Enhancing security in federated cloud environment using the risk based access control
-
Upload
madonna-delgado -
Category
Documents
-
view
27 -
download
4
description
Transcript of Enhancing security in federated cloud environment using the risk based access control
Department of Computing, School of Electrical Engineering and Computer
Sciences, NUST - Islamabad
KTH Applied
Information Security
Lab
Enhancing security in federated cloud environment using the risk
based access control
2012-Fowz Masood-NUST-MS-CCS-23
Supervisor: Dr. Awais Shibli
Committee Members: Dr. Abdul Ghafoor, Ms. Hirra Anwar, Ms. Rahat Masood
Department of Computing, School of Electrical Engineering and Computer
Sciences, NUST - Islamabad
KTH Applied
Information Security
Lab
Agenda Introduction Cloud federation Challenges in cloud computing Trust issue in cloud Literature review Limitations Problem statement Proposed architecture Roadmap Industrial survey Response from international community References
2
Department of Computing, School of Electrical Engineering and Computer
Sciences, NUST - Islamabad
KTH Applied
Information Security
Lab
Overview of Cloud Computing
Broad Network Access
Rapid Elasticity
Measured Services
Resource Pooling
Software-as-a-service
Platform-as-a-service
Infrastructure-as-a-service
Public Private Hybrid Community
Reference: http://cloudblueprint.wordpress.com/cloud-taxonomy/
On-demand Self Services
3
Department of Computing, School of Electrical Engineering and Computer
Sciences, NUST - Islamabad
KTH Applied
Information Security
Lab
Cloud Federation
Foreign Cloud Foreign Cloud
Home CloudCloud service
provider 1
Cloud service
provider 2
Cloud service
provider 3
Different CSPs form a federation
Benefits– Cloud burst– Load balancing– Global unity– Better resource
management Cloud Federation
4
Department of Computing, School of Electrical Engineering and Computer
Sciences, NUST - Islamabad
KTH Applied
Information Security
Lab
Issues in cloud Recently conducted survey* shows:
The Edward Snowden - NSA scandal** has also raised many
questions in people’s mind. Due Diligence***.
* Michael A. Davis. (2012, August) Information Week. [Online]. http://www.informationweek.com/global-cio/security/dont-trust-cloud-security/240005687** John Naughton. (2013, September) The Guardian. [Online]. http://www.theguardian.com/technology/2013/sep/15/edward-snowden-nsa-cloud-computing*** The Notorious Nine: Cloud Computing Top Threats in 2013”[Online] https://cloudsecurityalliance.org
70%
30%
Plan of switching to public cloud
YesNo
Security Other46
50
54
Reasons of not shifting to cloud ?
5
Department of Computing, School of Electrical Engineering and Computer
Sciences, NUST - Islamabad
KTH Applied
Information Security
Lab
Trust issues in cloud
Warwick Ashford “Security in the cloud: Top nine issues in building users' trust” [Online], April 2011http://www.computerweekly.com/feature/Security-in-the-cloud-Top-nine-issues-in-building-users-trust
Building user trust in cloud computing is one the top issues
6
Department of Computing, School of Electrical Engineering and Computer
Sciences, NUST - Islamabad
KTH Applied
Information Security
Lab
Cont’d
Chris Paoli, “Enterprises Have Cloud Trust Issues” [Online], Aug 2012http://redmondmag.com/articles/2012/08/08/cloud-trust-issues.aspx
Cloud computing is missing the transparency.
