Hierarchical Secure Information and Resource Sharing in OpenStack Community Cloud



Similar documents
Cyber Incident Response

Extending OpenStack Access Control with Domain Trust

Protect Everything: Networks, Applications and Cloud Services

Microsoft Private Cloud

Securing the Cloud through Comprehensive Identity Management Solution

Cloud Security Introduction and Overview

Red Hat CloudForms Roadmap Build & Manage an Open Hybrid Infrastructure. Xavier Lecauchois & John Hardy Product Management, Red Hat June 12, 2013

The Science, Engineering, and Business of Cyber Security

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS

HBC How to build your cloud - Steps to Extend your Datacenter

Security Compliance Auditing of Identity and Access Management in the Cloud: Application to OpenStack

HP CloudSystem Enterprise

Authorization Federation in IaaS Multi Cloud

1 What is Cloud Computing? Cloud Infrastructures OpenStack Amazon EC CAMF Cloud Application Management

Het is een kleine stap naar een hybrid cloud

MULTI-TENANT ACCESS CONTROL FOR CLOUD SERVICES

Intel IT Cloud 2013 and Beyond. Name Title Month, Day 2013

IPOP-TinCan: User-defined IP-over-P2P Virtual Private Networks

MS 20246C Monitoring and Operating a Private Cloud

CS377: Database Systems Data Security and Privacy. Li Xiong Department of Mathematics and Computer Science Emory University

A Gentle Introduction to Cloud Computing

CLOUDFORMS Open Hybrid Cloud

Cloud Security. Peter Jopling IBM UK Ltd Software Group Hursley Labs. peterjopling IBM Corporation

Accenture Cloud Enterprise Services

MANAGEMENT AND ORCHESTRATION WORKFLOW AUTOMATION FOR VBLOCK INFRASTRUCTURE PLATFORMS

NATIONAL CYBER SECURITY AWARENESS MONTH

HP Virtualization Performance Viewer

HYPER-V CLOUD DEPLOYMENT GUIDES MODULE 3: OPERATIONS

How To Install Openstack On Ubuntu (Amd64)

Role Based Access Control

Sistemi Operativi e Reti. Cloud Computing

Cloud Security: The Grand Challenge

Public Cloud Service Definition

Using SouthBound APIs to build an SDN Solution. Dan Mihai Dumitriu Midokura Feb 5 th, 2014

Security of Information Systems hosted in Clouds: SLA Definition and Enforcement in a Dynamic Environment

Cyber Security: Past, Present and Future

Deep Security. Προστατεύοντας Server Farm. Σωτήρης Δ. Σαράντος. Available Aug 30, Σύμβουλος Δικτυακών Λύσεων. Copyright 2011 Trend Micro Inc.

Software Define Storage (SDs) and its application to an Openstack Software Defined Infrastructure (SDi) implementation

Cloud Standardization, Compliance and Certification. Class 2012 event 25.rd of October 2012 Dalibor Baskovc, CEO Zavod e-oblak

How To Protect Your Cloud Computing Resources From Attack

locuz.com A comprehensive orchestration tool for setting up private and hybrid clouds

Adding value as a Cloud Broker. Nick Hyner Director Cloud Services EMEA Twitter Dell.com/Cloud


Considerations for Adopting PaaS (Platform as a Service)

VMware vcloud Director for Service Providers

ENISA What s On? ENISA as facilitator for enhanced Network and Information Security in Europe. CENTR General Assembly, Brussels October 4, 2012

D. L. Corbet & Assoc., LLC

Data Center Connector for vsphere 3.0.0

Cloud Security Who do you trust?

VMware vcloud Architecture Toolkit Public VMware vcloud Service Definition

The Cloud in Regulatory Affairs - Validation, Risk Management and Chances -

CloudCIX Bootcamp. The essential IaaS getting started guide.

