Secure Cloud Computing for Critical Infrastructures

Transcription

1 SEcure Cloud computing for CRitical Infrastructure IT Secure Cloud Computing for Critical Infrastructures Aleksandar Hudic and Christian Wagner AIT Austrian Institute of Technology AIT Austrian Institute of Technology ETRA Investigación y Desarrollo Fraunhofer Institute for Experimental Software Engineering IESE Karlsruhe Institute of Technology NEC Europe Lancaster University Mirasys Hellenic Telecommunications Organization OTE Ayuntamiento de Valencia Amaris

2 Source:

3 The SECCRIT Project Hard Facts Research project on secure Cloud Computing for critical infrastructure IT 10 Partners from Austria, Finland, Germany, Greece, Spain and the UK. Project budget 4.8 Mio, partly funded by the European Union Project duration about % of the project completed 25 public deliverables SECCRIT Consortium 3

4 What are Critical Infrastructures SECCRIT Consortium 4

5 Everything goes to Cloud SECCRIT Consortium 5

6 Motivation Why would someone do that? SECCRIT Consortium 6

7 SECCRIT Consortium 7

8 Motivation Why would someone do that? Possible reduction of costs Pay as you use Managing peak loads Scalable computing resources Potential increased availability SECCRIT Consortium 8

9 now back to the project

10 SECCRIT s Overall Goal analyse and evaluate cloud computing with respect to security risks in sensitive environments i.e. critical infrastructures o o to develop o o o Traffic Control Public Safety (CCTV) methodologies technologies, best practices for secure, trustworthy, high assurance legal compliant cloud computing environments for critical infrastructure IT. Investigate real-world problems SECCRIT Consortium 10

11 Problem Definition High Level Requirements for cloud applications vary o Commercial applications mainly focus on scalability & elasticity o Requirements in CI regarding: overall redundancy, data availability, authenticity, secure access, trust and protection of the citizens are typically higher than in commercial applications. o Common Users Requirements converge with what is CI standard SECCRIT Consortium 11

12 Problem Definition High Level What is the problem? o Cloud services abstract over used resources, are opaque and make it hard to determine technical reasons for (security) failure and hence make the development of countermeasures o This also implies, from a legal perspective, that it is hard to determine who s fault it is and to show one hasn t acted negligent SECCRIT Consortium 12

13 SECCRIT Demonstrator: Traffic Control Gather traffic data from traffic sensors on the road Store traffic data in data bases Generate data and reports about traffic status and traffic evolution Analyse and relate the whole of mobility data Support to define mobility polices and traffic control strategies Control traffic on the road by Traffic Controllers, Traffic Ligths, Variable Messages Signals, etc. Public transportation priority by strategies like offering traffic lights priority Execute traffic control strategies by operators manual actions or by automatic procedures SECCRIT Consortium 13

14 SECCRIT Demonstrator: Public Safety (CCTV) MetroSub CitySec TelCom TenSys CloudCorp The Subway Operator The Security Service Provider The Telecom Operator The Tenant System Mgmt The Cloud Mgmt Provider SECCRIT Consortium 14

15 Key Objectives Legal Guidance on Data Protection and Evidence Understand and manage risk associated with cloud environments Understand cloud behavior in the face of challenges Establish best practices for secure cloud service implementations Demonstration of output in real-world application scenarios SECCRIT Consortium 15

16 Key Objectives Activities & Output Legal Guidance on Data Protection and Evidence Understand and manage risk associated with cloud environments Understand cloud behavior in the face of challenges Establish best practices for secure cloud service implementations Demonstration of output in real-world application scenarios Definition of legal guidance on SLA compliance, provision of evidence, and data protection for cloud services Risk Assessment and Management Methodology Policy Specification Methodology and Tool Cloud Assurance Profile and Evaluation Method Anomaly Detection Techniques and Tools Policy Decision and Enforcement Tools Cloud Resilience Management Framework Tools for Audit Trails and Root Cause Analysis Model Driven Cloud Security Guidelines Orchestration Secure Cloud Storage Demo 1: Storage and Processing of Sensitive Data Demo 2: Hosting Critical Urban Mobility Services SECCRIT Consortium 16

17 SECCRIT Output a) Techno-legal guidance b) Novel Risk Assessment Approaches c) Cloud Security Policy Specification and Enforcement Framework d) Resilience Management Framework (incl. anomaly detection and virtual component deployment) e) Forensic Analysis via Audit Trails for Root Cause Analysis (incl. secure cloud storage) f) Cloud Assurance Approaches g) Process-Oriented Security Guideline and Best Practise Approaches SECCRIT Consortium 17

18 SECCRIT Output a) Techno-legal guidance b) Novel Risk Assessment Approaches c) Cloud Security Policy Specification and Enforcement Framework d) Resilience Management Framework (incl. anomaly detection and virtual component deployment) e) Forensic Analysis via Audit Trails for Root Cause Analysis (incl. secure cloud storage) f) Cloud Assurance Approaches g) Process-Oriented Security Guideline and Best Practise Approaches SECCRIT Consortium 18