7
Department of Computing, School of Electrical Engineering and Computer
Sciences, NUST - Islamabad
KTH Applied
Information Security
Lab
Literature Survey
8
Department of Computing, School of Electrical Engineering and Computer
Sciences, NUST - Islamabad
KTH Applied
Information Security
Lab
1 * N Trust Establishment within Dynamic Collaborative Clouds
A central entity CSB is used for establishing the trust
Secure tokens are generatedand used
Pros:– CSB has to manage all the
CSPs– Better security
Cons:– Complex framework– Single point of failure– Model relies on certificates,
which is itself a slow processAtul Gohad, Praveen S. Rao“1 * N Trust Establishment within Dynamic Collaborative Clouds” Cloud Computing in Emerging Markets (CCEM), 2012 IEEE International Conference
9
Department of Computing, School of Electrical Engineering and Computer
Sciences, NUST - Islamabad
KTH Applied
Information Security
Lab
A Cloud Trust Model in a Security Aware Cloud
Hiroyuki Sato, Atsushi Kanai, Shigeaki Tanimoto“A Cloud Trust Model in a Security Aware Cloud” Applications and the Internet (SAINT), 2010 10th IEEE/IPSJ International Symposium on, July 2010
A cloud trust model has been proposed, in which two levels of hierarchy are added
Internal trust relies on TPM and key management Contracted trust is based on SPS and CSP enters into this trust layer by
negotiating the desired security
Pros: – Enhances the security
Cons:– TPM needs hardware modification– Key management is a cumbersome
task– No continuous monitoring– Additional layers will make over all
system slow
10
Department of Computing, School of Electrical Engineering and Computer
Sciences, NUST - Islamabad
KTH Applied
Information Security
Lab
SLA-Based Trust Model for Cloud Computing
Authors have used service level agreement (SLA) to calculate the trustworthiness
Both functional and nonfunctional requirements are catered for trust establishment
Pros:– Best possible CSP will be provided on
the demand of client
Cons:– Trust level changes – SLA parameters itself are not enough
Mohammed Alhamad, Tharam Dillon, Elizabeth Chang “SLA-Based Trust Model for Cloud Computing” 13th International Conference on Network-Based Information Systems 2010
11
Department of Computing, School of Electrical Engineering and Computer
Sciences, NUST - Islamabad
KTH Applied
Information Security
Lab
The privacy-aware access control system using attribute-and role-based access control in private cloud
Authors have merged RBAC and ABAC to make a new enhanced access controlcalled ARBAC.
Pros:– Improves the overall
security of cloud
Cons:– Computationally
expensive, slow
Ei Ei Mon, Thinn Thu Naing “The privacy-aware access control system using attribute-and role-based access control in private cloud” Broadband Network and Multimedia Technology (IC-BNMT), 2011 4th IEEE International Conference
12
Department of Computing, School of Electrical Engineering and Computer
Sciences, NUST - Islamabad
KTH Applied
Information Security
Lab
Risk-Aware RBAC Sessions
Authors have incorporated therisk parameter in a RBACsession.
Pros:– Robust.– Better security as its dynamic
in nature
Cons:– Parameters for risks were not
explained– Testing & evaluation is not
provided
Khalid Zaman Bijon, Ram Krishnan, and Ravi Sandhu“Risk-Aware RBAC Sessions” 8th International Conference, ICISS 2012, Guwahati, India, December 15-19, 2012
13
Department of Computing, School of Electrical Engineering and Computer
Sciences, NUST - Islamabad
KTH Applied
Information Security
Lab
Research Findings Trust models:
– Trust models are fixed.– One time check only.– Detective in nature rather being preventive.– Cryptographic techniques are computationally expensive.– Require third party for verification.
Access Control:– Cloud’s dynamic nature demands a flexible A.C. However,
traditional A.C mechanisms are based on static policies which makes them too rigid to handle the complex situations.
14
Department of Computing, School of Electrical Engineering and Computer
Sciences, NUST - Islamabad
KTH Applied
Information Security
Lab
Problem Statement
The performance of a CSP in a cloud federation can deteriorate over the time, in this case the existing trust and access control schemes fail to provide an appropriate security solution.
15
Existing work
Trust evaluation module
Trust management
module
Trust management
module
Home Cloud Foreign Cloud
Trust service provider
Trust protocol
Customer
Ayesha Kanwal “Establishment and propagation of trust in federated cloud environment” October 2012
16
Department of Computing, School of Electrical Engineering and Computer
Sciences, NUST - Islamabad
KTH Applied
Information Security
Lab
Abstract Diagram
17
Foreign CSP 01
Home CSP
Users
Different cloud service providers have form a federation
Risk based access control
Storage Services
Storage Services
Risk based access control
Foreign CSP 01
Home CSP
Foreign CSP 02
Users
Different cloud service providers have form a federation
Risk based access control
Storage Services
Computing Resources
Risk based access control
Word processing application
Risk based access control
Proposed Architecture
Cloud Service
Provider 1
Cloud Service
Provider 2
Cloud Service
Provider 3
Risk based access control
PDP PIPPEP
Risk thresholdRisk score
1 - Client Request
2 - Service Request
3 – Service
reply (Y
es/No)
5 – Trust parameters Send
+User credential
request
6 - I
f R.S
<=
R.T
, gra
nt a
cces
s
4 - If y
es, R
eques
t for
trust
paramete
rs
18
Risk Engine
Department of Computing, School of Electrical Engineering and Computer
Sciences, NUST - Islamabad
KTH Applied
Information Security
Lab
Technologies and Standards
Security assertion mark-up language (SAML)
Java Open stack Identity creditable and access
management
19
Department of Computing, School of Electrical Engineering and Computer
Sciences, NUST - Islamabad
KTH Applied
Information Security
Lab
RoadmapMilestones Duration
Preliminary study and research Done
Implementation
Risk based access control implementation
2 month
Configuration of cloud 20 days
Deploying the R.A.C in cloud 20 days
Testing and evaluation 1.5 month
Initial thesis draft 1 month
Final documentation 1 month
20
Department of Computing, School of Electrical Engineering and Computer
Sciences, NUST - Islamabad
KTH Applied
Information Security
Lab
Industrial Survey
21
1. CERN and Rackspace are probing the possibility of true federated hybrid clouds built on OpenStack.
Department of Computing, School of Electrical Engineering and Computer
Sciences, NUST - Islamabad
KTH Applied
Information Security
Lab
Community Response
1. I believe that your idea of confidentiality, integrity and availability is very interesting. Actually, I think you can explore many possibilities these three concepts.
