Hierarchical Secure Information and Resource Sharing in OpenStack Community Cloud
Cyber Incident Response: A Model for Information and Resource Sharing

Amy (Yun) Zhang, Farhan Patwa, Ravi Sandhu, Bo Tang
Institute for Cyber Security, University of Texas at San Antonio
Aug 15, 2015

Presented by: Amy (Yun) Zhang

Slide 2: Community Cloud

  • A community cloud provides services for exclusive use by a specific community, which contains organizations with shared concerns, such as mission, security requirements, business models, etc.
  • Example: a community of financial organizations
  • Platform: OpenStack

Slide 3: Cyber Collaboration Initiatives

  • Cyber attacks are becoming increasingly sophisticated.
    – Hard to defend by a single organization on its own.
  • Collaborate to enhance situational awareness.
    – Share cyber information in the community:
      • Malicious activities
      • Technologies, tools, procedures, analytics

Ref: www.huffingtonpost.co.uk/2013/04/23/uk-government-faces-1000-cyber-attacks-a-day_n_3138164.html

Slide 4: Traditional Cyber Collaboration

  • Traditional collaboration
    – Subscription services
    – Limitations
      • Organizations share information through subscription.
      • Organizations are not actively participating in analyzing and processing the cyber information they submit.
      • Organizations don't directly interact with each other on sharing activities.

Slide 5: Cyber Collaboration in Community Cloud

  • Cloud platform (community)
    – Cyber Security Committee.
    – Organizations routinely collect cyber information.
    – Cross-organization cyber collaborations.

Slide 6: Community Cyber Incident Response Governance

[Figure: governance structure. Elements shown: Incident Response Group, Cyber Security Committee, Organization Security Specialists, External Experts, Conditional Membership, Shared Information.]

Slide 7: Assumptions and Scope

  • In a community cloud platform
  • OpenStack
  • Sharing amongst a set of organizations
    – Sensitive cyber information, infrastructure, tools, analytics, etc.
    – May share malicious or infected code/systems (e.g. viruses, worms, etc.)
  • Focus on the access control model

Slide 8: OpenStack

  • Dominant open-source cloud IaaS software
    – OpenStack software controls large pools of compute, storage, and networking resources throughout a datacenter, managed through a dashboard or via the OpenStack API.

Ref: http://www.openstack.org
Slide 9: OpenStack HMT

  • HMT: Hierarchical Multitenancy
    – D

[Figure: HMT project tree. Cloud contains Domain 1 … Domain n; each domain contains Project 1 … Project p (Project q); a project contains childProject 1 … childProject k (childProject l), each of which may contain child … childProject, continuing to arbitrary depth.]

Slide 10: OSAC Model with HMT

[Figure: OSAC model extended with HMT. Entity sets: Users (U), Groups (G), Domains (D), Projects (P), Roles (R), Tokens (T), Services (S), Permissions (PRMS), Operations (OP), Object Types (OT). Relations: User Ownership (UO), Group Ownership (GO), User Group (UG), Project Ownership (PO), Project-Role Pair (PRP), User Assignment (UA), Group Assignment (GA), Permission Assignment (PA), user_token, token_project, token_roles, token_service. Legend: one-to-one relation, one-to-multiple relation, multiple-to-multiple relation, project hierarchy, role inheritance.]

Slide 11: OSAC-HMT-SID Model

[Figure: OSAC-HMT-SID model. Entity sets: Users (U), Expert Users, Domains (D), Projects (P), Security Projects (SP), Secure Isolated Domain (SID), Secure Isolated Projects (SIP), Core Project (CP), Open Project (OP), Roles (R), Project-Role Pair (PRP). Relations: User Ownership (UO), User Assignment (UA), User Self Subscription (USS), Project Ownership (PO), Security Project Ownership (SPO), SIP Ownership (SIPO), Core Project Ownership (CPO), Open Project Ownership (OPO), Expert User Ownership (EUO), SIP association (assoc). Regions labelled: Routine Cyber Information Process, Cyber Collaboration, Cyber Security Forum, Cyber Security Committee.]

Slide 12: OSAC-HMT-SID Administration Relation and Resources Ownership

[Figure: administrators and the resources they own. Administrators: Cloud admin, Domain admin, Security Project admin, Project admin, Core Project admin, SID admin (Cloud admin), SIP admin. Resources: Community Cloud, Domains, Secure Projects and child Secure Projects, Projects and child Projects, Core Project, SID, SIPs and child SIPs, Open Project.]

Slide 13: OSAC-SID Administrative Model

  • SipCreate(uSet, sip)
    /* A subset of Core Project/domain admin users together create a SIP */
  • SipDelete(uSet, sip)
    /* The same subset of Core Project/domain admin users together delete a SIP */
  • UserAdd(adminuser, r, u, sp, p)
    /* CP/SIP admin can add a user from his home-domain Security Project to CP/SIP */
  • UserRemove(adminuser, r, u, sp, p)
    /* CP/SIP admin can remove a user from the Core Project/SIP */
  • OpenUserSubscribe(u, member, OP)
    /* Users subscribe to the Open Project */
  • OpenUserUnsubscribe(u, member, OP)
    /* Users unsubscribe from the Open Project */
  • CopyObject(u, so1, sp, so2, p)
    /* Copy an object from a Security Project to the Core Project/SIP */
  • ExportObject(adminuser, so1, p, so2, sp)
    /* Export an object from the Core Project/SIP to a Security Project */
  • ExpertUserCreate(coreadmin, eu)
    /* Core Project admin users can create an expert user */
  • ExpertUserDelete(coreadmin, eu)
    /* Core Project admin users can delete an expert user */
  • ExpertUserList(adminuser)
    /* Admin users of the Core Project and SIPs can list expert users */
  • ExpertUserAdd(adminuser, r, eu, proj)
    /* Core Project/SIP admin can add an expert user to the Core Project/SIP */
  • ExpertUserRemove(adminuser, r, eu, proj)
    /* Core Project/SIP admin can remove an expert user from the Core Project/SIP */
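The operation list above states an authorization rule in each comment but does not show what enforcing those rules looks like. The following in-memory toy, added here as an illustration and not code from the slides or from OpenStack, implements SipCreate, UserAdd, CopyObject and ExportObject with the stated checks: a SIP is created only by a set of Core Project/domain admins, an admin may only pull users from the Security Project of his own home domain, anyone in both projects may copy an object into the Core Project/SIP, but only an admin may export one back out. The Cloud and Project classes, the add_domain/add_user set-up helpers (loosely mirroring the set-up steps on the enforcement slides), and the bankA/bankB scenario in demo() are assumptions.

```python
# Added example (not the slides' or OpenStack's code): a toy in-memory model of
# four OSAC-SID administrative operations from slide 13, with the rule from each
# slide comment turned into an explicit check. All structure and names below
# beyond the operation names are assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class User:
    name: str
    home_domain: Optional[str]      # expert (external) users have no home domain


@dataclass
class Project:
    name: str
    kind: str                       # "SP" (Security Project), "CP" (Core Project), "SIP"
    domain: Optional[str] = None    # SPs belong to a domain; CP/SIP live in the SID
    roles: Dict[str, Set[str]] = field(default_factory=dict)   # user -> roles held here
    objects: Set[str] = field(default_factory=set)

    def has_role(self, u: str, r: str) -> bool:
        return r in self.roles.get(u, set())


class Cloud:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.projects: Dict[str, Project] = {"CP": Project("CP", "CP")}
        self.domain_admins: Dict[str, Set[str]] = {}    # domain -> its admin users

    # ---- set-up helpers (assumed; roughly the "set up the cloud" steps) ----
    def add_domain(self, d: str, admin: str) -> None:
        self.users[admin] = User(admin, d)
        self.domain_admins[d] = {admin}
        self.projects[f"SP:{d}"] = Project(f"SP:{d}", "SP", domain=d, roles={admin: {"admin"}})
        self.projects["CP"].roles.setdefault(admin, set()).add("admin")   # domain admin -> CP admin

    def add_user(self, u: str, d: str) -> None:
        self.users[u] = User(u, d)
        self.projects[f"SP:{d}"].roles[u] = {"member"}   # SP admin assigns users to SP as member

    def _is_cp_or_domain_admin(self, u: str) -> bool:
        return self.projects["CP"].has_role(u, "admin") or any(u in a for a in self.domain_admins.values())

    # ---- slide-13 operations ----
    def SipCreate(self, uSet: Set[str], sip: str) -> bool:
        """A subset of Core Project/domain admin users together create a SIP."""
        if not uSet or sip in self.projects or not all(self._is_cp_or_domain_admin(u) for u in uSet):
            return False
        self.projects[sip] = Project(sip, "SIP", roles={u: {"admin"} for u in uSet})
        return True

    def UserAdd(self, adminuser: str, r: str, u: str, sp: str, p: str) -> bool:
        """CP/SIP admin adds a user from his own home-domain Security Project to CP/SIP."""
        target, source = self.projects.get(p), self.projects.get(sp)
        if target is None or source is None or target.kind not in ("CP", "SIP") or source.kind != "SP":
            return False
        if not target.has_role(adminuser, "admin"):
            return False
        if source.domain != self.users[adminuser].home_domain or u not in source.roles:
            return False            # only users of the admin's own domain's SP may be pulled in
        target.roles.setdefault(u, set()).add(r)
        return True

    def CopyObject(self, u: str, so1: str, sp: str, so2: str, p: str) -> bool:
        """A user present in both the SP and the CP/SIP copies an object SP -> CP/SIP."""
        source, target = self.projects.get(sp), self.projects.get(p)
        if source is None or target is None or source.kind != "SP" or target.kind not in ("CP", "SIP"):
            return False
        if u not in source.roles or u not in target.roles or so1 not in source.objects:
            return False
        target.objects.add(so2)
        return True

    def ExportObject(self, adminuser: str, so1: str, p: str, so2: str, sp: str) -> bool:
        """Only a CP/SIP admin may export an object back out to a Security Project."""
        source, target = self.projects.get(p), self.projects.get(sp)
        if source is None or target is None or source.kind not in ("CP", "SIP") or target.kind != "SP":
            return False
        if not source.has_role(adminuser, "admin") or so1 not in source.objects:
            return False
        target.objects.add(so2)
        return True


def demo() -> Dict[str, bool]:
    """Constructed scenario: two organizations' domains sharing through a SIP."""
    c = Cloud()
    c.add_domain("bankA", "alice_admin"); c.add_domain("bankB", "bob_admin")
    c.add_user("ann", "bankA"); c.add_user("bill", "bankB")
    c.projects["SP:bankA"].objects.add("malware_sample_1")
    return {
        "sip_by_admins": c.SipCreate({"alice_admin", "bob_admin"}, "SIP:incident42"),
        "sip_by_plain_user": c.SipCreate({"ann"}, "SIP:rogue"),
        "add_home_user": c.UserAdd("alice_admin", "member", "ann", "SP:bankA", "SIP:incident42"),
        "add_foreign_user": c.UserAdd("alice_admin", "member", "bill", "SP:bankB", "SIP:incident42"),
        "add_by_non_admin": c.UserAdd("ann", "member", "bill", "SP:bankA", "SIP:incident42"),
        "copy_in": c.CopyObject("ann", "malware_sample_1", "SP:bankA", "sample_1_copy", "SIP:incident42"),
        "export_by_member": c.ExportObject("ann", "sample_1_copy", "SIP:incident42", "report", "SP:bankA"),
        "export_by_admin": c.ExportObject("alice_admin", "sample_1_copy", "SIP:incident42", "report", "SP:bankA"),
    }
```

Running demo() shows the asymmetry the model is built around: information flows into the isolated SIP freely for members of both sides, while moving it back out to an organization's Security Project is an administrative decision, and an admin of one domain cannot reach into another domain's Security Project.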

Slide 14: Enforcement

  • Set up the cloud

[Figure: cloud set-up flow. Community Cloud: Cloud Admin assigns domain admins as Domains: Domain Admin. Domain Admin assigns an admin user as Security Project: Admin; that admin user assigns users to the SP as member. SID: Cloud Admin assigns domain admins as Core Project: Admin. Core Project: Admin assigns users from the home domain and expert users as Core Project: member. Users from the domains are assigned as Open Project: member.]

Slide 15: Enforcement

[Figure: SIP set-up flow. SID: Cloud Admin assigns domain admins as Core Project: Admin; Core Project: Admin assigns users from the home domain and expert users as Core Project: member. Create SIP/child SIP/… and assign domain admins as SIP: Admin; SIP: Admin assigns users from the home domain and expert users as SIP: member. The same pattern repeats for child SIP: Admin / child SIP: member, and for each child SIP's … child SIP: Admin / member.]

Slide 16: Conclusion and future work

  • Suggested OSAC-HMT-SID model to OpenStack
    – Cyber collaboration across organizations
      • Cyber incident response
      • Self-service
      • Cyber Security Committee
      • Share data, tools, VMs, etc.
    – Potential blueprint for official OpenStack adoption
  • Future work
    – Explore other model options.
    – Explore local roles in the model.
    – Explore models in other dominant cloud platforms.

Slide 17

Thanks!