Cloud and the Common Criteria Sunil J Trivedi

  • Slides: 20
Download presentation
Cloud and the Common Criteria Sunil J. Trivedi The MITRE Corporation September 2010 Approved

Cloud and the Common Criteria Sunil J. Trivedi The MITRE Corporation September 2010 Approved for Public Release: 10 -2968. Distribution Unlimited © 2010 The MITRE Corporation. All rights reserved.

Here is a Test… ■ Who has the biggest cloud on this planet? –

Here is a Test… ■ Who has the biggest cloud on this planet? – – Google? Microsoft? Amazon? Name a Government? ■ Reference: – http: //www. cloudtweaks. com/2010/03/the-biggest-cloud-on-theplanet-is-owned-by-the-crooks/ Page 2 © 2010 The MITRE Corporation. All rights reserved.

Why Cloud Computing? ■ Sacrifice some physical and administrative control to gain efficiency, agility,

Why Cloud Computing? ■ Sacrifice some physical and administrative control to gain efficiency, agility, and reduced infrastructure costs ■ Getting popular in commercial sectors; drawing attention from Government and Defense sectors ■ Cloud management tools and techniques are still under construction ■ Cloud security issues are not new, but mitigation could be a challenge Page 3 © 2010 The MITRE Corporation. All rights reserved.

NIST Definition (National Institute of Standards and Technology) ■Cloud computing is a model for

NIST Definition (National Institute of Standards and Technology) ■Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e. g. , networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction Page 4 © 2010 The MITRE Corporation. All rights reserved.

“Virtual Servers to Order” Platform Layer “Processing, Storage, and Bandwidth for hire” Infrastructure Layer

“Virtual Servers to Order” Platform Layer “Processing, Storage, and Bandwidth for hire” Infrastructure Layer Software as a Service (Saa. S) Platform as a Service (Paa. S) Infrastructure as a Service Cloud Consumer Control “Applications to Order” Software Layer Less More Cloud Provider Control Cloud Abstraction (Iaa. S) Less More Virtual Machine Virtual Layer Managed for the Consumer VLAN SAN Hypervisor and Physical Layer Hidden from the Consumer Provisioning Physical Equipment and Networks Page 5 © 2010 The MITRE Corporation. All rights reserved.

Security vs. Cost Security Test Server Code Storage and Development Server Private Cloud (a

Security vs. Cost Security Test Server Code Storage and Development Server Private Cloud (a single enterprise) Community Cloud (shared by several member companies or agencies) Public Cloud (for public use, open to all) Cost 6 © 2010 The MITRE Corporation. All rights reserved.

The New Challenge ■ The Cloud: A Dynamic Hosting Environment – Cloud as a

The New Challenge ■ The Cloud: A Dynamic Hosting Environment – Cloud as a Target of Evaluation (TOE) ■ Physical Layer may not be under customer control – Lack of control over vendor software changes ■ Does not align well with Common Criteria (CC) evaluation model ■ As services are delivered globally, complex compliance requirements may need to be considered Page 7 © 2010 The MITRE Corporation. All rights reserved.

Cloud Security Issues ■ Consider “Cloud as a Product” ■ Issues are: Confidentiality Integrity

Cloud Security Issues ■ Consider “Cloud as a Product” ■ Issues are: Confidentiality Integrity Availability Privacy Trust & Assurance Security Audit Legal Concerns Cloud Abuse Page 8 © 2010 The MITRE Corporation. All rights reserved.

Confidentiality and Common Criteria - 1 ■ Addressed by Class FDP, User Data Protection

Confidentiality and Common Criteria - 1 ■ Addressed by Class FDP, User Data Protection – Inter-TSF user data confidentiality transfer protection, FDP_UCT ■ Addressed by Class FPT, Protection of TSF Data – Confidentiality of exposed TSF Data ■ Cryptographic functionality may be used to meet objectives specified in these classes Page 9 © 2010 The MITRE Corporation. All rights reserved.

