AIT Austrian Institute of Technology • ETRA Investigación y Desarrollo • Fraunhofer Institute for Experimental Software Engineering IESE • Karlsruhe Institute of Technology • NEC Europe • Lancaster University • Mirasys • Hellenic Telecommunications Organization OTE • Ayuntamiento de Valencia • Amaris
SEcure Cloud computing for CRitical Infrastructure IT
Aleksandar Hudic and Christian Wagner, AIT Austrian Institute of Technology
Secure Cloud Computing for Critical Infrastructures
Source: http://www.soompi.com/
The SECCRIT Project – Hard Facts
• Research project on secure Cloud Computing for critical infrastructure IT
• 10 Partners from Austria, Finland, Germany, Greece, Spain and the UK.
• Project budget 4.8 Mio, partly funded by the European Union
• Project duration 1.1.2013 – 31.12.2015
• about 61.748% of the project completed
• 25 public deliverables
07.11.2014 © SECCRIT Consortium 3
What are Critical Infrastructures
07.11.2014 © SECCRIT Consortium 4
Everything goes to Cloud
07.11.2014 © SECCRIT Consortium 5
Motivation – Why would someone do that?
• Possible reduction of costs
• Pay as you use
• Managing peak loads
• Scalable computing resources
• Potential increased availability
now back to the project
SECCRIT’s Overall Goal
• Analyse and evaluate cloud computing with respect to security risks in sensitive environments, i.e. critical infrastructures
  o Traffic Control
  o Public Safety (CCTV)
• Develop
  o methodologies
  o technologies
  o best practices
  for secure, trustworthy, high-assurance and legally compliant cloud computing environments for critical infrastructure IT
• Investigate real-world problems
Problem Definition – High Level
• Requirements for cloud applications vary
  o Commercial applications mainly focus on scalability & elasticity
  o Requirements in CI regarding overall redundancy, data availability, authenticity, secure access, trust and protection of the citizens are typically higher than in commercial applications
  o Common user requirements converge with what is the CI standard
Problem Definition – High Level
• What is the problem?
  o Cloud services abstract over the resources they use, are opaque and make it hard to
    • determine the technical reasons for (security) failures and hence
    • develop countermeasures
  o This also implies, from a legal perspective, that it is hard to
    • determine whose fault it is and
    • show that one hasn't acted negligently
SECCRIT Demonstrator: Traffic Control
• Gather traffic data from traffic sensors on the road
• Store traffic data in databases
• Generate data and reports about traffic status and traffic evolution
• Analyse and relate the whole of mobility data
• Support the definition of mobility policies and traffic control strategies
• Control traffic on the road by Traffic Controllers, Traffic Lights, Variable Message Signals, etc.
• Public transportation priority by strategies like offering traffic lights priority
• Execute traffic control strategies by operators' manual actions or by automatic procedures
SECCRIT Demonstrator: Public Safety (CCTV)
Roles in the scenario:
• MetroSub – the Subway Operator
• CitySec – the Security Service Provider
• TelCom – the Telecom Operator
• TenSys – the Tenant System Management
• CloudCorp – the Cloud Management Provider
Key Objectives
• Legal Guidance on Data Protection and Evidence
• Understand and manage risk associated with cloud environments
• Understand cloud behavior in the face of challenges
• Establish best practices for secure cloud service implementations
• Demonstration of output in real-world application scenarios
Key Objectives ↔ Activities & Output
• Legal Guidance on Data Protection and Evidence
  o Definition of legal guidance on SLA compliance, provision of evidence, and data protection for cloud services
• Understand and manage risk associated with cloud environments
  o Risk Assessment and Management Methodology
  o Policy Specification Methodology and Tool
  o Cloud Assurance Profile and Evaluation Method
• Understand cloud behavior in the face of challenges
  o Anomaly Detection Techniques and Tools
  o Policy Decision and Enforcement Tools
  o Cloud Resilience Management Framework
  o Tools for Audit Trails and Root Cause Analysis
• Establish best practices for secure cloud service implementations
  o Model Driven Cloud Security Guidelines
• Demonstration of output in real-world application scenarios
  o Demo 1: Storage and Processing of Sensitive Data
  o Demo 2: Hosting Critical Urban Mobility Services
• Orchestration
• Secure Cloud Storage
SECCRIT Output
a) Techno-legal guidance
b) Novel Risk Assessment Approaches
c) Cloud Security Policy Specification and Enforcement Framework
d) Resilience Management Framework (incl. anomaly detection and virtual component deployment)
e) Forensic Analysis via Audit Trails for Root Cause Analysis (incl. secure cloud storage)
f) Cloud Assurance Approaches
g) Process-Oriented Security Guideline and Best Practice Approaches
Techno-Legal Guidance
Legal Questions
• A "Security Service Operator" uses cloud services
• It uses an integrated analysis cloud service (B-AG) and a video management cloud service (C-AG)
• The analysis cloud service and the video management service run on a virtual server
• The video management cloud service uses a DB (Y-AG)
• Y-AG uses a storage service
SECCRIT Architectural Framework
What do we mean when we talk about Cloud?
R. Bless, Flittner, M., Horneber, J., Hutchison, D., Jung, C., Pallas, F., Schöller, M., Shirazi, S. Noor ul Ha, Simpson, S., and Smith, P., “Whitepaper "AF 1.0" SECCRIT Architectural Framework”. 2014. (and IEEE CloudCom)
Cloud Risk Assessment
• There are different stakeholder viewpoints to consider
  o The Cloud Service Provider
    • In SECCRIT decomposed into sub-roles, including the Tenant and the Cloud Infrastructure Provider
  o The Critical Infrastructure Service Provider
• When should an assessment be performed?
  o At the point of deployment, to determine whether to use the Cloud and/or which provider and deployment model to use
  o During the operation of a service, e.g., periodically or in response to changes in the deployment environment caused by scaling
Major Contributions
1. An analysis of risk perceptions regarding the use of cloud
   o Performed on an individual and organisational basis
2. An extensive cloud-specific threat and vulnerability catalogue that can support a risk assessment
3. An extension to a standard risk assessment process to support critical infrastructure service providers in determining the risk of cloud deployment
   o Supported by the SECCRIT threat and vulnerability catalogue and the open-source Verinice ISMS tool
4. Identified a set of cloud infrastructure metrics that could be used to support online risk assessment
The SECCRIT Threat and Vulnerability Catalogue
Primary data sources:
1. Performed an extensive literature survey of existing catalogues and organisations of threats and vulnerabilities, e.g., CSA's "Notorious Nine"
2. Carried out a structured security analysis, based on the SECCRIT architectural framework and different deployment models
3. Leveraged findings from the cloud risk survey
Catalogue categories (figure): Management-oriented View, Box model, Virtual environment, Local scaling, Resource pooling
The SECCRIT Threat and Vulnerability Catalogue
• Organised items into categories – NIST’s essential characteristics of cloud computing at the core
• Identified impact type, i.e., CIA, and references when possible
Cloud Risk Deployment Assessment Process
Conclusion
• Four major contributions:
  1. An analysis of risk perceptions regarding the use of cloud
  2. An extensive cloud-specific threat and vulnerability catalogue
  3. Extension to a standard risk assessment process to support critical infrastructure service providers in determining the risk of cloud deployment
  4. Cloud infrastructure metrics that could be used to support online risk assessment
• The threat and vulnerability catalogue is being put forward as a contribution to the ETSI ISG on Network Function Virtualisation (NFV)
Cloud Assurance Approaches
Cloud Assurance Framework
Cloud Assurance Framework (figure): Assurance Level 1-7; Monitoring Artifacts
Aspects of Assurance
Research questions / challenges
• How to assure that security properties are met across distinct cloud layers with different stakeholders?
• How to derive continuous assessment of security properties across the cloud's architecture?
• How can security be assessed, measured or scaled in respect to a certain predefined set of security properties (assurance levels)?
• How to aggregate/inherit security across different stakeholders in the Cloud?
Figure axes: Levels of Abstraction (the SECCRIT architecture) versus Security properties
• Security-aware SLA specification language and cloud security dependency model
• Certification models
• Core Certification mechanisms
• Methodologies for Risk Assessment and Management
• The Notorious Nine: Cloud Computing Top Threats in 2013
Identified categories/properties
ID | Security property | Category | Vulnerability | Threats | Dependencies
SP_1 | User Authentication and Identity assurance level | Identity Assurance | Loss of human-operated control point to verify security and privacy settings | Data Breaches, Data Loss, Shared Technology Vulnerabilities | None
SP_1 (cont.) | | | Insufficient authentication security, e.g., weak authentication mechanisms, on the cloud management interface | Account or Service Traffic Hijacking, Insecure Interfaces and APIs, Malicious Insiders |
SP_2 | Data deletion quality level | Data Disposal | Data recovery vulnerabilities, e.g., unauthorised access to data in memory or on disk from previous users | Data Breaches, Account or Service Traffic Hijacking, Insecure Interfaces and APIs, Malicious Insiders, Insufficient Due Diligence | None
SP_3 | Storage Freshness | Durability | Data recovery vulnerabilities, e.g., unauthorised access to data in memory or on disk from previous users | Data Breaches, Account or Service Traffic Hijacking, Insecure Interfaces and APIs, Malicious Insiders, Insufficient Due Diligence | None
SP_4 | Data alteration prevention / detection | Integrity | Poor/no integrity checks of the billing information | Data Breaches, Insecure Interfaces and APIs, Insufficient Due Diligence | SP_1, SP_2, SP_3
SP_5 | Storage Retrievability | Durability | Poor/no backup & restore strategy is in place to prevent the loss of billing information, e.g., in the case of a system failure | Data Breaches, Insecure Interfaces and APIs, Insufficient Due Diligence | SP_4
SP_6 | Data leakage detection / prevention | Data Leakage | Poor/no encryption of the VM data through a wide-area migration process | Data Breaches, Malicious Insiders, Shared Technology Vulnerabilities | SP_5
SP_7 | Cryptographic module protection level | Key Management | Unmonitored and unencrypted network traffic between VMs is possible, e.g., for VMs on the same node through the virtual network; unencrypted physical storage, which underlies the virtual storage allocated to the VMs | Insufficient Due Diligence, Shared Technology Vulnerabilities, Data Breaches, Malicious Insiders | None
Assurance Assessment Framework
Figure: Group of Evaluation and Target of Evaluation across the abstraction levels: User Level; Application Level (Critical Infrastructure); Virtual Infrastructure Level (Tenant); Physical Infrastructure Level (Cloud Infrastructure)
Common Criteria Framework for Information Technology Security Evaluation, CCDB USB Working Group, 2012, part 1-3. Online available: http://www.commoncriteriaportal.org.
Framework elements:
• Component of Evaluation (CoE)
  o Component dependencies (CD)
  o Association (AS)
• Group of Evaluation (GoE)
• Target of Evaluation (ToE)
Assurance Profile:
  o Assurance Type (AT)
  o Assurance Properties (AP)
  o Assurance Class (AC)
  o Security Objectives (SO)
  o Assessment Interval (AI)
Initial assurance policy set
INITIAL POLICY SET
(1) $\forall AL_K \in AC_X : \exists!\, VS$
(2) $VS = \{SPV_1, SPV_2, \ldots, SPV_N\}$
(3) $SPV_i = [SP_1, SP_2, SP_3, SP_4],\ SP_i \in \{0,1\}$
(4) $\forall VS \in AL_K : \exists!\, SPV_i,\ i \in$
(5) $\forall SPV_i \in AC_X : |SPV_i| = k$
(6) $AC_X = \{SPV_1, SPV_2, SPV_3, \ldots, SPV_n\}$
(7) $\emptyset$
(8) $ACS_{AL} = \bigwedge_{AC_X} (SPV_i),\ AC_X \in CoE_M,\ i \in \{1 \ldots N\}$
(9) $ACS_{AL}(i) \vdash DAL_{VS}(i)$
(10) $AL_{VS} \subseteq DAL_{VS}$
(11) $(DAL_{VS}(i) \wedge AL_{VS}(i)) \Rightarrow AL(AC_X) = i,\ AC_X \in CoE_M$
(12) $\exists!\, AL_i \models \forall \min(CAL_j),\ i \in \{1 \ldots 7\},\ j \in \{1 \ldots N\}$
• Each assurance class is associated with at least one vector set
• Vector set is a compound of N Security Property vectors
• Security Property Vector is a set of K Security Properties associated with true or false
• Each Vector Set of a particular Assurance Level is associated with
• All Security Property Vectors in a class have the same cardinality
• Assurance Class is a compound of distinct Security property vectors
• Individual SPV can be found only at one Assurance class
• Bitwise conjunction of Security property vector bits of an individual Assurance Class
• Assurance Class of the evaluated object directly depends on the assurance of the associated components
Service abstraction
Service/infrastructure abstraction via the General tree model:
Clustering assurance class properties to a particular assurance level
Prototype use cases analysis
GENERAL TREE MODEL ANALYSIS:
• tree traversal, post-order method
• level-based bit conjunction
• vertical post-order assurance aggregation
Assurance calculation algorithm
begin procedure:
  for i = k … 1 do
    if (∀ CoE_C (SPV[i]) ∃! AL_M, M ∈ {1, 2, …, 7}) {
      AL = M;
      end procedure
    } else if (∏_CoE SPV[i] = 0) {
      discard ∀ SPV where SPV[i] = 1;
      continue;
    } else (∏_CoE SPV[i] = 1) {
      discard ∀ SPV where SPV[i] = 0;
      continue;
    }
end procedure
Algorithm steps:
1. Bitwise conjunction SPV[i] for each vector in an Evaluated Vectors Set
2. Reducing the potential combination set
3. Checking the remaining subset
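An added example (not SECCRIT project code) that implements the assurance calculation algorithm above together with the post-order aggregation of the general tree model; the four-property assurance class catalogue and the component vectors are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SPV = Tuple[int, ...]  # security property vector: one bit per security property

# Constructed assurance classes (assumption: k = 4 properties, levels 1-4).
# Each SPV appears in exactly one class, as the initial policy set requires.
ASSURANCE_CLASSES: Dict[int, Set[SPV]] = {
    1: {(0, 0, 0, 0), (1, 0, 0, 0)},
    2: {(1, 1, 0, 0), (1, 0, 1, 0)},
    3: {(1, 1, 1, 0), (1, 1, 0, 1)},
    4: {(1, 1, 1, 1)},
}


def assurance_level(component_spvs: List[SPV],
                    classes: Dict[int, Set[SPV]] = ASSURANCE_CLASSES) -> Optional[int]:
    """Assurance calculation algorithm: for i = k..1, conjoin bit i over all
    components of evaluation, discard candidate SPVs whose bit i disagrees, and
    stop as soon as the remaining candidates all belong to one assurance level."""
    k = len(component_spvs[0])
    candidates = {spv: lvl for lvl, spvs in classes.items() for spv in spvs}
    for i in range(k - 1, -1, -1):
        conj = int(all(spv[i] for spv in component_spvs))  # product over CoE of SPV[i]
        candidates = {spv: lvl for spv, lvl in candidates.items() if spv[i] == conj}
        levels = set(candidates.values())
        if len(levels) == 1:        # unique AL_M found: end procedure
            return levels.pop()
        if not candidates:          # aggregated vector lies in no assurance class
            return None
    return None


@dataclass
class Node:
    """Service/infrastructure element in the general tree model."""
    name: str
    spv: SPV
    children: List["Node"] = field(default_factory=list)


def aggregate(node: Node,
              classes: Dict[int, Set[SPV]] = ASSURANCE_CLASSES) -> Tuple[SPV, Optional[int]]:
    """Vertical post-order aggregation: a node's effective SPV is the bitwise
    conjunction of its own SPV and the aggregated SPVs of its children."""
    vectors = [node.spv] + [aggregate(child, classes)[0] for child in node.children]
    effective = tuple(int(all(v[i] for v in vectors)) for i in range(len(node.spv)))
    return effective, assurance_level(vectors, classes)
```

The early exit mirrors the slide's procedure and therefore presumes the catalogue holds every vector the conjunction can produce; where that is not guaranteed, compare the returned effective vector against the catalogue before trusting the level.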
Future work
• Building a comprehensive security property catalogue in line with the critical infrastructure requirements (demo partner feedback)
• Investigating whether the current Cloud monitoring tools are capable of conducting cross-layer monitoring or supporting the assurance approach
• Demonstrating the approach by applying it to a general demo scenario, in line with both of our demo scenarios, on OpenStack
Conclusion
• customizable framework for analyzing a predefined set of security properties across the cloud stack
• user and provider centric
• advanced and transparent monitoring model across the cloud stack
• autonomic and cumulative analysis of the cloud infrastructure
• technology independent assessment framework
• integration of existing work of the SECCRIT project, e.g.: monitoring, root cause and forensic analysis tools, legal requirements, vulnerability catalogue
Any Questions?
Contact
Aleksandar Hudic, Christian Wagner, AIT Austrian Institute of Technology