OpenIaC: Open Infrastructure as Code - The Network is My ...

17
OpenIaC: Open Infrastructure as Code - The Network is My Computer Chunming Rong ( [email protected] ) University of Stavanger https://orcid.org/0000-0002-8347-0539 Jiahui Geng University of Stavanger Thomas J. Hacker Purdue University Haakon Bryhni Simula Metropolitan Center for Digital Engineering AS Martin G. Jaatun SINTEF Digital Research Article Keywords: 5G and Beyond, Infrastructure-as-Code, Zero Trust Architecture, Decentralized Identiヲer, Blockchain Posted Date: November 9th, 2021 DOI: https://doi.org/10.21203/rs.3.rs-1055507/v1 License: This work is licensed under a Creative Commons Attribution 4.0 International License. Read Full License

Transcript of OpenIaC: Open Infrastructure as Code - The Network is My ...

OpenIaC: Open Infrastructure as Code - TheNetwork is My ComputerChunming Rong  ( [email protected] )

University of Stavanger https://orcid.org/0000-0002-8347-0539Jiahui Geng 

University of StavangerThomas J. Hacker 

Purdue UniversityHaakon Bryhni 

Simula Metropolitan Center for Digital Engineering ASMartin G. Jaatun 

SINTEF Digital

Research Article

Keywords: 5G and Beyond, Infrastructure-as-Code, Zero Trust Architecture, Decentralized Identi�er,Blockchain

Posted Date: November 9th, 2021

DOI: https://doi.org/10.21203/rs.3.rs-1055507/v1

License: This work is licensed under a Creative Commons Attribution 4.0 International License.  Read Full License

RESEARCH

OpenIaC: Open Infrastructure as Code - TheNetwork is my ComputerChunming Rong1*, Jiahui Geng1, Thomas J. Hacker2, Haakon Bryhni3 and Martin G. Jaatun1,4

Abstract

Modern information systems are built fron a complex composition of networks, infrastructure, devices, services,and applications, interconnected by data flows that are often private and financially sensitive. The 5Gnetworks, which can create hyperlocalized services, have highlighted many of the deficiencies of currentpractices in use today to create and operate information systems. Emerging cloud computing techniques, suchas Infrastructure-as-Code (IaC) and elastic computing, offer a path for a future re-imagining of how we create,deploy, secure, operate, and retire information systems. In this paper, we articulate the position that acomprehensive new approach is needed for all OSI layers from layer 2 up to applications that are built onunderlying principles that include reproducibility, continuous integration/continuous delivery, auditability, andversioning. There are obvious needs to redesign and optimize the protocols from the network layer to theapplication layer. Our vision seeks to augment existing Cloud Computing and Networking solutions withsupport for multiple cloud infrastructures and seamless integration of cloud-based microservices. To addressthese issues, we propose an approach named Open Infrastructure as Code (OpenIaC), which is an attempt toprovide a common open forum to integrate and build on advances in cloud computing and blockchain toaddress the needs of modern information architectures. The main mission of our OpenIaC approach is toprovide services based on the principles of Zero Trust Architecture (ZTA) among the federation of connectedresources based on Decentralized Identity (DID). Our objectives include the creation of an open-source hubwith fine-grained access control for an open and connected infrastructure of shared resources (sensing, storage,computing, 3D printing, etc.) managed by blockchains and federations. Our proposed approach has thepotential to provide a path for developing new platforms, business models, and a modernized informationecosystem necessary for 5G networks.

Keywords: 5G and Beyond; Infrastructure-as-Code; Zero Trust Architecture; Decentralized Identifier;Blockchain

1 Introduction and MotivationThe ongoing adoption of the 5G networking technolo-gies and applications poses a significant challenge tothe infrastructure and networking community who willbe tasked with deploying and operating a full stackof services that are a composition of hyperlocalized,municipal, regional, national, and international infras-tructure and services [1, 2, 3]. A recent (2020) pa-per by Duan et al. [4] provides an overview of chal-lenges and opportunities inherent in the convergenceof networking and cloud computing that will be at thecore of 5G. It is clear that this convergence will posesignificant challenges to operators who seek to pro-vide a secure, reliable, and sustainable infrastructure

*Correspondence: [email protected]. of Electronic Engi. and Computer Science, University of Stavanger,

Stavanger, Norway

Full list of author information is available at the end of the article

that can be compliant with the policy frameworks andlaws of overlapping corporate and governmental en-tities. 5G, as a new type of infrastructure, will pro-mote the deep penetration and mutual integration ofinnovative technologies, including artificial intelligence(AI), blockchain and the Internet of Things (IoT). Onthe one hand, large-scale communication and mission-critical communication put higher requirements on thenetwork’s rate, stability, and latency [5]. Blockchainconsensus mechanism establishment and mobile-basedmachine learning services are equally dependent oncommunication networks. On the other hand, 5G andbeyond are expected to connect more than 100 bil-lion terminal devices and heterogeneous networks [6].Therefore, there is a need to provide trusted interoper-ability for 5G service management as well as for hetero-geneous networks of IoT devices [7, 8]. And AI will not

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

Rong et al. Page 2 of 11

only reduce network latency and improve efficiency [9]but also create more service scenarios and unlock datavalue on top of IoT and blockchain [10, 11].Today, mobile roaming services are now embedded in

our daily lives where identities such as the IMEI (In-ternational Mobile Equipment Identity) identifier andSIM (Subscriber Identity Module) cards are used to ac-cess the cellular network infrastructure. With new ca-pabilities provided by emerging 5G networks (and be-yond), the traditional need for network resource shar-ing is rapidly extended to computing and resourcesharing across distributed nodes, where inseparabil-ity and orchestration among the participating resourceproviders will be needed.Eduroam [12] is a current example within this prob-

lem space that provides a pathfinding example. For ed-ucational institutions, Eduroam has been operationalworldwide under an agreement protocol, where usersare authenticated by their home institution on an as-need basis as users roam across institutions. The prob-lem is simplified by the reality that sharing of a publicWiFi resource is a relatively static exchange of infor-mation that can be shared with minimal cost. How-ever, challenges arise when sharing incurs economiccosts, e.g., if a printing service becomes part of anEduroam agreement. There is an obvious need for openand dynamic sharing for participating members in afederation that can be managed via a contract agree-ment. This will require a global identifier that is rec-ognized across and within a federation.With fiber-connected large scale data centers as