Confidentiality and Common Criteria – 2 ■ Observations: – Traditionally, CC SFRs have addressed

Confidentiality and Common Criteria – 2 ■ Observations: – Traditionally, CC SFRs have addressed data-in-transit – Currently, no reference to encrypting data-at-rest ■ In the cloud, stored data must be encrypted with a readily available local backup copy – BP oil spill example ■ Operations become expensive on encrypted data, especially on a remote store Challenge: Adapting CC SFRs for protecting data-at-rest Page 10 © 2010 The MITRE Corporation. All rights reserved.

Integrity and Common Criteria - 1 ■ Addressed by Class FDP, User Data Protection

Integrity and Common Criteria - 1 ■ Addressed by Class FDP, User Data Protection – Stored data integrity (FDP_SDI) – Inter-TSF user data integrity transfer protection (FDP_UIT) – Internal TOE transfer (FDP_ITT) ■ Integrity Protection, Error, and Monitoring – Rollback (FDP_ROL) ■ Rollback to preserve the integrity of the user data ■ Addressed by Class FPT, Protection of TSF – Integrity of exported TSF data (FPT_ITI) – Internal TOE TSF data Transfer (FPT_ITT) ■ monitor and identify integrity errors – TSF Self Test (FPT_TST) ■ verify the integrity of TSF data and TSF itself Page 11 © 2010 The MITRE Corporation. All rights reserved.

Integrity and Common Criteria - 2 ■ Observations – FDP: Focuses on user data

Integrity and Common Criteria - 2 ■ Observations – FDP: Focuses on user data protection – FPT: Focuses on protection of the TSF data – FIA specifies components to protect attributes associated with the user – Data exchange integrity implying data-in-transit – Encryption is not required/expected on the stored data Challenge: Adapting CC SFRs for protecting data-at-rest Page 12 © 2010 The MITRE Corporation. All rights reserved.

Privacy and Common Criteria ■ Addressed by Class FPR, Privacy requirements – Provide a

Privacy and Common Criteria ■ Addressed by Class FPR, Privacy requirements – Provide a user protection against discovery and misuse of identity by other users – A PP/ST author might consider it appropriate not to require protection of the privacy of users against a suitably authorized user ■ The current CC is not very clear here – According to FAU_GEN. 2 User identity association, there is a potential conflict between the audit and privacy requirements ■ Observations: – What if the authorized user or the auditor is a third party cloud admin/auditor? – Audit by an admin on a local physical drive may not be available at a virtual level Challenge: Clarify current CC to address ambiguity regarding Privacy Page 13 © 2010 The MITRE Corporation. All rights reserved.

Availability and Common Criteria ■ Addressed by Class FPT, Protection of TSF – Availability

Availability and Common Criteria ■ Addressed by Class FPT, Protection of TSF – Availability of exported TSF data (FPT_ITA) ■ Addressed by Security audit event storage, FAU_STG – Guarantees of audit data availability, FAU_STG. 2 ■ Addressed by Class FRU, Resource utilization – Supports the availability of required resources such as processing capability and/or storage capacity ■ Observations: – Typically, in a cloud, clients have no control over ■ Data (may get accidently lost or written over) ■ Data Corruption ■ Resources (important customer may get priority) Challenge: Introduce SFRs mandating an up-to-date backup copy, in case cloud fails to provide one Page 14 © 2010 The MITRE Corporation. All rights reserved.

Developing Cloud Security Requirements for CC Common Criteria SFRs Cloud Public Specifications* Analyze Security

Developing Cloud Security Requirements for CC Common Criteria SFRs Cloud Public Specifications* Analyze Security Gaps *References: Cloud Security Alliance www. cloudsecurityalliance. org Extended Requirements in PP/ST or Augment CC SFRs 15 © 2010 The MITRE Corporation. All rights reserved.

Cloud - CC Security Functions ■ A TOE is essentially a set of software,

Cloud - CC Security Functions ■ A TOE is essentially a set of software, firmware, and/or hardware accompained by a set of guidelines – Useful set of testable assertions ■ Virtual ■ Web Server Technology Applications Technology ■ Software Applications – Physical layer not under customer control ■ But is any software really under customer control? ■ Cloud can also be an environment supporting layered applications Page 16 © 2010 The MITRE Corporation. All rights reserved.

