Design and Implementation of an Open-Source Security Framework for Cloud Infrastructure
Pith reviewed 2026-05-13 20:30 UTC · model grok-4.3
The pith
An open-source framework builds identity-resource graphs across Kubernetes and OpenStack to cut cloud security assessment time from 120 minutes to 18 minutes.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The framework contributes a cross-platform identity-resource graph for Kubernetes and OpenStack, a policy-to-evidence data model that connects OPA/Gatekeeper and Checkov results to live assets, an identity-aware correlation algorithm that reduces noisy alerts, and a guarded remediation workflow that converts violations into Kubernetes patches or Terraform plans. In a 50-200 node private-cloud testbed the system reduced assessment time from 120.4 +/- 6.8 min to 18.2 +/- 1.7 min, lowered the false-positive rate from 12.1% to 4.7%, and increased checked component coverage from 48% to 92%.
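The cross-platform identity-resource graph described above can be pictured as a small adjacency structure that links acting identities to the assets they can touch and attaches policy findings to those assets. The sketch below is illustrative only: the node fields, method names, and finding identifiers are assumptions, not the paper's actual schema or API.

```python
# Hypothetical sketch of a cross-platform identity-resource graph.
# Node fields, method names, and finding ids are illustrative assumptions.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Node:
    platform: str   # "kubernetes" or "openstack"
    kind: str       # e.g. "ServiceAccount", "Pod", "Server"
    name: str

@dataclass
class Graph:
    edges: dict = field(default_factory=dict)     # identity -> resources it can act on
    findings: dict = field(default_factory=dict)  # resource -> policy-violation ids

    def link(self, identity: Node, resource: Node) -> None:
        self.edges.setdefault(identity, set()).add(resource)

    def attach_finding(self, node: Node, finding_id: str) -> None:
        self.findings.setdefault(node, []).append(finding_id)

    def findings_reachable_from(self, identity: Node) -> list:
        """Policy violations on any resource this identity can act on."""
        out = []
        for resource in self.edges.get(identity, ()):
            out.extend(self.findings.get(resource, []))
        return out

g = Graph()
sa = Node("kubernetes", "ServiceAccount", "ci-deployer")
pod = Node("kubernetes", "Pod", "build-runner")
vm = Node("openstack", "Server", "shared-worker-3")
g.link(sa, pod)
g.link(sa, vm)
g.attach_finding(pod, "GK-privileged-container")   # e.g. a Gatekeeper result
g.attach_finding(vm, "CKV-open-security-group")    # e.g. a Checkov result
```

Crossing platform boundaries in one graph is what lets a single identity's blast radius span both Kubernetes and OpenStack assets, which is the property the correlation algorithm relies on.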
What carries the argument
The cross-platform identity-resource graph that links live assets to policy violations and enables the correlation algorithm.
If this is right
- Security assessment time drops by roughly 85 percent in comparable private-cloud settings.
- False-positive alerts fall by more than half, reducing operator overload.
- Checked component coverage rises from under half to over 90 percent.
- Observable events tied to injected violations decrease by 62 percent within the 30-day test window.
- One-year operating costs for a 200-node deployment fall by about 40 percent under the reported model.
Where Pith is reading between the lines
- The same graph-plus-correlation approach could be tested on additional cloud platforms beyond Kubernetes and OpenStack.
- Guarded remediation steps might shorten the time from detection to fix in automated pipelines.
- The identity-aware filtering technique could apply to other high-volume alert systems such as network or application monitoring.
- Releasing the framework as open source allows direct measurement of adoption and maintenance costs outside the original testbed.
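The identity-aware filtering idea mentioned above can be sketched as a two-rule reducer: drop runtime alerts whose acting identity has no linked policy evidence, and surface at most one alert per identity/rule pair. This is a minimal sketch under assumed field names, not the paper's algorithm.

```python
# Illustrative identity-aware alert correlation. Alert field names
# ("identity", "rule") and the evidence-set input are assumptions.
def correlate(alerts, violating_identities):
    """Keep one representative alert per (identity, rule) pair, and only
    for identities already tied to a validated policy violation."""
    seen = set()
    kept = []
    for alert in alerts:
        if alert["identity"] not in violating_identities:
            continue  # no policy evidence behind this identity: treat as noise
        key = (alert["identity"], alert["rule"])
        if key in seen:
            continue  # duplicate of an alert already surfaced
        seen.add(key)
        kept.append(alert)
    return kept

alerts = [
    {"identity": "sa/ci-deployer", "rule": "shell-in-container"},
    {"identity": "sa/ci-deployer", "rule": "shell-in-container"},   # duplicate
    {"identity": "sa/metrics-reader", "rule": "shell-in-container"}, # no evidence
]
filtered = correlate(alerts, {"sa/ci-deployer"})
```

Here three raw alerts collapse to one, which is the mechanism by which this style of filtering could lower false-positive volume in other high-throughput alert pipelines.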
Load-bearing premise
Results from a 50-200 node private-cloud testbed with injected misconfigurations and a 30-day operational window accurately represent real production cloud environments and workloads.
What would settle it
Running the same workloads on a public-cloud cluster of several hundred nodes with live traffic and finding that assessment time stays above 60 minutes or false-positive rate stays above 8 percent.
Original abstract
Misconfiguration, excessive privilege, and fragmented controls remain major causes of cloud-infrastructure incidents. This paper proposes an open-source framework that contributes a cross-platform identity-resource graph for Kubernetes and OpenStack, a policy-to-evidence data model linking OPA/Gatekeeper and Checkov results to live assets, an identity-aware correlation algorithm for reducing noisy runtime alerts, and a guarded remediation workflow that converts validated policy violations into Kubernetes patches or Terraform plans. The evaluation is made reproducible by specifying workload generation, injected misconfiguration classes, run repetitions, metric definitions, and statistical reporting. In a 50-200 node private-cloud testbed, the framework reduced assessment time from 120.4 +/- 6.8 min to 18.2 +/- 1.7 min, lowered the false-positive rate from 12.1% to 4.7%, and increased checked component coverage from 48% to 92%. The reported 62% reduction in observable events corresponding to injected violations and approximately 40% cost reduction are scoped to the defined 30-day operational test and one-year 200-node cost model, respectively, and are not claimed as hyperscale results.
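The guarded remediation workflow the abstract describes can be sketched as a dispatcher that turns a validated violation into a reviewable artifact (a Kubernetes patch document or a `terraform plan` invocation) rather than applying anything directly. The violation classes, field names, and patch shape below are illustrative assumptions, not the paper's implementation.

```python
# Hedged sketch of guarded remediation: emit reviewable artifacts only.
# Violation fields and classes are hypothetical examples.
def remediation_for(violation):
    if violation["class"] == "privileged-container":
        # Kubernetes strategic-merge patch that drops the privileged flag
        return {
            "kind": "patch",
            "target": violation["target"],
            "body": {"spec": {"containers": [
                {"name": violation["container"],
                 "securityContext": {"privileged": False}}]}},
        }
    if violation["class"] == "open-security-group":
        # For IaC-managed assets, emit a plan command for human review
        return {"kind": "plan",
                "command": ["terraform", "plan",
                            f"-target={violation['address']}"]}
    return {"kind": "manual", "reason": "no safe automatic remediation"}

patch = remediation_for({"class": "privileged-container",
                         "target": "default/build-runner",
                         "container": "builder"})
```

The guard is structural: the function never mutates the cluster or state, so every change passes through an existing review step (patch application or `terraform apply`) before taking effect.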
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes an open-source security framework for cloud infrastructure featuring a cross-platform identity-resource graph for Kubernetes and OpenStack, a policy-to-evidence data model linking OPA/Gatekeeper and Checkov outputs to live assets, an identity-aware correlation algorithm to reduce noisy alerts, and a guarded remediation workflow that produces Kubernetes patches or Terraform plans. The evaluation, conducted in a 50-200 node private-cloud testbed with specified workload generation, injected misconfiguration classes, 30-day operational runs, and statistical reporting, claims reductions in assessment time (120.4 ± 6.8 min to 18.2 ± 1.7 min), false-positive rate (12.1% to 4.7%), and increases in checked component coverage (48% to 92%), plus a 62% drop in observable events and ~40% cost reduction under a one-year 200-node model.
Significance. If the reported deltas are robust, the work would deliver a practical, reproducible open-source contribution to cloud security by addressing alert fatigue and coverage gaps through graph-based correlation and policy linking. The explicit specification of workload generation, metrics, and statistical methods is a strength that supports potential community reuse and extension, though the private-cloud scope limits immediate claims about hyperscale production impact.
Major comments (2)
- [Evaluation] Evaluation section: the manuscript specifies workload generation, injected misconfiguration classes, run repetitions, metric definitions, and statistical reporting to support reproducibility, but does not report sensitivity analysis showing that the identity-resource graph and OPA/Checkov correlation retain the claimed FP reduction (12.1% → 4.7%) and coverage increase (48% → 92%) when the injected violation taxonomy is replaced by an independent set drawn from public incident corpora. This analysis is load-bearing for the central empirical claims.
- [Evaluation] Evaluation section: the 50-200 node private-cloud testbed with fixed injected classes over 30 days is used to support the assessment-time and cost-model results, yet no quantitative comparison or ablation is provided against organic misconfiguration distributions or multi-tenant production workloads; without this, the representativeness of the observed deltas remains unverified.
Minor comments (2)
- [Abstract] Abstract: the scoping language ('not claimed as hyperscale results') is appropriate and should be retained or expanded in the main text.
- [Introduction] The paper introduces the terms 'cross-platform identity-resource graph' and 'policy-to-evidence data model' without an early dedicated figure or table summarizing their data schemas; adding one would improve readability.
Simulated Author's Rebuttal
We thank the referee for the constructive and detailed feedback on our manuscript. The comments highlight important aspects of evaluation robustness that we address point-by-point below. We plan to make targeted revisions to the evaluation section to improve clarity on scope and limitations while preserving the reproducibility strengths of the current design.
Point-by-point responses
- Referee: [Evaluation] Evaluation section: the manuscript specifies workload generation, injected misconfiguration classes, run repetitions, metric definitions, and statistical reporting to support reproducibility, but does not report sensitivity analysis showing that the identity-resource graph and OPA/Checkov correlation retain the claimed FP reduction (12.1% → 4.7%) and coverage increase (48% → 92%) when the injected violation taxonomy is replaced by an independent set drawn from public incident corpora. This analysis is load-bearing for the central empirical claims.
  Authors: We acknowledge the value of sensitivity analysis using an independent violation set from public incident corpora. Our injected taxonomy was derived from widely cited sources including CIS Kubernetes and OpenStack benchmarks, OWASP cloud security top risks, and common misconfiguration patterns from industry reports to ensure coverage of high-impact issues. A full re-run with a newly curated public corpus would require extensive additional data collection and mapping effort beyond the current study scope. In the revised manuscript we will add an expanded discussion in the evaluation section justifying the taxonomy selection with explicit references to these sources, report alignment statistics between our classes and public benchmarks, and clearly delineate this as a limitation with planned future work on external corpora validation. This will better contextualize the reported FP reduction and coverage gains without overstating generalizability. (Revision: partial.)
- Referee: [Evaluation] Evaluation section: the 50-200 node private-cloud testbed with fixed injected classes over 30 days is used to support the assessment-time and cost-model results, yet no quantitative comparison or ablation is provided against organic misconfiguration distributions or multi-tenant production workloads; without this, the representativeness of the observed deltas remains unverified.
  Authors: The private-cloud testbed with controlled injections was deliberately selected to support statistical rigor, precise timing measurements, and full reproducibility as documented in the workload generation and metric sections. Organic multi-tenant production data introduces privacy constraints, incomplete ground truth, and uncontrolled variability that would undermine the controlled statistical reporting we provide. We agree this limits direct claims about hyperscale representativeness. In the revision we will insert a new limitations subsection that (1) details the rationale for the testbed design, (2) provides a qualitative mapping of our injected classes to distributions reported in public cloud incident surveys (e.g., Verizon DBIR, Cloud Security Alliance reports), and (3) discusses implications for multi-tenant settings. We will also add a brief ablation note on how the identity-resource graph and correlation algorithm contribute to the observed deltas under the tested conditions. (Revision: partial.)
Circularity Check
No significant circularity; empirical testbed results are direct measurements.
Full rationale
The paper reports measured performance deltas (assessment time, false-positive rate, coverage) from running the implemented framework on a specified 50-200 node private-cloud testbed with defined injected misconfiguration classes, workload generation, and metric definitions. These outcomes are presented as experimental results rather than derived predictions or equations. No self-definitional loops, fitted parameters renamed as predictions, load-bearing self-citations, uniqueness theorems, or ansatzes appear in the derivation chain. The reproducibility specifications enable external verification and do not create circularity by construction. The central claims remain independent of the reported inputs.
Axiom & Free-Parameter Ledger
Axioms (1)
- Domain assumption: The 50-200 node private-cloud testbed with injected misconfiguration classes accurately models real-world cloud infrastructure and workloads.
Invented entities (2)
- cross-platform identity-resource graph (no independent evidence)
- policy-to-evidence data model (no independent evidence)
Forward citations
Cited by 2 Pith papers
- AI Native Asset Intelligence: The paper presents a modeling-plus-scoring framework that turns fragmented security signals into stable asset-level importance scores by separating intrinsic exposure from business and data context, evaluated on 131k ...
- AI Native Asset Intelligence: AI-native asset intelligence framework converts heterogeneous security signals into normalized asset importance scores by separating intrinsic exposure from contextual factors using modeling and deterministic aggregation.
Reference graph
Works this paper leans on
- [1] EXPERIMENT 3.1. Testbed: "Tests were conducted in a reproducible laboratory private-cloud testbed. All nodes used the same OS image, container runtime, clock synchronization settings, and pinned tool versions. Before each run, Elasticsearch indices were cleared, the Terraform state was reset to a known baseline, and Kubernetes/OpenStack inventories were reg..." (work page, 2024)
- [2] DISCUSSION: "The experiments confirm three points. First, breadth of coverage matters more than depth of a single tool. Baseline-A illustrates the cost of a depth-only stance: Falco's runtime sensors detected container-level anomalies—including the privileged-pod, shell-in-container, and crypto-miner classes injected during the experiment—but the tool's sco..." (work page, 2024)
- [3] Kubernetes Documentation, "Using RBAC Authorization." [Online]. Available: https://kubernetes.io/docs/reference/access-authn-authz/rbac/. [Accessed: Apr. 2026]
- [4] [Online]. Available: https://kubernetes.io/docs/concepts/security/service-accounts/. [Accessed: Apr. 2026]
- [5] The Falco Project, "Falco Documentation." [Online]. Available: https://falco.org/docs/. [Accessed: Apr. 2026]
- [6] The Falco Project, "Basic Elements of Falco Rules." [Online]. Available: https://falco.org/docs/concepts/rules/basic-elements/. [Accessed: Apr. 2026]
- [7] [Online]. Available: https://openpolicyagent.org/docs/kubernetes. [Accessed: Apr. 2026]
- [8] Open Policy Agent Gatekeeper, "ConstraintTemplates." [Online]. Available: https://open-policy-agent.github.io/gatekeeper/website/docs/constrainttemplates/. [Accessed: Apr. 2026]
- [9]
- [10]
- [11]
- [12]
- [13] Elastic, "Get Started with Elastic Security SIEM: Detect and Respond to Threats." [Online]. Available: https://www.elastic.co/docs/solutions/security/get-started/get-started-detect-with-siem. [Accessed: Apr. 2026]
- [14] HashiCorp Developer, "Terraform plan and apply Command References." [Online]. Available: https://developer.hashicorp.com/terraform/cli/commands/plan; https://developer.hashicorp.com/terraform/cli/commands/apply. [Accessed: Apr. 2026]
- [15] [Online]. Available: https://owasp.org/www-project-kubernetes-top-ten/. [Accessed: Apr. 2026]