Security Requirement Specification Model for
Cloud Computing Services
Seconda Università di Napoli, Facoltà di Ingegneria
Supervisor (Relatore): Prof. Massimo Ficco
Candidate (Candidato): Matteo Leonetti
Student ID (Matricola): A18/064
Academic Year (Anno Accademico) 2012/2013
Contents
• Main Cloud Computing Issues
• Security Requirement Specification for Cloud
• Existing Security Specification Languages
• Why a New Model?
• Modelling Secure Interactions
• Use Case and Misuse Case
• Stereotypes
• Component and Deployment Diagram
• IDPS Rule Description
• Case Study
• Intrusion Detection Architecture for Cloud
• Suggestions for Future Work
Main Cloud Computing Issues
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure Interfaces and APIs
5. Flooding Attack and Resource Exhaustion
6. Malicious Insiders
Security Requirement Specification for Cloud
• Considering security from the early stages of the SDLC;
• Highlighting system vulnerabilities;
• Considering which security mechanisms to adopt;
• Helping to define QoS;
• Allowing Provider and Consumer to agree on an SLA.
Existing Languages
Why a New Model?
• Domain-independent framework;
• Describing both allowed and denied behaviour;
• Allowing different security mechanisms to be analysed;
• Helping Cloud Consumer and Cloud Provider to agree on an SLA;
• Providing UML Component and Deployment diagrams;
• Extending UML with stereotypes for security concepts;
• Allowing IDS and fault-tolerance replicas to be managed;
• Presenting a useful model for describing IDS rules.
Modelling Secure Interactions (1/2)
An Interaction is defined as any kind of data exchange among actors in a Cloud System.
It is described by the triple <INVOKER, PROVIDER, TARGET>, where the actor codes are:
CC = Cloud Consumer; CP = Cloud Provider; S = Service; R = Resource.

Interaction Description | Interaction Type | Interaction Modalities | Security Level
First CC's registration to CP | <CC,CP,CP> | Web Console with username and password | 1
(same) | (same) | Web Console with OTP | 2
Modelling Secure Interactions (2/2)
Each interaction modality is characterised by the triple <THREAT, SECURITY REQUIREMENT, SECURITY MECHANISM>:

Threat | Security Requirement | Security Mechanism
Packet Sniffing | Confidentiality | Routing Control
Denial Of Service | Availability | Access Monitoring
Wrapping Attack | Authenticity | Digital Signature
SQL Injection | Integrity, Confidentiality | Parameterized Queries
Man In The Middle | Non-repudiation | Digital Signature
Use Case and Misuse Case (1/2)
Use Cases model all kinds of legitimate interactions and together describe the whole application behaviour. Some issues can affect these interactions, so it is important to specify the security mechanisms needed to prevent failures.
Misuse Cases model all the malicious behaviours that can occur in the Cloud System. A Misuse Case is a sequence of actions that a Cloud Consumer should not be able to perform. Attackers can carry out a whole range of attacks against the Cloud environment independently of any Use Case; such attacks are uncorrelated with the Use Case interactions and are expressed as Misuse Cases.
Use Case and Misuse Case (2/2)
Stereotypes
Stereotype | Base class | Description
Web Service | Subsystem, Component | Service made available to users or developers on demand via the Internet by a Service Provider.
Intrusion Detection | Component | Any kind of Intrusion Detection System that monitors network or system activity for malicious behaviour or policy violations and reports to a management station. The "Mode" attribute specifies whether it is used "Standalone", as a "Probe" that only collects information, or as a "Manager" that only receives information and correlates it to take decisions. The "Type" attribute specifies the resource to monitor: "Network", "Host" or "Hybrid".
Load Balancer | Node, Component | Software that distributes processing and communication activity evenly across a virtual computer network so that no single virtual machine is overwhelmed.
Virtual Machine | Node | Resource that can be used to run applications and workloads.
Disaster Recovery | Component | Actions to minimise the negative effects of a disaster and maintain or quickly resume critical functions.
Data Loss Prevention (DLP) | Component | System designed to detect potential data breaches and prevent them by monitoring, detecting and blocking sensitive data.
Replica | Component, Node, Subsystem | Data or computation replication can be adopted to provide fault tolerance. The "Mode" attribute specifies the replication mechanism: "Active" or "Passive". The "Type" attribute distinguishes passive replicas: "Primary" or "Backup".
Component and Deployment Diagram
IDPS Rule Description (1/2)
An IDPS Rule is expressed by three basic elements:
• Attributes
• Condition
• Reaction
IDPS Rule Description (2/2)
Graphical representation of an IDS rule. The condition that makes the rule fire is composed of events and other rules combined with the OR (+) and AND (×) operators. A rule or event drawn in grey denotes its negation.
Case Study: Introduction
Case Study: Interaction Diagram
Case Study: Use Case and Misuse Case
Use Case 1: End User sends pictures to the Cloud service.
Misuse Case 1: Hacker intrudes into a Virtual Machine and steals data from the storage.
Case Study: Security Requirement Specification
Case Study: IDPS Rules Description
Case Study: Component and Deployment Diagram
IDS Architecture for Cloud Computing
Security Manager (SM): receives information from Probes or from lower-level SMs; normalizes and correlates the events according to rules; alerts the Admin or forwards the alert to a higher-level SM.
Host Probe: Host Intrusion Detection System (HIDS)
Network Probe: Network Intrusion Detection System (NIDS)
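As an added worked example (not code from the thesis or its prototype), the following Python sketches the Security Manager's correlation step over events already normalized from the Host and Network Probes, using the rule structure of the IDPS Rule Description slides: each rule is an <attributes, condition, reaction> triple, a condition is a tree of events and other rules combined with OR and AND, a node can be negated (the grey node of the graphical notation), and an event node may carry a threshold so that it fires only after n matching events. The event field names, the rule names, the attribute names and the sample event window are constructed for this example and are not the thesis's notation.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]  # one normalized probe event (e.g. an IDMEF alert flattened to a dict)

@dataclass
class Cond:
    """Condition node: op is "event", "rule", "and" or "or"."""
    op: str
    pred: Optional[Callable[[Event], bool]] = None   # "event": per-event predicate
    n: int = 1                                        # "event": fires when >= n events match
    ref: Optional[str] = None                         # "rule": name of the referenced rule
    kids: List["Cond"] = field(default_factory=list)  # "and"/"or": sub-conditions
    neg: bool = False                                 # grey node on the slides: negate the result

@dataclass
class Rule:
    name: str
    attributes: Dict[str, str]  # e.g. severity, probe type (assumed attribute names)
    condition: Cond
    reaction: str               # what the Security Manager does when the rule fires

# Small constructors so rule definitions read like the graphical notation.
def event(pred, n=1, neg=False): return Cond("event", pred=pred, n=n, neg=neg)
def rule(name, neg=False): return Cond("rule", ref=name, neg=neg)
def AND(*kids): return Cond("and", kids=list(kids))   # the "x" operator on the slides
def OR(*kids): return Cond("or", kids=list(kids))     # the "+" operator on the slides

def evaluate(cond: Cond, events: List[Event], rules: Dict[str, Rule], active=()) -> bool:
    """Evaluate a condition tree over a window of events. `active` holds the chain of
    rule references being expanded so that a cyclic rule definition is rejected."""
    if cond.op == "event":
        result = sum(1 for e in events if cond.pred(e)) >= cond.n
    elif cond.op == "rule":
        if cond.ref in active:
            raise ValueError(f"cyclic rule reference: {cond.ref}")
        result = evaluate(rules[cond.ref].condition, events, rules, active + (cond.ref,))
    elif cond.op == "and":
        result = all(evaluate(k, events, rules, active) for k in cond.kids)
    elif cond.op == "or":
        result = any(evaluate(k, events, rules, active) for k in cond.kids)
    else:
        raise ValueError(f"unknown operator: {cond.op}")
    return (not result) if cond.neg else result

def correlate(events: List[Event], rules: Dict[str, Rule]) -> Dict[str, str]:
    """Security Manager step: {rule name: reaction} for every rule whose condition holds."""
    return {r.name: r.reaction for r in rules.values() if evaluate(r.condition, events, rules)}

def is_ssh(e: Event, kind: str) -> bool:  # helper for the sample rules below
    return e.get("type") == kind and e.get("svc") == "sshd"

RULES = {r.name: r for r in [
    Rule("recon", {"severity": "low", "probe": "Network"},
         OR(event(lambda e: e.get("sig") == "port-scan"),
            event(lambda e: e.get("sig") == "ssh-version-probe")),
         "log"),
    Rule("ssh-brute-force", {"severity": "medium", "probe": "Host"},
         event(lambda e: is_ssh(e, "auth_failure"), n=3),
         "alert-admin"),
    Rule("vm-compromise", {"severity": "high", "probe": "Hybrid"},
         AND(rule("ssh-brute-force"),
             event(lambda e: is_ssh(e, "auth_success")),
             # negated (grey) node: the successful login did NOT come from the management network
             event(lambda e: is_ssh(e, "auth_success") and str(e.get("src", "")).startswith("10.0."),
                   neg=True)),
         "escalate-to-higher-sm"),
]}

# Constructed sample window: one Snort alert followed by OSSEC sshd events from one VM.
def ossec(kind: str, src: str) -> Event:
    return {"probe": "ossec", "type": kind, "svc": "sshd", "host": "vm-web-1", "user": "root", "src": src}

SAMPLE_EVENTS = [
    {"probe": "snort", "sig": "port-scan", "src": "203.0.113.7", "dst": "10.0.1.5"},
    ossec("auth_failure", "203.0.113.7"),
    ossec("auth_failure", "203.0.113.7"),
    ossec("auth_failure", "203.0.113.7"),
    ossec("auth_success", "203.0.113.7"),
]

if __name__ == "__main__":
    for name, reaction in correlate(SAMPLE_EVENTS, RULES).items():
        print(f"{name}: {reaction}")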
IDS Prototype for Cloud Computing
Prelude: Security Information and Event Management (SIEM)
OSSEC: Host Intrusion Detection System (HIDS)
Snort: Network Intrusion Detection System (NIDS)
Both probes report to Prelude using IDMEF (Intrusion Detection Message Exchange Format, RFC 4765).
Security Requirement Specification Model, Briefly
• Derive all the Use Cases and Misuse Cases, splitting them into multiple interactions;
• Consider every security vulnerability of each interaction, specifying the security requirements;
• Choose the best implementation that matches Cloud Consumer needs and Cloud Provider offers;
• Make sure the Cloud Provider adopts valid countermeasures for each malicious interaction, or consider additional security solutions;
• Represent the application in the UML Cloud Component and Deployment diagram;
• Add the required security components to the diagram;
• If required, design new IDPS rules to detect and prevent the attacks described;
• If required, specify the replica type for a fault-tolerance solution.
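The interaction model of the "Modelling Secure Interactions" slides and the SLA-agreement step of the procedure above, as an added worked example in Python (not the thesis's own code): interactions carry the <INVOKER, PROVIDER, TARGET> triple and a list of modalities, each with a security level and a list of <THREAT, SECURITY REQUIREMENT, SECURITY MECHANISM> triples. Two checks support the agreement: for each interaction, pick the least demanding modality that still reaches the level the consumer requires, and report any modality whose threat has no mechanism chosen. The registration interaction and the threat/requirement/mechanism rows are taken from the slides; the picture-upload interaction's modalities, the actor triple assigned to it, the missing mechanism and the consumer profile are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Actor codes from the slides: the interaction triple is <INVOKER, PROVIDER, TARGET>.
ACTORS = {"CC": "Cloud Consumer", "CP": "Cloud Provider", "S": "Service", "R": "Resource"}

# <THREAT, SECURITY REQUIREMENT, SECURITY MECHANISM>; mechanism None = not yet chosen.
Countermeasure = Tuple[str, str, Optional[str]]

@dataclass(frozen=True)
class Modality:
    description: str
    level: int                                   # "Security Level" column of the slides
    countermeasures: Tuple[Countermeasure, ...] = ()

@dataclass
class Interaction:
    description: str
    invoker: str
    provider: str
    target: str
    modalities: List[Modality]

def select_modality(interaction: Interaction, required_level: int) -> Optional[Modality]:
    """Lowest-level modality that still meets the consumer's required level, or None."""
    ok = [m for m in interaction.modalities if m.level >= required_level]
    return min(ok, key=lambda m: m.level) if ok else None

def uncovered_threats(interaction: Interaction) -> List[Tuple[str, str]]:
    """(modality, threat) pairs whose <threat, requirement, mechanism> triple has no mechanism."""
    return [(m.description, threat)
            for m in interaction.modalities
            for threat, _req, mech in m.countermeasures if mech is None]

def sla_gaps(spec: List[Interaction], profile: Dict[str, int]) -> Dict[str, List[str]]:
    """Issues that block agreement on the SLA, keyed by interaction description.
    `profile` maps interaction description -> security level the consumer requires."""
    gaps: Dict[str, List[str]] = {}
    for it in spec:
        issues = [f"unknown actor code '{a}'"
                  for a in (it.invoker, it.provider, it.target) if a not in ACTORS]
        need = profile.get(it.description)
        if need is None:
            issues.append("consumer profile states no required security level")
        else:
            chosen = select_modality(it, need)
            if chosen is None:
                issues.append(f"no modality reaches required level {need}")
            else:
                issues += [f"chosen modality '{m}' has no mechanism for threat '{t}'"
                           for m, t in uncovered_threats(it) if m == chosen.description]
        if issues:
            gaps[it.description] = issues
    return gaps

# Sample specification. The first interaction and the threat/requirement/mechanism rows
# come from the slides; the picture-upload interaction's modalities, its actor triple,
# the missing mechanism and the consumer profile are constructed for this example.
SPEC = [
    Interaction("First CC's registration to CP", "CC", "CP", "CP", [
        Modality("Web Console with username and password", 1),
        Modality("Web Console with OTP", 2),
    ]),
    Interaction("End User sends pictures to the Cloud service", "CC", "S", "R", [
        Modality("REST API over HTTP with API key", 1,
                 (("Packet Sniffing", "Confidentiality", None),)),   # mechanism not chosen yet
        Modality("REST API with signed requests", 2,
                 (("Packet Sniffing", "Confidentiality", "Routing Control"),
                  ("Wrapping Attack", "Authenticity", "Digital Signature"),
                  ("Denial Of Service", "Availability", "Access Monitoring"))),
    ]),
]

if __name__ == "__main__":
    profile = {"First CC's registration to CP": 2,
               "End User sends pictures to the Cloud service": 3}
    for interaction, issues in sla_gaps(SPEC, profile).items():
        print(interaction, "->", "; ".join(issues))
```

`select_modality` prefers the lowest qualifying level on purpose: the slides present the modalities as a ladder the consumer climbs only as far as its required level, so the check surfaces the cheapest acceptable offer and leaves stronger ones as options rather than defaults.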
Suggestions for Future Work
• A tool which suggests the Cloud Provider that best meets Cloud Consumer needs;
• Software that analyses the Security Requirements and proposes the Security Mechanisms to adopt;
• An automated tool which finds already existing software components to cover vulnerabilities;
• A smart tool that converts rules into the format of the adopted IDPS;
• An engine which learns from past events and adds new rules.
Thank you for your attention
What is Cloud Computing? (1/3)
“Cloud computing is a model for enabling on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.” NIST
What is Cloud Computing? (2/3)
• On-demand self-service
• Broad network access
• Resource pooling
• Rapid elasticity
• Measured service
What is Cloud Computing? (3/3)
Service Models and Deployment Models