An Investigation of Chinese Wall Security in Cloud Computing


An Investigation of Chinese Wall Security in Cloud Computing

by

Sreeprasad Govindankutty

A Project Report Submitted

in

Partial Fulfillment of the

Requirements for the Degree of

Master of Science

in

Computer Science

Supervised by

Rajendra K. Raj

Department of Computer Science

B. Thomas Golisano College of Computing and Information Sciences

Rochester Institute of Technology

Rochester, New York

November 2013


The project “An Investigation of Chinese Wall Security in Cloud Computing” by Sreeprasad Govindankutty has been examined and approved by the following Examination Committee:

Rajendra K. Raj, Professor
Project Committee Chair

Xumin Liu, Assistant Professor

Christopher Homan, Associate Professor


Dedication

I dedicate my Master’s project to my beloved wife Dhrissia Raveendran, my parents, my sister and my many friends. A special gratitude for my loving parents for pushing me to


Acknowledgments

First, I would like to thank my master’s advisor, Professor Rajendra K. Raj, for his invaluable insight and inspiring guidance, which motivated me to work on and research this topic. I thank my beloved wife Dhrissia Raveendran. Without her support, this work would never have been completed. I would also like to thank my friend Pooja Desai, who has always been a friend and helped me throughout the conception of this project idea. I would also like to thank my committee members for helping me improve this project. Finally, I would like to express my sincere thanks to the Department of Computer Science at Rochester Institute of Technology for providing me with such an opportunity to explore and publish my views and ideas on my topic.


Abstract

An Investigation of Chinese Wall Security in Cloud Computing

Sreeprasad Govindankutty

Supervising Professor: Rajendra K. Raj

The goal of this project is to model a framework that implements the Chinese Wall Security Access Policy (CWSAP) in a cloud computing environment. In 1989, Brewer and Nash proposed the Chinese Wall Security Policy as an intriguing commercial security access control model for the financial world. The policy was accepted, but the model proposed was incorrect. A data center is the most important constituent of a cloud computing platform. An insecure information flow threat inherently exists in the cloud environment paradigm because the service provider can access multiple virtual machines in the cloud. These virtual machines are key access points to resources that may hold time-sensitive information of multiple clients. Information can be leaked to unauthorized customers, and such critical information leaks could raise conflict-of-interest (COI) issues in cloud computing. Preventing information leakage in a workflow is necessary to protect the privacy and integrity of data stored in the cloud. The CWSAP model allows no information to flow between subjects and objects where that flow would create a conflict of interest. This model is most useful in financial institutions where the Sarbanes-Oxley Act is enforced.

There are other solutions, such as the decentralized workflow environment presented by Minsky, that implement CWSAP in a distributed environment to protect data on the cloud. But the trade-off with this solution is the cost of running and managing the implementation on the cloud. This project implements and tests a framework that implements the Chinese Wall Security Access Policy (CWSAP) in the cloud paradigm at the Infrastructure-As-A-Service level. The term Infrastructure as a Service (IaaS) refers to a combination of hosting, hardware, provisioning and basic services needed to run a cloud computing service. This layer offers security to protect virtual machines that can access any resources that hold valuable and key sensitive information. In this project, a model framework that implements CWSAP on the Eucalyptus cloud platform is built; it makes policy access decisions dynamically based on the Conflict of Interest (COI) class the user belongs to. In this project, I have explored various scenarios where information flow can cause severe security concerns. The proposed implementation helps to prevent information leakage in the cloud by analyzing COI classes and preventing information flow within the same COI class. The framework presented also permits the COI class of users to be changed dynamically in emergency conditions, provided certain conditions are met so that CWSAP is not violated. The framework implemented in this project works best if competing business models are identified and grouped under the same COI class. I have learnt that information leakage is most likely at the infrastructure layer of the cloud platform. This layer holds actual user information and should be protected against unauthorized access from both outside and inside users.


Contents

Dedication. . . iii

Acknowledgments . . . iv

Abstract . . . v

1 Introduction. . . 1

1.1 Need for Access Control Model . . . 2

1.2 Background . . . 4

1.2.1 Cloud to store data . . . 4

1.2.2 Privacy . . . 5

1.2.3 Confidentiality and Integrity in cloud . . . 6

1.2.4 Chinese Wall Security Access Policy ( CWSAP) . . . 7

1.2.5 Conflict Of Interest (COI) Class . . . 8

1.2.6 Flexible Automatic enforcement of Security Policies . . . 10

1.2.7 Infrastructure-As-A-Service . . . 11

1.3 Related Work . . . 11

1.3.1 Read Write rules using Restrictive Partition . . . 11

1.3.2 Decentralizing Workflow environment . . . 12

1.3.3 Least restrictive enforcement of Chinese Wall Security Policy . . . 12

1.4 Problem Statement . . . 13

1.5 Hypothesis . . . 14

1.5.1 Security . . . 14

1.6 Roadmap . . . 15

2 Design . . . 16

2.1 Cloud Computing platform . . . 16

2.2 System architecture . . . 17


2.4 Subject property . . . 18

2.5 Policy enforcement . . . 19

2.5.1 Object creation . . . 19

2.5.2 Object sharing . . . 19

2.6 Meet in the middle . . . 20

2.7 Child Owners . . . 20

2.8 Demon Owners . . . 22

3 Implementation . . . 24

3.1 Eucalyptus Cloud Computing Platform . . . 24

3.2 Functional Components . . . 25

3.2.1 Registration Manager . . . 25

3.2.2 Authentication Manager . . . 25

3.2.3 Euca2ools . . . 26

3.2.4 Security Manager . . . 26

3.2.5 Instance Manager . . . 27

3.2.6 COI management . . . 27

3.2.7 Image Manager . . . 27

3.2.8 Communication protocol . . . 27

4 Analysis . . . 29

4.1 Testing environment . . . 29

4.2 Hypothesis Analysis . . . 29

4.2.1 Policy Component . . . 30

4.3 Testing CWSAP by accessing COI classes . . . 31

4.3.0.1 Testing CWSAP by accessing same COI class . . . 31

4.3.0.2 Testing CWSAP by accessing different COI class . . . 32

4.3.0.3 Testing CWSAP by sharing same COI class . . . 33

4.3.0.4 Testing CWSAP by accessing demon owners . . . 34

4.3.0.5 Testing CWSAP by accessing sanitized group . . . 34

4.3.0.6 Testing CWSAP by changing COI class . . . 35

4.3.1 Summary . . . 36

5 Conclusions . . . 38

5.1 Current Status . . . 38


5.2.1 Delegation of Right . . . 39

5.2.2 Web page for easy auditing . . . 39

5.2.3 Flexibility in changing class of Business models . . . 40

5.2.4 Management Non Public Information . . . 40

5.3 Conclusion . . . 40

Bibliography . . . 42


List of Figures

1.1 Insecure Information Flows in Cloud environment . . . 3

1.2 Computing stack in cloud environment . . . 5

1.3 The Composition of Objects in Cloud environment . . . 9

2.1 System Architecture . . . 18

2.2 COI classes, Sanitized group and VM . . . 21

2.3 Demon Owners. Bob owned objects 1 and 2 before leaving the company. Once Bob left the company, objects 1 and 2 are owned by the Demon Owner . . . 23

3.1 High level block diagram of access control in Eucalyptus . . . 25


Chapter 1

Introduction

Cloud computing shifts the location of computing infrastructure to the network, offered as a service. This enhances collaboration, scale, agility and availability, and permits companies to spin up or drop resources as the business requires. It provides users with scalable resources in a pay-as-you-use fashion at relatively low cost. Since a service provider can access multiple cloud virtual machines where various customers’ data are stored, insecure information flows may occur, which is one of the drawbacks of the cloud solution.

In this project, a model framework is presented that implements the Chinese Wall Security Access Policy (CWSAP), with the flexibility to change COI class, to securely block unauthorized access to resources in a cloud data center. This project implements a system that ensures that the information flow between virtual machines is secure and that any unauthorized access to a virtual machine is prevented. Consider a financial investment firm where many financial analysts serve multiple corporate clients. All the financial analysts have secure access to proprietary client data. This trust must be managed by the cloud platform that offers the virtual machines holding the proprietary client data. Even when two analysts have the same access control policies, the implementation of the policy by the cloud platform must restrict information flow between analysts who work for clients with competing business interests. CWSAP, applied in the infrastructure layer of the cloud environment, prevents information leakage [8] through authorized access. In this project, CWSAP applied to the infrastructure layer groups subjects and objects into Conflict Of Interest (COI) classes. Since conflict of interest is anti-reflexive, symmetric and anti-transitive, CWSAP guarantees that information will not flow to unauthorized users.


CWSAP restricts access to information between subjects and objects where such access would create a conflict of interest. Eucalyptus is the open source cloud platform on which CWSAP is implemented. CWSAP models access to information by subjects (users) through objects (virtual machines). A subject in a cloud environment is a user who has access to the objects, the virtual machines where data is stored. An object is a virtual machine of the cloud platform that grants access to resources that hold information. Objects that belong to the same security group belong to the same COI class, and objects that belong to different COI classes belong to different security groups. An access operation is a subject's ability to read and write resources by accessing virtual machines. The relationship between subjects and objects can be one-to-one, one-to-many or many-to-many.

1.1 Need for Access Control Model

The main challenge for data stored in cloud infrastructure is that the owner of the data does not have full control over it. Anyone who has access to the virtual machine that holds the data can access the data. Therefore it is absolutely essential to protect virtual machines, including the access policies that govern authentication, permissions and management of the user accounts that have access to the virtual machines holding storage systems and shared resources.

Suppose a service company provides business consulting services and uses a cloud infrastructure. This service company has clients including JPMorgan Chase & Co., Bank of America (BoA) and Citigroup, and chip manufacturing companies including Motorola and Samsung. The customers of this service provider need to outsource their consulting-related information to virtual machines (VMs) running on the cloud infrastructure. Now suppose Samsung decides to purchase a new RAM technology and needs investment from banks to fund this acquisition. Due to their business and financial interests, all three banks are competing to provide the investment to Samsung. Since the consulting company has access to all the virtual machines in the cloud, it is very likely that the consulting company may help one of the banks gain the contract with Samsung by leaking bidding information and details to other banks for personal gain. This causes immense financial loss to the other banks. Samsung and Motorola may also store sensitive information in the cloud infrastructure, which the consulting company has access to. This can cause information leakage through consulting executives who have access to the virtual machines holding information of Samsung and Motorola. The yellow arrows in Figure 1.1 show insecure information flows within the cloud infrastructure. This scenario demonstrates the possible existence of insecure information flow at a data center in a cloud computing environment: sensitive information shared between competing banks such as BoA and Citi, and between competing businesses such as Samsung and Motorola. This causes conflict of interest issues.

Figure 1.1: Insecure Information Flows in Cloud environment


information leakage. Enforcing CWSAP in the infrastructure layer permits access to resources only after ensuring that the user does not belong to the same COI class. This ensures confidentiality of information and protects against information leakage between virtual machines that hold sensitive information in the cloud.

1.2 Background

1.2.1 Cloud to store data

Many large corporations have now moved to the cloud to store data. The cloud offers a technology that scales very quickly. Cloud storage means companies pay only for the storage space that is actually needed to store their data. The data stored in the cloud is available at all times to the authorized users permitted to access the virtual machines holding the data. Data stored in the cloud can also be encrypted to protect against malicious attacks.

Every company uses different layers of a cloud environment to interact with users. Software-As-A-Service (SaaS) is the topmost layer in the cloud, where software applications can be deployed. Users interact with the cloud through a web browser and access software applications deployed on the cloud. Typically, a Software-As-A-Service provider hosts and manages software applications in its own data centers. Sometimes SaaS providers run on other cloud service providers’ Platform-As-A-Service (PaaS) or Infrastructure-As-A-Service (IaaS) services. Salesforce.com and NetSuite are examples of SaaS applications. The middle layer that the cloud offers is Platform-As-A-Service (PaaS). This layer offers a platform for the development and deployment of software applications, including the database, middleware and development tools required for the complete life cycle of software applications on the cloud. Google App Engine is an example of PaaS.

The bottom layer is Infrastructure-As-A-Service (IaaS). This layer delivers server, storage and network (hardware) and operating system virtualization technology (software) to users of the cloud. This layer offers the physical infrastructure and software services that hold and process user data. Information leakage is most likely to occur at this layer.


Hence policy enforcement for provisioning and decommissioning resources must be implemented in this layer. This project presents a framework where CWSAP is implemented in the infrastructure layer of the cloud. The computing stack in a cloud environment is represented in Figure 1.2.

Figure 1.2: Computing stack in cloud environment

1.2.2 Privacy

Storing data on the cloud by its very nature results in storing information in storage infrastructure that is not owned by the organization that owns the data. In addition, the data of one user is stored alongside that of many other users. Thus the current cloud service environment poses an inherent security challenge to data privacy, because it typically results in data being exposed, often in unencrypted form, on a machine that is owned by the cloud service provider and operated by an organization different from the data owner. For instance, a consultant who offers business advice to a client operates the virtual machines in the cloud holding sensitive information about the company he advises. Thus today the notion of privacy goes beyond the traditional description of customer data. The cloud infrastructure should offer protection of organizational privacy, which includes intellectual property constraints.

1.2.3 Confidentiality and Integrity in cloud

Confidentiality refers to limiting access to information to authorized users only. Unauthorized users should not be able to access any information. Confidentiality policies are often distinguished from privacy policies in that confidentiality policies express the interests of organizations, whereas privacy policies protect the interests of the individual user (Anderson, 1996). In the cloud paradigm, confidentiality refers to the assurance that information will not be disclosed to unauthorized persons, processes or devices. This problem is addressed by applying the CWSAP proposed by Brewer and Nash [2] to the infrastructure layer of the cloud computing paradigm. CWSAP ensures that no subject can access information from a virtual machine belonging to the same COI class. A subject can access information only if the information resides in a virtual machine that belongs to a different COI class. Integrity of data refers to the trustworthiness of information resources. In the cloud computing paradigm, this means data must not have been changed inappropriately, whether by accident or by deliberate activity. Owners of the data no longer possess their data locally, so the correctness of the data distributed across cloud servers must be guaranteed. This relates to data confidentiality: when unauthorized personnel belonging to the same COI class can access information, data integrity cannot be guaranteed. Thus an Infrastructure-As-A-Service provider must offer security against any adversary interested in corrupting the confidential information stored in cloud virtual machines.


1.2.4 Chinese Wall Security Access Policy (CWSAP)

The heterogeneity of services offered by the cloud demands access control mechanisms that are very granular and prevent unauthorized use of cloud resources and services. The Chinese Wall Security Access Policy (CWSAP) [2] proposed by Brewer and Nash ensures that no information can flow between subjects and objects where that flow would create a COI. A cloud storage engine stores and processes sensitive information. Policies for determining access to virtual machines in the cloud have to be derived to prevent information leakage. Enforcing CWSAP at the IaaS layer prevents this information leakage.

Consider a client who controls virtual machines that hold sensitive information. A consulting company that the client works with needs to have access to these virtual machines holding this key sensitive data. Every virtual machine that a consultant has access to is associated with the name of the company dataset and the COI class the object belongs to. The subject is the consultant in the system who tries to access the object. If the decision rules that there is no violation of CWSAP, access to the VM is granted; if the decision rules that there is a violation, no access is granted. In a cloud instance, this composition of objects is shown in Figure 1.3.

Here the objects are virtual machines holding financial documents containing sensitive information about each company. An object has the following properties:

• Each object has a many-to-one relationship, within a cloud instance, with the security group that has access to the object.

• Each security group in a cloud instance has a many-to-one relationship with a Conflict Of Interest (COI) class.

The subject is a consultant who tries to access virtual machines (objects) in the cloud. Each subject has access to all objects in the same security group. A subject also has access to objects that belong to a different COI class from the security group that he already has access to. Any object in the common sanitized security group is accessible to all users and to all security groups. The objects that belong to the sanitized group usually provide utility services; objects in the sanitized group will not store any customer-related information.

Consider a consultant Bob who has access to, and provides investment advice to, BoA, Chase and Citigroup, and who offers business consulting services to Motorola and Samsung. Bob will have access to the sanitized group of virtual machines. Bob, because of the nature of his consulting, will also be eligible to access the instances of virtual machines holding sensitive information of the BoA, Chase, Citi, Motorola and Samsung groups. If Bob has provided investment advice to the Chase group, then Bob needs access to the virtual machines holding the Chase group. Once Bob accesses this information from the instances that hold the Chase group, Bob will not have access to any instance that belongs to the Citi or BoA groups. This is because Citi, BoA and Chase belong to the same COI class. However, Bob still has access to the Motorola and Samsung instances. If Bob, on the other hand, accesses information belonging to the Motorola group, then Bob loses access to the instances running the Samsung group. Within Samsung, if Bob decides to review information about investment portfolios for an acquisition that involves the BoA, Chase and Citi groups, then he can choose to access information for only one of the competing banks related to that investment. This means that if Samsung is planning an acquisition and all three banks are competing to invest in Samsung, then at the time of opening the virtual machine holding the document related to the acquisition, the consultant will be offered a choice of one of the banks for whom the consultant may advise on the investment. But the consultant cannot advise all three banks on investing in Samsung for this acquisition. Thus the next access to data is always constrained by what data the user has previously accessed.
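The access decision described above, as an added example that is not the project's code: a small Python model of the Brewer-Nash simple security rule using the page's vocabulary (VMs as objects, each holding one company dataset, each dataset in one COI class, plus a sanitized group readable by everyone), walked through Bob's sequence of accesses. The VM names, the two COI class labels and the `bob_scenario` helper are constructed for illustration.

```python
from dataclasses import dataclass, field

SANITIZED = "sanitized"   # the common sanitized security group: no customer data


@dataclass(frozen=True)
class VM:
    name: str
    dataset: str       # company whose data the VM holds, or SANITIZED
    coi_class: str     # conflict-of-interest class of that dataset, or SANITIZED


@dataclass
class Subject:
    name: str
    # access history: for each COI class, the one dataset this subject has touched
    history: dict = field(default_factory=dict)

    def may_access(self, vm: VM) -> bool:
        """Brewer-Nash simple security rule.
        Allowed if the VM is in the sanitized group, if the subject has never
        touched any dataset in the VM's COI class, or if the VM's dataset is
        the one already accessed in that class."""
        if vm.coi_class == SANITIZED:
            return True
        prior = self.history.get(vm.coi_class)
        return prior is None or prior == vm.dataset

    def access(self, vm: VM) -> bool:
        """Attempt an access and, on success, record it: the wall goes up
        around the rest of the COI class after the first access."""
        if not self.may_access(vm):
            return False
        if vm.coi_class != SANITIZED:
            self.history[vm.coi_class] = vm.dataset
        return True


def bob_scenario() -> dict:
    """Walk through the Bob example of section 1.2.4; returns the decision
    for each step, keyed by step name.  All names are constructed."""
    banks, chips = "COI-banks", "COI-chips"
    vms = {
        "chase": VM("vm-chase", "Chase", banks),
        "citi": VM("vm-citi", "Citi", banks),
        "boa": VM("vm-boa", "BoA", banks),
        "motorola": VM("vm-motorola", "Motorola", chips),
        "samsung": VM("vm-samsung", "Samsung", chips),
        "util": VM("vm-dns", SANITIZED, SANITIZED),
    }
    bob = Subject("Bob")
    results = {}
    results["sanitized"] = bob.access(vms["util"])       # utility VM: always allowed
    results["chase"] = bob.access(vms["chase"])          # first bank touched: allowed
    results["citi"] = bob.access(vms["citi"])            # same COI class: denied
    results["boa"] = bob.access(vms["boa"])              # same COI class: denied
    results["chase_again"] = bob.access(vms["chase"])    # same dataset again: allowed
    results["motorola"] = bob.access(vms["motorola"])    # different COI class: allowed
    results["samsung"] = bob.access(vms["samsung"])      # now walled off by Motorola
    return results


if __name__ == "__main__":
    for step, allowed in bob_scenario().items():
        print(f"{step:12s} -> {'allowed' if allowed else 'denied'}")
```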

1.2.5 Conflict Of Interest (COI) Class

Security threats are conventionally thought of as attacks on the system from outsiders. However, in a cloud environment, security problems can easily arise within a well-controlled environment from authorized insiders. This means that the cloud infrastructure should be able to secure the system from attacks from outside as well as prevent information leakage from authorized insiders that arises due to conflict of interest. Conflict of interest can be modeled as a conflict between the private interest and the official responsibility of a person in a position of trust. For example, consider a consulting company that offers investment advice to other companies. A business consultant from this firm offers investment advice to Motorola. Since the business consultant works closely with Motorola, the consultant is privy to a great deal of non-public information. This information is not, and should not be, available to other colleagues working for the same consulting firm. In particular, it should never be available to colleagues working for the same consulting firm but for competing companies such as Samsung. However, since all ranks of business consultant share the same access rights within the consulting firm, information leakage is possible.

Figure 1.3: The Composition of Objects in Cloud environment

This is where CWSAP comes into the picture. CWSAP prevents information flow between objects that belong to the same COI class. Information flow is permitted only between objects of different COI classes. However, there may be legitimate situations when users belonging to the same COI class need access to resources. The framework modeled in this project is capable of dealing with such problems as well.


To ensure that insecure information flow is prevented between two competing issuers that leverage the cloud environment, the virtual machines that hold their information should be classified as belonging to the same COI class. This ensures that the privacy and security of the two competing issuers are protected. This situation is abstracted and modelled in the framework presented in this project. Trusted issuers are grouped into “Conflict Of Interest” classes, and sharing of resources held by virtual machines is permitted only if the two virtual machines belong to different COI classes.

1.2.6 Flexible Automatic enforcement of Security Policies

CWSAP is expressed so as to ensure that once a user accesses some resources, that user cannot access any resource that would otherwise create a conflict-of-interest situation. This works well when the policy dictates that, no matter what conditions prevail, access should not be granted to any resource that belongs to the same COI class. Many financial institutions, such as banks, enforce this type of policy so that an agent cannot access the financial data of conflicting clients. However, in many practical situations such static policy constraints have to be relaxed to conduct business. If one considers the generic case of an analyst working for a consulting firm that offers business advice, it is quite possible that the consulting firm may have two or more clients in the same COI class and that an analyst for the firm may be working on more than one account. Implementing CWSAP directly constrains such access, because the consultant's current access rights will not permit him to access any other data that belongs to the same COI class.

The framework modeled in this project automatically enforces information flow control between virtual machines holding time-sensitive information. This means that the framework enables issuers to access virtual machines that belong to a different COI class without any restriction. The framework should also enable users to access virtual machines that belong to the same COI class under emergency conditions. The practical implication is that, provided the owners of the virtual machines that belong to the same COI class agree to such access, cross communication between virtual machines belonging to the same COI class should be permitted.

1.2.7 Infrastructure-As-A-Service

Information leakage is most likely to happen in the layer where the actual information is stored. Infrastructure-As-A-Service offers the physical infrastructure where user information is stored; thus, practically, CWSAP should be enforced in this layer. In this project, CWSAP is enforced at the infrastructure layer. This project considers the users who use the cloud infrastructure as subjects. The virtual machines that hold sensitive information in the cloud environment are considered objects. Access to virtual machines holding information is considered a read or write operation. Information flow is typically controlled by assigning every object a security class and permitting information flow between different COI classes. However, in a collaborative environment there may be multiple scenarios where an access right policy decision based on COI classes alone is not sufficient. The framework that implements CWSAP in the cloud environment must permit, under extreme conditions, the right to access objects belonging to the same COI class. In this project, the framework supports such a request by first informing the owners of both objects that belong to the same COI class. Once the owners of the virtual machines agree to permit access, the class of the subject requesting access is changed so that accessing the object will no longer be a violation of CWSAP. Infrastructure is the layer that enforces CWSAP and offers the strongest constraint on information leakage in the cloud environment.

1.3 Related Work

There are several solutions for implementing CWSAP in a cloud environment. The solution offered has to be scalable and cost effective.

1.3.1 Read Write rules using Restrictive Partition

Any solution offered for the access control problem must be scalable in the cloud context. A solution that modifies CWSAP was proposed by Atluri, Chun, and Mazzoleni [1]. This solution offers a decentralized workflow environment. If sensitive information is contained within an object, a restrictive partition is generated by the algorithm, and read and write access rules are enforced by this restrictive partitioning. This solution cannot be scaled to support the cloud, as the approach is application dependent and cannot be applied as an infrastructure-level solution.

1.3.2 Decentralizing Workflow environment

Another solution implementing CWSAP in a distributed environment is due to Minsky [3]. The implementation resolves the limitations of centralized enforcement of access policies and offers a scalable solution using the inherently decentralized law-governed interaction (LGI) mechanism. The cost of running and managing the implementation in a cloud environment would limit the benefits of deploying this solution.

1.3.3 Least restrictive enforcement of Chinese Wall Security Policy

Another solution, presented by Alireza and Mahesh [6], is the least restrictive enforcement of the Chinese Wall Security Policy. This solution is based on the finding that if a subject is authorized to write to an object (or a virtual machine) that contains confidential information, then all objects that contain that confidential information must belong to the same COI class. The proposed solution investigates whether a least-restrictive enforcement mechanism solves the problems identified in the prior work of Tsai et al. It offers a policy enforcement mechanism that permits the least restrictive enforcement of the CWSP. The framework proposed mediates read attempts only to prevent subject violations of the Chinese Wall Security Policy, and mediates write attempts only to prevent object violations of the CWSP. The trade-off with this solution is that the actions of a subject may constrain the actions of prospective subjects.

1.4 Problem Statement

The focus of the work within this project is on developing a CWSAP-based access policy framework model for the cloud environment paradigm. An access policy model in a cloud environment puts in place policies for accessing a virtual machine that holds resources containing key sensitive information. This model will automatically manage access to the virtual machines holding resources and will permit or revoke access based on the class of the object or the class the accessor belongs to. Access to a virtual machine is granted only if there is no violation of CWSAP. These policies will be invoked automatically on the accessor's current context. Once access is granted, policy restrictions are invoked only when sharing of a resource is requested; thus there is no hindrance to performance.

For example, consider a consultant Milan who works for a client, Samsung. Milan will have access to the virtual machines holding all key resources of Samsung. Milan will not have access to virtual machines holding the resources of any rival company like Motorola. This is because Motorola and Samsung fall under the same COI class. Granting access to virtual machines under the same COI class would be a violation of CWSAP. However, what if, under extreme emergency conditions, Milan needs access to Motorola resources? Under such circumstances, both Samsung and Motorola are notified and the request is logged. Once both Motorola and Samsung agree, the security manager removes Milan from the class corresponding to Samsung and adds him to the class belonging to Motorola. Now Milan’s context class has changed. The security manager re-evaluates the permission for Milan with this new context. Since granting access to Milan no longer violates CWSAP, Milan is granted access. Evaluation of permissions also occurs for resource sharing between users and for resources that do not have owners (i.e. demon resources). Common resources are pooled under the sanitized group, which does not require any permission to access and is shared across all users.


1.5 Hypothesis

The hypothesis of this project is that applying CWSAP in a cloud paradigm at the Infrastructure-As-A-Service layer will minimize information leakage. The dynamic setting of the Security Manager evaluates which COI class the object belongs to before granting or denying access to the virtual machines holding key sensitive information of companies. Such a framework will also permit a user's class to be changed so that there will not be a violation of CWSAP. Such requests are logged, and access is granted only after obtaining permission from the owners of the virtual machines of both COI classes. The framework will also permit users to own the virtual machines that they have access to and to share them with other users. In case any person leaves the company, the framework will force the Security Manager to own the resources and only grant access to new users if they do not violate CWSAP.

1.5.1 Security

Existing frameworks that implement CWSAP permit access to objects from a different COI class; such access does not violate CWSAP. When a user requests access to a virtual machine, the Security Manager verifies whether the virtual machine belongs to a different COI class than the user requesting access. If it does, accessing the object does not violate CWSAP and permission to access the requested object is granted. In normal operation, a user who tries to access a virtual machine in the same COI class is denied by the Security Manager. The security concern arises precisely when the user requesting access and the virtual machine belong to the same COI class: accessing an object from the same COI class is not permitted, as it would violate CWSAP, yet in almost all practical settings there are situations in which a user urgently needs access to resources in the same COI class. To permit such requests under urgent conditions, the framework logs the request and automatically informs the owners of both virtual machines about it. If both owners agree to the request, the consent is also logged and permission is granted; if either owner disagrees, the dissent is logged and permission is denied. If permission is granted, the class of the user requesting access is changed to the class of the virtual machine for which the access request was raised. The user then has access to the virtual machine without violating CWSAP, and this offers protection against information leakage.

A second security concern arises when a virtual machine has no owner. There are many situations in which the owner of a virtual machine holding a company's resources leaves the company; for instance, an employee of an investment firm who offers investment advice to a bank may leave the investment firm for another job. In such cases, the virtual machines the former employee owned fall under the Security Manager, which now owns all of them. If a request is made to take ownership of such a virtual machine, the Security Manager verifies that the requesting user and the virtual machine it owns fall under different COI classes. If they do, there is no violation of CWSAP and the request is granted; if they fall under the same COI class, the request is denied. This ensures that CWSAP protects against and prevents information leakage at all levels of the cloud infrastructure.

1.6 Roadmap

The remainder of this report discusses the implementation, analysis and tests of CWSAP in the cloud paradigm. Section 2 and Section 3 describe the detailed design and implementation of the framework respectively. Section 4 analyzes the testing environment and the test results of the policy decisions in multiple scenarios; a comparison to other applications is also presented in that section. Section 5 provides conclusions and future work.

Chapter 2

Design

2.1 Cloud Computing platform

The approach implemented in this project is designed to prevent information leakage in any cloud-based application running on the open source cloud platform Eucalyptus. Eucalyptus is an open source software implementation of cloud computing with a modular design that allows a combination of cloud roles to be installed on separate physical machines. For the purpose of building a medium sized cloud for this project, the open source version of Eucalyptus is used; the enterprise version has extra features that make it appropriate for offering service to large public customers. There are several reasons why Eucalyptus was chosen as the cloud computing platform for this project. The major reasons are the following:

1. Eucalyptus is software available under the GPL that helps in creating and managing a private or even a publicly accessible cloud.

2. Eucalyptus offers developers an AWS compatible private cloud that can be set up easily while maintaining governance and control.

3. The open source framework of Eucalyptus consists of a few independent components, which reduces the overhead of system monitoring.

The disadvantage of this design is that the front end machine becomes overwhelmed as the cloud grows, since it requires more memory than a standard machine offers.

2.2 System architecture

The system architecture consists of 3 layers. The bottom-most layer is the infrastructure layer, which offers the virtual machines the system interacts with to store information; CWSAP is implemented to prevent information leakage from this layer. The middle layer is the Eucalyptus cloud fabric, which consists of five units that perform different tasks. The five units are:

1. The Cloud Level Controller (CLC) is the front end for the cloud.

2. The Walrus Controller (WC) is used to boot images to the cloud.

3. The Storage Controller (SC) provides virtual machine (VM) instances with mountable storage.

4. The Cluster Controllers (CCs) work with the Cloud Level Controller and the Storage Controller to deploy Virtual Machines (VMs) and provide isolated networking between the VMs.

5. The Node Controller (NC) controls the VMs directly on each machine.

The top-most layer is the system management layer, which consists of functional components: the Security Manager, Image Manager, Instance Manager, Authentication Manager, Registration Manager and Communication Manager. The function of each component is explained in the implementation (Chapter 3). The system architecture is represented in Figure 2.1.

2.3 Object property

Figure 2.1: System Architecture

1. Any two objects (or virtual machines) that belong to the same COI class belong to the same security group.

2. Any two objects (or virtual machines) that belong to different COI classes belong to different security groups.

2.4 Subject property

1. Any two objects (or virtual machines) that belong to the same COI class belong to the same security group.

2. Any two objects (or virtual machines) that belong to different COI classes belong to different security groups.

2.5 Policy enforcement

Granting access to an object without violating CWSAP is the most important function of the Security Manager. This is ensured in two situations:

1. Object creation

2. Object sharing

2.5.1 Object creation

Consider a scenario where Bob, a business consultant, is advising Samsung on an acquisition. Bob opens the cloud instance that belongs to Samsung. The Security Manager interface notices that Bob, as a consultant to Samsung, has access to Samsung's instance and grants access to the resources that belong to it. At the same time, the security group removes Bob's access to the Motorola instance, and Bob no longer has access to resources managed by the Motorola instance. Now Bob creates a new virtual machine to hold a resource in which he notes his advice for the new acquisition. This is a new object that Bob has created, and the system records Bob as its owner. As owner of the object, Bob has the ability to update and delete it. Bob also has the ability to share the object with other subjects that fall under a different COI class. Here, subjects who have access to resources managed by the Motorola instance fall under the same COI class as Bob; hence any subject who has access to Motorola resources, or has earlier opened resources managed by the Motorola instance, will not have access to this object.

2.5.2 Object sharing

Consider the same scenario, where Bob needs to review the business consulting advice he submitted to Samsung, but wants advice from Milan before taking his proposition to Samsung's management. Unfortunately, Milan manages resources belonging to Motorola and hence falls under the same COI class. This means that Milan cannot have access to any object that Bob has access to. As the owner of the object, Bob has the ability to share it with any subject, but as soon as Bob tries to share the object with Milan, the Security Manager notices that Milan and Bob belong to the same COI class and that sharing would violate CWSAP. The security group does not permit sharing this object and denies Bob permission to share the virtual machine.

2.6 Meet in the middle

In many real world scenarios there are situations that require permitting access to objects that belong to the same COI class. For instance, consider a consulting company where Bob and Milan work. Bob advises Samsung and Milan advises Motorola, and Samsung and Motorola fall under the same COI class. There may be situations when Bob requires Milan's expertise before making a decision. The current model does not permit any sharing of resources between Bob and Milan. But if an emergency requires Milan to access an object that Bob owns, the system can force an emergency exception. This exception is noted and logged every time a case is made to forcefully overrule the CWSAP model. In this scenario, the security administrator can modify Milan's permissions to include Milan in the same security group as Bob. At this point Milan loses all permissions on resources controlled by the Motorola instance. From then on Milan belongs to the group that has access to Samsung resources, and Bob is able to share the object with Milan. Milan can review the document, make suggestions and update it. Bob continues to have no access to the resources controlled by the Motorola instance. After completing the work, Milan may choose to terminate his access rights on the Samsung instance; again, this is an emergency request which is logged and noted for audit purposes. This model places no constraints on the objects created by the subject.

2.7 Child Owners

Consider a scenario where Bob offers consulting advice to Samsung. Xing is also a consultant working alongside Bob and offering consulting advice to Samsung. Both Bob and Xing have access to sensitive information belonging to Samsung, and both are owners of the object holding this sensitive information. Bob and Xing regularly update the object (a virtual machine holding a resource) with their expert advice. Alice is a new recruit who joins the firm and is assigned to work with Bob and Xing for Samsung. Xing, being one of the owners of the object, shares access to it with Alice as an owner. The Security Manager notices that Alice has not previously accessed any resource belonging to the same COI class and has the required permissions to become an owner, so it permits Alice full access to the object. Now there are three owners of the object: Bob, Xing and Alice. CWSAP rules are not violated, and Xing has used his discretionary powers to grant Alice the rights to become one of the owners. Now Xing leaves the firm. All the rights that Xing previously enjoyed are terminated, including the right to grant access to objects. In this scenario, Alice does not lose her rights and continues to enjoy her rights as owner of the object. A notification alert is sent to all owners of the object informing them of the termination of Xing's access permissions.

Figure 2.2: COI classes, Sanitized group and VM

2.8 Demon Owners

Consider the above scenario. If both Xing and Bob had quit the firm before Alice joined, all objects previously under the supervision of Bob and Xing would fall into the hands of the demon owner. When the demon owner owns an object, it inherits the COI classes that the object previously belonged to. Objects managed by the demon owner cannot be shared unless the Security Manager forces a new owner; at that point the demon owner transfers all rights and permissions to the new owner. For instance, if Alice joins the company and management requires her to work with Samsung, the Security Manager transfers all rights to Alice and Alice becomes the new owner of the object. The demon owner owns every object that has no legitimate system owner. Objects owned by the demon owner cannot be shared; if such an object needs to be shared, the demon owner has to transfer all rights to a new owner, who then decides whether or not to share it. The Security Manager has permission only to transfer ownership rights from the demon owner to a new owner; it has no permission on any object owned by the demon owner.

Now if, for instance, the consulting firm requires Alice to work with Motorola, the Security Manager cannot make Alice an owner of the objects previously managed by Bob and Xing, as they fall under the same COI class. If management wishes to permit Alice access, an emergency request must be raised. This request is logged and the reason for granting access is noted. Alice then loses her permissions on objects holding Motorola resources and becomes an owner of the object that holds Samsung resources.

Figure 2.3: Demon Owners. Bob owned objects 1 and 2 before leaving the company. Once Bob left the company, objects 1 and 2 are owned by the Demon Owner.

Chapter 3

Implementation

3.1 Eucalyptus Cloud Computing Platform

This project implements a prototype framework that applies CWSAP in the open source cloud computing platform Eucalyptus. Eucalyptus [5], [4] is an open source software implementation of cloud computing. Eucalyptus does not support a web interface to manage the cloud service model, so the system uses Java Server Pages (JSP) as its front end interface. For the database server, MySQL Community Server 5.1 is used as backend storage. The administrator can monitor security groups and cloud instances in the cloud system. This prototype implements CWSAP on the infrastructure layer of the open source cloud computing platform. The system architecture is made of three layers.

The bottom-most layer is the infrastructure layer, which offers infrastructure resources for interaction with the upper layers. The middle layer of the Eucalyptus cloud architecture is composed of 3 components: the Cloud Controller, the Cluster Controller and the Node Controller. Finally, the topmost layer of the Eucalyptus cloud architecture is the system management layer, which consists of functional components. A high level block diagram of this implementation in Eucalyptus is shown in Figure 3.

3.2 Functional Components

3.2.1 Registration Manager

The registration manager component registers new users to the system and ensures that any new user entering the system is registered with it. After the registration component registers a new user, the system administrator needs to activate the account so that the new user becomes active in the system.

3.2.2 Authentication Manager

The authentication manager component verifies the credentials of users entering the system and ensures that only authorized users are permitted to enter. Users must present valid credentials before they are authorized to enter the system; if no valid credentials are provided, the authentication component denies permission to access the system.

3.2.3 Euca2ools

A command line interface called Euca2ools is available for front end users and needs to be installed on clients. This tool can be used for both Eucalyptus and Amazon Web Services (AWS). This project provides a web interface that is both user friendly and enforces CWSAP to restrict access to cloud instances. This interface allows subjects (in this scenario, subjects are consultants) to be registered in the system. Once registered, the system administrator activates the newly registered users. The next time a subject tries to log in, the authentication module authenticates the user credentials and grants permission based on the combination of documents the subject has previously accessed and the existing security groups the consultant belongs to. Every user can create new objects and request access to existing objects based on

• security group they belong to and

• object they have previously accessed.

While creating new objects, every subject who owns an object has the ability to share it with other subjects. When the user tries to share an object, access permission is granted to the new subject only when the new subject

• is in the same security group as the owner of the object, and

• does not violate the Chinese Wall Security Access Policy (CWSAP).

3.2.4 Security Manager

The Security Manager manages COI class related operations. Administrators belonging to this group can display, add, delete and update COI classes. When an administrator updates a COI class, all the security groups belonging to the original COI class move to the other COI class. This component enforces CWSAP and permits users to grant discretionary rights to objects as long as they do not violate CWSAP. All objects in the sanitized security group are accessible to all subjects.

3.2.5 Instance Manager

The instance management interface allows administrators to see all available resource information, including small, medium, large or extra large instance information. The different scales of instances consume different amounts of RAM and disk for the resources they support. The interface allows users to access instance information such as public IP address, private IP address, image ID, instance type and the operating system that runs the instance. The administrator may also terminate an instance by choosing an instance ID. This interface also allows new instances to be spun up by specifying the image ID, the number of instances, the instance type and the security group to which the instance belongs.

3.2.6 COI management

The COI management component gives administrators the ability to change COI classes. Administrators can display, add and delete COI classes. In an emergency that requires a change of COI class, COI management can move a security group from its original COI class to another COI class. CWSAP is enforced in the cloud fabric by this layer to prevent information leakage.

3.2.7 Image Manager

The image manager component is for administrative use. It displays all existing VM images in the system and permits system administrators to delete existing VM images. The system manager can obtain the image ID information needed to launch new cloud instances. Some of the images supported are CentOS 5.3, Fedora 11 and Debian 5.

3.2.8 Communication protocol

The Secure Shell (SSH) network protocol is used by subjects to access instances. Whenever a new instance is launched, an SSH key is dynamically generated and the instance can only be accessed using this key. For a newly spun instance, any user can request access. The security group management checks whether the user can be granted permission to the instance by examining the security group the user belongs to, the objects available to this instance, and the objects to which the user has previously been granted access. If no conflict is found, access to the instance is granted. After the user is granted access, the system prevents access to other instances in a different security group within the same COI class. This interface applies access controls dynamically and prevents violations of CWSAP.

Chapter 4

Analysis

4.1 Testing environment

Eucalyptus [5], [4] is an open source software framework for cloud computing. The Eucalyptus cloud platform enables developers to run and control virtual machines deployed across multiple physical resources, and to offer Infrastructure-As-A-Service to users. The user interface of the application is modeled using JSP (Java Server Pages): the container interprets the JSP, executes the embedded code and sends the response to the browser, which then renders the response as a web page. To store and retrieve data, the open source community server edition of MySQL 5.1 was used. All tests were performed against the standard Chrome browser.

4.2 Hypothesis Analysis

The hypothesis underlying this project is that information leakage in the cloud paradigm will be reduced by applying CWSAP at the Infrastructure-As-A-Service (IaaS) layer of a cloud computing engine. Access to a virtual machine is granted only if it does not cause a violation of CWSAP. The Security Manager of the framework analyzes three variables before reaching a decision.

1. The relationship between the COI class of the user and that of the virtual machine

Access is granted only if the class the user belongs to and the class of the virtual machine for which the access request is raised do not fall under the same COI class. If the user has accessed this object before, this check was already done by the Security Manager. Access is granted only if granting it does not violate CWSAP.

2. The need to change the class of the user requesting access

There are several business reasons why the user requesting access and the virtual machine for which the request is raised may fall under the same COI class. In this project these constitute emergency conditions. All such requests are logged by the Security Manager, and the framework informs the owners of both virtual machines about the request. If both owners agree to the request, the class of the user raising the request is changed to the class of the virtual machine, after which granting access to the user does not violate CWSAP.

3. Accessing objects from the demon owner

This includes verifying that CWSAP will not be violated by granting access to a virtual machine owned by the Security Manager. If an employee leaves the company, all virtual machines owned by that user no longer have an owner; in such a situation the Security Manager steps up and owns all such virtual machines. When a new request is raised to access a virtual machine owned by the Security Manager, access is granted only if the user raising the request and the virtual machine owned by the Security Manager fall under different COI classes.

4.2.1 Policy Component

Based on the object type, the Security Management component of the framework may decide to grant or deny the access request raised for an object. There are also many situations when it is necessary to grant a subject access to an object from the same COI class; in those situations the Security Manager needs to move the access rights of the subject so that the subject can access objects from that COI class. There can be multiple scenarios where this may be necessary.

Consider, for instance, a request by the business for a consultant's expertise in the matter of product advertisement and content publishing by the corporate giant Samsung. The consultant needs access to data on a brand new flagship chip that Samsung has fabricated in its labs exclusively for its printing solutions. Previously, the consultant worked with Motorola, advertising video solutions and products designed to meet the demands of digital cable networks and home video infrastructure. This Motorola solution does not compete directly or indirectly with Samsung's printing solution. But because Samsung and Motorola fall under the same COI class, the Security Manager would outright deny the request to access Samsung records. Under such conditions, the framework must be able to offer access to the object

• after properly logging such requests, and

• after removing all access rights of the subject from objects or virtual machines that are in conflict of interest (here, Motorola) before granting access to the requested virtual machines.

4.3 Testing CWSAP by accessing COI classes

4.3.0.1 Testing CWSAP by accessing the same COI class

Consider the following case: Milan, a consultant, offers business and investment advice to Chase and BoA. Milan has accessed virtual machines that hold information associated with Chase and BoA, and now has access to virtual machines that hold Chase and BoA investment principles and processes. Milan's firm has onboarded new partners, Samsung and Motorola. Samsung needs investment for a new chip plant, and Milan quickly requests access to the virtual machine holding information about the new chip plant. The Security Manager notes that this request does not amount to a violation of CWSAP and grants Milan access to the virtual machine holding information regarding Samsung's new chip plant. Now Milan cannot advise both Chase and BoA at the same time on investment in Samsung; Milan is given the choice of one of the 2 banks to provide investment advice to. Suppose Milan chooses Chase: the Security Manager notes that accessing Chase after accessing the virtual machine associated with Samsung does not violate CWSAP and grants access. But now Milan loses all access to any virtual machine belonging to BoA that Milan had previously accessed for offering investment advice. Even if Milan requests permission to access any virtual machine associated with BoA holding investment details, the Security Manager will note that BoA falls under the same COI class and deny access.

Test: Tries to share a resource with another user who falls under the same COI class

Test Result:

Permission to share the resource with another user who falls under the same COI class is denied. Sharing the resource is not possible because this violates CWSAP.

4.3.0.2 Testing CWSAP by accessing a different COI class

Consider the following case: Milan, a consultant, offers business and investment advice to Chase. Milan's firm also onboarded 2 new partners, Samsung and Blackrock. Samsung needs investment for a new chip plant. Milan has access to the Chase virtual machine in the cloud, and can access Chase virtual machines and advise Chase to provide investment to Samsung. Blackrock deals with funds and sees an opportunity to invest money. Milan still has access to the Chase virtual machine and requests access to the same virtual machine that he accessed earlier. The security group notes the request and checks whether granting access to the previously accessed Chase virtual machine would amount to a violation of CWSAP. The security group notes that Blackrock and Samsung are from 2 different COI classes. Since Samsung and Blackrock are from 2 different COI classes, the security group grants Milan access to the virtual machine holding Chase information. Milan can now access the virtual machine holding Chase data and advise investment in Blackrock funds.

Test: Tries to access a resource with another user who falls under a different COI class

Test Result:

Permission to access a resource that falls under a different COI class is granted. Accessing the resource is possible because this does not violate CWSAP.

4.3.0.3 Testing CWSAP by sharing within the same COI class

Consider the following case: Milan is a consultant for Samsung. Milan foresees an investment opportunity in an emerging market, but wants to discuss it with his colleague Bob before taking it to the next level. However, Bob works for Motorola. If Milan tries to share a virtual machine holding information associated with Samsung with Bob, the Security Manager notes that Bob is requesting shared access to a virtual machine in violation of CWSAP, because Samsung and Motorola fall under the same COI class, and denies the request for shared access to a resource in the same COI class. However, if Milan tries to share the virtual machine holding information about Samsung with another colleague, Lewis, who works for a different company, Paypal, that does not fall under the same COI class, the Security Manager does not view this as a violation of CWSAP and grants permission to share the resource with Lewis.

Test: Tries to access a resource with another user who falls under a different COI class

Test Result:

Permission to access a resource that falls under a different COI class is granted. Accessing the resource is possible because this does not violate CWSAP.

4.3.0.4 Testing CWSAP by accessing demon owners

Consider the following case: Milan works for and offered business advice to Samsung. Milan has access to, and owns, virtual machines holding sensitive information regarding Samsung. Now Milan leaves the firm. The virtual machines that were previously under Milan's supervision no longer have any owner, so the Security Manager becomes their owner. Now suppose Alice, a former colleague of Milan who works for Motorola in the same firm that Milan used to work for, tries to access a Samsung resource. The Security Manager notices that Alice works for a company that falls under the same COI class, and that no emergency case has been raised for granting access to Alice. Granting access to Alice would be a violation of CWSAP, so the Security Manager denies access to Alice.

Test: Tries to access a resource that is owned by the Security Manager and falls under the same COI class

Test Result:

The resource is owned by the Security Manager. There is no emergency request raised by the user to grant access to the resource. As the user belongs to the same COI class, granting access to the user would be a violation of CWSAP. Access to the resource is denied.

4.3.0.5 Testing CWSAP by accessing the sanitized group

The sanitized group contains resources that are common for any user to access. Resources in the sanitized group are owned by the Security Manager, which shares them among all users. Resources in the sanitized group are usually common utility resources, such as the laws of the land where a transaction is performed, or treaty agreements and clauses between nations that are used for common referral by any and all parties of the organization. The Security Manager can add, update or move a resource from the sanitized group to any other class. Suppose Milan works for an investment firm and his client is Samsung. Samsung needs to confirm that its products have met the necessary legal obligations in Amsterdam before expanding its business. Milan needs access to European business laws, and those of Amsterdam in particular, before advising Samsung. These open legal records are available to Milan through the sanitized group. Milan requests access to the legal records, the Security Manager notices that the legal records belong to the sanitized group, and it grants access to the records.

Test: Tries to access a resource present in the sanitized group

Test Result:

The resource is present in the sanitized group. All users are granted access to any resource present in the sanitized group. Granting access is not a violation of CWSAP. Access to the resource is granted.

4.3.0.6 Testing CWSAP by changing COI class

This test checks the effectiveness of the system in permitting sharing of resources belonging to the same COI class in emergency situations. Consider the case where Bob and Milan both work for a corporation that provides business advice to Samsung and Motorola. Bob is assigned to work for the interests of Samsung while Milan represents Motorola. Due to competing business models, Samsung and Motorola fall under the same COI class. Consider the scenario where both Samsung and Motorola procure the chips used in their businesses from a leading American chip manufacturing company. Samsung uses the chips in its entertainment products, such as televisions and music players, while Motorola uses the chip in embedded computer products. Samsung sourced the chip a year earlier than Motorola, but soon Motorola engineers found a defect in the chip. Now it is in the interest of both Motorola and Samsung to file a breach of warranty claim against the manufacturer, and this needs coordination between Milan, who works for Motorola, and Bob, who works for Samsung.

To fully understand the damage, an attorney requests access to Samsung resources from Bob. Bob grants complete access, and the attorney is granted access to the resources that Samsung owns; the attorney is effectively made a child owner of the resources that Bob owns and now becomes part of the class that Samsung belongs to. After understanding and formulating the case, the attorney needs access to Motorola files, but since Motorola's files belong to a different class, the attorney's request to access Motorola resources is denied by the Security Manager. This is an emergency case, and a case is made by Milan to grant access to the attorney. This case is logged, and the Security Manager now changes the attorney from the class that Samsung belongs to to the class that Motorola belongs to. The attorney can no longer access any files related to Samsung; the attorney falls under the class that represents Motorola and is granted access to files owned by Motorola. This is a special transition of classes effected by the Security Manager under special conditions. Each request to change classes is logged, the owners of both Samsung and Motorola resources are informed about the change of class, and the transition is made after approval.

Test: Tries to access a resource present in the same COI class under emergency conditions

Test Result:

Under emergency conditions, the security manager permits access to resources in the same COI class. A logging mechanism records such emergency requests and alerts the owners of each resource about the access. After getting approval from both owners, the security manager swaps the user between COI classes. This does not violate CWSAP.

4.3.1 Summary


Table 4.1: Tests performed and results

| Serial No | Test | Reason for grant or deny of access | Test Result |
|---|---|---|---|
| 1 | Tries to access a resource that falls under the same COI class | Permission to share the resource with another user that falls under the same COI class is denied. Sharing the resource is not possible because this violates CWSAP. | Grant Access |
| 2 | Tries to access a resource with another user that falls under a different COI class | Permission to access a resource that falls under a different COI class is granted. Accessing the resource is possible because this does not violate CWSAP. | Deny Access |
| 3 | Tries to access a resource that is owned by the security manager and falls under the same COI class | The resource is owned by the security manager. No emergency request has been raised by the user to grant access to the resource. As the user belongs to the same COI class, granting access to the user would violate CWSAP. | Deny Access |
| 4 | Tries to access a resource that is present in the sanitized group | The resource is present in the sanitized group. All requests to a resource in the sanitized group, whether or not it was previously accessed, are always granted. CWSAP does not apply to resources in the sanitized group, as they are accessible to all users. | Grant Access |
| 5 | Tries to access a resource that is present in the same COI class under emergency conditions | Access to resources in the same COI class is permitted by the security manager only in emergency cases. All such requests are logged, and the owners of both resources are informed about the access. If both owners approve the access, the security manager swaps the class the user belongs to between the COI classes. This enables the user to access the resource without violating CWSAP. | |
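The five access decisions summarised in Table 4.1, including the sanitized-group and emergency tests described above, as an added Python example that is not part of the project's Eucalyptus prototype. It assumes that "same COI class" means a competing company in a COI class the user is already bound to; the resource names, owners, the security manager account name and the in-memory audit log are constructed for the example.

```python
from collections import namedtuple
from dataclasses import dataclass, field
# company=None marks the sanitized group (readable by every user); coi_class is the company's COI class
Resource = namedtuple("Resource", "name owner company coi_class")
SECURITY_MANAGER = "security-manager"   # assumed account name for the security manager
@dataclass
class ChineseWall:
    resources: dict                               # name -> Resource
    binding: dict = field(default_factory=dict)   # (user, COI class) -> company the user is bound to
    audit: list = field(default_factory=list)     # in-memory audit log of every decision
    def request(self, user, name, emergency=False, approvals=frozenset()):
        r = self.resources[name]
        if r.company is None:                        # test 4: sanitized group, always granted
            return self._log(user, name, "GRANT", "sanitized group")
        bound = self.binding.get((user, r.coi_class))
        if bound is None or bound == r.company:      # test 2 / first access: no conflict
            self.binding[(user, r.coi_class)] = r.company
            return self._log(user, name, "GRANT", f"no conflict in {r.coi_class}")
        if not emergency:                            # tests 1 and 3: competitor in the same COI class
            return self._log(user, name, "DENY", f"conflict with {bound} in {r.coi_class}")
        # test 5: emergency request is logged, owners notified, released only with both approvals
        old_owner = next(x.owner for x in self.resources.values() if x.company == bound)
        self.audit.append(f"EMERGENCY {user}->{name}: owners {old_owner},{r.owner} notified")
        if {old_owner, r.owner} <= set(approvals):
            self.binding[(user, r.coi_class)] = r.company   # class swap: old company now denied
            return self._log(user, name, "GRANT", f"class swapped {bound}->{r.company}")
        return self._log(user, name, "DENY", "emergency not approved by both owners")
    def _log(self, user, name, decision, why):
        self.audit.append(f"{decision} {user} {name}: {why}")
        return decision == "GRANT"

def demo():
    # Constructed sample data: Samsung and Motorola compete; the bank is in another COI class.
    wall = ChineseWall({r.name: r for r in [
        Resource("samsung-chips", "bob", "Samsung", "electronics"),
        Resource("motorola-chips", "milan", "Motorola", "electronics"),
        Resource("orphaned-moto", SECURITY_MANAGER, "Motorola", "electronics"),
        Resource("bank-ledger", "alice", "Bank", "banking"),
        Resource("eu-laws", SECURITY_MANAGER, None, None)]})
    a = "attorney"
    decisions = [
        wall.request(a, "eu-laws"),                                            # sanitized -> grant
        wall.request(a, "samsung-chips"),                                      # first company -> grant
        wall.request(a, "bank-ledger"),                                        # other COI class -> grant
        wall.request(a, "motorola-chips"),                                     # competitor -> deny
        wall.request(a, "orphaned-moto"),                                      # owned by manager -> deny
        wall.request(a, "motorola-chips", emergency=True, approvals={"bob"}),  # one approval -> deny
        wall.request(a, "motorola-chips", emergency=True, approvals={"bob", "milan"}),  # swap -> grant
        wall.request(a, "samsung-chips")]                                      # after swap -> deny
    return decisions, wall.audit
```

Every decision, including the two emergency notifications, lands in `wall.audit`, which is the record an auditing page such as the one proposed in Section 5.2.2 would read.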


Chapter 5 Conclusions

5.1 Current Status

In this project, I have explored various scenarios where information flow can cause severe security concerns, and I have explained the challenges of enforcing information control policies in a cloud computing environment. Institutions can enforce identity management and access control policies on resources to prevent information leakage, but as infrastructure is shifted to the cloud, an institution cannot rely on those solutions. To enforce complete control against information leakage, CWSAP is best applied at the infrastructure layer. The infrastructure layer holds the pool of computing resources that serves and interacts with all other layers of the cloud computing architecture. Thus, for handling classified data, CWSAP implemented in the infrastructure layer offers the highest degree of control in enforcing information flow policies.

I have prototyped an implementation of CWSAP on a model application in Eucalyptus, an open source software for building AWS-compatible private and hybrid clouds. Although Eucalyptus comes with a command line interface for users called Euca2ools, it needs to be installed on clients. This prototype instead provides a user-friendly web interface that users can interact with. The interface lets users manage and control the instances that hold resources easily. The implementation permits users to own instances that hold resources, and owners can share resources based on the class that the requesting user belongs to. Owners can only share resources with users who fall under different COI classes. All resources are managed by the security manager; if the owner of a resource quits, the security manager becomes the owner. All common resources fall under the sanitized group, to which all users have access.

The main principle behind this implementation is that the infrastructure that manages resources in the cloud paradigm must follow CWSAP. Competing business models are assigned to the same COI class. Any request to access a resource under the same COI class is denied. Under emergency conditions, after logging the request, the security manager swaps the class of the user requesting access so that the user can access the resource. This model is most useful in financial institutions where the Sarbanes-Oxley Act [7] must be enforced.

5.2 Future Work

There are several opportunities to improve the CWSAP implementation in the cloud paradigm developed in this project.

5.2.1 Delegation of Rights

One direction for future work is to evaluate the delegation of rights principle at an even more granular level. It should be possible for the owner of an object to grant the part of the object that is generic and does not hold any sensitive information as a sanitized object. Another direction is to evaluate the performance of calculating the correct permission rights before granting access.

5.2.2 Web page for easy auditing

Another area is to build an interface that lets a user view the history of access to a resource. This not only complies with the Sarbanes-Oxley Act but also makes audits easy. Every request to access a resource is logged, and every request to access a resource that falls under the same COI class is also logged. This user interface would read from the log files the timestamp information about when the resource was accessed and the user ID of the user who accessed it.

5.2.3 Flexibility in changing the class of business models

In this project, two business models are said to be competing if both offer the same value to customers at competing costs. Once two business models are identified as competing, they fall under the same COI class. If one of the business models now pivots to a different business model, it is not possible to alter its class; it remains in the same COI class even though it is no longer competing. This rule should be flexible enough to seamlessly permit altering the class a business model belongs to once the business pivots.

5.2.4 Management of Non-Public Information

References
