on-premises

On-premises responsibilities cover operating and securing physical datacenter infrastructure and private clusters—provisioning servers, storage and network equipment, running virtualization (VMware) or Kubernetes on bare metal, applying backups, patches, and network/security controls to meet organizational compliance and latency requirements.

on-premises

12-Month Skill Trend

Momentum and market value over time
Trending
Score
+20 in 12 mo
96
12 mo agoNow
Career
Value
+$12K in 12 mo
$42K/year
12 mo agoNow

Recommended Survey Paper

Quick overview of the field
View more

Must-Read Papers

Most classic and influential ideas
View more

Inside Job: Defending Kubernetes Clusters Against Network Misconfigurations

Jun 26, 2025
JB
Jacopo Bufalino
🏛️ CNAM | Aalto University | Universitat Politècnica de València

This study systematically reveals the significant impact of network misconfigurations on lateral movement attack risks in Kubernetes clusters. Addressing the limited coverage of existing detection tools, we propose a security assessment framework that integrates static configuration analysis with lateral movement path modeling. We conduct a large-scale, cross-organizational empirical study across 287 open-source applications, identifying— for the first time—634 real-world network misconfiguration vulnerabilities, far exceeding the detection capacity of mainstream tools. Our findings have driven remediation efforts in over 30 critical open-source projects; the proposed mitigation strategies have been adopted by multiple enterprises, substantially enhancing network isolation and overall security posture in production Kubernetes deployments.

Analyzing Kubernetes network misconfigurations affecting securityEvaluating real-world misconfigurations in 287 open-source applicationsIdentifying lateral movement risks in Kubernetes deployments

Considerations for Cloud Security Operations

Jan 23, 2016
JJ
James J. Cusick
🏛️ Wolters Kluwer | CT Corporation

This paper addresses the fragmentation of information security governance and insufficient standard alignment in cloud computing environments. Methodologically, it proposes a layered security operations reference framework that integrates cloud service models (IaaS/PaaS/SaaS) with mainstream security frameworks (ISO/IEC 27001 and the OWASP Cloud Security Guidelines), and—novelty—systematically unifies cloud-native architectural characteristics with Secure SDLC practices to establish an actionable security governance pathway across public cloud, private cloud, and all three cloud service layers. The core contribution is a structured cloud security operations checklist and a control-mapping matrix that jointly aligns regulatory compliance requirements and risk mitigation objectives. This dual-dimension alignment significantly enhances security controllability and accelerates standards implementation during cloud migration.

Covers topics like Private Cloud, Public Cloud, SaaS, PaaS, IaaSDiscusses security needs and mitigation approaches for Cloud ComputingExplores Information Security in Cloud Computing environments

Enterprise cloud environments are frequently exposed to security threats due to misconfigurations, excessive permissions, and fragmented security tooling, compounded by the absence of unified, coordinated protection across Kubernetes, OpenStack, and Infrastructure-as-Code (IaC) platforms. This work proposes the first open-source microservices-based security framework that uniquely integrates identity governance, multi-platform configuration auditing, runtime threat detection, and automated IaC remediation into a single closed-loop system. Designed with standardized REST/gRPC interfaces and scalable for medium-to-large deployments, the framework synergistically combines Falco, ELK, Terraform, Checkov, and OPA. In enterprise evaluations, it reduced vulnerability assessment time from 120 to 18 minutes, achieved a false positive rate below 5%, decreased security incidents by 62%, and lowered operational costs by approximately 40%, all while being released under the Apache 2.0 license.

cloud securitycloud-nativemisconfiguration

Analysis of Security in OS-Level Virtualization

Jan 02, 2025
KS
Krishna Sai Ketha
🏛️ The Ohio State University

Containerized environments suffer from isolation uncertainty due to kernel sharing, undermining security guarantees across the container lifecycle. Method: This paper introduces the first structured threat modeling methodology tailored to the full container lifecycle—creation, runtime, and termination—extending the STRIDE framework to formally characterize verifiable attack surfaces at each stage. Leveraging systematic analysis of Linux namespaces and cgroups, we conduct empirical isolation testing. Contribution/Results: Our study identifies six distinct cross-container attack vectors inherent to shared-kernel architectures and quantitatively demonstrates that, under default configurations, PID and network namespace isolation fails in 37% of cases. The work delivers a reproducible, actionable theoretical framework and empirical benchmark for container security assessment—fundamentally diverging from conventional hypervisor-based virtualization security paradigms.

Resource SharingSecurityVirtualization

Resource Management Schemes for Cloud-Native Platforms with Computing Containers of Docker and Kubernetes

Oct 20, 2020
YM
Ying Mao
🏛️ Fordham University | Dublin City University | Wageningen University

This study addresses prolonged task completion times, low resource utilization, and high resource release latency in Docker/Kubernetes containers on cloud-native platforms running compute-intensive workloads (e.g., big data and deep learning). We systematically evaluate the performance impact of diverse resource scheduling strategies through system-level monitoring—leveraging cgroups and metrics-server—and multi-workload stress testing. For the first time, we empirically quantify how key resource configurations significantly affect task completion time (±79.4% variation) and resource release latency (+116.7% degradation). Based on these findings, we propose an evidence-driven configuration optimization paradigm that reduces maximum task completion time by up to 79.4% and precisely identifies configuration bottlenecks responsible for latency. Our results provide reproducible, transferable empirical foundations for resource management tuning and deployment decisions in cloud-native environments.