well as smaller data centers at the edge of a 5G de-ployment, digital value-chain creation should look be-yond simple data storage in data facilities. Businessvalue has greater potential to be created by secure,data-centered computing in a federated manner, basedon the exploitation of emerging technologies such asmachine learning, big data, cloud, and edge com-puting, software-defined communications, blockchain,and post-quantum cryptography. The availability of atrustworthy decentralized identity is necessary to en-able user-focused innovations in federated ecosystemswith multiple service providers. This is needed to in-tegrate digital technologies, knowledge, and data as-sets to create a distributed information ecosystem thatcould become more responsive to citizens as well asimprove customized digital services. This new decen-tralized infrastructure approach has great potential toaddress many digital ethics issues and requirementsby the GDPR (General Data Protection Regulationby the European Union), including data ownershipand usage, data quality, data privacy, security and ac-countability. These protections must be in place formanaging industry data, public sector data, and per-sonal data to ensure compliance with GDPR today

and other emerging legal requirements in the future.Noticeably, major stakeholders in IT and banking haveendorsed such research and innovations.Due to the complex legal climate surrounding data,

businesses are understandably reluctant to allow datato flow outside the legal boundaries they operatewithin into the cloud, especially when their core busi-ness value may suffer loss. Additionally, individualshave concerns over privacy and lack of control. Hence,the industry has increasingly focused on a separatedand controlled “walled gardens” rather than a commongood shared public infrastructure. What is needed is aframework of App Repository Services that is similarto Google Mobile Services (GMS) and Google Play un-der which federated framework agreements, rules, andregulations, dispute resolution mechanisms, paymentand billing are organized.We posit that in order to achieve the goals of 5G

and to provide seamless access to hyperlocalized ser-vices and information in 5G networks, a comprehensivearchitectural framework is needed that can be used toguide efforts to integrate the myriad of capabilities,open-source and commercial software, and hardwarecomponents. This architectural framework must en-sure the utmost level of security, privacy, compliancewith local laws and polices, and facilitate a viable busi-ness model that would encourage innovation and theprovisioning of local, national, and international ser-vices.Existing infrastructure approaches in use today will

require significant rethinking to accommodate highlymobile users, the ability to place an infrastructure atscale at the ”edge” near 5G devices, provide rock-solidsecurity and privacy for mobile devices as well as fixedInternet of Things devices with limited onboard com-puting capability; and to greatly simplify and ease theintegration and access to a broad range of existing andnew devices. Some examples of the potential uses in-clude: creating a virtual factory with advanced man-ufacturing that securely integrates geographically dis-tributed equipment; printing devices (3D and paper);door card reader devices and room scheduling systems;and automobile information systems. A recent articlein Forbes summarizes some of the potential applica-tions of 5G technology [13]. We are now at the thresh-old of a time when almost every item runs softwareand can be interconnected.Although existing software components and tech-

nologies can be used on an individual basis, what islacking today is a comprehensive and robust frame-work that can be used to fully and securely integratedevices and computing capabilities and scale up andout infrastructure to meet the coming needs. Gener-ally, the gaps that need to be addressed include trust,

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

Rong et al. Page 3 of 11

authentication, infrastructure deployment and integra-tion, reliability, service discovery, and data control.Figure 1 provides an overview of the Computing Man-agement Services layer and a summary of the underly-ing services and resources that will be needed to sup-port the open OpenIaC layer for 5G networks.

Figure 1 Computing Management Services and resourcemanagement in an IaC cloud

The next section of this paper summarizes some ofthe challenges that motivate our position. After this,we present our proposed framework.

2 Challenges to be SolvedA myriad of challenges must be solved to create a ro-bust, secure, and reliable infrastructure platform uponwhich services based on technologies such as 5G andclouds need to operate. These challenges fall acrossmany technology areas (such as networking, comput-ing infrastructure, cloud computing, security) as wellas socio-technical and legal environments.Addressing these challenges will require the thought-

ful application of existing and emerging technologicalcomponents, and in many cases require the revisitingof the underlying assumptions that were “baked into”the technologies at the time they were created.In this section, we explore in detail some of these

challenges that would need to be carefully consideredand addressed to develop a comprehensive architec-ture. We discuss the following issues: service orchestra-tion; service level agreements focused on billing, me-tering, and capacity planning; more secure networking;sharing edge computing nodes; and accountability andreliability of service providers.

2.1 Service OrchestrationThe management and deployment of the infrastructureas well capabilities for 5G networks built on global andhyperlocalized services is likely to require extensive au-tomation. Automation of management and creation ofinfrastructure to support 5G networks will require acommon framework upon which a vast variety of ser-vice/application providers and hardware vendors canbuild on [4]. This is one of the motivations of our pro-posed OpenIaC effort. It will help break down silosbetween providers and inhibit the emergence of pro-prietary “walled gardens” that would discourage theadoption of 5G networks. Service Orchestration willbe a significant challenge that will require highly reli-able and scalable automated infrastructure and appli-cation environments built on Continuous Integration,Development, and Continuous Deployment pipelines.

Continuous Integration, Development, and Continu-ous Deployment (CI/CD) is a technique that has beendeveloped to help automate the integration, testing,and transition into production software developed byindividuals or teams that use a shared software repos-itory, along with an automated pipeline for buildingand testing new and existing code, This functionalityis at the heart of DevOps [14].DevOps pipelines can include IaC capabilities as an

integral part of operating the deployed infrastructurethat provides the foundation for 5G services. Deploy-ing CI/CD using IaC for a scaled-out hyperlocalized5G installation is likely to be a formidable challengewithout the presence of a widely adopted commonframework.Nemeth [14], a recent blog [15], and web article by

Hisaka [16] describes some of the necessary servicesneeded for basic CI/CD system, which include the fol-lowing components:

• Source Code Control. The heart of a continuousintegration, delivery, and deployment system isrepresented by a stable and secure base of sourcecode. The source code is not only for applicationsdeployed, but also for Infrastructure-as-Code ar-tifacts that are used to actually install and deploythe systems. GitHub [17] and GitLab [18] are pop-ular software systems used for this today, and canprovide a reasonable level of security as well astracking the history of changes to the code baseover time. Notably, Github is planning a transi-tion to requiring tokens for access beginning inAugust 2021 [19].

• Automation of the process of building and testingcode. As described by Nemeth [14], the CI/CDpipeline starts with a successful build operation ofthe code base, followed by automated testing anddeployment. Tools such as Jenkins can be usedto implement the workflow from build to deploy-ment.

