Modern software systems rely on mining insights from business-sensitive data stored in public clouds. A data breach usually incurs a significant (monetary) loss for a commercial organization. Conceptually, cloud security relies heavily on Identity Access Management (IAM) policies that IT admins need to configure properly and update periodically. Security negligence and human error often lead to misconfigured IAM policies, which may open a backdoor for attackers. To address these challenges, first, we develop a novel framework that encodes the generation of optimal IAM policies using constraint programming (CP). We identify reducing the dark permissions of cloud users as the optimality criterion, which intuitively means minimizing unnecessary datastore access permissions. Second, to make IAM policies interpretable, we apply graph representation learning to users' historical access patterns and augment our CP model with similarity constraints: similar users should be grouped together and share common IAM policies. Third, we describe multiple attack models and show that our optimized IAM policies significantly reduce the impact of security attacks, using real data from 8 commercial organizations and synthetic instances.
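To make the optimality criterion concrete, the following added example (not the paper's code; all user, permission and access data are constructed) computes each user's dark permissions from grants and observed accesses, then groups users with similar access histories and derives one shared policy per group. The greedy Jaccard grouping is a stand-in for the paper's learned similarity constraints and CP solver, and it also shows the trade-off such grouping introduces: a shared policy can re-grant a permission one member never used.

```python
"""Added example: dark permissions and similarity-based shared policies.
All data below is constructed for illustration, not taken from the paper."""

# Constructed sample: permissions currently granted per user ...
GRANTED = {
    "alice": {"orders:read", "orders:write", "hr:read"},
    "bob":   {"orders:read", "orders:write", "billing:read"},
    "carol": {"hr:read", "hr:write", "orders:read"},
    "dave":  {"hr:read", "hr:write", "billing:write"},
}
# ... and permissions actually exercised in the historical access window.
OBSERVED = {
    "alice": {"orders:read", "orders:write"},
    "bob":   {"orders:read", "orders:write", "billing:read"},
    "carol": {"hr:read", "hr:write"},
    "dave":  {"hr:read", "hr:write"},
}

def dark_permissions(granted, observed):
    """Per user: granted but never used permissions (the quantity to minimize)."""
    return {u: granted[u] - observed.get(u, set()) for u in granted}

def jaccard(a, b):
    """Similarity of two access-pattern sets."""
    return len(a & b) / len(a | b) if a | b else 1.0

def group_users(observed, threshold=0.5):
    """Greedy grouping: a user joins the first group whose every member has a
    similar access pattern (hypothetical heuristic, not the paper's method)."""
    groups = []
    for u in sorted(observed):
        for g in groups:
            if all(jaccard(observed[u], observed[v]) >= threshold for v in g):
                g.append(u)
                break
        else:
            groups.append([u])
    return groups

def shared_policies(observed, groups):
    """One policy per group: the union of what its members actually used."""
    return {tuple(g): set().union(*(observed[u] for u in g)) for g in groups}

def total_dark(policies, observed):
    """Dark permissions the shared policies still leave (group-induced over-grant)."""
    return sum(len(p - observed[u]) for g, p in policies.items() for u in g)

if __name__ == "__main__":
    print(dark_permissions(GRANTED, OBSERVED))
    groups = group_users(OBSERVED)
    policies = shared_policies(OBSERVED, groups)
    print(groups, policies, total_dark(policies, OBSERVED))
```

With this data the existing grants carry three dark permissions; the two derived group policies leave only one (alice inherits bob's `billing:read`), which is exactly the kind of residual over-grant the similarity constraints must weigh against interpretability.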