UTSA Community-Based Secure Information and Resource Sharing in AWS - - PowerPoint PPT Presentation



SLIDE 1

UTSA

Community-Based Secure Information and Resource Sharing in AWS Public Cloud

Cyber Incident Response: A Model for Information and Resource Sharing

Amy (Yun) Zhang, Farhan Patwa, Ravi Sandhu
Institute for Cyber Security, University of Texas at San Antonio
CIC, Oct 2015, Hangzhou, China

Presented by: Ravi Sandhu

SLIDE 2

Public Cloud

  • Public cloud provides cloud services for self-service use by the general public over the internet.
  • Amazon Web Services (AWS)
  • Communities in public cloud
    – organizations with a shared concern, such as mission, security requirements, business models, etc.
    – self-formed and self-organized.

SLIDE 3

Cyber Collaboration Initiatives

  • Cyber attacks are becoming increasingly sophisticated.
    – Hard to defend by a single organization on its own.
  • Collaborate to enhance situational awareness
    – Share cyber information in the community
      • Malicious activities
      • Technologies, tools, procedures, analytics.

Ref: www.huffingtonpost.co.uk/2013/04/23/uk-government-faces-1000-cyber-attacks-a-day_n_3138164.html

SLIDE 4

Secure Isolated Domain (SID) Model

[Figure: a Secure Isolated Domain (SID) containing a Core Project (CP), an Open Project (OP), and Secure Isolated Projects SIP-1 to SIP-n]

SLIDE 5

SID Model

[Figure: the SID (Core Project, Open Project, Secure Isolated Projects SIP-1 to SIP-n) shared by the community organizations Org-1 to Org-m and by Experts Expert-1 to Expert-k]

SLIDE 6

Assumptions and Scope

  • In a public cloud platform
    – Amazon Web Services (AWS)
  • Sharing amongst a set of organizations
    – Sensitive cyber information, infrastructure, tools, analytics, etc.
    – May share malicious or infected code/systems (e.g. viruses, worms, etc.)
  • Focus on access control model

SLIDE 7

Amazon Web Services (AWS)

  • Dominant public cloud software
    – Amazon Web Services (AWS), a collection of remote computing services, also called web services, make up a cloud-computing platform offered by Amazon.com.

Ref: https://en.wikipedia.org/wiki/Amazon_Web_Services

SLIDE 8

AWS Access Control Model

  • AWS Access Control within a Single Account

[Figure: AWSAC model within a single account. Entities: Users (U), Groups (G), “Roles” (R), Accounts (A), Services (S), Operations (OP), Object Types (OT), permissions (PRMS). Relations: User Ownership (UO), Group Ownership (GO), Roles Ownership (RO), OT Ownership (OTO), user_group, virtual user_role, Virtual Permission Assignment (VPA)]

SLIDE 9

AWS Access Control Model

  • AWS Access Control Across Accounts [Users in account A access services and resources in account B]

[Figure: cross-account AWSAC model. Account A: Users (U), User Ownership (UO). Account B: “Roles” (R), Roles Ownership (RO), Services (S), Operations (OP), Object Types (OT), PRMS, OT Ownership (OTO), Virtual Permission Assignment (VPA). A virtual user_role relation links users in account A to roles in account B]

SLIDE 10

SID Model

[Figure (repeated from slide 5): the SID (Core Project, Open Project, Secure Isolated Projects SIP-1 to SIP-n) shared by the community organizations Org-1 to Org-m and by Experts Expert-1 to Expert-k]

SLIDE 11

AWS Access Control Model with SID Extension

[Figure: AWSAC model with the SID extension. Community Organizations: Users (U), Accounts (A), User Ownership (UO). Non-community Organizations: Expert Users (EU), Accounts (A), User Ownership (UO). The Secure Isolated Domain (SID) holds the Core Project (CP), the Open Project (OP) and the Secure Isolated Projects (SIP), each with its own “Roles” (R), Roles Ownership (RO), Services (S), Operations (OP), Object Types (OT), PRMS, OT Ownership (OTO) and Virtual Permission Assignment (VPA). Relations: SID_association (uSet), SIP_association (assoc), virtual user_role (VUR)]

SLIDE 12

AWSAC-SID Administrative Model

  • SipCreate(subuSet, sip)
    /* A subset of organization security admin users together create a SIP */
  • SipDelete(subuSet, sip)
    /* The same subset of security admin users together delete a SIP */
  • CpUserAdd(adminu, u)
    /* CP admin adds a user from his home account to CP */
  • CpUserRemove(adminu, u)
    /* CP admin removes a user from CP */
  • SIPUserAdd(adminu, u, r, sip)
    /* SIP admin adds a user from his home account to the SIP */
  • SIPUserRemove(adminu, u, r, sip)
    /* SIP admin removes a user from the SIP */
  • OpenUserAdd(u)
    /* Users add themselves to OP */
  • OpenUserRemove(u)
    /* Users remove themselves from OP */

SLIDE 13

AWSAC-SID Administrative Model

  • CpEUserAdd(adminu, eu)
    /* CP admin adds an expert user to CP */
  • CpEUserRemove(adminu, eu)
    /* CP admin removes an expert user from CP */
  • SipEUserAdd(adminu, eu, r, sip)
    /* SIP admin adds an expert user to the SIP */
  • SipEUserRemove(adminu, eu, r, sip)
    /* SIP admin removes an expert user from the SIP */
  • CpCopyObject(u, o1, o2)
    /* Users copy an object from organization accounts to CP */
  • CpExportObject(adminu, o1, o2)
    /* Admin users export an object from CP to organization accounts */
  • SipCopyObject(u, r, o1, o2, sip)
    /* Users copy an object from organization accounts to a SIP */
  • SipExportObject(adminu, o1, o2, sip)
    /* Admin users export an object from a SIP to organization accounts */
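As an added example (not the authors' code), a toy model of the slide 12 and 13 administrative operations SipCreate, SIPUserAdd and OpenUserAdd: the slides give only the operation names and one-line comments, so the preconditions enforced here (requesters must be security admins from uSet, a SIP admin may only add users from his own home account, the role must be SIPadmin or SIPmember) are this example's reading of them, and the account ids are constructed placeholders.

```python
# Toy model of the AWSAC-SID operations on slides 12-13. The preconditions are this
# example's reading of the slides' one-line comments, not the authors' formal spec.
from dataclasses import dataclass, field

SIP_ROLES = {"SIPadmin", "SIPmember"}  # the two roles created in a SIP account (slide 17)

@dataclass(frozen=True)
class User:
    name: str
    account: str  # home organization account (constructed 12-digit ids in the test)

@dataclass
class Sip:
    orgs: set                                    # organization accounts associated with the SIP
    members: dict = field(default_factory=dict)  # user name -> SIP role

@dataclass
class Sid:
    uSet: set                                    # security admin users held by the SID manager
    sips: dict = field(default_factory=dict)
    op_members: set = field(default_factory=set)

    def sip_create(self, sub_uset, sip):
        """SipCreate(subuSet, sip): a non-empty subset of uSet jointly creates a SIP."""
        if not sub_uset or not set(sub_uset) <= self.uSet or sip in self.sips:
            return False
        new = Sip(orgs={u.account for u in sub_uset})
        for u in sub_uset:                       # requesters receive the SIPadmin role
            new.members[u.name] = "SIPadmin"
        self.sips[sip] = new
        return True

    def sip_user_add(self, adminu, u, r, sip):
        """SIPUserAdd(adminu, u, r, sip): a SIP admin adds a user from his own home account."""
        target = self.sips.get(sip)
        if target is None or target.members.get(adminu.name) != "SIPadmin":
            return False                         # only a SIPadmin of this SIP may add users
        if r not in SIP_ROLES or u.account != adminu.account or u.name in target.members:
            return False                         # valid role, same home account, not a member yet
        target.members[u.name] = r
        return True

    def open_user_add(self, u):
        """OpenUserAdd(u): a user of any community organization joins the Open Project."""
        if u.account not in {a.account for a in self.uSet}:
            return False
        self.op_members.add(u.name)
        return True
```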

SLIDE 14

Enforcement

  • SID Service Setting-up

[Figure: SID Manager Account: Users (U), User Ownership (UO), “Roles” (R) with a Special Permission Assignment. SID Operational Accounts: “Roles” (R), Roles Ownership (RO), Services (S), Operations (OP), Object Types (OT), PRMS, OT Ownership (OTO), Virtual Permission Assignment (VPA). The virtual user_role relation is realised by AssumeRole]

SLIDE 15

Enforcement

  • Setting up the SID service
    – Create two roles in the Core Project account: CPadmin and CPmember
    – CPadmin allows the user to have limited administrative power: to use the role CPmember and to specify policies for users from his organization.
    – Create one role in the Open Project account: OPmember
    – CPadmin allows all users from the community to access the Open Project account.
    – The SID manager maintains a list of security administrative users (uSet) from the organizations.

SLIDE 16

Enforcement

  • SIP User Assignment

[Figure: Organization Accounts: Users (U), User Ownership (UO). SIP Accounts: “Roles” (R), Roles Ownership (RO), Services (S), Operations (OP), Object Types (OT), PRMS, OT Ownership (OTO), Virtual Permission Assignment (VPA). The virtual user_role relation is realised by AssumeRole]

SLIDE 17

Enforcement

  • SIP request handling
    – Users from uSet send a SIP request to the SID manager
    – The SID manager creates a SIP
    – The SID manager associates the group of organizations to the SIP
    – Two roles are created in the SIP account: SIPadmin and SIPmember
    – SIPadmin allows the user to have limited administrative power: to use the role SIPmember and to specify policies for users from the organizations to join the SIP
    – The SID manager returns the SIP account number together with the name of the SIPadmin role to each user from uSet.
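An added example, not from the paper, of the enforcement step on this slide: the trust policy the SID manager would attach to the SIPadmin and SIPmember roles so that only the organization accounts associated with the SIP can AssumeRole into it, plus a check that flags a role whose trust has drifted from the association. The document format is the standard IAM role trust policy; the account ids are constructed placeholders, and granting sts:AssumeRole to individual users is assumed to remain each organization's job inside its own account.

```python
# Trust policy for the SIPadmin and SIPmember roles of a SIP account (slide 17) and a
# drift check against the SIP's association. Added example; account ids are constructed
# placeholders and the document format is the standard IAM role trust policy.
import json

ASSUME = {"sts:AssumeRole", "sts:*", "*"}  # actions that grant role assumption

def sip_trust_policy(org_accounts):
    """Trust policy admitting principals from exactly the associated organization accounts."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in sorted(org_accounts)]},
            "Action": "sts:AssumeRole",
        }],
    }

def trusted_accounts(policy):
    """Account ids that may assume the role; '*' marks a trust open to any principal."""
    found = set()
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or not ASSUME & set(actions):
            continue
        principal = st.get("Principal", {})
        aws = principal if principal == "*" else principal.get("AWS", [])
        for p in ([aws] if isinstance(aws, str) else aws):
            found.add("*" if p == "*" else p.split(":")[4])  # arn:aws:iam::<account>:root
    return found

def audit_sip_role(policy, org_accounts):
    """Findings when a SIP role's trust no longer matches the SID manager's association."""
    trusted = trusted_accounts(policy)
    findings = []
    if "*" in trusted:
        findings.append("role is assumable by any AWS principal")
    for acct in sorted(trusted - set(org_accounts) - {"*"}):
        findings.append(f"account {acct} is trusted but not associated with this SIP")
    for acct in sorted(set(org_accounts) - trusted):
        findings.append(f"associated account {acct} cannot assume the role")
    return findings

if __name__ == "__main__":
    sip_orgs = {"111111111111", "222222222222"}  # constructed association of two organizations
    print(json.dumps(sip_trust_policy(sip_orgs), indent=2))
    print(audit_sip_role(sip_trust_policy(sip_orgs | {"333333333333"}), sip_orgs))
```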

SLIDE 18

Conclusion and future work

  • Suggested AWSAC and AWSAC-SID models for the AWS public cloud
    – Allow cyber collaboration across organizations
      • cyber incident response
      • Self-service
  • Future work
    – Explore other model options.
    – Explore local roles in the model.
    – Explore models in other dominant cloud platforms.

SLIDE 19

Thanks!