• Infrastructure. Computing infrastructure, pro-vided by a cloud provider and/or organizationowned resources, is needed for implementing theCI/CD pipeline. Infrastructure provisioning sys-tems such as Kubernetes [20] or Terraform [21] aswell as a container system (typically Docker [22])is needed to create and tear down the requiredinfrastructure for building and testing the codebase.

• Images for testing and deployment. When usingcontainers for implementing the CI/CD pipeline,as well as for application images for building,testing, and deploying, a container repository isneeded for holding and disseminating the images.A docker repository is one example that can be

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

Rong et al. Page 4 of 11

used. Other examples include Helm [23] (for Ku-bernetes), JFrog Artifactory [24], and Nexus [25].

2.2 Infrastructure as Code (IaC)Deploying and managing services within the OpenIaCframework requires capabilities to express the infras-tructure using Infrastructure as Code (IaC) [26] tech-niques. Implementing a production IaC system willneed a consistent software and infrastructure supportenvironment to reliably and securely function. Morris[27] describes some of the underlying principles mo-tivating IaC that reflects the critical need for Ope-nIaC for 5G infrastructure. These principles include:building on the assumption that the underlying infras-tructure and systems will not be dependable; avoidingspecialization in individual systems (Morris calls these”snowflake systems”), in which every system is unique;and creating infrastructure that can be ”disposable”as needs fluctuate to support efficient scaling. Overall,this approach is focused on exploiting software version-ing, repeatability, and auditability of the infrastruc-ture. These principles are all in service to the primarygoal of seeking to fully automate the creation, deploy-ment, and retirement of the complete top-to-bottominfrastructure.As 5G infrastructure is created and deployed, there

is a critical need to fully express the infrastructure”as code” rather than a jumbled collage of one-off sys-tems that are overly complex that present users with aconfused jumble of out-of-revision services with manyvulnerabilities.In the context of Infrastructure-as-code, there are

several areas that represent challenges that will needto be addressed at the intersection of IaC and our en-visioned OpenIaC framework.

• Integration of infrastructure IaC code into appli-cation and service CI/CD pipelines. If we assumethat each application and/or service is managedusing a CI/CD pipeline, then the CI/ CD pipelinefor the code for the infrastructure will need tobe coordinated with the CI/CD pipelines for theapplications and services. This will be especiallyimportant if the applications and services requirespecialized infrastructure components, or if thereare conflicting requirements among the applica-tions and services.

• IaC language basis. As described in Morris [27],the power of declarative (e.g., Puppet) vs. imper-ative (e.g., BASH scripts) languages used to ex-press infrastructure requires a shift in thinking.Finding good balances between declarative andimperative expressions of infrastructure is likelyto be an ongoing challenge for IaC developers op-erating 5G network infrastructure.

• Managing the plethora of cloud infrastructureproviders, provisioning and configuration manage-ment tools. There are many cloud vendors offer-ing infrastructure, as well as options for owningand running infrastructure in-house. The chal-lenge will be in managing the complexity of thecombination of infrastructure, provisioning, andconfiguration management tools in an always-running production infrastructure scaled out geo-graphically and scaled up in services and appli-cations. For example, which tools (i.e., Kuber-netes and Terraform) work best for infrastructureand provisioning? For configuration management,would Puppet or Ansible be best? How would theevolution across and among these tools be man-aged over time as needs and services change overtime?

• Navigating the close vertical integration of net-working, infrastructure, applications, and ser-vices, as well as the bootstrapping and manage-ment of these services as monolithic vs. microstacks [27] that are expressed as IaC code will bean operational challenge.

• Managing the people side of this – who is autho-rized to make changes, is there an equivalent of achange control board, how are changes approved?can a change be backed out easily if it causes aproblem?

2.3 Redesign Secure NetworkingThe layer 2 network architecture available today isbased on Ethernet standards initially developed in the1980s. Although these standards have evolved some-what over time as we moved from coaxial cable totwisted pair and fiber optics, some of the fundamen-tals of how these networks operate and are used ev-ery day have not kept up with current needs and theincreasingly hostile security environment. As a conse-quence, we rely today on outmoded capabilities thathave serious inherent security drawbacks that repre-sent a potential threat. What is needed is to revisitand redesign the network architecture (hardware, soft-ware, and protocol) with an aim of updating the built-in assumptions in Ethernet from the past to increaseperformance, evolve networking for new application re-quirements, improve quality of service, improve energyefficiency and the environment (e.g., repairability andrecyclability), increase security and resilience, and toevolve networking to inherently support a model ofopen technology frameworks that can easily integrateexisting and new technologies and applications to pro-vide a suite of services for other systems as well as forusers.Ethernet has served us well, and provided a reliable

base for building applications and services over the

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

Rong et al. Page 5 of 11

global Internet for layer 3 and higher-layer services.Ethernet provided a stable platform that supportedthe development of significant capabilities and inno-vations in TCP/IP, ranging from the simple (such asports and congestion avoidance) to the complex (suchas IPSec and modern routing protocols). TCP/IP hasevolved to facilitate the movement of packets acrosswide areas and many different administrative domains.In contrast to layer 3, Ethernet has been bound to pro-vide services to only a limited geographic span – bypractice and by necessity within a single administra-tive domain.The lack of evolution of Ethernet has created signifi-

cant capability gaps. The first gap is the assumption inEthernet that a network operator can completely con-trol where and when a system attaches to a network.This assumption needs to be revised to include an ac-cess control model that can be easily deployed. Therehave been many efforts to define standards for ac-cess control for wired networks (e.g. 802.1X, 802.1AE(MACsec)) over the past decade. In practice, however,these are not widely used to the same extent that ac-cess control is implemented for wireless networks. Oneexample, Open1X [28], has been quiescent for over adecade. Moreover, if an end device is not 802.1X ca-pable, or is attempting to PXE boot from the networkport, 802.1X will not directly support this device with-out complex workarounds within the network and thesystem[29, 30].With the need for enhanced network functionality

grounded in layer 2, and the pervasively hostile net-working environment, what is needed for networkingtoday and in the future is a fundamental shift to de-signing networks and applications based on a ”zerotrust” networking model based on an architectural ap-proach described in the recent paper from NIST [31].Any and all devices that attach to a wired or wirelessnetwork need a default ”zero trust” mode that doesnot permit the device to attach to the network with-out meeting security standards to protect the devicefrom attack or intrusion. The definition of a deviceranges from simple IoT devices and sensors up to en-tire clusters of hardware nodes or VMs.The second gap in Ethernet today is that it does not

