Towards Novel Certification Models in Cloud Infrastructures (the CUMULUS approach)

Transcription

1 Twards Nvel Certificatin Mdels in Clud Infrastructures (the CUMULUS apprach) Prfessr G. Spanudakis Schl f Infrmatics CSP Frum, April 2013, Brussels

2 Outline Clud Security Still a prblem? Prvider perspective & cunter arguments Evidence: incidents and perceptins Security audit & risk assessment CUMULUS Overall visin Hybrid, multi-layer and incremental certificatin New certificatin mdels Infrastructure Interperability and standards Cnclusins G. Spanudakis

3 Clud security Still a prblem? G. Spanudakis

4 Clud security the arguments Still a prblem? The prvider s argument: Increased security due t Cncentratin and availability f expertise Use f cutting edge security slutins Increased cntrls Regular audits G. Spanudakis

5 Clud security the arguments Still a prblem? The prvider s argument: Increased security due t Cncentratin and availability f expertise Use f cutting edge security slutins Increased cntrls Regular audits Cunter arguments: Breach f data integrity, cnfidentiality [1,2,3] and privacy [4] Spamming, crss-site scripting attacks [5] Denial-r-service (DS) attacks [6,7] Reduced applicatin and data availability [2] Authenticatin, authrizatin and accunting (AAA) vulnerabilities [2,1] VM vulnerabilities (e.g., heap verflw, abnrmal terminatin f VM prcesses) fllwing stress testing and inspectin [27] G. Spanudakis

6 Clud security the evidence Sme incidents Amazn 24/12/2012: utage f Elastic Lad Balancing Service (lad balancing f virtual servers) fr 10Hrs (affected Netflix) 04/2011: EC2 clud suffered multiday utages causing lss f availability and data (affected Reddit/36Hrs, Fursquares, Htsuite and Qura/48Hrs) Micrsft Azure 28/2/2012: unavailability (24Hrs) due t leap year affecting, plus up t 24 mre Hrs t restre (affected UK G-Clud CludStre) Megauplad 01/2012: clud strage service suspensin due t cpyright infringement (effect: 180m users / 25 petabyte); c-tenants permanent data lss & reputatin damage Other 06/2009: 0-day vulnerability in HyperVM (LxLabs) server virtualisatin; explited t delete100,000 websites using it fr hsting purpses G. Spanudakis

7 Clud security the evidence (cnt d) Industry Perceptins: security and privacy cncerns: blck uptake f clud cmputing cmpletely fr 10% f Eurpean enterprises, and limit it fr anther 30% f enterprises [25] G. Spanudakis

8 Security Audits & Risk Assessment Framewrks fr auditing cmpany IT cntrls: SSAE 16 [31] ISAE 3402 [32] COBIT [34] Framewrks fr assurance f security management practices: NIST Rev 4 [36] ISO 2700x : assessing the infrmatin security risk f IT systems (n-ging) extensin t t prvide clud specific cntrls Sme with an explicit fcus n clud, e.g.: ENISA s Clud Cmputing Infrmatin Assurance Framewrk [35] Security recmmendatins fr clud prviders by German Federal Office fr Infrmatin Security (BSI) COSO [33] G. Spanudakis

9 Security Audits & Risk Assessment Framewrks fr auditing cmpany IT cntrls: SSAE 16 [31] ISAE 3402 [32] COBIT [34] Framewrks fr assurance f security management practices: NIST Rev 4 [36] ISO 2700x : assessing the infrmatin security risk f IT systems (n-ging) extensin t t prvide clud specific cntrls Sme with an explicit fcus n clud, e.g.: ENISA s Clud Cmputing Infrmatin Assurance Framewrk [35] Security recmmendatins fr clud prviders by German Federal Office fr Infrmatin Security (BSI) COSO [33] BUT Lw degree f autmatin Mnitring is nt cntinuus G. Spanudakis

10 Clud Certificatin An answer t the prblem? Sftware certificatin is nt new (e.g., Cmmn Criteria mdel) BUT i. Cvers mnlithic systems ii. Targets humans à certificates iii. a. nt amenable t autmated prcessing b. cannt be used fr autmated (and pssibly n-fly) system cmpnent selectin/replacement, verificatin etc.) Cannt cpe with changes t system structures and the peratinal envirnment Recent wrk n SOA certificatin (Assert4SOA prject [22] ) cvers (i)-(iii) in sme circumstances but nt in all and nt fr clud services, e.g.: Schema fr specifying machine prcessable service certificates Ontlgies fr anntating certificates Certificates aware sftware service discvery and SaaS level cmpsitin [23] G. Spanudakis

11 The CUMULUS apprach G. Spanudakis

12 CUMULUS - verview EU funded STREP (medium size targeted) research prject (Prj. n ) Ttal budget: 4.3m EU cntributin: ~ 3m funding CONSORTIUM Clud Security Alliance (UK) Infinen Technlgies AG (D) City University Lndn (UK) ATOS SPAIN SA (S) Wellness Telecm SL (S) University f Malaga (S) University f Milan (I) Fdazine Ug Brdni (I) G. Spanudakis

13 CUMULUS Overall visin Develpment f an integrated framewrk f mdels, prcesses, and tls supprting the certificatin f security prperties f infrastructure (IaaS), platfrm (PaaS) and sftware applicatin layer services (SaaS) in cluds. Use f multiple types f evidence fr security assessment including testing data mnitring data trusted cmputing prfs Use f different mdels fr security assessment: hybrid, Incremental, and multi-layer security certificatin. G. Spanudakis

