Secure Cloud Computing for Critical Infrastructures€¦ · • Analyse and relate the whole of mobility ... Simpson, S., and Smith, P., “Whitepaper "AF 1.0" SECCRIT Architectural

AIT Austrian Institute of Technology • ETRA Investigación y Desarrollo • Fraunhofer Institute for Experimental Software Engineering IESE • Karlsruhe Institute of Technology • NEC Europe • Lancaster University • Mirasys

• Hellenic Telecommunications Organization OTE• Ayuntamiento de Valencia • Amaris

SEcure Cloud computingfor CRitical Infrastructure IT

Aleksandar Hudic and Christian WagnerAIT Austrian Institute of Technology

Secure Cloud Computing for Critical Infrastructures

Source: http://www.soompi.com/

The SECCRIT Project – Hard Facts

• Research project on secure Cloud Computing for critical infrastructure IT

• 10 Partners from Austria, Finland, Germany, Greece, Spain and the UK.

• Project budget 4.8 Mio, partly funded by the European Union

• Project duration 1.1.2013 – 31.12.2015

• about 61.748% of the project completed

• 25 public deliverables

07.11.2014 © SECCRIT Consortium 3

What are Critical Infrastructures


Everything goes to Cloud


Motivation – Why would someone do that?



Motivation – Why would someone do that?

• Possible reduction of costs

• Pay as you use

• Managing peak loads


• Scalable computing resources

• Potential increased availability

now back to the project

SECCRIT’s Overall Goal

analyse and evaluate cloud computing with respect to security risks in sensitive environments i.e. critical infrastructures

o Traffic Control o Public Safety (CCTV)

to develop o methodologies o technologies, o best practices for

• secure, • trustworthy, • high assurance• legal compliant

cloud computing environments for critical infrastructure IT.Investigate real-world problems


Problem Definition – High Level

• Requirements for cloud applications vary o Commercial applications mainly focus on scalability & elasticity

o Requirements in CI regarding: overall redundancy, data availability, authenticity, secure access, trust and protection of the citizens are typically higher than in commercial applications.

o Common Users Requirements converge with what is CI standard


Problem Definition – High Level

• What is the problem?o Cloud services abstract over used resources, are opaque and make it

hard to• determine technical reasons for (security) failure and hence make• the development of countermeasures

o This also implies, from a legal perspective, that it is hard to • determine who’s fault it is and • to show one hasn’t acted negligent


SECCRIT Demonstrator: Traffic Control


• Gather traffic data from traffic sensors on the road

• Store traffic data in data bases• Generate data and reports about traffic

status and traffic evolution• Analyse and relate the whole of mobility

data• Support to define mobility polices and

traffic control strategies• Control traffic on the road by Traffic

Controllers, Traffic Ligths, Variable Messages Signals, etc.

• Public transportation priority by strategies like offering traffic lights priority

Execute traffic control strategies by operators manual actions or by automatic procedures.

SECCRIT Demonstrator: Public Safety (CCTV)


MetroSub CitySec TelCom

The Subway Operator

The Security Service Provider

The Tenant System Mgmt

CloudCorp

The Cloud Mgmt Provider

TenSys

The Telecom Operator

Key Objectives


Legal Guidance on Data

Protection and Evidence

Understand and manage

risk associated with cloud

environments

Understand cloud behavior in the face of challenges

Establish best practices for secure cloud

service implementations

Demonstration of output in real-world application scenarios

Key Objectives ↔ Activities & Output


Legal Guidance on Data

Protection and Evidence

Definition of legal guidance

on SLA compliance, provision of

evidence, and data

protection for cloud services

Understand and manage

risk associated with cloud

environments

Risk Assessment

and Management Methodology

Policy Specification Methodology

and Tool

Cloud Assurance Profile and Evaluation

Method

Understand cloud behavior in the face of challenges

Anomaly Detection

Techniques and Tools

Policy Decision and Enforcement

Tools

Cloud Resilience

Management Framework

Tools for Audit Trails and

Root Cause Analysis

Establish best practices for secure cloud

service implementations

Model Driven Cloud Security

Guidelines

Demonstration of output in real-world application scenarios

Demo 1: Storage and

Processing of Sensitive Data

Demo 2: Hosting

Critical Urban Mobility ServicesOrchestration

Secure Cloud Storage

SECCRIT Output

a) Techno-legal guidanceb) Novel Risk Assessment Approaches c) Cloud Security Policy Specification and Enforcement

