-
owl2proto: Enabling Semantic Processing in Modern Cloud Micro-Services
Authors:
Christian Banse,
Angelika Schneider,
Immanuel Kunz
Abstract:
The usefulness of semantic technologies in the context of security has been demonstrated many times, e.g., for processing certification evidence, log files, and creating security policies. Integrating semantic technologies, like ontologies, in an automated workflow, however, is cumbersome since they introduce disruptions between the different technologies and data formats that are used. This is especially true for modern cloud-native applications, which rely heavily on technologies such as protobuf. In this paper we argue that these technology disruptions represent a major hindrance to the adoption of semantic technologies into the cloud and more effort and research is required to overcome them. We created one such approach called $\textit{owl2proto}$, which provides an automatic translation of OWL ontologies into the protobuf data format. We showcase the seamless integration of an ontology and transmission of semantic data in an already existing cloud micro-service.
Submitted 10 November, 2024;
originally announced November 2024.
-
Poster: Patient Community -- A Test Bed For Privacy Threat Analysis
Authors:
Immanuel Kunz,
Angelika Schneider,
Christian Banse,
Konrad Weiss,
Andreas Binder
Abstract:
Research and development of privacy analysis tools currently suffers from a lack of test beds for evaluation and comparison of such tools. In this work, we propose a benchmark application that implements an extensive list of privacy weaknesses based on the LINDDUN methodology. It represents a social network for patients whose architecture has first been described in an example analysis conducted by one of the LINDDUN authors. We have implemented this architecture and extended it with more privacy threats to build a test bed that enables comprehensive and independent testing of analysis tools.
Submitted 4 August, 2023;
originally announced August 2023.
-
Application-Oriented Selection of Privacy Enhancing Technologies
Authors:
Immanuel Kunz,
Andreas Binder
Abstract:
To create privacy-friendly software designs, architects need comprehensive knowledge of existing privacy-enhancing technologies (PETs) and their properties. Existing works that systemize PETs, however, are outdated or focus on comparison criteria rather than providing guidance for their practical selection. In this short paper we present an enhanced classification of PETs that is more application-oriented than previous proposals. It integrates existing criteria like the privacy protection goal, and also considers practical criteria like the functional context, a technology's maturity, and its impact on various non-functional requirements. We expect that our classification simplifies the selection of PETs for experts and non-experts.
Submitted 15 June, 2022;
originally announced June 2022.
-
A Continuous Risk Assessment Methodology for Cloud Infrastructures
Authors:
Immanuel Kunz,
Angelika Schneider,
Christian Banse
Abstract:
Cloud systems are dynamic environments which make it difficult to keep track of security risks that resources are exposed to. Traditionally, risk assessment is conducted for individual assets to evaluate existing threats; their results, however, are quickly outdated in such a dynamic environment. In this paper, we propose an adaptation of the traditional risk assessment methodology for cloud infrastructures which loosely couples manual, in-depth analyses with continuous, automatic application of their results. These two parts are linked by a novel threat profile definition that allows to reusably describe configuration weaknesses based on properties that are common across assets and cloud providers. This way, threats can be identified automatically for all resources that exhibit the same properties, including new and modified ones. We also present a prototype implementation which automatically evaluates an infrastructure as code template of a cloud system against a set of threat profiles, and we evaluate its performance. Our methodology not only enables organizations to reuse their threat analysis results, but also to collaborate on their development, e.g. with the public community. To that end, we propose an initial open-source repository of threat profiles.
Submitted 15 June, 2022;
originally announced June 2022.
-
Cloud Property Graph: Connecting Cloud Security Assessments with Static Code Analysis
Authors:
Christian Banse,
Immanuel Kunz,
Angelika Schneider,
Konrad Weiss
Abstract:
In this paper, we present the Cloud Property Graph (CloudPG), which bridges the gap between static code analysis and runtime security assessment of cloud services. The CloudPG is able to resolve data flows between cloud applications deployed on different resources, and contextualizes the graph with runtime information, such as encryption settings. To provide a vendor- and technology-independent representation of a cloud service's security posture, the graph is based on an ontology of cloud resources, their functionalities and security features. We show, using an example, that our CloudPG framework can be used by security experts to identify weaknesses in their cloud deployments, spanning multiple vendors or technologies, such as AWS, Azure and Kubernetes. This includes misconfigurations, such as publicly accessible storages or undesired data flows within a cloud service, as restricted by regulations such as GDPR.
Submitted 14 June, 2022;
originally announced June 2022.
-
Towards Tracking Data Flows in Cloud Architectures
Authors:
Immanuel Kunz,
Valentina Casola,
Angelika Schneider,
Christian Banse,
Julian Schütte
Abstract:
As cloud services become central in an increasing number of applications, they process and store more personal and business-critical data. At the same time, privacy and compliance regulations such as GDPR, the EU ePrivacy regulation, PCI, and the upcoming EU Cybersecurity Act raise the bar for secure processing and traceability of critical data. Especially the demand to provide information about existing data records of an individual and the ability to delete them on demand is central in privacy regulations. Common to these requirements is that cloud providers must be able to track data as it flows across the different services to ensure that it never moves outside of the legitimate realm, and it is known at all times where a specific copy of a record that belongs to a specific individual or business process is located. However, current cloud architectures do neither provide the means to holistically track data flows across different services nor to enforce policies on data flows. In this paper, we point out the deficits in the data flow tracking functionalities of major cloud providers by means of a set of practical experiments. We then generalize from these experiments introducing a generic architecture that aims at solving the problem of cloud-wide data flow tracking and show how it can be built in a Kubernetes-based prototype implementation.
Submitted 10 July, 2020;
originally announced July 2020.