Security Policy Management for Humans:Textual-Analysis Tools to Streamline Security

Gabriel A. Weaver, and Sean W. SmithDartmouth College

Outline

The ProblemOur Approach Two Examples of Parallel Challenges in PKI/Cloud Conclusion

The Problem

Human judgment is a necessary part of security

CustomersProviders

A

B

C

HumanspaceCyberspace

Customers need to evaluate cloud providers

Comparison

AuditAnalysis

CustomersProviders

A

B

C

HumanspaceCyberspace

Securitypolicies,

assessments

AuditAnalysis

CustomersProviders

A

C

HumanspaceCyberspace

Audit Request

AuditAnalysis

AuditRequest

Providers have an assurance burden

Our Approach

We recognize many policies are structured text

Network Configuration Management

Power Grid

Public Key Infrastructure

interface 2interface 3

Section 1Section 2

voltage current

HKLMHKCC

Comparison

Humanspace

AuditAnalysis

Cyberspace

PMU Data

Registry Data

Cisco IOS

Certificate Policies

We observed problems in real-world security processes.

Network Configuration Management

Cisco IOS

Power GridPMU Data,

Registry Data

Public Key Infrastructure

Certificate Policies

DataVolume Moving Target Increasing

ComplexityLayer

Synchronization

Real-World Challenges in PKI

The whitespace problem shows that policy may contain contradictory information. If such a policy is accredited, then it exposes the FPKIPA or IGTF to risk [Weaver et al., 2010].

Analysts need to synchronize CPs across member organizations of the grid. [Rea, S., 2011].

The volume of natural-language policy is more than humans can efficiently handle [Weaver et al., 2009, 2010].

Public Key Infrastructure

Certificate Policies

DataVolume Moving Target Increasing

ComplexityLayer

Synchronization

Real-World Challenges in PKI and the Cloud

Cloud Cloud Providers (CP) need to deal with high-volume of audit requests [Catteddu and Hogben, 2009].

Cloud Customers (CC) need to be able to compare different cloud provider offers [Catteddu and Hogben, 2009][Pauley, 2010].

Maintenance and Management

of Identity Management

System

The whitespace problem shows that policy may contain contradictory information. If such a policy is accredited, then it exposes the FPKIPA or IGTF to risk [Weaver et al., 2010].

Analysts need to synchronize CPs across member organizations of the grid. Also we need to synchronize language within these policies [Rea,S., 2011].

The volume of natural-language policy is more than humans can efficiently handle [Weaver et al., 2009, 2010].

Public Key Infrastructure

Certificate Policies

DataVolume Moving Target Increasing

ComplexityLayer

Synchronization

Two of Our Prototyped Tools

Cloud Cloud Providers (CP) need to deal with high-volume of audit requests [Catteddu and Hogben, 2009].

Cloud Customers (CC) need to be able to compare different cloud provider offers [Catteddu and Hogben, 2009][Ghosh and Arce, 2010][Pauley, 2010]

Maintenance and Management

of Identity Management

System

The whitespace problem shows that policy may contain contradictory information. If such a policy is accredited, then it exposes the FPKIPA or IGTF to risk [Weaver et al., 2010].

Analysts need to synchronize CPs across member organizations of the grid. Also we need to synchronize language within these policies [Rea, S., 2011].

The volume of natural-language policy is more than humans can efficiently handle [Weaver et al., 2009, 2010].

Public Key Infrastructure

Certificate Policies

DataVolume Moving Target Increasing

ComplexityLayer

Synchronization

Tool 1: CTS Policy Repository

Tool 2: Hierarchical

Policy Analyzer

Tool 1: CTS Policy Repository

The volume of natural-language policy is more than humans can efficiently handle [Weaver et al., 2009, 2010].

Cloud Providers (CP) need to deal with high-volume of audit requests [Catteddu and Hogben, 2009].

Public Key InfrastructureCompliance Audit, Bridging,

Grid Accreditation

The Cloud Maintenance and Management of Identity Management System

Auditors manually manage policies

CAWebsite

CAWebsite

CAWebsite

CAWebsite

PDF

1

2

3

4

Cyberspace

1

1.1

1.2

1.3

Page Number

SectionNumber

Policy

Text

Comparison

Humanspace

Mapping

Canonical Text Services (CTS) bridges the gap.

CTS PolicyRepository

TEI-XML

Cyberspace

1

1.1

1.2

1.3

SectionNumber

Policy

Text

Comparison

Humanspace

Mapping

Benefits of CTS for the Cloud

1) Help providers supply more granular audit.