Framework d) Resilience Management Framework (incl. anomaly

detection and virtual component deployment)e) Forensic Analysis via Audit Trails for Root Cause

Analysis (incl. secure cloud storage)f) Cloud Assurance Approaches g) Process-Oriented Security Guideline and Best Practise

Approaches


SECCRIT Output

a) Techno-legal guidanceb) Novel Risk Assessment Approaches c) Cloud Security Policy Specification and Enforcement

Framework d) Resilience Management Framework (incl. anomaly

detection and virtual component deployment)e) Forensic Analysis via Audit Trails for Root Cause

Analysis (incl. secure cloud storage)f) Cloud Assurance Approaches g) Process-Oriented Security Guideline and Best Practise

Approaches


Techno-Legal Guidance

Legal Questions

• „Security Service Operator“ uses cloud services• Uses integrated analysis

cloud service (B-AG) andvideo management cloud service (C-AG)

• Analysis cloud service + video managementrun on virtual server

• video management cloud serviceuses DB (Y-AG)

• Y-AG uses storage service


SECCRIT Architectural Framework

What do we mean when we talk about Cloud?


R. Bless, Flittner, M., Horneber, J., Hutchison, D., Jung, C., Pallas, F., Schöller, M., Shirazi, S. Noor ul Ha, Simpson, S., and Smith, P., “Whitepaper "AF 1.0" SECCRIT Architectural Framework”. 2014. (and IEEE CloudCom)

Cloud Risk Assessment

Cloud Risk Assessment

• There are different stakeholder viewpoints to considero The Cloud Service Provider

• In SECCRIT is decomposed into sub roles, including the Tenant and Cloud Infrastructure Provider

o The Critical Infrastructure Service Provider

• When should an assessment be performed?o At the point of deployment, to determine whether to use the Cloud and/or

which provider and deployment model to use

o During the operation of a service, e.g., periodically or in response to changes in the deployment environment caused by scaling


Major Contributions

1. An analysis of risk perceptions regarding the use of cloudo Performed on an individual and organisational basis

2. An extensive cloud-specific threat and vulnerability catalogue that can support a risk assessment

3. An extension to a standard risk assessment process to support critical infrastructure service providers determine the risk of cloud deploymento Supported by the SECCRIT threat and vulnerability catalogue and the

open-source Verinice ISMS tool

4. Identified a set of cloud infrastructure metrics that could be used to support online risk assessment

The SECCRIT Threat and Vulnerability Catalogue

Primary data sources:

1. Performed an extension literature survey of existing catalogues and organisations of threats and vulnerabilities, e.g., CSA’s “Notorious Nine”

2. Carried out a structured security analysis, based on the SECCRIT architectural framework and different deployment models

3. Leveraged findings from the cloud risk survey


Management-oriented View

Box model Virtualenvironment

Local scaling Resourcepooling

The SECCRIT Threat and Vulnerability Catalogue

• Organised items into categories – NIST’s essential characteristics of cloud computing at the core

• Identified impact type, i.e., CIA, and references when possible


Cloud Risk Deployment Assessment Process


Conclusion

• Four major contributions:

1. An analysis of risk perceptions regarding the use of cloud2. An extensive cloud-specific threat and vulnerability catalogue3. Extension to a standard risk assessment process to support critical

infrastructure service providers determine the risk of cloud deployment

4. Cloud infrastructure metrics that could be used to support online risk assessment

• The threat and vulnerability catalogue is being put forward as a contribution to the ETSI ISG on Network Function Virtualisation (NFV)


