SecShift

With the full title 'SecShift: Analysis and Conception of Traffic Security for the OpenShift Platform', SecShift is the master's thesis of Dominik Pataky, finished in June 2019 at the Chair of Computer Networks, Faculty of Computer Science, TU Dresden, Germany.

Most content can be found in the related blog article. The full thesis and presentation will be published here in the near future.

Abstract

Cloud infrastructures are becoming the prevalent environments for application deployments, ranging from the execution of small single binaries to distributed high-availability clusters with web servers, caches and multi-tier database instances. As new needs arise, new platforms emerge in perpetually faster technology cycles. In this context, the security of data and systems, which has traditionally been given low priority in development sprints, is slowly catching up in an increasingly hostile networking and computing landscape.

This thesis makes a contribution to the field of cloud security. With SecShift, Red Hat's Kubernetes-based OpenShift platform is extended with a transparent network encryption layer that secures the tenant-internal network traffic of deployed applications. SecShift covers not only encryption but key management as well. Thanks to its hybrid distributed design, only a small fraction of OpenShift's central components are needed for the autonomous operation of SecShift's daemons.

Further design alternatives are examined and evaluated, allowing future work on the topic of cloud traffic security to benefit from the groundwork in threat modelling as well as from the creation of design and topology variations for extensions and improvements.

Demo

The video below is a 5-minute demonstration of the SecShift reference implementation, showing traffic security in action.