Security Policy Management for Humans: Textual-Analysis Tools to Streamline Security
Gabriel A. Weaver and Sean W. Smith, Dartmouth College
Outline
The Problem
Our Approach
Two Examples of Parallel Challenges in PKI/Cloud
Conclusion
The Problem
Human judgment is a necessary part of security
[Figure: customers and providers A, B and C, shown across humanspace and cyberspace.]
Customers need to evaluate cloud providers
[Figure: customers and providers A, B and C; comparison, audit and analysis of security policies and assessments, shown across humanspace and cyberspace.]
Providers have an assurance burden
[Figure: customers and providers A and C; audit requests, audit and analysis, shown across humanspace and cyberspace.]
Our Approach
We recognize many policies are structured text
[Figure: structured-text artifacts by domain. Network Configuration Management: Cisco IOS. Power Grid: PMU Data, Registry Data. Public Key Infrastructure: Certificate Policies. Example elements shown: interface 2, interface 3; Section 1, Section 2; voltage, current; HKLM, HKCC. Comparison, audit and analysis span humanspace and cyberspace.]
We observed problems in real-world security processes.
[Table: domains and their artifacts (Network Configuration Management: Cisco IOS; Power Grid: PMU Data, Registry Data; Public Key Infrastructure: Certificate Policies) against four challenges: Data Volume, Moving Target, Increasing Complexity, Layer Synchronization.]
Real-World Challenges in PKI
The whitespace problem shows that policy may contain contradictory information. If such a policy is accredited, then it exposes the FPKIPA or IGTF to risk [Weaver et al., 2010].
Analysts need to synchronize CPs across member organizations of the grid [Rea, S., 2011].
The volume of natural-language policy is more than humans can efficiently handle [Weaver et al., 2009, 2010].
Real-World Challenges in PKI and the Cloud
Cloud Providers (CP) need to deal with a high volume of audit requests [Catteddu and Hogben, 2009].
Cloud Customers (CC) need to be able to compare different cloud provider offers [Catteddu and Hogben, 2009][Pauley, 2010].
Cloud: Maintenance and Management of Identity Management System
Analysts need to synchronize CPs across member organizations of the grid. Also we need to synchronize language within these policies [Rea, S., 2011].
Two of Our Prototyped Tools
Cloud Customers (CC) need to be able to compare different cloud provider offers [Catteddu and Hogben, 2009][Ghosh and Arce, 2010][Pauley, 2010].
Tool 1: CTS Policy Repository
Tool 2: Hierarchical Policy Analyzer
Tool 1: CTS Policy Repository
The volume of natural-language policy is more than humans can efficiently handle [Weaver et al., 2009, 2010].
Cloud Providers (CP) need to deal with a high volume of audit requests [Catteddu and Hogben, 2009].
Public Key Infrastructure: Compliance Audit, Bridging, Grid Accreditation
The Cloud: Maintenance and Management of Identity Management System
Auditors manually manage policies
[Figure: four CA websites (1 to 4) in cyberspace; policy text referenced by page number and section number (1, 1.1, 1.2, 1.3); mapping and comparison in humanspace.]
Canonical Text Services (CTS) bridges the gap.
[Figure: CTS Policy Repository holding TEI-XML in cyberspace; policy text referenced by section number (1, 1.1, 1.2, 1.3); mapping and comparison in humanspace.]
Benefits of CTS for the Cloud
1) Help providers supply more granular audit.
2) Help customers easily locate versioned policies.
Table columns: Semantics, CTS-URN, OID

All texts in the pkipolicy namespace
  CTS-URN: urn:cts:pki:pkipolicy
  OID: n/a
The ULAGrid CP (and CPS)
  CTS-URN: urn:cts:pki:pkipolicy.ulagrid
  OID: 1.3.6.1.4.1.19286.2.2.2
A specific edition of the ULAGrid CP
  CTS-URN: urn:cts:pki:pkipolicy.ulagrid.version1
  OID: 1.3.6.1.4.1.19286.2.2.2.1.0.0
The ULAGrid CP's 'Technical Security Controls'
  CTS-URN: urn:cts:pki:pkipolicy.ulagrid.version1:6
  OID: 1.3.6.1.4.1.19286.2.2.2.1.0.0.6
The ULAGrid's policy unit on key pair generation
  CTS-URN: urn:cts:pki:pkipolicy.ulagrid.version1:6.1.1
  OID: 1.3.6.1.4.1.19286.2.2.2.1.0.0.6.1.1
[Figure: CTS Policy Repository; CTS-URN; TEI-XML.]
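The CTS-URN rows in the table above can be parsed and checked mechanically. The following is an added example, not code from the authors' repository: the names parse_cts_urn, to_oid and covers are hypothetical, and it assumes the OID arcs mirror the URN hierarchy exactly as the ULAGrid rows show.

```python
from dataclasses import dataclass

# OID arcs copied from the ULAGrid rows of the table above.
WORK_OIDS = {("pkipolicy", "ulagrid"): "1.3.6.1.4.1.19286.2.2.2"}
VERSION_ARCS = {("pkipolicy", "ulagrid", "version1"): "1.0.0"}


@dataclass(frozen=True)
class CtsUrn:
    namespace: str   # "pki"
    work: tuple      # ("pkipolicy", "ulagrid", "version1")
    passage: tuple   # ("6", "1", "1"); empty when the URN names a whole text


def parse_cts_urn(urn: str) -> CtsUrn:
    parts = urn.split(":")
    if len(parts) not in (4, 5) or parts[:2] != ["urn", "cts"]:
        raise ValueError(f"not a CTS-URN: {urn!r}")
    work = tuple(parts[3].split("."))
    passage = tuple(parts[4].split(".")) if len(parts) == 5 else ()
    if not parts[2] or not all(work) or not all(passage):
        raise ValueError(f"empty component in CTS-URN: {urn!r}")
    return CtsUrn(parts[2], work, passage)


def to_oid(urn: str):
    """Return the OID for a URN, or None where the table gives 'n/a'."""
    u = parse_cts_urn(urn)
    base = WORK_OIDS.get(u.work[:2])
    if base is None:
        return None
    if u.passage and (len(u.work) < 3 or not all(p.isdigit() for p in u.passage)):
        raise ValueError("passage needs a specific edition and numeric sections")
    arcs = [base] + ([VERSION_ARCS[u.work[:3]]] if len(u.work) > 2 else [])
    return ".".join(arcs + list(u.passage))


def covers(scope: str, target: str) -> bool:
    """True if `scope` names `target` or a unit that encloses it."""
    s, t = parse_cts_urn(scope), parse_cts_urn(target)
    if s.namespace != t.namespace:
        return False
    if s.passage:  # section-level scope: same edition, passage prefix
        return s.work == t.work and t.passage[:len(s.passage)] == s.passage
    return t.work[:len(s.work)] == s.work
```

Comparing passage components as tuples rather than as string prefixes keeps an audit scope of section 6 from accidentally matching section 61.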
Tool 2: Hierarchical Policy Analyzer
Analysts need to synchronize CPs across member organizations of the grid. Also we need to synchronize language within these policies [Rea, S., 2011].
Cloud Customers (CC) need to be able to compare different cloud provider offers [Catteddu and Hogben, 2009].
There is no controlled language by which one can compare these policies.
Public Key Infrastructure: Compliance Audit, Bridging, Grid Accreditation
The Cloud: Maintenance and Management of Identity Management System
Auditors Keep Policies Synchronized
1) Member organizations' policies with the base policy.
2) Change logs with actual policy changes.
3) Language among member organizations.
Current mechanisms do not suffice
Table columns: Reference, Description, wordED, treeED

SDG.1_5_1:6.1.1
  Description: In Sec 6.1.1, added more description.
  wordED: 12, treeED: 0
AIST.1_1:1.4.3
  Description: Added Section 1.4.3
  wordED: 21, treeED: 1
IUCC.1_5:4.6.1
  Description: Changed 4.6.1 to add logging of login, logout,...
  wordED: 0, treeED: 0

Out of 178 reported changes, 9 never actually occurred.
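A change-log check of the kind the table summarizes can be sketched as follows. This is an added example, not the authors' analyzer: all function names and the two policy versions are constructed for illustration, and the count of sections added or removed is a simple stand-in for a true tree edit distance.

```python
def word_edit_distance(a: str, b: str) -> int:
    """Levenshtein distance counted in words, so whitespace-only edits score 0."""
    x, y = a.split(), b.split()
    prev = list(range(len(y) + 1))
    for i, wx in enumerate(x, 1):
        cur = [i]
        for j, wy in enumerate(y, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (wx != wy)))
        prev = cur
    return prev[-1]


def subtree(policy: dict, section: str) -> dict:
    """Sections at or below `section`: '6.1' selects '6.1' and '6.1.1', not '6.10'."""
    return {k: v for k, v in policy.items()
            if k == section or k.startswith(section + ".")}


def check_change(old: dict, new: dict, section: str) -> dict:
    o, n = subtree(old, section), subtree(new, section)
    # Sections added or removed: a simple stand-in for the slide's treeED column.
    structural = len(set(o) ^ set(n))
    word_ed = word_edit_distance(" ".join(o[k] for k in sorted(o)),
                                 " ".join(n[k] for k in sorted(n)))
    return {"section": section, "wordED": word_ed, "structural": structural,
            "occurred": word_ed > 0 or structural > 0}


def unverified_changes(old: dict, new: dict, changelog: list) -> list:
    """Change-log sections for which no difference exists between versions."""
    return [s for s in changelog if not check_change(old, new, s)["occurred"]]


# Constructed sample: two versions of a policy keyed by section number.
OLD = {"4.6.1": "audit logs record certificate issuance",
       "6.1.1": "keys are generated by the subscriber"}
NEW = {"4.6.1": "audit logs record certificate issuance",
       "6.1.1": "keys are generated by the subscriber on a hardware token",
       "1.4.3": "prohibited uses are listed here"}
CHANGELOG = ["6.1.1", "1.4.3", "4.6.1"]  # sections the change log claims changed

if __name__ == "__main__":
    for s in CHANGELOG:
        print(check_change(OLD, NEW, s))
```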
Hierarchical Policy Analyzer
1) An engine for cloud customers to analyze policies.
2) A mechanism to bootstrap a controlled policy language from real-world policies.
Conclusion
Cloud customers and providers both need a trust framework to evaluate security policy.
Security policy management is difficult.
But many security policies (and artifacts) are structured text.
We can process these structures and make policy management more efficient, reproducible, and transparent.
Thank You
Questions?
References
Daniele Catteddu and Giles Hogben. Cloud computing: Benefits, risks, and recommendations for information security. Technical report, European Network and Information Security Agency (ENISA), November 2009.
IGTF CTS. IGTF PKI policy repository. Retrieved December 1, 2011 from http://pkipolicy.appspot.com/.
Wayne A. Pauley. Cloud provider transparency: An empirical evaluation. IEEE Security and Privacy, 8(6): 32–39, Nov.–Dec. 2010.
S. Rea. Conversation on the FBCA and PKI Policy Framework. September 2011.
D.N. Smith. Canonical Text Services (CTS). Retrieved May 29, 1009 from http://cts3.sourceforge.net/.
Hassan Takabi, James B.D. Joshi, and Gail-Joon Ahn. Security and privacy challenges in cloud computing environments. IEEE Security and Privacy, 8(6): 24–30, Nov.–Dec. 2010.
G. Weaver, S. Rea, and S.W. Smith. A computational framework for certificate policy operations. In Public Key Infrastructure: EuroPKI 2009. Springer-Verlag LNCS, 2009.
G. Weaver, S. Rea, and S.W. Smith. Computational techniques for increasing PKI policy comprehension by human analysts. In Proceedings of the 9th Symposium on Identity and Trust on the Internet, pages 51–62. ACM, 2010.
G. Weaver, N. Foti, S. Bratus, D. Rockmore, and S.W. Smith. Using hierarchical change mining to manage network security policy evolution. In Proceedings of the 11th USENIX Conference on Hot Topics in Management of Internet, Cloud, and Enterprise Networks and Services. USENIX Association, 2011.
Our Domains and the Cloud
Approach: Fieldwork
Domains: Network Configuration Management, Power Grid, Public Key Infrastructure
Challenges: Volume, Dynamic, Complex, Synchronization
The whitespace problem shows that policy may contain contradictory information. If such a policy is accredited, then it exposes the FPKIPA or IGTF to risk [WRS10].
Analysts need to synchronize CPs across member organizations of the grid. Also we need to synchronize language within these policies [Rea11].
The volume of natural-language policy is more than humans can efficiently handle [WRS09, WRS10].
It would be useful to extract parts of the Windows registry, network configurations, and PMU data that are good targets for attack or relevant to CIP [Rog11].
It would be handy when migrating services behind the firewall to 'grep' out the same feature implemented in slightly different languages to make sure that everything has been relocated [Sch10].
Network configurations frequently change due to new features and other factors, but is policy maintained [WFB+11, SRSL09]?
It would be handy to diff registries and network configurations as they change [Rog11].
§ 3.1 CTS; § 3.2 Context-Free Grep; § 3.3 Hierarchical Diff; § 3.4 Hierarchical Text Analyzer
Our PKI Research and The Cloud
Cloud Providers (CP) need to deal with a high volume of audit requests [cattedduHogben2009].
Cloud Customers (CC) need to be able to compare different cloud provider offers [cattedduHogben2009].
There is no controlled language by which one can compare these policies.
Cloud: Maintenance and Management of Identity Management System
Our Research and The Cloud
Cloud Providers (CP) need to deal with audit requests on demand [my claim].
Cloud Providers (CP) need to dynamically audit across layers of a platform [my claim].
Cloud: Security Platform Configuration
"A trust framework should be developed…to manage evolving trust and interaction/sharing requirements" [Takabi10]