The computing continuum is a cloud paradigm that integrates edge, fog, and cloud layers into a single distributed system of interconnected devices, enabling resource sharing across heterogeneous environments and administrative domains. Its interwoven nature introduces new challenges, including enforcing proper network isolation between workloads by governing every possible communication among them. Existing solutions are inadequate because they do not cope with the dynamicity and heterogeneity of the continuum, exposing users to risks such as cross-tenant interference or side-channel attacks. To address these challenges, this paper proposes a security solution that automates the configuration of network isolation across the computing continuum. The solution supports the enforcement of advanced security patterns, such as zero trust and least privilege, across the several cloud layers involved in the continuum. It adopts an intent-based approach, letting users specify security requirements in an intuitive, high-level language. The process consists of two core phases: smart verification and harmonization first, then translation. Their design aims to guarantee consistency among the defined intents and adaptability to the evolving nature of the continuum, simplifying the configuration of advanced security patterns and giving tenants fine-grained control over network isolation. The approach was implemented in Kubernetes, where it automates the enforcement of user-defined intents through Kubernetes Network Policies, the native Kubernetes mechanism for network isolation. The implementation was validated both qualitatively, in a comprehensive use case confirming its effectiveness for security management, and quantitatively, to assess the performance of the different phases of the process.

Intent-driven network isolation for the cloud computing continuum / Pizzato, Francesco; Bringhenti, Daniele; Sisto, Riccardo; Valenza, Fulvio. - In: JOURNAL OF NETWORK AND SYSTEMS MANAGEMENT. - ISSN 1064-7570. - ELECTRONIC. - (In press).

Intent-driven network isolation for the cloud computing continuum

Francesco Pizzato; Daniele Bringhenti; Riccardo Sisto; Fulvio Valenza
In press

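The abstract above describes a pipeline of intent verification, harmonization, and translation into Kubernetes NetworkPolicy objects. The following is an added illustration of that pipeline shape, written for this page; it is not the paper's implementation, and the `Intent` schema (an `app` label for source and destination, a TCP port, a namespace) is a hypothetical stand-in for the paper's high-level language. It shows the two practical points a practitioner hits when translating intents into NetworkPolicies: contradictory intents must be caught before translation, and "deny" intents cannot be expressed directly because NetworkPolicy is allow-only, so they are enforced by a default-deny policy and only checked for conflicts.

```python
"""Added example: a toy intent-to-NetworkPolicy translator (not the paper's code).

Mimics the three steps named in the abstract:
  verification  - reject intents that contradict each other
  harmonization - merge intents that target the same workload, drop duplicates
  translation   - emit NetworkPolicy objects: default-deny plus least-privilege allows
"""
from collections import defaultdict
from dataclasses import dataclass
import json


@dataclass(frozen=True)
class Intent:
    """Hypothetical intent schema; the paper's own language is not reproduced here."""
    action: str            # "allow" or "deny"
    src: str               # value of the 'app' label on the source pods
    dst: str               # value of the 'app' label on the destination pods
    port: int              # TCP destination port
    namespace: str = "default"


def verify(intents):
    """Return the (namespace, src, dst, port) keys carrying both an allow and a deny."""
    actions = defaultdict(set)
    for i in intents:
        actions[(i.namespace, i.src, i.dst, i.port)].add(i.action)
    return sorted(key for key, acts in actions.items() if len(acts) > 1)


def harmonize(intents):
    """Group allow intents per destination workload and drop duplicates.

    Deny intents produce no rule of their own: NetworkPolicy has no deny action,
    so anything not explicitly allowed is dropped once a default-deny policy
    selects the destination pod.
    """
    allowed = defaultdict(set)          # (namespace, dst) -> {(src, port), ...}
    for i in intents:
        if i.action == "allow":
            allowed[(i.namespace, i.dst)].add((i.src, i.port))
    return {key: sorted(pairs) for key, pairs in allowed.items()}


def _policy(name, namespace, spec):
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": namespace}, "spec": spec}


def translate(intents):
    """Emit one default-deny-ingress policy per namespace and one allow policy per destination."""
    conflicts = verify(intents)
    if conflicts:
        raise ValueError(f"contradictory intents: {conflicts}")
    policies = []
    for ns in sorted({i.namespace for i in intents}):
        # Empty podSelector selects every pod in the namespace; with policyTypes
        # Ingress and no 'ingress' entries, no inbound traffic is allowed.
        policies.append(_policy("default-deny-ingress", ns,
                                {"podSelector": {}, "policyTypes": ["Ingress"]}))
    for (ns, dst), pairs in sorted(harmonize(intents).items()):
        rules = [{"from": [{"podSelector": {"matchLabels": {"app": src}}}],
                  "ports": [{"protocol": "TCP", "port": port}]}
                 for src, port in pairs]
        policies.append(_policy(f"allow-to-{dst}", ns,
                                {"podSelector": {"matchLabels": {"app": dst}},
                                 "policyTypes": ["Ingress"], "ingress": rules}))
    return policies


# Constructed sample intents for a three-tier app (not from the paper's use case).
SAMPLE_INTENTS = [
    Intent("allow", "frontend", "backend", 8080),
    Intent("allow", "frontend", "backend", 8080),   # duplicate, removed by harmonization
    Intent("allow", "backend", "db", 5432),
    Intent("deny", "frontend", "db", 5432),         # no allow contradicts it: enforced by default-deny
]

if __name__ == "__main__":
    # JSON is valid YAML, so this output can be fed to `kubectl apply -f -`.
    print(json.dumps({"apiVersion": "v1", "kind": "List",
                      "items": translate(SAMPLE_INTENTS)}, indent=2))
```

Two caveats apply to anything built this way. NetworkPolicy objects are enforced by the cluster's network plugin, so on a CNI that does not implement them they are accepted by the API server and silently do nothing; check with a test pod before trusting the isolation. The example covers only ingress within one cluster; egress rules and the cross-layer, multi-domain case the paper targets are outside it.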
Files in this record:
JNSM_2025_Accepted_Manuscript.pdf (restricted access)
Type: 2. Post-print / Author's Accepted Manuscript
License: Not public - private/restricted access
Size: 3.92 MB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11583/3003532