include a conceptual equivalent of ports in IP. IP portsallow a single host to provide access points for multipleservices accessible at a single IP address. Ethernet fea-tures an EtherType field (represented in Linux in the/etc/ethertype file) that is currently populated withdefunct networking protocols (e.g., DECnet and Ap-pleTalk) that could perhaps be re-purposed to repre-sent Ethernet services using the equivalent of IP portsavailable at a single Ethernet address.There are several consequences of this lack of evolu-

tion of Ethernet that have created security problems

and capability gaps. First, we cannot easily controlwhere and when services (such as DHCP and ARP)are offered within an Ethernet broadcast domain. Thisis the source of security vulnerabilities (such as ARPspoofing and multiple DHCP providers) arising fromthe multiple offering of the same service within abroadcast domain. There is no clear analog to portsor services for Ethernet that would allow the targetedinquiry and discovery of layer 2 services using a com-bination of Ethernet multicast and EtherType frames.There is also the possibility of the multiple overlappingoffering of the same service within an Ethernet broad-cast domain, and there are no comprehensive mecha-nisms (other than broadcast queries) to discover layer2 services available in a broadcast domain.These gaps in capabilities and problems lead to poor

security and difficulties in controlling the publicationand unpublication of layer 2 services. The workaroundfor these problems is to partition broadcast domainsusing VLANs or physical network separation (such asair gapping) that are complex and difficult to scaleand manage, which leads to inherent vulnerabilities.The overall consequence is that it is complicated anddifficult to create new layer 3 protocols that can rely onlarge scale (geographic and number of stations) Eth-ernet broadcast domains.It is clear that a comprehensive effort is needed to

revisit and redesign the layer 2 network architecture(hardware, software, and protocols) with a focus ongaps existing today and with a view of anticipatingfuture needs and vulnerabilities. Open challenges in-clude performance, adaptability to application require-ments, quality of service, resilience in the face of secu-rity threats, energy efficiency, environmental consider-ations (repairability and recyclability), and being in-creasingly supportive of open and decentralized tech-nologies and services. A recent paper by Moubayed etal. [32] describes an architectural framework approachnamed Software Defined Perimeter that has the po-tential to address many of the gaps.

2.4 Sharing Edge Nodes

Figure 2 IaC nodes in a Network of networks.

Cloud computing has proved cost-effective comparedto on-premises data centers and is now the de-factochoice for enterprise and public use with some excep-tions where very strict security and legislation for na-tional control of storage location is required. However,cloud computing may not be used for an emergingclass of applications with time-sensitive requirementsdue to the high and unconstrained latency from the

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

Rong et al. Page 6 of 11

application to the physical location of the processingcapacity offered. In the cloud, the location may alsochange due to virtualization and load balancing. Thisis particularly important for the emerging Industry 4.0applications and is a key feature of the 5G networkstructure. 5G provides 3 main service modes: Mas-sive Machine Type Communications (mMTC); Ultra-reliable and Low-latency Communications (uRLLC);and Enhanced Mobile Broadband (eMBB). For theuRLLC service, it is necessary to place processing el-ements close to the subscribers. This computing facil-ity is called Mobile Edge Computer (MEC) [33] andprovides a means for time-sensitive computing, whereprocessing can be guaranteed within a hard deadline.In our near future, we will see a processing contin-

uum from device, to edge processing in a MEC, toprocessing in a cloud. The cloud may belong to an or-ganization, be within a national state, a larger arealike EU, or be placed in any data center independenton location. Both application requirements to latencyand bandwidth, cost of the different alternatives andthe applicable legal frameworks like GDPR may man-date where processing is performed. The EU HORI-ZON program has recognized this challenge, and hascalled for large academic and industrial collaborationrelated to how AI can enable computing continuumfrom Cloud to Edge [34].Figure 2 shows the OpenIaC network architecture.

Similar to the Internet architecture, the different lev-els of service provider in OpenIaC (IaCSP) codify thedistributed infrastructure as services to cover a widerrange of consumers, enabling flexible and rapid remotedeployment and proximity services, reducing the im-pact of spatial distance.

2.5 Accountability and reliability of service providersOne of the drawbacks of Eduroam is that when oneroams to a different institution and cannot successfullyconnect to local services, it is difficult to find supportat the roaming institution or one’s home institutionto quickly resolve the problem. This is a dual problemof accountability and reliability. A described by priorwork by co-author Jaatun [35], any service providerwho wishes to be accountable must adhere to a setof principles that can be summarised as define, mon-itor, remedy, and explain. These have been set out inthe context of personal and business confidential in-formation [35], but can be applied to the provisionof services in general. More explicitly, as described in[35], the necessary elements that need to be presentare:1 Obligation: An organization willing to be obli-

gated to accountability needs to accept responsi-bility for its actions and practices related to data.

2 Policy Clarity: Clear policy definitions regard-ing practices are necessary for organizational ac-countability.

3 Compliance Monitoring: Ongoing monitoringof compliance of data practices with policies.

4 Amelioration: Correction of identified violationsof data polices.

5 Policy Auditing: Beyond active monitoring, anessential element is the ability of an organizationto show that it has complied with data policesover time.

Using the example of Eduroam, it is not clear who isresponsible for ensuring that services work while roam-ing. Two parties are involved in ensuring that the ser-vice is available and reliable: the home institution ofthe person roaming, and the local provider of the ser-vice. Theoretically, every pair of institutions partici-pating in Eduroam should be accountable for ensuringthat the roaming network service is available and re-liable. This is an O(n2) problem if n institutions par-ticipate in Eduroam. In 5G networks, with extensiveroaming and potentially many hyperlocalized services,n will be much larger, and the problems will becomemuch more difficult.Potentially, willingness to be accountable could be

used as a competitive advantage, if customers are suffi-ciently concerned to choose accountable providers overothers [35].

