Off-line Risk Assessment of Cloud Service Provider
Amartya Sen & Sanjay Madria
Department of Computer Science
{asrp6, madrias}@mst.edu

Motivation
- Major concern while adopting cloud services – Security
- Availability of standard cloud security, but uncertainty about individual application security
- Cloud Security – A big black box to clients

Security is the Major Issue
Fig: A user survey of cloud services concerns, 2012-2013

Objective
- Find client’s security requirements
- Assess cloud vendor’s trustworthiness
- Cost benefit trade-off analysis
- Selection of best cloud adoption strategy

Related Work
- Project Risk Assessment
  - Microsoft SDL - STRIDE
  - EMC’s DDTM
- Cloud Vendor Risk Assessment
  - ENISA
  - PCI DSS
  - Security White Papers

Framework
- Mission Oriented Risk Assessment
  - Project assessment through system design
  - Analyze system design for security threats
- Cloud Vendor Security Assessment
  - Assess security measures of different cloud vendors
  - Compare security measures with mission oriented security requirements
- Cloud Adoption Strategies
  - Cost benefit trade-off analysis
  - Select optimal cloud adoption plan

Mission Oriented Risk Assessment
- Analyze system design: scan the system Data Flow Diagram (DFD)
- Identify vulnerabilities: STRIDE analysis
- Identify feasible attacks: CAPEC database
- Rank threats: DREAD
- Select security requirements

STRIDE Analysis
- Acronym for the common vulnerabilities that can exist in a system
  - Spoofing
  - Tampering
  - Repudiation
  - Information Disclosure
  - Denial of Service
  - Elevation of Privilege

STRIDE Analysis (Cont’d)
- Analyze system elements of a DFD based on STRIDE vulnerabilities
- Each system element is associated with a given set of vulnerabilities
  - Analysis is element dependent and not application dependent
  - Process elements – (S,T,R,I,D,E)
  - Data store elements – (T,I,R,D)
- Narrow down applicable vulnerabilities by analyzing system design and available security measures

Fig: DFD of an Online Movie Streaming and Renting Application

CAPEC Database
- Common Attack Pattern Enumeration and Classification database
- Exportable in XML file format
- Consists of detailed attack definitions and mitigations for known attacks
- Used to determine the attacks that can exploit the identified vulnerabilities

Derived Tree Structure from CAPEC
Considering the Spoofing attack category and an instantiation of an attack, Identity Spoofing, under it:
- Spoofing
  - Symlink Attack
  - Content Spoofing Attack
  - Identity Spoofing Attack
    - Pharming
    - Man in the Middle
    - Phishing
    - Create Malicious Client
  - Action Spoofing Attack

Mapping STRIDE Vulnerabilities to CAPEC Attack Patterns

| STRIDE Vulnerability | CAPEC Attack Pattern Category |
|---|---|
| Spoofing | |
| Tampering | Data Structure Attacks, Injection, Remote Code Inclusion |
| Repudiation | Attack categories of Spoofing and Tampering |
| Information Disclosure | Data Leakage Attacks, Path Traversal, Functionality Misuse |
| Denial of Service | Resource Depletion Attacks |
| Elevation of Privilege | Exploitation of Authentication, Exploitation of Privilege or Trust, Privilege Escalation |

DREAD Ranking
- Acronym representing the fields used to identify the impact of an attack
  - Damage
  - Reproducibility
  - Exploitability
  - Affected Users
  - Discoverability

DREAD Ranking (Cont’d)
- Subjective in nature
- Each DREAD category is mapped to a qualitative score of High, Medium, or Low
- Qualitative scores are then converted to quantitative scores based on the ranking scale selected by an organization (0-3, 0-10, or 0-100)

DREAD Ranking - Example
- For a quantitative scale of 0-10:
  - High: 7-10
  - Medium: 3-7
  - Low: 0-3
- For an attack X, let the DREAD scores be D: 10, R: 10, E: 5, A: 5, Di: 5
- Rank(X) = (D + R + E + A + Di)/5
- A net rank of 7 out of 10

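Added example (not part of the original slides): the mission oriented assessment steps above, run end to end in Python on a constructed two-element DFD. The per-type STRIDE sets, the CAPEC category mapping and the Rank formula come from the slides; the element names, the mitigation flag, the qualitative ratings and the representative points chosen for High/Medium/Low (10/5/1) are assumptions.

```python
# STRIDE letters per DFD element type, as listed on the STRIDE Analysis slide.
STRIDE_BY_TYPE = {"process": set("STRIDE"), "data_store": set("TIRD")}

# STRIDE letter -> CAPEC categories (mapping slide; "Spoofing" per the tree slide).
CAPEC = {
    "S": ["Spoofing"],
    "T": ["Data Structure Attacks", "Injection", "Remote Code Inclusion"],
    "I": ["Data Leakage Attacks", "Path Traversal", "Functionality Misuse"],
    "D": ["Resource Depletion Attacks"],
    "E": ["Exploitation of Authentication",
          "Exploitation of Privilege or Trust", "Privilege Escalation"],
}
CAPEC["R"] = CAPEC["S"] + CAPEC["T"]  # Repudiation reuses both categories

# Assumption: one point per band of the 0-10 scale (High 7-10, Medium 3-7, Low 0-3).
SCORE = {"High": 10, "Medium": 5, "Low": 1}

def applicable(element):
    """STRIDE letters for the element type, minus those already mitigated."""
    return STRIDE_BY_TYPE[element["type"]] - set(element.get("mitigated", ""))

def dread_rank(ratings):
    """Rank(X) = (D + R + E + A + Di) / 5 over qualitative ratings."""
    return sum(SCORE[ratings[k]] for k in ("D", "R", "E", "A", "Di")) / 5

def assess(elements, ratings):
    """Return (rank, element, letter, CAPEC categories), highest rank first."""
    threats = []
    for el in elements:
        for letter in sorted(applicable(el)):
            rated = ratings.get((el["name"], letter))
            if rated is not None:  # unrated pairs still await analyst review
                threats.append((dread_rank(rated), el["name"], letter, CAPEC[letter]))
    return sorted(threats, key=lambda t: t[0], reverse=True)

# Constructed sample input: element names and ratings are hypothetical.
H, M, L = "High", "Medium", "Low"
ELEMENTS = [{"name": "Streaming Server", "type": "process", "mitigated": "R"},
            {"name": "Movie Catalog", "type": "data_store"}]
RATINGS = {
    ("Streaming Server", "S"): dict(D=H, R=H, E=M, A=M, Di=M),
    ("Streaming Server", "D"): dict(D=M, R=M, E=M, A=H, Di=L),
    ("Movie Catalog", "T"): dict(D=H, R=M, E=L, A=H, Di=L),
    ("Movie Catalog", "S"): dict(D=H, R=H, E=H, A=H, Di=H),  # dropped: not in (T,I,R,D)
}

if __name__ == "__main__":
    for rank, name, letter, cats in assess(ELEMENTS, RATINGS):
        print(f"{rank:4.1f}  {name:17} {letter}  {', '.join(cats)}")
```

The Spoofing rating on the data store never reaches the ranking, because the analysis is element dependent: a data store only carries (T,I,R,D).
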
Cloud Vendor Security Assessment
- Compare and contrast different cloud vendors’ security solutions based on the client’s requirements
  - Security Coverage
  - Risk Reduction Factor
  - Trustworthiness

Security Coverage
- Assess available security measures employed by different cloud vendors
  - Security white papers
  - SLA
  - Tendor notes
  - Third party security assessments

Security Coverage (Cont’d)
- Compare and contrast available security measures with client’s security requirements
Fig: Security coverage of the user application’s vulnerabilities (V1, V2, Vi, Vn) by the cloud’s security measures (S1, S2, Si, Sn)

Risk Reduction Factor
- Given a threat and its Security Coverage, risk reduction factor is the amount by which the impact of the threat is reduced in the presence of the security measure
- 𝑅 𝑇 = 𝑀𝑖 ∈𝑀 𝛼𝑖𝑗 if security coverage is disjunctive, otherwise 𝑅 𝑇 = 𝑀𝑖 ∈𝑀 (1 −𝛼𝑖𝑗) if security coverage is conjunctive.
- Where, 𝛼𝑖𝑗 is the reduction factor for a threat 𝑇𝑖 in the presence of a security measure 𝑀𝑗

Trustworthiness
- The difference in the impact of the set of threats in the presence of security measures from that of their impact in the absence of security measures
- For a set of threats $T$, with impact scores $\partial(T)$ and reduction factor $R(T)$:
  $\mathit{Trust} = \partial(T) - \partial(T) \times R(T)$

Cloud Adoption Strategies
- Cloud Adoption Plans
- Selection of Optimal Cloud Migration Policy

Cloud Adoption Plans
- Each cloud adoption plan will consist of the system elements that are being considered for migration onto the cloud platform
- Each of the developed cloud adoption plans will be assessed on the following factors
  - Security Coverage dispersed by cloud
  - Security cost availed by clients (in absence of security for certain threats)

Optimal Cloud Migration Policy
- For each plan, the total cost incurred can then be summarized as:
  $\mathit{PlanAssessment}(i) = \mathit{VenCost}(i) + \mathit{ClientCost}(i)$
- Where,
  - $\mathit{VenCost}(i)$ is the cost incurred by cloud to implement its security measures
  - $\mathit{ClientCost}(i)$ is the cost incurred by client to implement preventive measures and avail cloud services
- A cost benefit trade-off analysis is performed to select the optimal plan.

Future Directions
- Working tool realizing our proposed Off-line Risk Assessment Framework
- Validate results using Attack Surface Measurement metric

References
- Microsoft, “The STRIDE threat model”, msdn.microsoft.com
- Microsoft, “Ranking threats with DREAD”, msdn.microsoft.com
- Microsoft SDL, “Threat modeling tool”, msdn.microsoft.com
- MITRE, “Common Attack Enumeration and Classification”, capec.mitre.org
- D. Dhillon, “Developer-driven threat modeling: Lessons learned in the trenches”, IEEE Security & Privacy, vol. 9, pp. 41-47, 2011.
- ENISA, “Cloud computing security risk assessment”, European Network and Information Security Agency, 2009.
- P. K. Manadhata and J. M. Wing, “An Attack Surface Metric”, IEEE Transactions on Software Engineering, vol. 37, no. 3, pp. 371-386, 2011.