Secure Cloud Computing for Critical Infrastructures

AIT Austrian Institute of Technology • ETRA Investigación y Desarrollo • Fraunhofer Institute for Experimental Software Engineering IESE • Karlsruhe Institute of Technology • NEC Europe • Lancaster University • Mirasys

• Hellenic Telecommunications Organization OTE• Ayuntamiento de Valencia • Amaris

SEcure Cloud computing

for CRitical Infrastructure IT

Aleksandar Hudic and Christian Wagner AIT Austrian Institute of Technology

Secure Cloud Computing

for Critical Infrastructures

The SECCRIT Project – Hard Facts

• Research project on secure Cloud Computing for critical infrastructure IT • 10 Partners from Austria, Finland, Germany, Greece, Spain and the UK. • Project budget 4.8 Mio, partly funded by the European Union

• Project duration 1.1.2013 – 31.12.2015 • about 61.748% of the project completed • 25 public deliverables

What are Critical Infrastructures

Motivation – Why would someone do that?

Motivation – Why would someone do that?

• Possible reduction of costs

• Pay as you use

• Managing peak loads

07.11.2014 © SECCRIT Consortium 8

• Scalable computing

resources

• Potential increased

availability

SECCRIT’s Overall Goal

analyse and evaluate cloud computing

with respect to security risks in sensitive

environments i.e. critical infrastructures

o Traffic Control

o Public Safety (CCTV)

to develop

o methodologies

o technologies,

o best practices for • secure, • trustworthy, • high assurance • legal compliant

cloud computing environments for critical infrastructure IT.

Investigate real-world problems

Problem Definition – High Level

• Requirements for cloud applications vary

o Commercial applications mainly focus on scalability & elasticity

o Requirements in CI regarding: overall redundancy, data availability, authenticity, secure access, trust and protection of the citizens are typically higher than in commercial applications.

Problem Definition – High Level

• What is the problem?

o Cloud services abstract over used resources, are opaque and make it

hard to

• determine technical reasons for (security) failure and hence make • the development of countermeasures

o This also implies, from a legal perspective, that it is hard to • determine who’s fault it is and

• to show one hasn’t acted negligent

SECCRIT Demonstrator: Traffic Control

• Gather traffic data from traffic sensors on the road

• Store traffic data in data bases

• Generate data and reports about traffic status and traffic evolution

• Analyse and relate the whole of mobility data

• Support to define mobility polices and traffic control strategies

• Control traffic on the road by Traffic Controllers, Traffic Ligths, Variable Messages Signals, etc.

• Public transportation priority by

strategies like offering traffic lights priority

Execute traffic control strategies by operators

manual actions or by automatic procedures.

SECCRIT Demonstrator: Public Safety (CCTV)

07.11.2014 © SECCRIT Consortium 14

MetroSub CitySec TelCom

The Subway Operator The Security Service Provider The Tenant System Mgmt CloudCorp The Cloud Mgmt Provider TenSys The Telecom Operator

Key Objectives

Legal Guidance on Data Protection and Evidence Understand and manage risk associated with cloud environments Understand cloud behavior in the face of challenges Establish best practices for secure cloud service implementations Demonstration of output in real-world application scenarios

Key Objectives

↔

Activities & Output

07.11.2014 © SECCRIT Consortium 16 Legal Guidance on Data Protection and Evidence Definition of legal guidance on SLA compliance, provision of evidence, and data protection for cloud services Understand and manage risk associated with cloud environments Risk Assessment and Management Methodology Policy Specification Methodology and Tool Cloud Assurance Profile and Evaluation Method Understand cloud behavior in the face of challenges Anomaly Detection Techniques and Tools Policy Decision and Enforcement Tools Cloud Resilience Management Framework Tools for Audit

