Secure Information and Resource Sharing in Cloud Infrastructure as a Service
Cyber Incident Response Models for Information and Resource Sharing
Amy (Yun) Zhang, Ravi Sandhu
Institute for Cyber Security, University of Texas at San Antonio (UTSA), San Antonio, TX 78249
Mar 25, 2016
Presented by: Amy (Yun) Zhang
Information and Resource Sharing
• Information sharing
  – exchanges of data between a sender and receiver
  – one-to-one, one-to-many, many-to-one, many-to-many
• Resource sharing
  – a computer resource made available from one host to other hosts on a computer network
  – computer programs, data, storage devices, and printers
    • shared file access
    • shared printer access
Ref: https://en.wikipedia.org/wiki/
Cloud Computing
• Concept
  – a kind of Internet-based computing that provides shared processing resources and data to computers and other devices on demand
• Service models
  – Infrastructure as a service (IaaS)
    • computers (physical or virtual machines) and other resources
    • AWS, Microsoft Azure, OpenStack
  – Platform as a service (PaaS)
    • a development environment for application developers
    • Salesforce, Microsoft Azure
  – Software as a service (SaaS)
    • users gain access to application software and databases
    • Google, Dropbox
Ref: https://en.wikipedia.org/wiki/Cloud_computing
Cyber Collaboration Initiatives
• Cyber attacks are becoming increasingly sophisticated.
  – Hard to defend by a single organization on its own.
• Collaborate to enhance situational awareness
  – Share cyber information
    • Malicious activities
    • Technologies, tools, procedures, analytics
Ref: www.huffingtonpost.co.uk/2013/04/23/uk-government-faces-1000-cyber-attacks-a-day_n_3138164.html
Scope
• Focus on technical challenges
• Sharing amongst a set of organizations
  – Information, infrastructure, tools, analytics, etc.
  – May want to share malicious or infected code/systems (e.g. viruses, worms, etc.)
  – Sensitive
  – Often ad hoc
• What are the effective ways to facilitate sharing in such circumstances?
  – Information sharing models
  – Infrastructure, technologies, platforms
Traditional Cyber Collaboration
• Traditional collaboration
  – Subscription services
  – Limitations
    • Organizations share information through subscription.
    • Organizations are not actively participating in analyzing and processing the cyber information they submit.
    • Organizations don't directly interact with each other on sharing activities.
Cloud IaaS Advantages for Cyber Incident Sharing
• Virtualized resources
  – Theoretically, one can take a snapshot and mobilize
• Operational efficiency
  – Light-weight and agile
  – Rapid deployment and configuration
  – Dynamic scaling
  – Self-service
Cloud IaaS Challenges for Cyber Incident Sharing
• IaaS clouds lack secure sharing models
  – Storage
  – Compute
  – Networks
• Need ability to snapshot tenant infrastructure, share, and control who can access
  – Share by copy
Sharing Model in Cloud IaaS
[diagram] A Secure Isolated Domain (SID) shared by Participant A, Participant B and Participant C. Each participant has View #1 (its own organization's data: Org A, Org B, Org C) and View #2 (the SID); the operations shown are Add/Remove Data and Join/Leave Users. Participants can create multiple secure isolated projects (SIPs) within the SID, each with different controls.
Community Cyber Incident Response Governance
[diagram] An Incident Response Group connects each Organization's Cyber Security Committee, External Security Experts and Specialists; membership is conditional, and information is shared among the members.
Cyber Collaboration in Cloud
• Cloud platform (community)
  – Cyber Security Committee
  – Organizations routinely collect cyber information
  – Cross-organization cyber collaborations
Secure Isolated Domain (SID) Model
[diagram] The Secure Isolated Domain (SID) contains a Core Project (CP), an Open Project (OP) and Secure Isolated Projects SIP-1 … SIP-n. Members come from Org-1 … Org-m and from Community Experts Expert-1 … Expert-k.
SID Service
[diagram only]
Overview
• Part I: OpenStack
• Part II: AWS
• Part III: Azure
OpenStack
• OpenStack
  – Dominant open-source cloud IaaS software
  ➢ > 200 companies
  ➢ ~14000 developers
  ➢ > 130 countries
Ref: http://www.openstack.org
OpenStack HMT
• HMT: Hierarchical Multitenancy
[diagram] Project hierarchy:
  Cloud
    Domain 1 … Domain n
      Project 1 … Project p (under Domain 1); Project 1 … Project q (under Domain n)
        childProject 1 … childProject k; childProject 1 … childProject l; each child project may in turn have child projects (…)
OSAC Model with HMT
[diagram] Entity sets: Users (U), Groups (G), Domains (D), Projects (P), Roles (R), Services (S), Object Types (OT), Operations (OP), Permissions (PRMS), Project-Role Pairs (PRP), Tokens (T). Relations: User Ownership (UO), Group Ownership (GO), Project Ownership (PO), User Group (UG), User Assignment (UA), Group Assignment (GA), Permission Assignment (PA), ot_service (object type to service), Project Hierarchy, user_token, token_project, token_roles. Legend distinguishes one-to-one, one-to-multiple and multiple-to-multiple relations and role inheritance along the project hierarchy.
OSAC-HMT-SID Model
[diagram] Extends OSAC-HMT with Secure Isolated Domains (SID) beside ordinary Domains (D), and Expert Users with Expert User Ownership (EUO) beside Users (U) with User Ownership (UO). Projects (P) are specialized into Core Projects (CP), Open Projects (OP), Security Projects (SP) and Secure Isolated Projects (SIP), with ownership relations Project Ownership (PO), Core Project Ownership (CPO), Open Project Ownership (OPO), Security Project Ownership (SPO), SIP Ownership (SIPO) and a SIP association (assoc). Each project kind has its own Project-Role Pairs (PRP) and Roles (R); users reach them through User Assignment (UA) and, for the Open Project, User Self Subscription (USS). The four project kinds are labelled by purpose: Routine Cyber Information Process, Cyber Collaboration, Cyber Security Committee, Cyber Security Forum.
OSAC-SID Administrative Model
• SipCreate(uSet, sip) /* A subset of Core Project/domain admin users together create a sip */
• SipDelete(uSet, sip) /* The same subset of Core Project/domain admin users together delete a sip */
• UserAdd(adminuser, r, u, sp, p) /* CP/sip admin can add a user from his home domain Security Project to CP/sip */
• UserRemove(adminuser, r, u, sp, p) /* CP/sip admin can remove a user from the Core Project/sip */
• OpenUserSubscribe(u, member, OP) /* Users subscribe to Open Project */
• OpenUserUnsubscribe(u, member, OP) /* Users unsubscribe from Open Project */
• CopyObject(u, so1, sp, so2, p) /* Copy object from Security Project to Core Project/SIP */
• ExportObject(adminuser, so1, p, so2, sp) /* Export object from Core Project/SIP to Security Project */
• ExpertUserCreate(coreadmin, eu) /* Core Project admin users can create an expert user */
• ExpertUserDelete(coreadmin, eu) /* Core Project admin users can delete an expert user */
• ExpertUserList(adminuser) /* Admin users of Core Project and SIPs can list expert users */
• ExpertUserAdd(adminuser, r, eu, proj) /* Core Project/sip admin can add an expert user to Core Project/sip */
• ExpertUserRemove(adminuser, r, eu, proj) /* Core Project/sip admin can remove an expert user from Core Project/sip */
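As an added illustration, not code from the slides or from the authors' OpenStack implementation, the following Python models four of these operations (SipCreate, UserAdd, CopyObject, ExportObject) with the authorization condition each slide comment states; the class layout, the role values "admin"/"member" and the assumption that every user has exactly one home Security Project are mine.

```python
# Added example (not from the slides): a small simulation of four OSAC-SID
# administrative operations, each gated by the condition in the slide comment.
from dataclasses import dataclass, field


@dataclass
class SIDState:
    core_admins: set                                # users holding the admin role on the Core Project
    sp_members: dict                                # Security Project (one per org domain) -> its users
    sp_objects: dict = field(default_factory=dict)  # Security Project -> object ids it holds
    sips: dict = field(default_factory=dict)        # sip name -> {"admins", "members", "objects"}

    def home_sp(self, user):
        # Home-domain Security Project of a user (assumption: exactly one per user).
        return next((sp for sp, us in self.sp_members.items() if user in us), None)

    def sip_create(self, u_set, sip):
        # SipCreate: a non-empty subset of Core Project admin users together create a SIP.
        if not u_set or not set(u_set) <= self.core_admins or sip in self.sips:
            return False
        self.sips[sip] = {"admins": set(u_set), "members": set(), "objects": set()}
        return True

    def user_add(self, adminuser, r, u, sp, sip):
        # UserAdd: a SIP admin adds a user with role r, but only from the admin's own
        # home-domain Security Project sp.
        s = self.sips.get(sip)
        if (s is None or adminuser not in s["admins"] or r not in ("admin", "member")
                or self.home_sp(adminuser) != sp or u not in self.sp_members.get(sp, set())):
            return False
        s["admins" if r == "admin" else "members"].add(u)
        return True

    def copy_object(self, u, so1, sp, so2, sip):
        # CopyObject: share by copy from the user's home Security Project into a SIP.
        s = self.sips.get(sip)
        if (s is None or u not in s["admins"] | s["members"] or self.home_sp(u) != sp
                or so1 not in self.sp_objects.get(sp, set()) or so2 in s["objects"]):
            return False
        s["objects"].add(so2)
        return True

    def export_object(self, adminuser, so1, sip, so2, sp):
        # ExportObject: only a SIP admin exports a SIP object back to a Security Project.
        s = self.sips.get(sip)
        if (s is None or adminuser not in s["admins"] or self.home_sp(adminuser) != sp
                or so1 not in s["objects"]):
            return False
        self.sp_objects.setdefault(sp, set()).add(so2)
        return True
```

Every operation returns False rather than raising when its precondition fails, so a caller can log the denied request as an authorization event.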
Enforcement
• Set up the cloud
[diagram] Role assignment flow:
  – Community Cloud: the Cloud Admin assigns an admin user as Domain Admin for each domain.
  – SID: the Cloud Admin assigns domain admins as Core Project: Admin.
  – Security Project: Admin/member are assigned from users of the home domain (an admin user assigns users to the SP as member).
  – Core Project: the Admin assigns users from the home domain and expert users as Core Project: member.
  – Open Project: member.
Enforcement
[diagram] Role assignment flow within the SID:
  – SID: the Cloud Admin assigns domain admins as Core Project: Admin.
  – Core Project: Admin creates SIP/child SIP/… and assigns domain admins as SIP: Admin; assigns users from the home domain and expert users as Core Project: member.
  – SIP: Admin assigns users from the home domain and expert users as SIP: member, and assigns child SIP: Admin.
  – child SIP: Admin assigns users from the home domain and expert users as child SIP: member, and so on down to child SIP's … child SIP: Admin and child SIP's … child SIP: member.
Overview
• Part I: OpenStack
• Part II: AWS
• Part III: Azure
Amazon Web Services (AWS)
• Dominant public cloud software
  – Amazon Web Services (AWS) is a collection of remote computing services, also called web services, that make up a cloud-computing platform offered by Amazon.com.
Ref: https://en.wikipedia.org/wiki/Amazon_Web_Services
AWS Access Control Model
• AWS Access Control within a Single Account
[diagram] Entity sets: Accounts (A), Users (U), Groups (G), virtual "Roles" (R), Services (S), Object Types (OT), Operations (OP), Permissions (PRMS). Ownership relations from the account: User Ownership (UO), Group Ownership (GO), OT Ownership (OTO), Roles Ownership (RO). Users relate to groups via user_group and to roles via user_role; Users, Groups and Roles each obtain permissions through Virtual Permission Assignment (VPA).