The project leading to this work has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 644429
Antonio M. Ortiz, MUSA Project Exploitation Manager
MUlti-cloud Secure Applications
What is multi-cloud?
- Use of different cloud services
- Working in an integrated fashion
- Transparently for the end-user
The MUSA project
- EU Horizon 2020 ICT-2015
  - Call: Advanced Cloud Infrastructures and Services
- MUSA aims at contributing to building up the innovation capacity and technology excellence of the European software and service industry, particularly Cloud services
- Start date: Jan 1st 2015
- Duration: 36 months
- Coordinator: Erkuden Rios, Tecnalia (Spain)
MUSA consortium
The MUSA project - Objectives
- Ensure security in multi-cloud environments
- Provide a framework supporting:
  - The security-intelligent lifecycle management of distributed applications over heterogeneous cloud resources
- Security-by-design mechanisms
- Application self-protection
- Integrated security assurance
Security in multi-cloud applications
- Multi-cloud application:
  - Distributed application over heterogeneous cloud resources. Its components are deployed in or use different cloud service providers and work in an integrated way and transparently for the end-user
- How to secure multi-cloud applications?
- Challenges:
  - Deal with the security of the individual components and,
  - Overall application security
    - Including the communications and the data flow between the components
Challenges
- Enable the security-aware design of distributed applications over heterogeneous cloud resources
- Automatic discovery of the cloud services that match with the application security requirements as well as functional and business needs
- Decision support to select the combinations of cloud services that best match the required balance between security and functional properties
- Automated distributed deployment of the components
- Security assurance through continuous monitoring of components and CSP behaviour
- Integrated methods in both engineering and operation of multi-cloud applications
The MUSA SecDevOps Framework
- MUSA Framework: a holistic framework to support the security-intelligent lifecycle management of multi-cloud applications
[Figure: MUSA SecDevOps Framework overview. Phases: DEVELOPMENT (security-by-design engineering), DEPLOYMENT (secure deployment) and EXECUTION (runtime security assurance), all within a security-intelligent lifecycle (SecDevOps and agile). Tools: MUSA SecDevOps Dashboard used by the agile DevOps team; MUSA Modeller (application architecture modelling); MUSA Risk Analysis & Decision Support Tool (CSP categorization, identify risks and required security controls, select CSPs); MUSA SLA Generator (QoS and QoSec; component SLAs and composite app SLA); MUSA Distributed Deployer (components A, B, C, D deployed across a Private Cloud and Public Clouds 1, 2 and 3); MUSA Security Assurance Platform (SaaS) with monitoring, enforcement and notification services as the mechanisms to ensure security at runtime.]
MUSA Dashboard
- Kanban-styled integration interface (web-based frontend)
  - Each column representing the state of the components
- Multi-cloud application configuration
- Enables individual setup of the application components
- MUSA tools alignment for agile collaboration
- DevOps team can manage
  - Design, deployment and operation lifecycle
MUSA Modeller
- Used to model the application (CAMEL-based)
- Specifies requirements and parameters for the application components
- Enables the creation and update of the Cloud Provider Independent Model (CPIM) of a multi-cloud application
  - Supports CAMEL format
- Requirements specification
- Independent of the cloud services used
- Allows to include security agents from the MUSA security catalogue
  - Will be automatically deployed
MUSA Risk Analysis
- Allows the DevOps team to conduct a continuous risk analysis over a multi-cloud application
- Automatically identifies the potential risks of each application component
  - Indicating a risk severity
- Specific security controls can be selected for each type of potential threat
MUSA Risk Analysis
MUSA Decision Support Tool (DST)
- Facilitates the task of choosing the best cloud provider for each multi-cloud application component
- Provides the DevOps team a list of cloud service combinations
  - Matching the multi-cloud application requirements
  - Analysing the identified potential risks
  - Considering technical and non-technical parameters (e.g., location)
  - To ensure the proposed CSPs are optimal for a given multi-cloud application
- Allows the selection of one of the combinations as a deployment option candidate
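The following is an added example of the kind of search a decision support tool performs; it is not MUSA project code. It assumes a small constructed catalogue of cloud service offers (CSP name, location, implemented security controls, cost), a per-component requirement record derived from the risk analysis (required controls, allowed locations, risk severity), and an assumed ranking heuristic that prefers extra controls on high-severity components and then lower cost. The output is the ordered list of combinations from which the DevOps team would pick a deployment option candidate.

```python
"""Decision-support style search for cloud service combinations.

Added example, not MUSA project code: the catalogue format, the requirement
fields and the ranking heuristic are assumptions made for this illustration.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class CloudService:
    """One catalogued cloud service offer (constructed sample data)."""
    csp: str
    location: str             # non-technical parameter, e.g. for data localisation
    controls: frozenset       # security controls the offer implements
    monthly_cost: float


@dataclass(frozen=True)
class Component:
    """An application component plus the needs derived from the risk analysis."""
    name: str
    required_controls: frozenset   # controls chosen to treat the identified risks
    allowed_locations: frozenset   # where this component's data may reside
    risk_severity: int             # 1 (low) .. 5 (high), from the risk analysis


# Constructed catalogue; CSP names and control names are illustrative only.
CATALOGUE = [
    CloudService("CSP-A", "EU", frozenset({"encryption_at_rest", "mfa", "audit_logging"}), 120.0),
    CloudService("CSP-B", "US", frozenset({"encryption_at_rest", "mfa", "audit_logging", "ddos_protection"}), 90.0),
    CloudService("CSP-C", "EU", frozenset({"encryption_at_rest", "audit_logging", "ddos_protection"}), 150.0),
    CloudService("CSP-D", "EU", frozenset({"mfa"}), 40.0),
]

# Constructed application: a public front-end and a database holding personal data
# that must stay in the EU.
COMPONENTS = [
    Component("web-frontend", frozenset({"ddos_protection"}), frozenset({"EU", "US"}), 3),
    Component("user-db", frozenset({"encryption_at_rest", "audit_logging"}), frozenset({"EU"}), 5),
]


def eligible_services(component, catalogue):
    """Offers that implement every required control in an allowed location."""
    return [
        s for s in catalogue
        if component.required_controls <= s.controls
        and s.location in component.allowed_locations
    ]


def combinations(components, catalogue):
    """Every assignment of an eligible offer to each component."""
    per_component = [eligible_services(c, catalogue) for c in components]
    if any(not options for options in per_component):
        return []   # some component has no matching offer: nothing to propose
    return [dict(zip((c.name for c in components), choice))
            for choice in product(*per_component)]


def ranking_key(combination, components):
    """Assumed heuristic: more extra controls on high-severity components first,
    then lower total monthly cost. Returns a tuple usable as a sort key."""
    extra = sum(c.risk_severity * len(combination[c.name].controls - c.required_controls)
                for c in components)
    cost = sum(combination[c.name].monthly_cost for c in components)
    return (-extra, cost)


def rank_combinations(components, catalogue):
    """Candidate deployment options, best first."""
    return sorted(combinations(components, catalogue),
                  key=lambda combo: ranking_key(combo, components))


if __name__ == "__main__":
    for option in rank_combinations(COMPONENTS, CATALOGUE):
        print({name: s.csp for name, s in option.items()}, ranking_key(option, COMPONENTS))
```

With the constructed data the location constraint removes the cheaper US offer for the database component, so only EU offers appear for it, while the front-end may use either region; the first ranked option is the candidate the team would take forward to the deployer.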
MUSA Decision Support Tool (DST)
MUSA Deployer
- Facilitates the creation of an implementation plan
- Enables the automatic execution of the multi-cloud application components deployment
- Also copes with the security of the multi-cloud application
  - Acquires resources on selected CSPs that cover the specified security requirements
  - Automatically deploys the security enforcement agents selected by the DevOps team
MUSA Deployer
MUSA SLA Generator
- Allows the specification and creation of service level agreements (SLAs)
  - For each component of the multi-cloud application, and
  - For the whole multi-cloud application (composite SLA)
- Enables to determine countermeasures to be taken into account at the design stage
  - To thwart the main existing threats and assess the effective security
- The MUSA SLA Generator is based on
  - The multi-cloud application model
  - The required security controls
  - The selection of the combination of cloud services
MUSA SLA Generator
Multi-cloud application runtime
- The DevOps team deploys the multi-cloud application components, as specified in the implementation plan
- Once the components are deployed, the DevOps team can monitor the application using the MUSA Security Assurance Platform (SecAP)
The MUSA SecAP
Three main services:
- Monitoring, capable of collecting security properties using standard APIs, cloud interoperability frameworks, or measures taken by MUSA monitoring agents
- Notification to the application provider about detected security-relevant incidents
- Enforcement to ensure that the multi-cloud application respects the security requirements in its SLA, by means of MUSA enforcement agents
Multi-cloud application contract verification is supported by the composition of measures of low-level metrics.
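The example below, added here and not MUSA SecAP code, works through the two ideas above together: the component SLAs and composite SLA produced by the SLA Generator, and the runtime verification of those SLAs from low-level agent measures. Everything in it is assumed: the measure record format, the metric names, the SLA objective structure (metric, comparison, threshold), and the mapping from a violated metric to an enforcement agent. The measures themselves are constructed for three components A, B and C; each verification round returns the violations, the notification texts for the application provider, and the enforcement decisions.

```python
"""SLA verification at runtime from monitoring-agent measures.

Added example, not MUSA SecAP code: the measure format, metric names, SLA
structure and enforcement mapping are assumptions; all measures are constructed.
"""
from collections import defaultdict
from statistics import mean

# Constructed measures reported by network, system and application monitoring
# agents for the three components (A, B, C) of a multi-cloud application.
MEASURES = [
    {"component": "A", "agent": "network", "metric": "tls_version", "value": 1.2},
    {"component": "A", "agent": "system", "metric": "patch_age_days", "value": 12},
    {"component": "A", "agent": "application", "metric": "failed_auth_rate", "value": 0.01},
    {"component": "B", "agent": "network", "metric": "tls_version", "value": 1.0},
    {"component": "B", "agent": "system", "metric": "patch_age_days", "value": 45},
    {"component": "B", "agent": "application", "metric": "failed_auth_rate", "value": 0.02},
    {"component": "C", "agent": "network", "metric": "tls_version", "value": 1.3},
    {"component": "C", "agent": "system", "metric": "patch_age_days", "value": 3},
    {"component": "C", "agent": "application", "metric": "failed_auth_rate", "value": 0.09},
]

# Component SLA: security objectives as (metric, comparison, threshold); the same
# SLA applies to every component in this example.
COMPONENT_SLA = [
    ("tls_version", ">=", 1.2),
    ("patch_age_days", "<=", 30),
    ("failed_auth_rate", "<=", 0.05),
]

# Composite SLA: objectives on metrics composed from all components' measures.
COMPOSITE_SLA = [
    ("min_tls_version", ">=", 1.2),        # the weakest link decides
    ("max_patch_age_days", "<=", 30),      # the least patched component decides
    ("mean_failed_auth_rate", "<=", 0.05),
]

# Assumed mapping from a violated component metric to the enforcement agent to activate.
ENFORCEMENT = {
    "tls_version": "activate TLS policy agent (reject versions below 1.2)",
    "patch_age_days": "schedule patch enforcement agent",
    "failed_auth_rate": "activate rate-limiting agent on the authentication endpoint",
}


def holds(value, op, threshold):
    """Evaluate one objective; only '>=' and '<=' are used in this example."""
    return value >= threshold if op == ">=" else value <= threshold


def latest_values(measures):
    """Latest value of each metric per component (later measures overwrite earlier ones)."""
    values = defaultdict(dict)
    for m in measures:
        values[m["component"]][m["metric"]] = m["value"]
    return values


def check_component_slas(measures, sla):
    """(component, metric, value) for every objective a component fails.
    A metric with no measure is reported too: missing evidence is not compliance."""
    violations = []
    for component, values in sorted(latest_values(measures).items()):
        for metric, op, threshold in sla:
            if metric not in values:
                violations.append((component, metric, "no measure"))
            elif not holds(values[metric], op, threshold):
                violations.append((component, metric, values[metric]))
    return violations


def compose_metrics(measures):
    """Application-level metrics composed from the low-level component measures."""
    per_component = list(latest_values(measures).values())

    def column(metric):
        return [v[metric] for v in per_component if metric in v]

    return {
        "min_tls_version": min(column("tls_version")),
        "max_patch_age_days": max(column("patch_age_days")),
        "mean_failed_auth_rate": round(mean(column("failed_auth_rate")), 3),
    }


def check_composite_sla(measures, sla):
    """('app', metric, value) for every failed objective of the composite SLA."""
    composite = compose_metrics(measures)
    return [("app", metric, composite[metric])
            for metric, op, threshold in sla
            if not holds(composite[metric], op, threshold)]


def verify(measures, component_sla, composite_sla):
    """One verification round: violations, notification texts and enforcement decisions."""
    violations = (check_component_slas(measures, component_sla)
                  + check_composite_sla(measures, composite_sla))
    notifications = [f"SLA violation: {c} {metric}={value}" for c, metric, value in violations]
    actions = sorted({ENFORCEMENT[metric] for c, metric, _ in violations
                      if c != "app" and metric in ENFORCEMENT})
    return {"violations": violations, "notifications": notifications, "enforcement": actions}


if __name__ == "__main__":
    report = verify(MEASURES, COMPONENT_SLA, COMPOSITE_SLA)
    print("\n".join(report["notifications"]))
    print("\n".join(report["enforcement"]))
```

Note how the composition rule matters: the mean failed-authentication rate across components stays within the composite objective even though component C alone breaches its own SLA, whereas the minimum TLS version and the maximum patch age propagate a single weak component into a violation of the whole application's contract.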
The MUSA Security Assurance Platform (MUSA SecAP) - SaaS
[Figure: MUSA Security Assurance Platform (SaaS) providing Monitoring, Enforcement and Notification Services.]
Runtime Security Assurance - Monitoring
[Figure: after the cloud service combination (CSP 1, CSP 2, CSP 3, ...) is selected, components A, B and C of the multi-cloud application run on CSP 1, CSP 2 and CSP 3. Monitoring agents (network, system, application) report to the Monitoring, Enforcement and Notification Services of the MUSA Security Assurance Platform (SecAP, SaaS), which ensures security at runtime, raises SLA violations against the component SLAs and the composite app SLA, and feeds back the monitored security behaviour of CSPs to the MUSA Risk Analysis & Decision Support Tool (CSP categorization, select CSPs).]
Runtime Security Assurance
[Figure: same layout as the monitoring view, now showing the security enforcement agents: activation, deployment together with the application component, or deployment as a service (Deployment-aaS). The agents act on SLA violations raised by the Monitoring, Enforcement and Notification Services of the MUSA Security Assurance Platform (SecAP, SaaS), and the monitored security behaviour of CSPs is fed back to the MUSA Risk Analysis & Decision Support Tool.]
Tools in the MUSA Framework
- MUSA tools are all open source
- First prototypes available to test! www.musa-project.eu
[Figure: the DevOps Team (Application Developers, Business Managers, Service Administrators, System Operators) works through the MUSA SecDevOps Dashboard with the MUSA Modeller, MUSA Risk Analysis & Decision Support Tool, MUSA SLA Generator, MUSA Deployer and MUSA Security Assurance Platform (SaaS).]
MUSA success stories
The MUSA Framework and its individual tools can be used in a wide range of multi-cloud applications. During the project, two application use cases are being developed.
Smart Mobility
- Energy efficient and sustainable multi-modal transit of Tampere citizens when commuting from home to work and vice versa
- Based on services exposed in the Intelligent Transport Systems and Services (ITS) platform (http://wiki.itsfactory.fi)
- Confidentiality and privacy of citizens' personal data and location
Airline Flight Scheduling
- NetLine/Sched prototype by Lufthansa Systems
- Data localisation, data retention and deletion, data integrity, confidentiality, access control, etc.
Thank you!
MUlti-cloud Secure Applications
Antonio M. Ortiz, MUSA Exploitation Manager, Montimage EURL R&D, [email protected]
www.musa-project.eu, @MUSA_project, MUSA project (Group), MUSA Project