Before deploying their infrastructure (resources, data, communications, ...) on a Cloud computing platform, companies want to be sure that it will be properly secured. At deployment time, the company provides a security policy describing its security requirements through a set of properties. Once its infrastructure deployed, the company want to be assured that this policy is applied and enforced. But describing and enforcing security properties and getting strong evidences of it is a complex task.To address this issue, in [1], we have proposed a language that can be used to express both security and assurance properties on distributed resources. Then, we have shown how these global properties can be cut into a set of properties to be enforced locally. In this paper, we show how these local properties can be used to automatically configure security mechanisms. Our language is context-based which allows it to be easily adapted to any resource naming systems e.g., Linux and Android (with SELinux) or PostgreSQL. Moreover, by abstracting low-level functionalities (e.g., deny write to a file) through capabilities, our language remains independent from the security mechanisms. These capabilities can then be combined into security and assurance properties in order to provide high-level functionalities, such as confidentiality or integrity. Furthermore, we propose a global architecture that receives these properties and automatically configures the security and assurance mechanisms accordingly. Finally, we express the security and assurance policies of an industrial environment for a commercialized product and show how its security is enforced.
Enforcing security properties in a Cloud is a difficult task, which requires expertise. However, it is not the only securityrelated challenge met by a company migrating to a Cloud environment. Indeed, the tenant must also have assurance that the requested security properties have effectively been enforced. Therefore, the Cloud provider has to offer a way of monitoring the security. In this paper, we present a solution to express the assurance properties based on the security requirements of the tenant and to deploy these assurance properties. First, we introduce a language that expresses the assurance based on the tenant's security requirements. Secondly, we propose an infrastructure that deploys the assurance in a Cloud environment. This solution aims to be easy to use: the assurance directly results from the high-level expression of the tenant's security requirements, and no additional action is needed from the tenant. Consequently, we address one of the greatest drawback of security and assurance -the complexity of their configuration -while providing a complete assurance mechanism.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.
hi@scite.ai
10624 S. Eastern Ave., Ste. A-614
Henderson, NV 89052, USA
Copyright © 2024 scite LLC. All rights reserved.
Made with 💙 for researchers
Part of the Research Solutions Family.