Trails and Root Cause Analysis Establish best practices for secure cloud service implementations Model Driven Cloud Security Guidelines Demonstration of output in real-world application scenarios Demo 1: Storage and Processing of Sensitive Data Demo 2: Hosting Critical Urban Mobility Services Orchestration Secure Cloud Storage

SECCRIT Output

a) Techno-legal guidance

b) Novel Risk Assessment Approaches

c) Cloud Security Policy Specification and Enforcement

Framework

d) Resilience Management Framework (incl. anomaly

detection and virtual component deployment)

e) Forensic Analysis via Audit Trails for Root Cause

Analysis (incl. secure cloud storage)

f) Cloud Assurance Approaches

g) Process-Oriented Security Guideline and Best Practise

Approaches

SECCRIT Output

a) Techno-legal guidance

b) Novel Risk Assessment Approaches

c) Cloud Security Policy Specification and Enforcement

Framework

d) Resilience Management Framework (incl. anomaly

detection and virtual component deployment)

e) Forensic Analysis via Audit Trails for Root Cause

Analysis (incl. secure cloud storage)

f) Cloud Assurance Approaches

g) Process-Oriented Security Guideline and Best Practise

Approaches

Legal Questions

•

„Security Service Operator“ uses cloud services

•

Uses integrated analysis

cloud service (B-AG) and

video management cloud service (C-AG)

•

Analysis cloud service + video management

run on virtual server

•

video management cloud service

uses DB (Y-AG)

•

Y-AG uses storage service

What do we mean when we talk about Cloud?

07.11.2014 © SECCRIT Consortium 22

R. Bless, Flittner, M., Horneber, J., Hutchison, D., Jung, C., Pallas, F., Schöller, M., Shirazi, S. Noor ul Ha, Simpson, S., and Smith, P., “Whitepaper"AF 1.0" SECCRIT Architectural Framework”. 2014. (and IEEE CloudCom)

Cloud Risk Assessment

• There are different stakeholder viewpoints to consider

o

The Cloud Service Provider

• In SECCRIT is decomposed into sub roles, including the Tenant and Cloud Infrastructure Provider

o

The Critical Infrastructure Service Provider

• When should an assessment be performed?

o At the point of

deployment

, to determine whether to use the Cloud and/or

which provider and deployment model to use

o During the

operation

of a service, e.g., periodically or in response to

changes in the deployment environment caused by scaling

Major Contributions

1.

An analysis of risk perceptions regarding the use of cloud

o Performed on an individual and organisational basis

2.

An extensive

cloud-specific

threat and vulnerability catalogue that

can support a risk assessment

3.

An extension to a standard risk assessment process to support

critical infrastructure service providers determine the risk of cloud

deployment

o Supported by the SECCRIT threat and vulnerability catalogue and the open-source Verinice ISMS tool

4.

Identified a set of cloud infrastructure metrics that could be used to

support online risk assessment

The SECCRIT Threat and Vulnerability Catalogue

Primary data sources:

1. Performed an extension literature survey of existing catalogues and organisations of threats and vulnerabilities, e.g., CSA’s “Notorious Nine” 2. Carried out a structured security analysis, based on the SECCRIT

architectural framework and different deployment models 3. Leveraged findings from the cloud risk survey

07.11.2014 © SECCRIT Consortium 26

Management-oriented View

Box model Virtual environment

Local scaling Resource pooling

The SECCRIT Threat and Vulnerability Catalogue

•

Organised items into categories – NIST’s essential characteristics of

cloud computing at the core

Cloud Risk Deployment Assessment Process

Conclusion

•

Four major contributions:

1.

An analysis of risk perceptions regarding the use of cloud

2.

An extensive cloud-specific threat and vulnerability catalogue

3.

Extension to a standard risk assessment process to support critical

infrastructure service providers determine the risk of cloud

deployment

4.