2) Help customers easily locate versioned policies.

Semantics CTS-URN OIDAll texts in the pkipolicy namespace urn:cts:pki:pkipolicy n/a

The ULAGrid CP (and CPS) urn:cts:pki:pkipolicy.ulagrid 1.3.6.1.4.1.19286.2.2.2

A specific edition of the ULAGrid CP urn:cts:pki:pkipolicy.ulagrid.version1 1.3.6.1.4.1.19286.2.2.2.1.0.0

The ULAGrid CP's 'Technical Security Controls' urn:cts:pki:pkipolicy.ulagrid.version1:6 1.3.6.1.4.1.19286.2.2.2.1.0.0.6

The ULAGrid's policy unit on key pair generation urn:cts:pki:pkipolicy.ulagrid.version1:6.1.1 1.3.6.1.4.1.19286.2.2.2.1.0.0.6.1.1

CTS PolicyRepository

CTS-URN

TEI-XML

TEI-XML

Tool 2: Hierarchical Policy AnalyzerAnalysts need to synchronize CPs across member organizations of the grid. Also we need to synchronize language within these policies [Rea, S., 2011].

Cloud Customers (CC) need to be able to compare different cloud provider offers [Catteddu and Hogben, 2009].

No controlled language by which one can compare these policies.

Public Key InfrastructureCompliance Audit, Bridging,

Grid Accreditation

The Cloud Maintenance and Management of Identity Management System

Auditors Keep Policies Synchronized

1) Member organizations' policies with the base policy.

2) Change logs with actual policy changes.

3) Language among member organizations.

Auditors keep policies synchronized

1) Member organizations' policies with the base policy.

2) Change logs with actual policy changes.

3) Language among member organizations.

Current mechanisms do not suffice

Reference Description wordED treeED

SDG.1_5_1:6.1.1 In Sec 6.1.1, added more description. 12 0

AIST.1_1:1.4.3 Added Section 1.4.3 21 1

IUCC.1_5:4.6.1 Changed 4.6.1 to add logging of login, logout,... 0 0

Out of 178 reported changes,9 never actually occurred

Hierarchical Policy Analyzer

1) An engine for cloud customers to analyze policies.

2) A mechanism to bootstrap a controlled policy language from real-world policies.

Conclusion

Conclusion

Cloud customers and providers both need a trust framework to evaluate security policy.

Security policy management is difficult.

But many security policies (and artifacts) are structured text.

We can process these structures and make policy management more efficient, reproducible, and transparent.

Thank YouQuestions?

gabriel.a.weaver@dartmouth.edu

ReferencesDaniele Catteddu and Giles Hogben. Cloud computing: Benefits, risks, and recommendations for information security. Technical report, European Network and Information Security Agency (ENISA), November 2009.

IGTF CTS. IGTF PKI policy repository. Retrieved December 1, 2011 from http://pkipolicy.appspot.com/.

Wayne A. Pauley. Cloud provider transparency: An empirical evaluation. IEEE Security and Privacy, 8(6): 32–39, Nov.–Dec. 2010.

Rea, S., September 2011. Conversation on the FBCA and PKI Policy Framework.

D.N. Smith. Canonical Text Services (CTS). Retrieved May 29, 1009 from http://cts3.sourceforge.net/.

Hassan Tabaki, James B.D. Joshi, and Gail-Joon Ahn. Security and privacy challenges in cloud computing environments. IEEE Security and Privacy, 8(6):24–30, Nov.–Dec. 2010.

G. Weaver, S. Rea, and S.W. Smith. A computational framework for certificate policy operations. In Public Key Infrastructure: EuroPKI 2009. Springer-Verlag LNCS, 2009.

G. Weaver, S. Rea, and S.W. Smith. Computational techniques for increasing PKI policy comprehension by human analysts. In Proceedings of the 9th Symposium on Identity and Trust on the Internet, pages 51–62. ACM, 2010.

G. Weaver, N. Foti, S. Bratus, D. Rockmore, and S.W. Smith. Using hierarchical change mining to manage network security policy evolution. In Proceedings of the 11th USENIX Conference on Hot Topics in Management of Internet, Cloud, and Enterprise Networks and Services. USENIX Association, 2011.

Our Domains and the Cloud

Approach: Fieldwork

Network Configuration Management

Power Grid

Public Key Infrastructure

Volume Dynamic Complex Synchronization

The whitespace problem shows that policy may contain contradictory information. If such a policy is accredited, then it exposes the FPKIPA or IGTF to risk [WRS10].

