How we’re taking cloud security auditing to the next level
Today’s businesses and government organizations store data and run many of their applications in the cloud. With so many providers of cloud services to choose from, how can they ensure their data is safe? Learn more in the latest Ericsson Research post from our security experts below.
The cloud environment is complex. Proving compliance with security related requirements – a process known as security compliance auditing – is a challenge.
Results from several years of research in cloud security compliance, together with Concordia University, prove there are indeed ways to meet this challenge. During the Audit Ready Cloud project, we investigated a number of cloud security audit research themes, among them multi-tenant near real-time virtual network isolation verification, learning-based proactive security auditing, and data anonymization.
As an example, in the context of multi-tenant virtual network isolation, TenantGuard – a scalable system for verifying cloud-wide VM-level network isolation at runtime was published in the NDSS Symposium 2017. TenantGuard showed improved scalability and efficiency compared to the state-of-the-art techniques due to a novel verification algorithm that adopts a top-down approach and, at the same time, takes advantage of the hierarchical structure of virtual networks. While TenantGuard is mainly concerned with network reachability, ISOTOP – a formal verification approach, has as objective to audit virtual networks topology isolation and consistency across cloud layers (i.e. cloud infrastructure management layer and the cloud implementation layer). Published in the ACM TOPS journal 2018, ISOTOP maps security requirements on virtual network topology isolation and consistency into constraint satisfaction problems over the virtual network configuration data, and then generates a proof of compliance or non-compliance.
In another context for proactive security compliance verification and enforcement, our research team designed a novel learning technique that facilitates proactive cloud security auditing, called LeaPS and published in the ESORICS symposium 2017.
To this end, LeaPS captures existing dependencies between runtime events in the form of a Bayesian network and use it to decide, based on the current observed event instances, the most likely critical event to occur. Based on this information LeaPS proactively verifies the security policies at runtime and enforces those policies in the cloud management system. This allows for the prevention of security breaches before they occur. LeaPS has also been extended to audit operations from multiple cloud levels, as published recently in the DSC conference 2019.
Addressing privacy and utility concerns of data, the research team has developed novel anonymization techniques and privacy-enhancing tools that protect sensitive information in cloud-related data while ensuring its utility for subsequent analysis by a semi-trusted third-party. MultiView, published in the ACM CCS conference 2018, anonymizes the network traffic cloud data while enabling the analysis to take place with the same effectiveness as if done on the real data. MultiView generates a seed view of the data that efficiently hides the real data, while allowing with some utility parameters, the generation of multiple views of the same data. However only one view provides the real analysis results, only accessible to the data owner.
The iCAT tool – an Interactive Customizable Anonymization Tool, published in the ESORICS symposium 2019, proposes an original approach to efficiently involve both the data owner and the data user in the anonymization process. It permits them to express their needs in terms of privacy and utility, respectively, and to reach an agreement on the anonymization of the data that satisfies both sides. iCAT leverages a state-of-the-art natural language processing engine to understand end users’ requirements. It then maps different needs into a pre-built anonymization space, that is organized in the form of a lattice, where a partial order relation is established between different known anonymization algorithms showing their different levels of privacy and utility. This locates the subset of the anonymization algorithms satisfying all requirements.
In 2019, leveraging research done in the Audit Ready Cloud (ARC) project, we published a book with Springer editions entitled “Cloud Security Auditing” presenting a broader view on auditing in the cloud environment.
This successful collaboration reflects Ericsson’s ongoing commitment to security research – a commitment we are now taking to the next level with work on novel methods for security compliance verification of NFV/SDN for future mobile networks.
Check our future network security page to learn more about our security approach at Ericsson.
Read the press release about our 5G security collaboration with Concordia University.
Read the Concordia University press release.