Adaptive Model-based Cloud Computing Security ManagementMohamed Almorsy
Supervisors
Prof. John Grundy
Prof. Jun Han
25May
2012Center for Computing and Engineering Software Systems
Swinburne University of Technology
Agenda
Cloud Computing SecurityResearch Gaps
Adaptive Cloud Security Management
Motivating Scenario
Get Currency-Now
Build Workflow
Galactic
Batch processing
<<in
clud
e>>
<<include>>
<<in
clude
>>
SWINSOFT
SWINSOFT
GREEN CLOUD
CPs : GREEN CLOUD – BLUE CLOUDSPs : SWINSOFT - GREEN CLOUD – BLUE CLOUDCCs : Swinburne University- Auckland University
BLUE CLOUD
Why Security is different inCloud Computing ?
Cloud Characteristics
Long Dependency Stack
Service Delivery ModelsDifferent Possible Deployments
Different Stakeholders
Cloud Computing Model
Resources Virtualization - Multi-tenancy - Elasticity
Hypervisor - VMs - Platforms - Apps
IaaS - PaaS - SaaS Public - Private - Hybrid
CPs - SPs - CCs
http://blogs.technet.com/b/yungchou/archive/2010/11/15/cloud-computing-primer-for-it-pros.aspx
Loss-of-Control Lack-of-Trust
New Cloud Security Problems
Security Isolation Security Federation.....
�Tenants have no control on outsourced assets.�CPs do not know the hosted service business value.�Services are developed with built-in security functions.�Services are developed with security from the service provider
perspective.
Why
NIST - http://www.kurzweilai.net/nist-issues-government-cloud-computing-roadmap-and-architecture
Research Problem⦾ Cloud computing model lacks a strong security management
framework that can handle:
⦾ Loss-of-control and lack-of-trust.⦾ Multi-tenancy.⦾ Different stakeholders.⦾ Constantly changing security.⦾ Huge number of services and security solutions.
CCs involved in securing their assets
tenant-oriented security
collaboration-based
adaptive security
standard security interface
Current Trends
NIST
CSA
Current Trends
⦾ A cloud provider claims supported security level.
⦾ A certifying authority audits the claimed level.
⦾ A cloud consumer specifies expected security level.
⦾ The certifying authority matches consumers requirements and providers capabilities and assures it.
FedRAMP
NIST
CSA
× Security customization is limited.
× Security adaptation is not possible.
× Cloud provider is the service provider.
× Limits the ROI of the cloud platforms.
Limitations
Current Trends
⦾ CSA Focus on assessing a cloud provider security level.
⦾ List security controls to be provided by a cloud provider.
⦾ Checklist to guide consumers assess a cloud platform security.
Security Registry
NIST
CSA
× Assessment and awareness do not mean real security.
× Loss-of-Control nor Lack-of-Trust are mitigated.
Limitations
Research Objective⦾ To extend the cloud model with an abstract, dynamic, and multi-
tenant security management framework.
CC Security Management Process CC Security Management Process
Information Security Management Systems
ISMSs (including NIST-FISMA and ISO27000) provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the protection of information assets.