US Government Cloud Projects ■ DISA RACE – http: //www. disa. mil/race/ ■ GSA

US Government Cloud Projects ■ DISA RACE – http: //www. disa. mil/race/ ■ GSA Apps. Gov – https: //www. apps. gov/cloud/advantage/main/start_page. do/ ■ Do. I National Business Center (NBC) – http: //cloud. nbc. gov/ ■ And more…. Page 17 © 2010 The MITRE Corporation. All rights reserved.

Cloud Vendor Listing (not exhaustive) Software as a Service Platform as a Service •

Cloud Vendor Listing (not exhaustive) Software as a Service Platform as a Service • Google Apps • Amazon Web Services • Microsoft Azure • Go. Grid Platform • Net. Suite • Google App. Engine • Salesforce • Rackspace • Salesforce Infrastructure as a Service • Amazon • Rackspace Other Players • AT&T – application hosting • Enomaly – integration software • Rightscale – support sw Page 18 © 2010 The MITRE Corporation. All rights reserved.

Conclusions ■ To consider the “cloud as TOE, ” some CC changes will be

Conclusions ■ To consider the “cloud as TOE, ” some CC changes will be required as explored in this presentation – For CC, Evaluating a Private Cloud, might be a manageable task ■ Lack of control over physical layer in a Public Cloud will require considerably more changes for the CC and evaluation practice in general – This is a discussion for another time Page 19 © 2010 The MITRE Corporation. All rights reserved.

Questions Page 20 © 2010 The MITRE Corporation. All rights reserved.

Questions Page 20 © 2010 The MITRE Corporation. All rights reserved.

Sunil Mittal A Case Study Introduction Sunil BhartiSunil Mittal A Case Study Introduction Sunil Bharti
Common Criteria Om Common Criteria CC CC ochCommon Criteria Om Common Criteria CC CC och
CRITERIA OF CREDIBILITY CRITERIA CREDIBILITY Criteria of CredibilityCRITERIA OF CREDIBILITY CRITERIA CREDIBILITY Criteria of Credibility
CLOUD TO CLOUD BACKUP CLOUD TO CLOUD BACKUPCLOUD TO CLOUD BACKUP CLOUD TO CLOUD BACKUP
300 cloud 300 cloud 300 cloud 300 cloud300 cloud 300 cloud 300 cloud 300 cloud
Common Practical Assessment Criteria Presentation 2 The criteriaCommon Practical Assessment Criteria Presentation 2 The criteria
Common Practical Assessment Criteria Presentation 2 The criteriaCommon Practical Assessment Criteria Presentation 2 The criteria
Common Practical Assessment Criteria Presentation 2 The criteriaCommon Practical Assessment Criteria Presentation 2 The criteria
Common Practical Assessment Criteria Presentation 2 The criteriaCommon Practical Assessment Criteria Presentation 2 The criteria
CLOUD COMPUTING AND DATABASES CLOUD DATABASE A cloudCLOUD COMPUTING AND DATABASES CLOUD DATABASE A cloud
Common Object Request Broker Architecture CORBA By SunilCommon Object Request Broker Architecture CORBA By Sunil
Common Object Request Broker Architecture CORBA By SunilCommon Object Request Broker Architecture CORBA By Sunil
Common Criteria Richard Newman What is the CommonCommon Criteria Richard Newman What is the Common
Taxonomy for Cloud Computing and Common Cloud UsageTaxonomy for Cloud Computing and Common Cloud Usage
MCH Introduction A A TRIVEDI MCH Maternal andMCH Introduction A A TRIVEDI MCH Maternal and
University of Dundee Ajit Trivedi Equality and DiversityUniversity of Dundee Ajit Trivedi Equality and Diversity
Cloud Drivers Cloud Obstacles Deliver BestinClass Hybrid CloudCloud Drivers Cloud Obstacles Deliver BestinClass Hybrid Cloud
Cloud Formation I Cloud Formation A Cloud ACloud Formation I Cloud Formation A Cloud A
CLOUD COMPUTING Apa Itu Cloud Computing Cloud computingCLOUD COMPUTING Apa Itu Cloud Computing Cloud computing