UTSA Secure Information and Resource Sharing in Cloud - PowerPoint PPT Presentation



Slide 1

Secure Information and Resource Sharing in Cloud Infrastructure as a Service
Cyber Incident Response Models for Information and Resource Sharing

Amy (Yun) Zhang, Ravi Sandhu
Institute for Cyber Security, University of Texas at San Antonio
San Antonio, TX 78249
Mar 25, 2016

Presented by: Amy (Yun) Zhang

Slide 2: Information and Resource Sharing

  • Information sharing
    – exchanges of data between a sender and receiver
    – one-to-one, one-to-many, many-to-one, many-to-many
  • Resource sharing
    – a computer resource made available from one host to other hosts on a computer network
    – computer programs, data, storage devices, and printers
      • shared file access
      • shared printer access

Ref: https://en.wikipedia.org/wiki/

Slide 3: Cloud Computing

  • Concept
    – a kind of Internet-based computing that provides shared processing resources and data to computers and other devices on demand.
  • Service models
    – Infrastructure as a service (IaaS)
      • computers (physical or virtual machines) and other resources.
      • AWS, Microsoft Azure, OpenStack.
    – Platform as a service (PaaS)
      • a development environment for application developers.
      • Salesforce, Microsoft Azure.
    – Software as a service (SaaS)
      • users gain access to application software and databases.
      • Google, Dropbox.

Ref: https://en.wikipedia.org/wiki/Cloud_computing

Slide 4: Cyber Collaboration Initiatives

  • Cyber attacks are becoming increasingly sophisticated.
    – Hard to defend by a single organization on its own.
  • Collaborate to enhance situational awareness
    – Share cyber information
      • Malicious activities
      • Technologies, tools, procedures, analytics.

Ref: www.huffingtonpost.co.uk/2013/04/23/uk-government-faces-1000-cyber-attacks-a-day_n_3138164.html

Slide 5: Scope

  • Focus on technical challenges
  • Sharing amongst a set of organizations
    – Information, infrastructure, tools, analytics, etc.
    – May want to share malicious or infected code/systems (e.g. viruses, worms, etc.)
    – Sensitive
    – Often ad hoc
  • What are the effective ways to facilitate sharing in such circumstances?
    – Information sharing models
    – Infrastructure, technologies, platforms

Slide 6: Traditional Cyber Collaboration

  • Traditional collaboration
    – Subscription services
    – Limitations
      • Organizations share information through subscription.
      • Organizations are not actively participating in analyzing and processing the cyber information they submit.
      • Organizations don't directly interact with each other on sharing activities.

Slide 7: Cloud IaaS Advantages for Cyber Incident Sharing

  • Virtualized resources
    – Theoretically, one can take a snapshot and mobilize
  • Operational efficiency
    – Light-weight and agile
    – Rapid deployment and configuration
    – Dynamic scaling
    – Self-service

Slide 8: Cloud IaaS Challenges for Cyber Incident Sharing

  • IaaS clouds lack secure sharing models
    – Storage
    – Compute
    – Networks
  • Need ability to snapshot tenant infrastructure, share, and control who can access
    – Share by copy

Slide 9: Sharing Model in Cloud IaaS

[Diagram: Participants A, B and C share a Secure Isolated Domain (SID). Each participant has View #1 (its own organization: Org A, Org B, Org C) and View #2 (the SID), and can Add/Remove Data and Join/Leave Users. Multiple secure isolated projects (SIPs) can be created within the SID with different controls.]

Slide 10: Community Cyber Incident Response Governance

[Diagram labels: Incident Response Group; Cyber Security Committee; Organization Security Specialists; External Experts; Conditional Membership; Shared Information]

Slide 11: Cyber Collaboration in Cloud

  • Cloud platform (community)
    – Cyber Security Committee.
    – Organizations routinely collect cyber information.
    – Cross-organization cyber collaborations.

Slide 12: Secure Isolated Domain (SID) Model

[Diagram: a Secure Isolated Domain (SID) contains a Core Project (CP), an Open Project (OP) and Secure Isolated Projects SIP-1 to SIP-n. The community organizations Org-1 to Org-m and the experts Expert-1 to Expert-k take part in it.]

Slide 13: SID Service

[Figure: SID Service (diagram not recovered from the text)]

Slide 14: Overview

  • Part I: OpenStack
  • Part II: AWS
  • Part III: Azure

Slide 15: OpenStack

  • OpenStack
    – Dominant open-source cloud IaaS software
      ➢ > 200 companies
      ➢ ~14000 developers
      ➢ > 130 countries

Ref: http://www.openstack.org

Slide 16: OpenStack HMT

  • HMT: Hierarchical Multitenancy
    – D

[Diagram: the Cloud contains Domain 1 … Domain n; a domain contains projects (Project 1 … Project p, Project q); a project contains child projects (childProject 1 … childProject k, childProject 1 … childProject l), which can be nested further (child …).]

Slide 17: OSAC Model with HMT

[Diagram labels. Entities: Users (U), Groups (G), Domains (D), Projects (P), Roles (R), Tokens (T), Services (S), Object Types (OT), Operations (OP), PRMS. Relations: User Ownership (UO), Group Ownership (GO), User Group (UG), Project Ownership (PO), Project-Role Pair (PRP), User Assignment (UA), Group Assignment (GA), Permission Assignment (PA), user_token, token_project, token_roles, t_service. Legend: one-to-one relation, one-to-multiple relation, multiple-to-multiple relation, project hierarchy, role inheritance.]

Slide 18: OSAC-HMT-SID Model

[Diagram labels. Entities: Users (U), Expert Users, Domains (D), Projects (P), Security Projects (SP), Secure Isolated Domain (SID), Core Project (CP), Open Project (OP), Secure Isolated Projects (SIP), Roles (R). Relations: User Ownership (UO), Expert User Ownership (EUO), Project Ownership (PO), Security Project Ownership (SPO), Core Project Ownership (CPO), Open Project Ownership (OPO), SIP Ownership (SIPO), SIP association (assoc), Project-Role Pair (PRP), User Assignment (UA), User Self Subscription (USS). Annotations: Routine Cyber Information Process, Cyber Collaboration, Cyber Security Forum, Cyber Security Committee.]

Slide 19: OSAC-SID Administrative Model

  • SipCreate(uSet, sip)
    /* A subset of Core Project/domain admin users together create a sip */
  • SipDelete(uSet, sip)
    /* The same subset of Core Project/domain admin users together delete a sip */
  • UserAdd(adminuser, r, u, sp, p)
    /* CP/SIP admin can add a user from his home domain Security Project to CP/SIP */
  • UserRemove(adminuser, r, u, sp, p)
    /* CP/SIP admin can remove a user from the Core Project/SIP */
  • OpenUserSubscribe(u, member, OP)
    /* Users subscribe to Open Project */
  • OpenUserUnsubscribe(u, member, OP)
    /* Users unsubscribe from Open Project */
  • CopyObject(u, so1, sp, so2, p)
    /* Copy object from Security Project to Core Project/SIP */
  • ExportObject(adminuser, so1, p, so2, sp)
    /* Export object from Core Project/SIP to Security Project */
  • ExpertUserCreate(coreadmin, eu)
    /* Core Project admin users can create an expert user */
  • ExpertUserDelete(coreadmin, eu)
    /* Core Project admin users can delete an expert user */
  • ExpertUserList(adminuser)
    /* Admin users of Core Project and SIPs can list expert users */
  • ExpertUserAdd(adminuser, r, eu, proj)
    /* Core Project/SIP admin can add an expert user to Core Project/SIP */
  • ExpertUserRemove(adminuser, r, eu, proj)
    /* Core Project/SIP admin can remove an expert user from Core Project/SIP */
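The administrative operations above, as an added example that is not the presenters' code and not OpenStack code: a small Python model that enforces the precondition stated in each comment (only Core Project admins create a SIP, only the same subset deletes it, an admin places only users from his own home-domain Security Project, members copy data in, and only an admin of the project exports data back out, into his own Security Project). The class and function names, the role strings "admin" and "member", and the two-organization sample data are assumptions of the example; the OpenUser* and ExpertUser* operations are not modelled.

```python
"""Toy model of the OSAC-SID administrative operations on slide 19 (an added illustration,
not the presenters' or OpenStack code; classes, role names and sample data are constructed)."""
from dataclasses import dataclass, field


@dataclass
class Project:
    name: str
    admins: set = field(default_factory=set)
    members: set = field(default_factory=set)
    objects: set = field(default_factory=set)


class Denied(Exception):
    """A precondition of an administrative operation failed."""


class SID:
    def __init__(self, security_projects, domain_admins):
        self.sp = security_projects            # home domain -> Security Project
        self.domain_admins = domain_admins     # home domain -> domain admin users
        # Domain admins are assigned as Core Project admins (slide 20).
        self.cp = Project("CP", admins=set().union(*domain_admins.values()))
        self.sips = {}

    def home_domain(self, u):
        for d, proj in self.sp.items():
            if u in proj.members | proj.admins | self.domain_admins[d]:
                return d
        raise Denied(f"{u} is not a community user")

    def _admin_of(self, adminuser, p):
        proj = self.cp if p == "CP" else self.sips.get(p)
        if proj is None or adminuser not in proj.admins:
            raise Denied(f"{adminuser} is not an admin of {p}")
        return proj

    # SipCreate(uSet, sip): a subset of Core Project admins together create a sip
    def sip_create(self, uset, sip):
        if not uset or not set(uset) <= self.cp.admins or sip in self.sips:
            raise Denied("creators must all be Core Project admins and sip must be new")
        self.sips[sip] = Project(sip, admins=set(uset))

    # SipDelete(uSet, sip): only the same subset may delete it
    def sip_delete(self, uset, sip):
        if sip not in self.sips or set(uset) != self.sips[sip].admins:
            raise Denied("only the admin set that created the sip may delete it")
        del self.sips[sip]

    # UserAdd(adminuser, r, u, sp, p): admin adds a user from his own home SP sp to p with role r
    def user_add(self, adminuser, r, u, sp, p):
        proj = self._admin_of(adminuser, p)
        if sp != self.home_domain(adminuser) or u not in self.sp[sp].members:
            raise Denied(f"{u} is not in {adminuser}'s home Security Project")
        {"admin": proj.admins, "member": proj.members}[r].add(u)

    # CopyObject(u, so1, sp, so2, p): a member copies so1 from his SP into p as so2
    def copy_object(self, u, so1, sp, so2, p):
        proj = self.cp if p == "CP" else self.sips.get(p)
        if proj is None or u not in proj.members | proj.admins:
            raise Denied(f"{u} is not in {p}")
        if sp != self.home_domain(u) or so1 not in self.sp[sp].objects:
            raise Denied(f"{so1} is not in {u}'s home Security Project")
        proj.objects.add(so2)

    # ExportObject(adminuser, so1, p, so2, sp): only an admin of p moves data out, into his own SP
    def export_object(self, adminuser, so1, p, so2, sp):
        proj = self._admin_of(adminuser, p)
        if so1 not in proj.objects or sp != self.home_domain(adminuser):
            raise Denied("export must go from p into the admin's home SP")
        self.sp[sp].objects.add(so2)


def attempt(op, *args):
    # Run one operation and report whether the model allowed or denied it.
    try:
        op(*args)
        return "allowed"
    except Denied:
        return "denied"


def demo():
    """Constructed two-organization scenario; returns the observable outcomes."""
    sp_a = Project("SP-A", admins={"admA"}, members={"alice"}, objects={"pcap1"})
    sp_b = Project("SP-B", admins={"admB"}, members={"bob"})
    sid = SID({"A": sp_a, "B": sp_b}, {"A": {"admA"}, "B": {"admB"}})
    sid.sip_create({"admA", "admB"}, "sip-1")
    sid.user_add("admA", "member", "alice", "A", "sip-1")
    sid.copy_object("alice", "pcap1", "A", "pcap1-copy", "sip-1")
    return {                       # each attempt below is a deliberate policy probe
        "sip_objects": set(sid.sips["sip-1"].objects),
        "cross_org_add": attempt(sid.user_add, "admA", "member", "bob", "B", "sip-1"),
        "member_export": attempt(sid.export_object, "alice", "pcap1-copy", "sip-1", "x", "A"),
        "admin_export": attempt(sid.export_object, "admA", "pcap1-copy", "sip-1", "report", "A"),
        "sp_a_objects": set(sp_a.objects),
        "partial_delete": attempt(sid.sip_delete, {"admA"}, "sip-1"),
    }
```

Calling `demo()` returns the model's decisions for the probes: the cross-organization add, the member's export and the single-admin delete are denied, while the SIP admin's export into his own Security Project succeeds. The export path is the one control point where data leaves the isolated project, which is why the model lets members copy objects in but reserves moving them out to an admin.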

Slide 20: Enforcement

  • Set up the cloud (assignment chain from the slide diagram)
    – Community Cloud: Cloud Admin assigns domain admins as Domains: Domain Admin
    – Domains: Domain Admin assigns an admin user as Security Project: Admin; that admin user assigns users to the SP as Security Project: member
    – SID: Cloud Admin assigns domain admins as Core Project: Admin
    – Core Project: Admin assigns users from the home domain and expert users as Core Project: member
    – Users from domains are assigned as Open Project: member

Slide 21: Enforcement

[Assignment chain from the slide diagram]
    – SID: Cloud Admin assigns domain admins as Core Project: Admin
    – Core Project: Admin assigns users from the home domain and expert users as Core Project: member
    – Create SIP/child SIP/…, assign domain admins as SIP: Admin
    – SIP: Admin assigns users from the home domain and expert users as SIP: member
    – child SIP: Admin assigns users from the home domain and expert users as child SIP: member
    – child SIP's … child SIP: Admin assigns users from the home domain and expert users as child SIP's … child SIP: member

Slide 22: Overview

  • Part I: OpenStack
  • Part II: AWS
  • Part III: Azure

Slide 23: Amazon Web Services (AWS)

  • Dominant public cloud software
    – Amazon Web Services (AWS), a collection of remote computing services, also called web services, makes up a cloud-computing platform offered by Amazon.com.

Ref: https://en.wikipedia.org/wiki/Amazon_Web_Services

Slide 24: AWS Access Control Model

  • AWS Access Control within a Single Account

[Diagram labels. Entities: Users (U), Accounts (A), "Roles" (R), Groups (G), Services (S), Object Types (OT), Operations (OP), PRMS. Relations: User Ownership (UO), Group Ownership (GO), user_group, Roles Ownership (RO), OT Ownership (OTO), Virtual Permission Assignment (VPA) from users, groups and roles to PRMS, virtual user_role.]

Slide 25: AWS Access Control Model

  • AWS Access Control Across Accounts [Users in account A access services and resources in account B]

[Diagram labels. Account A: Users (U), User Ownership (UO). Account B: "Roles" (R), Roles Ownership (RO), Services (S), Object Types (OT), OT Ownership (OTO), Operations (OP), PRMS, Virtual Permission Assignment (VPA). A virtual user_role relation links users in account A to roles in account B.]

Slide 26: AWS Access Control Model with SID Extension

[Diagram labels. Entities: Users (U), Accounts (A) [Community Organizations], Accounts (A) [Non-community Organizations], Expert Users (EU), Secure Isolated Domain (SID), Core Project (CP), Open Project (OP), Secure Isolated Project (SIP), "Roles" (R) in each of CP, OP and SIP, Services (S), Object Types (OT), Operations (OP), PRMS. Relations: User Ownership (UO), Roles Ownership (RO), OT Ownership (OTO), SID_association (uSet), SIP_association (assoc), Virtual Permission Assignment (VPA), virtual user_role (VUR) from users and expert users to the project roles.]

Slide 27: AWSAC-SID Administrative Model

  • SipCreate(subuSet, sip)
    /* A subset of organization security admin users together create a sip */
  • SipDelete(subuSet, sip)
    /* The same subset of security admin users together delete a sip */
  • CpUserAdd(adminu, u)
    /* CP admin adds a user from his home account to CP */
  • CpUserRemove(adminu, u)
    /* CP admin removes a user from CP */
  • SIPUserAdd(adminu, u, r, sip)
    /* SIP admin adds a user from his home account to SIP */
  • SIPUserRemove(adminu, u, r, sip)
    /* SIP admin removes a user from SIP */
  • OpenUserAdd(u)
    /* Users add themselves to OP */
  • OpenUserRemove(u)
    /* Users remove themselves from OP */

Slide 28: AWSAC-SID Administrative Model

  • CpEUserAdd(adminu, eu)
    /* CP admin adds an expert user to CP */
  • CpEUserRemove(adminu, eu)
    /* CP admin removes an expert user from CP */
  • SipEUserAdd(adminu, eu, r, sip)
    /* SIP admin adds an expert user to SIP */
  • SipEUserRemove(adminu, eu, r, sip)
    /* SIP admin removes an expert user from SIP */
  • CpCopyObject(u, o1, o2)
    /* Users copy an object from organization accounts to CP */
  • CpExportObject(adminu, o1, o2)
    /* Admin users export an object from CP to organization accounts */
  • SipCopyObject(u, r, o1, o2, sip)
    /* Users copy an object from organization accounts to a SIP */
  • SipExportObject(adminu, o1, o2, sip)
    /* Admin users export an object from SIP to organization accounts */

Slide 29: Enforcement

  • SID Service Setting-up

[Diagram labels. SID Manager Account: Users (U), User Ownership (UO), "Roles" (R) [Special Permission Assignment]. SID Operational Accounts: Roles Ownership (RO), Services (S), Object Types (OT), OT Ownership (OTO), Operations (OP), PRMS, Virtual Permission Assignment (VPA). Virtual user_role [AssumeRole] links the SID manager's users to roles in the operational accounts.]

Slide 30: Enforcement

  • Setting up SID service
    – Create two roles in the Core Project account: CPadmin and CPmember
    – CPadmin gives the user limited administrative power: to use the role CPmember and to specify policies for users from his organization.
    – Create one role in the Open Project account: OPmember
    – CPadmin allows all users from the community to access the Open Project account.
    – SID manager maintains a list of security administrative users (uSet) from organizations.

Slide 31: Enforcement

  • SIP User Assignment

[Diagram labels. Organization Accounts: Users (U), User Ownership (UO). SIP Accounts: "Roles" (R), Roles Ownership (RO), Services (S), Object Types (OT), OT Ownership (OTO), Operations (OP), PRMS, Virtual Permission Assignment (VPA). Virtual user_role [AssumeRole] links organization users to roles in the SIP account.]

Slide 32: Enforcement

  • SIP request handling
    – Users from uSet send a SIP request to the SID manager
    – SID manager creates a SIP
    – SID manager associates the group of organizations to the SIP
    – Two roles are created in the SIP account: SIPadmin and SIPmember
    – SIPadmin gives the user limited administrative power: to use the role SIPmember and to specify policies for users from organizations to join the SIP
    – SID manager returns a SIP account number with the name of the SIPadmin role to each user from uSet.
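The SIP request handling above, together with the role setup on slide 30, as an added example that is not the presenters' code and calls no AWS API: the SID manager verifies the requesters against uSet, allocates a SIP account, associates the requesters' organizations, creates the SIPadmin and SIPmember roles as IAM-style trust-policy documents (the "virtual user_role [AssumeRole]" edge of the model), and returns the SIP account number and SIPadmin role name to each requester. The `SIDManager` class, the `can_assume` evaluator, the 12-digit account IDs and the user names are constructed for the example; only the trust-policy layout follows the standard IAM document format.

```python
"""Model of the SID manager's SIP request handling (slides 30 and 32).

Added illustration, not the presenters' code; it calls no AWS API. The trust
documents use the standard IAM trust-policy layout so that the "virtual
user_role [AssumeRole]" edge of the model is visible; the 12-digit account
IDs, user names and the SIDManager/can_assume helpers are constructed here.
"""
import json

ASSUME_ROLE = "sts:AssumeRole"


def user_arn(account, name):
    return f"arn:aws:iam::{account}:user/{name}"


def trust_policy(principal_arns):
    """IAM trust policy letting exactly the listed principals assume a role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": sorted(principal_arns)},
            "Action": ASSUME_ROLE,
        }],
    }


def can_assume(policy, principal_arn):
    """Decide from the trust policy alone whether principal_arn may assume the role."""
    return any(
        st["Effect"] == "Allow" and st["Action"] == ASSUME_ROLE
        and principal_arn in st["Principal"]["AWS"]
        for st in policy["Statement"]
    )


class SIDManager:
    def __init__(self, uset):
        self.uset = set(uset)              # (account, user) security admins
        self.sips = {}                     # SIP account -> SIP record
        self._next_account = 200000000000  # constructed placeholder account IDs

    def handle_sip_request(self, requesters):
        """Users from uSet request a SIP; returns (SIP account, SIPadmin role) per requester."""
        requesters = set(requesters)
        if not requesters or not requesters <= self.uset:
            raise PermissionError("SIP requests must come from uSet members")
        account = str(self._next_account)
        self._next_account += 1
        self.sips[account] = {
            "assoc": {acct for acct, _ in requesters},   # organizations joined to the SIP
            "roles": {
                # SIPadmin: the requesting security admins may assume it
                "SIPadmin": trust_policy(user_arn(a, u) for a, u in requesters),
                # SIPmember: filled in by a SIPadmin; a real IAM role needs at
                # least one principal, so a deployment would seed it at creation
                "SIPmember": trust_policy([]),
            },
        }
        return {req: (account, "SIPadmin") for req in requesters}

    def sip_user_add(self, adminu, sip_account, u):
        """SIPUserAdd: a SIPadmin admits a user from his own home account."""
        sip = self.sips[sip_account]
        if not can_assume(sip["roles"]["SIPadmin"], user_arn(*adminu)):
            raise PermissionError(f"{adminu} is not a SIPadmin of {sip_account}")
        if u[0] != adminu[0] or u[0] not in sip["assoc"]:
            raise PermissionError("admins may only add users from their home account")
        sip["roles"]["SIPmember"]["Statement"][0]["Principal"]["AWS"].append(user_arn(*u))

    def trust_document(self, sip_account, role):
        """The JSON trust document that would be attached to the role."""
        return json.dumps(self.sips[sip_account]["roles"][role], indent=2)


def demo():
    """Constructed three-organization community; returns the checkable outcomes."""
    a, b, c = "111111111111", "222222222222", "333333333333"
    mgr = SIDManager({(a, "secadmin-a"), (b, "secadmin-b"), (c, "secadmin-c")})
    reply = mgr.handle_sip_request([(a, "secadmin-a"), (b, "secadmin-b")])
    sip_account, role = reply[(a, "secadmin-a")]
    mgr.sip_user_add((a, "secadmin-a"), sip_account, (a, "analyst-a"))
    sip = mgr.sips[sip_account]
    results = {
        "role_returned": role,
        "assoc": sip["assoc"],
        "admin_a": can_assume(sip["roles"]["SIPadmin"], user_arn(a, "secadmin-a")),
        "admin_c": can_assume(sip["roles"]["SIPadmin"], user_arn(c, "secadmin-c")),
        "member_a": can_assume(sip["roles"]["SIPmember"], user_arn(a, "analyst-a")),
    }
    try:   # secadmin-a may not admit a user from organization B
        mgr.sip_user_add((a, "secadmin-a"), sip_account, (b, "analyst-b"))
        results["cross_account_add"] = "allowed"
    except PermissionError:
        results["cross_account_add"] = "denied"
    try:   # a user outside uSet cannot co-request a SIP
        mgr.handle_sip_request([(a, "secadmin-a"), ("444444444444", "outsider")])
        results["outsider_request"] = "allowed"
    except PermissionError:
        results["outsider_request"] = "denied"
    return results
```

`can_assume` reads only the role's trust policy. In a real account the caller's own identity policy must also grant `sts:AssumeRole` on the target role, so this evaluator models the single virtual user_role edge of the slides, not full AWS policy evaluation; the organization C admin is refused here because C is not in the SIP's association, which is exactly the check a SIP account's trust policy encodes.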

Slide 33: Overview

  • Part I: OpenStack
  • Part II: AWS
  • Part III: Azure

Slide 34: Microsoft Azure

  • Popular public cloud software
    – Microsoft Azure is a cloud computing platform and infrastructure created by Microsoft for building, deploying, and managing applications and services through a global network of Microsoft-managed datacenters.

Ref: https://azure.microsoft.com/

Slide 35: Azure Access Control Model

[Diagram labels. Entities: Accounts (A), Azure Active Directories (AAD), AAD Users (AADU), NonAAD Users (NAADU), AADRoles (AADR), Groups (G), Subscriptions (Sub), SubRoles (SubR), Resource Groups (RG), Roles (R), Resources (RS), Services (S), Object Types (OT), Operations (OP), PRMS. Relations: Account Ownership (AO), AAD Ownership (AADO), AAD User Ownership (AADUO), AADRoles Ownership (AADRO), AADAdmin User Assignment (AADAUA), Group Ownership (GO), user_group, Group Assignment (GA), Subscription Ownership (SubO), Subscription Assignment (SA), SubAdmin User Assignment (SAUA), SubRole Ownership (SubRA), RG Ownership (RGO), RG-R pair, User Assignment (UA), Resource Co-Ownership (RO), t_resource, *Permission Assignment (PA), OT Ownership (OTO).]

Slide 36: Azure Access Control Model with SID Extension

[Diagram labels. Entities: SIDs, each containing a Core Project [Sub], SIPs [Sub] and an Open Project [Sub]; Organization Accounts (OA), Users (U), Expert Users (EU), Resource Groups (RG), Roles (R), Resources (RS), Services (S), Object Types (OT), Operations (OP), PRMS. Relations: SID-Association (assoc), SIP/CP/OP Ownership (SIPO/CPO/OPO), RG Ownership (RGO), RG-R pair, User Ownership (UO), User Assignment (UA), Resource Co-Ownership (RO), t_resource, Permission Assignment (PA), OT Ownership (OTO).]

Slide 37: AzureAC-SID Administrative Model

  • SipCreate(uSet, sip, sid)
    /* A set of organization security admin users together create a sip */
  • SipDelete(subuSet, sip, sid)
    /* The same set of security admin users together delete a sip */
  • UserAdd(adminu, u, p, sid)
    /* Admin users add a user from his home account to a CP/SIP */
  • UserRemove(adminu, u, p, sid)
    /* Admin users remove a user from a CP/SIP */
  • OpenUserAdd(u, op, sid)
    /* Users add themselves to an OP */
  • OpenUserRemove(u, op, sid)
    /* Users remove themselves from an OP */
  • ExpertUserAdd(adminu, eu, p, sid)
    /* Admin users add an expert user to a CP/SIP */
  • ExpertUserRemove(adminu, eu, p, sid)
    /* Admin users remove an expert user from a CP/SIP */
  • CopyObject(u, o1, o2, p)
    /* Users copy an object from organization accounts to a CP/SIP */
  • ExportObject(adminu, o1, o2, p)
    /* Admin users export an object from a CP/SIP to organization accounts */

Slide 38: Enforcement

  • Azure Account Resource Division

[Diagram: an Azure Account holds Subscription 1 … Subscription N; each subscription holds resource groups (Resource Group 1-1, Resource Group 1-2, Resource Group 2-1, Resource Group N-1 … Resource Group N-X); each resource group holds virtual machines (VM1, VM2, VM3 …).]

Slide 39: Enforcement

  • Setting up SID service
    – Create two roles in the Core Project account: CPadmin and CPmember
    – CPadmin gives the user limited administrative power: to use the role CPmember and to specify policies for users from his organization.
    – Create one role in the Open Project account: OPmember
    – CPadmin allows all users from the community to access the Open Project account.
    – SID manager maintains a list of security administrative users (uSet) from organizations.

Slide 40: Enforcement

  • SIP request

Slide 41: Conclusion and future work

  • Developed sharing models
    – Formal specification
  • Enhanced dominant cloud IaaS with SID/SIP capabilities
    – Cyber incident response capabilities
      • Self-service
      • SID/SIP-specific security
      • Share data, tools, etc. in an isolated environment
      • Ability to execute and analyze malicious code in an isolated environment
    – Practitioners can deploy a "cyber incident response" cloud
  • Future work
    – more fine-grained access control within a SIP

Slide 42

Thanks!