FRAUNHOFER INSTITUTE FOR EXPERIMENTAL SOFTWARE ENGINEERING IESE

ENHANCING CLOUD SECURITY WITH CONTEXT-AWARE USAGE CONTROL POLICIES
Christian Jung, Andreas Eitel, Reinhard Schwarz

© Fraunhofer IESE

Christian Jung [email protected]

MOTIVATION


MOTIVATION
 Sensitive Data
   Business data
   Personal data
   Intellectual property
 Data leaks (malicious or unintentional)
   damage business reputation
   cause financial losses

What happens after data is released?

MOTIVATION
Moving Data to the Cloud = Moving Data to Third Parties
 Data Protection Challenges
   Data Residency (data must be kept within defined geographic borders)
   Data Privacy (enterprise is responsible for any breach to data)
   Compliance (enterprise must comply with applicable laws)
   Data Usage Control (data is accessed from different entities)
 Main concerns for critical infrastructure IT using the Cloud
   Security and Privacy

Source: https://seccrit.eu/upload/CloudCritITSurvey.pdf, 10-03-2014, SECCRIT

MOTIVATION  Acces s control is not enough!

 Us age control – a generalization of access control  Fine-grained policies specify how data is handled

Us age Control

after acces s has been granted  Enables compliance with privacy, auditing, and accountability regulations  Allows you to keep control ov er y our data

5 © Fraunhofer IESE

Acces s Control

USAGE CONTROL
THE IND²UCE FRAMEWORK

IND²UCE FRAMEWORK
[Figure: IND²UCE framework overview]

USAGE CONTROL  Tracking of data flow : “Do not redis tribute account inform ation”  Additional inform ation s ources (e.g. context): “data can only be displayed on com pany ’s prem is es ”

Expressive Language

Context

 Ex pres s iv e Policy Language (OS L)

Data flow

 Cardinality operators: “data can be read only tw ice“  Tem poral operators: “data must be deleted after one m onth” 8 © Fraunhofer IESE
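The four ingredients on this slide (a data-flow rule, a context condition, a cardinality operator and a temporal operator) as a toy usage-control monitor that decides usage attempts after access has already been granted. This is an added illustration, not OSL syntax and not IND²UCE code; the policy dictionary layout, the context label "company-premises", the item name "account-info" and the timestamps are constructed.

```python
"""Toy usage-control monitor: context, cardinality and temporal conditions plus
a data-flow rule, evaluated after access was granted.  Added example, not OSL
and not IND²UCE code.  Policy layout, context labels and item names are
constructed."""
from datetime import datetime, timedelta

# Constructed policy set, keyed by data item.
POLICIES = {
    "account-info": {
        "max_reads": 2,                            # cardinality: "read only twice"
        "display_contexts": {"company-premises"},  # context: display only on premises
        "delete_after": timedelta(days=30),        # temporal: delete after one month
        "redistribute": False,                     # data flow: do not redistribute
    },
}


class UsageMonitor:
    """Tracks usage of released data and decides each subsequent usage attempt."""

    def __init__(self, policies):
        self.policies = policies
        self.reads = {}      # item -> reads granted so far
        self.received = {}   # item -> time the data was handed over

    def receive(self, item, at):
        self.received[item] = at

    def due_deletions(self, at):
        """Temporal operator: items whose delete_after window has elapsed at time 'at'."""
        return [item for item, t0 in self.received.items()
                if "delete_after" in self.policies.get(item, {})
                and at - t0 >= self.policies[item]["delete_after"]]

    def request(self, item, action, context, at):
        """Return (allowed, reason) for one usage attempt on item."""
        policy = self.policies.get(item)
        if policy is None:
            return True, "no policy attached"
        # A deletion obligation that is already due blocks any further use.
        if item in self.due_deletions(at):
            return False, "retention period expired, data must be deleted"
        if action == "display" and context not in policy["display_contexts"]:
            return False, f"display not permitted in context {context!r}"
        if action == "redistribute" and not policy["redistribute"]:
            return False, "redistribution forbidden"
        if action == "read":
            if self.reads.get(item, 0) >= policy["max_reads"]:
                return False, "read cardinality exhausted"
            self.reads[item] = self.reads.get(item, 0) + 1
        return True, "permitted"


def demo():
    """Walk one data item through the policy; returns the reasons in order."""
    t0 = datetime(2014, 3, 10)  # constructed hand-over time
    m = UsageMonitor(POLICIES)
    m.receive("account-info", t0)
    return [
        m.request("account-info", "read", "company-premises", t0)[1],
        m.request("account-info", "read", "company-premises", t0)[1],
        m.request("account-info", "read", "company-premises", t0)[1],
        m.request("account-info", "display", "home-office", t0)[1],
        m.request("account-info", "redistribute", "company-premises", t0)[1],
        ",".join(m.due_deletions(t0 + timedelta(days=29))),
        ",".join(m.due_deletions(t0 + timedelta(days=30))),
        m.request("account-info", "display", "company-premises", t0 + timedelta(days=31))[1],
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of the example is the state the monitor has to keep: access control needs only the subject, object and action, whereas the cardinality and temporal operators need a read counter and a hand-over timestamp per data item, and the context condition needs an information source outside the data itself.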

ENFORCEMENT IN THE CLOUD INFRASTRUCTURE

EU PROJECT SECCRIT IN A NUTSHELL
 Challenges
   Analyse and evaluate cloud computing with respect to security risks in sensitive environments (i.e., critical infrastructures)
 Goal
   Development of methodologies, technologies and best practices for secure, trustworthy, high-assurance and legally compliant cloud computing environments for critical infrastructure IT
   Enable cloud technologies to be used for critical infrastructure IT

www.seccrit.eu

ENFORCEMENT IN THE CLOUD INFRASTRUCTURE LEVEL
IND²UCE FOR VMWARE
 Man in the Middle (Preventive Enforcement)
   Proxy between vCenter Server and vSphere Client

[Figure: VMware vSphere Client – SOAP – IND²UCE proxy – VMware vCenter Server – manages VMware vSphere]

 Advantages
   preventive and detective enforcement
 Drawbacks
   Rebuild all interfaces for enforcement
   VMware changes are critical
   man in the middle approach (TLS/SSL)
   missing user transparency, etc.
   Maintaining user roles and privileges within IND²UCE

ENFORCEMENT IN THE CLOUD INFRASTRUCTURE LEVEL
IND²UCE FOR VMWARE
 vSphere Client Plugin (Preventive Enforcement)
   Managed user interface with integrated PEP (Plugin)

[Figure: VMware vSphere Client with plugin – SOAP – VMware vCenter Server – manages VMware vSphere]

 Advantages
   preventive and detective enforcement
 Drawbacks
   Rebuilding “Control Center” UI
   Maintaining user roles and privileges within IND²UCE
   Bypassing of plugin
   Client-based solution

ENFORCEMENT IN THE CLOUD INFRASTRUCTURE LEVEL
IND²UCE FOR VMWARE
 SOAP Interface vCenter Server (Detective Enforcement)

[Figure: VMware vSphere Client – SOAP – VMware vCenter Server – manages VMware vSphere; IND²UCE attached to the vCenter Server SOAP interface]

 Advantages
   independent of VMware changes (except for interface changes)
   no disturbance of other systems
 Drawbacks
   only detective enforcement

ENFORCEMENT IN THE CLOUD INFRASTRUCTURE LEVEL
POLICY ENFORCEMENT POINT (PEP)
Monitored types of Events (230 events tested, overall about 700 events)
 Virtual Machines
   Migration, Lifecycle, Powercycle, Cluster (Failover, HA Monitoring, etc.)
 Cluster
   Lifecycle, Resources, HA Services
 Hosts
   Host operations, networking, lifecycle, etc.
 Datastores
 Networking
   Lifecycle, Switch (e.g., port state)
 Roles and Permissions

ENFORCEMENT IN THE CLOUD INFRASTRUCTURE LEVEL
POLICY ENFORCEMENT POINT (PEP)
Event processing

[Figure: sequence of the event processing]
 VMwarePEP starts an EventCollector
 EventCollector requests new events from the vCenter Server via the SOAP interface; response: VMware events
 EventConverter turns each VMware event into a PDP event
   For every single field of the VMware event, the field plus the PDP event is passed to a field converter (BooleanConverter, IntegerConverter, EntityConverter, ...)
   Response: the PDP event with the converted field added

ENFORCEMENT IN THE CLOUD INFRASTRUCTURE LEVEL
POLICY INFORMATION POINT (PIP)
Contextual Information
 Performance of virtual machines, cluster, etc.
   Resource load such as CPU, memory, etc.
 Runtime status
   Connection or power state, bootTime, maximum CPU usage, etc.
 Datastore
   Capacity, free space, etc.
 Configuration parameters of virtual machines or cluster
   MAC address, annotation, number of CPUs, etc.
 Information about user or group privileges

ENFORCEMENT IN THE CLOUD INFRASTRUCTURE LEVEL
POLICY EXECUTION POINT (PXP)
Execute Actions
 Virtual Machines
   Powercycle (PowerOn/Off, Reset, Suspend, Standby, Shutdown, Reboot)
   Lifecycle (Reconfig, Relocate, Migrate, Clone, CreateSnapshot, etc.)
 Cluster
   Reconfigure, Apply/CancelRecommendation
 Roles and Permissions
   Set/Reset/RemoveEntityPermissions

ENFORCEMENT IN THE CLOUD INFRASTRUCTURE LEVEL
ENFORCING ANTI-AFFINITY POLICY
 Scenario: TenantA runs critical infrastructure services on different machines (VMs) in a virtual datacenter. However, the services are not allowed to share the same physical resources!
 Problem: If TenantA or the cloud infrastructure operator starts migrating virtual machines (VMs) to the same physical host, both critical services run on the same physical host. VMware offers affinity rules, but allows their violation.
 Solution: An anti-affinity policy specifies that critical VMs have to be separated. Migrating critical VMs to the same physical host results in automatically migrating the other critical service away.

ENFORCEMENT IN THE CLOUD INFRASTRUCTURE LEVEL
ENFORCING VIRTUAL MACHINE SNAPSHOTS POLICY
 Scenario: A virtual machine is reserved as a sandbox for evaluating new software. Testers can install software on the machine, but it has to be reverted to the previous state after usage. Only administrators are allowed to make persistent changes.
 Problem: A tester might forget to revert the machine or an administrator might forget to create a new snapshot. Creating snapshots and reverting has to be triggered manually. The vCenter user management has no automatic mechanisms for this kind of scenario.
 Solution: Virtual machine snapshot policies specify that a snapshot is created after an administrator logs out from the virtual machine. If a tester logs out from the virtual machine, the virtual machine is reverted.

ENFORCEMENT IN THE CLOUD INFRASTRUCTURE LEVEL
ENFORCING VIRTUAL MACHINES GEOLOCATION
 Scenario: A virtual machine hosts sensitive data and is only allowed to be operated in countries within Europe.
 Problem: A cloud operator might trigger the process to migrate the virtual machine to another data center outside Europe.
 Solution: A virtual machines geolocation policy specifies that virtual machines are only allowed to be operated in data centers within Europe. Migrating the virtual machine outside Europe will be logged and countermeasures enforced.
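How the PEP event processing, PIP and PXP pieces described earlier fit together with the three scenario policies (anti-affinity, snapshot, geolocation) under detective enforcement, as an added Python sketch. This is not IND²UCE code: the event type and field names, the converter table, the VM, host and datacenter names, and the choice of "migrate back" as the geolocation countermeasure are all assumptions, and real vSphere events have a different shape.

```python
"""Simplified detective enforcement loop in the PEP -> PDP -> PXP shape of the
slides, evaluating the anti-affinity, snapshot and geolocation policies.
Added sketch, not IND²UCE code.  Event type/field names, the converter table,
VM/host/datacenter names and the 'migrate back' countermeasure are assumptions.
"""
from dataclasses import dataclass, field

# Constructed stand-in for what the EventCollector would fetch over SOAP.
SAMPLE_VMWARE_EVENTS = [
    {"type": "VmMigratedEvent", "vm": "vm-ci-dns",   "host": "host-1", "datacenter": "dc-frankfurt"},
    {"type": "VmMigratedEvent", "vm": "vm-ci-scada", "host": "host-1", "datacenter": "dc-frankfurt"},
    {"type": "VmMigratedEvent", "vm": "vm-ci-dns",   "host": "host-7", "datacenter": "dc-virginia"},
    {"type": "UserLogoutEvent", "vm": "vm-sandbox", "user": "tester1", "isAdmin": "false"},
    {"type": "UserLogoutEvent", "vm": "vm-sandbox", "user": "admin1",  "isAdmin": "true"},
]

# EventConverter: one converter per field, mirroring the Boolean/Integer/Entity
# converters of the slide; fields without an entry stay entity strings.
CONVERTERS = {
    "isAdmin": lambda v: v.strip().lower() == "true",   # BooleanConverter
    "cpus": int,                                        # IntegerConverter
}


def convert_event(raw):
    """Build the PDP event field by field from the raw VMware event."""
    return {name: CONVERTERS.get(name, str)(value) for name, value in raw.items()}


@dataclass
class Context:
    """PIP: contextual information the PDP queries (placement, geography, roles)."""
    vm_host: dict = field(default_factory=dict)    # vm -> physical host
    host_dc: dict = field(default_factory=dict)    # host -> datacenter
    critical_vms: set = field(default_factory=set)
    eu_datacenters: set = field(default_factory=set)


def decide(event, ctx):
    """PDP: evaluate the policies over one event; returns actions for the PXP."""
    actions = []
    if event["type"] == "VmMigratedEvent":
        vm, host, dc = event["vm"], event["host"], event["datacenter"]
        ctx.vm_host[vm] = host          # detective: the migration already happened
        ctx.host_dc[host] = dc
        if dc not in ctx.eu_datacenters:            # geolocation policy
            actions.append(("log", f"{vm} migrated outside Europe to {dc}"))
            actions.append(("migrate_back", vm))    # assumed countermeasure
        if vm in ctx.critical_vms:                  # anti-affinity policy
            for other, h in ctx.vm_host.items():
                if h == host and other != vm and other in ctx.critical_vms:
                    actions.append(("migrate_away", other))
    elif event["type"] == "UserLogoutEvent":        # snapshot policy
        kind = "create_snapshot" if event["isAdmin"] else "revert_snapshot"
        actions.append((kind, event["vm"]))
    return actions


def run_cycle(raw_events, ctx):
    """PEP loop: convert each collected event, hand the PDP's actions to the PXP."""
    return [a for raw in raw_events for a in decide(convert_event(raw), ctx)]


def demo_context():
    """Constructed PIP state: two critical VMs, one EU datacenter."""
    return Context(critical_vms={"vm-ci-dns", "vm-ci-scada"},
                   eu_datacenters={"dc-frankfurt"})


if __name__ == "__main__":
    for action in run_cycle(SAMPLE_VMWARE_EVENTS, demo_context()):
        print(action)
```

Because this is the detective variant, the PDP only sees the migration after vCenter has executed it; the placement table is updated first and the countermeasure is issued afterwards, which is exactly the "react after the event" limitation the conclusion slide names.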

CONCLUSION & FUTURE WORK
Moving Data to the Cloud = …
 Moving Data to Third Parties
 Losing Control over Data

[Figure: Usage Control shown as a superset of Access Control]

 IND²UCE brings usage control capabilities to VMware
   Cannot prevent system actions, but can react after the event or report policy violation
 IND²UCE enables compliance with privacy, auditing, and accountability regulations (e.g., data has to be stored within Europe)
 Usage Control keeps control over your data usage

CONCLUSION & FUTURE WORK  Enforcem ent com ponents for Cloud S torage

 Changing source code of HBase to modify data in transit  Us er-friendly Policy S pecification

 Elicitation method for security demands and mapping to machineenforceable security policies  Reduction of errors and misunderstandings in policy specification

 Policy Managem ent in Dis tributed Env ironm ents  Policy deployment and revocation; management policies

22 © Fraunhofer IESE

FRAUNHOFER INSTITUTE FOR EXPERIMENTAL SOFTWARE ENGINEERING IESE

Christian Jung
Fraunhofer Institute for Experimental Software Engineering IESE
Fraunhofer-Platz 1 | 67663 Kaiserslautern | Germany
Phone +49 631 6800-2146 | Fax +49 631 6800-92146
[email protected]
http://s.fhg.de/UC

This document was created using the official VMware icon and diagram library. Copyright © 2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware does not endorse or make any representations about third party information included in this document, nor does the inclusion of any VMware icon or diagram in this document imply such an endorsement.
