TL;DR
The paper introduces Cloud Property Graph (CloudPG), a novel framework that integrates static code analysis with runtime security data to identify security weaknesses across multi-cloud environments.
Contribution
It presents CloudPG, a vendor-neutral graph model that combines static and runtime information to assess cloud security comprehensively.
Findings
Effective identification of misconfigurations across cloud providers
Ability to trace data flows and security features in multi-cloud setups
Supports regulatory compliance checks like GDPR
Abstract
In this paper, we present the Cloud Property Graph (CloudPG), which bridges the gap between static code analysis and runtime security assessment of cloud services. The CloudPG is able to resolve data flows between cloud applications deployed on different resources, and contextualizes the graph with runtime information, such as encryption settings. To provide a vendor- and technology-independent representation of a cloud service's security posture, the graph is based on an ontology of cloud resources, their functionalities and security features. We show, using an example, that our CloudPG framework can be used by security experts to identify weaknesses in their cloud deployments, spanning multiple vendors or technologies, such as AWS, Azure and Kubernetes. This includes misconfigurations, such as publicly accessible storages or undesired data flows within a cloud service, as restricted…
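As an added illustration (not the paper's own code or ontology), the toy graph below shows the shape of the approach the abstract describes: resources become typed nodes carrying runtime properties such as encryption settings, statically recovered data flows become edges, and misconfiguration checks are graph queries. The node types, property names and the sample Kubernetes/AWS/Azure deployment are assumptions made for this example.

```python
from collections import defaultdict, deque

class CloudGraph:
    """Toy property graph: nodes are cloud resources typed with a small
    vendor-neutral vocabulary and annotated with runtime properties;
    edges are data flows recovered by static analysis (assumed model)."""
    def __init__(self):
        self.nodes = {}                 # id -> {"type", "provider", runtime props...}
        self.edges = defaultdict(list)  # id -> ids it sends data to

    def add_node(self, node_id, ntype, provider, **props):
        self.nodes[node_id] = {"type": ntype, "provider": provider, **props}

    def add_flow(self, src, dst):
        self.edges[src].append(dst)

    def reachable(self, start):
        """All nodes reachable from `start` along data-flow edges (BFS)."""
        seen, queue = set(), deque([start])
        while queue:
            for nxt in self.edges[queue.popleft()]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def public_storage(self):
        """Storage whose runtime configuration allows anonymous access."""
        return sorted(n for n, p in self.nodes.items()
                      if p["type"] == "ObjectStorage" and p.get("public_access"))

    def unencrypted_sinks(self, source):
        """Storage reachable from `source`, possibly on another provider,
        that lacks encryption at rest: an undesired data flow."""
        return sorted(n for n in self.reachable(source)
                      if self.nodes[n]["type"] == "ObjectStorage"
                      and not self.nodes[n].get("encryption_at_rest"))

def build_sample():
    """Constructed deployment: a Kubernetes service writing to AWS and Azure."""
    g = CloudGraph()
    g.add_node("api", "Compute", "kubernetes")
    g.add_node("queue", "Messaging", "aws", transport_encryption=True)
    g.add_node("bucket-eu", "ObjectStorage", "aws",
               encryption_at_rest=True, public_access=False)
    g.add_node("blob-backup", "ObjectStorage", "azure",
               encryption_at_rest=False, public_access=True)
    for src, dst in [("api", "queue"), ("api", "bucket-eu"), ("queue", "blob-backup")]:
        g.add_flow(src, dst)
    return g
```

Running `build_sample().unencrypted_sinks("api")` follows the flow from the Kubernetes service through the AWS queue to the Azure blob, which the per-provider view of either cloud alone would not connect.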
