Usage Control in Cloud Systems. Paolo Mori, Istituto di Informatica e Telematica, Consiglio Nazionale delle Ricerche, Pisa, Italy
Agenda: Examples of usage of Cloud services; Usage Control Model; Policy Language; Authorization system architecture; Integration with OpenNebula and CONTRAIL Cloud Federation
Cloud Security: Most of the well-known security issues of IT systems are still valid in the Cloud. New security issues due to Cloud peculiarities (Users, Cloud services providers). Reports on Cloud Security: CSA, NIST, ENISA, ...
Examples of usage of IaaS Cloud: A researcher creates a new Virtual Machine to manage the SVN of each new project he starts (1 3 years). NESSoS project users create a new Virtual Machine on the NESSoS Cloud Execution Environment to develop their applications using NESSoS Eclipse development tools (6 months). Long lasting accesses.
Other examples of Cloud usage: CONTRAIL project use cases: Distributed Provisioning of Geo-referentiated Data; Multimedia Processing Service MarketPlace; Real-Time Scientific Data Analysis; Electronic Drug Discovery. Long lasting accesses.
IaaS Cloud Accesses [Figure: timeline showing IMG usage (Create IMG to Delete IMG) and VM usage (Start VM to Stop VM) over Time]
Authorization of Long Lasting Accesses
Usage Control Model: Defined by R. Sandhu et al.: The UCON Usage Control Model. ACM Trans. on Information and System Security, 7(1), 2004; Formal Model and Policy Specification of Usage Control. ACM Trans. on Information and System Security, 8(4), 2005; Towards a Usage-Based Security Framework for Collaborative Computing Systems. ACM Trans. on Information and System Security, 11(1), 2008; ... Main novelties: New decision factors (Obligations and Conditions); Mutability of Attributes; Continuity of Policy Enforcement
Mutable Attributes: Change their value frequently, as a consequence of the decision process. Paired with users and resources. Examples: Reputation of users: changes as a consequence of the accesses performed by the user. Workload of systems: changes when new applications are started and when running applications are terminated.
Continuity of Policy Enforcement: The decision process is performed continuously (OnGoing decision) while the access right is exercised, and the access is interrupted when the right no longer holds. Examples: OnGoing Authorization: the right of accessing a resource is granted as long as the reputation of the user is GOOD. OnGoing Obligation: the right of accessing a resource is granted as long as the user keeps an advertisement window open.
Access VS Usage Control [Figure, shown in three builds: a timeline split into Before usage, Usage and After usage. Continuity of decision track: Pre decision at the access request, Ongoing decision between begin and end of usage (or revocation). Mutability of attributes track: Pre update, Ongoing update, Post update. One build marks the Traditional Access Control part of the diagram.]
Why Usage Control in Cloud? Accesses to some resources are long-lasting (hours, days, ...), e.g., Virtual Machines in the IaaS model. The factors that granted the access when it was requested could change while the access is in progress: User's reputation could decrease; Workload of resources could change; ... The policy should be re-evaluated every time factors change. An access that is in progress could be interrupted.
Example of Usage Control Policies, in natural language: Users with role RegisteredUser can run Virtual Machines as long as their reputation is equal to or higher than GOOD. Users with role Guest can run Virtual Machines as long as the overall workload is lower than HIGH and their reputation is equal to VERYGOOD.
Security Policy Language
UCON XACML Security Policy Language: XACML is a widely used standard for expressing security policies. NIST recommends its use for authorization in Cloud. We extended XACML to implement UCON features: Attributes update; Continuous control. Preliminary work: A proposal on enhancing XACML with continuous usage control features. CoreGrid ERCIM WG Workshop on Grids, P2P and Service Computing, 2009
Example of UCON-XACML policy
Usage Control System
XACML Reference Architecture [Figure: Access Control System in which PEPs send access requests and receive permit/deny, with the components Context handler, PDP, PAP and PIP]
Usage Control System: Extension of the XACML reference architecture to deal with continuous policy enforcement: PEPs intercept the END of accesses (besides access requests). Session Manager (new component) keeps track of accesses in progress. PIP monitors mutable attributes and triggers the re-evaluation of the security policy. PDP revokes ongoing accesses.
Usage Control System Architecture [Figure: PEPs exchange try access, permit/deny, revoke access and end access messages with the Usage Control System, whose components are Session Manager, Context handler, PDP, PAP and PIP]
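The following added example (not code from the slides or from the authors' prototype) runs the two natural-language policies through the continuous enforcement loop described above: a pre decision on the access request, then re-evaluation and revocation when a mutable attribute changes. The function and class names, the attribute orderings (BAD < GOOD < VERYGOOD, LOW < MEDIUM < HIGH) and the sample users are assumptions.

```python
REPUTATION = {"BAD": 0, "GOOD": 1, "VERYGOOD": 2}  # assumed ordering
WORKLOAD = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}      # assumed ordering

def pdp_decide(attrs, user):
    """PDP: evaluate the two 'run Virtual Machine' policies for one user."""
    role = attrs[user]["role"]
    rep = REPUTATION[attrs[user]["reputation"]]
    if role == "RegisteredUser":
        return rep >= REPUTATION["GOOD"]
    if role == "Guest":
        load = WORKLOAD[attrs["system"]["workload"]]
        return load < WORKLOAD["HIGH"] and rep == REPUTATION["VERYGOOD"]
    return False  # no matching policy: deny

class UsageControlSystem:  # hypothetical name, not the prototype's API
    def __init__(self, attrs):
        self.attrs = attrs    # mutable attributes as seen by the PIP
        self.sessions = {}    # Session Manager: session id -> user
        self.revoked = []     # (session id, user) revocations sent to the PEP
        self._next_sid = 0

    def try_access(self, user):
        """Pre decision: return a session id on permit, None on deny."""
        if not pdp_decide(self.attrs, user):
            return None
        self._next_sid += 1
        self.sessions[self._next_sid] = user
        return self._next_sid

    def end_access(self, sid):
        self.sessions.pop(sid, None)  # PEP reported the normal end of the access

    def update_attribute(self, subject, name, value):
        """Attribute change seen by the PIP: re-evaluate every ongoing access."""
        self.attrs[subject][name] = value
        stale = [s for s, u in self.sessions.items() if not pdp_decide(self.attrs, u)]
        for sid in stale:
            self.revoked.append((sid, self.sessions.pop(sid)))
        return stale  # session ids the PEP must interrupt

def demo():
    ucs = UsageControlSystem({  # constructed sample attributes
        "alice": {"role": "RegisteredUser", "reputation": "GOOD"},
        "bob": {"role": "Guest", "reputation": "VERYGOOD"},
        "system": {"workload": "LOW"}})
    a, b = ucs.try_access("alice"), ucs.try_access("bob")
    ucs.update_attribute("system", "workload", "HIGH")  # Guest bob is revoked
    ucs.update_attribute("alice", "reputation", "BAD")  # alice is revoked
    return a, b, ucs.revoked
```

A traditional access control system would stop after `try_access`; here the sessions recorded by the Session Manager are what make the later revocations possible.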
Prototypes: 1) Extension of support authorization. Resources: VMs. 2) CONTRAIL project: integration with Cloud Federation manager. Resources: applications (set of VMs running on distinct Cloud providers).
Integration with OpenNebula [Figure: architecture diagram with PEPs at the OpenNebula Authz Driver, Core and Hook Manager, and the Usage Control System components Session Manager, Context handler, PDP, PAP and PIP]
Design, implement, validate and promote an open source software stack for Cloud federations. Develop a comprehensive Cloud platform integrating a full IaaS and PaaS offer. Advanced SLA management. Advanced security support: Federated authentication, Usage Control.
Usage Control System Performance [Figure: Ongoing accesses revocation. Time (ms), 0 to 1600, versus Number of providers, 0 to 100, with one series for 10 resources per provider and one for 5 resources per provider]
Papers: A. Lazouski, G. Mancini, F. Martinelli, P. Mori: Usage Control in Cloud Systems. In Proceedings of the 3rd International Workshop on Cloud Applications and Security (CAS 12), IEEE Computer Society (2012). A. Lazouski, F. Martinelli, P. Mori: A Prototype for Enforcing Usage Control Policies Based on XACML. In Proceedings of the 9th International Conference on Trust, Privacy and Security in Digital Business (TrustBus'12), LNCS 7449, Springer (2012). L. Krautsevich, A. Lazouski, F. Martinelli, P. Mori, A. Yautsiukhin: Integration of Quantitative Methods for Risk Evaluation within Usage Control Policies. In Proceedings of International Conference on Computer Communications and Networks (ICCCN2013) (2013).
EU Projects: Network of Excellence on Engineering Secure Future Internet Software Service and System (Oct 2010 - Apr 2014); Open Computing Infrastructures for elastic Services (Oct 2010 - Feb 2014); Confidential and Compliant Clouds (Nov 2013 - Oct 2016)
Thank you!! paolo.mori@iit.cnr.it, Istituto di Informatica e Telematica, Consiglio Nazionale delle Ricerche, Pisa, Italy
UCON-XACML Policy Schema