A Model-driven Approach Towards Designing and Analysing Secure Systems for Multi-clouds (PowerPoint presentation)

SLIDE 1

A Model-driven Approach Towards Designing and Analysing Secure Systems for Multi-clouds

Shaun Shei, Haralambos Mouratidis, Stylianos Kapetanakis, Aidan Delaney
Secure and Dependable Software Systems (SenSe)

SLIDE 2

Overview

  • What is Cloud Computing?
  • Current Challenges
  • Cloud Modelling Language
      • Definitions
      • Relationships
      • Models
  • Process
      • Activities
  • Analysis
  • Conclusion

SLIDE 3

What is Cloud Computing?

“Delivery of hosted services over the Internet.”

SLIDE 4

Cloud Computing Properties

  • Why do we need to define and model cloud computing properties?
  • How are the properties determined from the literature?
  • What is our approach to capture these concepts?

Property      | Traditional (On-premise)                                    | Cloud-based
Access        | Physical access on host machine                             | Remote access through network connection
Acquisition   | Architecture management                                     | Service selection
Costs         | Initial capital, maintenance and support                    | Pay-as-you-go based on usage
Provisioning  | Purchase, install and set up infrastructure, typically days | Self-service, spin-up time in minutes
Security      | Company policy                                              | Dependent on service provider
Scalability   | Process for adding nodes                                    | Elasticity according to demand
User model    | Single-tenancy                                              | Multi-tenancy

SLIDE 5

Definitions

National Institute of Standards and Technology (NIST) definition [1]: “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.” The cloud model is composed of five essential characteristics, three service models, and four deployment models.

[1] Mell, P., and Grance, T. (2011). The NIST definition of cloud computing. NIST Special Publication 800-145.

SLIDE 6

Definitions

(figure: NIST visual model of the cloud computing definition - http://www.cloudcontrols.org/wp-content/uploads/2011/06/NIST_Visual_Model_of_Cloud_Computing_Definition.jpg)

SLIDE 7

Current Challenges

  • Lack of systematic approaches to tackle cloud-specific security issues at a requirements engineering level
  • Existing work fails to provide specialised concepts to capture security properties in cloud computing
  • No automated security analysis support to produce cloud security requirements

Table 1: Limitations in related SRE work [1].

[1] Shei, S., Alcaniz, L. M., Mouratidis, H., Delaney, A., Rosado, D. G., and Fernández-Medina, E. (2015). Modelling secure cloud systems based on system requirements. Proceedings of ESPRE 2015, Ottawa, ON, Canada, pp. 19-24.

SLIDE 8

Current Challenges

  • Data security
  • Loss of control
  • Geographical distribution
  • Multi-tenancy
  • Redundancy
  • Privacy issues
  • Jurisdiction
  • USA Patriot Act (law enforcement agencies can access your data without your consent or knowledge)

Example: Amazon Web Services infrastructure in North America and Europe - http://aws.amazon.com/about-aws/global-infrastructure/

SLIDE 9

RQ1

How do we describe concepts for modelling cloud security requirements with sufficient expressive power to capture domain-specific cloud computing software systems from a security requirements engineering perspective?

Why are we asking this question?

We formulate this question because we need to know what concepts are required to describe cloud security issues in software systems.

How do we answer this?

  • A cloud security framework is produced, consisting of three components (RC1):
      • Modelling language to capture cloud security concepts (RC2)
      • Systematic process to construct cloud models (RC3)
      • Architecture for automating analysis (RC4)

How does this help advance the field?

The framework builds upon established security requirements engineering work and extends the field with cloud computing specific concepts.

SLIDE 10

RQ2

How do we systematically apply security and cloud computing concepts in order to model cloud computing systems, perform security analysis and obtain cloud security requirements?

Why are we asking this question?

To ensure well-formed models of secure cloud systems are produced, allowing us to perform security analysis.

How do we answer this?

We formalise our concepts to provide the syntax and semantics for analysing cloud security through a formal approach (RC5).

How does this help advance the field?

There is a lack of work formalising cloud computing concepts from a security requirements engineering perspective.

What still needs to be done?

The formalisation process is iterative, where each cycle is carried out in conjunction with validation through running examples.

SLIDE 11

RQ3

How can we semi-automatically generate system configurations enforcing the security properties of cloud deployments based on cloud security requirements?

Why are we asking this question?

To address the lack of support for automating security analysis using cloud models in order to produce cloud security requirements.

How do we answer this?

We apply our formal concepts to perform security analysis on real-life case studies in order to validate our cloud security requirements (RC6).

How does this help advance the field?

This provides the groundwork for non-security experts to apply our framework and extend the formal concepts through tool support.

What still needs to be done?

Identifying case studies and applying our formal concepts in order to validate our claims.

SLIDE 12

Our Approach

How is this addressed?

  • Cloud Modelling Language to capture cloud security concepts
  • Cloud Meta-Model aligning concepts from the requirements engineering, security and cloud computing domains
  • A cloud security framework to provide systematic guidance

How does this help advance the field?

The components of our framework build upon established security requirements engineering work and extend the field with cloud computing specific concepts.

SLIDE 13

Structure of Thesis

  • Split into three parts: state of the art; secure cloud environment framework; validation and evaluation

SLIDE 14

What are the research deliverables?

  • Secure Cloud Framework
  • Security analysis (first-order logic)
  • Validation through case studies

SLIDE 15

Health-care Example

Protection of Personal Data

  • Health Insurance Portability and Accountability Act (HIPAA)
  • European Parliament and Council Directive 95/46/EC

Migrating to Cloud Computing Systems

  • Loss of control over sensitive assets
  • Reliance on third parties to implement security measures

SLIDE 16

Organisational View

(figure: organisational view model, not reproduced)

SLIDE 17

Cloud Modelling Language

  • Extension of the Secure Tropos methodology

SLIDE 18

Definitions

  • Meta-model extended with cloud computing concepts (figure, not reproduced)

SLIDE 19

Definitions

Cloud Service

  • A cloud service provides a specific computing capability, relies on a combination of virtual and physical assets and is enabled through cloud computing characteristics as defined by NIST.

Attributes:
  • Capability: String
  • Deployment Model: «Enumeration» DeploymentModel
  • Service Model: «Enumeration» ServiceModel

SLIDE 20

Definitions

Cloud Service Provider

  • A Cloud Service Provider (CSP) provides the resources required to deliver cloud services.

Attributes:
  • Name: String

SLIDE 21

Definitions

Cloud User

  • A cloud user represents actors who require cloud services to satisfy their strategic needs.

Attributes:
  • Name: String
  • End-User: Bool

SLIDE 22

Definitions

Virtual Resource

  • A virtual resource represents intangible assets in a cloud computing system.

Attributes:
  • Resource Description: String
  • Type: «Enumeration» ResourceType
  • Visibility: «Enumeration» Visibility

SLIDE 23

Definitions

Physical Infrastructure

  • A physical infrastructure represents a tangible system which, given a geographical location, hosts a group of physical assets within its local proximity.

Attributes:
  • Resource Description: String
  • Node Set: [NodeID]
  • Location: «Enumeration» JurisdictionType

SLIDE 24

Definitions

Infrastructure Node

  • An infrastructure node represents a single instance of a computing component such as a server, data storage or network connection.

Attributes:
  • Resource Description: String
  • NodeID: Integer
  • Type: «Enumeration» NodeType
  • Location: «Enumeration» JurisdictionType
  • Tenancy: «Enumeration» Tenancy

SLIDE 25

Definitions

Security Constraint

  • A security restriction placed on a cloud service by an actor, representing the stakeholders' security needs.

Attributes:
  • Description: String
  • Dependee: Cloud Service Provider
  • Dependent: Actor
  • Security Property: «Enumeration» HighlevelCloudSR
  • Satisfaction: Bool

SLIDE 26

Definitions

Security Objective

  • The security objective describes criteria contributing towards the satisfaction of security needs.

Attributes:
  • Description: String
  • Security Property: «Enumeration» HighlevelCloudSR

SLIDE 27

Definitions

Threat

  • Threats represent circumstances that have the potential to cause loss, or problems that can put the security features of the system in danger.

Attributes:
  • Description: String
  • Impact: Int

SLIDE 28

Definitions

Security Mechanism

  • A security mechanism represents security methods for satisfying security objectives.

Attributes:
  • Description: String
  • Security Property: «Enumeration» HighlevelCloudSR

SLIDE 29

Definitions

Vulnerability

  • A weakness of an asset or group of assets that can be exploited by one or more threats.

Attributes:
  • Description: String
  • Attack Method: String
  • Impact: Int

SLIDE 30

Relationships

  • Meta-model showing relationships between the security and cloud computing concepts (figure, not reproduced)

SLIDE 31

Relationship

Cloud Dependency

  • A dependency relationship between two actors and a cloud service as the dependum, where the depender actor depends on the dependee actor to deliver the dependum cloud service.

SLIDE 32

Relationship

Service Dependency

  • A dependency relationship between two cloud services and an actor, where the depender cloud service depends on the dependee actor to deliver the dependum cloud service.

SLIDE 33

Relationship

Owns

  • Indicates a level of responsibility where an actor possesses ownership over a physical asset, is the creator of a virtual asset, or holds data ownership over a virtual asset.

SLIDE 34

Relationship

Manages

  • Indicates a level of responsibility where an actor plays a role in the configuration and delivery of a cloud service.

SLIDE 35

Relationship

Resides

  • Indicates that a virtual resource is physically stored on an infrastructure node.

SLIDE 36

Relationship

Requires

  • A cloud service requires resources in order to perform its capability.

SLIDE 37

Relationship

Restricts

  • A constraint placed on a cloud service to indicate the security needs of stakeholders.

SLIDE 38

Relationship

Impacts

  • Threats or vulnerabilities which impact the security properties of a cloud service.

SLIDE 39

Relationship

Affects

  • An identified vulnerability which affects a cloud service or resource.

SLIDE 40

Cloud Meta-model: Properties

(figure, not reproduced)

SLIDE 41

Models

  • Four types of models representing the conceptual “layers” of detail in a cloud computing system.
  • The organisational model captures the social concepts.
  • The application model defines the intangible assets, information transactions and responsibilities.
  • The infrastructure model consists of physical assets, physical ownership of components and jurisdiction.
  • The cloud environment model provides a holistic view of the cloud computing system.

SLIDE 42

Secure Cloud Process

(figure: process overview, not reproduced)

SLIDE 43

Process

Activity 1

  • Identify organisational needs, stakeholders, assets and relationships, producing a goal model as output.
  • We assume we have a goal model.

SLIDE 44

Process

Activity 2

  • Identify cloud services, stakeholders, assets and relationships on the organisational level.
  • Iterate through candidate cloud services.
  • Produce a list of cloud services as output.

SLIDE 45

Process

Activity 3

  • Refine layer-specific concepts through a fine-grained approach.
  • Iterate through the organisational, application and infrastructure layers.
  • Output a cloud environment model.

SLIDE 46

Cloud Environment Model (Health-care)

(figure, not reproduced)

SLIDE 47

Process

Activity 4

  • Four types of security analysis on layer-specific models and cloud environment models:
      • Vulnerability identification
      • Threat propagation
      • Security constraint validation
      • Cloud property analysis
  • Output is the cloud security-enhanced model.

SLIDE 48

(figure, not reproduced)

SLIDE 49

Process

Activity 5

  • Provide guidance for mitigating threats and vulnerabilities through security policies.
  • Best practices for satisfying security constraints.
  • Output is the cloud security requirements.

SLIDE 50

Analysis

Four types of security analysis are defined using the formal framework:

  1. Vulnerability Identification
  2. Threat Propagation
  3. Security Constraint Satisfaction
  4. Cloud Property Analysis

SLIDE 51

Analysis

Vulnerability Identification

  • Mitigating vulnerabilities

    mitigate2(cloud service(service2),Vul,Secmech).

    Returns a list of vulnerabilities affecting service2 and the Secmech required to mitigate these vulnerabilities.

  • Unmitigated vulnerabilities

    missingMigitate(cloud service(service1)).

    Returns true if the service is mitigated, false otherwise.

SLIDE 52

Analysis

Threat Propagation

  • Encoding threats for cloud services

    threatens(cloud service(service4),dos,vul(api,X)).

  • Threat mitigation

    mitigate3(cloud service(service4),Threat,SecCon).

    Returns a list of threats affecting service4 and the SecCon required to mitigate these threats.

  • Unmitigated threats

    missingMigitateT(cloud service(service4)).

    Returns true if the service is mitigated, false otherwise.

SLIDE 53

Analysis

Cloud Property Analysis

  • Manage conflict

    manage_conflict(Actor1,Service,ServiceLevel,Actor2).

    Returns the manage tuples for the conflicting service2, which is managed by both ibm and amazon.
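The slides give the four analysis types only as Prolog-style predicate signatures. As an added illustration, not code from the authors' framework, the following Python sketch re-implements those queries over a small constructed fact base for a hypothetical health-care deployment; every service, actor, vulnerability, mechanism and node location in it is made up. Function names follow the slide predicates (mitigate2, missingMigitate, mitigate3, missingMigitateT, manage_conflict); unmitigated(), threats_on(), constraint_satisfied() and jurisdiction_violations() are helpers the slides do not name, and the propagation rule used here (a threat on a dependee service reaches every service that depends on it) is this example's assumption rather than a rule stated on the slides.

```python
# Added example, not from the slides: the four analysis types (vulnerability
# identification, threat propagation, security constraint satisfaction and
# cloud property analysis) as Python queries over a constructed fact base.
# Every fact below is made up for illustration.
from itertools import combinations
from typing import Dict, List, Optional, Set, Tuple

# affects(Vulnerability, Service): vulnerabilities identified on each cloud service
AFFECTS: Dict[str, Set[str]] = {
    "service1": {"weak_api_auth", "plaintext_storage"},
    "service2": {"weak_api_auth"},
    "service4": {"api_rate_unbounded"},
}
# Catalogue: the security mechanism that mitigates each vulnerability
MITIGATES: Dict[str, str] = {
    "weak_api_auth": "oauth2_tokens",
    "plaintext_storage": "aes_at_rest",
    "api_rate_unbounded": "api_rate_limiting",
}
# applied(Service, SecMech): mechanisms actually deployed on each service
APPLIED: Dict[str, Set[str]] = {"service1": {"oauth2_tokens"}, "service2": {"oauth2_tokens"}}
# threatens(Service, Threat, Vulnerability), in the shape used on slide 52
THREATENS: List[Tuple[str, str, str]] = [("service4", "dos", "api_rate_unbounded")]
# Security constraint (HighlevelCloudSR property) needed to counter each threat
THREAT_CONSTRAINT: Dict[str, str] = {"dos": "availability"}
# Service Dependency: depender service -> dependee services it relies on (assumed)
SERVICE_DEPENDS: Dict[str, Set[str]] = {"service1": {"service4"}}
# manages(Actor, Service, ServiceLevel)
MANAGES: List[Tuple[str, str, str]] = [
    ("ibm", "service2", "saas"),
    ("amazon", "service2", "saas"),
    ("amazon", "service4", "iaas"),
]
# resides(VirtualResource, InfrastructureNode) and each node's JurisdictionType
RESIDES: Dict[str, str] = {"patient_records": "node7", "web_cache": "node3"}
NODE_LOCATION: Dict[str, str] = {"node7": "USA", "node3": "EU"}
# Security constraint restricting the jurisdiction a resource may reside in
JURISDICTION_CONSTRAINT: Dict[str, str] = {"patient_records": "EU"}


def mitigate2(service: str) -> List[Tuple[str, str]]:
    """mitigate2/3 (slide 51): each vulnerability affecting the service paired
    with the security mechanism required to mitigate it."""
    return sorted((v, MITIGATES[v]) for v in AFFECTS.get(service, set()))

def unmitigated(service: str) -> Set[str]:
    """Helper: vulnerabilities whose required mechanism is not applied on the service."""
    return {v for v, mech in mitigate2(service) if mech not in APPLIED.get(service, set())}

def missing_mitigate(service: str) -> bool:
    """missingMigitate/1 (slide 51): True if every vulnerability of the service
    is mitigated, False otherwise."""
    return not unmitigated(service)

def threats_on(service: str, seen: Optional[Set[str]] = None) -> Set[Tuple[str, str, str]]:
    """Threat propagation (slide 52): (threat, origin service, vulnerability)
    triples reaching the service directly or via the services it depends on."""
    seen = set() if seen is None else seen
    if service in seen:           # guard against dependency cycles
        return set()
    seen.add(service)
    found = {(t, s, v) for s, t, v in THREATENS if s == service}
    for dependee in SERVICE_DEPENDS.get(service, set()):
        found |= threats_on(dependee, seen)
    return found

def mitigate3(service: str) -> List[Tuple[str, str]]:
    """mitigate3/3 (slide 52): threats affecting the service and the security
    constraint required to mitigate each of them."""
    return sorted({(t, THREAT_CONSTRAINT[t]) for t, _, _ in threats_on(service)})

def missing_mitigate_t(service: str) -> bool:
    """missingMigitateT/1 (slide 52): True if every threat reaching the service
    has its exploited vulnerability mitigated at the origin service."""
    return all(v not in unmitigated(origin) for _, origin, v in threats_on(service))

def constraint_satisfied(service: str, security_property: str) -> bool:
    """Security constraint satisfaction: a constraint with the given property on
    the service holds when no threat needing that property remains unmitigated."""
    return all(THREAT_CONSTRAINT[t] != security_property or v not in unmitigated(o)
               for t, o, v in threats_on(service))

def manage_conflict() -> List[Tuple[str, str, str, str]]:
    """manage_conflict/4 (slide 53): (Actor1, Service, ServiceLevel, Actor2)
    tuples where two different actors manage the same service at the same level."""
    return [(a1, s1, l1, a2)
            for (a1, s1, l1), (a2, s2, l2) in combinations(MANAGES, 2)
            if s1 == s2 and l1 == l2 and a1 != a2]

def jurisdiction_violations() -> List[Tuple[str, str, str]]:
    """Cloud property analysis of the jurisdiction issue on slide 8: resources
    residing on a node whose location differs from the permitted jurisdiction."""
    return sorted((res, NODE_LOCATION[node], JURISDICTION_CONSTRAINT[res])
                  for res, node in RESIDES.items()
                  if res in JURISDICTION_CONSTRAINT
                  and NODE_LOCATION[node] != JURISDICTION_CONSTRAINT[res])

if __name__ == "__main__":
    for svc in ("service1", "service2", "service4"):
        print(svc, "vulns:", mitigate2(svc), "mitigated:", missing_mitigate(svc),
              "threats:", mitigate3(svc), "threats mitigated:", missing_mitigate_t(svc))
    print("manage conflicts:", manage_conflict())
    print("jurisdiction violations:", jurisdiction_violations())
```

In this fact base service1 inherits the dos threat from service4 through the service dependency, so it fails the availability constraint even though its own vulnerabilities are partly mitigated; the two ibm/amazon manage tuples for service2 reproduce the manage-conflict case the slide describes, and the patient-records resource on a USA node against an EU constraint is the jurisdiction problem listed on slide 8.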

SLIDE 54

Contributions

  • RC1: A framework providing a systematic approach for holistically capturing, analysing and producing cloud security requirements
  • RC2: A modelling language combining concepts from cloud computing, security requirements engineering and software engineering to support expression of cloud security properties and requirements
  • RC3: The modelling language includes a formal component, allowing for fine-grained description of cloud computing services, components and security properties
  • RC4: A process to guide the application of concepts step-by-step through an iterative approach, standardising the procedure for practitioners
  • RC5: An architecture providing four types of semi-automated security analysis for generating cloud security requirements towards the design and implementation of secure cloud systems

SLIDE 55

Summary

We have discussed:

  • A modelling language combining concepts from cloud computing, security requirements engineering and software engineering to support expression of cloud security properties and requirements.
  • A systematic process guiding practitioners through the application of our concepts.
  • Formal components of the modelling language, with four types of security analysis.

Our contributions are:

  • A framework providing a systematic approach for holistically capturing, analysing and producing cloud security requirements.

SLIDE 56

Thanks!