Publication: Secure Cloud Maintenance – Protecting workloads against insider attacks

2012/03/02 by Leave a Comment Print This Post Print This Post

Our research on reducing insider threats for clouds has been accepted at AsiaCCS 2012:

Secure Cloud Maintenance – Protecting workloads against insider attacks
Sören Bleikertz, Anil Kurmus, Zoltan A. Nagy, and Matthias Schunter
ASIACCS 2012: ACM Symposium on Information, Computer and Communications Security

The submission version can be found here.

Abstract

Malicious insiders are a substantial risk for today’s cloud computing infrastructures. A single malicious cloud administrator can eavesdrop or damage business-critical or personally identifiable information and computations of thousands of cloud customers. To protect cloud users against such insiders, we propose a novel approach that enables a security team to protect privacy and integrity of cloud users’ workloads against attacks by system administrators during operation and maintenance. We achieve this by managing the privileges of administrators during operation and maintenance while re-establishing the security of a compute node once administration is completed. By default, administrators’ access to cloud servers is disabled since cloud operation is automated. For manual maintenance operations, we propose five fine-grained privilege levels that balance the security objectives of cloud users with the operational requirements of cloud administrators. We demonstrate how existing cloud architectures need to be extended to incorporate our approach.We prototyped our management approach using the OpenStack cloud platform. Policy enforcement has been prototyped by leveraging SELinux type enforcement in the KVM compute nodes, in order to demonstrate the practical feasibility of our approach.

Filed under Publications Tagged with , ,

CfP: 1st European Workshop on Dependable Cloud Computing (EWDCC ’12)

2011/11/05 by Leave a Comment Print This Post Print This Post

I’ll participate in the program committee of the 1st European Workshop on Dependable Cloud Computing (EWDCC ’12). The call for papers can be found at the .

Important dates:

  • Submission deadline: January 27, 2012
  • Author notification: March 14, 2012
  • Final version: March 20, 2012

Read more of this post

Filed under Conferences Tagged with , ,

CCSW 2010: Paper on Auditing Cloud Infrastructures published at ACM CCSW

2010/07/11 by Leave a Comment Print This Post Print This Post

Sören Bleikertz, Matthias Schunter, Christian W. Probst, Dimitrios Pendarakis, Konrad Eriksson: Security Audits of Multi-tier Virtual Infrastructures in Public Infrastructure Clouds, The ACM Cloud Computing Security Workshop (CCSW 2010); in conjunction with the 17th ACM Conference on Computer and Communications Security (CCS), Hyatt Regency Chicago, Chicago, IL, October 2010.

Download (PDF)

Abstract
Cloud computing has gained remarkable popularity in the recent years by a wide spectrum of consumers, ranging from small start-ups to governments. However, its benefits in terms of flexibility, scalability, and low upfront investments, are shadowed by security challenges which inhibit its adoption. Managed through a web-services interface, users can configure highly flexible but complex cloud computing environments. Furthermore, users misconfiguring such cloud services poses a severe security risk that can lead to security incidents, \eg, erroneous exposure of services due to faulty network security configurations.

In this article we present a novel approach in the security assessment of the end-user configuration of multi-tier architectures deployed on infrastructure clouds such as Amazon EC2. In order to perform this assessment for the currently deployed configuration, we automated the process of extracting the configuration using the Amazon API. In the assessment we focused on the reachability and vulnerability of services in the virtual infrastructure, and presented a way for the visualization and automated analysis based on reachability and attack graphs. We proposed a query and policy language for the analysis which can be used to obtain insights into the configuration and to specify desired and undesired configurations. We have implemented the security assessment in a prototype and evaluated it for practical scenarios. Our approach effectively allows to remediate today’s security concerns through validation of configurations of complex cloud infrastructures.

Read more of this post

Filed under Publications Tagged with , ,