Adoption of the Software-Defined Perimeter (SDP) Architecture for Infrastructure as a Service
IEEE Canadian Journal of Electrical and Computer Engineering (IF 2), Pub Date: 2020-01-01, DOI: 10.1109/cjece.2020.3005316
Jaspreet Singh, Ahmed Refaey, Juanita Koilpillai

The use of cloud Infrastructure as a Service (IaaS) for enterprise applications is at an all-time high and is charted to continue growing to approximately 73% by 2022. IaaS suffers from several security concerns, such as hypervisor hijacking, virtual machine (VM) hopping, and account hijacking. With such a large percentage of enterprise traffic on the cloud, a strong security framework is demanded. To secure IaaS, this article proposes a software-defined perimeter (SDP) as a solution. SDP provides a logical perimeter to restrict access to services with a layer of authentication and authorization to allow. Only authorized clients may connect to services hidden by SDP gateways. SDP is implemented and verified in an AWS cloud environment. Port scanning is used to verify SDP behavior as well. The results demonstrate the SDP’s ability to “darken” services behind a gateway. The performance of SDP against a denial-of-service (DoS) attack is demonstrated in a local environment. The test results demonstrate that SDP is indeed capable of resisting DoS attacks while allowing legitimate user traffic even under the duration of the attack. These results lead to a discussion on future research for SDP in IaaS.

Updated: 2020-01-01