Enhancing security in federated cloud environment using the risk based access control
2012-Fowz Masood-NUST-MS-CCS-23
Supervisor: Dr. Awais Shibli
Committee Members: Dr. Abdul Ghafoor, Ms. Hirra Anwar, Ms. Rahat Masood

Agenda
• Introduction
• Cloud federation
• Challenges in cloud computing
• Trust issue in cloud
• Literature review
• Limitations
• Problem statement
• Proposed architecture
• Roadmap
• Industrial survey
• Response from international community
• References
Overview of Cloud Computing
• Essential characteristics: On-demand self service, Broad network access, Rapid elasticity, Measured services, Resource pooling
• Service models: Infrastructure-as-a-Service, Platform-as-a-Service, Software-as-a-Service
• Deployment models: Public, Private, Community, Hybrid
Reference: http://cloudblueprint.wordpress.com/cloud-taxonomy/

Cloud Federation
(Figure: a Home Cloud and two Foreign Clouds, labelled Cloud service provider 1, 2 and 3, joined in a Cloud Federation)
• Different CSPs form a federation
• Benefits:
  • Cloud burst
  • Load balancing
  • Global unity
  • Better resource management
Issues in cloud
• Recently conducted survey* shows:
• The Edward Snowden - NSA scandal** has also raised many questions in people's minds.
• Due diligence***.
* Michael A. Davis. (2012, August) Information Week. [Online]. http://www.informationweek.com/global-cio/security/dont-trust-cloud-security/240005687
** John Naughton. (2013, September) The Guardian. [Online]. http://www.theguardian.com/technology/2013/sep/15/edward-snowden-nsa-cloud-computing
*** "The Notorious Nine: Cloud Computing Top Threats in 2013" [Online]. https://cloudsecurityalliance.org

Trust issues in cloud
• Building user trust in cloud computing is one of the top issues.
Warwick Ashford, "Security in the cloud: Top nine issues in building users' trust" [Online], April 2011. http://www.computerweekly.com/feature/Security-in-the-cloud-Top-nine-issues-in-building-users-trust

Cont'd
• Cloud computing lacks transparency.
Chris Paoli, "Enterprises Have Cloud Trust Issues" [Online], Aug 2012. http://redmondmag.com/articles/2012/08/08/cloud-trust-issues.aspx
1 * N Trust Establishment within Dynamic Collaborative Clouds
Atul Gohad, Praveen S. Rao, "1 * N Trust Establishment within Dynamic Collaborative Clouds", Cloud Computing in Emerging Markets (CCEM), 2012 IEEE International Conference
• A central entity, the CSB, is used for establishing the trust
• Secure tokens are generated and used
• Pros:
  • CSB has to manage all the CSPs
  • Better security
• Cons:
  • Complex framework
  • Single point of failure
  • Model relies on certificates, which is itself a slow process

A Cloud Trust Model in a Security Aware Cloud
Hiroyuki Sato, Atsushi Kanai, Shigeaki Tanimoto, "A Cloud Trust Model in a Security Aware Cloud", Applications and the Internet (SAINT), 2010 10th IEEE/IPSJ International Symposium on, July 2010
• A cloud trust model has been proposed, in which two levels of hierarchy are added
• Internal trust relies on TPM and key management
• Contracted trust is based on SPS; a CSP enters this trust layer by negotiating the desired security
• Pros:
  • Enhances the security
• Cons:
  • TPM needs hardware modification
  • Key management is a cumbersome task
  • No continuous monitoring
  • Additional layers will make the overall system slow

SLA-Based Trust Model for Cloud Computing
Mohammed Alhamad, Tharam Dillon, Elizabeth Chang, "SLA-Based Trust Model for Cloud Computing", 13th International Conference on Network-Based Information Systems, 2010
• Authors have used the service level agreement (SLA) to calculate trustworthiness
• Both functional and non-functional requirements are catered for in trust establishment
• Pros:
  • The best possible CSP will be provided on the demand of the client
• Cons:
  • Trust level changes
  • SLA parameters by themselves are not enough

The privacy-aware access control system using attribute- and role-based access control in private cloud
Ei Ei Mon, Thinn Thu Naing, "The privacy-aware access control system using attribute-and role-based access control in private cloud", Broadband Network and Multimedia Technology (IC-BNMT), 2011 4th IEEE International Conference
• Authors have merged RBAC and ABAC to make a new enhanced access control called ARBAC.
• Pros:
  • Improves the overall security of the cloud
• Cons:
  • Computationally expensive, slow

Risk-Aware RBAC Sessions
Khalid Zaman Bijon, Ram Krishnan, and Ravi Sandhu, "Risk-Aware RBAC Sessions", 8th International Conference, ICISS 2012, Guwahati, India, December 15-19, 2012
• Authors have incorporated the risk parameter in an RBAC session.
• Pros:
  • Robust.
  • Better security as it is dynamic in nature
• Cons:
  • Parameters for risk were not explained
  • Testing and evaluation are not provided
Research Findings
• Trust models:
  • Trust models are fixed.
  • One time check only.
  • Detective in nature rather than preventive.
  • Cryptographic techniques are computationally expensive.
  • Require a third party for verification.
• Access Control:
  • The cloud's dynamic nature demands a flexible access control (A.C.). However, traditional A.C. mechanisms are based on static policies, which makes them too rigid to handle complex situations.

Problem Statement
The performance of a CSP in a cloud federation can deteriorate over time; in this case the existing trust and access control schemes fail to provide an appropriate security solution.
Existing work
(Figure components: Customer, Home Cloud and Foreign Cloud each with a Trust management module, a Trust protocol between them, and a Trust service provider with a Trust evaluation module)
Ayesha Kanwal, "Establishment and propagation of trust in federated cloud environment", October 2012

Proposed Architecture
(Figure components: Cloud Service Provider 1, 2 and 3; Risk based access control with a Risk Engine, Risk threshold, Risk score, PIP, PEP and PDP)
1 - Client Request
2 - Service Request
3 - Service reply (Yes/No)
4 - If yes, Request for trust parameters
5 - Trust parameters sent + User credential request
6 - If R.S <= R.T, grant access
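As an added illustration of step 6, not code from the presentation or the thesis, a Python sketch of how the risk engine, PIP, PDP and PEP of the proposed architecture fit together; the trust parameter names, weights, resource classes and thresholds are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TrustParameters:
    # Trust parameters a foreign CSP returns in step 5. The attribute names
    # and the 0..1 normalisation are assumptions of this example.
    availability: float    # share of the SLA uptime target actually met
    incident_rate: float   # normalised security-incident rate
    sla_violations: float  # share of recent SLA checks that failed

    def __post_init__(self):
        for name, value in vars(self).items():   # reject un-normalised input
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{name} must be in 0..1, got {value}")

# Weights and per-class thresholds (R.T) are illustrative; the slides give no values.
WEIGHTS = {"availability": 0.40, "incident_rate": 0.35, "sla_violations": 0.25}
RISK_THRESHOLD = {"public": 0.60, "internal": 0.35, "confidential": 0.15}

def risk_score(p: TrustParameters) -> float:
    """Risk engine: R.S in 0..1, higher means a riskier foreign CSP."""
    return (WEIGHTS["availability"] * (1.0 - p.availability)
            + WEIGHTS["incident_rate"] * p.incident_rate
            + WEIGHTS["sla_violations"] * p.sla_violations)

def pdp_decide(sensitivity: str, p: TrustParameters) -> dict:
    """PDP, step 6: grant only when R.S <= R.T for the requested resource class."""
    rs, rt = risk_score(p), RISK_THRESHOLD[sensitivity]
    return {"risk_score": rs, "risk_threshold": rt,
            "decision": "grant" if rs <= rt else "deny"}

class PEP:
    """PEP: consults the PIP's latest parameters on every request, so a CSP whose
    performance deteriorates is denied without any policy change."""
    def __init__(self):
        self.pip = {}                  # PIP store: csp name -> latest TrustParameters
    def update_trust(self, csp: str, p: TrustParameters) -> None:
        self.pip[csp] = p              # step 5: fresh trust parameters from the CSP
    def request(self, csp: str, sensitivity: str) -> str:
        return pdp_decide(sensitivity, self.pip[csp])["decision"]

def demo() -> dict:
    """One foreign CSP evaluated before and after its performance drops (constructed values)."""
    pep = PEP()
    pep.update_trust("csp2", TrustParameters(0.99, 0.05, 0.02))
    before = pep.request("csp2", "confidential")
    pep.update_trust("csp2", TrustParameters(0.90, 0.40, 0.30))  # deterioration
    after = {cls: pep.request("csp2", cls) for cls in RISK_THRESHOLD}
    return {"before": before, "after": after}
```

Because the score is recomputed from the CSP's current parameters at every request, the same CSP is granted confidential access before its performance drops and denied afterwards (while still passing for public and internal resources), which is the continuous, preventive check the Research Findings slide says fixed trust models lack.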
Technologies and Standards
• Security Assertion Markup Language (SAML)
• Java
• OpenStack
• Identity, credential and access management

Industrial Survey
CERN and Rackspace are probing the possibility of true federated hybrid clouds built on OpenStack.
Community Response
"I believe that your idea of confidentiality, integrity and availability is very interesting. Actually, I think you can explore many possibilities with these three concepts. I can't think right now how you could fit SLA in the analysis, however it could be very interesting."
References
[1] Khalid Zaman Bijon, Ram Krishnan, Ravi Sandhu, "Risk-Aware RBAC Sessions", 8th International Conference, ICISS 2012, Guwahati, India, December 15-19, 2012.
[2] Liang Chen, Jason Crampton, "Risk-Aware Role-Based Access Control", 7th International Workshop, STM 2011, Copenhagen, Denmark, June 27-28, 2011.
[3] S. Kandala, R. Sandhu, V. Bhamidipati, "An Attribute Based Framework for Risk-Adaptive Access Control Models", Availability, Reliability and Security (ARES), 2011 Sixth International Conference, 2011.
[4] David Brossard, "XACML 101 – a quick intro to Attribute-based Access Control with XACML", [web] www.webframer.eu, September 30, 2010.
[5] Jaehong Park, Dang Nguyen, R. Sandhu, "A provenance-based access control model", Privacy, Security and Trust (PST), 2012 Tenth Annual International Conference on, 16-18 July 2012.
[6] Yuan Cheng, Jaehong Park, R. Sandhu, "Relationship-Based Access Control for Online Social Networks: Beyond User-to-User Relationships", Privacy, Security, Risk and Trust (PASSAT), 2012 International Conference on and 2012 International Conference on Social Computing (SocialCom), 3-5 Sept. 2012.
[7] Dimitrios Zissis, Dimitrios Lekkas, "Addressing cloud computing security issues", Future Generation Computer Systems, March 2012.
[8] Sandeep K. Sood, "A combined approach to ensure data security in cloud computing", Journal of Network and Computer Applications, November 2012.
[9] M. Singhal, S. Chandrasekhar, Tingjian Ge, R. Sandhu, R. Krishnan, Gail-Joon Ahn, Elisa Bertino, "Collaboration in multicloud computing environments: Framework and security issues", Computer (Volume 46, Issue 2), Feb. 2013.
[10] Mohammed Alhamad, Tharam Dillon, Elizabeth Chang, "SLA-Based Trust Model for Cloud Computing", 13th International Conference on Network-Based Information Systems, 2010.
[11] Atul Gohad, Praveen S. Rao, "1 * N Trust Establishment within Dynamic Collaborative Clouds", Cloud Computing in Emerging Markets (CCEM), 2012 IEEE International Conference.
[12] Hiroyuki Sato, Atsushi Kanai, Shigeaki Tanimoto, "A Cloud Trust Model in a Security Aware Cloud", Applications and the Internet (SAINT), 2010 10th IEEE/IPSJ International Symposium on, July 2010.
[13] Ei Ei Mon, Thinn Thu Naing, "The privacy-aware access control system using attribute-and role-based access control in private cloud", Broadband Network and Multimedia Technology (IC-BNMT), 2011 4th IEEE International Conference.
[14] Marcela Roxana Farcasescu, "Trust Model Engines in cloud computing", 2012 14th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing.
[15] Monoj Kumar Muchahari, Smriti Kumar Sinha, "A New Trust Management Architecture for Cloud Computing Environment", 2012 International Symposium on Cloud and Services Computing.
[16] Vijay Varadharajan, Udaya Tupakula, "TREASURE: Trust Enhanced Security for Cloud Environments", 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications.