Towards Security as a Service (SecaaS): on the modeling of Security Services for Cloud Computing

Angelo Furfaro, Alfredo Garro, Andrea Tundis
Department of Informatics, Modeling, Electronics, and Systems Engineering (DIMES), University of Calabria
Via P. Bucci 41C, 87036, Rende (CS), Italy
{angelo.furfaro, alfredo.garro, andrea.tundis}@dimes.unical.it
Abstract—The security of software services accessible via the Internet has always been a crosscutting non-functional requirement of uttermost importance. The recent advent of the Cloud Computing paradigm and its wide diffusion has given birth to new challenges towards the securing of existing Cloud services, by properly accounting for the issues related to their delivery models and their usage patterns, and has opened the way to the new concept of Security as a Service (SecaaS), i.e. the ability of developing reusable software services which can be composed with standard Cloud services in order to offer them the suitable security features. In this context, there is a strong need for methods and tools for the modeling of security concerns, as well as for evaluation techniques, for supporting both the comparison of different design choices and the analysis of their impact on the behavior of new services before their actual realization. This paper proposes a meta-model for supporting the modeling of Security Services in a Cloud Computing environment as well as an approach for guiding the identification and the integration of security services within the standard Cloud delivery models. The proposal is exemplified through a case study.

Keywords—Model-Based Systems Engineering; Cloud Computing; Security Engineering; Cyber-Security; Modeling and Simulation.
978-1-4799-3532-1/14/$31.00 ©2014 IEEE

I. INTRODUCTION

Cloud Computing (CC) is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction [2, 22]. Its architecture is based on three main Delivery Models: SaaS (Software as a Service), which provides software services at application level; PaaS (Platform as a Service), which provides a set of software services, libraries as well as software platforms for supporting the development of application level services; IaaS (Infrastructure as a Service), which transparently allows the exploitation of remote hardware resources on demand and in a flexible way. Furthermore, four Deployment Models (i.e. Public Cloud, Private Cloud, Community and Hybrid Cloud), which represent different ways of implementing a Cloud architecture, have been defined and concretely adopted [6, 18]. Cloud Computing is continuously evolving, and its increasing popularity is attracting companies, research centers and investors such as IBM, the National Institute of Standards
and Technology (NIST), the European Telecommunications Standards Institute (ETSI) and the International Telecommunication Union (ITU) [10, 12, 13, 14, 15, 21, 22]. However, criticalities are arising with the management of several non-functional aspects that have a cross-architectural impact [5]. In particular, Security [1, 3] is a property that needs to be considered in the Cloud Computing context and, specifically, in application domains where the integrity, the privacy and the confidentiality of information must be guaranteed. Indeed, although the number of users that evaluate the possibility to delegate key services to the Cloud is increasing, there are important security concerns that should be taken into account to avoid the negative effects on the user trust that could derive from security flaws. Moreover, additional issues derive from the verification that a provided service respects all the norms and rules concerning its security aspects as required by the current legislation, which may vary depending on the country and even on the region. In this context, although several proposals are available for supporting the definition, the modeling and the deployment of IaaS, PaaS and SaaS [7], there is still a lack of models and approaches that specifically address the problem of how to deal with security in the Cloud. Indeed, little attention has been paid to supporting: (i) the definition and the modeling of security related services; (ii) the security services integration on an overall Cloud architecture; (iii) the evaluation of security performances in the Cloud against possible threats and attacks, and the comparison of different design choices before the actual realization of Cloud services; (iv) the verification of compliance of a service to regulations [3, 7].
Starting from the above mentioned concerns, the research activity presented here has dealt with: (i) the investigation of the concept of Security-as-a-Service (SecaaS) along with the definition of a reference meta-model for SecaaS which is able to catch and represent security aspects with the aim not only to provide added value to the other well-known Delivery Models (IaaS, PaaS, SaaS) but also to enable the delivery of full-fledged security services through the Cloud; (ii) an approach for supporting the modeling of SecaaS and their cross-architecture integration [11, 19] as well as the evaluation of security policy compliance so as to enable also the comparison of different design choices and ensure desired security levels.

The rest of the paper is structured as follows: after an overview of the state of the art related to security services (Section II), a lean process for modeling security services is proposed (Section III); then, a reference meta-model for the modeling of security services is presented (Section IV). The effectiveness of the proposal is exemplified and evaluated through a case study, concerning the definition and modeling of an Identity and Access Management Service (Section V). Finally, conclusions are drawn and future works delineated (Section VI).

II. SECURITY-AS-A-SERVICE (SECAAS): AN OVERVIEW

Security as a Service (SecaaS) is a new concept which is meant to deal with the various security aspects in the different types and models of a cloud system [4]. In this field the Cloud Security Alliance (CSA), a not-for-profit organization, aims at promoting the use of best practices for providing security assurance within Cloud Computing (CC), as well as to provide education on the uses of CC to support all other forms of computing [28]. According to CSA, SecaaS refers to the provision of security applications and services via the Cloud either to Cloud-based infrastructure and software or from the Cloud to the customers [8]. Many aspects that involve security in CC have been identified by the CSA, and a brief description of the main identified service categories is provided in the following.

Identity and Access Management (IAM) services include people, processes, and systems that are used to manage access to enterprise resources by assuring that the identity of an entity is verified, then granting the correct level of access based on the protected resource, this assured identity, and other context information [9].

Data Loss Prevention (DLP) services are responsible for ensuring the safety, protection and monitoring of the data being exchanged. DLP applies specific security policies on the processed data to avoid information loss, leakage or breach. For example, to prevent unauthorized access to documents containing sensitive data, e.g. some codes that may appear as credit card numbers, a DLP service may automatically encrypt such files before copying them to an external device and allow their decryption only on recognized systems [17].

Web Security (WS) services deal with real-time protection by applying policies to Web traffic, thus avoiding the introduction of malware, whereas the EMail Security (EMS) service provides control over inbound and outbound e-mail, protecting the organization from phishing and malicious attachments, and enforcing corporate policies such as acceptable use and spam prevention. A Cloud Service Provider (CSP) may also incorporate digital signatures on all e-mail clients and provide optional e-mail encryption.

Intrusion Management (IM) services utilize pattern recognition in order to detect and react to statistically unusual events, reconfiguring, if necessary, the systems affected by the intrusion, so as to block the attack. IM encompasses intrusion detection, prevention, and response. The core of this service is the implementation of intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) at entry points to the cloud and on servers in the cloud. An IDS is a set of automated tools designed to detect unauthorized access to a host system. An IPS incorporates IDS functionality but also includes mechanisms designed to block traffic from intruders.

Business Continuity and Disaster Recovery (BCDR) services are in charge of ensuring resilience when a particular event that causes an interruption of a service occurs.

Encryption services deal with both data and application protection techniques; the purpose of this kind of SecaaS service category is to identify what Encryption Security as a Service means and to provide guidance to organizations on implementation practices.

Network Security (NS) services consist of specific services that are employed to discipline the access to, deploy, monitor and protect network resources. Such services, which are typically offered at the network level, can be provided both on whole areas of the network and/or on specific subnets.

Security Assessment (SA) services deal with aspects related to supporting business decisions and processes, ensuring compliance with legal, regulatory and statutory requirements as well as ensuring confidentiality, integrity and availability of information assets by providing and supporting security in which a Cloud-hosted solution performs the assessments and stores the resulting data.

Security Information and Event Management (SIEM) services aggregate (via push or pull mechanisms) log and event data from virtual and real networks, applications, and systems. This information is then correlated and analyzed to provide real-time reporting and alerting on information/events that may require intervention or another type of response. The CSP typically provides an integrated service that can put together information from a variety of sources both within the cloud and within the client enterprise network.

Many solutions have been proposed to manage the configuration of the above mentioned security services [24, 25]. In [20], an approach based on a third-party security services provider is exploited for facilitating and ensuring the compliance with security requirements through top-level security policy definitions transformed into low-level configuration and vulnerability controls. In [16], a Security-Focused Configuration Management (SecCM) definition is provided to support organizations that are responsible for managing and administering federal information systems. Other contributions are related to architectural choices for providing security services in the Cloud also accessible from mobile devices. In [23] the aim is to offer mechanisms to specify cloud security requirements, to assess the security features offered by CSPs, and to integrate the desired security services into cloud services with a SecaaS approach.
Unfortunately, none of them specifically supports the phases of conceptualization and high-level design of SecaaS, which are crucial to guide the service development by focusing on effective design solutions.

III. MODELING SECURITY SERVICES

To ease the design of SecaaS, a lean process is proposed and sketched in Fig. 1 by highlighting its phases and related work-products. This process aims at supporting the conceptualization and high-level design phases of security services in the following two main delivery scenarios:

• the security services under design are aimed at satisfying security requirements of a given service and thus have to be jointly delivered with it on the Cloud (Delivery Scenario 1);

• the security services under design are themselves the software components that have to be delivered on the Cloud (Delivery Scenario 2).

Fig. 1. SecaaS Conceptualization and high-level Design: Reference Process

The proposed process consists of three main phases (see Fig. 1, right-most column): Security Services Identification (SSI), Design Solutions Definition (DSD) and Design Solutions Analysis (DSA); in particular:

• in the SSI phase, starting from the combination of both a Service Description (SD), that specifies the characteristics of the service to be delivered, and Security Requirements (SRs), that describe requirements to be fulfilled (input work-products), the identification of one or more Security Service Conceptual Models (SSCMs) is obtained. On the basis of the two introduced Delivery Scenarios, the SD can refer to: (i) a service that requires to be enriched with security capabilities to satisfy its security requirements (Delivery Scenario 1); (ii) a service that is specifically intended to offer security features (Delivery Scenario 2). In sum, a SSCM represents a conceptual model of the security service to be developed according to a SD, which refers to one of the two introduced Delivery Scenarios and which meets the given SRs.

• in the DSD phase, the SSCMs achieved in the previous phase are exploited to define different possible Security Service Design Solutions (SSDSs) by exploiting different security policies and mechanisms.

• in the DSA phase, the SSDSs, produced in the previous phase, are evaluated and compared so as to identify a set of possible and concretely exploitable solutions (Selected Design Solutions, SDS) that may be considered for the subsequent detailed design and implementation phases.

The models described above (see Fig. 1, middle column), that represent input and output phase work-products, are defined according to a proposed meta-model whose main concepts are reported in the left-most column of Fig. 1. The complete definition and description of the meta-model as well as its meta-data are detailed in Section IV.

IV. MODELING SECURITY-AS-A-SERVICE (SECAAS)

In this Section the main concepts required for modeling Security Services for Cloud Computing are identified and formalized. This reference model aims at highlighting the most significant aspects to represent SecaaS and the relationships with the well-known delivery models in a Cloud system by also taking into account the role of requirements. The proposed meta-model is based on the combination of five main concepts: SecurityService, Service, Policy, SecurityMechanism and Category. The core notion for modeling a security service and its main characteristics is represented by the SecurityService concept (see Fig. 2), which is a specialization of the Service concept. Specifically, a SecurityService is meant to satisfy at least one SecurityRequirement, i.e. a particular class of NonFunctionalRequirement (which in turn represents a specialization of the Requirement concept) that deals with constraints on the design and criteria to be used to evaluate the security aspects of a module/system. A SecurityService is associated to one or more SecurityConcerns, each of which in turn belongs to a Category. SecurityLevels can be associated to a SecurityConcern and implemented by SecurityMechanisms according to given Policies.

Fig. 2. The SecaaS core concepts

A Service is conceived to fulfill a set of Requirements that can be functional or non-functional. A Service is offered by a ServiceProvider and it is characterized at least by two attributes: (i) a PeriodOfValidity, which indicates when the Service is available; (ii) a CostOfService, which indicates the operative cost of the service.

A Service is further characterized by the DeliveryModality concept (see Fig. 3), which represents the standard ways to deliver services in a Cloud environment. Finally, the DeploymentModality concept, which in turn can be Public, Private, Hybrid or Community, is exploited to specify different ways, depending on the organizational structure and the provisioning location, to deploy a Service.

Fig. 3. The Service concept

The concept of Policy (see Fig. 4) is used to state the intent and the procedures to achieve desired outcomes. It is associated to different SecurityLevels and, specifically, it defines under what conditions and when a specific SecurityLevel has to be provided. A Policy is characterized by two attributes: an Identifier (or a Name) in order to identify it uniquely and a possible Description in a text format by using the natural language; furthermore, at least a Statement needs to be defined to indicate the Actions that have to be performed to enforce the policy and their related Effects. A Policy can refer optionally to a User which, in turn, can be characterized as being (i) Single, when the Policy is defined only for one specific user, (ii) Group, when the Policy is defined for a set of users, (iii) Role, when the Policy is defined for one or more users which play a role (e.g. Administrator, Developer, Other).

Fig. 4. The Policy concept

In Fig. 5, the meta-model part related to the concept of SecurityMechanism, that could be associated to a SecurityLevel, is shown. A SecurityMechanism is used to represent measures put in place to perform the appropriate security assessments. It is characterized by attributes such as the AuthenticationTime, which captures the information about when the authentication takes place, and AuthenticationLocation, which catches the information about where the authentication takes place. For concretely modeling the different levels of security according to the adopted evaluation criteria, a SecurityMechanism can be further specialized as: TimeBasedSM, LocationBasedSM, CredentialsBasedSM (e.g. username, password), CertificatesBasedSM, BiometricBasedSM (e.g. fingerprint, optical scanner, etc.).

Fig. 5. The SecurityMechanism concept

Finally, the concept of Category is shown in Fig. 6. It is related at least to one SecurityConcern and provides a classification of the different types of security services: IAM (Identity and Access Management), DLP (Data Loss Prevention), WS (Web Security), EMS (E-Mail Security), SIEM (Security Information and Event Management), IM (Intrusion Management), BCDR (Business Continuity and Disaster Recovery), NS (Network Security), SA (Security Assessment), Encryption.

Fig. 6. The Category concept
V. EXEMPLIFYING THE PROPOSAL: MODELING AN IDENTITY AND ACCESS MANAGEMENT SERVICE

In this Section, the proposed process and the introduced meta-model (see Sec. III and IV respectively) are concretely exploited for the modeling of an Identity and Access Management (IAM) service, a service category that is becoming fundamental in the Cloud arena [8, 9]. Note that the service under design is specifically intended to offer security capabilities (see the Delivery Scenario 2 introduced in Sec. III). The process starts with the Security Services Identification phase that takes as inputs a Service Description (SD) and a set of Security Requirements (SRs) and aims to produce a set of Security Service Conceptual Models (SSCMs). In the case under consideration, the SD specifies a functionality that enables the right individuals to access the right resources at the right times for the right reasons. Such functionality addresses the mission-critical need to ensure appropriate access to resources across increasingly heterogeneous technology environments, as well as meets rigorous dependability requirements; indeed, a failure can undermine the benefits of Cloud Computing. In this context, a crucial requirement is to provide a secure and robust information protection system to validate the identities of users and computing devices that access a private area of a (private) network. Such a protection system could exploit different types of authentication features and should include strong authentication mechanisms for validating the credentials and determining the authenticity of the users. By analyzing the above-described information many SSCMs for an IAM service can be specified in terms of the Service, SecurityService and Category concepts of the proposed meta-model (see Fig. 2); as an example, a part of a SSCM is sketched in Table I.

TABLE I. SECURITY SERVICE CONCEPT MODEL 1 (SSCM-1)

SecurityRequirement: SR1: Secure and reliable protection features for access management of users are required
SecurityService: It is an AuthenticationSecurityService that has to provide different access control authentication capabilities that fulfill SR1
SecurityConcern: Strong Authentication
Category: The AuthenticationSecurityService deals with the Identity and Access Management (IAM) category
SecurityLevel: It has to be centered on the exploitation of user identification mechanisms and optionally by employing location and time-based information
DeliveryModality: The AuthenticationSecurityService under design represents itself a service to be delivered on the Cloud as a SaaS
DeploymentModality: Private
ServiceProvider: Any
CostOfService: Target: Minimal/Zero Additional Infrastructure Cost
PeriodOfValidity: Not-Specified

Specifically, for satisfying the above sketched SecurityRequirement (SR1), the SecurityService under design, called AuthenticationSecurityService, has to deal with the Strong Authentication SecurityConcern, which in turn belongs to the Identity and Access Management (IAM) service Category. This Concern can be associated to a specific SecurityLevel based on username, password and, optionally, on location and time-based information. Furthermore, the AuthenticationSecurityService under consideration could be delivered by any ServiceProvider, with a low CostOfService, using a SaaS DeliveryModality according to a Private DeploymentModality.

Starting from the identified Security Service Conceptual Model SSCM-1, in the Design Solutions Definition phase, two Security Service Design Solutions (i.e. SSDS-1 and SSDS-2) are defined by considering different configurations and settings of parameters in terms of Policies and SecurityMechanisms. Specifically, the SSDS-1 solution is conceived according to a Policy that aims at offering a level of security based on the analysis of the behavioral contexts and thus centered on user location and timing of the request. Furthermore, SSDS-1 adopts a One-Time Password SecurityMechanism that combines username, password, session timeouts, maximum number of failed login attempts along with time and location-based information. The SSDS-2 solution is, instead, defined by considering a Policy that aims at offering a level of security only centered on biometric user data such as fingerprints. In this case the adoption of a Biometric Identification SecurityMechanism is required. As an example, fragments of such candidate solutions are reported in Table II and Table III respectively.

TABLE II. SECURITY SERVICE DESIGN SOLUTION 1 (SSDS-1)

Policy
  Identifier: Id-01
  Description: It offers a level of security based on username and password credentials along with location and timing of the request.
  Statement, Action1: Username and Password are provided by the User
  Statement, Effect 1: The user is authorized/identified if username and password in input are correctly recognized and location and time of access of the user is considered valid
  User: Group/Single
Security Mechanism
  Authentication Time: Enabled
  Authentication Location: Enabled
  CredentialBased, TimeBased, LocationBased
  Description: One-Time Password authentication mechanism

TABLE III. SECURITY SERVICE DESIGN SOLUTION 2 (SSDS-2)

Policy
  Identifier: Id-02
  Description: It offers a level of security based on biometric data analysis
  Statement, Action1: Scanning of biometric data
  Statement, Effect 1: The user is authorized/identified if biometric data in input is correctly recognized
  User: Group/Single
Security Mechanism
  Authentication Time: Disabled
  Authentication Location: Disabled
  BiometricBased
  Description: Biometric Identification security mechanism centered on fingerprints
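The two design solutions of Tables II and III, encoded with the Policy, Statement and SecurityMechanism concepts of Section IV and evaluated against access requests with a fail-closed rule. This is an added example, not code from the paper; the class names, the user store, the allowed hours and locations, and the biometric threshold are constructed assumptions, and it models the credential, time, location and biometric factors only.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import time
from enum import Enum
from typing import Optional


class SM(Enum):  # SecurityMechanism specializations named in Section IV
    CREDENTIALS = "CredentialsBasedSM"
    TIME = "TimeBasedSM"
    LOCATION = "LocationBasedSM"
    BIOMETRIC = "BiometricBasedSM"


@dataclass(frozen=True)
class Statement:
    action: str
    effect: str


@dataclass(frozen=True)
class Policy:
    identifier: str
    description: str
    statements: tuple

    def __post_init__(self):
        # The meta-model requires at least one Statement per Policy.
        if not self.statements:
            raise ValueError(f"Policy {self.identifier} has no Statement")


@dataclass(frozen=True)
class DesignSolution:
    name: str
    policy: Policy
    mechanisms: frozenset


@dataclass(frozen=True)
class Request:
    username: str
    password: Optional[str] = None
    location: Optional[str] = None
    at: Optional[time] = None
    biometric_score: Optional[float] = None  # from a hypothetical matcher


def _kdf(password: str) -> bytes:  # constructed salt and iteration count
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 100_000)


# Constructed deployment data: assumptions, not values from the paper.
USERS = {"alice": _kdf("correct horse")}
ALLOWED_LOCATIONS = {"IT"}
ALLOWED_HOURS = (time(8, 0), time(18, 0))
BIOMETRIC_THRESHOLD = 0.90


def _check(sm: SM, req: Request) -> bool:
    """Check one mechanism; missing evidence always fails."""
    if sm is SM.CREDENTIALS:
        # Unknown users get a dummy hash so both cases cost one KDF call.
        stored = USERS.get(req.username, bytes(32))
        return req.password is not None and hmac.compare_digest(stored, _kdf(req.password))
    if sm is SM.TIME:
        return req.at is not None and ALLOWED_HOURS[0] <= req.at <= ALLOWED_HOURS[1]
    if sm is SM.LOCATION:
        return req.location in ALLOWED_LOCATIONS
    if sm is SM.BIOMETRIC:
        return req.biometric_score is not None and req.biometric_score >= BIOMETRIC_THRESHOLD
    return False  # unknown mechanism: deny


def evaluate(solution: DesignSolution, req: Request):
    """Return (authorized, failed mechanisms); every mechanism must pass."""
    failed = sorted(sm.value for sm in solution.mechanisms if not _check(sm, req))
    return (not failed, failed)


SSDS_1 = DesignSolution("SSDS-1", Policy(
    "Id-01", "Credentials along with location and timing of the request",
    (Statement("Username and Password are provided by the User",
               "Authorized if credentials, location and time are all valid"),)),
    frozenset({SM.CREDENTIALS, SM.TIME, SM.LOCATION}))
SSDS_2 = DesignSolution("SSDS-2", Policy(
    "Id-02", "Biometric data analysis",
    (Statement("Scanning of biometric data",
               "Authorized if the biometric data is recognized"),)),
    frozenset({SM.BIOMETRIC}))
```

Calling `evaluate(SSDS_1, Request("alice", "correct horse", "XX", time(3, 0)))` shows the point of the context-based policy: correct credentials presented from an unexpected place and hour are still rejected, and the returned list names the mechanisms that failed.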
Finally, in the Design Solutions Analysis phase, the above identified Security Service Design Solutions (i.e. SSDS-1 and SSDS-2) are analyzed and compared for evaluating: (i) the fulfillment of the SRs; (ii) their performances on the basis of specific performance indices; (iii) their compliance with the regulations in force, also on the basis of the target market. At the end of this phase, some of the identified Security Service Design Solutions could be selected for the implementation. As an example, in the case under consideration, given that both the identified solutions (SSDS-1 and SSDS-2) fulfill the SRs, other questions should be answered: (i) whether the extra cost deriving from the biometric security mechanisms provided by SSDS-2 is compatible with the target cost of service (see Table I), (ii) whether the biometric security mechanisms provided by SSDS-2 are compliant with the regulations in force in the countries in which the service is to be delivered. On the basis of this evaluation, a Selected Design Solution-1 (SDS-1) can be obtained (e.g. based on SSDS-1) that may be considered for the subsequent detailed design and implementation phases.

VI. CONCLUSION

The paper has focused on the modeling of SecaaS in the Cloud Computing context. In particular, a process for the conceptual modeling and high-level design of security services has been proposed along with a reference meta-model. The process is based on three main phases: (i) Security Services Identification (SSI), devoted to the identification of conceptual security service models, (ii) Design Solutions Definition (DSD), which deals with the definition of candidate design solutions and (iii) Design Solutions Analysis (DSA), which is oriented to the analysis, comparison and selection of solutions that may be considered for the subsequent detailed design and implementation phases. The work-products of these phases adhere to the proposed meta-model, which aims at supporting the modeling of SecaaS in its main aspects and relationships. In particular, the Service, the SecurityService and Category concepts of the meta-model are mainly exploited during the SSI phase of the process for supporting the identification of Security Service Conceptual Models; then the Policy and SecurityMechanism concepts are employed during both the DSD and the DSA phases for describing and evaluating possible alternative solutions. The proposed process and the introduced meta-model have been concretely exploited for the modeling of an Identity and Access Management service so as to show how to combine the concepts of the meta-model during the different phases of the reference process for effectively modeling security services. The proposed process, combined with the reference meta-model, provides an effective approach for guiding the identification, modeling and integration of security services with the Cloud. Ongoing research efforts are currently devoted to: (i) integrating in the proposed approach simulation techniques for supporting the evaluation and selection among Security Service Design Solutions; (ii) supporting the verification of the Selected Design Solutions against the regulations in force. These improvements could allow a more
effective design of security services that are compliant with the regulations while satisfying their security requirements.

ACKNOWLEDGMENT

This work has been partially supported by MIUR-PON under project PON03PE_00032_2_02 within the framework of the Technological District on Cyber Security.

REFERENCES

[1] R. J. Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems, 2nd ed., Wiley & Sons, pp. 1080, April 2008.
[2] M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica and M. Zaharia, “A view of cloud computing,” in Communications of the ACM, vol. 53, April 2010, pp. 50-58.
[3] L. Badger, T. Grance, R. Patt-Corner and J. Voas, Cloud Computing Synopsis and Recommendations - Recommendations of the National Institute of Standards and Technology, May 2012.
[4] M. Carvalho, “SECaaS-Security as a Service,” in Information Systems Security Association (ISSA) Journal, pp. 20-24, October 2011.
[5] Cloud Computing Expert Group, The Future of Cloud Computing Report from European Commission, January 2010.
[6] Cloud Computing Reference Architecture NIST - Special Publication 500-292.
[7] Cloud Standards Coordination Final Report, CSC-Final_report-013CSC_Final_report_v1_0_PDF_format-.pdf, ver. 10.0, November 2011.
[8] Cloud Security Alliance SecaaS - Defined Categories Of Services 2011.
[9] Cloud Security Alliance, SecaaS Implementation Guidance, Category 1: Identity and Access Management, September 2012.
[10] European Telecommunications Standards Institute - www.etsi.org/.
[11] M. Hafner, M. Mukhtiar and R. Breu, “Seaas - a reference architecture for security services in soa”, in Journal of Universal Computer Science (JUCS), vol. 15, pp. 2916-2936, September 2009.
[12] IBM - http://www.ibm.com/cloud-computing/us/en/.
[13] IBM - https://www.ibm.com/developerworks/community/blogs/c2028fdc-41fe-4493-8257-33a59069fa04/entry/chapter_124?lang=en.
[14] IEEE Standards in Cloud Computing http://cloudcomputing.ieee.org/standards/.
[15] International Telecommunication Union (ITU) - http://www.itu.int/.
[16] A. Johnson, K. Dempsey, R. Ross, S. Gupta and D. Bailey, “Guide for Security-Focused Configuration Management of Information Systems,” in NIST Special publication 800-128, Gaithersburg, August 2011.
[17] H. Mahajan and N. Giri, “Threats to Cloud Computing Security,” in VESIT International Technological Conference (I-TechCON), January 03-04, 2014.
[18] P. Mell and T. Grance, The NIST Definition of Cloud Computing Recommendations of the National Institute of Standards and Technology, September 2011.
[19] E. Messmer, “Cloud Security Alliance formed to promote best practices,” in Computerworld, March 2013.
[20] J. Meszaros, “Towards security management in the cloud utilizing SECaaS,” in Latest Trends in Information Technology, Vienna, Austria, November 10-12, pp. 449-455, 2012.
[21] Microsoft Windows Azure - http://www.windowsazure.com/.
[22] National Institute of Standards and Technology (NIST) - www.nist.gov/itl/cloud/.
[23] M. Rak, N. Suri, J. Luna, D. Petcu, V. Casola and U. Villano, “Security as a Service Using an SLA-Based Approach via SPECS,” in IEEE International Conference on Cloud Computing Technology and Science, vol. 2, pp. 1-6, Bristol, UK, December 2013.
[24] C. Senk, “Adoption of security as a service,” in Journal of Internet Services and Applications, vol. 4, Ed. Springer London, April 2013.
[25] D. Zissis and D. Lekkas, “Addressing cloud computing security issues”, Future Generation Computer Systems, vol. 28(3), pp. 583-592, 2012.