Rethinking in Security Management under Cloud Computing Model
Security Management Process
Defining Security
Enforcing Security
Monitoring Security
CCs involved in securing their assets
tenant-oriented security
collaboration-based
adaptive security
standard security interface
Area Existing Efforts LimitationsSecurity Management
Security Management StandardsNIST, ISO27000
Security Management FrameworkPolicy-based, Model-based, Ontology-based security
management frameworks,…
• No Multi-tenancy Support• Security integration within IT
system is limited
Defining Security
Vulnerability and Threat analysis toolsOCTAVE, CORAS, Chinchani et al, Sheyner et al,…
• Documentation Only• Specific Vulnerability Type• No online support
Enforcing Security
Design time security EngineeringUMLSec, SecureUML, KAOS…
Multi-tenant Security EngineeringHong Cai , Menzel et al, Pervez et al,…
• Design time• Require design time preparation• Service-oriented security
Monitoring Security
Security Monitoring FrameworkNIST, Chandra et al, Bayuk et al,…
• Measurements are collected manually
• Security solutions efficiency and effectiveness not addressed
• Security trends and proactive actions
Research Gaps
General Approach
Cloud Platform ModelService ModelSecurity Model
Stakeholder Security Engineers Cloud ProviderService Provider
Secure System model
Security Mgmt plan
Cloud PlatformCloud ServicesSecurity Controls
Enfo
rcem
ent
Feed
back
Model-based Security Management for the Cloud Computing Model
Analysis Component
Measurements Analyzer
Threat and Vulnerability
Analyzer
S1
Management Component
Service & Platform Modeller
Tenant Security Modeller
Enforcement Component
Service-security Integrator
Monitoring Component
Security ProbesGenerator
Measurements Collector
S2
Sn
Security Services
General Framework
Security Interface
Rethinking in Security Management under Cloud Computing Model
Security Management Process
Defining Security
Enforcing Security
Monitoring Security
⦾ Aligning FISMA Security Management standard with the cloud model.⦾ Improving the collaboration among cloud stakeholders.
Security categorization
Security controls selection
controls implementation
Security Assessment
Service Authorization Security Monitoring
CCs All All
CPE CVE/CWE CCE
CCs & CPsCCsAll
Responsible stakeholder(s) Adopted security standards
Collaboration-based Cloud Computing Security Management Framework
Phase Task CP SP CC Input Output
Security categorization
Categorize security impact (SC) Informed Informed Responsible Business
objectivesSecurity Impact Level
Security controls selection
Register security controls Responsible Responsible Responsible Control Datasheet Security controls
registry
Generate security controls baseline Responsible
(Automated by the framework)Service SC +Controls registry
Controls baseline + matching status
Assess service risks Responsible(Partially automated)
Service + platform arch. + CVE + CWE
Service Vulns + Threats + Risks
Tailor security baseline Responsible(planned to be automated)
Security Controls Baseline + Risk assessment
Security mgmt plan (SLA)
controls implementation
Implement security controls Responsible
(planned to be automated)Security mgmt plan
Updated Security plan
Aligning NIST to the Cloud Model
Phase Task CP SP CC Input Output
Security Assessment
Define security metrics Responsible Informed Responsible Security objective Security assessment
plan
Assess security status Responsible
(Automated by the framework)Security assessment plan assessment report
Service Authorization
Authorize serviceInformed Informed Responsible Security plan +
assessment reportService authorization document
Security Monitoring
Monitor security status Responsible
(Automated by the framework)Security assessment plan Security status report
Aligning NIST to the Cloud Model (cont’d)
Standard Description Format Example
CPE A structured naming schema for IT systems including hardware, operating systems and applications.
cpe:/ {part} : {vendor} : {product} : {version} : {update} : {edition} : {language}
cpe:/a:SWINSOFT: Galactic:1.0: update1:pro:en-us
CVE A dictionary of the common vulnerabilities with a reference to the set of the vulnerable products.
CVE-Year-SerialNumber CVE-2010-0249
CWE A catalogue of the community recognized software weaknesses.
CWE-SerialNumber CWE-441
CAPEC A catalogue of the common attack patterns. CAPEC-SerialNumber CAPEC-113
CCE A structured naming to systems’ configuration statements.