Analyzing system overhead and resource usage in cloud-native environmentsEvaluating performance of big data and deep learning applicationsInvestigating resource management schemes for Docker and Kubernetes platforms

Latest Papers

What's happening recently
View more

This study addresses inefficient virtual machine (VM) scheduling and resource allocation in enterprise cloud environments. Leveraging real-world operational telemetry from the SAP Cloud Platform—comprising 1,800 physical hosts and 48,000 VMs—we construct and publicly release, for the first time, a fine-grained, full-stack time-series telemetry dataset covering both SAP S/4HANA and general-purpose applications. Using observability tools, we collect infrastructure-level metrics across the entire stack and perform large-scale time-series analysis. Our analysis uncovers critical bottlenecks: CPU contention exceeding 40%, maximum VM ready-time latency reaching 220 seconds, CPU load imbalance affecting 99% of hosts, and sustained CPU utilization below 70% for over 80% of VMs. These findings establish the first enterprise-grade empirical foundation and reproducible dataset to guide the design of adaptive, workload-aware scheduling algorithms grounded in production realities.

Analyzing VM scheduling and placement in SAP's cloud platformDeriving requirements for improved cloud scheduling algorithmsIdentifying suboptimal resource allocation and performance issues

This study addresses the widespread adoption of cloud computing by small and medium-sized enterprises (SMEs) in critical infrastructure, where deployment models and associated security and reliability risks remain poorly understood. Focusing specifically on multi-cloud strategies in this context, the research employs a systematic review of academic, industry, governmental, and online sources, complemented by content analysis, to holistically assess current deployment practices and risk characteristics. Findings reveal that while SMEs exhibit high levels of cloud adoption, their risk management practices significantly lag behind, highlighting an urgent need for targeted policy guidance and practical frameworks. The results provide empirical evidence and actionable insights for both regulatory bodies and enterprise decision-makers to better navigate the complexities of secure and resilient cloud deployment in critical sectors.

Cloud computingCritical infrastructureCybersecurity risks

This work addresses the challenge of observing co-location attacks and denial-of-service risks in serverless computing, which stem from scheduling and resource-sharing mechanisms and are difficult to detect in production environments. The paper presents the first security-oriented discrete-event simulator that explicitly models attackers and victims as first-class entities. By accurately capturing function invocation arrivals, scheduling policies, container reuse, and resource contention dynamics, the framework enables controlled and reproducible experimental analysis of security risks. It supports quantitative evaluation of key security metrics, including co-location probability, tail latency, and invocation drop rate. Experimental results demonstrate that scheduler choice significantly influences co-location risk—varying by multiple orders of magnitude under identical load—while denial-of-service behavior is primarily governed by service time, queuing policies, and cluster capacity.

co-location attacksdenial-of-serviceresource contention

Modeling and Simulation of Data Protection Systems for Business Continuity and Disaster Recovery

Dec 01, 2025
SN
Sašo Nikolovski
🏛️ AUE -FON University | University "St. Kliment Ohridski"

In cloud environments, selecting optimal data protection strategies for business continuity and disaster recovery remains challenging due to the lack of quantitative foundations for evaluating reliability and aligning with organizational Recovery Time Objectives (RTOs) and operational requirements. Method: This paper proposes an integrated assessment framework that synergistically combines system dynamics modeling and simulation-based optimization. It quantitatively evaluates key performance indicators—including recovery timeliness, data integrity, and system robustness—across public and hybrid cloud scenarios by simulating mainstream recovery mechanisms. Contribution/Results: The framework innovatively applies system dynamics to model time-varying dependencies during recovery processes and establishes interpretable, traceable mappings between policy parameters, technical metrics, and business objectives. Empirical validation demonstrates its reproducibility and practical utility, providing cloud-native organizations with a quantifiable, verifiable, and actionable decision-support methodology for data protection strategy selection.

Comparative analysis of cloud-based recovery solutions for reliabilityModeling and simulation of data protection systems for business continuityProposes a framework for selecting and maintaining organizational recovery solutions

This work addresses the critical security vulnerability in traditional monolithic kernels, where a flaw in any single component can compromise the entire system. Existing isolation approaches often entail extensive kernel modifications or incur substantial performance overhead. To overcome these limitations, the authors propose a lightweight hardware-assisted isolation architecture that leverages extended page tables (EPT) and fine-grained access control policies to enforce strong inter-component isolation with minimal changes to the kernel source code. A sentinel function mechanism is introduced to efficiently validate cross-domain calls, thereby avoiding frequent and costly transitions into the hypervisor. Evaluation on the Linux networking stack and the igc network driver demonstrates that, when isolation boundaries are judiciously defined, the performance overhead for processing MTU-sized packets is negligible.

compartmentalizationkernel isolationleast privilege

Hot Scholars

DM

Daniel Mendez

Full Professor at Blekinge Institute of Technology and fortiss GmbH
Empirical Software Engineering
MK

Marcos Kalinowski

Professor, Pontifical Catholic University of Rio de Janeiro (PUC-Rio)
Empirical Software EngineeringAI EngineeringAI4SEHuman Aspects in Software Engineering
FC

Fabio Calefato

Associate Professor, University of Bari
Human Factors in Sw EngSE4AIMining Software RepositoriesPersonality + Sentiment Analysis
GH

Guilherme Horta Travassos

Full Professor of Software Engineering, PESC/Coppe, Universidade Federal do Rio de Janeiro (UFRJ)
ExperimentationSoftware EngineeringSoftware QualitySoftware Testing
RP

Rafael Prikladnicki

Professor at Escola Politécnica da Pontifícia Universidade Católica do Rio Grande do Sul, Brazil
Software EngineeringGlobal Software EngineeringEmpirical Software EngineeringAgile Software