Abstract

Most cyber-attacks and data breaches in cloud infrastructure are due to human errors and misconfiguration vulnerabilities. Cloud customer-centric tools are imperative for mitigating these issues; however, existing cloud security models are largely unable to tackle these security challenges. Novel security mechanisms are therefore imperative, and we propose Risk-driven Fault Injection (RDFI) techniques to address these challenges. RDFI applies the principles of chaos engineering to cloud security and leverages feedback loops to execute, monitor, analyze and plan security fault injection campaigns, based on a knowledge-base. The knowledge-base consists of fault models designed from secure baselines, cloud security best practices and observations derived during iterative fault injection campaigns. These observations are helpful for identifying vulnerabilities while verifying the correctness of security attributes (integrity, confidentiality and availability). Furthermore, RDFI proactively supports risk analysis and security hardening efforts by sharing security information with security mechanisms. We have designed and implemented the RDFI strategies, including various chaos engineering algorithms, as a software tool: CloudStrike. Several evaluations have been conducted with CloudStrike against infrastructure deployed on two major public cloud infrastructures: Amazon Web Services and Google Cloud Platform. The time performance increases linearly, in proportion to increasing attack rates. Also, the analysis of vulnerabilities detected via security fault injection has been used to harden the security of cloud resources to demonstrate the effectiveness of the security information provided by CloudStrike. Therefore, we opine that our approaches are suitable for overcoming contemporary cloud security issues.

Highlights

  • Cyber-attacks against Infrastructure as a Service (IaaS) cloud platforms have increased in recent years, mostly exploiting configuration vulnerabilities

  • Similar to the feedback loops employed for non-security faults, we propose an adaptation of the Monitor Analyze Plan Execute over-a-shared Knowledgebase (MAPE-K) feedback loop [20], which has been popularly employed in complex, autonomous computing

  • We extended our initial work in [15], by implementing security fault models drawn from secure baselines, industry standard best practices e.g. the Centre for Internet Security (CIS) benchmarks for Cloud Service Provider (CSP) [21], [22] and the Cloud Security Alliance (CSA) cloud penetration testing playbook [23]


Summary

INTRODUCTION

Cyber-attacks against Infrastructure as a Service (IaaS) cloud platforms have increased in recent years, mostly exploiting configuration vulnerabilities. Implemented resiliency patterns, e.g. timeouts, retries, and fallbacks, are important for chaos engineering experiments because they provide clear feedback information about system behavior [18], [19]. This feedback is indicative of faults, thereby providing opportunities for mitigation. We extended our initial work in [15] by implementing security fault models drawn from secure baselines and industry standard best practices, e.g. the Centre for Internet Security (CIS) benchmarks for Cloud Service Provider (CSP) [21], [22] and the CSA cloud penetration testing playbook [23]. We propose the RDFI Feedback Loop (adapted from the MAPE-K model [20]) as a model for automating the transfer of security information gained via Security Chaos Engineering (SCE) to cyber-security controls and mechanisms (Section III-A).

SECURITY CHAOS ENGINEERING
IMPLEMENTATION
CHAOS MONITOR
CHAOS ANALYZER
EXPERIMENTS AND EVALUATION
RELATED WORK
Findings
VIII. CONCLUSION