Abstract: Example embodiments of the present disclosure relate to access token revocation in security management. In an example method, in response to providing, to a second device, an access token for the second device to access a NF service from a third device, a first device stores a mapping indicating an association among the access token, the second device and the third device. In response to determining that the second device is abnormal, the first device sends, to at least one target device based on the mapping, an indication of revoking the access token. In this way, at least one target device associated with revoked access token can be informed and potential damage caused by the abnormal NF can be eliminated.

Abstract: Example embodiments of the present disclosure relate to dynamic authorization. According to embodiments of the present disclosure, a solution for dynamic access control to data is proposed. On receiving data registration from a data source, a first device checks the data types to be produced by the data source and adds policies for the data or updates existing policies for the data according to its property. It also serves as access control decision point to determine consumers' access rights based on centrally managed policies. Authorization for data access is granted/denied according to local attributes/policies. In this way, it achieves a dynamic, context-aware and risk-intelligent access control to different kind of data from various data sources (i.e., service producers).

Abstract: An example method may include receiving slice isolation policy for a network slice subnet (NSS) in a transport network (TN) domain, mapping the slice isolation policy to network resource isolation policy and traffic isolation policy, and mapping the network resource isolation policy and the traffic isolation policy to network resource allocation policy and data traffic forward policy, respectively. The network resource allocation policy and the data traffic forward policy may be applied in creation of the TN NSS.

Abstract: Example embodiments of the present disclosure relate to devices, methods and computer readable storage media for service provisioning to facilitate analysis of a service from a network function (NF). In example embodiments, one or more logs are received from at least one of a first NF, a network repository function (NRF) and a service communication proxy (SCP). The one or more logs are associated with a service from a second NF. Further, analysis of provision of the service from the second NF is facilitated based on the one or more logs.

Abstract: Methods and apparatus are provided for Service Level Agreement managements in distributed cloud environments. A method comprises monitoring enforcements of Service Level Agreements for services provided to a plurality of tenants by a cloud provider; detecting a possible Service Level Agreement violation for a service provided to one tenant of the plurality of tenants, wherein the possible Service Level Agreement violation is related to performance or security requirements; and automatically mitigating the possible Service Level Agreement violation with cooperation with at least one of a cloud manager and a security management system of the cloud provider. The possible Service Level Agreement violation can involve a possible confliction between performance requirements and security requirements, and mitigating the possible Service Level Agreement violation comprises resolving the possible confiction for self-healing. Methods for an automatic Service Level Agreement update is also provided.

Abstract: Methods and apparatus are disclosed for preventing network attacks in a network slice. A method may comprise: obtaining security requirements of a network slice instance; determining respective security policy to be applied to each of a plurality of constituent network slice subnet instances of the network slice instance based on the security requirements of the network slice instance; and causing each of the plurality of constituent network slice subnet instances to be provided with one ore more security function instances configured according to respective determined security policy. The method can be performed in a network slice layer.

Abstract: A method for network isolation management is described. The method includes assigning or creating one or more isolation groups for at least one service, wherein resources of services assigned in an isolation group are shared with or without isolation; wherein an isolation group is defined for at least one resource in each layer and each domain to gather the at least one resource of the at least one service; linking an isolation profile for each of the one or more isolation groups, wherein the isolation profile comprises at least one policy to protect the at least one resource of the one or more isolation groups, and wherein the isolation profile comprises at least an isolation level to define a type of isolation; and allocating or reallocating the at least one resource to the at least one service based on the isolation profile linked to the one or more isolation groups.

Abstract: A credential manager imports credentials for a network slice in response to deployment of the network slice. The credentials are not known to other network slices. A repository is configured to store the credentials and protect the credentials based on credential protection policies that are defined by a service profile of the network slice. The repository is implemented in the credential manager, an authentication, authorization, and accounting (AAA) server, or other location. Properties of the credentials are modified in response to a modification trigger and the credentials are withdrawn in response to a withdrawal trigger.

Abstract: An apparatus for security management based on event correlation in a distributed multi-layered cloud environment is disclosed, wherein the distributed multi-layered cloud environment comprises at least one first layer cloud service provider, and at least one second layer cloud service provider as a tenant of the first layer cloud service provider, and the apparatus is installed at least on one cloud service provider of the first layer cloud service provider and the second layer cloud service provider, the apparatus comprising: a central processing module configured to: provide correlation as a Service (CORRaaS) to a plurality of tenants as virtualized security appliances or virtualized security functions for the plurality of tenants's lices, generate a second interface for allowing the plurality of tenants to configure the correlation as a Service (CORRaaS), and correlate and process security events from security functions in the plurality of tenants' slices to form processed security event data, and to detec

Abstract: Cloud service security management in cloud computer environment uses a first computer cloud entity with first security capabilities and under security management coordinated by a first security management service point in compliance with predefined first security requirements. Security management of a second computer cloud entity is coordinated by a second security management service point in compliance with predefined second security requirements. In the managing of the security of the cloud service in the cloud computer environment: a trusted relationship is established between the first and second security management service points, general security requirements for the cloud service are obtained; and a first security policy is defined for the first security management service point, based on the general security requirements for the cloud service, the first security capabilities and the first security requirements, for the running of the cloud service by the first computer cloud entity.

Abstract: Methods and apparatus are provided for Service Level Agreement managements in distributed cloud environments. A method comprises monitoring enforcements of Service Level Agreements for services provided to a plurality of tenants by a cloud provider; detecting a possible Service Level Agreement violation for a service provided to one tenant of the plurality of tenants, wherein the possible Service Level Agreement violation is related to performance or security requirements; and automatically mitigating the possible Service Level Agreement violation with cooperation with at least one of a cloud manager and a security management system of the cloud provider. The possible Service Level Agreement violation can involve a possible confliction between performance requirements and security requirements, and mitigating the possible Service Level Agreement violation comprises resolving the possible confiction for self-healing. Methods for an automatic Service Level Agreement update is also provided.

Abstract: An apparatus for security management based on event correlation in a distributed multi-layered cloud environment is disclosed, wherein the distributed multi-layered cloud environment comprises at least one first layer cloud service provider, and at least one second layer cloud service provider as a tenant of the first layer cloud service provider, and the apparatus is installed at least on one cloud service provider of the first layer cloud service provider and the second layer cloud service provider, the apparatus comprising: a central processing module configured to: provide correlation as a Service (CORRaaS) to a plurality of tenants as virtualized security appliances or virtualized security functions for the plurality of tenants's lices, generate a second interface for allowing the plurality of tenants to configure the correlation as a Service (CORRaaS), and correlate and process security events from security functions in the plurality of tenants'slices to form processed security event data, and to detect

Abstract: Cloud service security management in cloud computer environment uses a first computer cloud entity with first security capabilities and under security management coordinated by a first security management service point in compliance with predefined first security requirements. Security management of a second computer cloud entity is coordinated by a second security management service point in compliance with predefined second security requirements. In the managing of the security of the cloud service in the cloud computer environment: a trusted relationship is established between the first and second security management service points, general security requirements for the cloud service are obtained; and a first security policy is defined for the first security management service point, based on the general security requirements for the cloud service, the first security capabilities and the first security requirements, for the running of the cloud service by the first computer cloud entity.