IBM Spectrum Protect in the Cloud

SDN Solutions ~SDN for Carrier Data Center~ November, 2013 NEC Corporation

Cloud Security. Let s Open the Box. Abu Shohel Ahmed ahmed.shohel@ericsson.com NomadicLab, Ericsson Research

Cloud Security Who do you trust?

Security Issues in Cloud Computing

Clodoaldo Barrera Chief Technical Strategist IBM System Storage. Making a successful transition to Software Defined Storage

Management for the Mobile-Cloud Era

STeP-IN SUMMIT June 18 21, 2013 at Bangalore, INDIA. Performance Testing of an IAAS Cloud Software (A CloudStack Use Case)

Installation Guide Avi Networks Cloud Application Delivery Platform Integration with Cisco Application Policy Infrastructure

VIRTUALIZED SERVICES PLATFORM Software Defined Networking for enterprises and service providers

GAO. INFORMATION SECURITY Governmentwide Guidance Needed to Assist Agencies in Implementing Cloud Computing

Kerberos-Based Authentication for OpenStack Cloud Infrastructure as a Service

Netzwerkvirtualisierung? Aber mit Sicherheit!

IT Service Management with System Center Service Manager

HPE Software SAP Automation

Security Management of Cloud-Native Applications. Presented By: Rohit Sharma MSc in Dependable Software Systems (DESEM)

An Oracle White Paper June Security and the Oracle Database Cloud Service

Building Storage as a Service with OpenStack. Greg Elkinbard Senior Technical Director

WildFire Reporting. WildFire Administrator s Guide 55. Copyright Palo Alto Networks

The Art of Virtualization with Free Software

Implementing Multi-Tenanted Storage for Service Providers with Cloudian HyperStore. The Challenge SOLUTION GUIDE

EMC ViPR Software Defined Storage

Transcription:

Hierarchical Secure Information and Resource Sharing in OpenStack Community Cloud Cyber Incident Response An Model for Information and Resource Sharing Amy(Yun) Zhang, Farhan Patwa, Ravi Sandhu, Bo Tang Institute for Cyber Security University of Texas at San Antonio Aug 15, 2015 Presented by: Amy(Yun) Zhang

Community Cloud Community cloud provides services for exclusive use by a specific community, which contains organizations with shared concern, such as mission, security requirements, business models, etc. A community of financial organizations OpenStack 2

Cyber Collaboration Initiatives Cyber attacks are becoming increasingly sophisticated. Hard to defend by a single organization on its own. Collaborate to enhance situational awareness Share cyber information in community Malicious activities Technologies, tools, procedures, analytics. 3 Ref: www.huffingtonpost.co.uk/2013/04/23/uk-governmentfaces-1000-cyber-attacks-a-day_n_3138164.html

Traditional Cyber Collaboration Traditional collaboration Subscription services Limitations Organizations Sharing information through subscription. Organizations are not actively participating in analyzing and processing the cyber information they submit. Organizations don't directly interact with each other on sharing activities. 4

Cyber Collaboration in Community Cloud Cloud platform (community) Cyber Security Committee. Organizations routinely collect cyber information. Cross organization cyber collaborations. 5

Community Cyber Incident Response Governance Incident Response Group Cyber Security Committee Organization Security Specialists External Experts Conditional Membership Shared Information 6

Assumptions and Scope In a community cloud platform OpenStack Sharing amongst a set of organizations Sensitive cyber information, infrastructure, tools, analytics, etc. May share malicious or infected code/systems (e.g. virus, worms, etc.) Focus on access control model 7

OpenStack Dominant open-source cloud IaaS software OpenStack software controls large pools of compute, storage, and networking resources throughout a datacenter, managed through a dashboard or via the OpenStack API.!!!!!! Ref: http://www.openstack.org 8

OpenStack HMT HMT : Hierarchical Multitenancy D Cloud Domain 1 Domain n Project 1 Project p Project 1 Project q childproject 1 childproject k child childproject 1 child childproject l 9

