Towards a Security Stress-Test for Cloud Configurations
Francesco Minna, Fabio Massacci, Katja Tuma
TL;DR
This paper introduces a graph-based method to model and analyze cloud configurations, aiming to assist administrators in identifying safer setups and understanding security implications through scenario analysis.
Contribution
It proposes a novel knowledge graph approach to model cloud security objects and vulnerabilities, enabling safer configuration suggestions and scalable analysis.
Findings
Initial validation shows effectiveness in vulnerability analysis.
Supports scenario-based security assessments.
Scales to large cloud deployments.
Abstract
Securing cloud configurations is an elusive task, which is left up to system administrators who have to base their decisions on ``trial and error'' experimentations or by observing good practices (e.g., CIS Benchmarks). We propose a knowledge, AND/OR, graphs approach to model cloud deployment security objects and vulnerabilities. In this way, we can capture relationships between configurations, permissions (e.g., CAP\_SYS\_ADMIN), and security profiles (e.g., AppArmor and SecComp), as first-class citizens. Such an approach allows us to suggest alternative and safer configurations, support administrators in the study of what-if scenarios, and scale the analysis to large scale deployments. We present an initial validation and illustrate the approach with three real vulnerabilities from known sources.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsSoftware System Performance and Reliability · Data Quality and Management · Cloud Data Security Solutions