Deliverable 6.3 Techniques and tools to assess the security of Cloud and Data Services

The main problem faced by system administrators nowadays is the protection against unauthorized access or corruption due to malicious actions. In fact, due to the impressive growth of the Internet, security has become one vital concern in any information infrastructure, especially in Cloud computing. Unfortunately, security is still commonly misunderstood, which leads to systems/components being deployed with critical vulnerabilities.

The assurance of the security properties is a concern that is transversal to all the cloud layers. This way, security assessment (e.g., testing, analysis, vulnerability and attack injection, etc.) must be performed to provide a degree of trustworthiness on the security of all the components, and to understand how resistant they are to malicious attempts. The information obtained allows the adjustment of the quality of protection established from the provider’s point of view, thus obtaining a realistic measure of what level of security can be promised.

The goal of this deliverable is to present techniques and tools for assessing the security properties of the software components used to support the EUBra-BIGSEA platform. In practice, we focus on researching assessment techniques targeting the services provided and also the infrastructure beneath, using as inspiration existing techniques in security assessment. This includes testing and analysis techniques (both static and dynamic), and the use of vulnerability and attack injection (techniques that are useful to assess the existing security protection systems deployed). It also includes techniques that can aggregate the outputs of such assessments and transform them in evidences that provide users with a degree of trustworthiness on the security of the services and an estimation of how resilient they are against malicious attacks.

D6.1 (Requirements and Coordinated Security Strategy) defined a strategy to achieve the required level of security with regard to the EUBra-BIGSEA infrastructure. Such strategy was intended to guide the research, development and integration of the security solutions along the project. In practice, the main objective of that document was to define a global security solution able to deal with the security objectives of the project: the provisioning of Authentication, Authorization and Accounting (AAA); the assurance of the security properties of the cloud and Big Data services; and the protection of the data privacy. The result is a list of 30 high-level requirements whose implementation will provide a secure environment for the infrastructure, for the application developers and even for the end users of the applications running inside the framework.

This deliverable (D6.3) focuses on the requirements related with the assurance of security properties. In practice, techniques are presented to: assess the robustness and security of the EUBra-BIGSEA application development services; assess the security of application containers, Cloud Management Frameworks (CMFs), and virtualization infrastructures; benchmark Intrusion Detection Systems (IDSs); test the behavior of NoSQL databases; and provide an overall trustworthiness characterization of Cloud infrastructures. Note that the results of the application of such techniques are not presented, as those will be later addressed in deliverable D6.5. Those results will contribute to the other work packages of the project by supporting the identification of the best configuration of the components in terms of security, the mitigation of existing vulnerabilities in those components, the definition of a potential intrusion prevention strategy, and the provision of an indicator of the level of trustworthiness on the overall platform.