OSAC Model with HMT Project Hiearachy: Role Inheritance: One-to-one relation: One-to-multiple relation: Multiple-to-multiple relation: Group (GO) Domains (D) ot_service Services (S) Group (UG) Groups (G) s (U) (UO) Group Assignment (GA) Assignment (UA) token_project Projects (P) Project (PO) Project-Role Pair (PRP) token_roles Roles (R) Permission Assignment (PA) PRMS Object Types (OT) Operations (OP) user_token Tokens (T) 10

OSAC-HMT-SID Model 11 s (U) Project-Role Pair (PRP) Security Projects (SP) Roles (R) Project-Role Pair (PRP) Projects (P) Roles (R) (UO) Assignment (UA) Assignment (UA) Self Subscription (USS) Assignment (UA) SIP (SIPO) Secure Isolated Domain (SID) Project-Role Pair (PRP) Expert (EUO) Open Project (OPO) Security Project (SPO) Project-Role Pair (PRP) Secure Isolated Projects (SIP) Roles (R) Open Project (OP) Roles (R) Domains (D) Cyber Collaboration Routine Cyber Information Process Expert s Project (PO) Assignment (UA) Cyber Security Forum Project-Role Pair (PRP) Core Project (CP) Roles (R) Cyber Security Committee Core Project (CPO) Assignment (UA) SIP association (assoc)

OSAC-HMT-SID Administration Relation and Resources Cloud admin Domain admin SID admin (Cloud admin) Project admin Security Project admin Core Project admin SIP admin Community Cloud Domains SID Projects Secure Projects Core Project Open Project child Projects child Secure Projects SIPs child SIPs 12

OSAC-SID Administrative Model SipCreate(uSet, sip) /* A subset of Core Project/domain admin users together create a sip */ SipDelete(uSet, sip) /* The same subset of Core Project/domain admin users together delete a sip*/ Add(adminuser, r, u, sp, p) /* CP/Sip admin can add a user from his home domain Security Project to CP/sip*/ Remove(adminuser, r, u, sp, p) /* CP/Sip admin can remove a user from the Core Project/sip */ OpenSubscribe(u, member, OP) /* s subscribe to Open Project */ OpenUnsubscribe(u, member, OP) /* s unsubcsribe from Open Project */ CopyObject(u, so1, sp, so2, p) /* Copy object from Security Project to Core Project/SIP */ ExportObject(adminuser, so1, p, so2, sp) /* Export object from Core Project/SIP to Security Project */ ExpertCreate(coreadmin, eu) /* Core Project admin users can create an expert user */ ExpertDelete(coreadmin, eu) /* Core Project admin users can delete an expert user */ ExpertList(adminuser) /* Admin users of Core Project and SIPs can list expert users */ ExpertAdd(adminuser, r, eu, proj) /* Core Project/sip admin can add an expert user to Core Project/sip*/ ExpertRemove(adminuser, r, eu, proj) /* Core Project/sip admin can remove an expert user from Core Project/sip */ 13

Enforcement Set up the cloud Assign an admin user as Community Cloud:Cloud Admin Domains:Domain Admin Assign domain admins as SID:Cloud Admin Assign domain admins as Security Project: Admin/member Assign users from domains as Core Project: Admin Admin user assign users to SP as member Open Project: member Assign users from home domain as Assign expert users as Core Project: member 14

Enforcement SID: Cloud Admin Assign domain admins as Create SIP/child SIP/, assign domain admins as Core Project: Admin Assign users from home domain as Assign expert users as Core Project: member SIP: Admin Assign users from home domain as Assign expert users as child SIP: Admin SIP: member Assign users from home domain as Assign expert users as child SIP s child SIP: Admin child SIP: member Assign users from home domain as Assign expert users as child SIP s child SIP: member 15

Conclusion and future work Suggested OSAC-HMT-SID model to OpenStack Cyber collaboration across organizations cyber incident response Self-service Cyber Security Committee. Share data, tools, vms, etc. Potential blueprint for official OpenStack adoption Future work Explore other model options. Explore local roles in the model. Explore models in other dominant cloud platforms. 16

Thanks! 17

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information