Cloud Software
Cloud Security
Juha Röning,
Oulu University Secure Programming Group
Introduction
• Cloud computing and information security
• In many ways nothing new
– Still about confidentiality, integrity, availability etc.
• Still, times are changing
• Diminishing perimeters
– AV, Firewalls, IDS etc. no longer that effective
• Trust
– Complex trust boundaries, much trust placed in the hands of few players, e.g. Certification Authorities (Comodo, DigiNotar), RSA SecurID, Google, Facebook
• Privacy
– More important than ever
• New technologies bring new challenges
Introduction
• Lean transformation
• Ready-made high-level components, which are integrated to build cloud services
– Infrastructure, web service frameworks, authentication mechanisms, databases, etc.
• Obviously services should be built from secure components
• Integrating the components in a secure manner
• Building security in
Developing secure software?
(Traditional and somewhat more modern
Summary of findings so far
• Secure can fit into Agile, but finding optimal ways is not easy
• Iteratively bring new ways of working into the organization
• Automate security as much as possible
• Risk analysis is important
– Traditionally heavy-weight/expensive but does not have to be
Use of Security Metrics in Risk Analysis and Agile SW Development: Background
• Industrial pilot study carried out during 2011 at Ericsson Networks
• Technical target: Ericsson’s Media Gateway product that is part of a Mobile Softswitch Solution
• Process context: Adapted integration of Ericsson’s three-stage Risk Analysis (RA) and Agile SW Development practices (Scrum + Kanban) = RA/AD
• Co-operation: Ericsson, VTT, Aalto University
• What was done in the pilot
• Integration of hierarchical security metrics development process into RA/AD
• Several partial hierarchical security metrics models for the target using MVS tool (a security metrics management tool developed by VTT)
• Experiences of the potential of metrics use and constraints were gathered
Hierarchical security metrics models enable relating security objectives and detailed measurements. The MVS tool increases manageability and visualization of them (screenshot from MVS)
Security Metrics in Risk Analysis and Agile SW Development: Findings
• Potential of security metrics
• Early visibility of security effectiveness during first iterations of RA
• Metrics support systematization and traceability of risk-driven objectives and requirements during all stages of R&D
• Individual metrics do not offer enough benefits, collections are needed
• Management and visualization tools are needed to cope with collections of metrics
• Constraints
• Extra work needed for metrics development (tools help)
• Tools still at prototype level
• Lack of useful taxonomies and metrics collections
• Information collection if not taken into account early enough in the product design
Ericsson’s 3-stage RA process and security metrics:
RA1: Product requirements are defined, any security evidence can be part of metrics modelling
RA2: Product is being specified, metrics emphasize correctness (especially compliance to regulations and standards)
RA3: Product is designed and verified, metrics emphasize effectiveness and correctness
More information: Reijo Savola (VTT), Ari Pietikäinen (Ericsson), Christian Frühwirth (Aalto)
Protocols and the cloud
Consolidation in lower-level protocols, previous “application-level” protocols are now transports
TCP/IP, SSL/TLS, HTTP, ...
New protocols on top of the old ones
HTML5, XML, JSON, ...
Cloud services themselves run on top of these
File formats are now parts of these new protocols
Browser robustness
Web browsers are the primary way of accessing cloud services
Install base of hundreds of millions
Attack surface (LOC parsing untrusted data) enormous
Even stand-alone applications often utilize same browser engines/libraries
Maps, iTunes, game console stores etc.
Vulnerabilities have been found, and effects have sometimes been serious
Can we systematically find vulnerabilities?
[Figure labels: Radamsa; web services, map services, cloud-based VoIP system; cloud terminal; libraries and applications]
Robustness testing
• Systematically collect samples of cloud protocols
• Infer structure and use as basis for generating test cases
• Instrument system and catch unique crashes
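An added example, not from the original slides or from Radamsa: a minimal Python sketch of the sample-based loop above (collect samples, derive test cases, catch unique crashes). The parser `parse_tlv`, its record format and the samples are hypothetical and constructed for illustration, and a single byte-level mutation stands in for structure inference.

```python
import random
import traceback

class ParseError(Exception):
    """Clean, expected rejection of malformed input."""

def parse_tlv(msg):
    """Hypothetical toy target: repeated tag(1) len(1) value(len) records."""
    fields, i = {}, 0
    while i < len(msg):
        tag, length = msg[i], msg[i + 1]            # flaw: truncated header
        value = msg[i + 2:i + 2 + length]
        if tag == 1:
            fields["name"] = value.decode("ascii")  # flaw: unchecked decode
        elif tag == 2:
            fields["ratio"] = 100 // value[0]       # flaw: empty or zero value
        else:
            raise ParseError(f"unknown tag {tag}")
        i += 2 + length
    return fields

# Constructed samples standing in for collected protocol messages.
SAMPLES = [b"\x01\x05alice\x02\x01\x04", b"\x02\x01\x0a\x01\x03bob"]

def mutate(rng, data):
    """Derive a test case from a sample with one bit flip or byte drop."""
    buf, pos = bytearray(data), rng.randrange(len(data))
    if rng.random() < 0.5:
        buf[pos] ^= 1 << rng.randrange(8)
    else:
        del buf[pos]
    return bytes(buf)

def crash_signature(target, data):
    """Return (exception name, line) for an unexpected exception, else None."""
    try:
        target(data)
    except ParseError:
        pass  # rejecting bad input cleanly is the desired behaviour
    except Exception as exc:
        return type(exc).__name__, traceback.extract_tb(exc.__traceback__)[-1].lineno
    return None

def fuzz(target, samples, iterations, seed):
    rng, unique = random.Random(seed), {}
    for _ in range(iterations):
        case = mutate(rng, rng.choice(samples))
        if (sig := crash_signature(target, case)) is not None:
            unique.setdefault(sig, case)  # keep first input per unique crash
    return unique
```

Calling `fuzz(parse_tlv, SAMPLES, 5000, seed=1)` returns one reproducing input per distinct crash site, which is the triage unit a developer needs to fix each flaw once.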
Results
During 2010-11 systematic testing of web browser, support library & plugin robustness
HTML, XML, SVG, PNG, jpeg, pdf
~= 50 bugs, 20 with potential security implications
Work required to run individual tests: minimal
Effort on understanding how this can be made even more effective
Actual result:
Nearly completely automated robustness testing of large code bases is both feasible
Next: robustness testing deep in the cloud
Summary of robustness testing in the cloud
• Protocols actually used in the cloud are no longer well specified
• Though they are based on standards like XML
• Traditional methods for robustness testing cannot be easily used
• Sample-based ones can be effective
Some technical challenges studied and remaining
• Virtualizing both hosts and networks securely
– Large cost savings and new risks (Bachelor’s thesis)
• Authentication
– GBA/OpenID (SIM card) integration to OpenStack successfully demonstrated in project
• Trust
– Trusting the right parties and trusting them barely enough,
• Scaling the link layer securely to thousands of hosts