2.6 Challenges from SLA, Billing, Metering andCapacity Planning

An essential aspect of providing a multilayered suite ofservices in a 5G service ecosystem will be the ability tooffer, negotiate, invoice, and audit provider and con-sumer relationships. Service Level Agreements (SLAs)provide a means to define service providers’ content(SPs) to consumers of those services. Gomez [36] pro-vides a brief discussion of this problem in the contextof cloud computing. SLAs can be among software ser-vice industries, between hardware infrastructure andsoftware service providers, and between software ser-vice providers and general users.When considering the problem of providing and

billing services from a marketplace of local, regional,national, and global providers, the ability to verify andaudit invoices and payments is necessary to establishand maintain trust in the system and overall growthin the marketplace.One example today of this need is the reliability

of cable TV services. If some of the subscribed chan-nels become temporarily unavailable, then the contrac-tual agreement to deliver the service of that channelto a customer is violated. Ideally, the cable companywould actively monitor reliability and accordingly ad-just monthly billing. However, in practice, customers

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

Rong et al. Page 7 of 11

are expected to contact the providers to seek creditswhen an outage occurs [37].Alzubaidi [38] describes some of the issues related

to SLAs related to IoT services, and describes theirblockchain-based approach for monitoring and enforc-ing SLAs.Hardware infrastructure providers offer parts or even

complete IT infrastructure to virtual service providers.Due to the lack of transparency in the billing invali-dating process, providers’ compliance with service levelagreements (SLAs) can be challenging to track. It canerode customers’ trust in the service provider.There are several advantages to moving to a blockchain-

based mechanism for enforcing and monitoring SLAs.These advantages include:

• Blockchain supports an environment where bothparties do not need to trust each other, thus re-ducing market barriers, as trust is a priority whenchoosing a service provider.

• Participants will send process data directly fromtheir system of record to the blockchain, helpingto avoid errors during manual data entry, grantingvisibility to selected participants, and protectingprivacy when multiple parties are involved.

• It brings transparency to service delivery, whereall rules for SLA management are clearly definedin a public smart contract, minimizing the needfor disputed cases and escalations.

• Improved incident management process. Reportedincidents can be raised automatically and pro-cessed immediately in a non-repudiation manner.

• Better relationships are built with value chainpartners, suppliers, and customers.

The challenges related to managing SLAs and smartcontracts will be significant, and if not solved may posea severe impediment to the adoption of 5G networkbased services.

3 Our position: the Network is My

Computer

Figure 3 Services based on distributed membership in afederation

Figure 4 IaC Service Platform design: Membership andvirtualized resources

Sun Microsystems and Cloudflare created the con-cept that ”the network is the computer” [39]. We positthat in reality the network is my computer. Eduroamis an early example of the direction that we posit

needs to be pursued more generally and broadly withthe emergence of 5G networks. Eduroam provides forsharing of access to institutional WiFi networks acrosshigher education institutions internationally.Another example is cell phone roaming. Roaming

refers to the ability for a cellular customer to continueto use the communication and the Internet functionswhen traveling outside the coverage area of the oper-ators. Roaming can be divided into “SIM-based” or“username/password-based” cases. A typical exampleof the former is the mobile international roaming ser-vice, and the latter is Eduroam. Roaming also includesthe processes of mobility management, authentication,authorization and accounting billing.In this section, we describe several emerging techno-

logical capabilities that we argue will be essential foroperating the 5G infrastructure to realize the visionof my network is the computer. These technologies in-clude blockchain-powered smart contracts, decentral-ized identity management and zero-trust informationarchitecture. Figure 3 illustrates the provision of feder-ated services in the OpenIaC system. Based on a zero-trust network and decentralized identity system, allservices will need to be developed on shared resources,including software and hardware resources, ensuringcryptography, auditability, and traceability. And arti-ficial intelligence, incentives, and service orchestrationwill accelerate the flow and interconversion of data andvalue.IaC authorizes all computing resources, and the

preparatory work can be done through code. Comput-ing resources include computation, storage, network,security, etc. The IaC service platform, as illustratedin Figure 4 includes three cores: configuration, includ-ing templates, policies, etc., mapping infrastructureto programmable code; Orchestration engine, consist-ing of Terraform, Kubernetes, etc., creating resourcesbased on configuration; and the bottom infrastructure.The whole orchestration is automated, starting withthe system architecture design, considering load bal-ancing and RDS resources. Then the designed architec-ture is converted into a configuration, which describesthe relationships between resources. The created con-figuration is given to the orchestration engine, whichmanages the infrastructure according to the configu-ration, including allocation, updates, and upgrades.

3.1 Zero-Trust Architecture(ZTA)The goal of our proposed OpenIaC approach is to pro-vide borderless, mobile access to infrastructure ser-vices. Users can access services anytime and anywhereon any device, which increases convenience and pro-ductivity, but security risks inevitably increase.The traditional network security model assumes that

a network perimeter exists around intranet devices as a

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

Rong et al. Page 8 of 11

Figure 5 Security management in OpenIaC based on zerotrust Principles

trust zone, where any operation inside is considered tobe trusted after proper authentication. However, dueto the mobility and heterogeneity of 5G and beyond,such an assumption has been broken. This has resultedin significant cybersecurity challenges, for example, theColonial Pipeline cyber attack [40] and JBS S.A. cy-berattack [41] in May 2021. Once inside the firewallor VPN, the control is minimal because of the defaulttrust in the illusory network perimeter.The concept of Zero Trust has been introduced

and has evolved significantly over the past decade asperimeter-based network security architectures strug-gle to address today’s cyber threats. The Zero Trustmodel was first proposed by Kindervag in 2010, whoargued that any network traffic should not be trusteduntil it was verified [42]. Google has also focused onZero Trust and published several papers related toBeyondCorp [43, 44, 45], providing a comprehensiveoverview of the BeyondCorp architecture and Google’spractice from 2011 to the present. In 2013 CloudSecurity Alliance (CSA) proposed Software-DefinedPerimeter (SDP) [46], the core idea of which is tohide core network assets and facilities from exposureto the Internet. In 2017 Gartner proposed the Contin-uous Adaptive Risk and Trust Assessment (CARTA)approach, in which continuous detection was imple-mented to assess risks, and access control was adap-tively changing according to context. The National In-stitute of Standards and Technology (NIST) publisheda special publication [47] defining the zero trust archi-tecture in detail in 2020, which has attracted muchattention from research and industry.OpenIaC proposes an innovative zero-trust security

solution using smart contracts and decentralized iden-tity(DID). As illustrated in Figure 5, the upper part isthe control pane, and the lower part represents users,security agents, and resources, respectively. The secu-rity agent establishes a secure connection between theuser and the resource mainly through a user-side plug-in and a resource-side gateway. The gateway forwardsall traffic for monitoring traffic and evaluating accessrequests. Resources include computation, storage, anddata assets, etc.Control Pane consists of a policy engine, which

integrates components including continuous diagnos-tics and mitigation (CDM), security information andevent management(SIEM), activity logs, smart con-tract, DID (our identity management system describedin the next section 3.2), industry compliance, and acontrol engine, which is responsible for responding to

abnormal traffic at the gateway based on the policy en-gine’s analysis. The unique AI security model providessituational awareness for overall system security, mod-eling user and user behavior and resources respectivelyby assessing in real time the user’s confidence score,the risk of each operation request, and the vulnerabil-ity of specific devices within the system and possibleattacks.

