Defining the Cloud Battlefield - Supporting Security Assessments by Cloud Customers

S. Bleikertz, T. Mastelic, S. Pape, W. Pieters, T. Dimkov
2013 2013 IEEE International Conference on Cloud Engineering (IC2E)  
Introduction, System Model, Security Model, Model Applications, Conclusions and Future Work

1. Identify known attacks and map them to the model
2. Analyze remaining combinations of entities, attacker, threats → reveal possible unknown attacks

Sebastian Pape (TU Dortmund) 8/34

SOMF Model
Cloud Pyramid
NIST Cloud Model
...

System Model: Components

Each entity has access to one or more components:
  - Administration: service, logical access to the cloud infrastructure
  - Technical Support: service, physical access to the cloud infrastructure
  - Hardware: e.g. hard-disk, processor; produced by a manufacturer, part of a cloud data center
  - Software: e.g. hypervisor, cloud management software; produced by a developer, part of a cloud infrastructure
  - Data: information stored on hardware or being transmitted
  - Appliance: executable piece of software deployed by a customer; includes higher layers of a cloud service; black box completely controlled by a customer; non-running appliances are considered as data
  - Usage: represents usage by a third party, logical access of an appliance

Security Model: Attacker Model: Archetypes

Archetypes combine goals and skills:
  - malicious (intentionally contributes to an attack): increases risk and associated damage to others for its own gain
  - ostrich (knowingly contributes to an attack): does not intend to increase risk for others, but fails to take action upon being informed about this (lazy)
  - charlatan (fails to acquire essential knowledge about contributing to an attack): increases risk for others, could/should have known (sloppy)
  - stepping stone (unknowingly contributes to an attack): increases risk for others, but could not have known (sloppy)

Model Applications: Evaluation and Purpose

Evaluation:
  - Assembled security threats from
      - Cloud Security Alliance [Brunette, 2010]
      - ENISA [Catteddu and Hogben, 2009]
      - Deloitte Cloud Risk Map [Deloitte, 2012]
  - developed attack scenarios using subsets from our model

Practical purpose of model:
  - Explain success of existing attacks and possible mitigations
  - Produce a systematic set of threats → input in developing a security assessment for a cloud solution
  - Analyze behavior and motivation of entities → insights into causes of threats → cost-benefit assessment
  - Define possible attack scenarios by presenting what-if scenarios in a consistent language

Applying the Model to Practical Attacks: Malicious Administrator Attacks - Mitigation and Assessment

  - differences between possible archetypes of the provider
      - no functional
      - charlatan provider hires a malicious administrator
      - charlatan provider fails to implement proper handling of security vulnerability reporting
      - ostrich does not perform necessary patch management
  - technical mitigation
      - Trusted hypervisors [Garfinkel et al., 2003, Zhang et al., 2011]
      - Access control approaches [Bleikertz et al., 2012]
      - Fully homomorphic encryption [Gentry, 2009], still practically infeasible [Van Dijk and Juels, 2010]
      - A two-person administration [Potter et al., 2009]

Applying the Model to Practical Attacks: App Store Scenario - Mitigation and Assessment

  - Amazon changed from stepping stone to defender (reputationalist)
  - Requires scanning and cleaning of infected/malicious images [Balduzzi et al., 2012]
  - Alternatively: pre-emptive image management system that provides a secured access to images [Wei et al., 2009]
  - defender provider could patch VM images [Zhou et al., 2010]

Conclusions and Future Work

We proposed a cloud security threat model that combines
  - Comprehensive system model of infrastructure clouds
  - Security model focusing on cloud customer security objectives
  - Threat model with characteristics and motivations of attackers

We used our model to
  - systematic categorization analysis of existing attacks
  - construction of "what-if" attack scenarios

Customers can apply the approach to competing cloud providers
  - Requires sufficient data about the architecture or Trusted Third Party [Probst et al., 2012].
doi:10.1109/ic2e.2013.31 dblp:conf/ic2e/BleikertzMPPD13 fatcat:ny4naedfzbe5flaasyihlrmlpq