To be announced
Christian Banse is the head of the department “Service and Application Security” at Fraunhofer AISEC. The primary focus of the department is to develop and research tools and technologies to analyze and strengthen the security of software. This includes mobile applications as well as Cloud and Edge Computing. Christian has been an employee of Fraunhofer AISEC since 2011. He has a Master of Science degree in Management Information Systems from the University in Regensburg and is the author of several publications in the field of network and Cloud security.
Establishing Continuous Security in Multi-Cloud Environments
Security is still regarded as the most inhibiting factor for companies moving into the Cloud. While recent trends show that Cloud vendors are increasingly aware of this and are providing the necessary tools to secure the Cloud workloads of their customers, it is still a challenge to continuously ensure security in environments involving multiple Cloud providers. This is especially the case if multiple Cloud offerings include different service levels ranging from IaaS to SaaS, since the shared responsibilities regarding security between Cloud provider and Cloud customer are often not clearly defined.
Additionally, further research has to be done with regard to the meaning of “continuous” in the context of Cloud security. What are sensible intervals to check certain security configuration settings? While it might suffice to check the expiration of a password on a daily basis, the firewall configuration of a virtual machine might need checks in a per-hour interval or even less. Furthermore, new paradigms such as serverless computing can be leveraged to check security settings on change rather than in a regular interval. Another big challenge the community is facing is the comparison of evidence generated from different Cloud providers because of their heterogeneous nature. While there are some Cloud computing standards in the on-premise world, such as OpenStack, the commercial Cloud providers rarely follow these standards, and technologies need to be developed to quickly adapt to the different APIs of different Cloud providers. On the other hand, the rise of containers and especially the establishment of Kubernetes as the de-facto container management solution can be used to mitigate this to a certain degree.
This talk will highlight how the research department “Service and Application Security” of Fraunhofer AISEC is tackling those questions, especially in the context of Cloud service certification. It will give insight into the work conducted at the Fraunhofer AISEC laboratories, especially Clouditor, which is currently being piloted on a European level in the Horizon 2020 project EU-SEC (www.sec-cert.eu). Clouditor follows a test-based certification approach and can be used to check the security configuration of different Cloud workloads, for example in the course of a compliance audit. To compare security settings of different Cloud providers and even different service offerings, Fraunhofer AISEC is currently developing a domain-specific language based on a context-free grammar to easily model security requirements of Cloud resources.