CCE-softwareID-SerialNumber CCE-17743-6
Adopted Security Standards
ConfigurationsMeasurements
Management Layer
Security Metrics ManagerSecurity Categorization
Risk Assessment Security Controls Manager
Multi-Tenant Security Plan
Multi-Tenant Status Report
Enforcement Layer
Planning Implementation
Feedback Layer
Monitoring Analysis
Cloud Platform
Secu
rity
Stat
us
Secu
rity
Reqs
.Security Management
Repository
Security ControlsControls Logs
Collaboration-based Cloud Computing Security Management Framework
Prototype Snapshots
A cloud consumer registering for one of the GREEN CLOUD registered services
Two different service security categorizations for two different customers
A snapshot of a security control registration
A snapshot of a given service threats retrieved from the NVD
A snapshot of the security controls base satisfaction status
A snapshot of the security SLA between GREENCLOUD, SWINSOFT and Swinburne
A sample of Swinburne security status report
0 Security monitoring depends on security controls’ log files “lagging metrics”.
0 Service-oriented security.
0 Integrating security controls within target services is done manually.
Limitations
Security Management Security EngineeringSecurity ObjectivesSecurity Threats/RisksSecurity ControlsSecurity Monitoring
Security RequirementsSecurity ArchitectureSecurity DesignSecurity Enforcement
o Tenants come and go at runtime.o Tenants’ security change at runtime.o Services shouldn’t go down for customization or maintenance.o Discovered vulnerabilities cannot wait too long for patches.
SMART
TOSSMA
MDSE@R
Security Reengineering
Security Engineering @ runtime
Multi-tenant Security Engineering @ runtime
Adaptive (Multi-tenant) Model-driven Security (Re)Engineering at Runtime Component
System Description Models Security Specification Models
Security Enforcement Point
System Engineer Security EngineerSy
stem
Con
tain
er
Syst
em
Secu
rity
Serv
ices
Develop Develop
1 3
Live System InterceptorsDocument
Live Security Specification
Document
Secu
rity
Testi
ng
852
4
67
9
10
MDSE@R: Model-driven Security Engineering @ Runtime
B
E
C
<profile name=" SecExtensionProfile " displayName =" Security Extensions Profile "...<stereotypes>
<stereotype name=" SecurityConcepts " displayName ="Security Concepts">…
<property name=" SecurityObjectives " displayName =" Security Objectives " ><property name=" SecurityRequirements " displayName =" Security Requirements "><property name=" SecurityControls " displayName =" Security Controls “>
…</stereotype><stereotype name=" ArchitectureConcept " displayName =" Architecture Concept ">…
<property name=" DeploymentPath " displayName =" Deployment Path “ ><property name=" ConfigurationFile " displayName =" Configuration File “ ><property name=" RelatedFeatures " displayName =" RelatedFeatures “ >
…</stereotype><stereotype name=" ClassDiagramConcept " displayName ="Class Diagram Concept">
<property name=" IsSecurityClassFn " displayName =" IsSecurityClassOrFn "><property name=" ParentComponent " displayName =" Parent Component ">
</profile>D
A
Galactic ERP System Description Model (SDM)
<<MetaClass>>
Operation<<MetaClass>>
Class<<MetaClass>>
Connection<<MetaClass>>
Component<<MetaClass>>
UseCase
<<StereoType>>
SecurityConcept
SecurityObjectives: stringSecurityRequirements: stringSecurityControls: string
<<StereoType>>
ClassComponent
ParentComponent: string
<<MetaClass>>
Class
<<StereoType>>
ArchitectureComponent
ParentFeature: stringDeploymentPath: stringConfigurationFile: string
<<MetaClass>>
Componet
UML Profile
Security Management Zone
<<Security Service>>Antivirus
<<Security Service>>Host-Based IDS
<<Security Service>>Authentication Service
<<Security Service>>Access Control Service
C
DB Server
Application ServerApplication Server
Load Balancer
Galactic Security Requirements
