Skip to main content
SpringerLink
Log in

A Model-Based Systems Engineering Plugin for Cloud Security Architecture Design

  • Original Research
  • Published:
SN Computer Science Aims and scope Submit manuscript

Abstract

Security is one of the biggest concerns for cloud infrastructures. Cloud infrastructures are susceptible to a wide range of threats, including external and internal threats. Without proper security mechanisms, these threats may compromise the security properties of services hosted in the cloud. To secure cloud infrastructures against threats, it is crucial to perform a threat analysis in the early stages of the system development (i.e., during the design of the system architecture). Threat Analysis and Risk Assessment (TARA) is a well-known approach used by researchers and practitioners. TARA consists of several activities, including asset identification, threat scenarios, attack paths, and risk treatment decision. The risk treatment decision activity involves selecting appropriate security measures to mitigate the identified threat scenarios. In the current state of practice, TARA activities are performed manually by engineers, leading to time-consuming processes and potential errors. In our previous article, we proposed a logic programming tool to enable the automation of TARA activities, including the recommendation of cloud-based security measures. This article proposes Security Pattern Synthesis, a Model-Based Systems Engineering (MBSE) plugin for securing cloud architectures. Security Pattern Synthesis is implemented in Java while using the previously proposed logic-programming tool as a backend to reason about the security of the cloud architecture.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12
Fig. 13
Fig. 14

Similar content being viewed by others

Notes

  1. https://landscape.cncf.io/.

  2. https://www.cncf.io/blog/2020/09/15/top-7-challenges-to-becoming-cloud-native.

  3. https://kafka.apache.org/.

  4. https://openid.net/connect

  5. https://github.com/aquasecurity/kube-bench

  6. https://www.itemis.com/en/products/itemis-secure/.

  7. https://www.threatget.com.

  8. https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling.

References

  1. Rose S, Borchert O, Mitchell S, Connelly S. Zero Trust Architecture. Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD 2020. https://doi.org/10.6028/NIST.SP.800-207

  2. Carroll M, Kotzé P, Merwe A. Secure cloud computing: Benefits, risks and controls. In: Venter, H.S., Coetzee, M., Loock, M. (eds.) Information Security South Africa Conference 2011, ISSA 2011. ISSA, Pretoria, South Africa 2011. https://doi.org/10.1109/ISSA.2011.6027519

  3. Eliseev V, Miliukova E, Kolpinskiy S. Neural network cryptographic obfuscation for trusted cloud computing. In: Integrated Models and Soft Computing in Artificial Intelligence, 2021;pp. 201–207

  4. Oleshchuk VA, Køien GM. Security and privacy in the cloud a long-term view. In: 2011 2nd International Conference on Wireless Communication, Vehicular Technology, Information Theory and Aerospace & Electronic Systems Technology (Wireless VITAE), 2011;pp. 1–5 . https://doi.org/10.1109/WIRELESSVITAE.2011.5940876

  5. ISO/SAE AWI 21434: Road vehicles - cybersecurity engineering. 2021

  6. Dantas YG, Schöpp U. SeCloud: Computer-aided support for selecting security measures for cloud architectures. In: Proceedings of the 9th International Conference on Information Systems Security and Privacy, Lisbon, Portugal, February 22-24, 2023; pp. 264–275. SciTePress, Setúbal, Portugal (2023). https://doi.org/10.5220/0011901900003405 .

  7. Egele M, Brumley D, Fratantonio Y, Kruegel C. An empirical study of cryptographic misuse in android applications. CCS ’13, 2013;pp. 73–84. Association for Computing Machinery, New York, NY, USA . https://doi.org/10.1145/2508859.2516693

  8. Mainka C, Mladenov V, Schwenk J, Wich T. Sok: Single sign-on security - an evaluation of openid connect. In: 2017 IEEE European Symposium on Security and Privacy (EuroS &P), 2017;pp. 251–266 . https://doi.org/10.1109/EuroSP.2017.32