14 Hybrid certificatin What? Certificatin based n cmbinatin f different types f evidence: testing data mnitring data trusted cmputing prfs fr the hardware elements f clud infrastructures Why? Sme prperties might be certifiable using a cmbinatin f evidence types G. Spanudakis

15 Hybrid certificatin examples The availability f a SaaS layer service S may be certified by a certificate based n: test data fr the service and a TC prf fr the cnfiguratin f the hsting clud infrastructure (t ensure that the infrastructure where the service is deplyed is the same as that fr which test data were btained) Cert Test Data TC Prf Hybrid certificate fr a SaaS service integrity based n test data and cntinuus mnitring in real perating cnditins Cert Test Data Mnitr Data G. Spanudakis

16 Multi-layer certificatin What? Certificatin based n a cmbinatin f certificates f interdependent services (as ppsed t simply evidence ) at different layers f the clud stack Nte: dependencies can be bttm-up, tp-dwn r side-level Why? Security prperties are affected by such dependencies Liability r reasning restrictins (e.g., inability t btain the direct evidence required fr prperty assessment) require making assessments based n certificates rather than direct evidence G. Spanudakis

17 Multi-layer certificatin examples The integrity f data-at-rest f a sftware service S 1 using a clud strage service S 2 culd be certified n the basis f a certificate regarding the crrect implementatin f a prff-strage prtcl by S 2 SaaS PaaS The availability f a messaging service in a clud federatin may be certified n the basis f certificates regarding DSresilience f the hsting nde(s) in the federatin PaaS IaaS A data-in-prcess integrity certificate f a SaaS layer service requires TCP based certificate fr hypervisr t ensure crrect mnitring f security cnditins f infrastructure services that are necessary fr data-inprcess integrity, and avidance f data leaks f relevant mnitring data SaaS IaaS G. Spanudakis

18 Incremental certificatin What? It is based n evidence acquired thrugh accumulatin f evidence regarding the satisfactin f security prperties based n cntinuus mnitring Shuld cver changes that may affect certified prperties f clud services withut having t re-certify prperties frm scratch Why? Operatinal cnditins within a clud infrastructure may change Clud services and data may migrate t different clud infrastructures within a clud federatin Cnstituent services f cmpsite services may be substituted (whether c-tenant r nt) G. Spanudakis

19 Incremental certificatin examples Re-validatin f certificate due t changing peratinal cnditins, e.g.: the certificate C fr data integrity f a sftware service requires a certificate C fr the data islatin scheme perated by the clud strage service; the sftware service migrates t a different nde in a clud federatin à C needs t be revalidated by cnsidering whether the new hsting clud has a certificate equivalent t (r apprpriate substitute fr) C Use cntinuus mnitring t create new certificates r strengthen existing certificates with increased peratinal evidence, e.g., The certificate f data-islatin fr sftware service in a given infrastructure requires islatin f c-tenant services in the infrastructure; the certificate is cntinually validated thrugh cntinuus mnitring f the infrastructure G. Spanudakis

20 New Certificatin mdels Need fr New certificatin mdels t determine the evidence (type and extent) that needs t be cnsidered t be able t certify a security prperty and hw it will be used t assess the prperty Cnsequences Certificatin authrities sign parametric certificates, which are based n apprved (signed) certificatin mdels, and may need t be validated (cnfirmed) dynamically à Changes in existing life cycle mdel f Issuing/Revcatin G. Spanudakis

21 New Certificatin mdels (cnt d) Certificatin mdels shuld address questins like: When tw distinct pieces f evidence can be cnsidered equivalent fr a given security prperty? If cnflicting evidence arises what happens t the certificate? Shuld a certificate be revalidated/revked when: The cmpsitin f a service changes The deplyment cnfiguratin f a service changes (e.g., cde r data migratin t anther nde in a federatin) The cnfiguratin f an infrastructure changes Hw certificate re-validatin shuld be carried ut? fr example: Culd equivalent security prperties be cnsidered sufficient? Culd alternative equivalent pieces f evidence be used? G. Spanudakis

22 CUMULUS Infrastructure CUMULUS Aware Service Engineering Tls Clud Service Prvider CUMULUS Certificatin Infrastructure Certificatin Mdels Multi-layer, hybrid & incremental Certificatin Security Mdels Test Based Certificatin Mnitring Based Certificatin Trusted Cmputing Based Certificatin Clud Service Custmer Certificatin Authrity Clud Trust Prtcl Clud 1 TestService TCP Clud 2 Clud Mnitr Clud Mnitr Mnitring Service Clud N TCP Mnitring Service Clud Mnitr Clud Mnitr External Certificate Registries (e.g., STAR) G. Spanudakis

23 Interperability & standards Interperability with emerging standards (e.g., GRC stack, STAR Registry) fr clud audit reference clud architectures (e.g., Nebula, CSA s reference architecture) Cntributin t standards, e.g.: OCF (CSA; nging) ISO (Clud cntrls; nging) ISO (Privacy in public cluds; nging) cntributes underpin underpin Key challenge/pprtunity Mst f these standards are under develpment (e.g., OCF, ISO27017) G. Spanudakis

24 Where are we? G. Spanudakis

25 Cnclusins Clud security still nt perfect Security assessment: frm audit t certificatin Fcus n new certificatin mdels Expliting multiple types f evidence Supprting increased autmatin, cntinuity and transparency Clse alignment with nging standardisatin effrts G. Spanudakis