
Cross-domain IDMS for Cloud Environment

Umme Habiba, March 17, 2014. Cross-domain IDMS for Cloud Environment: Healthcare as a Case-study. Thesis Final Defense. Agenda: Introduction, Motivation, Contributions, Research Methodology, Implementation, Demonstration, Future Directions, References. Identity: Core of Every Service.





Presentation Transcript


  1. Cross-domain IDMS for Cloud Environment: Healthcare as a Case-study. Thesis Final Defense. Umme Habiba, March 17, 2014

  2. Agenda
  • Introduction
  • Motivation
  • Contributions
  • Research Methodology
  • Implementation
  • Demonstration
  • Future Directions
  • References

  3. Identity: Core of Every Service
  • User Provisioning & De-provisioning
  • Authn & Authz
  • Federated Identity Management
  • Single Sign-On
  • Self-service
  • Access Right Delegation
  • Identity Info. Synchronization
  • Auditing and Reporting

  4. Challenges for IDMSs in Cloud (diagram; labels around the Identity Management System)
  • Authentication
  • Authorization
  • Self-Service
  • Access Right Delegation
  • Synchronization
  • Interoperability

  5. Literature Review - State-of-the-Art (Industrial Perspective / Security Perspective)
  • Conference & Journal papers
  • Cloud Identity Management
  • Pressing Need of securing Identity credentials at Cloud
  • International IDMS Security Standards
  • Emerging Security Trends
  • Widely Adopted Security Standards
  • Best Practices
  • State-of-the-art Technologies: UnboundID, Hitachi ID, ORACLE Identity Management, Ping Identity, RSA SecurID, Kantara Initiative, Okta, Symplified (The Cloud Security Experts)

  6. Research Methodology

  7. Research Methodology (cont.)
  • Problems
  • Assessment criterion for Cloud IDMSs
  • Cloud IDMS Security Issues & Solutions: A Taxonomy
  • Cross-domain IDMS for Cloud

  8. Problem Statement: In order to address the security, interoperability and privacy concerns in the Cloud domain, there is a need for a cross-domain Identity Management System for the Cloud environment that can ensure seamless integration and utilization of identity credentials. In addition to basic identity management features, it must provide advanced security features, including access right delegation, synchronization and self-service, in Cloud computing scenarios.

  9. Contribution: Our contribution is twofold:
  • Establishment of a benchmark to ensure the security of identity credentials at Cloud.
  • Design and implementation of a cross-domain Identity Management System for Cloud, in particular enhancing the open-source SCIM protocol.

  10. Research Perspective
  • Survey Paper (Status - Published): Umme Habiba, A. Ghafoor Abbasi, Rahat Masood, M. Awais Shibli, "Assessment Criteria for Cloud Identity Management Systems", Proceedings of the 19th IEEE Pacific Rim International Symposium on Dependable Computing (PRDC-2013), Vancouver, BC, Canada, December 2-4, 2013.
  • Conceptual Paper (Status - Accepted Only): Umme Habiba, Rahat Masood, M. Awais Shibli, "Cross-domain Identity Management Systems for Cloud", in the proceedings of the 22nd Euromicro International Conference on Parallel, Distributed and Network-based Processing (PDP-2014), Turin, Italy, February 12-14, 2014.
  • Journal Paper (Status - Under Review): Umme Habiba, Rahat Masood, M. Awais Shibli, Yumna Ghazi, "Cloud Identity Management Security Issues & Solutions: A Taxonomy", under review at IEEE Transactions on Cloud Computing (TCC-SI), submitted on January 15, 2014.

  11. Conference Paper-Assessment Criteria

  12. Implementation Perspective: Implement a secure Identity Management System based on the underlying SCIM protocol to ensure:
  • Credentials synchronization across CSPs
  • User-centricity
  • Communication-level security

  13. SCIM features by UnboundID

  14. Why UnboundID SCIM SDK?
  • Open Source
  • Widely adopted
  • Customizable
  • User Friendly
  • Generic

  15. Development Toolkit
  • NetBeans IDE 7.3.1 (Java)
  • MySQL Workbench 5.2 CE
  • Apache Maven 3.0.5
  • Jetty web server
  • UnboundID SCIM SDK
  • Crypto Java API
  • RESTful Architecture Style
  • JSON (Data Exchange Format)
  • Log4j API

  16. Identity System – Workflow

  17. Access Right Delegation–Workflow

  18. Detailed Workflow (diagram; labels only survive). Domain 1: CSP1, Jetty Server, MySQL DB, SCIM Endpoint //localhost:8080. Domain 2: CSP2, Jetty Server, MySQL DB, SCIM Endpoint //localhost:8081. Components shown: CSC, REST-based SCIM Endpoint, SCIM Service, SCIM SDK, SCIM Method, Decrypt, Unmarshaller, Response.

  19. Goals - IDMS perspective
  • Interoperability
  • Credentials sync. across CSPs
  • User-centricity (Privacy)
  • Communication-level security

  20. Protocol Enhancements (diagram). UnboundID SCIM SDK provides:
  • Single SCIM Endpoint
  • SCIM Schema
  • SDK for CRUD
  Enhanced SCIM adds: GUI, Encryption, JSON Marshaller/Unmarshaller, RESTful Architecture style, Dual SCIM Endpoint Synchronization.

  21. Evaluation Security Evaluation Functionality

  22. Functionality Perspective - Aspects of Evaluation
  • Correctness and Effectiveness
  • Leading Versus Lagging Indicators
  • Organizational Security Objectives
  • Qualitative and Quantitative Properties
  • Measurements of the Large Versus Small

  23. Cont.: Security Guidance for Critical Areas of Focus in Cloud Computing - V3.0
  • Domain 1: Cloud Computing Architectural Framework
  • Governing in the Cloud
  • Domain 2: Governance and Enterprise Risk Management
  • ...
  • Domain 10: Application Security
  • Domain 11: Encryption and Key Management
  • Domain 12: Guidance for Identity and Access Management (IAM)
  • Domain 13: Virtualization
  • Domain 14: Security as a Service

  24. Results -- Test Cases

  25. Security Perspective - SCYTHER

  26. Enhanced SCIM Protocol - Healthcare as a Case-study (diagram; labels only survive). Application Layer: SCIM Doctor Interface (V/U My Profile, V/U Patient Details), SCIM Administrator Interface (User Provisioning, De-provisioning, A/C Management), SCIM Patient Interface (V/U My Profile). Business Logic Layer: SCIM SDK, Encryption/Decryption Module, Key Management Server (Decryption Key). Storage Layer: MySQL DB, Encryption, Posted to CSP2.
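Slides 18, 20 and 26 describe the same pipeline from three angles: a SCIM User resource is marshalled to JSON on CSP1, its identity credentials are encrypted, the record is posted to the second domain's SCIM endpoint, stored, and later decrypted with a key obtained from the key management server. The following is an added example that reconstructs that flow in Python; it is not the thesis's Java/UnboundID code. Everything in it is assumed for illustration: the SCIM 1.1 schema URN, the choice of which attributes count as sensitive, an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag standing in for the AES cipher a real deployment would take from its crypto API, a dict standing in for the MySQL table, and a direct call standing in for the REST POST between the two Jetty servers.

```python
import hashlib
import hmac
import json
import secrets

# SCIM 1.1 core schema URN; this and every other name here is this example's
# assumption, not something the slides state.
SCIM_CORE_SCHEMA = "urn:scim:schemas:core:1.0"
# Attributes encrypted before the resource leaves CSP1; "id" and "userName"
# stay in the clear so CSP2 can still key its table on them.
SENSITIVE_ATTRIBUTES = ("name", "emails", "phoneNumbers")


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: a PRF keystream standing in for AES so the
    # example needs only the standard library.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key):
    # Separate encryption and MAC keys derived from the per-resource data key.
    return hashlib.sha256(b"enc|" + key).digest(), hashlib.sha256(b"mac|" + key).digest()


def encrypt(key, plaintext):
    # Encrypt-then-MAC; nonce and tag travel with the ciphertext inside the JSON.
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ciphertext": ct.hex(), "tag": tag.hex()}


def decrypt(key, blob):
    # Check the tag in constant time before decrypting; a modified record is rejected.
    enc_key, mac_key = _subkeys(key)
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ciphertext"])
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("identity record failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyManagementServer:
    # Holds per-resource data keys; CSP2 stores only ciphertext and must ask
    # here, as an authorised principal, before it can decrypt anything.
    def __init__(self):
        self._keys = {}

    def issue_key(self, resource_id):
        self._keys[resource_id] = secrets.token_bytes(32)
        return self._keys[resource_id]

    def fetch_key(self, resource_id, principal):
        # Doctors and administrators may open any record; a patient only their own.
        if principal["role"] in ("doctor", "admin") or principal.get("userId") == resource_id:
            return self._keys[resource_id]
        raise PermissionError(f"{principal['role']} may not decrypt {resource_id}")


class ScimEndpoint:
    # Stand-in for the REST SCIM endpoint on a Jetty server: a dict plays the
    # MySQL table and post_user() plays POST /Users at base_url.
    def __init__(self, base_url):
        self.base_url, self.db = base_url, {}

    def post_user(self, body):
        resource = json.loads(body)  # the unmarshaller step
        if SCIM_CORE_SCHEMA not in resource.get("schemas", []):
            raise ValueError("unsupported SCIM schema")
        self.db[resource["id"]] = resource
        return resource


def marshal_for_sync(user, key):
    # CSP1 side: encrypt the sensitive attributes, then marshal the resource to JSON.
    outbound = dict(user)
    for attr in SENSITIVE_ATTRIBUTES:
        if attr in outbound:
            outbound[attr] = {"encrypted": encrypt(key, json.dumps(outbound[attr]).encode())}
    return json.dumps(outbound)


def read_user(endpoint, user_id, kms, principal):
    # CSP2 side: authorise via the KMS first, then unwrap the encrypted attributes.
    key = kms.fetch_key(user_id, principal)
    record = dict(endpoint.db[user_id])
    for attr in SENSITIVE_ATTRIBUTES:
        if isinstance(record.get(attr), dict) and "encrypted" in record[attr]:
            record[attr] = json.loads(decrypt(key, record[attr]["encrypted"]))
    return record


def sample_patient():
    # Constructed SCIM User resource for the demo, not real data.
    return {"schemas": [SCIM_CORE_SCHEMA], "id": "patient-0001", "userName": "jdoe",
            "name": {"givenName": "Jane", "familyName": "Doe"},
            "emails": [{"value": "jane.doe@example.org", "primary": True}],
            "phoneNumbers": [{"value": "+1-555-0100", "type": "work"}]}


def sync_demo():
    # CSP1 (//localhost:8080 on the slides) provisions a patient and posts it to CSP2 (//localhost:8081).
    kms, patient = KeyManagementServer(), sample_patient()
    key = kms.issue_key(patient["id"])
    csp2 = ScimEndpoint("http://localhost:8081/scim")
    csp2.post_user(marshal_for_sync(patient, key))
    return {"kms": kms, "csp2": csp2, "patient": patient,
            "at_rest": csp2.db[patient["id"]],
            "doctor_view": read_user(csp2, patient["id"], kms, {"role": "doctor"})}
```

Calling `sync_demo()` returns the record as CSP2 holds it (`at_rest`, with `name`, `emails` and `phoneNumbers` replaced by nonce/ciphertext/tag objects while `id` and `userName` stay readable) beside the `doctor_view` that the key management server released to a doctor principal. The two points worth taking from it are that the receiving domain never holds the data key, so a compromise of its MySQL store exposes only ciphertext, and that the tag check in `decrypt` turns any modification of a stored record into a hard failure rather than silently corrupted patient details.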

  27. Future Research Directions
  • Access Right Delegation is among our main system components. However, the presented system does not consider delegation chaining, which is typically required in real-world environments; it is therefore one of the possible future research directions in the field of cross-domain identity management.
  • Encryption of identity credentials raises key management and key storage concerns that need to be addressed. Future research should focus on defining proper key generation and management mechanisms.
  • Sharing and storing sensitive identity information at third-party CSPs raises issues such as the lack of trusted security and privacy mechanisms, and therefore requires a trust establishment technique. Integration of a trust establishment module into the proposed system is yet another significant research direction that should be explored in detail.

  28. References
  • Antonio Celesti, Francesco Tusa, Massimo Villari and Antonio Puliafito, "Security and Cloud Computing: InterCloud Identity Management Infrastructure", Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, Larissa, Greece, 2010.
  • Liang Yan, Chunming Rong and Gansen Zhao, "Strengthen Cloud Computing Security with Federal Identity Management Using Hierarchical Identity-Based Cryptography", Springer 1st International Conference on Cloud Computing, Beijing, China, 2009.
  • Il Kon Kim, Zeeshan Pervez, Asad Masood Khattak and Sungyoung Lee, "Chord Based Identity Management for e-Healthcare Cloud Applications", 10th Annual International Symposium on Applications and the Internet, IEEE, Seoul, Korea, 2010.
  • David W. Chadwick and Matteo Casenove, "Security APIs for My Private Cloud: Granting access to anyone, from anywhere at any time", Third IEEE International Conference on Cloud Computing Technology and Science, Athens, Greece, 2011.
  • Anu Gopalakrishnan, "Cloud Computing Identity Management", SETLabs Briefings Vol. 7 No. 7, Business Innovation through Technology, 2009.
  • Yang Zhang and Jun-Liang Chen, "A Delegation Solution for Universal Identity Management in SOA", IEEE Transactions on Services Computing, Vol. 4, No. 1, January-March 2011.
  • R. Sánchez et al., "Enhancing Privacy and Dynamic Federation in IdM for Consumer Cloud Computing", IEEE Transactions on Consumer Electronics, Vol. 58, No. 1, February 2012.
  • Rohit Ranchal, Bharat Bhargava, Lotfi Ben Othmane and Leszek Lilien, "Protection of Identity Information in Cloud Computing without Trusted Third Party", 29th IEEE International Symposium on Reliable Distributed Systems, New Delhi, India, 2010.

  29. References (cont.)
  • Mikaël Ates, Serge Ravet, Abakar Mohamat Ahmat and Jacques Fayolle, "An Identity-Centric Internet: Identity in the Cloud, Identity as a Service and other delights", Sixth International Conference on Availability, Reliability and Security, Vienna, Austria, 2011.
  • Mohammad M. R. Chowdhury and Josef Noll, "Distributed Identity for Secure Service Interaction", Proceedings of the Third International Conference on Wireless and Mobile Communications (ICWMC'07), Guadeloupe, 2007.
  • Amlan Jyoti Choudhury, Pardeep Kumar, Mangal Sain, Hyotaek Lim and Hoon Jae Lee, "A Strong User Authentication Framework for Cloud Computing", IEEE Asia-Pacific Services Computing Conference, Jeju Island, South Korea, 2011.
  • A. Albeshri and W. Caelli, "Mutual Protection in a Cloud Computing Environment", IEEE 12th International Conference on High Performance Computing and Communications, 2010.
  • Yuan Cao and Lin Yang, "A Survey of Identity Management Technology", IEEE International Conference on Information Theory and Information Security, 2010.
  • Song Luo, Jianbin Hu and Zhong Chen, "An Identity-Based One-Time Password Scheme with Anonymous Authentication", International Conference on Networks Security, Wireless Communications and Trusted Computing, Wuhan, Hubei, China, 2009.
  • Yang Zhang and Jun-Liang Chen, "Universal Identity Management Model Based on Anonymous Credentials", IEEE International Conference on Services Computing, Miami, Florida, 2010.
  • Pelin Angin, Bharat Bhargava, Mark Linderman and Leszek Lilien, "An Entity-centric Approach for Privacy and Identity Management in Cloud Computing", 29th IEEE International Symposium on Reliable Distributed Systems, New Delhi, India, 2010.

  30. Many Thanks to my thesis supervisor and committee members