2. I can’t think right now how could you fit SLA in the analysis, however it could be very interesting.
22
Department of Computing, School of Electrical Engineering and Computer
Sciences, NUST - Islamabad
KTH Applied
Information Security
Lab
THANKYOU
23
Department of Computing, School of Electrical Engineering and Computer
Sciences, NUST - Islamabad
KTH Applied
Information Security
Lab
References[1] Khalid Zaman Bijon, Ram Krishnan, Ravi Sandhu, “Risk-Aware RBAC Sessions”, 8th International Conference, ICISS 2012, Guwahati, India, December 15-19, 2012.[2] Liang Chen, Jason Crampton, “Risk-Aware Role-Based Access Control”, 7th International Workshop, STM 2011, Copenhagen, Denmark, June 27-28, 2011.[3] Kandala, S, Sandhu, R., Bhamidipati, V., “An Attribute Based Framework for Risk-Adaptive Access Control Models”, Availability, Reliability and Security (ARES), 2011 Sixth International Conference, 2011.[4] David Brossard “XACML 101 – a quick intro to Attribute-based Access Control with XACML”, [web] www.webframer.eu, September 30, 2010.[5] Jaehong Park Inst. for Cyber Security, Univ. of Texas at San Antonio, San Antonio, TX, USA Dang Nguyen ; Sandhu, R., “A provenance-based access control model”, Privacy, Security and Trust (PST), 2012 Tenth Annual International Conference on, 16-18 July 2012.[6] Yuan Cheng ; Inst. for Cyber Security, Univ. of Texas at San Antonio, San Antonio, TX, USA ; Jaehong Park ; Sandhu, R., “Relationship-Based Access Control for Online Social Networks: Beyond User-to-User Relationships”, Privacy, Security, Risk and Trust (PASSAT), 2012 International Conference on and 2012 International Conference on Social Computing (SocialCom), 3-5 Sept. 2012.[7] Dimitrios Zissis, Dimitrios Lekkas , “Addressing cloud computing security issues”, Future Generation Computer Systems, March 2012.[8] Sandeep K. Sood, “A combined approach to ensure data security in cloud computing”, Journal of Network and Computer Applications, November 2012.
24
Department of Computing, School of Electrical Engineering and Computer
Sciences, NUST - Islamabad
KTH Applied
Information Security
Lab
Refrences[9] M Singhal, Univ. of California, Merced, Merced, CA, USA S Chandrasekhar Ge Tingjian R. Sandhu R Krishnan Ahn Gail-Joon Elisa Bertino, Purdue University, IN USA “Collaboration in multicloud computing environments: Framework and security issues”, Computer (Volume:46 , Issue: 2 ), Feb. 2013.[10] Mohammed Alhamad, Tharam Dillon, Elizabeth Chang “SLA-Based Trust Model for Cloud Computing” 13th International Conference on Network-Based Information Systems 2010[11] Atul Gohad, Praveen S. Rao“1 * N Trust Establishment within Dynamic Collaborative Clouds” Cloud Computing in Emerging Markets (CCEM), 2012 IEEE International Conference[12] Hiroyuki Sato, Atsushi Kanai, Shigeaki Tanimoto“A Cloud Trust Model in a Security Aware Cloud” Applications and the Internet (SAINT), 2010 10th IEEE/IPSJ International Symposium on, July 2010[13] Ei Ei Mon, Thinn Thu Naing “The privacy-aware access control system using attribute-and role-based access control in private cloud” Broadband Network and Multimedia Technology (IC-BNMT), 2011 4th IEEE International Conference [14] Marcela Roxana Farcasescu “Trust Model Engines in cloud computing” 2012 14th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing[15] Monoj Kumar Muchahari, Smriti Kumar Sinha “A New Trust Management Architecture for Cloud Computing Environment”, 2012 International Symposium on Cloud and Services Computing[16] Vijay Varadharajan Udaya Tupakula “TREASURE: Trust Enhanced Security for Cloud Environments ” 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications
25