19 Techno-Legal Guidance

20 Legal Questions Security Service Operator uses cloud services Uses integrated analysis cloud service (B-AG) and video management cloud service (C-AG) Analysis cloud service + video management run on virtual server video management cloud service uses DB (Y-AG) Y-AG uses storage service SECCRIT Consortium 20

21 SECCRIT Architectural Framework

22 What do we mean when we talk about Cloud? R. Bless, Flittner, M., Horneber, J., Hutchison, D., Jung, C., Pallas, F., Schöller, M., Shirazi, S. Noor ul Ha, Simpson, S., and Smith, P., Whitepaper "AF 1.0" SECCRIT Architectural Framework (and IEEE CloudCom) SECCRIT Consortium 22

23 Cloud Risk Assessment

24 Cloud Risk Assessment There are different stakeholder viewpoints to consider o The Cloud Service Provider In SECCRIT is decomposed into sub roles, including the Tenant and Cloud Infrastructure Provider o The Critical Infrastructure Service Provider When should an assessment be performed? o At the point of deployment, to determine whether to use the Cloud and/or which provider and deployment model to use o During the operation of a service, e.g., periodically or in response to changes in the deployment environment caused by scaling SECCRIT Consortium 24

25 Major Contributions 1. An analysis of risk perceptions regarding the use of cloud o Performed on an individual and organisational basis 2. An extensive cloud-specific threat and vulnerability catalogue that can support a risk assessment 3. An extension to a standard risk assessment process to support critical infrastructure service providers determine the risk of cloud deployment o Supported by the SECCRIT threat and vulnerability catalogue and the open-source Verinice ISMS tool 4. Identified a set of cloud infrastructure metrics that could be used to support online risk assessment

26 The SECCRIT Threat and Vulnerability Catalogue Primary data sources: 1. Performed an extension literature survey of existing catalogues and organisations of threats and vulnerabilities, e.g., CSA s Notorious Nine 2. Carried out a structured security analysis, based on the SECCRIT architectural framework and different deployment models 3. Leveraged findings from the cloud risk survey Management-oriented View Box model Virtual environment Local scaling Resource pooling SECCRIT Consortium 26

27 The SECCRIT Threat and Vulnerability Catalogue Organised items into categories NIST s essential characteristics of cloud computing at the core Identified impact type, i.e., CIA, and references when possible SECCRIT Consortium 27

28 Cloud Risk Deployment Assessment Process SECCRIT Consortium 28

29 Conclusion Four major contributions: 1. An analysis of risk perceptions regarding the use of cloud 2. An extensive cloud-specific threat and vulnerability catalogue 3. Extension to a standard risk assessment process to support critical infrastructure service providers determine the risk of cloud deployment 4. Cloud infrastructure metrics that could be used to support online risk assessment The threat and vulnerability catalogue is being put forward as a contribution to the ETSI ISG on Network Function Virtualisation (NFV) SECCRIT Consortium 29

30 Cloud Assurance Approaches

31 Cloud Assurance Framework Assurance Level 1-7 MONITORING ARTIFACTS SECCRIT Consortium 31

32 Aspects of Assurance SECCRIT Consortium 32

33 Research questions / challenges How to assure that security properties are met across distinct cloud layers with different stake holders? Levels of Abstraction (The SECCRIT architecture) How to derive continuous assessment of security properties across the clouds architecture? How can security be assessed, measured or scaled in respect to a certain predefined set of security properties (assurance levels)? How to aggregate/inherit security across different stake holders in Cloud? R. Bless, Flittner, M., Horneber, J., Hutchison, D., Jung, C., Pallas, F., Schöller, M., Shirazi, S. Noor ul Ha, Simpson, S., and Smith, P., Whitepaper "AF 1.0" SECCRIT Architectural Framework (and IEEE CloudCom) SECCRIT Consortium 33

34 Security properties Security-aware SLA specification language and cloud security dependency model Certification models Core Certification mechanisms Methodologies for Risk Assessment and Management The Notorious Nine: Cloud Computing Top Threats in SECCRIT Consortium 34

35 Identified categories/properties ID SECURITY PROPERTY CATEGORY VULNERABILITY THREATS DEPENDENCIES SP_1 SP_2 SP_3 SP_4 SP_5 User Authentication and Identity assurance level Identity Assurance Loss of human-operated control point to verify security and privacy settings Insufficient authentication security, e.g., weak authentication mechanisms, on the cloud management interface Data deletion quality level Data Disposal Data recovery vulnerabilities, e.g., unauthorised access to data in memory or on disk from previous users Storage Freshness Durability Data recovery vulnerabilities, e.g., unauthorised access to data in memory or on disk from previous users Data alteration prevention / detection Data Breaches, Data Loss, Shared Technology Vulnerabilities Account or Service Traffic Hijacking Insecure Interfaces and APIs, Malicious Insiders Data Breaches, Account or Service Traffic Hijacking, Insecure Interfaces and APIs, Malicious Insiders, Insufficient Due Diligence Data Breaches, Account or Service Traffic Hijacking, Insecure Interfaces and APIs, Malicious Insiders, Insufficient Due Diligence Integrity Poor/ no integrity checks of the billing information Data Breaches Insecure Interfaces and APIs Insufficient Due Diligence Storage Retrievability Durability Poor/ no backup & restore strategy is in place to prevent the loss of billing information, e.g., in the case of a system failure Data Breaches Insecure Interfaces and APIs Insufficient Due Diligence None None None SP_1, SP_2, SP_3 SP_4 SP_6 SP_7 Data leakage detection / prevention Cryptographic module protection level Data Leakage Key Management Poor/ no encryption of the VM data through a wide-area migration process Unmonitored and unencrypted network traffic between VMs is possible, e.g., for VMs on the same node through virtual network Unencrypted physical storage, which is the underlying for allocated virtual storage of the VMs Data Breaches Malicious Insiders Shared Technology Vulnerabilities Insufficient Due Diligence Shared Technology Vulnerabilities Data Breaches Malicious Insiders SP_5 None SECCRIT Consortium 35