Figure 6 Virtual remote computing supported by OpenIaC

Figure 6 shows a usage scenario in OpenIaC, con-trollable remote computing. It is a secure computingparadigm for privacy protection. People have gradu-ally realized the importance of data sovereignty andregulations like GDPR require that data access be ver-ifiable and restrict data transmission without adequateprotection. On the premise of not copying or upload-ing data, the user analyzes the data on the serverof the data owner. A smart contract is a computerprotocol that is self-executing and self-verifying with-out additional human intervention after the protocolhas been developed and deployed. The decentralizedand tamper-evident technology of blockchain makesthe content of the contract and the record of each calltamper-evident. The data owner updates the data ac-cess policy, and the Zero Trust security model contin-uously assesses the risk of the system at the gateway,and the smart contract checks whether to grant theuser access to remote computing.

3.2 Decentralized Identity (DID)

At the inception of the World Wide Web, no digi-tal identity was designed into the underlying proto-col. The TCP/IP protocol does not force users to pro-vide proof of their identity, although the user’s localInternet access point (e.g., some universities) may re-quire users seeking Internet access to provide their realnames. Despite this, the user’s information is also heldby the local Internet access point and is not used aspart of the transmission of information over the In-ternet. In the traditional identity management(IdM)model, users need to register separate accounts foreach service, which complexity user account manage-ment. Mainstream websites now offer identity federa-tion services. As an identity provider, they will senda statement to the service provider after verifying theuser’s identity with the information required by theservice provider, including the username. The usercan access the service more quickly, and the identityprovider also increases user stickiness. Armed withvast amounts of user data, they can better analyze

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

Rong et al. Page 9 of 11

user behavior patterns and conduct commercial pro-motions to both users and service providers. Hand-ing over personal identity information to a commer-cial organization poses a privacy risk. The British con-sultancy Cambridge Analytica accessed the personaldata of millions of Facebook users without their con-sent and used the information for political advertis-ing [48]. Governments and public organizations aretrying to promote digital identity and identity feder-ation. In the digital era, e-commerce, digital govern-ment, education, healthcare, and insurance will bene-fit from IdM. An impressive example of identity feder-ation is eduGAIN (EDUcation Global AuthenticationINfrastructure) [49], co-funded by the European Unionand Europe’s NREN (National Research and Educa-tion Network), which aims to achieve an identity fed-eration for national education and research networksacross countries and to enable the sharing of global ed-ucation and research resources. the sharing of globaleducation and research resources.Trust is the biggest challenge to achieving identity

federation, and it occurs between individuals and or-ganizations and among organizations. Users can beconcerned about personal privacy, and reaching trustbetween organizations requires lengthy communica-tion and negotiation. Now with cryptography andblockchain techniques, a trusted identity federation isconsidered to be feasible. Relying on the decentralized,traceable, and untamperable nature of blockchain, de-centralized identity (DID) allows users to take backdata sovereignty and the underlying decentralized pub-lic key infrastructure (DPKI) will help enable identityand statement verification. Working groups from theDecentralized Identity Foundation (DIF) [50] and theWorld Wide Web Consortium (W3C) [51] are definingand developing standards for DID. Several commer-cial companies are also promoting DID technology so-lutions, such as Indy [52], Veramo [53] and civic [54].Recent work by Maram [55] describes a DID systemthe authors developed (CanDID) that is a step towardsa user-oriented DID system.OpenIaC regards identity federation as a critical as-

pect of open systems. Identity federation allows exter-nal users in one organization to access services pro-vided by another organization with their own iden-tities. Heterogeneous infrastructures, different secu-rity levels, SLAs, and billing systems require universalidentity management for OpenIaC.OpenIaC proposes a framework consisting of a DID

resolution protocol, a DPKI-based DID ledger, and achallenge-claim authentication system. The new userwill receive a DID Identifier and a DID Document afterauthentication. The DID document will be uploadedto the DPKI-based DID ledger and will be accessible

to all. When the service provider (SP) wants to de-termine the quality of service based on the user’s at-tributes, he will send a challenge to the user, and theuser will provide the corresponding claim in response.The challenge-claim pair will be forwarded to the DIDResolver by the SP according to the DID resolutionprotocol, and the DID Identifiers of both parties con-tained in it will be resolved on the DID Ledger to verifythe identity of both parties. The user’s access recordwill be recorded in the distributed ledger for trace-ability. The challenge-claim authentication system is aprotocol designed to protect user privacy.The DID resolution process relies on the server: DID

Resolver, which functions similarly to a DNS Serverand translates DID Identifier into DID document ad-dresses. Based on the DID Identifier provided by auser, a browser sends a request to a DID server, suchas the local DID service provider, to send a DID res-olution request. If this server has the DID address inits cache, it will then provide the correct informationto the host sending the request. If the DID address isnot found on this server, it will contact the root server.Usually, the root server will redirect this server to thecorrect top-level DID server.A verifiable claim or credential is a statement issued

by an issuer about specific attributes, and the digitalsignature is attached to prove the authenticity. Claimscan be stacked, increasing the flexibility of identity ver-ification. The general pre-issued claims containing userattributes can only handle simple scenarios. On theone hand, user data is enormous, Issuer may be a plat-form or enterprise, and it is impractical to transfer thevast data saved to the user device, and the user is con-cerned about the authorization of data access. On theother hand, complex attribute verification still requiresinteraction with the Issuer’s database for confirmationbased on the specific content of the challenge.

Figure 7 The DID system proposed by OpenIaC.

