SEcure Cloud computing for CRitical Infrastructure IT (SECCRIT)
Secure Cloud Computing for Critical Infrastructures
Aleksandar Hudic and Christian Wagner, AIT Austrian Institute of Technology

Consortium: AIT Austrian Institute of Technology; ETRA Investigación y Desarrollo; Fraunhofer Institute for Experimental Software Engineering IESE; Karlsruhe Institute of Technology; NEC Europe; Lancaster University; Mirasys; Hellenic Telecommunications Organization OTE; Ayuntamiento de Valencia; Amaris

The SECCRIT Project: Hard Facts
- Research project on secure Cloud Computing for critical infrastructure IT
- 10 partners from Austria, Finland, Germany, Greece, Spain and the UK
- Project budget 4.8 Mio, partly funded by the European Union
- Project duration 1.1.2013 to 31.12.2015; about 61.748% of the project completed
- 25 public deliverables
07.11.2014 SECCRIT Consortium 3
What are Critical Infrastructures?

Everything goes to Cloud

Motivation: Why would someone do that?
- Possible reduction of costs
- Pay as you use
- Managing peak loads
- Scalable computing resources
- Potential increased availability
Now back to the project

SECCRIT's Overall Goal
- Analyse and evaluate cloud computing with respect to security risks in sensitive environments, i.e. critical infrastructures (Traffic Control, Public Safety (CCTV))
- Develop methodologies, technologies and best practices for secure, trustworthy, high-assurance, legally compliant cloud computing environments for critical infrastructure IT
- Investigate real-world problems

Problem Definition (High Level): Requirements for cloud applications vary
- Commercial applications mainly focus on scalability and elasticity
- Requirements in CI regarding overall redundancy, data availability, authenticity, secure access, trust and protection of the citizens are typically higher than in commercial applications
- Common user requirements are converging towards what is standard in CI

Problem Definition (High Level): What is the problem?
- Cloud services abstract over the resources they use; they are opaque and make it hard to determine the technical reasons for a (security) failure, and hence make the development of countermeasures
- This also implies, from a legal perspective, that it is hard to determine whose fault it is and to show that one hasn't acted negligently
SECCRIT Demonstrator: Traffic Control
- Gather traffic data from traffic sensors on the road
- Store traffic data in databases
- Generate data and reports about traffic status and traffic evolution
- Analyse and relate the whole of the mobility data
- Support the definition of mobility policies and traffic control strategies
- Control traffic on the road by traffic controllers, traffic lights, variable message signals, etc.
- Public transportation priority by strategies such as offering traffic-light priority
- Execute traffic control strategies by operators' manual actions or by automatic procedures

SECCRIT Demonstrator: Public Safety (CCTV)
- MetroSub: the Subway Operator
- CitySec: the Security Service Provider
- TelCom: the Telecom Operator
- TenSys: the Tenant System Management
- CloudCorp: the Cloud Management Provider

Key Objectives
- Legal guidance on data protection and evidence
- Understand and manage risk associated with cloud environments
- Understand cloud behaviour in the face of challenges
- Establish best practices for secure cloud service implementations
- Demonstration of output in real-world application scenarios

Key Objectives: Activities & Output
- Definition of legal guidance on SLA compliance, provision of evidence, and data protection for cloud services
- Risk Assessment and Management Methodology
- Policy Specification Methodology and Tool
- Cloud Assurance Profile and Evaluation Method
- Anomaly Detection Techniques and Tools
- Policy Decision and Enforcement Tools
- Cloud Resilience Management Framework
- Tools for Audit Trails and Root Cause Analysis
- Model Driven Cloud Security Guidelines
- Orchestration
- Secure Cloud Storage
- Demo 1: Storage and Processing of Sensitive Data
- Demo 2: Hosting Critical Urban Mobility Services

SECCRIT Output
a) Techno-legal guidance
b) Novel Risk Assessment Approaches
c) Cloud Security Policy Specification and Enforcement Framework
d) Resilience Management Framework (incl. anomaly detection and virtual component deployment)
e) Forensic Analysis via Audit Trails for Root Cause Analysis (incl. secure cloud storage)
f) Cloud Assurance Approaches
g) Process-Oriented Security Guideline and Best Practice Approaches
Techno-Legal Guidance

Legal Questions: a Security Service Operator uses cloud services
- Uses an integrated analysis cloud service (B-AG) and a video management cloud service (C-AG)
- The analysis cloud service and video management run on a virtual server
- The video management cloud service uses a DB (Y-AG)
- Y-AG uses a storage service

SECCRIT Architectural Framework

What do we mean when we talk about Cloud?
R. Bless, Flittner, M., Horneber, J., Hutchison, D., Jung, C., Pallas, F., Schöller, M., Shirazi, S. Noor ul Ha, Simpson, S., and Smith, P., Whitepaper "AF 1.0" SECCRIT Architectural Framework. 2014. (and IEEE CloudCom)
Cloud Risk Assessment

Cloud Risk Assessment: there are different stakeholder viewpoints to consider
- The Cloud Service Provider; in SECCRIT it is decomposed into sub-roles, including the Tenant and the Cloud Infrastructure Provider
- The Critical Infrastructure Service Provider
When should an assessment be performed?
- At the point of deployment, to determine whether to use the Cloud and/or which provider and deployment model to use
- During the operation of a service, e.g., periodically or in response to changes in the deployment environment caused by scaling

Major Contributions
1. An analysis of risk perceptions regarding the use of cloud, performed on an individual and organisational basis
2. An extensive cloud-specific threat and vulnerability catalogue that can support a risk assessment
3. An extension to a standard risk assessment process to help critical infrastructure service providers determine the risk of cloud deployment, supported by the SECCRIT threat and vulnerability catalogue and the open-source Verinice ISMS tool
4. An identified set of cloud infrastructure metrics that could be used to support online risk assessment

The SECCRIT Threat and Vulnerability Catalogue: primary data sources
1. An extensive literature survey of existing catalogues and organisations of threats and vulnerabilities, e.g., CSA's Notorious Nine
2. A structured security analysis, based on the SECCRIT architectural framework and different deployment models
3. Findings from the cloud risk survey
(Figure labels: Management-oriented View, Box model, Virtual environment, Local scaling, Resource pooling)

The SECCRIT Threat and Vulnerability Catalogue
- Items organised into categories, with NIST's essential characteristics of cloud computing at the core
- Impact type (i.e., confidentiality, integrity, availability) and references identified when possible

Cloud Risk Deployment Assessment Process

Conclusion: four major contributions
1. An analysis of risk perceptions regarding the use of cloud
2. An extensive cloud-specific threat and vulnerability catalogue
3. An extension to a standard risk assessment process to help critical infrastructure service providers determine the risk of cloud deployment
4. Cloud infrastructure metrics that could be used to support online risk assessment
The threat and vulnerability catalogue is being put forward as a contribution to the ETSI ISG on Network Function Virtualisation (NFV)
Cloud Assurance Approaches

Cloud Assurance Framework
(Figure labels: Assurance Level 1-7, Monitoring, Artifacts)

Aspects of Assurance

Research questions / challenges
- How to assure that security properties are met across distinct cloud layers with different stakeholders? Levels of abstraction (the SECCRIT architecture)
- How to derive a continuous assessment of security properties across the cloud architecture?
- How can security be assessed, measured or scaled with respect to a certain predefined set of security properties (assurance levels)?
- How to aggregate/inherit security across different stakeholders in the Cloud?
R. Bless, Flittner, M., Horneber, J., Hutchison, D., Jung, C., Pallas, F., Schöller, M., Shirazi, S. Noor ul Ha, Simpson, S., and Smith, P., Whitepaper "AF 1.0" SECCRIT Architectural Framework. 2014. (and IEEE CloudCom)

Security properties: related work
- Security-aware SLA specification language and cloud security dependency model
- Certification models
- Core certification mechanisms
- Methodologies for Risk Assessment and Management
- The Notorious Nine: Cloud Computing Top Threats in 2013
Identified categories/properties

ID | Security property | Category | Vulnerability | Threats | Dependencies
SP_1 | User Authentication and Identity assurance level | Identity Assurance | Loss of human-operated control point to verify security and privacy settings; insufficient authentication security, e.g., weak authentication mechanisms, on the cloud management interface | Data Breaches, Data Loss, Shared Technology Vulnerabilities, Account or Service Traffic Hijacking, Insecure Interfaces and APIs, Malicious Insiders | None
SP_2 | Data deletion quality level | Data Disposal | Data recovery vulnerabilities, e.g., unauthorised access to data in memory or on disk from previous users | Data Breaches, Account or Service Traffic Hijacking, Insecure Interfaces and APIs, Malicious Insiders, Insufficient Due Diligence | None
SP_3 | Storage Freshness | Durability | Data recovery vulnerabilities, e.g., unauthorised access to data in memory or on disk from previous users | Data Breaches, Account or Service Traffic Hijacking, Insecure Interfaces and APIs, Malicious Insiders, Insufficient Due Diligence | None
SP_4 | Data alteration prevention / detection | Integrity | Poor/no integrity checks of the billing information | Data Breaches, Insecure Interfaces and APIs, Insufficient Due Diligence | SP_1, SP_2, SP_3
SP_5 | Storage Retrievability | Durability | Poor/no backup & restore strategy in place to prevent the loss of billing information, e.g., in the case of a system failure | Data Breaches, Insecure Interfaces and APIs, Insufficient Due Diligence | SP_4
SP_6 | Data leakage detection / prevention | Data Leakage | Poor/no encryption of the VM data during a wide-area migration process; unmonitored and unencrypted network traffic between VMs is possible, e.g., for VMs on the same node through the virtual network | Data Breaches, Malicious Insiders, Shared Technology Vulnerabilities, Insufficient Due Diligence | SP_5
SP_7 | Cryptographic module protection level | Key Management | Unencrypted physical storage, which underlies the virtual storage allocated to the VMs | Shared Technology Vulnerabilities, Data Breaches, Malicious Insiders | None
Assurance Assessment Framework
Abstraction levels: User Level, Application Level (Critical Infrastructure), Virtual Infrastructure Level (Tenant), Physical Infrastructure Level (Cloud Infrastructure)
Framework elements:
- Component of Evaluation (CoE)
  o Component dependencies (CD)
  o Association (AS)
- Group of Evaluation (GoE)
- Target of Evaluation (ToE)
Assurance Profile:
  o Assurance Type (AT)
  o Assurance Properties (AP)
  o Assurance Class (AC)
  o Security Objectives (SO)
  o Assessment Interval (AI)
Common Criteria Framework for Information Technology Security Evaluation, CCDB USB Working Group, 2012, part 1-3. Online available: http://www.commoncriteriaportal.org.

Initial assurance policy set
INITIAL POLICY SET (operator symbols as extracted from the slide):
(1) AL_K AC_X :! VS
(2) VS = {SPV_1, SPV_2, ..., SPV_N}
(3) SPV_i = [SP_1, SP_2, SP_3, SP_4], SP_i = {0,1}
(4) VS AL_K :! SPV_i, i
(5) SPV_i AC_X : |SPV_i| = k
(6) AC_X = {SPV_1, SPV_2, SPV_3, ..., SPV_n}
(7)
(8) ACS_AL = AC_X(SPV_i), AC_X CoE_M, i {1..N}
(9) ACS_AL(i) DAL_VS(i)
(10) AL_VS DAL_VS
(11) (DAL_VS(i) AL_VS(i)) AL(AC_X) = i, AC_X CoE_M
(12) ! AL_i Min(CAL_j), i {1..7}, j {1..N}
Reading of the policy set:
- Each assurance class is associated with at least one vector set
- A vector set is a compound of N Security Property Vectors
- A Security Property Vector is a set of K Security Properties, each associated with true or false
- Each Vector Set of a particular Assurance Level is associated with that level's Security Property Vectors
- All Security Property Vectors in a class have the same cardinality
- An Assurance Class is a compound of distinct Security Property Vectors
- An individual SPV can be found in only one Assurance Class
- The class assurance is the bitwise conjunction of the Security Property Vector bits of an individual Assurance Class
- The Assurance Class of the evaluated object directly depends on the assurance of the associated components

Service abstraction
Service/infrastructure abstraction via the General Tree Model: clustering assurance class properties to a particular assurance level

Prototype use cases analysis
GENERAL TREE MODEL ANALYSIS:
- Tree traversal: post-order method
- Level-based bit conjunction
- Vertical post-order assurance aggregation
(Figure panels (a) and (b))

Assurance calculation algorithm
Algorithm steps:
1. Bitwise conjunction of SPV[i] for each vector in an Evaluated Vectors Set
2. Reducing the potential combination set
3. Checking the remaining subset

begin procedure:
  for i = k down to 1 do
    if ( CoE C (SPV[i]) ! AL_M, M {1,2,...,7} ) {
      AL = M;
      end procedure
    } else if ( CoE SPV_i 0 ) {
      discard SPV where SPV[i] = 1;
      continue;
    } else ( CoE SPV_i 1 ) {
      discard SPV where SPV[i] = 0;
      continue;
    }
end procedure
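The policy set, the general tree model and the calculation algorithm above can be exercised end to end with the following worked example. It is an added illustration written for this page, not SECCRIT project code: the seven assurance classes, the K=4 security-property vectors and the component tree are all constructed here, and the convention that higher bits of a vector carry more weight in the class definition is an assumption of this example. It implements the bit-by-bit elimination of candidate vectors (the "for i = k down to 1" loop), the bitwise conjunction of a class (equation 8), and the post-order aggregation of a Group/Target of Evaluation from its Components of Evaluation.

```python
"""Assurance-level classification and tree aggregation (constructed example, not SECCRIT code)."""
from dataclasses import dataclass, field
from functools import reduce
from typing import Dict, List, Optional, Set, Tuple

K = 4                      # security properties per vector, as in eq. (3): [SP_1 .. SP_4]
SPV = Tuple[int, ...]      # a Security Property Vector: one 0/1 bit per property

# Constructed assurance classes AC_1 .. AC_7 (assumption of this example).  Each SPV
# appears in exactly one class (eq. 7) and the classes together cover all 2^K vectors,
# so every monitored component can be placed.  Level 7 is the strictest.
ASSURANCE_CLASSES: Dict[int, Set[SPV]] = {
    7: {(1, 1, 1, 1)},
    6: {(1, 1, 1, 0)},
    5: {(1, 1, 0, 1), (1, 1, 0, 0)},
    4: {(1, 0, 1, 1), (1, 0, 1, 0)},
    3: {(1, 0, 0, 1), (1, 0, 0, 0)},
    2: {(0, 1, 1, 1), (0, 1, 1, 0), (0, 1, 0, 1), (0, 1, 0, 0)},
    1: {(0, 0, 1, 1), (0, 0, 1, 0), (0, 0, 0, 1), (0, 0, 0, 0)},
}


def conjunction(vectors) -> SPV:
    """Bitwise AND over a collection of equal-length SPVs."""
    return reduce(lambda a, b: tuple(x & y for x, y in zip(a, b)), vectors)


def class_conjunction(level: int) -> SPV:
    """Bitwise conjunction of all SPVs of one assurance class (eq. 8)."""
    return conjunction(ASSURANCE_CLASSES[level])


def classify(coe: SPV) -> int:
    """Assurance calculation algorithm for a single Component of Evaluation.

    Scan the property bits from SP_K down to SP_1.  At each step, if every remaining
    candidate vector belongs to the same class, that class is the level.  Otherwise
    discard the candidates whose bit i disagrees with the evaluated component and continue.
    """
    candidates = [(lvl, spv) for lvl, spvs in ASSURANCE_CLASSES.items() for spv in spvs]
    for i in range(K - 1, -1, -1):
        levels = {lvl for lvl, _ in candidates}
        if len(levels) == 1:
            return levels.pop()
        candidates = [(lvl, spv) for lvl, spv in candidates if spv[i] == coe[i]]
    levels = {lvl for lvl, _ in candidates}
    if len(levels) != 1:                      # cannot happen with covering, distinct classes
        raise ValueError(f"no unique assurance class for {coe}")
    return levels.pop()


@dataclass
class Node:
    """General tree model node: a leaf is a CoE with a monitored SPV, an inner node a GoE/ToE."""
    name: str
    spv: Optional[SPV] = None
    children: List["Node"] = field(default_factory=list)


def evaluate(node: Node) -> Tuple[SPV, int]:
    """Post-order traversal with level-based bit conjunction.

    A leaf is classified from its own vector.  A group takes the bitwise AND of its
    children's vectors and is classified from that; because clearing bits never raises
    the level in the classes above, the group never exceeds its weakest component (eq. 12).
    """
    if not node.children:
        return node.spv, classify(node.spv)
    child_results = [evaluate(child) for child in node.children]
    aggregated = conjunction([spv for spv, _ in child_results])
    return aggregated, classify(aggregated)


def build_demo_toe() -> Node:
    """Constructed Target of Evaluation: two groups of monitored components."""
    return Node("ToE", children=[
        Node("GoE-A", children=[Node("coe-1", (1, 1, 1, 1)), Node("coe-2", (1, 1, 0, 1))]),
        Node("GoE-B", children=[Node("coe-3", (1, 0, 1, 1))]),
    ])


if __name__ == "__main__":
    for name, vec in (("coe-1", (1, 1, 1, 1)), ("coe-2", (1, 1, 0, 1)), ("coe-3", (1, 0, 1, 1))):
        print(name, vec, "-> AL", classify(vec))
    print("ToE", evaluate(build_demo_toe()))
```

The elimination loop only ever narrows the candidate set, so with classes that partition the vector space it terminates with exactly one class; the tree walk then shows why assurance is aggregated bottom-up: GoE-A contains a level-7 and a level-5 component and evaluates to level 5, and the ToE, whose conjunction drops a further bit, ends at level 3.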
Future work
- Building a comprehensive security property catalogue in line with the critical infrastructure requirements (demo partner feedback)
- Investigating whether the current Cloud monitoring tools are capable of conducting cross-layer monitoring or supporting the assurance approach
- Demonstrating the approach by applying it to a general demo scenario, in line with both of our demo scenarios, on OpenStack

Conclusion
- Customizable framework for analyzing a predefined set of security properties across the cloud stack
- User- and provider-centric
- Advanced and transparent monitoring model across the cloud stack
- Autonomic and cumulative analysis of the cloud infrastructure
- Technology-independent assessment framework
- Integration of existing work of the SECCRIT project, e.g. monitoring, root cause and forensic analysis tools, legal requirements, vulnerability catalogue

Any Questions?

SEcure Cloud computing for CRitical Infrastructure IT
Contact: Aleksandar Hudic, Christian Wagner, AIT Austrian Institute of Technology
aleksandar.hudic@ait.ac.at, christian.wagner@ait.ac.at
Consortium: AIT Austrian Institute of Technology; ETRA Investigación y Desarrollo; Fraunhofer Institute for Experimental Software Engineering IESE; Karlsruhe Institute of Technology; NEC Europe; Lancaster University; Mirasys; Hellenic Telecommunications Organization OTE; Ayuntamiento de Valencia; Amaris