Authenticate User
Max Password Lifetime
Max Unsuccessful Length
Min Password Length
B
SecurityObjectivesTenantsDataIsolation
Security Requirements
SecurityIsolator
SecurityObjectivesSecurity Requirements
SwinAntivirus
SecurityObjectivesSecurity Requirements
SwinValidator SecurityObjectivesAuthenticate User
Security Requirements
ESAPI-AccessController
SecurityRequirements
SecurityObjectives<<Component>> Presentation Layer
Confidentiality Integrity
AuthenticateUserSecurityControls
SecurityRequirements
SecurityObjectives<<Component>> Business-L Layer
Confidentiality Integrity
SecurityControls
SecurityRequirements
SecurityObjectives<<WebPage>> EmployeeASPX
SecurityControls
SecurityRequirements
SecurityObjectives<<WebService>> CurrencyNow
SecurityControls
SecurityRequirements
SecurityObjectives<<WebService>> BatchProcessing
SecurityControls
System AvailabilityHigh
Data Integrity Medium
ConfidentialityHigh
AccountabilityLow
A
D
E
Swinburne Security Specification Model (SSM)
Security Zone
Security Requirement
Name: stringSecurityArea: enumRequirementDescription: string
Ref
eren
ce
0..*
ZoneName: stringZoneType: enumStrategy: enumFirewall : boolIDS: bool
Realized By
0..*
1..*
Security Threat
ID: stringSource: stringTarget: stringObjective: string[]Vulnerabilities: string[]
Security Vulnerability
ID: stringCategory: enumDescription: stringPrerequisites: string[]Consequences: strings[]
SecurityAttack
ID: stringDescription: stringAgent: stringSequence: string[]Consequences: string[]
Security Service
ServiceName: stringSecurityMechanism: enumSecurityStandard: enum
Threat Agent
Name: stringAgentType: enumObjectiveCategory: stringStra tegy: enum
Asset
Name: stringImportace: enumProvider: stringDeploymentPath: enum
0..*
Parent Asset
Security Objective
Name: stringImportace: enumObjectiveCategory: stringStrategy: enum
0..*
Dependent ObjectiveSecurity Objectives
1..*
Security Risk
Name: stringDescription: stringImpact: enumLikelihood: integer
Security Risk
Realized By
Asset Vulnerabilities
Security Service
Name: stringProvider: stringControlFamily: enumDeploymentPath: string
SecDSVL Metamodel
Security control
public IMethodReturn Invoke( IMethodInvocation input, GetNextHandlerDelegate getNext) {EntitySecurity entity = LoadMethodSecurityAttributes( …);if (entity == null || entity.HasSecurityRequirements() == false) {
return getNext().Invoke(input, getNext);}
//logging Before Callthis.source.TraceInformation("Invoking {0}", input.Arguments[0].ToString());//Check for Authenticationif (entity.GetAuthenticationMethod() != AuthenticationMethod.None) {
. . .}//Check for Authorizationif ( entity.GetAuthorizationMethod() != AuthorizationMethod.None ) {
. . .}
}
. . .<systemlevel><Entitylevel>1</Entitylevel>. . .<componentlevel>
<objectname>. . .
<classlevel><objectname>. . .
<methodlevel>. . .
< ObjectName> GetCustomers </ObjectName><Authentication_Method>Forms</Authentication_Method><Authorization_Method>RBAC_Impersonate</Authorization_Method>
. . .
. . .<extension type="Interception" /><register type="PresentationLayer.CustomerBLL, PresentationLayer ">
. . .<interception><policy name="PolicyCustomersBLL"><matchingRule name="MatchingRuleCustomersBLL“
Type="MemberNameMatchingRule"><constructor><param name="nameToMatch" value="GetCustomers" /><param name="nameToMatch" value="GetCustomerByName" />
. . .<callHandler name="callhandlerCustBLL"tType="SecurityKernel.SecurityCallHandler, SecurityKernel">
. . .
1
2
3
Live system interceptors [1], security specification [2] documents
Component2
Component1
Component3
CLSCLS
SaaS Application
Class level
App.Level
Comp.Level
Methodlevel
Security Controls
Authn
EncryptI/p validation
LoggingMulti-tenant
Security Reqs
…
…
Syst
em R
eque
sts
Validated Request
Application Security Management ConsoleTenant-ZTenant-BTenant-ASP - Eng.