36 Assurance Assessment Framework ABSTRACTION LEVEL User Level Application Level Critical Infrastructure Target of Evaluation Framework elements: Component of Evaluation (CoE) o Component dependencies (CD) o Association (AS) Group of Evaluation (GoE) Target of Evaluation (ToE) Virtual Infrastructure Level Tenant Physical Infrastructure Level Cloud Infrastructure Assurance Profile: o o o o o GROUP OF EVALUATION GROUP OF EVALUATION Assurance Type (AT) Assurance Properties (AP) Assurance Class (AC) Security Objectives (SO) Assessment Interval (AI) Common Criteria Framework for Information Technology Security Evaluation, CCDB USB Working Group, 2012, part 1-3. Online available: SECCRIT Consortium 36

37 Initial assurance policy set INITIAL POLICY SET AL K AC X :! VS, (1) VS = {SPV 1, SPV 2 SPV N }, (2) SPVi= [ SP 1, SP 2, SP 3, SP 4 ], SP i = {0,1} (3) VS AL K :! SPVi, i (4) SPVi AC X : SPVi = k (5) AC X = {SPV 1, SPV 2, SPV 3, SPV n } (6) (7) ACS AL = AC X (SPV i ), AC X CoE M, i {1 N} (8) ACS AL (i) DAL VS (i) (9) AL VS DAL VS (10) (DAL VS (i) AL VS (i)) AL(AC X )=i, AC X CoE M (11)! ALi Min(CALj) i {1 7}, j {1 N} (12) Each assurance class is associated with at least on vector set Vector set is a compound of N Security Property vectors Security Property Vector is a set of K Security Properties associated with true or false Each Vector Set of a particular Assurance Level is associated with All Security Property Vectors in a class have the same cardinality Assurance Class is a compound of distinct Security property vectors Individual SPV can be found only at one Assurance class Bitwise conjunction of Security property vector bits of an individual Assurance Class Assurance Class of the evaluated object directly depends on the assurance of the associated components SECCRIT Consortium 37

38 Service abstraction Service/infrastructure abstraction via the General tree model: Clustering assurance class properties to a particular assurance level SECCRIT Consortium 38

39 Prototype use cases analysis GENERAL TREE MODEL ANALYSIS: tree traversal post order method level based bit conjunction vertical post order assurance aggregation (a) (b) SECCRIT Consortium 39

40 Assurance calculation algorithm Algorithm steps: 1. Bitwise conjunction SPV[i] for each vector in an Evaluated Vectors Set 2. Reducing the potential combination set 3. Checking the remained subset begin procedure: for i=k i=1 do if ( CoE C (SPV[i])! AL M, M {1,2,,7}) { AL = M; end procedure } else if ( CoE SPV i 0) { discard SPV where SPV[i] =1; continue; } else ( CoE SPV i 1) { discard SPV where SPV[i] =0; continue; } end procedure SECCRIT Consortium 40

41 Future work Building a comprehensive security property catalogue in line with the critical infrastructure requirements (demo partner feedback) Investigating whether the current Cloud monitoring tools are capable of conducting cross layer monitoring or supporting assurance approach Demonstrating the approach by applying it on general demo scenario, in line with both of our demo scenarios, on OpenStack SECCRIT Consortium 41

42 Conclusion customizable framework for analyzing predefined set of security properties across the cloud stack user and provider centric advanced and transparent monitoring model across cloud stack autonomic and cumulative analysis of the cloud infrastructure technology independent assessment framework integration of exiting work of SECCRIT project e.g.: monitoring, root cause and forensic analysis tools, legal requirements, vulnerability catalogue SECCRIT Consortium 42

43 Any Questions? SECCRIT Consortium 43

44 SEcure Cloud computing for CRitical Infrastructure IT Contact Aleksandar Hudic, Christian Wagner AIT Austrian Institute of Technology AIT Austrian Institute of Technology ETRA Investigación y Desarrollo Fraunhofer Institute for Experimental Software Engineering IESE Karlsruhe Institute of Technology NEC Europe Lancaster University Mirasys Hellenic Telecommunications Organization OTE Ayuntamiento de Valencia Amaris