UTSA
Amy(Yun) Zhang, Farhan Patwa, Ravi Sandhu, Bo Tang
Institute for Cyber Security
University of Texas at San Antonio
Aug 15, 2015
Presented by: Amy(Yun) Zhang
Hierarchical Secure Information and
Resource Sharing in OpenStack
Community Cloud
Cyber Incident Response
UTSA
Community Cloud
•
Community cloud
provides services for
exclusive use by a specific community, which
contains organizations with shared concern,
such as mission, security requirements, business
models, etc.
•
A community of financial organizations
•
OpenStack
3
Ref: www.huffingtonpost.co.uk/2013/04/23/uk-government-faces-1000-cyber-attacks-a-day_n_3138164.html
Cyber Collaboration Initiatives
•
Cyber attacks are becoming
increasingly sophisticated.
–
Hard to defend by a single
organization on its own.
•
Collaborate to enhance
situational awareness
–
Share cyber information in
community
•
M
alicious
activities
•
Technologies, tools,
procedures, analytics.
UTSA
Traditional Cyber Collaboration
•
Traditional collaboration
–
Subscription services
–
Limitations
•
Organizations Sharing information through
subscription.
•
Organizations are not actively participating in
analyzing and processing the cyber information
they submit.
•
Organizations don't directly interact with each
other on sharing activities.
UTSA
Cyber Collaboration in Community
Cloud
•
Cloud platform (community)
–
Cyber Security Committee.
–
Organizations routinely collect cyber
information.
–
Cross organization cyber collaborations.
UTSA
Community Cyber Incident Response
Governance
6
Incident Response Group
Cyber Security
Committee
Organization
Security
Specialists
External
Experts
Conditional
Membership
Shared
Information
UTSA
Assumptions and Scope
•
In a community cloud platform
•
OpenStack
•
Sharing amongst a set of organizations
–
Sensitive cyber information, infrastructure, tools,
analytics, etc.
–
May share malicious or infected code/systems (e.g.
virus, worms, etc.)
•
Focus on access control model
UTSA
OpenStack
•
Dominant open-source cloud IaaS software
–
OpenStack software controls large pools of compute,
storage, and networking resources throughout a datacenter,
managed through a dashboard or via the OpenStack API.
!
!
!
!
!
!
8 Ref: http://www.openstack.orgUTSA
OpenStack HMT
•
HMT : Hierarchical Multitenancy
–
D
9Cloud
Domain 1
Domain n
Project 1
Project p
Project q
childProject 1
childProject k
child … childProject 1
child … childProject l
Project 1
UTSA
OSAC Model with HMT
10 Users (U) Domains (D) Roles (R) User Assignment (UA) Permission Assignment (PA) Project Ownership (PO) Project-Role Pair (PRP) Projects (P) Tokens (T) User Ownership (UO) Services (S) user_token token_project Groups (G) Group Ownership (GO) User Group (UG) Group Assignment (GA) token_roles PRMS Operations (OP) Object Types (OT) ot_service One-to-one relation: One-to-multiple relation: Multiple-to-multiple relation: Project Hiearachy: Role Inheritance:
UTSA
OSAC-HMT-SID Model
11 Users (U) Project-Role Pair (PRP) Security Projects (SP) Roles (R) Project-Role Pair (PRP) Projects (P) Roles (R) User Ownership (UO) User Assignment (UA) User Assignment(UA) User Self Subscription (USS) User Assignment (UA) SIP Ownership (SIPO) Secure Isolated Domain (SID) Project-Role Pair (PRP) Expert User Ownership (EUO) Open Project Ownership (OPO) Security Project Ownership (SPO) Project-Role Pair (PRP) Secure Isolated Projects (SIP) Roles (R) Open Project (OP) Roles (R) Domains (D) Cyber Collaboration Routine Cyber Information Process Expert Users Project Ownership (PO) User Assignment (UA) Cyber Security Forum Project-Role Pair (PRP) Core Project (CP) Roles (R) Cyber Security Committee Core Project Ownership (CPO) User Assignment (UA) SIP association (assoc)
UTSA
OSAC-HMT-SID Administration Relation
and Resources Ownership
12
Cloud admin
Domain admin
Security Project admin
Project admin Core Project admin SID admin (Cloud admin) SIP admin Community Cloud Domains Secure Projects
Projects Core Project
SID
child Projects child Secure Projects SIPs
child SIPs
UTSA
OSAC-SID Administrative Model
13
• SipCreate(uSet, sip)
/* A subset of Core Project/domain admin users together create a sip */
• SipDelete(uSet, sip)
/* The same subset of Core Project/domain admin users together delete a sip*/
• UserAdd(adminuser, r, u, sp, p)
/* CP/Sip admin can add a user from his home domain Security Project to CP/sip*/
• UserRemove(adminuser, r, u, sp, p)
/* CP/Sip admin can remove a user from the Core Project/sip */
• OpenUserSubscribe(u, member, OP)
/* Users subscribe to Open Project */
• OpenUserUnsubscribe(u, member, OP)
/* Users unsubcsribe from Open Project */
• CopyObject(u, so1, sp, so2, p)
/* Copy object from Security Project to Core Project/SIP */
• ExportObject(adminuser, so1, p, so2, sp)
/* Export object from Core Project/SIP to Security Project */
• ExpertUserCreate(coreadmin, eu)
/* Core Project admin users can create an expert user */
• ExpertUserDelete(coreadmin, eu)
/* Core Project admin users can delete an expert user */
• ExpertUserList(adminuser)
/* Admin users of Core Project and SIPs can list expert users */
• ExpertUserAdd(adminuser, r, eu, proj)
/* Core Project/sip admin can add an expert user to Core Project/sip*/
• ExpertUserRemove(adminuser, r, eu, proj)
UTSA
Enforcement
14
•
Set up the cloud
SID:Cloud Admin
Core Project: Admin
Core Project: member
Assign domain admins as
Assign users from home domain as Assign expert users as
Open Project: member
Assign users from domains as
Community Cloud:Cloud Admin
Domains:Domain Admin
Security Project: Admin/member
Assign an admin user as
Admin user assign users to SP as member
Assign domain admins as
UTSA
Enforcement
15
SID: Cloud Admin
Core Project: Admin
Core Project: member
Assign domain admins as
Assign users from home domain as Assign expert users as
SIP: Admin
Create SIP/child SIP/…, assign domain admins as
SIP: member
Assign users from home domain as Assign expert users as
child SIP: Admin
child SIP: member
Assign users from home domain as Assign expert users as
child SIP’s … child SIP: Admin
child SIP’s … child SIP: member
Assign users from home domain as Assign expert users as
