ONAP Risk Assessment – Preparation Material - Overview of the Process - Terminology - Assumptions 2018-05-30.

Introduction
- The purpose of Risk Assessment (RA): produce a prioritized list of security improvements
  - Identify risks
  - Rate the identified risks
  - Recommend treatment for the risks with an unacceptably high level
- The following slides give a brief description of:
  - The RA process and terminology
  - The scope of the RA workshop, planned for the F2F event in Beijing, June 2018
  - The proposed assumptions for the RA WS

The Process of Risk Assessment
- Preparation phase; these need to be clear before the WS:
  - Scope (see separate slide) & ensure relevant participants
  - Assumptions (see separate slide)
- The core of Risk Assessment: F2F workshop
  - Risk identification is the main focus
  - Think from different angles, like: main use cases, functionality, deployment, operations. It is good if persons with different backgrounds/roles participate in the RA.
  - Make full use of the F2F aspect: creativity, brainstorming
- Completion phase
  - Put together the WS outcome, e.g. in the form of a mind map
  - Risk rating in follow-up meetings
  - Recommendations by the security sub-committee, including the risk mitigation plan for the risks with an unacceptably high level
  - Proposal: TSC to sign off the RA output material & risk mitigation plan
  - TBD: handling and exposure of the RA output material

The Scope of Risk Assessment
- General: security and privacy (privacy regulations) related risks
- Beijing release of the following ONAP components:
  - VID; External API; Controllers; DCAE; SO
  - UI components: SDC and Use-Case UI, Portal
- The "ONAP architecture level", e.g. data at rest, data in transit
- Container deployment of ONAP: any specifics for this case
- Send a checklist of the few most important/typical risk items to all projects, to be checked & reported back (to be checked: there was earlier a ~similar activity)

The Assumptions for Risk Assessment
Assumptions that should be agreed prior to (at the very latest at) the RA WS:
- ONAP deployment environment
  - Level of protection around ONAP: something between a "walled garden" and the Internet
  - Any assumed security mechanisms in the infra? Like self-encrypting storage.
  - ONAP operational aspects? E.g. the assumption can be that multiple organizations (w/o mutual trust) can be users of one ONAP deployment.
- Division between ONAP & the rest of the service provider's OSS/BSS
  - Which functionalities shall be covered by ONAP vs. are assumed to be covered outside of ONAP
  - For example: de-identification of Personally Identifiable Information (PII) is needed when trouble-shooting data originating from VNFs is sent back to VNF vendors. ONAP or "some other entity" needs to perform this.

Concepts, Definitions
- Asset: something that has a value; can be tangible or intangible (like information)
- Attack: an assault on system security that derives from an intelligent threat, i.e., an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system. An attack violates one or more of the following properties of an asset:
  - Confidentiality: the asset property that information is not made available or disclosed to unauthorized individuals, entities, or processes
  - Integrity: the asset property of safeguarding the accuracy and completeness of assets
  - Availability: the asset property of being accessible and usable upon demand by an authorized entity
- Threat: a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm
- Vulnerability: a flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy
- Impact: the business impact caused by a security incident, when the attacker exploits the vulnerability and realizes the threat
- Probability: the likelihood of the security incident occurring due to an attacker exploiting the vulnerability and realizing the threat
- Risk: an expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result
- Risk assessment: systematically identify the assets and the threats to those, quantify loss exposures (i.e., loss potential) based on estimated frequencies and costs of occurrence, and (optionally) recommend how to allocate resources to countermeasures so as to minimize total exposure

Concepts, Definitions
- Impact values (table)

Concepts, Definitions
- Probability values (table)

Concepts, Definitions
- Risk levels: Low (L), Medium (M), High (H), Very High (VH)

Identification of a Risk – A Fictitious Example
- Risk identification (= main focus in the F2F WS)
  - Asset: VNF O&M passwords at rest (in storage / other)
  - Threat (can be several per asset): unauthorized disclosure
  - Vulnerability (can be several per threat): passwords included in plain text in a log file
  - Existing controls: only a specific user/group has read access to the log file
- Risk rating
  - Impact (business impact if the risk materializes): "major"
  - Probability (of the risk ever materializing): "likely"
  - → HIGH risk level (according to the table on the previous slide)
- Risk mitigation plan, done e.g. for all the VERY HIGH and HIGH level risks
  - In this case it could be: do not include any secrets in any log files in plain text
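The asset → threat → vulnerability → rating → mitigation chain of the slides, as a small risk register in Python. This is an added example, not ONAP project material: the five-step impact and probability scales and the rating matrix are constructed assumptions (the slides' own Impact/Probability tables are not reproduced in this transcript), chosen so that the fictitious "major" / "likely" risk rates as HIGH; the two extra register entries are also constructed, loosely tied to the scope and assumption slides.

```python
"""Qualitative risk register using the RA slides' vocabulary.

Added example, not ONAP project code. The ordinal scales and the rating
matrix below are constructed assumptions (the slides' own Impact and
Probability tables are not reproduced on this page); they are chosen so
that the slides' fictitious example (impact "major", probability
"likely") rates as HIGH.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed ordinal scales, lowest to highest.
IMPACT = ["negligible", "minor", "moderate", "major", "critical"]
PROBABILITY = ["rare", "unlikely", "possible", "likely", "almost certain"]

# Assumed rating matrix: MATRIX[probability index][impact index] -> level.
MATRIX = [
    ["L", "L", "L", "M", "M"],    # rare
    ["L", "L", "M", "M", "H"],    # unlikely
    ["L", "M", "M", "H", "H"],    # possible
    ["L", "M", "H", "H", "VH"],   # likely
    ["M", "M", "H", "VH", "VH"],  # almost certain
]
LEVEL_ORDER = {"L": 0, "M": 1, "H": 2, "VH": 3}
MITIGATION_REQUIRED = {"H", "VH"}  # slides: plan done for VERY HIGH and HIGH risks


@dataclass
class Risk:
    """One identified risk: asset -> threat -> vulnerability, plus its rating."""
    asset: str
    threat: str
    vulnerability: str
    existing_controls: List[str] = field(default_factory=list)
    impact: Optional[str] = None
    probability: Optional[str] = None
    mitigation: Optional[str] = None

    def rate(self, impact: str, probability: str) -> str:
        """Record the rating and return the resulting risk level."""
        if impact not in IMPACT:
            raise ValueError(f"unknown impact value: {impact!r}")
        if probability not in PROBABILITY:
            raise ValueError(f"unknown probability value: {probability!r}")
        self.impact, self.probability = impact, probability
        return self.level()

    def level(self) -> Optional[str]:
        """Risk level from the matrix, or None if the risk is not yet rated."""
        if self.impact is None or self.probability is None:
            return None
        return MATRIX[PROBABILITY.index(self.probability)][IMPACT.index(self.impact)]


def prioritize(register: List[Risk]) -> List[Risk]:
    """Rated risks, highest level first (ties keep registration order)."""
    rated = [r for r in register if r.level() is not None]
    return sorted(rated, key=lambda r: LEVEL_ORDER[r.level()], reverse=True)


def missing_mitigation(register: List[Risk]) -> List[Risk]:
    """H/VH risks that still lack a mitigation plan: the completion-phase to-do list."""
    return [r for r in register if r.level() in MITIGATION_REQUIRED and not r.mitigation]


def build_example_register() -> List[Risk]:
    """The slides' fictitious risk plus two constructed entries for contrast."""
    passwords_in_log = Risk(
        asset="VNF O&M passwords at rest",
        threat="unauthorized disclosure",
        vulnerability="passwords included in plain text in a log file",
        existing_controls=["only a specific user/group has read access to the log file"],
    )
    passwords_in_log.rate("major", "likely")  # -> "H", as on the slide
    passwords_in_log.mitigation = "do not include any secrets in any log files in plain text"

    # Constructed entries (not from the slides), tied to the scope/assumption topics.
    in_transit = Risk("Data in transit between ONAP components", "eavesdropping",
                      "internal traffic without transport encryption")
    in_transit.rate("moderate", "possible")  # -> "M"
    export_pii = Risk("VNF trouble-shooting data", "PII disclosed to VNF vendor",
                      "no de-identification before the data is sent out")
    export_pii.rate("critical", "likely")  # -> "VH", no plan recorded yet
    return [passwords_in_log, in_transit, export_pii]


if __name__ == "__main__":
    register = build_example_register()
    for r in prioritize(register):
        print(f"{r.level():>2}  {r.asset}: {r.threat} via {r.vulnerability}")
    for r in missing_mitigation(register):
        print(f"TODO mitigation plan: {r.asset}")
```

`prioritize` produces the "prioritized list of security improvements" the Introduction slide asks for, and `missing_mitigation` is the check the security sub-committee would run before the TSC sign-off: every H/VH entry must carry a plan.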
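The mitigation named for the fictitious risk, "do not include any secrets in any log files in plain text", can be enforced at the logging layer rather than left to every caller. The following is an added example, not ONAP code: a Python `logging` filter that redacts credentials from each message before a handler writes it. The regular expressions and the O&M log events are constructed for illustration; a deployment would tune the patterns to the secret formats it actually handles.

```python
"""Keep secrets out of log files: a logging filter that redacts them.

Added example, not ONAP project code. The patterns and the sample log
events are constructed for illustration.
"""
import io
import logging
import re

# Constructed patterns: (regex, replacement). Group 1 keeps the label so the
# log line stays readable; the secret value itself is dropped.
SECRET_PATTERNS = [
    # key=value / key: value style credentials
    (re.compile(r"(?i)\b(password|passwd|pwd|secret|token)\s*[=:]\s*\S+"), r"\1=<redacted>"),
    # HTTP Authorization headers
    (re.compile(r"(?i)(authorization:\s*(?:basic|bearer)\s+)\S+"), r"\1<redacted>"),
    # userinfo in URLs: scheme://user:password@host
    (re.compile(r"(://[^/\s:@]+:)[^@\s]+@"), r"\1<redacted>@"),
]


def redact(text: str) -> str:
    """Return the text with every matched secret replaced by <redacted>."""
    for pattern, replacement in SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class SecretRedactionFilter(logging.Filter):
    """Redact the fully formatted message before any handler writes it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # args are already interpolated into msg above
        return True


def make_logger(stream) -> logging.Logger:
    """Logger whose single handler writes redacted lines to the given stream."""
    logger = logging.getLogger("onap-ra-example")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(SecretRedactionFilter())
    logger.addHandler(handler)
    return logger


def log_and_capture(messages) -> list:
    """Log each (format, args) pair through the filter; return the written lines."""
    buf = io.StringIO()
    logger = make_logger(buf)
    for fmt, args in messages:
        logger.info(fmt, *args)
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    # Constructed O&M log events that would otherwise leak credentials.
    events = [
        ("vnf %s login user=%s password=%s", ("vnf-7", "admin", "Hunter2")),
        ("calling %s", ("https://admin:s3cret@vnf-7.example/api",)),
        ("request header Authorization: Bearer %s", ("eyJhbGciOi.fake.token",)),
    ]
    for line in log_and_capture(events):
        print(line)
```

Attaching the filter to the handler (the sink) rather than to individual loggers means every message that reaches the file passes through it, including messages from third-party libraries; the existing control on the slide (restricted read access to the log file) then becomes a second layer rather than the only one.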