Analysts need to synchronize CPs across member organizations of the grid. Also we need to synchronize language within these policies [Rea11].

The volume of natural-language policy is more than humans can efficiently handle [WRS09, WRS10].

It would be useful to extract parts of the Windows registry, network configurations, and PMU data that are good targets for attack or relevant to CIP [Rog11].

It would be handy when migrating services behind the firewall to 'grep' out the same feature implemented in slightly different languages to make sure that everything has been relocated [Sch10].

Network configurations frequently change due to new features and other factors but is policy maintained [WFB+11,SRSL09]?

It would be handy to diff registries and network configurations as they change [Rog11].

The volume of natural-language policy is more than humans can efficiently handle [WRS09, WRS10].

§ 3.1 CTS § 3.2 Context-Free Grep § 3.3 Hierarchical Diff § 3.4 Hierarchical Text Analyzer

It would be useful to extract parts of the Windows registry, network configurations, and PMU data that are good targets for attack or relevant to CIP [Rog11].

It would be handy when migrating services behind the firewall to 'grep' out the same feature implemented in slightly different languages to make sure that everything has been relocated [Sch10].

Network configurations frequently change due to new features and other factors but is policy maintained [WFB+11,SRSL09]?

It would be handy to diff registries and network configurations as they change [Rog11].

Our PKI Research and The Cloud

Public Key Infrastructure

Volume Dynamic Complex Synchronization

The whitespace problem shows that policy may contain contradictory information. If such a policy is accredited, then it exposes the FPKIPA or IGTF to risk [WRS10].

Analysts need to synchronize CPs across member organizations of the grid. Also we need to synchronize language within these policies [Rea11].

The volume of natural-language policy is more than humans can efficiently handle [WRS09, WRS10].

Cloud Cloud Providers (CP) need to deal with high-volume of audit requests [cattedduHogben2009].

Cloud Customers (CC) need to be able to compare different cloud provider offers [cattedduHogben2009].

No controlled language by which one can compare these policies.

Maintenance and Management

of Identity Management

System

The volume of natural-language policy is more than humans can efficiently handle [WRS09, WRS10].

§ 3.1 CTS § 3.2 Context-Free Grep § 3.3 Hierarchical Diff § 3.4 Hierarchical Text Analyzer

Cloud Providers (CP) need to deal with high-volume of audit requests [cattedduHogben2009].

Our Research and The CloudVolume Dynamic Complex Synchronization

CloudCloud Providers (CP) need to deal with audit requests on demand [my claim].

Cloud Providers (CP) need to dynamically audit across layers of a platform [my claim].

SecurityPlatform

Configuration

It would be handy when migrating services behind the firewall to 'grep' out the same feature implemented in slightly different languages to make sure that everything has been relocated [Sch10].

Network configurations frequently change due to new features and other factors but is policy maintained [WFB+11,SRSL09]?

Network Configuration Management

§ 3.1 CTS § 3.2 Context-Free Grep § 3.3 Hierarchical Diff § 3.4 Hierarchical Text Analyzer

Cloud Providers (CP) need to deal with audit requests on demand [my claim].

It would be handy when migrating services behind the firewall to 'grep' out the same feature implemented in slightly different languages to make sure that everything has been relocated [Sch10].

Network configurations frequently change due to new features and other factors but is policy maintained [WFB+11,SRSL09]?

It would be handy when migrating services behind the firewall to 'grep' out the same feature implemented in slightly different languages to make sure that everything has been relocated [Sch10].

Network configurations frequently change due to new features and other factors but is policy maintained [WFB+11,SRSL09]?

Our Research and The CloudVolume Dynamic Complex Synchronization

CloudCloud Providers (CP) need to deal with audit requests on demand [my claim].

"A trust framework should be developed…to manage evolving trust and interaction/sharing requirements" [Takabi10]

SecurityPlatform

Configuration

Power Grid

It would be useful to extract parts of the Windows registry, network configurations, and PMU data that are good targets for attack or relevant to CIP [Rog11].

It would be handy to diff registries and network configurations as they change [Rog11].

§ 3.1 CTS § 3.2 Context-Free Grep § 3.3 Hierarchical Diff § 3.4 Hierarchical Text Analyzer

Cloud Providers (CP) need to deal with audit requests on demand [my claim].

It would be useful to extract parts of the Windows registry, network configurations, and PMU data that are good targets for attack or relevant to CIP [Rog11].

It would be handy to diff registries and network configurations as they change [Rog11].

"A trust framework should be developed…to manage evolving trust and interaction/sharing requirements" [Takabi10]