Continuous security evaluation and auditing of remote platforms by combining trusted computing and security automation techniques

Abstract

In many new distributed systems paradigms such a cloud computing, Internet of Things (IoT), electronic banking, etc. the security of the host platforms is very critical which is managed by the platform owner. The platform administrators use security automation techniques such as those provided by Security Content Automation Protocol (SCAP) standards to ensure that the outsourced platforms are set up correctly and follow the security recommendations (governmental or industry). However, the remote platform users still have to trust the platform administrators. The third party security audits, used to shift the required user trust from the platform owner to a trusted entity, are scheduled and are not very frequent to deal with the daily reported vulnerabilities which can be exploited by the attackers. In this paper we propose a remote platform evaluation mechanism which can be used by the remote platform users themselves, or by the auditors to perform frequent platform security audits for the platform users. We analyze the existing SCAP and trusted computing (TCG) standards for our solution, identify their shortcomings, and suggest ways to integrate them. Our proposed platform security evaluation framework uses the synergy of TCG and SCAP to address the limitations of each technology when used separately.