Security Requirement Specification Model for Cloud Computing Services

SECONDA UNIVERSITA’ DI NAPOLI, FACOLTA’ DI INGEGNERIA
Supervisor: Prof. Massimo Ficco
Candidate: Matteo Leonetti
Student ID: A18/064
Academic Year: 2012/2013

Contents

• Main Cloud Computing Issues
• Security Requirement Specification for Cloud
• Existing Security Specification Languages
• Why a New Model?
• Modeling Secure Interactions
• Use Case and Misuse Case
• Stereotypes
• Component and Deployment Diagram
• IDPS Rule Description
• Case Study
• Intrusion Detection Architecture for Cloud
• Suggestions for Future Works

Main Cloud Computing Issues

1. Data Breaches

2. Data Loss

3. Account Hijacking

4. Insecure Interfaces and APIs

5. Flooding Attack and Resource Exhaustion

6. Malicious Insiders 

Security Requirement Specification for Cloud

• Considering security from the early stage of the SDLC;
• Highlighting system vulnerabilities;
• Considering the security mechanisms to adopt;
• Helping to define QoS;
• Allowing Provider and Consumer to agree on the SLA.

Existing Languages

Why a New Model?

• Domain-independent framework;
• Describing both allowed and denied behaviour;
• Allowing analysis of different security mechanisms;
• Helping Cloud Consumer and Cloud Provider to agree on SLA;
• Providing UML Component and Deployment diagrams;
• UML extension with stereotypes for security concepts;
• Allowing management of IDS and fault-tolerance replicas;
• Presenting a useful model to describe IDS rules.

Modelling Secure Interactions (1/2)

An Interaction is defined as every kind of data exchange among actors in a Cloud System.

It is made of the triple: <INVOKER, PROVIDER, TARGET>

CC: Cloud Consumer
CP: Cloud Provider
S: Service
R: Resource

| Interaction Description | Interaction Type | Interaction Modalities | Security Level |
|---|---|---|---|
| First CC’s registration to CP | <CC,CP,CP> | Web Console with username and password | 1 |
| - | - | Web Console with OTP | 2 |

Modelling Secure Interactions (2/2)

Interaction modalities are characterized by the triple: <THREAT, SECURITY REQUIREMENT, SECURITY MECHANISM>

| Threat | Security Requirement | Security Mechanism |
|---|---|---|
| Packet Sniffing | Confidentiality | Routing Control |
| Denial Of Service | Availability | Access Monitoring |
| Wrapping Attack | Authenticity | Digital Signature |
| SQL Injection | Integrity, Confidentiality | Parameterized Queries |
| Man In The Middle | Non repudiation | Digital Signature |
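The two triples above can be turned into a machine-checkable specification, which is what lets a Cloud Consumer and Cloud Provider compare an offer against a requirement. The following is an added example, not code from the thesis: the class and function names are hypothetical, and the mechanisms assigned to each modality are constructed for illustration.

```python
from dataclasses import dataclass

# <THREAT, SECURITY REQUIREMENT, SECURITY MECHANISM> rows from the slide's table
TRIPLES = [
    ("Packet Sniffing", {"Confidentiality"}, "Routing Control"),
    ("Denial Of Service", {"Availability"}, "Access Monitoring"),
    ("Wrapping Attack", {"Authenticity"}, "Digital Signature"),
    ("SQL Injection", {"Integrity", "Confidentiality"}, "Parameterized Queries"),
    ("Man In The Middle", {"Non repudiation"}, "Digital Signature"),
]

@dataclass(frozen=True)
class Modality:
    name: str
    security_level: int
    mechanisms: frozenset    # mechanisms the provider deploys (constructed below)

@dataclass(frozen=True)
class Interaction:
    description: str
    triple: tuple            # <INVOKER, PROVIDER, TARGET>
    modalities: tuple

def uncovered(modality, required):
    """Threats to a required property whose mechanism the modality lacks."""
    return sorted(threat for threat, props, mech in TRIPLES
                  if props & required and mech not in modality.mechanisms)

def choose(interaction, required, min_level):
    """Lowest-level modality meeting min_level with no gap, plus rejections."""
    rejected = {}
    for m in sorted(interaction.modalities, key=lambda m: m.security_level):
        if m.security_level < min_level:
            rejected[m.name] = ["security level below consumer minimum"]
        elif gaps := uncovered(m, required):
            rejected[m.name] = gaps
        else:
            return m.name, rejected
    return None, rejected

# The registration interaction from the slide; mechanism sets are constructed
REGISTRATION = Interaction(
    "First CC's registration to CP", ("CC", "CP", "CP"),
    (Modality("Web Console with username and password", 1,
              frozenset({"Parameterized Queries"})),
     Modality("Web Console with OTP", 2,
              frozenset({"Parameterized Queries", "Routing Control"}))))

if __name__ == "__main__":
    print(choose(REGISTRATION, {"Confidentiality", "Integrity"}, min_level=1))
```

A result of `None` means no offered modality covers the required properties, which is the point at which the provider has to add a mechanism or the SLA cannot be agreed.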

Use Case and Misuse Case (1/2)

Use Cases model all kinds of legitimate interactions that describe the whole application behaviour. Some issues can affect these interactions, and it is important to specify security mechanisms in order to prevent failures.

Misuse Cases model all the malicious behaviours which can occur in the Cloud System. A Misuse Case is meant as a sequence of actions that a Cloud Consumer should not be able to perform. Hackers are able to perform a whole range of attacks to harm the Cloud environment, independently of the Use Case. These kinds of attacks are completely uncorrelated from Use Case interactions and can be expressed by Misuse Cases.

Use Case and Misuse Case (2/2)

Stereotypes

| Stereotype | Base class | Description |
|---|---|---|
| Web Service | Subsystem, Component | Service made available to users or developers on demand via the Internet from a Service Provider. |
| Intrusion Detection | Component | Any kind of Intrusion Detection System that monitors network or system activities for malicious behaviour or policy violations and produces reports to a management station. The “Mode” attribute specifies whether it is used “Standalone”, as a “Probe” that only collects information, or as a “Manager” that only receives information and correlates it to take decisions. The “Type” attribute can specify the resource to monitor: “Network”, “Host” or “Hybrid”. |
| Load Balancer | Node, Component | Software that distributes processing and communications activity evenly across a virtual computer network so that no single virtual machine is overwhelmed. |
| Virtual Machine | Node | Resource that can be used to run applications and workloads. |
| Disaster Recovery | Component | Actions to minimize the negative effects of a disaster and maintain or quickly resume critical functions. |
| Data Loss Prevention (DLP) | Component | System designed to detect potential data breaches and prevent them by monitoring, detecting and blocking sensitive data. |
| Replica | Component, Node, Subsystem | Data or computation replication can be adopted in order to provide fault tolerance solutions. The “Mode” attribute specifies the replication mechanism: “Active”, “Passive”. The “Type” attribute specifies different passive replicas: “Primary”, “Backup”. |

Component and Deployment Diagram

IDPS Rule Description (1/2)

An IDPS Rule can be expressed by three basic elements:

• Attributes
• Condition
• Reaction

IDPS Rule Description (2/2)

Graphical representation of an IDS rule. The condition that makes the considered rule true is composed of events and rules combined with the OR (+) and AND (X) operators. A rule or an event shown in grey is negated.
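The rule structure described on these two slides (attributes, condition, reaction, with conditions built from events and other rules using AND, OR and negation) can be evaluated as a small expression tree. This is an added example, not the thesis's implementation: the tuple encoding, the function names, and the event names and rules are constructed, loosely following the case study's misuse case.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    attributes: dict      # descriptive fields, e.g. name and severity (constructed)
    condition: tuple      # nested ("AND"|"OR"|"NOT"|"EVENT"|"RULE", ...) tree
    reaction: str         # action taken when the condition is true

def holds(node, events, rules, visiting=frozenset()):
    """Evaluate a condition tree against the set of observed event names."""
    op, *args = node
    if op == "EVENT":
        return args[0] in events
    if op == "RULE":                       # a rule used inside another rule
        rule_id = args[0]
        if rule_id in visiting:            # reject rules that reference themselves
            raise ValueError(f"cyclic rule reference: {rule_id}")
        return holds(rules[rule_id].condition, events, rules, visiting | {rule_id})
    if op == "NOT":                        # grey element in the diagram
        return not holds(args[0], events, rules, visiting)
    if op == "AND":                        # X operator
        return all(holds(a, events, rules, visiting) for a in args)
    if op == "OR":                         # + operator
        return any(holds(a, events, rules, visiting) for a in args)
    raise ValueError(f"unknown operator: {op}")

def fired(events, rules):
    """Return {rule_id: reaction} for every rule whose condition is true."""
    return {rid: r.reaction for rid, r in rules.items()
            if holds(("RULE", rid), events, rules)}

# Constructed rule set: R2 reuses R1 as one operand of its condition
RULES = {
    "R1": Rule({"name": "login brute force", "severity": "medium"},
               ("AND", ("EVENT", "failed_login_burst"),
                       ("NOT", ("EVENT", "source_in_allowlist"))),
               "block_source_ip"),
    "R2": Rule({"name": "VM intrusion with data theft", "severity": "high"},
               ("AND", ("RULE", "R1"),
                       ("OR", ("EVENT", "login_success"), ("EVENT", "new_admin_session")),
                       ("EVENT", "bulk_storage_read")),
               "alert_admin"),
}

if __name__ == "__main__":
    print(fired({"failed_login_burst", "login_success", "bulk_storage_read"}, RULES))
```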

Case Study: Introduction

Case Study: Interaction Diagram

Case Study: Use Case and Misuse Case

Use Case 1: End User sends pictures to the Cloud service.

Misuse Case 1: Hacker intrudes into a Virtual Machine and steals data from the storage.

Case Study: Security Requirement Specification

Case Study: IDPS Rules Description

Case Study: Component and Deployment Diagram

IDS Architecture for Cloud Computing

Security Manager: receives information from Probes or lower-level SM; normalizes and correlates the events following rules; alerts Admin or sends alert to higher-level SM.

Host Probe: Host Intrusion Detection System (HIDS)

Network Probe: Network Intrusion Detection System (NIDS)

IDS Prototype for Cloud Computing

Prelude: Security Information Event Management (SIEM)

OSSEC: Host Intrusion Detection System (HIDS)

Snort: Network Intrusion Detection System (NIDS)

IDMEF


Security Requirement Specification Model, Briefly

• Deriving all the Use Cases and Misuse Cases, splitting them into multiple interactions;
• Considering all security vulnerabilities for each interaction and specifying security requirements;
• Choosing the best implementation that matches Cloud Consumer needs and Cloud Provider offers;
• Making sure the Cloud Provider adopts valid countermeasures for each malicious interaction, or thinking about additional security solutions;
• Representing the application in the UML Cloud Component and Deployment diagram;
• Adding required security components to the diagram;
• If required, designing new IDPS rules to detect and prevent the attack described;
• If required, specifying replica types for a fault tolerance solution.

Suggestions for Future Works

• Tool which suggests the Cloud Provider that best meets Cloud Consumer needs;
• Software that analyses Security Requirements and proposes Security Mechanisms to adopt;
• Automated tool which finds already existing software components to cover vulnerabilities;
• Smart tool that converts Rules for the adopted IDPS;
• Engine which learns from past events and adds new Rules.

Thank you for your attention

What is Cloud Computing? (1/3)

“Cloud computing is a model for enabling on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.” NIST

What is Cloud Computing? (2/3)

• On-demand self-service
• Broad network access
• Resource pooling
• Rapid elasticity
• Measured service

What is Cloud Computing? (3/3)

Service Model Deployment Model