
Model-based Security Analysis and Applications to Security Economics (Invited Talk)

J. Jürjens, A. S. Ahmadian

The project ClouDAT was supported by the Ministry of Innovation, Science, Research and Technology of the German State of North Rhine-Westphalia and EFRE under grant number 300267

Model-based Security Analysis and Applications to Security Economics

Jan Jürjens, Amir Shayan Ahmadian

Technical University of Dortmund

09.02.2015

This talk:

First part: Model-based Security Analysis (UMLsec)

Second part: ClouDAT

2/25

First part: Model-based Security Analysis (UMLsec)

3/25

How to Develop Secure IT Systems?

Modern software engineering approaches usually do not consider security

Traditional, practical approaches for security assurance do not provide a holistic, integrated assurance that would scale to the complexity of modern systems

Solution: Model-based development with UML

4/25

Model-Based Security Engineering with UMLsec

[Diagram: Security Requirements, UMLsec Models, Secure Code, Configurations and Runtime System, connected by arrows labeled Configure, Verify, Execute, Analyze against, Weave in, Code-/Testgen., Generate / Verify, Configure and Evolution]

5/25


Security Requirements Engineering

Identify security requirements within the requirements elicitation

Idea: „Requirements Mining“ in security standards

6/25


Modeling with UMLsec

Documentation and automated analysis of security-relevant information

Idea: UML for system modeling; security-relevant information as:

• Lightweight extensions (Stereotypes, Constraints, Tags)
• Heavy extensions (UMLsec 2.0 Analysis Model)

7/25

UMLsec 2.0

[Diagram: UML Meta-Model, UML Stereotype Package (<<extends>>), Analysis Model, Transformation, UMLsec 2.0]

Each UMLsec 2.0 Profile is constructed from:

• A standard UML profile package defining stereotypes
• An Analysis Model defining a new meta-model
• A transformation

8/25


Model-Based Security Analysis

Automated analysis of the system models

Idea: Generate logical formulas formalizing the security requirements; an automated theorem prover or model checker then checks the requirements automatically
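To make the idea concrete, here is an added example (not from the talk, and not code from the UMLsec or CARiSMA tools) of one such automated check: the UMLsec <<secure links>> constraint, which asks whether the physical links of a deployment model are strong enough for the secrecy and integrity requirements of the dependencies they carry. The model encoding, the two-node sample model and the function names are constructed for this example; the per-link threat tables for the default and insider attacker are my rendering of the UMLsec attacker models and should be read as an assumption.

```python
# Added example (not from the talk, and not CARiSMA/UMLsec tool code): a small
# checker for the UMLsec <<secure links>> constraint on a deployment model.
# Model encoding and sample model are constructed for this example; the threat
# tables follow the UMLsec default/insider attacker models as I recall them
# and should be treated as an assumption.
from dataclasses import dataclass

# Threats_A(link kind): actions attacker A can perform on a link of that kind.
ATTACKERS = {
    "default": {
        "Internet": {"read", "insert", "delete"},
        "encrypted": {"delete"},   # encrypted Internet link: only disruption
        "LAN": set(),
        "wire": set(),
    },
    "insider": {
        "Internet": {"read", "insert", "delete"},
        "encrypted": {"delete"},
        "LAN": {"read", "insert", "delete"},
        "wire": {"read", "insert", "delete"},
    },
}

# Attacker actions that break each requirement a dependency may carry.
FORBIDDEN = {
    "secrecy": {"read"},
    "integrity": {"insert"},
    "high": {"read", "insert", "delete"},
}


@dataclass(frozen=True)
class Link:
    nodes: frozenset   # the two nodes the link connects
    kind: str          # one of the ATTACKERS[...] keys


@dataclass(frozen=True)
class Dependency:
    source: str        # component names, mapped to nodes by the deployment
    target: str
    tags: frozenset    # subset of FORBIDDEN keys


@dataclass
class Model:
    deployment: dict   # component -> node
    links: list
    dependencies: list


def check_secure_links(model, attacker="default"):
    """Return the list of <<secure links>> violations (empty = constraint holds).

    Conservative reading (assumption of this example): every link between the
    two nodes must be safe for every requirement the dependency carries."""
    table = ATTACKERS[attacker]
    violations = []
    for dep in model.dependencies:
        n, m = model.deployment[dep.source], model.deployment[dep.target]
        if n == m:
            continue  # same node: the communication never crosses a link
        pair = frozenset((n, m))
        links = [l for l in model.links if l.nodes == pair]
        if not links:
            violations.append(f"{dep.source}->{dep.target}: no link between {n} and {m}")
            continue
        for link in links:
            threats = table[link.kind]
            for tag in sorted(dep.tags):
                hit = FORBIDDEN[tag] & threats
                if hit:
                    violations.append(
                        f"{dep.source}->{dep.target} requires {tag}, but a "
                        f"<<{link.kind}>> link between {n} and {m} lets the "
                        f"{attacker} attacker {','.join(sorted(hit))}")
    return violations


def sample_model(link_kind):
    """Constructed two-node deployment: a web client talking to an order service."""
    return Model(
        deployment={"WebClient": "ClientPC", "OrderService": "AppServer"},
        links=[Link(frozenset({"ClientPC", "AppServer"}), link_kind)],
        dependencies=[Dependency("WebClient", "OrderService",
                                 frozenset({"secrecy", "integrity"}))],
    )


if __name__ == "__main__":
    for kind in ("Internet", "encrypted", "LAN"):
        for attacker in ATTACKERS:
            found = check_secure_links(sample_model(kind), attacker)
            print(f"{kind:10} {attacker:8} -> {found or 'OK'}")
```

Running it shows the point of a model-level check: the same dependency is fine over an <<encrypted>> link or, for the default attacker, over a <<LAN>> link, but the <<LAN>> link fails as soon as the insider attacker model is selected, so the attacker model is as much an input to the analysis as the diagram is.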

9/25


Security Analysis of Configuration Data

Verification if security policies are enforced by user permissions

Idea: Automated analysis of business process models against security policies

Apex (Architecture for auditable business process execution) project at the Fraunhofer institute
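An added example of what "verifying that security policies are enforced by user permissions" looks like in code (this is constructed for the talk's point and is not Apex project code): a business process is reduced to tasks and the roles allowed to perform them, the configuration data is the user-to-role assignment, and the policies are separation-of-duty and binding-of-duty pairs between tasks. The invoice process, the user names, the policy encoding and the function names are all assumptions of this example.

```python
# Added example (not from the talk and not Apex project code): checking whether
# the user permissions configured for a business process enforce its security
# policies. The process, permission tables and policies are constructed here;
# the policy kinds (separation / binding of duty) and their encoding are my own
# choice for this illustration.

def performers(process, permissions, task):
    """Users whose assigned roles allow them to execute `task`."""
    required_roles = process[task]
    return {user for user, roles in permissions.items() if roles & required_roles}


def check_policies(process, permissions, policies):
    """Return one finding per policy the permission configuration fails to enforce."""
    findings = []
    for kind, task_a, task_b in policies:
        can_a = performers(process, permissions, task_a)
        can_b = performers(process, permissions, task_b)
        if kind == "sod":    # separation of duty: nobody may be able to do both
            for user in sorted(can_a & can_b):
                findings.append(f"SoD({task_a}, {task_b}) violated by {user}")
        elif kind == "bod":  # binding of duty: someone must be able to do both
            if not can_a & can_b:
                findings.append(f"BoD({task_a}, {task_b}) unsatisfiable")
        else:
            raise ValueError(f"unknown policy kind {kind!r}")
    for task in process:     # every task needs at least one authorized performer
        if not performers(process, permissions, task):
            findings.append(f"task {task} has no authorized user")
    return findings


# Constructed invoice process: task -> roles permitted to execute it.
PROCESS = {
    "create_invoice": {"clerk"},
    "approve_invoice": {"manager"},
    "release_payment": {"treasurer"},
    "archive_invoice": {"clerk", "auditor"},
}

# Constructed policies the process must satisfy.
POLICIES = [
    ("sod", "create_invoice", "approve_invoice"),
    ("sod", "approve_invoice", "release_payment"),
    ("bod", "create_invoice", "archive_invoice"),
]

# Constructed permission configurations: user -> assigned roles.
WEAK_PERMISSIONS = {
    "alice": {"clerk"},
    "bob": {"manager", "treasurer"},   # one person can approve and pay
    "carol": {"auditor"},
}

FIXED_PERMISSIONS = {
    "alice": {"clerk"},
    "bob": {"manager"},
    "carol": {"auditor", "treasurer"},
}

if __name__ == "__main__":
    for name, perms in (("weak", WEAK_PERMISSIONS), ("fixed", FIXED_PERMISSIONS)):
        print(name, check_policies(PROCESS, perms, POLICIES) or "all policies enforced")
```

The check deliberately works on the configuration data alone: it needs no execution trace, so it can run before the process is deployed and again whenever the role assignments change, which is the auditability the slide is after.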

10/25

UMLsec Tool Support

CARiSMA

Offers an unprecedented opportunity for high-quality critical systems development

It enables:
• Compliance analysis
• Risk analysis
• Security analysis

Is a reimplemented variant of the former UMLsec tool

11/25

Second part: ClouDAT

12/25

Cloud Computing

NIST defines cloud computing by its essential characteristics, service models and deployment models:

Essential characteristics: On-Demand Self-Service, Broad Network Access, Resource Pooling, Rapid Elasticity, Measured Service

Service models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)

Deployment models: Public, Private, Hybrid, Community

13/25

Cloud Computing & Security

The biggest challenge to deploying clouds:

14/25

ClouDAT Project

• Nationally funded by the Ministry of Education and Research

• Small and medium enterprises (SMEs)

• Cloud computing services

• Security is important for cloud customers

• Certification of applied security mechanisms

• ISO 27001 (tailoring)

• Create a documentation of the cloud system using patterns and a defined process

15/25

ClouDAT

Overview of the pattern-based risk analysis method (ClouDAT Process)

16/25

Cloud System Analysis Pattern

The aim of this phase is to define the scope and boundaries of the information security management system

17/25

Refining the Assets

The asset list contains all the assets of the organization and their relevant aspects

18/25

Providing a catalogue of common threats and vulnerabilities

Providing a catalogue of common risks

19/25

Instantiating Security Requirements

A catalogue of predefined security requirements is provided

20/25

Security Control List

• The normative controls of ISO 27001
• Security patterns

21/25

Documentation

• When all risk ratings are below the risk acceptance level, the final documentation for certification can be generated

• The generated documentation generally fulfills the ISO 27001 requirements

• It can be used for certification
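The slides from "Refining the Assets" to "Documentation" describe one procedure: refine the asset list, pair assets with catalogued threats and vulnerabilities, rate the risks, apply controls, and generate the documentation only once every rating is below the acceptance level. The following is an added example of that chain (constructed for this page; it is not ClouDAT tool code and not an ISO 27001 artefact). The 1-to-5 likelihood and impact scales, the acceptance level of 8, the sample asset register and the control identifiers such as CTRL-ACCESS are all placeholders chosen for the illustration.

```python
# Added example (not from the talk, and not ClouDAT tool code): the risk
# assessment step of a pattern-based certification process, from the refined
# asset list through threat/vulnerability pairs to the documentation gate.
# Rating scales, acceptance level, controls and control identifiers are
# constructed placeholders, not values from ISO 27001 or from ClouDAT.
from dataclasses import dataclass, field


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int        # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int            # 1 (negligible) .. 5 (severe), constructed scale
    controls: list = field(default_factory=list)   # (control id, likelihood reduction)

    def residual_likelihood(self):
        reduction = sum(step for _, step in self.controls)
        return max(1, self.likelihood - reduction)   # a control never removes a threat entirely

    def rating(self):
        return self.residual_likelihood() * self.impact


ACCEPTANCE_LEVEL = 8   # constructed: ratings above this level need treatment


def unaccepted(risks, level=ACCEPTANCE_LEVEL):
    """Risks whose current rating is still above the acceptance level."""
    return [r for r in risks if r.rating() > level]


def apply_control(risks, asset, threat, control_id, reduction):
    """Attach a security control to the matching risk; returns the new rating."""
    for r in risks:
        if r.asset == asset and r.threat == threat:
            r.controls.append((control_id, reduction))
            return r.rating()
    raise KeyError(f"no risk registered for {asset}/{threat}")


def generate_documentation(risks, level=ACCEPTANCE_LEVEL):
    """Produce the certification document only once every risk is acceptable."""
    open_risks = unaccepted(risks, level)
    if open_risks:
        names = ", ".join(f"{r.asset}/{r.threat}={r.rating()}" for r in open_risks)
        raise ValueError(f"risk treatment incomplete, above level {level}: {names}")
    lines = [f"Risk treatment summary (acceptance level {level})"]
    for r in risks:
        ctrls = ", ".join(cid for cid, _ in r.controls) or "none"
        lines.append(f"- {r.asset} / {r.threat} via {r.vulnerability}: "
                     f"L={r.likelihood}->{r.residual_likelihood()} I={r.impact} "
                     f"rating={r.rating()} controls={ctrls}")
    return "\n".join(lines)


def sample_register():
    """Constructed asset/threat/vulnerability list for a small cloud service."""
    return [
        Risk("customer database", "unauthorized access", "weak authentication", 4, 5),
        Risk("web frontend", "denial of service", "no request rate limiting", 3, 3),
        Risk("backup media", "theft", "unencrypted backups", 2, 4),
    ]


def treat_sample(risks):
    """Apply the placeholder controls chosen for the sample register."""
    apply_control(risks, "customer database", "unauthorized access", "CTRL-ACCESS", 2)
    apply_control(risks, "customer database", "unauthorized access", "CTRL-CRYPTO", 1)
    apply_control(risks, "web frontend", "denial of service", "CTRL-RATE-LIMIT", 1)
    return risks


if __name__ == "__main__":
    register = sample_register()
    print("open before treatment:", [(r.asset, r.rating()) for r in unaccepted(register)])
    treat_sample(register)
    print(generate_documentation(register))
```

The gate in generate_documentation is the part worth copying: a risk that still rates above the acceptance level blocks the document outright rather than being listed with a caveat, which is what makes the generated documentation usable as certification evidence. The backup-media risk is kept at the boundary value on purpose, to show that "below the acceptance level" is a comparison the tool has to make explicitly, not a judgement left to the reader.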

22/25

Conclusion

Model-based Security Analysis

UMLsec 2.0
• Stereotypes
• Analysis Model

ClouDAT
• A pattern-based certification technique to certify SMEs
• Based on ISO 27001
• Delivers a documentation
• Risk analysis is an indispensable part of certification
• The process contains:
  • Assets, threats and vulnerabilities identification
  • Risk assessment
  • Security requirements elicitation
  • Applying the proper security controls

23/25