructure and security services.
Keywords :
cloud computing; security of data; virtual machines; IaaS clouds; cloud adoption; cloud context; cloud hosted IT system; cloud infrastructure security; cloud provider; engineering intrusion prevention service; host based security monitoring; hypervisor; integrated security monitoring; intrusion detection; intrusion monitoring service; security monitoring service; strong user expectation; user execution context; user virtual machines security; Computer architecture; Context; Monitoring; Security; Software; Virtual machine monitors; Virtualization; Cloud Computing; Hypervisor; Intrusion Detection Services; Intrusion Prevention Services; VM Introspection;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Service Oriented System Engineering (SOSE), 2013 IEEE 7th International Symposium on
Conference_Location :
Redwood City
Print_ISBN :
978-1-4673-5659-6
Type :
conf
DOI :
10.1109/SOSE.2013.27
Filename :
6525501