Hierarchical Secure Information and Resource Sharing in OpenStack Community Cloud

Transcription

1 Hierarchical Secure Information and Resource Sharing in OpenStack Community Cloud Cyber Incident Response An Model for Information and Resource Sharing Amy(Yun) Zhang, Farhan Patwa, Ravi Sandhu, Bo Tang Institute for Cyber Security University of Texas at San Antonio Aug 15, 2015 Presented by: Amy(Yun) Zhang

2 Community Cloud Community cloud provides services for exclusive use by a specific community, which contains organizations with shared concern, such as mission, security requirements, business models, etc. A community of financial organizations OpenStack 2

3 Cyber Collaboration Initiatives Cyber attacks are becoming increasingly sophisticated. Hard to defend by a single organization on its own. Collaborate to enhance situational awareness Share cyber information in community Malicious activities Technologies, tools, procedures, analytics. 3 Ref:

4 Traditional Cyber Collaboration Traditional collaboration Subscription services Limitations Organizations Sharing information through subscription. Organizations are not actively participating in analyzing and processing the cyber information they submit. Organizations don't directly interact with each other on sharing activities. 4

5 Cyber Collaboration in Community Cloud Cloud platform (community) Cyber Security Committee. Organizations routinely collect cyber information. Cross organization cyber collaborations. 5

6 Community Cyber Incident Response Governance Incident Response Group Cyber Security Committee Organization Security Specialists External Experts Conditional Membership Shared Information 6

7 Assumptions and Scope In a community cloud platform OpenStack Sharing amongst a set of organizations Sensitive cyber information, infrastructure, tools, analytics, etc. May share malicious or infected code/systems (e.g. virus, worms, etc.) Focus on access control model 7

8 OpenStack Dominant open-source cloud IaaS software OpenStack software controls large pools of compute, storage, and networking resources throughout a datacenter, managed through a dashboard or via the OpenStack API.!!!!!! Ref: 8

9 OpenStack HMT HMT : Hierarchical Multitenancy D Cloud Domain 1 Domain n Project 1 Project p Project 1 Project q childproject 1 childproject k child childproject 1 child childproject l 9

10 OSAC Model with HMT Project Hiearachy: Role Inheritance: One-to-one relation: One-to-multiple relation: Multiple-to-multiple relation: Group (GO) Domains (D) ot_service Services (S) Group (UG) Groups (G) s (U) (UO) Group Assignment (GA) Assignment (UA) token_project Projects (P) Project (PO) Project-Role Pair (PRP) token_roles Roles (R) Permission Assignment (PA) PRMS Object Types (OT) Operations (OP) user_token Tokens (T) 10

11 OSAC-HMT-SID Model 11 s (U) Project-Role Pair (PRP) Security Projects (SP) Roles (R) Project-Role Pair (PRP) Projects (P) Roles (R) (UO) Assignment (UA) Assignment (UA) Self Subscription (USS) Assignment (UA) SIP (SIPO) Secure Isolated Domain (SID) Project-Role Pair (PRP) Expert (EUO) Open Project (OPO) Security Project (SPO) Project-Role Pair (PRP) Secure Isolated Projects (SIP) Roles (R) Open Project (OP) Roles (R) Domains (D) Cyber Collaboration Routine Cyber Information Process Expert s Project (PO) Assignment (UA) Cyber Security Forum Project-Role Pair (PRP) Core Project (CP) Roles (R) Cyber Security Committee Core Project (CPO) Assignment (UA) SIP association (assoc)

12 OSAC-HMT-SID Administration Relation and Resources Cloud admin Domain admin SID admin (Cloud admin) Project admin Security Project admin Core Project admin SIP admin Community Cloud Domains SID Projects Secure Projects Core Project Open Project child Projects child Secure Projects SIPs child SIPs 12

13 OSAC-SID Administrative Model SipCreate(uSet, sip) /* A subset of Core Project/domain admin users together create a sip */ SipDelete(uSet, sip) /* The same subset of Core Project/domain admin users together delete a sip*/ Add(adminuser, r, u, sp, p) /* CP/Sip admin can add a user from his home domain Security Project to CP/sip*/ Remove(adminuser, r, u, sp, p) /* CP/Sip admin can remove a user from the Core Project/sip */ OpenSubscribe(u, member, OP) /* s subscribe to Open Project */ OpenUnsubscribe(u, member, OP) /* s unsubcsribe from Open Project */ CopyObject(u, so1, sp, so2, p) /* Copy object from Security Project to Core Project/SIP */ ExportObject(adminuser, so1, p, so2, sp) /* Export object from Core Project/SIP to Security Project */ ExpertCreate(coreadmin, eu) /* Core Project admin users can create an expert user */ ExpertDelete(coreadmin, eu) /* Core Project admin users can delete an expert user */ ExpertList(adminuser) /* Admin users of Core Project and SIPs can list expert users */ ExpertAdd(adminuser, r, eu, proj) /* Core Project/sip admin can add an expert user to Core Project/sip*/ ExpertRemove(adminuser, r, eu, proj) /* Core Project/sip admin can remove an expert user from Core Project/sip */ 13

14 Enforcement Set up the cloud Assign an admin user as Community Cloud:Cloud Admin Domains:Domain Admin Assign domain admins as SID:Cloud Admin Assign domain admins as Security Project: Admin/member Assign users from domains as Core Project: Admin Admin user assign users to SP as member Open Project: member Assign users from home domain as Assign expert users as Core Project: member 14

15 Enforcement SID: Cloud Admin Assign domain admins as Create SIP/child SIP/, assign domain admins as Core Project: Admin Assign users from home domain as Assign expert users as Core Project: member SIP: Admin Assign users from home domain as Assign expert users as child SIP: Admin SIP: member Assign users from home domain as Assign expert users as child SIP s child SIP: Admin child SIP: member Assign users from home domain as Assign expert users as child SIP s child SIP: member 15

16 Conclusion and future work Suggested OSAC-HMT-SID model to OpenStack Cyber collaboration across organizations cyber incident response Self-service Cyber Security Committee. Share data, tools, vms, etc. Potential blueprint for official OpenStack adoption Future work Explore other model options. Explore local roles in the model. Explore models in other dominant cloud platforms. 16

17 Thanks! 17