Cloud infrastructure metrics that could be used to support online risk

assessment

•

The threat and vulnerability catalogue is being put forward as a

contribution to the ETSI ISG on Network Function Virtualisation

(NFV)

Cloud Assurance Framework

Assurance Level

1-7

MONIT

O

RING ARTIF

ACTS

Aspects of Assurance

Research questions / challenges

R. Bless, Flittner, M., Horneber, J., Hutchison, D., Jung, C., Pallas, F., Schöller, M., Shirazi, S. Noor ul Ha, Simpson, S., and Smith, P., “Whitepaper "AF 1.0" SECCRIT Architectural Framework”. 2014. (and IEEE CloudCom)

How to assure that security properties

are met across distinct cloud layers

with different stake holders?

How to derive continuous assessment

of security properties across the

clouds architecture?

How can security be assessed,

measured or scaled in respect to a certain predefined set of security properties (assurance levels)?

How to aggregate/inherit security

across different stake holders in

Cloud?

Levels of Abstraction (The SECCRIT architecture)

Security properties

07.11.2014 © SECCRIT Consortium 34

• Security-aware SLA specification language and cloud security dependency model

• Certification models

• Core Certification mechanisms

• Methodologies for Risk Assessment and Management

• The Notorious Nine: Cloud Computing Top Threats in 2013

Identified categories/properties

ID SECURITY PROPERTY CATEGORY VULNERABILITY THREATS DEPENDENCIES

SP_1 User Authentication and

Identity assurance level Identity Assurance

Loss of human-operated control point to verify security and privacy settings

Data Breaches , Data Loss, Shared Technology Vulnerabilities

None Insufficient authentication security, e.g., weak

authentication mechanisms, on the cloud management interface

Account or Service Traffic Hijacking Insecure Interfaces and APIs, Malicious Insiders

SP_2

Data deletion quality level Data Disposal Data recovery vulnerabilities, e.g., unauthorised access to data in memory or on disk from

previous users

Data Breaches, Account or Service Traffic Hijacking, Insecure Interfaces and APIs, Malicious Insiders,

Insufficient Due Diligence

None

SP_3

Storage Freshness Durability Data recovery vulnerabilities, e.g., unauthorised access to data in memory or on disk from

previous users

Data Breaches, Account or Service Traffic Hijacking, Insecure Interfaces and APIs, Malicious Insiders,

Insufficient Due Diligence

None

SP_4

Data alteration prevention / detection

Integrity Poor/ no integrity checks of the billing information Data Breaches

Insecure Interfaces and APIs Insufficient Due Diligence

SP_1, SP_2, SP_3

SP_5

Storage Retrievability Durability Poor/ no backup & restore strategy is in place to prevent the loss of billing information, e.g., in the

case of a system failure

Data Breaches

Insecure Interfaces and APIs Insufficient

Due Diligence SP_4

SP_6

Data leakage detection / prevention

Data Leakage Poor/ no encryption of the VM data through a wide-area migration process

Data Breaches Malicious Insiders Shared Technology Vulnerabilities

SP_5

SP_7 Cryptographic module

protection level Key Management

Unmonitored and unencrypted network traffic between VMs is possible, e.g., for VMs on the

same node through virtual network Unencrypted physical storage, which is the underlying for allocated virtual storage of the

VMs

Insufficient Due Diligence Shared Technology

Vulnerabilities Data Breaches Malicious Insiders

07.11.2014 © SECCRIT Consortium 36 GROUP OF EVALUATION

Assurance Assessment Framework

Virtual Infrastructure  Level Tenant  Physical Infrastructure Level Cloud Infrastructure Application Level  Critical Infrastructure ABSTRACTION LEVEL User Level Target of Evaluation

Common Criteria Framework for Information Technology Security Evaluation, CCDB USB Working Group, 2012, part 1-3. Online available: http://www.commoncriteriaportal.org.

