Cloud computing is a computing paradigm that is becoming increasingly popular in the last years. This paradigm is based on the provisioning of computing resources (applications, middleware, storage) that can be consumed as-a-service invoked over the internet. The reasons behind this success lie in the possibility given to customers to reduce part of the IT management costs by outsourcing part of their services/resources to the cloud. Despite these advantages, many companies are still reluctant to move to the cloud. In particular, cloud customer receive limited guarantees on how the computational resources used are protected. More than that, they are concerned in ceding control of their data to external entities, like the cloud providers. Traditionally, cloud’s security issues have been mitigated by statically applying security controls like encryption of the communication channel or two-factors authen- tication. However, this approach does not take into account the variability that lies behind cloud computing. Its services can be used from a variety of devices like mobile phones or PCs, and from different locations like the office or an airport. Furthermore, information stored in the cloud can have different degrees of importance for the stakeholders, thus needing a different degree of protection. A system that supports use of cloud computing services should be able to apply proper security controls based on the context and the value of data that is currently treated. This thesis investigates the security issues of cloud computing and discusses proposed solutions. Security issues are classified and described by exemplifying possible vulnerabilities, threats and attacks. A couple of relevant approaches to cloud computing security have been studied and presented. The central part of this thesis presents how the approach to adaptive security proposed by Salehie et al. [SPO+ 12] has been adapted to cloud computing. The approach promotes assets as first class entities in the requirements engineering process and suggests to build three models. An asset model is used to describe assets and relationships among them. A goal model is used to capture system’s functional and non-functional requirements by means of a goal-oriented methodology. This model is also used to relate operations to the vulnerabilities they introduce, security goals to the assets that need to be protected and security controls to the vulnerabilities they mitigate. A threat model is then used to represent motivations of threat agents and attacks that, by exploiting system’s vulnerabilities, can ultimately harm relevant assets. The approach has been modified staring from the consideration that, moving to the cloud, stakeholders’ attention moves entirely to the information that is treated, while physical infrastructures loose their importance. This is why in our work, the asset model has been modified introducing the notion of information asset as the main resource that needs to be protected and assets’ container, representing the physical assets where the information assets are managed and/or stored. A container can introduce vulnerabilities. The second step in the approach involves building a fuzzy causal network (FCN) from the three models previously described. This network is the part of the systemin charge of analysing the impact that assets and contextual changes have on the security risk and drives the runtime adaptation of the system by identifying the configuration of security controls having the best utility. This thesis enriches the assets, threat and goal models by adding a notion of context and identifies how the context can influence the reasoning supported by the causal network. This work focuses on security controls applied on the customer side, in a public cloud delivering Software-as-a-Service (SaaS). To perform runtime adaptation, this thesis presents an adaptive security architecture for the cloud able to dynamically apply security controls when context and/or assets change. This thesis explains how the adaptive security architecture has been implemented, presents a relevant case study (GMail case study) and describes obtained results.
Cloud computing è un paradigma informatico che sta diventando sempre più popolare negli ultimi anni [BYV+ 09]. Questo paradigma è basato sul fornire risorse informatiche (applicazioni, infrastrutture, memoria) sotto forma di servizi, distribuiti attraverso la rete internet. Le ragioni di questo successo sono da ricercarsi nella possibilità, data ai consumatori, di ridurre parte dei costi per la gestione dell’infrastruttura IT, esternalizzando parte dei loro servizi/risorse ai cloud provider. Nonostante gli evidenti vantaggi, molte compagnie sono ancora restie nel passare al cloud. In particolare, esse ricevono limitate garanzie su come le risorse computazionali utilizzate vengono protette. Oltre a questo, sono preoccupate di cedere i loro dati ad entità esterne, come i cloud provider. Tradizionalmente, le minacce alla sicurezza del cloud sono state mitigate applicando staticamente misure di sicurezza come la cifratura del canale di comunicazione o l’autenticazione a due fattori. Tuttavia, questo approccio non considera la variabilità intrinseca del cloud computing. I suoi servizi possono essere usati da svariati dispositivi come telefoni cellulari o PC, e da diversi luoghi come l’ufficio o un aeroporto. Inoltre, le informazioni salvate sul cloud possono avere diversi livelli di importanza per l’interessato, richiedendo quindi differenti livelli di protezione. Un sistema che supporta l’uso di servizi di cloud computing dovrebbe essere capace di applicare misure di sicurezza adeguate in base al contesto ed al valore dei dati che vengono trattati. In questa tesi verranno esaminati i problemi di sicurezza del cloud computing e discusse le possibili soluzioni. I problemi di sicurezza sono classificati e descritti esemplificando le possibili vulnerabilità, minacce ed attacchi. Sono inoltre stati studiati e presentati due approcci per la sicurezza nel cloud computing. La parte centrale di questa tesi spiega come l’approccio per la sicurezza adattativa, introdotto da Salehie ed altri [SPO+ 12], sia stato adattato al cloud computing. L’approccio promuove gli asset ad entità di primaria importanza nel processo di ingegnerizzazione dei requisiti e suggerisce di costruire tre modelli. Un asset model è usato per descrivere gli asset e le loro relazioni. Un goal model è utilizzato per catturare i requisiti funzionali e non funzionali del sistema attraverso l’utilizzo di una metodologia orientata agli obiettivi. Oltre a questo, è utilizzato