  9. Aravantinos V, Voss S, Teufl S, Hölzl F, Schätz B. AutoFOCUS 3: Tooling concepts for seamless, model-based development of embedded systems. In: Proc. 8th Int. Workshop Model-based Architecting of Cyber-Physical and Embedded Systems (ACES-MB), 2015;pp. 19–26

  10. Potassco project: Clingo: A grounder and solver for logic programs. https://github.com/potassco/clingo

  11. SeCloud: https://drive.google.com/file/d/1a5UqihDLy9lyL3MRjgzcy9jx-xhwoG2o (2022)

  12. fortiss GmbH: AutoFOCUS3 2.21. Available at https://af3.fortiss.org/

  13. Gelfond M, Lifschitz V. Logic programs with classical negation. In: ICLP. 1990

  14. Dantas YG, Barner S, Ke P, Nigam V, Schöpp U. Automating Vehicle SOA Threat Analysis Using a Model-Based Methodology. In: Proceedings of the 9th International Conference on Information Systems Security and Privacy, Lisbon, Portugal, February 22-24, 2023;pp. 180–191. SciTePress, Setúbal, Portugal (2023). https://doi.org/10.5220/0011786400003405

  15. Shostack A. Threat Modeling: Designing for Security. John Wiley & Sons, Inc., New York, NY, USA 2014. https://doi.org/10.5555/2829295

  16. EmbASP. Available at https://www.mat.unical.it/calimeri/projects/embasp/

  17. Jungebloud T, Nguyen N, Kim D, Zimmermann A. Hierarchical model-based cybersecurity risk assessment during system design. In: 38th IFIP TC 11 International Conference, SEC 2023 (IFIPSEC) 2023. To appear.

  18. Dantas YG, Nigam V. Automating safety and security co-design through semantically rich architecture patterns. ACM Trans Cyber Phys Syst. 2023;7(1):5–1528. https://doi.org/10.1145/3565269.

    Article  Google Scholar 

  19. Leone N, Pfeifer G, Faber W, Eiter T, Gottlob G, Perri S, Scarcello F. The DLV system for knowledge representation and reasoning. ACM Trans. Comput. Log. 2006;7https://doi.org/10.1145/1149114.1149117

  20. Sousa G, Rudametkin W, Duchien L. Automated setup of multi-cloud environments for microservices applications. In: 2016 IEEE 9th International Conference on Cloud Computing (CLOUD), 2016;pp. 327–334 . https://doi.org/10.1109/CLOUD.2016.0051

  21. Etedali A, Lung C.-H, Ajila S, Veselinovic I. Automated constraint-based multi-tenant SaaS configuration support using XML filtering techniques. In: 2017 IEEE 41st Annual Computer Software and Applications Conference (COMPSAC), vol. 2, 2017;pp. 413–418 . https://doi.org/10.1109/COMPSAC.2017.69

  22. Minna F, Massacci F. Sok: Run-time security for cloud microservices. Are we there yet? Computers & Security 127, 2023;103119 https://doi.org/10.1016/j.cose.2023.103119

Download references

Acknowledgements

We thank the German Ministry for Economic Affairs and Climate Action of Germany for funding this work through the LuFo V-3 project RTAPHM.

Author information

Authors and Affiliations

  1. Fortiss GmbH, Munich, Germany

    Yuri Gil Dantas & Ulrich Schöpp

  2. Federal University of Paraíba, João Pessoa, Brazil

    Vivek Nigam

Authors
  1. Yuri Gil Dantas
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Vivek Nigam
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Ulrich Schöpp
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Yuri Gil Dantas.

Ethics declarations

Conflict of interest

On behalf of all authors, the corresponding author states that there is no Conflict of interest.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This article is part of the topical collection “Recent Trends on Information Systems Security and Privacy” guest edited by Steven Furnell and Paolo Mori.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Dantas, Y.G., Nigam, V. & Schöpp, U. A Model-Based Systems Engineering Plugin for Cloud Security Architecture Design. SN COMPUT. SCI. 5, 553 (2024). https://doi.org/10.1007/s42979-024-02748-x

Download citation

  • Received:

  • Accepted:

  • Published:

  • DOI: https://doi.org/10.1007/s42979-024-02748-x

Keywords

Search

Navigation