GROUP OF EVALUATION

Framework elements:

• Component of Evaluation (CoE)

o Component dependencies (CD)

o Association (AS)

• Group of Evaluation (GoE)

• Target of Evaluation (ToE)

Assurance Profile:

o Assurance Type (AT)

o Assurance Properties (AP) o Assurance Class (AC) o Security Objectives (SO) o Assessment Interval (AI)

Initial assurance policy set

INITIAL POLICY SET

∀AL_K∈AC_X:  !∃VS,  (1) VS = {SPV₁, SPV₂… SPV_N}, (2) SPVi= [ SP₁, SP₂, SP₃, SP₄], SP_i= {0,1} (3) ∀VS ∈ AL_K:  !∃SPVi, i∈ (4) ∀SPVi∈AC_X: |SPVi| = k (5) AC_X= {SPV₁, SPV₂, SPV₃, … SPV_n} (6) ∅ (7) ACS_AL= ⍝AC_X (SPV_i) ,  AC_X∈CoE_M, i∈{1…N} (8)

ACS_AL(i) ⊢DAL_VS(i) (9)

AL_VS⊆ DAL_VS (10)

(DAL_VS(i) ∧AL_VS(i)) ⇒AL(AC_X)=i, AC_X∈CoE_M (11)

!∃ALi⊧ ∀Min(CALj)  i∈{1…7}, j∈{1…N} (12)

• Each assurance class is associated with at least on vector set

• Vector set is a compound of N Security Property vectors

• Security Property Vector is a set of K Security Properties associated with true or false

• Each Vector Set of a particular Assurance Level is associated with

• All Security Property Vectors in a class have the same cardinality

• Assurance Class is a compound of distinct Security property vectors

• Individual SPV can be found only at one Assurance class

• Bitwise conjunction of Security property vector bits of an individual Assurance Class

• Assurance Class of the evaluated object directly depends on the assurance of the associated components

Service abstraction

07.11.2014 © SECCRIT Consortium 38

Service/infrastructure abstraction via the General tree model:

Clustering assurance class properties to a particular assurance level

Prototype use cases analysis

(a)

(b) GENERAL TREE MODEL ANALYSIS:

• tree traversal post order method • level based bit conjunction

Assurance calculation algorithm

07.11.2014 © SECCRIT Consortium 40

begin procedure: for i=k … i=1 do

if (∀ CoE_C (SPV[i]) ∃! AL_M,M ∈ {1,2,…,7}) { AL = M;

end procedure }

else if (∏ CoE SPV i 0) { discard ∀ SPV where SPV[i] =1; continue;

}

else (∏ CoE SPV i 1) { discard ∀ SPV where SPV[i] =0; continue;

}

end procedure

Algorithm steps:

1. Bitwise conjunction SPV[i] for each vector in an Evaluated Vectors Set 2. Reducing the potential combination

set

Future work

• Building a comprehensive security property catalogue in line with the

critical infrastructure requirements (

demo partner feedback

)

• Investigating whether the current Cloud monitoring tools are capable of

conducting

cross layer monitoring

or

supporting assurance approach

• Demonstrating the approach by applying it on

general demo scenario,

Conclusion

• customizable framework for analyzing predefined set of

security properties across the cloud stack

• user and provider centric

• advanced and transparent monitoring model across

cloud stack

• autonomic and cumulative analysis of the cloud

infrastructure

• technology independent assessment framework

• integration of exiting work of SECCRIT project e.g.:

monitoring

,

root cause

and

forensic analysis tools

,

legal

requirements

,

vulnerability catalogue

AIT Austrian Institute of Technology • ETRA Investigación y Desarrollo • Fraunhofer Institute for Experimental Software Engineering IESE • Karlsruhe Institute of Technology • NEC Europe • Lancaster University • Mirasys

• Hellenic Telecommunications Organization OTE• Ayuntamiento de Valencia • Amaris

SEcure Cloud computing

for CRitical Infrastructure IT

Contact

Aleksandar Hudic, Christian Wagner

AIT Austrian Institute of Technology