Towards a Security Stress-Test for Cloud Configurations

Q1 Computer Science

IEEE Cloud Computing Pub Date : 2022-05-28 DOI:10.1109/CLOUD55607.2022.00038

F. Minna, F. Massacci, Katja Tuma

引用次数: 3

Abstract

Securing cloud configurations is an elusive task, which is left up to system administrators who have to base their decisions on "trial and error" experimentations or by observing good practices (e.g., CIS Benchmarks). We propose a knowledge, AND/OR, graphs approach to model cloud deployment security objects and vulnerabilities. In this way, we can capture relationships between configurations, permissions (e.g., CAP_SYS_ADMIN), and security profiles (e.g., AppArmor and SecComp). Such an approach allows us to suggest alternative and safer configurations, support administrators in the study of what-if scenarios, and scale the analysis to large scale deployments. We present an initial validation and illustrate the approach with three real vulnerabilities from known sources.

查看原文本刊更多论文

面向云配置的安全压力测试

保护云配置是一项难以捉摸的任务，它留给系统管理员，他们必须根据“试错”实验或观察良好实践(例如，CIS基准测试)来做出决策。我们提出了一种知识、AND/OR图方法来建模云部署安全对象和漏洞。通过这种方式，我们可以捕获配置、权限(例如CAP_SYS_ADMIN)和安全配置文件(例如AppArmor和SecComp)之间的关系。这种方法允许我们建议可选的更安全的配置，支持管理员研究假设场景，并将分析扩展到大规模部署。我们提出了一个初步的验证，并用三个已知来源的真实漏洞说明了该方法。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

IEEE Cloud Computing Computer Science-Computer Networks and Communications

CiteScore

11.20

自引率

0.00%

发文量

期刊介绍： Cessation. IEEE Cloud Computing is committed to the timely publication of peer-reviewed articles that provide innovative research ideas, applications results, and case studies in all areas of cloud computing. Topics relating to novel theory, algorithms, performance analyses and applications of techniques are covered. More specifically: Cloud software, Cloud security, Trade-offs between privacy and utility of cloud, Cloud in the business environment, Cloud economics, Cloud governance, Migrating to the cloud, Cloud standards, Development tools, Backup and recovery, Interoperability, Applications management, Data analytics, Communications protocols, Mobile cloud, Private clouds, Liability issues for data loss on clouds, Data integration, Big data, Cloud education, Cloud skill sets, Cloud energy consumption, The architecture of cloud computing, Applications in commerce, education, and industry, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS), Business Process as a Service (BPaaS)