In Figure 7, we show the DID system with privacyprotection proposed by OpenIaC. When faced with acomplex Challenge request, the user selects the appro-priate Claim from the DID wallet and signs it to sendback to the service provider, the Verifier. The Claimcontains the DID Identifiers of the user and Issuer.The service provider forwards the information to theDID Resolver. Through DID Resolver parsing, the ap-propriate DID Driver is selected to communicate withIssuer’s database, and Issuer sends the challenge re-sults to the DID Driver. DID Driver will confirm Chal-lenge, Claim, and Proof digital signatures against theauthentication material stored in the DID distributed

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

Rong et al. Page 10 of 11

ledger to ensure data authenticity during this period.The hash results of the entire DID system log, includ-ing DID Resolver and DID Driver, will be recordedin the blockchain to ensure the trustworthiness of theresults. Zero-Knowledge Proof and Privacy Set Inter-section techniques can be used to protect user privacyand prevent leakage of Issuer and Verifier user distri-butions.

4 ConclusionIn this paper, we presented our position that an openand community adaptable framework is needed to formand operate the infrastructure needed to build out fu-ture 5G networks and services. We summarized someof the challenges that needed to be solved, service or-chestration, infrastructure as code expression of infras-tructure, the need for a significant security-orientedredesign of networking; and accountability and reli-ability. We presented a position that the network ismy computer, which motivates the need for distributedidentity, zero-trust architectures, and blockchain basisfor metering, invoicing, and billing for the use of ser-vices. We sketched out a framework, OpenIaC, thatwill help establish a community-driven body of in-teroperability standards that will present an alterna-tive path as a counterpoint to the motivation to de-velop ”walled garden” vendor locked-in 5G networkand service ecosystems that would present impedi-ments to sharing and mobility. In essence, future 5Gnetworks should be globally interoperable, as WiFinetworks are today, to avoid the development of non-interchangeable infrastructure - i.e., the way in whichpower systems globally use different voltages and plugstandards.

Acknowledgements

The authors would like to thank to the reviewers for nice comments on the

manuscript.

Competing interests

Co-author Rong is the Editor-in-Chief of the SpringerOpen Journal of Cloud

Computing. Co-Authors Hacker and Jaatun serve as Associate Editors of

the SpringerOpen Journal of Cloud Computing.

Author details1Dept. of Electronic Engi. and Computer Science, University of Stavanger,

Stavanger, Norway. 2Department of Computer and Information

Technology, Purdue University, West Lafayette, Indiana, USA. 3Simula

Metropolitan Center for Digital Engineering, Oslo, Norway. 4SINTEF

Digital, Trondheim, Norway.

References

1. Aydemir, M., Cengiz, K.: Emerging infrastructure and technology

challenges in 5g wireless networks. In: 2017 2nd International

Multidisciplinary Conference on Computer and Energy Science

(SpliTech), pp. 1–5 (2017)

2. Storck, C.R., Duarte-Figueiredo, F.: A survey of 5g technology

evolution, standards, and infrastructure associated with

vehicle-to-everything communications by internet of vehicles. IEEE

Access 8, 117593–117614 (2020). doi:10.1109/ACCESS.2020.3004779

3. Chen, X., Chen, S., Zeng, X., Zheng, X., Zhang, Y., Rong, C.:

Framework for context-aware computation offloading in mobile cloud

computing. Journal of Cloud Computing 6(1), 1–17 (2017)

4. Zhao, Z., Rong, C., Jaatun, M.G.: A trustworthy blockchain-based

decentralised resource management system in the cloud. In: 2020 IEEE

26th International Conference on Parallel and Distributed Systems

(ICPADS), pp. 617–624 (2020).

doi:10.1109/ICPADS51040.2020.00086

5. Zhang, Q., Fitzek, F.H.: Mission critical iot communication in 5g. In:

Future Access Enablers of Ubiquitous and Intelligent Infrastructures,

pp. 35–41 (2015). Springer

6. Yue, K., Zhang, Y., Chen, Y., Li, Y., Zhao, L., Rong, C., Chen, L.: A

survey of decentralizing applications via blockchain: The 5g and

beyond perspective. IEEE Communications Surveys Tutorials, 1–1

(2021). doi:10.1109/COMST.2021.3115797

7. Nguyen, D.C., Pathirana, P.N., Ding, M., Seneviratne, A.: Blockchain

for 5g and beyond networks: A state of the art survey. Journal of

Network and Computer Applications 166, 102693 (2020)

8. Wu, M., Wang, K., Cai, X., Guo, S., Guo, M., Rong, C.: A

comprehensive survey of blockchain: From theory to iot applications

and beyond. IEEE Internet of Things Journal 6(5), 8114–8154 (2019)

9. Cayamcela, M.E.M., Lim, W.: Artificial intelligence in 5g technology:

A survey. In: International Conference on Information and

Communication Technology Convergence, ICTC 2018, Jeju Island,

Korea (South), October 17-19, 2018, pp. 860–865. IEEE, ??? (2018).

doi:10.1109/ICTC.2018.8539642.

https://doi.org/10.1109/ICTC.2018.8539642

10. Rabah, K.: Convergence of ai, iot, big data and blockchain: a review.

The lake institute Journal 1(1), 1–18 (2018)

11. Singh, S., Sharma, P.K., Yoon, B., Shojafar, M., Cho, G.H., Ra, I.-H.:

Convergence of blockchain and artificial intelligence in iot network for

the sustainable smart city. Sustainable Cities and Society 63, 102364

(2020)

12. Wierenga, K., Florio, L.: Eduroam: past, present and future.

Computational methods in science and technology 11(2), 169–173

(2005)

13. Raynovich, R.S.: The Real Year of 5G: What it Means For Cloud

Technology. Forbes (2021).

https://www.forbes.com/sites/rscottraynovich/2021/03/31/the-real-

year-of-5g-what-it-means-for-cloud-technology/

14. Nemeth, E., Snyder, G., Hein, T.R., Whaley, B., Mackin, D.: UNIX

and Linux System Administration Handbook, Fifth Editio (2018)

15. What is CI/CD? Continuous integration and continuous delivery

explained. https://www.infoworld.com/article/3271126/what-is-cicd-

continuous-integration-and-continuous-delivery-explained.html.