Cloud Assurance Approaches

Cloud Assurance Framework


Assurance Level

1-7

MO

NITO

RIN

G A

RTIFA

CTS

Aspects of Assurance


Research questions / challenges


R. Bless, Flittner, M., Horneber, J., Hutchison, D., Jung, C., Pallas, F., Schöller, M., Shirazi, S. Noor ul Ha, Simpson, S., and Smith, P., “Whitepaper "AF 1.0" SECCRIT Architectural Framework”. 2014. (and IEEE CloudCom)

How to assure that security propertiesare met across distinct cloud layerswith different stake holders?

How to derive continuous assessmentof security properties across theclouds architecture?

How can security be assessed,measured or scaled in respect to acertain predefined set of securityproperties (assurance levels)?

How to aggregate/inherit securityacross different stake holders inCloud?

Levels of Abstraction (The SECCRIT architecture)

Security properties


• Security-aware SLA specification language and cloud security dependency model

• Certification models• Core Certification mechanisms

• Methodologies for Risk Assessment and Management

• The Notorious Nine: Cloud Computing Top Threats in 2013

Identified categories/properties


ID SECURITY PROPERTY CATEGORY VULNERABILITY THREATS DEPENDENCIES

SP_1 User Authentication and Identity assurance level Identity Assurance

Loss of human-operated control point to verify security and privacy settings

Data Breaches , Data Loss, Shared Technology Vulnerabilities

NoneInsufficient authentication security, e.g., weak authentication mechanisms, on the cloud

management interface

Account or Service Traffic Hijacking Insecure Interfaces and APIs, Malicious Insiders

SP_2Data deletion quality level Data Disposal Data recovery vulnerabilities, e.g., unauthorised

access to data in memory or on disk from previous users

Data Breaches, Account or Service Traffic Hijacking, Insecure Interfaces and APIs, Malicious Insiders,

Insufficient Due DiligenceNone

SP_3Storage Freshness Durability Data recovery vulnerabilities, e.g., unauthorised

access to data in memory or on disk from previous users

Data Breaches, Account or Service Traffic Hijacking, Insecure Interfaces and APIs, Malicious Insiders,

Insufficient Due DiligenceNone

SP_4Data alteration prevention /

detectionIntegrity Poor/ no integrity checks of the billing information Data Breaches

Insecure Interfaces and APIs Insufficient Due Diligence

SP_1, SP_2, SP_3

SP_5

Storage Retrievability Durability Poor/ no backup & restore strategy is in place to prevent the loss of billing information, e.g., in the

case of a system failure

Data BreachesInsecure Interfaces and APIs Insufficient

Due DiligenceSP_4

SP_6Data leakage detection /

prevention Data Leakage Poor/ no encryption of the VM data through a

wide-area migration processData Breaches

Malicious InsidersShared Technology Vulnerabilities

SP_5

SP_7 Cryptographic module protection level Key Management

Unmonitored and unencrypted network traffic between VMs is possible, e.g., for VMs on the

same node through virtual network Unencrypted physical storage, which is the

underlying for allocated virtual storage of the VMs

Insufficient Due DiligenceShared Technology

Vulnerabilities Data Breaches

Malicious Insiders

None


GROUP OF EVALUATION

Assurance Assessment Framework

Virtual Infrastructure LevelTenant

Physical InfrastructureLevelCloud Infrastructure

Application Level Critical Infrastructure

ABSTRACTION LEVEL

UserLevel

Target of Evaluation

Common Criteria Framework for Information Technology Security Evaluation, CCDB USB Working Group, 2012, part 1-3. Online available: http://www.commoncriteriaportal.org.