anche per collegare le vulnerabilità alle operazioni che le introducono, gli obiettivi di sicurezza agli asset che devono essere protetti e le misure di sicurezza alle vulnerabilità che attenuano. Un threat model è poi usato per rappresentare le motivazioni degli attaccanti e gli attacchi che, sfruttando una o più vulnerabilità del sistema, possono danneggiare importanti asset. L’approccio è stato modificato partendo dalla considerazione che, passando al cloud, l’attenzione degli utenti si sposta interamente sulle informazioni che vengono trattate, mentre le infrastrutture fisiche perdono importanza. Ecco perché, nel nostro lavoro, l’asset model è stato modificato introducendo la nozione di information asset, ad indicare la principale risorsa che deve essere protetta, e quella di assets’ container, a rappresentare l’asset fisico in cui gli information asset sono gestiti o salvati. Un container può introdurre vulnerabilità. Il secondo passo nell’approccio porta a costruire una Fuzzy Causal Network (FCN) a partire dai tre modelli sopra descritti. Questa rete causale è la parte del sistema che ha il compito di analizzarel’impatto che gli asset e i cambiamenti nel contesto hanno sulla sicurezza e guidare l’adattamento del sistema, individuando la configurazione di misure di sicurezza che massimizza l’utilità. Questa tesi arrichisce gli asset, threat e goal model aggiungendo la nozione di contesto ed identificando come il contesto può influenzare il ragionamento supportato dalla causal network. Questo lavoro si concentra su misure di sicurezza applicate dal lato utente, in un cloud pubblico che fornisce Software-as-a-Service (SaaS). Per applicare l’adattamento mentre il sistema è in funzione, questa tesi presenta un’architettura per la sicurezza adattativa nel cloud, capace di applicare dinamicamente le misure di sicurezza quando il contesto o gli asset cambiano. Questa tesi spiega come l’architettura proposta è stata implementata, presenta un caso di studio rilevante (il caso d’uso di GMail) e descrive i risultati ottenuti.
Engineering adaptive security for the Cloud. An experience with Google Apps
ZANINI, MARCO
2011/2012
Abstract
Cloud computing is a computing paradigm that is becoming increasingly popular in the last years. This paradigm is based on the provisioning of computing resources (applications, middleware, storage) that can be consumed as-a-service invoked over the internet. The reasons behind this success lie in the possibility given to customers to reduce part of the IT management costs by outsourcing part of their services/resources to the cloud. Despite these advantages, many companies are still reluctant to move to the cloud. In particular, cloud customer receive limited guarantees on how the computational resources used are protected. More than that, they are concerned in ceding control of their data to external entities, like the cloud providers. Traditionally, cloud’s security issues have been mitigated by statically applying security controls like encryption of the communication channel or two-factors authen- tication. However, this approach does not take into account the variability that lies behind cloud computing. Its services can be used from a variety of devices like mobile phones or PCs, and from different locations like the office or an airport. Furthermore, information stored in the cloud can have different degrees of importance for the stakeholders, thus needing a different degree of protection. A system that supports use of cloud computing services should be able to apply proper security controls based on the context and the value of data that is currently treated. This thesis investigates the security issues of cloud computing and discusses proposed solutions. Security issues are classified and described by exemplifying possible vulnerabilities, threats and attacks. A couple of relevant approaches to cloud computing security have been studied and presented. The central part of this thesis presents how the approach to adaptive security proposed by Salehie et al. [SPO+ 12] has been adapted to cloud computing. The approach promotes assets as first class entities in the requirements engineering process and suggests to build three models. An asset model is used to describe assets and relationships among them. A goal model is used to capture system’s functional and non-functional requirements by means of a goal-oriented methodology. This model is also used to relate operations to the vulnerabilities they introduce, security goals to the assets that need to be protected and security controls to the vulnerabilities they mitigate. A threat model is then used to represent motivations of threat agents and attacks that, by exploiting system’s vulnerabilities, can ultimately harm relevant assets. The approach has been modified staring from the consideration that, moving to the cloud, stakeholders’ attention moves entirely to the information that is treated, while physical infrastructures loose their importance. This is why in our work, the asset model has been modified introducing the notion of information asset as the main resource that needs to be protected and assets’ container, representing the physical assets where the information assets are managed and/or stored. A container can introduce vulnerabilities. The second step in the approach involves building a fuzzy causal network (FCN) from the three models previously described. This network is the part of the systemin charge of analysing the impact that assets and contextual changes have on the security risk and drives the runtime adaptation of the system by identifying the configuration of security controls having the best utility. This thesis enriches the assets, threat and goal models by adding a notion of context and identifies how the context can influence the reasoning supported by the causal network. This work focuses on security controls applied on the customer side, in a public cloud delivering Software-as-a-Service (SaaS). To perform runtime adaptation, this thesis presents an adaptive security architecture for the cloud able to dynamically apply security controls when context and/or assets change. This thesis explains how the adaptive security architecture has been implemented, presents a relevant case study (GMail case study) and describes obtained results.| File | Dimensione | Formato | |
|---|---|---|---|
|
2012_12_Zanini.pdf
non accessibile
Descrizione: Thesis text
Dimensione
4.26 MB
Formato
Adobe PDF
|
4.26 MB | Adobe PDF | Visualizza/Apri |
I documenti in POLITesi sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
https://hdl.handle.net/10589/72436