Accessed: 2021-08-16

16. Hisaka, A.: Service Orchestration: What It Is and Why You Need It.

https://d2iq.com/blog/service-orchestration-what-it-is-and-why-you-

need-it? Accessed: 2021-09-21

17. GitHub. https://github.com/. Accessed: 2021-08-16

18. GitLab. https://gitlab.com/. Accessed: 2021-08-16

19. Langlois, M.: Token authentication requirements for Git operations

(2020). https://github.blog/2020-12-15-token-authentication-

requirements-for-git-operations/

20. Kubernetes. https://kubernetes.io/. Accessed: 2021-08-16

21. Terraform. https://www.terraform.io/. Accessed: 2021-08-16

22. Docker. https://www.docker.com/. Accessed: 2021-08-16

23. Helm. https://helm.sh/. Accessed: 2021-08-16

24. Artifactory. https://jfrog.com/artifactory/. Accessed: 2021-08-16

25. Nexus. https://www.sonatype.com/products/container. Accessed:

2021-08-16

26. Morris, K.: Infrastructure as Code: Managing Servers in the Cloud. ”

O’Reilly Media, Inc.”, ??? (2016)

27. Morris, K.: Infrastructure as Code. O’Reilly Media, ??? (2020)

28. Open1X. http://open1x.sourceforge.net/. Accessed: 2021-08-16

29. Cisco: Wired (2011).

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec 1-

99/Dot1X Deployment/Dot1x Dep Guide.html

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

Rong et al. Page 11 of 11

30. BOB, C.: Ring the Bell, 802.1x is Dead (2019).

https://www.forescout.com/company/blog/ring-the-bell-8021x-is-

dead/

31. Rose, S., Borchert, O., Mitchell, S., Connelly, S.: Zero Trust

Architecture. NIST Special Publication 800-207.

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-

207.pdf

32. Moubayed, A., Refaey, A., Shami, A.: Software-defined perimeter

(sdp): State of the art secure solution for modern networks. IEEE

network 33(5), 226–233 (2019). doi:10.1109/MNET.2019.1800324

33. Gupta, L., Jain, R.: Mobile edge computing - an important ingredient

of 5g networks. IEEE Softwareization (2016)

34. WORLD LEADING DATA AND COMPUTING TECHNOLOGIES 2022

(HORIZON-CL4-2022-DATA-01). https://ec.europa.eu/info/funding-

tenders/opportunities/portal/screen/opportunities/topic-

details/horizon-cl4-2022-data-01-02. Accessed: 2021-08-30

35. Jaatun, M.G., Pearson, S., Gittler, F., Leenes, R., Niezen, M.:

Enhancing accountability in the cloud. International Journal of

Information Management (2016). doi:10.1016/j.ijinfomgt.2016.03.004

36. Gomez, S.G., Rueda, J.L., Chimeno, A.E.: Management of the

business slas for services econtracting. In: Wieder, P., Butler, J.M.,

Theilmann, W., Yahyapour, R. (eds.) Service Level Agreements for

Cloud Computing, pp. 209–224. Springer, New York, NY (2011)

37. Gadsden, T.: Does your provider owe you money for their service

outages? allconnect.com/blog/get-bill-credits-for-service-outages.

Accessed: 2021-09-07

38. Alzubaidi, A., Mitra, K., Patel, P., Solaiman, E.: A blockchain-based

approach for assessing compliance with sla-guaranteed iot services. In:

2020 IEEE International Conference on Smart Internet of Things

(SmartIoT), pp. 213–220 (2020).

doi:10.1109/SmartIoT49966.2020.00039

39. The Network is the Computer.

https://blog.cloudflare.com/the-network-is-the-computer/. Accessed:

2021-08-16

40. Colonial Pipeline attack made possible by compromised VPN

password. https://www.techradar.com/news/colonial-pipeline-attack-

made-possible-by-compromised-vpn-password. Accessed: 2021-08-16

41. JBS, world’s largest meat producer, getting back online after

cyberattack. https://www.cnbc.com/2021/06/02/jbs-worlds-largest-

meat-producer-getting-back-online-after-cyberattack.html

42. Kindervag, J., et al.: Build security into your network’s dna: The zero

trust network architecture. Forrester Research Inc, 1–26 (2010)

43. Ward, R., Beyer, B.: Beyondcorp: A new approach to enterprise

security. ;login: Vol. 39 No. 6, 6–11 (2014)

44. Osborn, B., McWilliams, J., Beyer, B., Saltonstall, M.: Beyondcorp:

Design to deployment at google. ;login: 41, 28–34 (2016)

45. Beyer, B.A.E., Beske, C.M., Peck, J., Saltonstall, M.: Migrating to

beyondcorp: Maintaining productivity while improving security. Login

Summer 2017 VOl 42 No 2 (2017). ISSN 1044-6397

46. Group, S.D.P.W., et al.: Software defined perimeter. Cloud Security

Alliance, Toronto, Canada (2013)

47. Rose, S., Borchert, O., Mitchell, S., Connelly, S.: Zero trust

architecture (2nd draft). Technical report, National Institute of

Standards and Technology (2020)

48. ”Cambridge Analytica and Facebook: The Scandal and the Fallout So

Far”. https://www.nytimes.com/2018/04/04/us/politics/cambridge-

analytica-scandal-fallout.html. Accessed: 2021-08-16

49. Howlett, J., Nordh, V., Singer, W.: Deliverable ds3. 3.1: edugain

service definition and policy initial draft. Project Deliverable, May

(2010)

50. Decentralized Identity Foundation. https://identity.foundation/.

Accessed: 2021-08-16

51. Decentralized Identifiers (DIDs) v1.0 - Core architecture, data model,

and representations, W3C Candidate Recommendation Draft, 2021.

https://www.w3.org/TR/did-core/. Accessed: 2021-08-16

52. Hyperledger Indy. https://www.hyperledger.org/use/hyperledger-indy.

Accessed: 2021-08-16

53. Veramo, A JavaScript Framework for Verifiable Data.

https://veramo.io/. Accessed: 2021-08-16

54. Identity Verification by Civic. https://www.civic.com/. Accessed:

2021-08-16

55. Maram, D., Malvai, H., Zhang, F., Jean-Louis, N., Frolov, A., Kell, T.,

Lobban, T., Moy, C., Juels, A., Miller, A.: Candid: Can-do

decentralized identity with legacy compatibility, sybil-resistance, and

accountability. In: 2021 IEEE Symposium on Security and Privacy

(SP), pp. 1348–1366 (2021). doi:10.1109/SP40001.2021.00038

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

Figures

Figure 1

Computing Management Services and resource management in an IaC cloud

Figure 2

IaC nodes in a Network of networks.

Figure 3

Services based on distributed membership in a federation

Figure 4

IaC Service Platform design: Membership and virtualized resources

Figure 5

Security management in OpenIaC based on zero trust Principles

Figure 6

Virtual remote computing supported by OpenIaC

Figure 7

The DID system proposed by OpenIaC.