TY - GEN A1 - Torkura, Kennedy A. A1 - Sukmana, Muhammad Ihsan Haikal A1 - Cheng, Feng A1 - Meinel, Christoph T1 - Leveraging cloud native design patterns for security-as-a-service applications T2 - IEEE International Conference on Smart Cloud (SmartCloud) N2 - This paper discusses a new approach for designing and deploying Security-as-a-Service (SecaaS) applications using cloud native design patterns. Current SecaaS approaches do not efficiently handle the increasing threats to computer systems and applications. For example, requests for security assessments drastically increase after a high-risk security vulnerability is disclosed. In such scenarios, SecaaS applications are unable to dynamically scale to serve requests. A root cause of this challenge is employment of architectures not specifically fitted to cloud environments. Cloud native design patterns resolve this challenge by enabling certain properties e.g. massive scalability and resiliency via the combination of microservice patterns and cloud-focused design patterns. However adopting these patterns is a complex process, during which several security issues are introduced. In this work, we investigate these security issues, we redesign and deploy a monolithic SecaaS application using cloud native design patterns while considering appropriate, layered security counter-measures i.e. at the application and cloud networking layer. Our prototype implementation out-performs traditional, monolithic applications with an average Scanner Time of 6 minutes, without compromising security. Our approach can be employed for designing secure, scalable and performant SecaaS applications that effectively handle unexpected increase in security assessment requests. KW - Cloud-Security KW - Security-as-a-Service KW - Vulnerability Assessment KW - Cloud Native Applications Y1 - 2017 SN - 978-1-5386-3684-8 U6 - https://doi.org/10.1109/SmartCloud.2017.21 SP - 90 EP - 97 PB - Institute of Electrical and Electronics Engineers CY - New York ER - TY - GEN A1 - Sukmana, Muhammad Ihsan Haikal A1 - Torkura, Kennedy A. A1 - Graupner, Hendrik A1 - Cheng, Feng A1 - Meinel, Christoph T1 - Unified Cloud Access Control Model for Cloud Storage Broker T2 - 33rd International Conference on Information Networking (ICOIN 2019) N2 - Cloud Storage Broker (CSB) provides value-added cloud storage service for enterprise usage by leveraging multi-cloud storage architecture. However, it raises several challenges for managing resources and its access control in multiple Cloud Service Providers (CSPs) for authorized CSB stakeholders. In this paper we propose unified cloud access control model that provides the abstraction of CSP's services for centralized and automated cloud resource and access control management in multiple CSPs. Our proposal offers role-based access control for CSB stakeholders to access cloud resources by assigning necessary privileges and access control list for cloud resources and CSB stakeholders, respectively, following privilege separation concept and least privilege principle. We implement our unified model in a CSB system called CloudRAID for Business (CfB) with the evaluation result shows it provides system-and-cloud level security service for cfB and centralized resource and access control management in multiple CSPs. KW - Cloud Storage Broker KW - Cloud access control and resource management KW - Unified cloud model KW - Privilege separation concept KW - Least privilege principle KW - Role-based access control Y1 - 2019 SN - 978-1-5386-8350-7 U6 - https://doi.org/10.1109/ICOIN.2019.8717982 SN - 1976-7684 SP - 60 EP - 65 PB - IEEE CY - Los Alamitos ER - TY - JOUR A1 - Torkura, Kennedy A. A1 - Sukmana, Muhammad Ihsan Haikal A1 - Cheng, Feng A1 - Meinel, Christoph T1 - CloudStrike BT - chaos engineering for security and resiliency in cloud infrastructure JF - IEEE access : practical research, open solutions N2 - Most cyber-attacks and data breaches in cloud infrastructure are due to human errors and misconfiguration vulnerabilities. Cloud customer-centric tools are imperative for mitigating these issues, however existing cloud security models are largely unable to tackle these security challenges. Therefore, novel security mechanisms are imperative, we propose Risk-driven Fault Injection (RDFI) techniques to address these challenges. RDFI applies the principles of chaos engineering to cloud security and leverages feedback loops to execute, monitor, analyze and plan security fault injection campaigns, based on a knowledge-base. The knowledge-base consists of fault models designed from secure baselines, cloud security best practices and observations derived during iterative fault injection campaigns. These observations are helpful for identifying vulnerabilities while verifying the correctness of security attributes (integrity, confidentiality and availability). Furthermore, RDFI proactively supports risk analysis and security hardening efforts by sharing security information with security mechanisms. We have designed and implemented the RDFI strategies including various chaos engineering algorithms as a software tool: CloudStrike. Several evaluations have been conducted with CloudStrike against infrastructure deployed on two major public cloud infrastructure: Amazon Web Services and Google Cloud Platform. The time performance linearly increases, proportional to increasing attack rates. Also, the analysis of vulnerabilities detected via security fault injection has been used to harden the security of cloud resources to demonstrate the effectiveness of the security information provided by CloudStrike. Therefore, we opine that our approaches are suitable for overcoming contemporary cloud security issues. KW - cloud security KW - security chaos engineering KW - resilient architectures KW - security risk assessment Y1 - 2020 U6 - https://doi.org/10.1109/ACCESS.2020.3007338 SN - 2169-3536 VL - 8 SP - 123044 EP - 123060 PB - Institute of Electrical and Electronics EngineersĀ  CY - Piscataway ER -