GROUP OF EVALUATION

Framework elements: • Component of Evaluation (CoE)

o Component dependencies (CD)o Association (AS)

• Group of Evaluation (GoE)• Target of Evaluation (ToE)

Assurance Profile:o Assurance Type (AT)o Assurance Properties (AP)o Assurance Class (AC)o Security Objectives (SO)o Assessment Interval (AI)

Initial assurance policy set


INITIAL POLICY SET∀ALK ∈ ACX: !∃ VS, (1)

VS = {SPV1, SPV2 … SPVN}, (2)SPVi= [ SP1, SP2, SP3, SP4], SPi = {0,1} (3)

∀VS ∈ ALK : !∃ SPVi, i ∈ (4)∀ SPVi ∈ ACX: |SPVi| = k (5)

ACX= {SPV1, SPV2, SPV3, … SPVn} (6)

∅(7)

ACSAL = ⍝ACX (SPVi) , ACX ∈CoEM, i∈ {1…N} (8)ACSAL(i) ⊢ DALVS(i) (9)

ALVS ⊆ DALVS (10)(DALVS(i) ∧ ALVS(i)) ⇒ AL(ACX)=i, ACX ∈ CoEM (11)!∃ ALi ⊧ ∀Min(CALj) i∈ {1…7}, j∈ {1…N} (12)

• Each assurance class is associated with at least on vector set

• Vector set is a compound of N Security Property vectors

• Security Property Vector is a set of K Security Properties associated with true or false

• Each Vector Set of a particular Assurance Level is associated with

• All Security Property Vectors in a class have the same cardinality

• Assurance Class is a compound of distinct Security property vectors

• Individual SPV can be found only at one Assurance class

• Bitwise conjunction of Security property vector bits of an individual Assurance Class

• Assurance Class of the evaluated object directly depends on the assurance of the associated components

Service abstraction


Service/infrastructure abstraction via the General tree model:

Clustering assurance class properties to a particular assurance level

Prototype use cases analysis


(a)

(b)

GENERAL TREE MODEL ANALYSIS:

• tree traversal post order method• level based bit conjunction• vertical post order assurance aggregation

Assurance calculation algorithm


begin procedure:for i=k … i=1 doif (∀ CoEC (SPV[i]) ∃! ALM, M ∈ {1,2,…,7}) {

AL = M;end procedure

}else if (∏ CoE SPV i 0) {

discard ∀ SPV where SPV[i] =1;continue;

}else (∏ CoE SPV i 1) {

discard ∀ SPV where SPV[i] =0;continue;

}end procedure

Algorithm steps:

1. Bitwise conjunction SPV[i] for each vector in an Evaluated Vectors Set

2. Reducing the potential combination set

3. Checking the remained subset

Future work


• Building a comprehensive security property catalogue in line with the

critical infrastructure requirements (demo partner feedback)

• Investigating whether the current Cloud monitoring tools are capable of

conducting cross layer monitoring or supporting assurance approach

• Demonstrating the approach by applying it on general demo scenario,

in line with both of our demo scenarios, on OpenStack

Conclusion

• customizable framework for analyzing predefined set of security properties across the cloud stack

• user and provider centric• advanced and transparent monitoring model across

cloud stack• autonomic and cumulative analysis of the cloud

infrastructure• technology independent assessment framework• integration of exiting work of SECCRIT project e.g.:

monitoring, root cause and forensic analysis tools, legal requirements, vulnerability catalogue


Any Questions?


AIT Austrian Institute of Technology • ETRA Investigación y Desarrollo • Fraunhofer Institute for Experimental Software Engineering IESE • Karlsruhe Institute of Technology • NEC Europe • Lancaster University • Mirasys

• Hellenic Telecommunications Organization OTE• Ayuntamiento de Valencia • Amaris

SEcure Cloud computingfor CRitical Infrastructure IT

Contact

Aleksandar Hudic, Christian WagnerAIT Austrian Institute of Technology

[email protected], [email protected]

Documents

Secure Cloud Computing for Critical Infrastructures€¦ · • Analyse and relate the whole of mobility ... Simpson, S., and Smith, P., “Whitepaper "AF 1.0" SECCRIT Architectural