UTSA
Hierarchical Secure Information and Resource Sharing in OpenStack Community Cloud
Community Cloud Cyber Incident Response: A Model for Information and Resource Sharing
Amy (Yun) Zhang, Farhan Patwa, Ravi Sandhu, Bo Tang
Institute for Cyber Security, University of Texas at San Antonio
Aug 15, 2015
Presented by: Amy (Yun) Zhang
Community Cloud
• A community cloud provides services for exclusive use by a specific community, which consists of organizations with shared concerns, such as mission, security requirements, business models, etc.
• Example: a community of financial organizations
• Platform: OpenStack
Cyber Collaboration Initiatives
• Cyber attacks are becoming increasingly sophisticated.
  – Hard to defend by a single organization on its own.
• Collaborate to enhance situational awareness
  – Share cyber information in the community
    • Malicious activities
    • Technologies, tools, procedures, analytics.
Ref: www.huffingtonpost.co.uk/2013/04/23/uk-government-faces-1000-cyber-attacks-a-day_n_3138164.html
Traditional Cyber Collaboration
• Traditional collaboration
  – Subscription services
  – Limitations
    • Organizations share information only through the subscription service.
    • Organizations do not actively participate in analyzing and processing the cyber information they submit.
    • Organizations don't directly interact with each other on sharing activities.
Cyber Collaboration in Community Cloud
• Cloud platform (community)
  – Cyber Security Committee.
  – Organizations routinely collect cyber information.
  – Cross-organization cyber collaborations.
Community Cyber Incident Response Governance
[Figure: governance diagram. Entities shown: Incident Response Group, Organization Security Specialists, Cyber Security Committee, External Experts. Relations shown: Conditional Membership, Shared Information.]
Assumptions and Scope
• In a community cloud platform
  • OpenStack
• Sharing amongst a set of organizations
  – Sensitive cyber information, infrastructure, tools, analytics, etc.
  – May share malicious or infected code/systems (e.g. viruses, worms, etc.)
• Focus on access control model
OpenStack
• Dominant open-source cloud IaaS software
  – OpenStack software controls large pools of compute, storage, and networking resources throughout a datacenter, managed through a dashboard or via the OpenStack API.
Ref: http://www.openstack.org
OpenStack HMT
• HMT: Hierarchical Multitenancy
[Figure: HMT tree. Cloud (D) contains Domain 1 … Domain n; each domain contains Project 1 … Project p (or Project q); each project contains childProject 1 … childProject k (or childProject l); child projects nest further (child …).]
OSAC Model with HMT
[Figure: OSAC-HMT entity/relation diagram. Entities: Users (U), Groups (G), Roles (R), Projects (P), Domains (D), Services (S), Object Types (OT), Operations (OP), Permissions (PRMS), Tokens (T), Project-Role Pair (PRP). Relations: User Ownership (UO), Group Ownership (GO), Project Ownership (PO), User Group (UG), User Assignment (UA), Group Assignment (GA), Permission Assignment (PA), ot_service, Project Hierarchy, token_project, token_roles, user_token. Legend: one-to-one relation, one-to-multiple relation, multiple-to-multiple relation, role inheritance.]
OSAC-HMT-SID Model
[Figure: OSAC-HMT-SID entity/relation diagram. Entities: Users (U), Expert Users, Domains (D), Secure Isolated Domain (SID), Projects (P), Core Project (CP), Open Project (OP), Security Projects (SP), Secure Isolated Projects (SIP), Project-Role Pair (PRP) and Roles (R) per project type. Ownerships: User Ownership (UO), Expert User Ownership (EUO), Project Ownership (PO), Open Project Ownership (OPO), Security Project Ownership (SPO), Core Project Ownership (CPO), SIP Ownership (SIPO). Assignments: User Assignment (UA) per project type, User Self Subscription (USS) to the Open Project, SIP association (assoc). Project purposes labelled in the figure: Routine Cyber Information Process, Cyber Collaboration, Cyber Security Committee, Cyber Security Forum.]
OSAC-HMT-SID Administration Relation and Resources Ownership
[Figure: administrators and the resources they own. Administrators: Cloud admin, SID admin (Cloud admin), Domain admin, Project admin, Security Project admin, Core Project admin, SIP admin. Resources: Community Cloud, Domains, SID, Projects, Secure Projects, Core Project, Open Project, child Projects, child Secure Projects, SIPs, child SIPs.]
OSAC-SID Administrative Model
• SipCreate(uSet, sip) /* A subset of Core Project/domain admin users together create a SIP */
• SipDelete(uSet, sip) /* The same subset of Core Project/domain admin users together delete a SIP */
• UserAdd(adminuser, r, u, sp, p) /* CP/SIP admin can add a user from his home domain Security Project to CP/SIP */
• UserRemove(adminuser, r, u, sp, p) /* CP/SIP admin can remove a user from the Core Project/SIP */
• OpenUserSubscribe(u, member, OP) /* Users subscribe to Open Project */
• OpenUserUnsubscribe(u, member, OP) /* Users unsubscribe from Open Project */
• CopyObject(u, so1, sp, so2, p) /* Copy object from Security Project to Core Project/SIP */
• ExportObject(adminuser, so1, p, so2, sp) /* Export object from Core Project/SIP to Security Project */
• ExpertUserCreate(coreadmin, eu) /* Core Project admin users can create an expert user */
• ExpertUserDelete(coreadmin, eu) /* Core Project admin users can delete an expert user */
• ExpertUserList(adminuser) /* Admin users of Core Project and SIPs can list expert users */
• ExpertUserAdd(adminuser, r, eu, proj) /* Core Project/SIP admin can add an expert user to Core Project/SIP */
• ExpertUserRemove(adminuser, r, eu, proj) /* Core Project/SIP admin can remove an expert user from Core Project/SIP */
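The slide lists the administrative operations and their pre-conditions in prose; the following is an added toy model (not code from the slides or from OpenStack) that encodes four of them (SipCreate, UserAdd, CopyObject, ExportObject) as state transitions, so the constraints can be checked on sample data. It also reflects the enforcement slides: CP/SIP admins are domain admins whose home-domain Security Project is the only source of users and objects. Class and method names, the "CP" project key, the one-home-domain-per-user mapping and the quorum size are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Project:
    name: str
    kind: str          # "SP" (Security Project, one per domain), "CP" (Core), "SIP", "OP" (Open)
    domain: str = ""   # home domain of an SP; SID projects (CP/SIP/OP) belong to no domain
    admins: set = field(default_factory=set)
    members: set = field(default_factory=set)
    objects: set = field(default_factory=set)

class SIDModel:  # toy state for the OSAC-SID administrative operations (names assumed)
    def __init__(self, quorum=2):
        self.projects = {}    # project name -> Project; the Core Project is registered as "CP"
        self.home = {}        # user -> home domain (assumption: one home domain per user)
        self.quorum = quorum  # assumption: this many CP admins must act together in SipCreate

    def sip_create(self, user_set, sip):
        """SipCreate: a subset of Core Project admin users together create a SIP."""
        users = set(user_set)
        if not users <= self.projects["CP"].admins or len(users) < self.quorum:
            return False
        self.projects[sip] = Project(sip, "SIP", admins=users)
        return True

    def user_add(self, admin, u, sp, p):
        """UserAdd: a CP/SIP admin adds a user from the admin's home-domain SP to CP/SIP."""
        sp_, p_ = self.projects[sp], self.projects[p]
        ok = (p_.kind in ("CP", "SIP") and admin in p_.admins and sp_.kind == "SP"
              and sp_.domain == self.home[admin] and u in sp_.members | sp_.admins)
        if ok:
            p_.members.add(u)
        return ok

    def copy_object(self, u, obj, sp, p):
        """CopyObject: a user in both the SP and the CP/SIP copies an SP object into CP/SIP."""
        sp_, p_ = self.projects[sp], self.projects[p]
        ok = (sp_.kind == "SP" and p_.kind in ("CP", "SIP") and obj in sp_.objects
              and u in sp_.members | sp_.admins and u in p_.members | p_.admins)
        if ok:
            p_.objects.add(obj)
        return ok

    def export_object(self, admin, obj, p, sp):
        """ExportObject: only a CP/SIP admin exports an object back to the home-domain SP."""
        p_, sp_ = self.projects[p], self.projects[sp]
        ok = (p_.kind in ("CP", "SIP") and admin in p_.admins and obj in p_.objects
              and sp_.kind == "SP" and sp_.domain == self.home[admin])
        if ok:
            sp_.objects.add(obj)
        return ok
```

Every operation returns False and leaves the state untouched when a pre-condition fails, which is the property an enforcement layer (e.g. Keystone role assignments plus policy checks) would have to guarantee.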
Enforcement: set up the cloud
[Figure: enforcement flow showing which administrator assigns which users to which project.]
• Community Cloud: Cloud Admin
  – Assigns an admin user as Domain Admin of each domain.
• Domains: Domain Admin
  – Domain admins are assigned as Security Project Admin/member.
• Security Project: Admin/member
  – Admin user assigns users to the SP as member.
• Open Project: member
  – Users from the domains are assigned as Open Project member.
• SID: Cloud Admin
  – Assigns domain admins as Core Project Admin.
• Core Project: Admin
  – Assigns users from the home domain as Core Project member.
  – Assigns expert users as Core Project member.
Enforcement: SID hierarchy
[Figure: enforcement flow for the SID project hierarchy, repeated down the SIP tree.]
• SID: Cloud Admin
  – Assigns domain admins as Core Project Admin.
• Core Project: Admin
  – Creates SIP/child SIP/…; assigns domain admins as SIP Admin.
  – Assigns users from the home domain and expert users as Core Project member.
• SIP: Admin
  – Assigns users from the home domain and expert users as SIP member.
  – Assigns domain admins as child SIP Admin.
• child SIP: Admin
  – Assigns users from the home domain and expert users as child SIP member.
  – Assigns domain admins as Admin of the child SIP's … child SIP.
• child SIP's … child SIP: Admin
  – Assigns users from the home domain and expert users as child SIP's … child SIP member.
Conclusion and future work
• Suggested the OSAC-HMT-SID model for OpenStack
  – Cyber collaboration across organizations
    • Cyber incident response
    • Self-service
    • Cyber Security Committee.
    • Share data, tools, VMs, etc.
  – Potential blueprint for official OpenStack adoption
• Future work
  – Explore other model options.
  – Explore local roles in the model.
  – Explore models in other dominant cloud platforms.
Thanks!