massimiliano raks, naples university on specs: secure provisioning of cloud services based on sla...
Post on 15-Apr-2017
216 Views
Preview:
TRANSCRIPT
SPECS Project Secure Provisioning of Cloud Services based on SLA
Management
Berlin, Germany
16th September 2015
CeRICT, Italy (coordinator)
TUD, Germany
IeAT, Romania
CSA, United Kingdom
XLAB, Slovenia
EISI, Ireland
FP7-ICT-10-610795
Project Start: 1/11/2013
Project Type: STREP
Duration: 30M
Total Funding: 3.5 M
EU Contribution: 2.4 M
SPECS Project
SPECS: Addressed Objective
Problem Statement:
End-User Cloud Security: How to compare Cloud Service Providers (CSPs)?,
What they grant? How to improve their security features if they do not grant
enough? …
Challenges:
Security Service Level Agreement (SLA): Adoption of Security SLA to states the
security grants between CSPs and Cloud Service Customers (CSCs)
Security SLA Negotiation: Security SLA are evaluated to help CSC in selecting
the servicesand customized according to Customers requirements
Security SLA (Automatic) Enforcement: Services are customized and enriched
with ad-hoc security mechanisms to grant the requested security SLAs
Security SLA Continuous Monitoring: CSC conitnuously monitors the services to
be assured on the respect of agreed Secrutity SLAs
SPECS: A Platform for security SLAs
Negotiate Security SLAs,
Use cloud services,
Broker cloud services
Enforce additional security controls
Monitor security
SECURITY SERVICE LEVEL
AGREEMENT
Security Service Level Agreement in Practice:
How to represent security, How to measure it, How to grant the security level and a
concrete example of SPECS automatic enforcement of Security SLAs
Security Service Level Agreement
What (Security) SLAs should be
CSP delivers services with an
SLA that details each grant
offered
CSC compares offerings from
different CSPs
CSC are able to verify the
respect of SLA and request
penalties when unrespected
What (Security) SLAs are today
CSP offers a natural language
description of what it is able to
grant
Few services are able to compare
concretely security offered by CSPs
CSC have no concrete tools to
monitor an SLA
How to Obtain Concrete SLAs
Issue 1: SLA Life cycle to automate their management
Definition of the Process of SLA Management, taking into
account both CSP and CSC
Issue 2: Security SLA Model to represent the grants
What is the content of a SLAs? How to offer security grants?
Gap among Customers (focused on risks) and Providers
(focused on security mechanisms offered)
Issue 3: Automatic Enforcement/Monitoring of SLA
Is a Security SLA (automatically) implementable?
SLA Life Cycle
Negotiation Phase: Establishing the agreement
Implementation Phase: CSP takes all the
actions needed to grant SLA over target services
Monitoring Phase: Both CSP and CSC monitor
services, to verify that SLA are respected
Remediation Phase: CSP performs action
in order to remdiate to an SLA violation
Renegotiation Phase: one of the party aims
at changing the terms of the agreement
A Security SLA Model
Define Security terms according to standards and known best
practices, understandable by both CSC and CSP
Security terms must be measurable and verifiable for both
CSC and CSP
Implementable in cloud (self-service, on-demand cloud
characteristics)
Automate negotiation of the agreement terms
Automate implementation of SLA
Automate monitoring of SLA
Security Model: Core Idea
Best Practice:
Risk Assessment helps in
identification of threats and
security requirements
Selection of standard security
controls (a safeguard or
countermeasure prescribed to
protect confidentiality, integrity,
and availability)
Certification verifies the
respect of security controls
Security SLA made of
Declarative Part:
Declaration of Security
Controls applied to the service
delivered.
Measurable Part:
Declaration of the Security
Metrics that can be used by
CSC to verify the security Level
Mapping:
Relates Controls and Metrics
11/19/2015 WP or Event Reference
11
Security SLA: Standard Format
In order to enable the (automated) SLA processing Security SLA must be represented in a machine readable format
SPECS relies on WS-Agreement (OGF GFD-192) and offers a
set of extension to:
Represent security controls (NIST 800-53rev4, CCM v3.0)
Represent Standard Security Metrics (NIST RATAX)
SPECS Map Security Metrics against security controls
11/19/2015 WP or Event Reference
13
Security SLA
14
What SLA
declare
What SLA measure
What the SLA protect
How declaration and
measurement are
associated
Implementable Security SLAs
Are the Security SLA implementable? Is the Security SLA Model
Concrete?
Additional Concepts:
Security SLA Template: According to WS-Agreement approach
Security SLA are negotiated through templates that summarizes the
terms that can be negotiated
Security Mechanisms: To grant security controls we introduce the
concept of security mechanism: a software, offered –as-a-service
that enrich the provided services with the safeguards and
countermeasures requested
11/19/2015 WP or Event Reference
15
Implementable Security SLA
11/19/2015 WP or Event Reference
16
Templates
to negotiate
with
customers
Security Mechanisms
IMPLEMENT
& DECLARE
security controls
& security metrics
Security SLA Model: how to use
Cloud Service Provider
Security Controls enforced
through dedicated security
mechanisms
Security Metrics can be
monitored through dedicated
tools
SLA helps to verify correctness of
configuration and automates
service protection
Cloud Service Customer
Security Controls grants the respect
of security requirements
Customers are able to select and
compare providers
SLA can be verified using Security
Metrics, whose definition is
standard
11/19/2015 WP or Event Reference
17
SECURITY SLA IN PRACTICE
A Demonstration of an application able to automate SLA Management
11/19/2015 WP or Event Reference
18
Demonstration Video
SPECS: What Offers
11/19/2015 WP or Event Reference
20
SPECS Platform
A Platfrom that offers SPECS Core Services
(Negotiation, Monitoring, Enforcement)
A Platform able to execute and manage SPECS Applications
SPECS Applications
Application that offers cloud services protected by Security SLA
SPECS Open Source Framework
Core Components to automate the SLA Life Cycle
Security Mechanisms (and their metadata) to protect default services
Tools to setup a SPECS Platform
WHO Uses SPECS
11/19/2015 WP or Event Reference
21
Cloud Service
Providers
Use the SPECS PaaS
Offer SPECS Applications
Enrich their offerings with Security SLA
Can customize their offerings according to specific security requirements (PA
example)
They are the SPECS Owners
Developers
Use the SPECS Framework
Know the security requirements of their customers
Develop SPECS Applications
They are the SPECS Application Developers
Customers
Negotiate Security SLAs
Use the services offered by SPECS Applications
They are the End Users
SPECS Usage
SPECS as Third Party
SPECS runs independently of a
single CSP, brokering resources
SPECS in a CSP
SPECS runs INSIDE a CSP, using
the local resources and granting
SLAs
11/19/2015 Presentation template 22
Cloud Service Provider (CSP)
SPECS Framework
11/19/2015 Presentation template
23
SLA Platform
Negotiation Monitoring Enforcement
SPECS Application
Enabling Platform
Vertical
Layer
SPECS FRAMEWORK
SPECS Framework – The Open Source Solution
11/19/2015 WP or Event Reference
36
https://bitbucket.org/specs-team/
https://bamboo.services.ieat.ro/
http://mvn.services.ieat.ro/
Enabling Platform Demonstration Video
top related