Extensible Access Control Framework for Cloud based Applications


Upload: bert

Post on 14-Jan-2016


DESCRIPTION

Extensible Access Control Framework for Cloud based Applications. Funded by National ICT R&D. Introduction & Briefing. Outline of the Talk: Extensible Access Control Framework for Cloud based Applications; Team Introduction; Access Control as a Service (ACaaS). PowerPoint PPT Presentation.

TRANSCRIPT

Department of Computing, School of Electrical Engineering and Computer Sciences, NUST - Islamabad
KTH Applied Information Security Lab

Extensible Access Control Framework for Cloud based Applications
Funded by National ICT R&D
Introduction & Briefing


Outline of the Talk

• Extensible Access Control Framework for Cloud based Applications
• Team Introduction
• Access Control as a Service (ACaaS)
• Project Overview (Introduction & Briefing)
• Future Prospects


Extensible Access Control Framework for Cloud based Applications

Funded by: National ICT R&D
Status: 2 quarters completed
Project Cost: 13 Million
Duration: 2 Years
Research Area: Cloud Computing Security
Workforce: 14 Team Members including MS and BS degree holders
Direct Beneficiary: Educational Institutes, Cloud Community, IT industry
Principal Investigator: Dr. Awais Shibli
Co-principal Investigator: Dr. Arshad Ali


Security Challenges in SaaS

• Data Breaches
• Network Security
• Data Integrity
• Data Segregation
• Data Confidentiality
• Authentication
• Data Backup
• Data Access
• Web Application Security
• Data Locality
• Identity Management & SSO


Security as a Service (SECaaS) for SaaS

Figure: SECaaS offerings for Cloud Service Consumers
• Email Security aaS
• Web content filtering aaS
• Access control aaS
• Identity aaS
• Network Security aaS
• Security assessment aaS
• Encryption aaS
• Data protection aaS


Access Control in Cloud (Area of Focus)

Access control’s role is to control and limit the actions or operations in the Cloud systems that are performed by a user on a set of resources.


Authorization Issues in Cloud


Challenging Authorization Problems

Cloud Perspective
• Cloud subscribers often do not have sufficient control over technical access policy decision-making and enforcement in the cloud infrastructure.
• Most cloud providers do not offer subscriber-configurable policy enforcement points (e.g. based on the OASIS XACML standard).
• Cloud providers naturally cannot pre-configure subscriber-specific policies for subscribers (because they are subscriber-specific).


Challenging Authorization Problems

Cloud Perspective
• Managing and creating Cloud subscriber access policies is the biggest challenge around authorization.
• There is no common standard policy specification format adopted yet for cloud.
• Traditional access control models have some specific parameters suitable only for particular scenarios, and granular access control is yet a key requirement.
• Translating policies into security implementation gets more time-consuming, expensive, and error-prone.


Access Control as a Service (ACaaS)

• There should be a generic framework for the applications of Cloud consumers that can be customized by consumers according to their own security needs, along with the basic security features provided by Cloud providers.
• This framework should encompass multiple models and should have the ability to add any access control model within the framework based on the security requirements of the consumer.


ACaaS for Cloud

Figure: XACML-style authorization flow in the framework. A policy request passes through six numbered steps between the PEP (Policy Enforcement Point), the PDP (Policy Decision Point) and the PIP (Policy Information Point), which performs attribute lookup against trusted attribute stores.
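As an added example (not part of the original slides or the project's own code), the following Python sketch models the ACaaS idea from the two preceding slides: a PDP that evaluates tenant-chosen, pluggable access control models (an RBAC and an ABAC plug-in here), resolving subject attributes through a PIP backed by a trusted attribute store, with the PEP supplying only environment attributes. The user names, roles, resources and the hospital-network rule are constructed sample data.

```python
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, str]
# Request = (subject, resource, action, environment attrs supplied by the PEP).
Request = Tuple[str, str, str, Attrs]
# A pluggable model maps (request, resolved attrs) to "Permit", "Deny" or "NotApplicable".
Model = Callable[[Request, Attrs], str]

def rbac_model(perms: Dict[str, List[Tuple[str, str]]]) -> Model:
    """RBAC plug-in: role -> allowed (resource, action) pairs; unknown role -> NotApplicable."""
    def evaluate(req: Request, attrs: Attrs) -> str:
        _, resource, action, _ = req
        role = attrs.get("role")
        if role not in perms:
            return "NotApplicable"
        return "Permit" if (resource, action) in perms[role] else "Deny"
    return evaluate

def abac_model(rules: List[Tuple[Callable, Callable]]) -> Model:
    """ABAC plug-in: the first (target, condition) rule whose target matches decides."""
    def evaluate(req: Request, attrs: Attrs) -> str:
        for target, condition in rules:
            if target(req, attrs):
                return "Permit" if condition(req, attrs) else "Deny"
        return "NotApplicable"
    return evaluate

class PDP:
    """Policy Decision Point: runs the models a tenant enabled; deny-overrides, default deny."""
    def __init__(self, pip: Dict[str, Attrs], models: List[Model]):
        self.pip, self.models = pip, models  # pip: trusted attribute store queried per subject
    def decide(self, req: Request) -> str:
        subject, _, _, env = req
        # PIP lookup: trusted-store attributes override PEP-supplied ones, so a caller cannot assert its role.
        attrs = {**env, **self.pip.get(subject, {})}
        decisions = [model(req, attrs) for model in self.models]
        return "Deny" if "Deny" in decisions or "Permit" not in decisions else "Permit"

def demo_decisions() -> Dict[str, str]:
    """Constructed tenant configuration: RBAC plus one ABAC rule limiting writes to the hospital network."""
    pip = {"alice": {"role": "doctor"}, "bob": {"role": "intern"}}
    rbac = rbac_model({"doctor": [("record", "read"), ("record", "write")], "intern": [("record", "read")]})
    abac = abac_model([(lambda r, a: r[2] == "write", lambda r, a: a.get("network") == "hospital")])
    pdp = PDP(pip, [rbac, abac])
    return {
        "alice_read": pdp.decide(("alice", "record", "read", {})),
        "alice_write_onsite": pdp.decide(("alice", "record", "write", {"network": "hospital"})),
        "alice_write_remote": pdp.decide(("alice", "record", "write", {"network": "internet"})),
        "bob_write_onsite": pdp.decide(("bob", "record", "write", {"network": "hospital"})),
        "bob_spoofed_role": pdp.decide(("bob", "record", "write", {"network": "hospital", "role": "doctor"})),
        "unknown_user": pdp.decide(("mallory", "record", "read", {})),
    }
```

Adding a third model (for example a tenant-specific rule set) is a matter of appending another callable to the PDP's model list; the deny-overrides combination keeps the result conservative.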


Access Control Challenges in Cloud


Motivation behind Project


Project Statements

We aim to provide Access Control-as-a-Service (ACaaS) for Software-as-a-Service (SaaS) layer applications by incorporating a variety of reliable and well-known access control models as Cloud based services.

The framework will be capable of handling a wide variety of Cloud Service Consumers (CSC) and intends to minimize the chance of data loss and corruption by unauthorized users.

Final deliverables include the implementation of an extensible API that is capable of managing and controlling access for SaaS hosted Cloud applications and resources.


Architecture

The figure presents the architecture of the framework.


Detailed Architecture


Project Significance

• Common Policy Language Format
• Comprehensive Authorization Application
• Customization & Extensibility


State of the Art Technologies

• OASIS Extensible Access Control Markup Language (XACML 2.0)
• Security Assertion Markup Language (SAML)
• Hibernate
• Java Server Pages (JSF)
• OpenStack
• CloudStack
• Eclipse
• Java 2 Enterprise Edition (J2EE)


Pleasure in the job puts perfection in the work. - Aristotle