Adaptive Model-based Cloud Computing Security Management. Mohamed Almorsy. Supervisors: Prof. John Grundy, Prof. Jun Han. 25 May 2012. Center for Computing and Engineering Software Systems, Swinburne University of Technology.

Adaptive Model-based Cloud Computing Security Management

  • Upload
    dorcas

  • View
    48

  • Download
    0

Embed Size (px)

DESCRIPTION

Center for Computing and Engineering Software Systems Swinburne University of Technology. Adaptive Model-based Cloud Computing Security Management. 25 May 2012. Mohamed Almorsy Supervisors Prof. John Grundy Prof. Jun Han. Agenda. Cloud Computing Security. Research Gaps. - PowerPoint PPT Presentation

Citation preview

Page 1: Adaptive Model-based Cloud Computing Security Management

Adaptive Model-based Cloud Computing Security Management

Mohamed Almorsy

Supervisors: Prof. John Grundy, Prof. Jun Han

25 May 2012

Center for Computing and Engineering Software Systems, Swinburne University of Technology

Page 2: Adaptive Model-based Cloud Computing Security Management

Agenda

Cloud Computing Security

Research Gaps

Adaptive Cloud Security Management

Page 3: Adaptive Model-based Cloud Computing Security Management

Motivating Scenario

[Use case diagram] SWINSOFT's Galactic service with the use cases Get Currency-Now, Build Workflow and Batch processing, linked by <<include>> relationships; the cloud platforms GREEN CLOUD and BLUE CLOUD.

Stakeholders in the scenario:
  CPs (cloud providers): GREEN CLOUD, BLUE CLOUD
  SPs (service providers): SWINSOFT, GREEN CLOUD, BLUE CLOUD
  CCs (cloud consumers): Swinburne University, Auckland University

Page 4: Adaptive Model-based Cloud Computing Security Management

Why is Security Different in Cloud Computing?

Cloud Computing Model:
  Cloud Characteristics: resource virtualization, multi-tenancy, elasticity
  Long Dependency Stack: hypervisor, VMs, platforms, apps
  Service Delivery Models: IaaS, PaaS, SaaS
  Different Possible Deployments: public, private, hybrid
  Different Stakeholders: CPs, SPs, CCs

Page 5: Adaptive Model-based Cloud Computing Security Management

http://blogs.technet.com/b/yungchou/archive/2010/11/15/cloud-computing-primer-for-it-pros.aspx

Page 6: Adaptive Model-based Cloud Computing Security Management

New Cloud Security Problems

Loss-of-Control, Lack-of-Trust, Security Isolation, Security Federation, ...

Why:
  • Tenants have no control over their outsourced assets.
  • CPs do not know the business value of the services they host.
  • Services are developed with built-in security functions.
  • Services are developed with security seen from the service provider's perspective.

Page 8: Adaptive Model-based Cloud Computing Security Management

Research Problem

⦾ The cloud computing model lacks a strong security management framework that can handle:
  ⦾ Loss-of-control and lack-of-trust.
  ⦾ Multi-tenancy.
  ⦾ Different stakeholders.
  ⦾ Constantly changing security.
  ⦾ A huge number of services and security solutions.

Required properties of such a framework:

CCs involved in securing their assets

Tenant-oriented security

Collaboration-based

Adaptive security

Standard security interface

Page 9: Adaptive Model-based Cloud Computing Security Management

Current Trends: NIST, CSA

Page 10: Adaptive Model-based Cloud Computing Security Management

Current Trends: FedRAMP (NIST, CSA)

⦾ A cloud provider claims a supported security level.
⦾ A certifying authority audits the claimed level.
⦾ A cloud consumer specifies the expected security level.
⦾ The certifying authority matches the consumer's requirements against the provider's capabilities and assures the match.

Limitations
× Security customization is limited.
× Security adaptation is not possible.
× The cloud provider is assumed to be the service provider.
× Limits the ROI of cloud platforms.

Page 11: Adaptive Model-based Cloud Computing Security Management

Current Trends: CSA Security Registry (NIST, CSA)

⦾ CSA focuses on assessing a cloud provider's security level.
⦾ Lists the security controls to be provided by a cloud provider.
⦾ A checklist guides consumers in assessing a cloud platform's security.

Limitations
× Assessment and awareness do not mean real security.
× Neither loss-of-control nor lack-of-trust is mitigated.

Page 12: Adaptive Model-based Cloud Computing Security Management

Research Objective

⦾ To extend the cloud model with an abstract, dynamic, and multi-tenant security management framework.

[Figure: CC Security Management Process, one per cloud consumer]

Page 13: Adaptive Model-based Cloud Computing Security Management

Information Security Management Systems

ISMSs (including NIST-FISMA and ISO27000) provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the protection of information assets.

Page 14: Adaptive Model-based Cloud Computing Security Management

Rethinking Security Management under the Cloud Computing Model

Security Management Process

Defining Security

Enforcing Security

Monitoring Security

CCs involved in securing their assets

tenant-oriented security

collaboration-based

adaptive security

standard security interface

Page 15: Adaptive Model-based Cloud Computing Security Management

Research Gaps

Area | Existing Efforts | Limitations
Security Management | Security management standards: NIST, ISO27000. Security management frameworks: policy-based, model-based, ontology-based, ... | No multi-tenancy support. Security integration within the IT system is limited.
Defining Security | Vulnerability and threat analysis tools: OCTAVE, CORAS, Chinchani et al., Sheyner et al., ... | Documentation only. Specific vulnerability type. No online support.
Enforcing Security | Design-time security engineering: UMLSec, SecureUML, KAOS, ... Multi-tenant security engineering: Hong Cai, Menzel et al., Pervez et al., ... | Design time. Require design-time preparation. Service-oriented security.
Monitoring Security | Security monitoring frameworks: NIST, Chandra et al., Bayuk et al., ... | Measurements are collected manually. Efficiency and effectiveness of security solutions not addressed. Security trends and proactive actions not addressed.

Page 16: Adaptive Model-based Cloud Computing Security Management

General Approach

[Figure: Model-based Security Management for the Cloud Computing Model] Stakeholders (security engineers, the cloud provider and the service provider) build a Cloud Platform Model, a Service Model and a Security Model. These are combined into a Secure System Model and a Security Management Plan, which are enforced on the cloud platform, the cloud services and the security controls; feedback from the running system flows back into the models.

Page 17: Adaptive Model-based Cloud Computing Security Management

General Framework

Management Component: Service & Platform Modeller, Tenant Security Modeller
Analysis Component: Measurements Analyzer, Threat and Vulnerability Analyzer
Enforcement Component: Service-Security Integrator
Monitoring Component: Security Probes Generator, Measurements Collector
Security Services (S1, S2, ..., Sn), reached through a standard Security Interface

Page 18: Adaptive Model-based Cloud Computing Security Management

Rethinking Security Management under the Cloud Computing Model

Security Management Process

Defining Security

Enforcing Security

Monitoring Security

Page 19: Adaptive Model-based Cloud Computing Security Management

Collaboration-based Cloud Computing Security Management Framework

⦾ Aligning the FISMA security management standard with the cloud model.
⦾ Improving the collaboration among cloud stakeholders.

Phase | Responsible stakeholder(s)
Security categorization | CCs
Security controls selection | All
Controls implementation | All
Security assessment | CCs & CPs
Service authorization | CCs
Security monitoring | All

Adopted security standards: CPE, CVE/CWE, CCE

Page 20: Adaptive Model-based Cloud Computing Security Management

Aligning NIST to the Cloud Model

Phase | Task | Responsibility (CP / SP / CC) | Input | Output
Security categorization | Categorize security impact (SC) | Informed / Informed / Responsible | Business objectives | Security impact level
Security controls selection | Register security controls | Responsible / Responsible / Responsible | Control datasheet | Security controls registry
Security controls selection | Generate security controls baseline | Responsible (automated by the framework) | Service SC + controls registry | Controls baseline + matching status
Security controls selection | Assess service risks | Responsible (partially automated) | Service + platform architecture + CVE + CWE | Service vulnerabilities + threats + risks
Security controls selection | Tailor security baseline | Responsible (planned to be automated) | Security controls baseline + risk assessment | Security management plan (SLA)
Controls implementation | Implement security controls | Responsible (planned to be automated) | Security management plan | Updated security plan

Page 21: Adaptive Model-based Cloud Computing Security Management

Aligning NIST to the Cloud Model (cont'd)

Phase | Task | Responsibility (CP / SP / CC) | Input | Output
Security assessment | Define security metrics | Responsible / Informed / Responsible | Security objective | Security assessment plan
Security assessment | Assess security status | Responsible (automated by the framework) | Security assessment plan | Assessment report
Service authorization | Authorize service | Informed / Informed / Responsible | Security plan + assessment report | Service authorization document
Security monitoring | Monitor security status | Responsible (automated by the framework) | Security assessment plan | Security status report
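The "Categorize security impact", "Register security controls" and "Generate security controls baseline" tasks in the two tables above, worked through as an added Python example; this is not code from the framework or the slides. The categorization uses the FIPS 199 high-water mark over the tenant's security objectives. The control identifiers follow NIST SP 800-53 naming, but the minimum impact levels, the registry contents, the implemented set and the two tenants' objective values are assumptions chosen for illustration.

```python
"""Security categorization and controls-baseline generation (added example)."""
from dataclasses import dataclass

# FIPS 199 impact levels, ordered; the service category is the high-water mark.
LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}


def categorize(objectives):
    """Security categorization: the highest impact level assigned by the
    tenant to any security objective (confidentiality, integrity, availability)."""
    unknown = set(objectives.values()) - set(LEVELS)
    if unknown:
        raise ValueError(f"unknown impact level(s): {sorted(unknown)}")
    return max(objectives.values(), key=LEVELS.__getitem__)


@dataclass(frozen=True)
class Control:
    control_id: str    # SP 800-53 style identifier (assumed mapping)
    family: str
    min_level: str     # lowest category at which the control enters the baseline
    provider: str      # stakeholder that registered it: CP, SP or CC


# Constructed security-controls registry, as registered by the CP, SP and CC.
# Minimum levels roughly follow the SP 800-53 rev 4 baselines but are assumed.
REGISTRY = [
    Control("AC-2", "Access Control", "LOW", "SP"),
    Control("IA-2", "Identification and Authentication", "LOW", "CP"),
    Control("AU-2", "Audit and Accountability", "LOW", "CP"),
    Control("AC-6", "Access Control", "MODERATE", "SP"),
    Control("SC-8", "System and Communications Protection", "MODERATE", "CP"),
    Control("SI-10", "System and Information Integrity", "MODERATE", "SP"),
    Control("AU-10", "Audit and Accountability", "HIGH", "CC"),
]


def generate_baseline(service_category, registry=REGISTRY):
    """Controls baseline: every registered control whose minimum level is at
    or below the service's security category."""
    return [c for c in registry if LEVELS[c.min_level] <= LEVELS[service_category]]


def matching_status(baseline, implemented_ids):
    """Matching status of each baseline control against the controls the
    providers actually implement (the 'controls baseline + matching status')."""
    return {c.control_id: ("matched" if c.control_id in implemented_ids else "gap")
            for c in baseline}


def plan_for_tenant(objectives, implemented_ids, registry=REGISTRY):
    """End to end for one tenant: category -> baseline -> matching status."""
    category = categorize(objectives)
    baseline = generate_baseline(category, registry)
    status = matching_status(baseline, implemented_ids)
    return {"category": category,
            "baseline": [c.control_id for c in baseline],
            "gaps": sorted(k for k, v in status.items() if v == "gap")}


if __name__ == "__main__":
    # Two tenants of the same service with different categorizations
    # (constructed; compare the prototype snapshot of two categorizations).
    implemented = {"AC-2", "IA-2", "AU-2", "SC-8"}
    print(plan_for_tenant({"confidentiality": "HIGH", "integrity": "MODERATE",
                           "availability": "LOW"}, implemented))
    print(plan_for_tenant({"confidentiality": "LOW", "integrity": "LOW",
                           "availability": "LOW"}, implemented))
```

The same registry yields a different baseline and a different gap list per tenant, which is the multi-tenant point of the framework: the tenant's categorization, not the provider's, decides which registered controls must be present.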

Page 22: Adaptive Model-based Cloud Computing Security Management

Adopted Security Standards

Standard | Description | Format | Example
CPE | A structured naming scheme for IT systems, including hardware, operating systems and applications. | cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language} | cpe:/a:SWINSOFT:Galactic:1.0:update1:pro:en-us
CVE | A dictionary of publicly known vulnerabilities, each with references to the set of vulnerable products. | CVE-Year-SerialNumber | CVE-2010-0249
CWE | A catalogue of community-recognized software weaknesses. | CWE-SerialNumber | CWE-441
CAPEC | A catalogue of common attack patterns. | CAPEC-SerialNumber | CAPEC-113
CCE | A structured naming of systems' configuration statements. | CCE-SerialNumber-CheckDigit (the final digit is a Luhn check digit, not a software identifier) | CCE-17743-6
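A parser and validator for the identifiers in the table above, as an added Python example (not code from the slides or the prototype). The CPE parser follows the CPE 2.2 URI binding shown in the table (trailing components may be omitted, values are percent-encoded and compared case-insensitively); CVE, CWE and CAPEC use the listed syntaxes, with the CVE serial allowed to exceed four digits as permitted since the 2014 syntax change; the CCE check digit is verified with the Luhn mod-10 algorithm, which is what makes CCE-17743-6 valid and CCE-17743-5 invalid.

```python
"""Parsing and validating CPE, CVE, CWE, CAPEC and CCE identifiers (added example)."""
import re
from urllib.parse import unquote

CPE22_FIELDS = ("vendor", "product", "version", "update", "edition", "language")
CPE22_PARTS = {"a": "application", "h": "hardware", "o": "operating_system"}
CPE22_RE = re.compile(r"^cpe:/([aho])((?::[^:]*){0,6})$")
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")     # 4+ digit serial since 2014
CWE_RE = re.compile(r"^CWE-(\d+)$")
CAPEC_RE = re.compile(r"^CAPEC-(\d+)$")
CCE_RE = re.compile(r"^CCE-(\d{5})-(\d)$")          # 5-digit serial + check digit


def parse_cpe22(uri):
    """Split a CPE 2.2 URI into named components. Omitted trailing components
    mean ANY ('*'); values are percent-decoded and lower-cased because CPE
    matching is case-insensitive."""
    m = CPE22_RE.match(uri.strip())
    if not m:
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    parts = {"part": CPE22_PARTS[m.group(1)]}
    values = m.group(2).split(":")[1:] if m.group(2) else []
    values += [""] * (len(CPE22_FIELDS) - len(values))
    for name, value in zip(CPE22_FIELDS, values):
        parts[name] = unquote(value).lower() or "*"
    return parts


def luhn_valid(digits):
    """Luhn mod-10 check over a digit string whose last digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def cce_check_digit(serial):
    """Compute the check digit for a 5-digit CCE serial number."""
    return next(d for d in range(10) if luhn_valid(f"{serial}{d}"))


def classify(identifier):
    """Return (standard, parsed fields) for an identifier, or raise ValueError."""
    s = identifier.strip()
    if s.startswith("cpe:/"):
        return "CPE", parse_cpe22(s)
    for name, rx in (("CVE", CVE_RE), ("CWE", CWE_RE), ("CAPEC", CAPEC_RE)):
        m = rx.match(s)
        if m:
            return name, {"id": s, "serial": int(m.groups()[-1])}
    m = CCE_RE.match(s)
    if m:
        serial, check = m.groups()
        if not luhn_valid(serial + check):
            raise ValueError(f"bad CCE check digit: {s}")
        return "CCE", {"id": s, "serial": int(serial)}
    raise ValueError(f"unrecognised identifier: {identifier!r}")


if __name__ == "__main__":
    for ident in ("cpe:/a:SWINSOFT:Galactic:1.0:update1:pro:en-us", "CVE-2010-0249",
                  "CWE-441", "CAPEC-113", "CCE-17743-6"):
        print(classify(ident))
```

Rejecting a malformed identifier at the point where a stakeholder registers a control datasheet or a service model is cheap, and it stops a mistyped CCE or CVE from silently matching nothing when the framework later pulls threats from the NVD.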

Page 23: Adaptive Model-based Cloud Computing Security Management

Collaboration-based Cloud Computing Security Management Framework

[Figure: layered architecture]
Management Layer: Security Categorization, Risk Assessment, Security Controls Manager, Security Metrics Manager; produces the Multi-Tenant Security Plan and the Multi-Tenant Status Report.
Enforcement Layer: Planning, Implementation.
Feedback Layer: Monitoring, Analysis.
Cloud Platform: Security Controls and their Controls Logs.
Security Management Repository: configurations, measurements, security requirements, security status.

Page 24: Adaptive Model-based Cloud Computing Security Management

Prototype Snapshots

A cloud consumer registering for one of the GREEN CLOUD registered services

Two different service security categorizations for two different customers

A snapshot of a security control registration

A snapshot of a given service threats retrieved from the NVD

A snapshot of the security controls base satisfaction status

A snapshot of the security SLA between GREEN CLOUD, SWINSOFT and Swinburne

A sample of Swinburne security status report

Page 25: Adaptive Model-based Cloud Computing Security Management

Limitations

o Security monitoring depends on the security controls' log files ("lagging metrics").
o Service-oriented security.
o Integrating security controls within target services is done manually.

Page 26: Adaptive Model-based Cloud Computing Security Management

Security Management: Security Objectives, Security Threats/Risks, Security Controls, Security Monitoring
Security Engineering: Security Requirements, Security Architecture, Security Design, Security Enforcement

o Tenants come and go at runtime.
o Tenants' security requirements change at runtime.
o Services shouldn't go down for customization or maintenance.
o Discovered vulnerabilities cannot wait too long for patches.

Page 27: Adaptive Model-based Cloud Computing Security Management

Adaptive (Multi-tenant) Model-driven Security (Re)Engineering at Runtime Component

SMART: Security Reengineering
MDSE@R: Security Engineering @ runtime
TOSSMA: Multi-tenant Security Engineering @ runtime

Page 28: Adaptive Model-based Cloud Computing Security Management

MDSE@R: Model-driven Security Engineering @ Runtime

[Figure] The system engineer develops the System Description Models and the security engineer develops the Security Specification Models (steps 1 to 3). From these the framework generates the Live System Interceptors Document and the Live Security Specification Document, which drive the Security Enforcement Point inside the System Container, backed by the System Security Services and security testing (steps 4 to 10).

Page 29: Adaptive Model-based Cloud Computing Security Management

Galactic ERP System Description Model (SDM)

Security extension profile used by the SDM (excerpt):

    <profile name="SecExtensionProfile" displayName="Security Extensions Profile" ...>
      <stereotypes>
        <stereotype name="SecurityConcepts" displayName="Security Concepts">
          ...
          <property name="SecurityObjectives" displayName="Security Objectives" />
          <property name="SecurityRequirements" displayName="Security Requirements" />
          <property name="SecurityControls" displayName="Security Controls" />
          ...
        </stereotype>
        <stereotype name="ArchitectureConcept" displayName="Architecture Concept">
          ...
          <property name="DeploymentPath" displayName="Deployment Path" />
          <property name="ConfigurationFile" displayName="Configuration File" />
          <property name="RelatedFeatures" displayName="Related Features" />
          ...
        </stereotype>
        <stereotype name="ClassDiagramConcept" displayName="Class Diagram Concept">
          <property name="IsSecurityClassFn" displayName="IsSecurityClassOrFn" />
          <property name="ParentComponent" displayName="Parent Component" />
        </stereotype>
      </stereotypes>
    </profile>

Page 30: Adaptive Model-based Cloud Computing Security Management

UML Profile

<<StereoType>> SecurityConcept (extends the metaclasses Operation, Class, Connection, Component, UseCase)
  SecurityObjectives: string
  SecurityRequirements: string
  SecurityControls: string

<<StereoType>> ClassComponent (extends the metaclass Class)
  ParentComponent: string

<<StereoType>> ArchitectureComponent (extends the metaclass Component)
  ParentFeature: string
  DeploymentPath: string
  ConfigurationFile: string

Page 31: Adaptive Model-based Cloud Computing Security Management

Swinburne Security Specification Model (SSM)

[Figure] A Security Management Zone containing the <<Security Service>> elements Antivirus, Host-Based IDS, Authentication Service and Access Control Service, alongside the Galactic deployment (Load Balancer, two Application Servers, DB Server).

Galactic security requirements: Authenticate User, Max Password Lifetime, Max Unsuccessful Login Attempts, Min Password Length.

Security objectives: System Availability = High, Data Integrity = Medium, Confidentiality = High, Accountability = Low; TenantsDataIsolation.

Security controls referenced by the model: SecurityIsolator, SwinAntivirus, SwinValidator, ESAPI-AccessController.

Annotated system elements, each carrying SecurityObjectives, SecurityRequirements and SecurityControls: <<Component>> Presentation Layer (Confidentiality, Integrity; Authenticate User), <<Component>> Business-Logic Layer (Confidentiality, Integrity), <<WebPage>> EmployeeASPX, <<WebService>> CurrencyNow, <<WebService>> BatchProcessing.

Page 32: Adaptive Model-based Cloud Computing Security Management

SecDSVL Metamodel

Security Zone: ZoneName: string; ZoneType: enum; Strategy: enum; Firewall: bool; IDS: bool
Security Requirement: Name: string; SecurityArea: enum; RequirementDescription: string (Reference 0..* zones; Realized By 1..* security services)
Security Service: ServiceName: string; SecurityMechanism: enum; SecurityStandard: enum
Security Control: Name: string; Provider: string; ControlFamily: enum; DeploymentPath: string (Realized By a security service)
Security Threat: ID: string; Source: string; Target: string; Objective: string[]; Vulnerabilities: string[]
Security Vulnerability: ID: string; Category: enum; Description: string; Prerequisites: string[]; Consequences: string[] (Asset Vulnerabilities)
Security Attack: ID: string; Description: string; Agent: string; Sequence: string[]; Consequences: string[]
Threat Agent: Name: string; AgentType: enum; ObjectiveCategory: string; Strategy: enum
Asset: Name: string; Importance: enum; Provider: string; DeploymentPath: enum (0..* Parent Asset)
Security Objective: Name: string; Importance: enum; ObjectiveCategory: string; Strategy: enum (0..* Dependent Objective; 1..* Security Objectives per asset)
Security Risk: Name: string; Description: string; Impact: enum; Likelihood: integer

Page 33: Adaptive Model-based Cloud Computing Security Management

Security call handler (C#, Unity interception; the elided parts are as on the slide):

    public IMethodReturn Invoke(IMethodInvocation input, GetNextHandlerDelegate getNext)
    {
        // Look up the security attributes the live specification assigns to this member.
        EntitySecurity entity = LoadMethodSecurityAttributes(...);
        if (entity == null || entity.HasSecurityRequirements() == false)
        {
            // Nothing specified for this member: pass the call straight through.
            return getNext().Invoke(input, getNext);
        }

        // Logging before the call.
        this.source.TraceInformation("Invoking {0}", input.Arguments[0].ToString());

        // Check for authentication.
        if (entity.GetAuthenticationMethod() != AuthenticationMethod.None)
        {
            . . .
        }

        // Check for authorization.
        if (entity.GetAuthorizationMethod() != AuthorizationMethod.None)
        {
            . . .
        }
        . . .
    }

Live security specification document (excerpt):

    . . .
    <systemlevel>
      <Entitylevel>1</Entitylevel>
      . . .
      <componentlevel>
        <objectname>. . .
        <classlevel>
          <objectname>. . .
          <methodlevel>
            . . .
            <ObjectName>GetCustomers</ObjectName>
            <Authentication_Method>Forms</Authentication_Method>
            <Authorization_Method>RBAC_Impersonate</Authorization_Method>
            . . .

Live system interceptors document (Unity interception configuration, excerpt):

    . . .
    <extension type="Interception" />
    <register type="PresentationLayer.CustomerBLL, PresentationLayer">
      . . .
      <interception>
        <policy name="PolicyCustomersBLL">
          <matchingRule name="MatchingRuleCustomersBLL" type="MemberNameMatchingRule">
            <constructor>
              <param name="nameToMatch" value="GetCustomers" />
              <param name="nameToMatch" value="GetCustomerByName" />
              . . .
          <callHandler name="callhandlerCustBLL" type="SecurityKernel.SecurityCallHandler, SecurityKernel">
          . . .

Live system interceptors [1] and security specification [2] documents
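The mechanism on this slide, worked as an added Python example rather than the prototype's own SecurityKernel: method-level authentication and authorization are read from a live security specification document and applied by an interceptor, so the business class carries no security code and the policy can be reloaded while the object stays in service. The XML element names mirror the slide's <methodlevel> entries; the <Roles> element, the RBAC semantics, the CustomerBLL class and the principals are assumptions.

```python
"""Policy-driven security enforcement point with a reloadable specification (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from functools import wraps

# Constructed live security specification document (element names assumed).
SPEC_V1 = """<securityspec>
  <methodlevel>
    <entry>
      <ObjectName>CustomerBLL.GetCustomers</ObjectName>
      <Authentication_Method>Forms</Authentication_Method>
      <Authorization_Method>RBAC</Authorization_Method>
      <Roles>sales,admin</Roles>
    </entry>
    <entry>
      <ObjectName>CustomerBLL.GetCustomerByName</ObjectName>
      <Authentication_Method>Forms</Authentication_Method>
      <Authorization_Method>None</Authorization_Method>
    </entry>
  </methodlevel>
</securityspec>"""


class SecurityError(Exception):
    pass


@dataclass
class Principal:
    name: str
    roles: set = field(default_factory=set)


class SecurityKernel:
    """Parsed specification plus the current principal; reload() swaps the
    policy without touching the intercepted objects."""

    def __init__(self, spec_xml):
        self.current_principal = None
        self.reload(spec_xml)

    def reload(self, spec_xml):
        self.entities = {}
        for entry in ET.fromstring(spec_xml).iter("entry"):
            roles = entry.findtext("Roles", "")
            self.entities[entry.findtext("ObjectName", "").strip()] = {
                "authn": entry.findtext("Authentication_Method", "None").strip(),
                "authz": entry.findtext("Authorization_Method", "None").strip(),
                "roles": {r.strip() for r in roles.split(",") if r.strip()},
            }

    def check(self, object_name):
        """Enforce the entry for object_name; members with no entry are open."""
        entity = self.entities.get(object_name)
        if entity is None:
            return
        principal = self.current_principal
        if principal is None:
            if entity["authn"] != "None" or entity["authz"] != "None":
                raise SecurityError(f"{object_name}: authentication required")
            return
        if entity["authz"] == "RBAC" and not (principal.roles & entity["roles"]):
            raise SecurityError(f"{object_name}: {principal.name} lacks a required role")


class Intercepted:
    """Proxy that routes every method call through the kernel first; this is
    the role the Unity call handler plays in the slide's configuration."""

    def __init__(self, kernel, target):
        self._kernel = kernel
        self._target = target

    def __getattr__(self, attr):
        member = getattr(self._target, attr)
        if not callable(member):
            return member
        object_name = f"{type(self._target).__name__}.{attr}"

        @wraps(member)
        def handler(*args, **kwargs):
            self._kernel.check(object_name)       # authn/authz before the call
            return member(*args, **kwargs)
        return handler


class CustomerBLL:
    """Business object with no security code of its own (assumed)."""
    _customers = {"C1": "Alice Ltd", "C2": "Bob Pty"}

    def GetCustomers(self):
        return sorted(self._customers)

    def GetCustomerByName(self, name):
        return [cid for cid, n in self._customers.items() if n == name]


def run_scenario():
    """What each caller can reach under SPEC_V1, then after a runtime reload."""
    kernel = SecurityKernel(SPEC_V1)
    bll = Intercepted(kernel, CustomerBLL())
    outcomes = {}
    for label, principal in (("anon", None), ("guest", Principal("bob", {"guest"})),
                             ("sales", Principal("alice", {"sales"}))):
        kernel.current_principal = principal
        for method, args in (("GetCustomers", ()), ("GetCustomerByName", ("Alice Ltd",))):
            try:
                getattr(bll, method)(*args)
                outcomes[(label, method)] = "allowed"
            except SecurityError:
                outcomes[(label, method)] = "denied"
    # Policy change at runtime: GetCustomers no longer needs a role.
    kernel.reload(SPEC_V1.replace("<Authorization_Method>RBAC</Authorization_Method>",
                                  "<Authorization_Method>None</Authorization_Method>"))
    kernel.current_principal = Principal("bob", {"guest"})
    outcomes[("guest-after-reload", "GetCustomers")] = (
        "allowed" if bll.GetCustomers() == ["C1", "C2"] else "unexpected")
    return outcomes
```

The check runs inside the proxy, not inside CustomerBLL, so a tenant's security administrator can tighten or relax the roles by editing the specification document and calling reload(); the business object never restarts.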

Page 34: Adaptive Model-based Cloud Computing Security Management

TOSSMA: Tenant-Oriented SaaS Security Management Architecture

[Figure] The SaaS application (Component1, Component2, Component3 and their classes) is captured in a SaaS Application Description (1). The SP engineer and the tenants (Tenant-A, Tenant-B, ..., Tenant-Z) specify security requirements through the Application Security Management Console at application, component, class and method level (2, 3). System requests pass through a System Wrapper and the Security Enforcement Point, which applies the configured security controls (authentication, encryption, input validation, logging, multi-tenant security requirements) and forwards only validated requests to the application (4 to 6).

Page 35: Adaptive Model-based Cloud Computing Security Management

Adaptive (Multi-tenant) Model-driven Security (Re)Engineering at Runtime Component

[Figure: multi-tenant MDSE@R] The system engineer and the security engineer develop the System Description Models and the Security Specification Models and the mappings between them (1 to 4). Each tenant's system admin and security admin manage their own Tenant System Description Models and Tenant Security Specification Models with their mappings (5 to 8). From these the framework generates the Live Security Specification Document and the Live System Interceptors Document consumed by the Security Enforcement Point in the System Container, backed by the System Security Services (9, 10).

Page 36: Adaptive Model-based Cloud Computing Security Management

MDSE@R MT Evaluation Results

Group | Application | Authentication | Authorization | Input Sanitization | Audit | Cryptography
Group-1 | GalacticERP | F-C-S-M | F-C-S-M | F-C-S-M | F-C-S-M | F-C-S-M
Group-1 | PetShop | F-C-S-M | F-C-S-M | F-C-S-M | F-C-S-M | F-C-S-M
Group-2 | SplendidCRM | C-S-M | C-S-M | C-S-M | C-S-M | (C-S-M)*
Group-2 | KOOBOO | C-S-M | C-S-M | C-S-M | C-S-M | (C-S-M)*
Group-2 | NopCommerce | C-S-M | C-S-M | C-S-M | C-S-M | (C-S-M)*
Group-2 | BlogEngine | C-S-M | C-S-M | C-S-M | C-S-M | (C-S-M)*
Group-2 | BugTracer | C-S-M | C-S-M | C-S-M | C-S-M | (C-S-M)*
Group-2 | TinyERP | C-S-M | C-S-M | C-S-M | C-S-M | (C-S-M)*

F: security attribute can be applied at feature level. C: at component level. S: at class level. M: at method level.

Page 37: Adaptive Model-based Cloud Computing Security Management

Adaptive (Multi-tenant) Model-driven Security (Re)Engineering at Runtime Component

SMART: Security Reengineering
MDSE@R: Security Engineering @ runtime
TOSSMA: Multi-tenant Security Engineering @ runtime

Page 38: Adaptive Model-based Cloud Computing Security Management

Examples of code snippets that need to be re-engineered

To be removed (security checks and logging hard-wired into business logic):

    bool updateCustomerBalance(string custID, decimal nBalance)
    {
        if (!AuthenticateUser(username, password)) return false;
        if (!AuthorizeUser(username, "updateCustBalance")) return false;
        LogTrx(username, DateTime.Now, "updateCustomerBalance");
        Customer customer = Customers.getCustomerByID(custID);
        customer.Balance = nBalance;
        Customers.SaveChanges();
        LogTrx(username, DateTime.Now, "updateCustBalance done");
        return true;
    }

To be modified (authentication keyed off a client-side cookie):

    if (Request.Cookies["Loggedin"] != true)
    {
        if (!AuthenticateUser(Request.Params["username"], Request.Params["password"]))
            throw new Exception("Invalid user");
    }
    DoAdministration();

To be injected (checks the caller must perform before the business call):

    if (!AuthenticateUser(Request.Params["username"], Request.Params["password"]))
        throw new Exception("Invalid user");
    if (!AuthorizeUser(Thread.CurrentPrincipal,
                       (new StackFrame()).GetMethod().Name,
                       (new StackFrame()).GetMethod().GetParameters()))
        throw new Exception("User is not authorized");
    updateCustomerBalance(Request.QueryString["cID"], nBalance);

Page 39: Adaptive Model-based Cloud Computing Security Management

Re-engineering Aspects ("Re-aspects") Grammar

Re-aspect Definition ::= s:{Signature} a:{Action} d:{Advice}
Signature            ::= st:{Signature Type} se:{Signature Expression}
Signature Type       ::= code-snippet | ocl-expression
Action               ::= at:{Action Type} ac:{Action Condition}
Action Type          ::= Delete | Modify | Replace | Inject
Action Condition     ::= ocl-expression
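The grammar above applied to source text, as an added Python example (not the SMART tool). Each re-aspect carries a signature, an action, an optional condition and an advice; here the signature type is restricted to code-snippet signatures written as regular expressions, and the OCL action condition is stood in for by a Python predicate over the match. The legacy method is the first snippet on the "code snippets that need to be re-engineered" slide, re-typed; the three re-aspects, the SecurityKernel.Audit target and the [SecurityEnforced] attribute are assumptions.

```python
"""Re-aspects (signature, action, condition, advice) applied to source text (added example)."""
import re
from dataclasses import dataclass
from typing import Callable, Optional

ACTIONS = ("Delete", "Modify", "Replace", "Inject")


@dataclass
class ReAspect:
    name: str
    signature: str                          # code-snippet signature, as a regex
    action: str                             # one of ACTIONS
    advice: str = ""                        # used by Modify/Replace/Inject
    condition: Optional[Callable[..., bool]] = None   # stand-in for the OCL condition

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")


def apply_reaspects(source, aspects):
    """Apply the re-aspects in order. Returns (new_source, {name: hit count}),
    counting only matches whose condition held."""
    hits = {}
    for aspect in aspects:
        pattern = re.compile(aspect.signature, re.MULTILINE)
        count = 0

        def rewrite(m):
            nonlocal count
            if aspect.condition is not None and not aspect.condition(m):
                return m.group(0)                   # condition false: untouched
            count += 1
            if aspect.action == "Delete":
                return ""
            if aspect.action == "Inject":
                return aspect.advice + m.group(0)   # advice goes before the match
            return m.expand(aspect.advice)          # Modify/Replace may use \1 etc.

        source = pattern.sub(rewrite, source)
        hits[aspect.name] = count
    return source, hits


# Legacy method with hard-wired security calls (from the slide, re-typed).
LEGACY = """bool updateCustomerBalance(string custID, decimal nBalance) {
    if(!AuthenticateUser(username, password)) return false;
    if(!AuthorizeUser(username, "updateCustBalance")) return false;
    LogTrx(username, DateTime.Now, "updateCustomerBalance");
    Customer customer = Customers.getCustomerByID(custID);
    customer.Balance = nBalance;
    Customers.SaveChanges();
    LogTrx(username, DateTime.Now, "updateCustBalance done");
    return true;
}
"""

RE_ASPECTS = [
    # Delete the in-line authentication/authorization: the interceptor does it now.
    ReAspect("drop-inline-auth",
             r"^[ \t]*if\(!Auth\w*User\([^\n]*\)\) return false;\n", "Delete"),
    # Modify: route audit logging through the security kernel, keeping only the
    # message argument (\1) and dropping the caller-supplied user and time.
    ReAspect("redirect-logging",
             r"LogTrx\(username, DateTime\.Now, (\"[^\"]*\")\);", "Modify",
             r"SecurityKernel.Audit(\1);"),
    # Inject a marker attribute on method signatures, but (condition) only on
    # methods that take a customer id.
    ReAspect("mark-enforced",
             r"^\w+ \w+\(([^\n]*)\) \{$", "Inject", "[SecurityEnforced]\n",
             condition=lambda m: "custID" in m.group(1)),
]


def reengineer(source=LEGACY, aspects=RE_ASPECTS):
    return apply_reaspects(source, aspects)


if __name__ == "__main__":
    new_source, hit_counts = reengineer()
    print(new_source)
    print(hit_counts)
```

Order matters: the Delete aspects run before the Inject one, so a signature written against the original layout still matches after earlier aspects have removed lines. The hit counts are what a re-aspects locator would report back to the engineer before the enforcer commits the change.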

Page 40: Adaptive Model-based Cloud Computing Security Management

System Security Reengineering Architecture

[Figure] The System Model (UML model, AST, reflection) and the Re-aspects Model feed the Re-aspect Engine; its Re-aspects Locator finds the matching points in the system and its Re-aspect Enforcer applies the actions (steps 1 to 5). Results are viewed through a Perspective Model covering Features, Test Cases, Security and System.

Page 41: Adaptive Model-based Cloud Computing Security Management
Page 42: Adaptive Model-based Cloud Computing Security Management


Mohamed [email protected]

http://www.ict.swin.edu.au/ictstaff/malmorsy