In this paper, we present the Cloud Property Graph (CloudPG), which bridges the gap between static code analysis and runtime security assessment of cloud services. The CloudPG is able to resolve data flows between cloud applications deployed on different resources, and contextualizes the graph with runtime information, such as encryption settings. To provide a vendor- and technology-independent representation of a cloud service's security posture, the graph is based on an ontology of cloud resources, their functionalities and security features. We show, using an example, that our CloudPG framework can be used by security experts to identify weaknesses in their cloud deployments spanning multiple vendors or technologies, such as AWS, Azure and Kubernetes. This includes misconfigurations, such as publicly accessible storage, and undesired data flows within a cloud service that are restricted by regulations such as GDPR.
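As an added illustration (not the paper's CloudPG implementation), the sketch below models the idea described above: resources from different providers are nodes typed by an assumed ontology class, runtime context such as encryption and region is attached as node properties, and data flows are labelled edges. Two assumed checks then query the graph for the weaknesses the abstract names: publicly accessible storage without encryption at rest, and data originating in an EU region that reaches, directly or transitively, a non-EU resource. All node names, property keys and edge labels are constructed for this example.

```python
# Added illustrative model of a CloudPG-style property graph (not the paper's
# implementation). Ontology classes, property keys and edge labels are assumptions.
from dataclasses import dataclass, field


@dataclass
class Node:
    id: str
    kind: str                                   # ontology class, e.g. "ObjectStorage"
    props: dict = field(default_factory=dict)   # runtime context (region, encryption, ...)


@dataclass
class Graph:
    nodes: dict = field(default_factory=dict)
    edges: list = field(default_factory=list)   # (src_id, label, dst_id)

    def add(self, node):
        self.nodes[node.id] = node

    def link(self, src, label, dst):
        self.edges.append((src, label, dst))

    def reachable(self, start, label):
        """All nodes reachable from start over edges carrying the given label."""
        seen, stack = set(), [start]
        while stack:
            cur = stack.pop()
            for s, lab, d in self.edges:
                if s == cur and lab == label and d not in seen:
                    seen.add(d)
                    stack.append(d)
        return seen


def public_unencrypted_storage(g):
    """Storage resources exposed publicly and lacking encryption at rest."""
    return sorted(n.id for n in g.nodes.values()
                  if n.kind == "ObjectStorage"
                  and n.props.get("public") and not n.props.get("encrypted_at_rest"))


def eu_data_leaving_eu(g):
    """(source, sink) pairs where data from an EU-region node reaches a non-EU node."""
    findings = []
    for n in g.nodes.values():
        if n.props.get("region", "").startswith("eu"):
            for d in g.reachable(n.id, "DATA_FLOW"):
                if not g.nodes[d].props.get("region", "").startswith("eu"):
                    findings.append((n.id, d))
    return sorted(findings)


def build_sample():
    """Constructed multi-provider deployment: a Kubernetes pod writing to Azure
    storage in the EU, which replicates to a public, unencrypted AWS bucket in the US."""
    g = Graph()
    g.add(Node("k8s-pod-api", "Compute", {"provider": "kubernetes", "region": "eu-west-1"}))
    g.add(Node("azure-blob-eu", "ObjectStorage", {"provider": "azure", "region": "eu-north",
                                                  "public": False, "encrypted_at_rest": True}))
    g.add(Node("aws-s3-backup", "ObjectStorage", {"provider": "aws", "region": "us-east-1",
                                                  "public": True, "encrypted_at_rest": False}))
    g.link("k8s-pod-api", "DATA_FLOW", "azure-blob-eu")
    g.link("azure-blob-eu", "DATA_FLOW", "aws-s3-backup")   # cross-region replication
    return g
```

The second check follows flows transitively, so the pod's data is reported as leaving the EU even though the pod itself only writes to EU storage.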