Transcript of "A Cloud-Oriented Cross-Domain Security Architecture" (13 slides)

Page 1:

A Cloud-Oriented Cross-Domain Security Architecture

Dankook University, Computer Security and OS Lab (peonix120@gmail.com)

임경환

2015. 04. 16

Thuy D. Nguyen, Mark A. Gondree, The 2010 Military Communications Conference

Page 2:

Computer Security & OS Lab.

Contents

INTRODUCTION

OVERALL ARCHITECTURE

Security Features

Security policy

Conclusion

Reference

Q & A

Page 3:

INTRODUCTION

Extended version of MYSEA (Monterey Security Architecture)

Designed to address the inefficient exchange of information in military "silo" environments.

Supports a cloud of cross-domain services.

Page 4:

INTRODUCTION

Multilevel secure (MLS) system

Manages information of different security classifications and enforces a mandatory security policy to control both information access and information flow.

MLS policy enforcement mechanism

Access to information in an MLS system is governed by the classification level of the information, the security clearance of the requester, and whether the requester has a need to access the information (need-to-know).

Page 5:

OVERALL ARCHITECTURE

Page 6:

OVERALL ARCHITECTURE

MYSEA Cloud Servers

Federated Services Manager
• user sessions, service availability

Authentication Server
• I & A supporting policy

Dynamic Security Service Manager
• service management mechanism

Application Server
• web browsing, wiki, email, … services

Page 7:

OVERALL ARCHITECTURE

Special Purpose Trustworthy Components

Trusted Path Extension (TPE)
• acts as a gatekeeper between the workstation and the MYSEA cloud.

Trusted Channel Module (TCM)
• serves as a multiplexer that labels incoming network traffic from single-level services.

Page 8:

Security Features

Secure connections to classified network

Centralized security management

Use of adaptive security techniques to provide dynamic security services

High assurance trusted path and trusted channel techniques for managing access to the MLS cloud

Page 9:

SECURITY POLICIES

MYSEA controls access to resources using both mandatory access control and discretionary access control.

Lattice-based policies: Bell and LaPadula (confidentiality), Biba (integrity)

Identification and Authentication (I & A), Audit.

For I & A, the MYSEA Server ensures that users are afforded a trusted communication path between the user and the MYSEA Server, and that the user's claimed identity and authentication credentials are validated before a user session is established.

For Audit, the MYSEA Server accounts for all user actions, whether taken directly by the user (e.g., trusted path invocation) or by software acting on the user's behalf (e.g., a web server process).

Page 10:

Dynamic Security Service

The DSS design follows the standard policy management paradigm:

• policy input point (PIP)
• policy repository
• policy decision point (PDP)
• policy enforcement point (PEP)
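As an added example (not code from the paper or from MYSEA itself), the following Python sketch ties together three slides: the MLS policy enforcement mechanism from the Introduction (classification level, clearance and need-to-know), the mandatory and discretionary controls and audit from the Security Policies slide, and the PIP / policy repository / PDP / PEP split described above. Labels form a lattice of a hierarchical level plus need-to-know compartments; Bell-LaPadula rules protect confidentiality and Biba rules protect integrity, with a discretionary ACL checked alongside them. The level names, users, resources and rule names are constructed for the illustration and are not values from the paper.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple

# Constructed ordering of hierarchical levels (example values, not from the paper).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}

@dataclass(frozen=True)
class Label:
    """Lattice label: hierarchical level plus need-to-know compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other: level at least as high and compartments a superset."""
        return LEVELS[self.level] >= LEVELS[other.level] and self.compartments >= other.compartments

@dataclass(frozen=True)
class Subject:
    user: str
    clearance: Label   # Bell-LaPadula clearance
    integrity: int     # Biba integrity level (higher = more trusted)

@dataclass(frozen=True)
class Resource:
    name: str
    classification: Label  # Bell-LaPadula label of the object
    integrity: int         # Biba integrity level of the object
    acl: FrozenSet[str]    # discretionary access control list

# Mandatory rules (Bell-LaPadula for confidentiality, Biba for integrity) plus one
# discretionary rule. A rule that does not concern the operation returns True.
def blp_simple_security(s, r, op):    # no read up
    return op != "read" or s.clearance.dominates(r.classification)

def blp_star_property(s, r, op):      # no write down
    return op != "write" or r.classification.dominates(s.clearance)

def biba_simple_integrity(s, r, op):  # no read down
    return op != "read" or r.integrity >= s.integrity

def biba_star_property(s, r, op):     # no write up
    return op != "write" or s.integrity >= r.integrity

def dac(s, r, op):                    # user must be on the resource ACL
    return s.user in r.acl

class PolicyRepository:
    """Named rules entered through the policy input point (PIP)."""
    def __init__(self, rules: List[Tuple[str, Callable]]) -> None:
        self.rules = list(rules)

class PolicyDecisionPoint:
    """Every rule must permit; returns (allowed, names of the rules that denied)."""
    def __init__(self, repo: PolicyRepository) -> None:
        self.repo = repo

    def decide(self, s: Subject, r: Resource, op: str) -> Tuple[bool, List[str]]:
        failed = [name for name, rule in self.repo.rules if not rule(s, r, op)]
        return (not failed, failed)

class PolicyEnforcementPoint:
    """Mediates every access and writes an audit record for each decision."""
    def __init__(self, pdp: PolicyDecisionPoint, resources: List[Resource]) -> None:
        self.pdp = pdp
        self.resources = {r.name: r for r in resources}
        self.audit: List[Tuple[str, str, str, str]] = []

    def access(self, s: Subject, name: str, op: str) -> Tuple[bool, List[str]]:
        allowed, failed = self.pdp.decide(s, self.resources[name], op)
        verdict = "ALLOW" if allowed else "DENY:" + ",".join(failed)
        self.audit.append((s.user, name, op, verdict))
        return allowed, failed

def build_demo() -> Tuple[PolicyEnforcementPoint, Subject, Subject]:
    """Constructed sample rules, resources and users (illustrative only)."""
    repo = PolicyRepository([("blp-simple-security", blp_simple_security),
                             ("blp-star-property", blp_star_property),
                             ("biba-simple-integrity", biba_simple_integrity),
                             ("biba-star-property", biba_star_property), ("dac", dac)])
    resources = [
        Resource("ops-plan", Label("SECRET", frozenset({"CRYPTO"})), 2, frozenset({"alice", "bob"})),
        Resource("public-notice", Label("UNCLASSIFIED"), 1, frozenset({"alice", "bob"})),
        Resource("hr-file", Label("CONFIDENTIAL", frozenset({"HR"})), 2, frozenset({"bob"})),
    ]
    alice = Subject("alice", Label("SECRET", frozenset({"CRYPTO"})), 2)
    bob = Subject("bob", Label("CONFIDENTIAL"), 1)
    return PolicyEnforcementPoint(PolicyDecisionPoint(repo), resources), alice, bob

if __name__ == "__main__":
    pep, alice, bob = build_demo()
    pep.access(bob, "ops-plan", "read")          # denied: no read up
    pep.access(alice, "public-notice", "write")  # denied: no write down
    pep.access(bob, "ops-plan", "write")         # BLP permits write up, Biba does not
    for entry in pep.audit:
        print(entry)
```

The point of keeping the PDP separate from the PEP is that the enforcement code never interprets policy: it passes every request to the decision point and records the verdict, so changing the rule set in the repository (the DSS "dynamic" part) does not touch the code that mediates access. The need-to-know check falls out of the compartment test in Label.dominates: a TOP_SECRET clearance without the CRYPTO compartment still cannot read a SECRET/CRYPTO object.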

Page 11:

Conclusions

Cloud computing promotes agility, scalability, collaboration, and sharing of resources across domains and organizations, but it inherits the same security risks.

MYSEA integrates support for cloud computing functionality with strong security properties.

MYSEA's security features include strong cross-domain access controls and protection of system assets with different security classifications.

Page 12:

Reference

[1] CNSS Instruction No. 4009, "National information assurance (IA) glossary," Committee on National Security Systems, Revised June 2006.

[2] M. Bailey, "The unified cross domain management office: bridging security domains and cultures," CrossTalk magazine, vol. 21, no. 7, pp. 21–23, July 2007.

[3] D. E. Bell and L. LaPadula, "Secure computer system: unified exposition and Multics interpretation," Technical Report ESD-TR-75-306, The MITRE Corporation, Hanscom AFB, MA, 1975.

[4] K. J. Biba, "Integrity considerations for secure computer systems," Tech. Report ESD-TR-76-372, The MITRE Corporation, 1977.

Page 13:

Thank you.