Syst
em W
rapp
er
Secu
rity
Enfo
rcem
ent P
oint
2
3
4 5
6
SaaSApplicationDescription
1
TOSSMA: Tenant-Oriented SaaS Security Management Architecture
Tenant Security Specification Models
Tenant Security Specification Models
Tenant Security Specification Models
Tenant Security Specification Models
System Description Models
Security Specification Models
Mappings
Security Enforcement Point
System Engineer Security Engineer
System Container
System Security Services
Develop Develop
Tenant System Description Models
Tenant Security Specification Models
Mappings
Live Security Specification
Document
Live System InterceptorsDocument
Tenant Security Admin
Manage
Tenant System Admin
Manage
1 2
3 4
56
7 8
910
Adaptive (Multi-tenant) Model-driven Security (Re)Engineering at runtime Component
Security Requirements Authentication
Authorization Input Sanitization Audit Cryptography
Group-1 GalacticERP F-C-S-M F-C-S-M F-C-S-M F-C-S-M F-C-S-M
PetShop F-C-S-M F-C-S-M F-C-S-M F-C-S-M F-C-S-M
Group-2 SplendidCRM C-S-M C-S-M C-S-M C-S-M (C-S-M)*
KOOBOO C-S-M C-S-M C-S-M C-S-M (C-S-M)*
NopCommerce C-S-M C-S-M C-S-M C-S-M (C-S-M)*
BlogEngine C-S-M C-S-M C-S-M C-S-M (C-S-M)*
BugTracer C-S-M C-S-M C-S-M C-S-M (C-S-M)*
TinyERP C-S-M C-S-M C-S-M C-S-M (C-S-M)*
F: Security attribute can be applied on feature level C: Security attribute can be applied on component levelS: Security attribute can be applied on class level M: Security attribute can be applied on method level
MDSE@RMT Evaluation Results
SMART
TOSSMA
MDSE@R
Security Reengineering
Security Engineering @ runtime
Multi-tenant Security Engineering @ runtime
Adaptive (Multi-tenant) Model-driven Security (Re)Engineering at Runtime Component
bool updateCustomerBalance(string custID, decimal nBalance) {
if(!AuthenitcateUser( username, password)) return false;if(!AuthorzUser(username, "updateCustBalance")) return false;LogTrx(username, dateTime.Now, "updateCustomerBalance");Customer customer = Customers.getCustomerByID(custID);customer.Balance = nBalance;Customers.SaveChanges();LogTrx(username, dateTime.Now, "updateCustBalance done");
}
if( Request.Cookies["Loggedin"] != true ) { if( !AuthenticateUser(Request.Params["username"], Request.Params["password"] ) )
throw new Exception("Invalid user");}DoAdministration();
if( !AuthenticateUser( Request.Params["username"], Request.Params["password"] ) )throw new Exception("Invalid user");
if( !AuthorizeUser( Thread.CurrentPrincipal, (new StakeFrame()).GetMethod().Name, (new StakeFrame()).GetMethod().GetParameters() ) ) throw new Exception("User is not auhorized");updateCustomerBalance(Request.QueryString["cID"], nBalance);
Examples of code snippets that need to be Re-engineerd
To be removed
To be modified
To be injected
Re-aspect Definition ::= s:{Signature} a:{Action} d:{Advice} Signature ::= st:{Signature Type} se:{Signature Expression} Signature Type ::= code-snippet | ocl-expression Action ::= at:{Action Type} ac: {Action Condition} Action Type ::= Delete | Modify | Replace | Inject Action Condition ::= ocl-expression
Re-engineering Aspects “Re-aspects” Grammar
System Security Reengineering Architecture
System Model
UML Model
AST
Reflection
Re-aspect Engine
Re-aspects Model
Re-aspects Locator
Re-aspect Enforcer
Perspective Model
Features
Test Cases
Security
System
1 2
5
3
4