Cross-domain IDMS for Cloud Environment
Umme Habiba, March 17, 2014
Healthcare as a Case-study
Thesis Final Defense
Department of Computing, School of Electrical Engineering and Computer
Sciences, NUST - Islamabad
Agenda
Introduction, Motivation, Contributions, Research Methodology, Implementation, Demonstration, Future Directions, References
Identity: Core of Every Service
User Provisioning & De-provisioning, Authn & Authz, Federated Identity Management, Single-Sign-On, Self-service, Access Right Delegation, Identity Info. Synchronization, Auditing and Reporting
Challenges for IDMSs in Cloud
[Figure: Identity Management System surrounded by its challenge areas: Self-Service, Authorization, Authentication, Synchronization, Interoperability, Access Right Delegation]
Literature Review - State-of-the-Art
Industrial Perspective: UnboundID, Hitachi ID, ORACLE Identity Management, Ping Identity, RSA SecurID, Kantara Initiative, Okta, Symplified (The Cloud Security Experts)
Security Perspective: Conference & Journal papers, Cloud Identity Management, Pressing Need of securing Identity credentials at Cloud, International IDMS Security Standards
Emerging Security Trends, Widely Adopted Security Standards, Best Practices, State-of-the-art Technologies
Research Methodology
Problems
1. Assessment criterion for Cloud IDMSs
2. Cloud IDMS Security Issues & Solutions: A Taxonomy
3. Cross-domain IDMS for Cloud
Problem Statement
In order to address the security, interoperability and privacy concerns in the Cloud domain, there is a need for a cross-domain Identity Management System for the Cloud environment that ensures seamless integration and utilization of identity credentials. In addition to basic identity management features, it must provide advanced security features, including access right delegation, synchronization and self-service, in Cloud computing scenarios.
Contribution
Our contribution is twofold:
1. Establishment of a benchmark to ensure the security of identity credentials at the Cloud.
2. Design and implementation of a cross-domain Identity Management System for the Cloud, in particular by enhancing the open SCIM (System for Cross-domain Identity Management) protocol.
Research Perspective
Survey Paper (Status: Published) - Umme Habiba, A. Ghafoor Abbasi, Rahat Masood, M. Awais Shibli, "Assessment Criteria for Cloud Identity Management Systems", Proceedings of the 19th IEEE Pacific Rim International Symposium on Dependable Computing (PRDC-2013), Vancouver, BC, Canada, December 2-4, 2013.
Conceptual Paper (Status: Accepted) - Umme Habiba, Rahat Masood, M. Awais Shibli, "Cross-domain Identity Management Systems for Cloud", Proceedings of the 22nd Euromicro International Conference on Parallel, Distributed and Network-based Processing (PDP-2014), Turin, Italy, February 12-14, 2014.
Journal Paper (Status: Under Review) - Umme Habiba, Rahat Masood, M. Awais Shibli, Yumna Ghazi, "Cloud Identity Management Security Issues & Solutions: A Taxonomy", under review at IEEE Transactions on Cloud Computing (TCC-SI), submitted January 15, 2014.
Conference Paper - Assessment Criteria
Assessment of the surveyed IDMSs against the criteria features (rating: High / Medium / Low)

| Category | System | Authentication | Authorization | Identity Federation | Consistent Experience | Self-Service | Audit & Compliance | Limited Disclosure | Multiple Operators & Technology |
|---|---|---|---|---|---|---|---|---|---|
| Isolated IDMS | A Strong User Authentication Framework for CC | High | Low | High | Low | Medium | Low | High | Low |
| Isolated IDMS | Protection of Identity Info. in CC without TTP | Medium | Low | High | High | Low | Medium | High | Low |
| Centralized IDMS | An Identity-Centric Internet: Identity in the Cloud, IDaaS | High | High | High | High | High | Medium | Low | High |
| Centralized IDMS | Distributed Identity for Secure Service Interaction | Medium | High | High | High | High | Low | High | High |
| Federated IDMS | Security and Cloud Computing: ICIMI | High | Low | High | Low | Low | Low | High | High |
| Federated IDMS | Strengthen Cloud Computing Security with FIM Using HIBC | High | Low | High | Low | Low | Low | High | High |
| Federated IDMS | Chord Based IdM for e-Healthcare Cloud Apps | High | High | High | Low | Low | Low | High | High |
| Anonymous IDMS | An Identity-Based OTP Scheme with Anonymous Authentication | Medium | High | High | Low | Medium | Low | High | Low |
| Anonymous IDMS | UIMM Based on Anonymous Credentials | Medium | High | Low | High | High | Low | High | High |
| Anonymous IDMS | An Entity-centric Approach for Privacy & IDM in CC | Medium | Low | Low | Low | Low | Medium | High | Low |
Implementation Perspective
Implement a secure Identity Management System based on the underlying SCIM protocol to ensure:
Credentials synchronization across CSPs
User-centricity
Communication level security
SCIM features by UnboundID
Why UnboundID SCIM SDK?
Widely adopted, Open Source, Customizable, User Friendly, Generic
Development Toolkit
NetBeans IDE 7.3.1 (Java), MySQL Workbench 5.2 CE, Apache Maven 3.0.5, Jetty Web Server, UnboundID SCIM SDK, Java Crypto API, RESTful Architecture Style, JSON (Data Exchange Format), Log4j API
Identity System – Workflow
Access Right Delegation – Workflow
Detailed Workflow
[Figure: CSP1 (Domain 1, Jetty Server, //localhost:8080) and CSP2 (Domain 2, Jetty Server, //localhost:8081), each backed by its own MySQL DB. Components shown: CSC, SCIM SDK / SCIM Service, SCIM Endpoint, SCIM Method, REST based SCIM Endpoint, Decrypt, Unmarshaller, Response]
Goals - IDMS perspective
Credentials sync. across CSPs
Communication level security
Interoperability
User-centricity (Privacy)
Protocol Enhancements
UnboundID SCIM SDK: Single SCIM Endpoint, SCIM Schema, SDK for CRUD
Enhanced SCIM: GUI, Encryption, JSON Marshaller/Unmarshaller, RESTful Architecture style, Dual SCIM Endpoint, Synchronization
Evaluation
Security
Functionality
Functionality Perspective
Aspects of Evaluation: Correctness and Effectiveness; Leading Versus Lagging Indicators; Organizational Security Objectives; Qualitative and Quantitative Properties; Measurements of the Large Versus Small
Functionality Perspective (cont.)
Security Guidance for Critical Areas of Focus in Cloud Computing, V3.0
Domain 1: Cloud Computing Architectural Framework
Governing in the Cloud
Domain 2: Governance and Enterprise Risk Management
. . .
Domain 10: Application Security
Domain 11: Encryption and Key Management
Domain 12: Guidance for Identity and Access Management (IAM)
Domain 13: Virtualization
Domain 14: Security as a Service
Results -- Test Cases

| Category | No. of Test Cases Planned | No. of Test Cases Executed | No. of Test Cases Executed Successfully | No. of Defects Found |
|---|---|---|---|---|
| Provisioning Test Cases | 3 | 3 | 3 | 0 |
| De-Provisioning Test Cases | 3 | 3 | 3 | 0 |
| Synchronization Test Cases | 3 | 3 | 3 | 0 |
| Self-Service Test Cases | 3 | 3 | 3 | 0 |
| Encryption/Decryption Test Cases | 3 | 3 | 3 | 0 |
| Total | 15 | 15 | 15 | 0 |
Security Perspective - SCYTHER
Enhanced SCIM Protocol – Healthcare as a Case-study
[Figure: three-layer architecture. Application Layer: SCIM Patient Interface (V/U My Profile), SCIM Doctor Interface (V/U My Profile, V/U Patient Details), SCIM Administrator Interface (User Provisioning, De-provisioning, A/C Management). Business Logic Layer: SCIM SDK, Encryption/Decryption Module, Key Management Server, Encryption Key, Encryption, Decryption, Posted to CSP2. Storage Layer: MySQL DB]
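Added example (not the thesis's Java/UnboundID code): a Go model of the synchronization path shown in the Detailed Workflow and Protocol Enhancements slides and in the healthcare architecture above. CSP1's sync step seals each patient attribute with AES-256-GCM under a key that the Key Management Server would issue, marshals the SCIM User to JSON and POSTs it to CSP2's REST SCIM endpoint; CSP2 stores and returns only ciphertext, and the doctor-side read at CSP2 needs the key to recover the value. The extension URN `urn:example:scim:schemas:extension:healthcare:2.0:User`, the `diagnosis` attribute, the patient record and the random 32-byte key are all assumptions, and CSP2 is an in-process `httptest` server standing in for the Jetty instance on port 8081.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// scimUser is the subset of a SCIM User resource exchanged here; the extension URN is hypothetical.
type scimUser struct {
	Schemas    []string          `json:"schemas"`
	UserName   string            `json:"userName"`
	Healthcare map[string]string `json:"urn:example:scim:schemas:extension:healthcare:2.0:User,omitempty"`
}

type domain struct{ users map[string]scimUser } // one CSP's REST SCIM /Users endpoint; the map stands in for its MySQL store

func (d *domain) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	var u scimUser // JSON unmarshalling of the posted resource
	if r.Method != http.MethodPost || r.URL.Path != "/Users" ||
		json.NewDecoder(r.Body).Decode(&u) != nil || u.UserName == "" {
		http.Error(w, `{"detail":"expected POST /Users with a SCIM User"}`, http.StatusBadRequest)
		return
	}
	d.users[u.UserName] = u // keyed by userName, unique per domain (single client here, so no lock)
	w.WriteHeader(http.StatusCreated)
	json.NewEncoder(w).Encode(u) // SCIM returns the stored resource, ciphertext included
}

// newAEAD wraps a 32-byte key obtained from the Key Management Server in AES-256-GCM.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// unseal decrypts base64(nonce || ciphertext || tag); the tag check rejects a wrong key or a modified value.
func unseal(aead cipher.AEAD, enc string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(enc)
	if n := aead.NonceSize(); err == nil && len(raw) >= n {
		pt, err := aead.Open(nil, raw[:n], raw[n:], nil)
		return string(pt), err
	}
	return "", fmt.Errorf("unseal: malformed ciphertext (%v)", err)
}

// syncUser is CSP1's synchronization step: every healthcare attribute is sealed before the POST to CSP2.
func syncUser(peer string, aead cipher.AEAD, u scimUser) (stored scimUser, err error) {
	enc := map[string]string{} // fresh map, so the caller's plaintext copy is untouched
	for name, v := range u.Healthcare {
		nonce := make([]byte, aead.NonceSize())
		rand.Read(nonce) // fresh random nonce per value; crypto/rand.Read cannot fail on Go >= 1.24
		enc[name] = base64.StdEncoding.EncodeToString(aead.Seal(nonce, nonce, []byte(v), nil))
	}
	u.Healthcare = enc
	body, _ := json.Marshal(u) // JSON marshalling for the wire
	resp, err := http.Post(peer+"/Users", "application/scim+json", bytes.NewReader(body))
	if err != nil {
		return
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusCreated {
		return stored, fmt.Errorf("%s: %s", peer, resp.Status)
	}
	err = json.NewDecoder(resp.Body).Decode(&stored)
	return
}

// runDemo syncs a constructed patient record to a CSP2 endpoint under key and decrypts it back.
func runDemo(key []byte) (atCSP2 scimUser, diagnosis string, err error) {
	csp2 := httptest.NewServer(&domain{users: map[string]scimUser{}})
	defer csp2.Close()
	aead, err := newAEAD(key)
	if err != nil {
		return
	}
	patient := scimUser{Schemas: []string{"urn:ietf:params:scim:schemas:core:2.0:User"},
		UserName: "patient42", Healthcare: map[string]string{"diagnosis": "type 2 diabetes"}}
	if atCSP2, err = syncUser(csp2.URL, aead, patient); err != nil {
		return
	}
	diagnosis, err = unseal(aead, atCSP2.Healthcare["diagnosis"])
	return
}

func main() {
	key := make([]byte, 32) // constructed stand-in for a key fetched from the KMS
	rand.Read(key)
	stored, diagnosis, err := runDemo(key)
	fmt.Println("CSP2 stores:", stored.Healthcare["diagnosis"], "| decrypted at CSP2:", diagnosis, "| err:", err)
}
```

`go run` on the file prints the base64 value CSP2 holds next to the plaintext recovered with the key. Two properties matter for the privacy goal: GCM verifies the tag before releasing any plaintext, so `unseal` fails on a modified value, a truncated value or a different key rather than returning garbage, and the per-value random nonce means two patients with the same diagnosis do not share a ciphertext, so CSP2 cannot group records by equality. The flip side is the key-management concern raised under Future Research Directions: whoever holds the KMS key can read every synchronized record, and a lost key makes them unrecoverable.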
Future Research Directions
Access right delegation is among our main system components. However, the presented system does not consider delegation chaining, which is typically required in real-world environments; it is therefore one of the possible future research directions in cross-domain identity management.
Encryption of identity credentials raises key management and key storage concerns that need to be addressed. Future research should focus on defining proper key generation and management mechanisms.
Sharing and storage of sensitive identity information at third-party CSPs raises issues such as the lack of trusted security and privacy mechanisms, and therefore requires a trust establishment technique. Integration of a trust establishment module into the proposed system is another significant research direction that should be explored in detail.
References
1. Antonio Celesti, Francesco Tusa, Massimo Villari and Antonio Puliafito, "Security and Cloud Computing: InterCloud Identity Management Infrastructure", Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, Larissa, Greece, 2010.
2. Liang Yan, Chunming Rong and Gansen Zhao, "Strengthen Cloud Computing Security with Federal Identity Management Using Hierarchical Identity-Based Cryptography", Springer 1st International Conference on Cloud Computing, Beijing, China, 2009.
3. Il Kon Kim, Zeeshan Pervez, Asad Masood Khattak and Sungyoung Lee, "Chord Based Identity Management for e-Healthcare Cloud Applications", 10th Annual International Symposium on Applications and the Internet, IEEE, Seoul, Korea, 2010.
4. David W. Chadwick and Matteo Casenove, "Security APIs for My Private Cloud: Granting access to anyone, from anywhere at any time", Third IEEE International Conference on Cloud Computing Technology and Science, Athens, Greece, 2011.
5. Anu Gopalakrishnan, "Cloud Computing Identity Management", SETLabs Briefings, Vol. 7, No. 7, Business Innovation through Technology, 2009.
6. Yang Zhang and Jun-Liang Chen, "A Delegation Solution for Universal Identity Management in SOA", IEEE Transactions on Services Computing, Vol. 4, No. 1, January-March 2011.
7. R. Sánchez et al., "Enhancing Privacy and Dynamic Federation in IdM for Consumer Cloud Computing", IEEE Transactions on Consumer Electronics, Vol. 58, No. 1, February 2012.
8. Rohit Ranchal, Bharat Bhargava, Lotfi Ben Othmane and Leszek Lilien, "Protection of Identity Information in Cloud Computing without Trusted Third Party", 29th IEEE International Symposium on Reliable Distributed Systems, New Delhi, India, 2010.
9. Mikaël Ates, Serge Ravet, Abakar Mohamat Ahmat and Jacques Fayolle, "An Identity-Centric Internet: Identity in the Cloud, Identity as a Service and other delights", Sixth International Conference on Availability, Reliability and Security, Vienna, Austria, 2011.
10. Mohammad M. R. Chowdhury and Josef Noll, "Distributed Identity for Secure Service Interaction", Proceedings of the Third International Conference on Wireless and Mobile Communications (ICWMC'07), Guadeloupe, 2007.
11. Amlan Jyoti Choudhury, Pardeep Kumar, Mangal Sain, Hyotaek Lim and Hoon Jae-Lee, "A Strong User Authentication Framework for Cloud Computing", IEEE Asia-Pacific Services Computing Conference, Jeju Island, South Korea, 2011.
12. A. Albeshri and W. Caelli, "Mutual Protection in a Cloud Computing Environment", IEEE 12th International Conference on High Performance Computing and Communications, 2010.
13. Yuan Cao and Lin Yang, "A Survey of Identity Management Technology", IEEE International Conference on Information Theory and Information Security, 2010.
14. Song Luo, Jianbin Hu and Zhong Chen, "An Identity-Based One-Time Password Scheme with Anonymous Authentication", International Conference on Networks Security, Wireless Communications and Trusted Computing, Wuhan, Hubei, China, 2009.
15. Yang Zhang and Jun-Liang Chen, "Universal Identity Management Model Based on Anonymous Credentials", IEEE International Conference on Services Computing, Miami, Florida, 2010.
16. Pelin Angin, Bharat Bhargava, Mark Linderman and Leszek Lilien, "An Entity-centric Approach for Privacy and Identity Management in Cloud Computing", 29th IEEE International Symposium on Reliable Distributed Systems, New Delhi, India, 2010.
Many Thanks to my thesis supervisor and committee members