Abstract
In this chapter, we present an efficient user-level runtime security auditing framework for a multi-domain cloud environment. The multi-tenancy and ever-changing nature of clouds usually imply significant design and operational complexity, which may prepare the ground for misconfigurations and vulnerabilities that lead to violations of security properties. Runtime security auditing may increase cloud tenants' trust in service providers by providing assurance of compliance with security properties derived mainly from the applicable laws, regulations, policies, and standards. Notably, the Cloud Security Alliance has recently introduced the Security, Trust and Assurance Registry (STAR) for security assurance in clouds, which defines three levels of certification (self-auditing, third-party auditing, and continuous, near real-time verification of security compliance).
Copyright information
© 2019 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Majumdar, S. et al. (2019). User-Level Runtime Security Auditing for the Cloud. In: Cloud Security Auditing. Advances in Information Security, vol 76. Springer, Cham. https://doi.org/10.1007/978-3-030-23128-6_5
DOI: https://doi.org/10.1007/978-3-030-23128-6_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-23127-9
Online ISBN: 978-3-030-23128-6
eBook Packages: Computer Science; Computer Science (R0)