Enhancing trust in federated cloud environment using the risk based access control


Page 1: Enhancing trust in federated cloud environment using the risk based access control

Department of Computing, School of Electrical Engineering and Computer Sciences, NUST - Islamabad

KTH Applied Information Security Lab

Enhancing trust in federated cloud environment using the risk based access control

2012-Fowz Masood-NUST-MS-CCS-23

Supervisor: Dr. Awais Shibli

Committee Members: Dr. Abdul Ghafoor, Ms. Hirra Anwar, Ms. Rahat Masood

Page 2: Enhancing trust in federated cloud environment using the risk based access control

Agenda

– Introduction
– Cloud federation
– Challenges in cloud computing
– Trust issue in cloud
– Literature review
– Limitations
– Problem statement
– Proposed architecture
– Roadmap
– Industrial survey
– Response from international community
– References

Page 3: Enhancing trust in federated cloud environment using the risk based access control

Overview of Cloud Computing

[Figure: cloud taxonomy diagram. Labels: On-demand Self Services, Broad Network Access, Rapid Elasticity, Measured Services, Resource Pooling; Software-as-a-service, Platform-as-a-service, Infrastructure-as-a-service; Public, Private, Hybrid, Community.]

Reference: http://cloudblueprint.wordpress.com/cloud-taxonomy/

Page 4: Enhancing trust in federated cloud environment using the risk based access control

Cloud Federation

[Figure: cloud federation diagram. Labels: Home Cloud, Foreign Cloud, Foreign Cloud; Cloud service provider 1, Cloud service provider 2, Cloud service provider 3; Cloud Federation.]

Different CSPs form a federation

Benefits:
– Cloud burst
– Load balancing
– Global unity
– Better resource management

Page 5: Enhancing trust in federated cloud environment using the risk based access control

Issues in cloud

Recently conducted survey* shows:

The Edward Snowden - NSA scandal** has also raised many questions in people’s minds.

Due Diligence***.

* Michael A. Davis. (2012, August) Information Week. [Online]. http://www.informationweek.com/global-cio/security/dont-trust-cloud-security/240005687
** John Naughton. (2013, September) The Guardian. [Online]. http://www.theguardian.com/technology/2013/sep/15/edward-snowden-nsa-cloud-computing
*** “The Notorious Nine: Cloud Computing Top Threats in 2013” [Online]. https://cloudsecurityalliance.org

Page 6: Enhancing trust in federated cloud environment using the risk based access control

Trust issues in cloud

Warwick Ashford, “Security in the cloud: Top nine issues in building users' trust” [Online], April 2011. http://www.computerweekly.com/feature/Security-in-the-cloud-Top-nine-issues-in-building-users-trust

Building user trust in cloud computing is one of the top issues.

Page 7: Enhancing trust in federated cloud environment using the risk based access control

Cont’d

Chris Paoli, “Enterprises Have Cloud Trust Issues” [Online], Aug 2012. http://redmondmag.com/articles/2012/08/08/cloud-trust-issues.aspx

Cloud computing lacks transparency.

Page 8: Enhancing trust in federated cloud environment using the risk based access control

Literature Survey

Page 9: Enhancing trust in federated cloud environment using the risk based access control

1 * N Trust Establishment within Dynamic Collaborative Clouds

A central entity CSB is used for establishing the trust

Secure tokens are generated and used

Pros:
– CSB has to manage all the CSPs.
– Better security.

Cons:
– Complex framework
– Single point of failure
– Model relies on certificates, which is itself a slow process

Atul Gohad, Praveen S. Rao, “1 * N Trust Establishment within Dynamic Collaborative Clouds”, Cloud Computing in Emerging Markets (CCEM), 2012 IEEE International Conference

Page 10: Enhancing trust in federated cloud environment using the risk based access control

A Cloud Trust Model in a Security Aware Cloud

Hiroyuki Sato, Atsushi Kanai, Shigeaki Tanimoto, “A Cloud Trust Model in a Security Aware Cloud”, Applications and the Internet (SAINT), 2010 10th IEEE/IPSJ International Symposium on, July 2010

A cloud trust model has been proposed, in which two additional layers of trust have been added.

Pros:
– Enhances the security

Cons:
– TPM needs hardware modification.
– Key management is a cumbersome task.
– No continuous monitoring.
– Additional layers will make the overall system slow.

Page 11: Enhancing trust in federated cloud environment using the risk based access control

SLA-Based Trust Model for Cloud Computing

Authors have used the service level agreement (SLA) to calculate the trustworthiness

Both functional and nonfunctional requirements are catered for in trust establishment

Pros:
– Best possible CSP will be provided on the demand of client

Cons:
– Trust level changes
– SLA parameters themselves are not enough

Mohammed Alhamad, Tharam Dillon, Elizabeth Chang, “SLA-Based Trust Model for Cloud Computing”, 13th International Conference on Network-Based Information Systems 2010

Page 12: Enhancing trust in federated cloud environment using the risk based access control

The privacy-aware access control system using attribute-and role-based access control in private cloud

To make the system secure, both RBAC and ABAC are put in place

Pros:
– Enhances the overall security of cloud

Cons:
– Computationally expensive, slow

Ei Ei Mon, Thinn Thu Naing, “The privacy-aware access control system using attribute-and role-based access control in private cloud”, Broadband Network and Multimedia Technology (IC-BNMT), 2011 4th IEEE International Conference

Page 13: Enhancing trust in federated cloud environment using the risk based access control

Risk-Aware RBAC Sessions

Authors have incorporated the risk parameter in an RBAC session.

Pros:
– Robust.
– Better security as it is dynamic in nature.

Cons:
– Parameters for risks were not explained.
– Testing & evaluation is not provided.

Khalid Zaman Bijon, Ram Krishnan, and Ravi Sandhu, “Risk-Aware RBAC Sessions”, 8th International Conference, ICISS 2012, Guwahati, India, December 15-19, 2012

Page 14: Enhancing trust in federated cloud environment using the risk based access control

Research Findings

Trust models:
– Trust models are fixed.
– One time check only.
– Detective in nature rather than preventive.
– Cryptographic techniques are computationally expensive.
– Require third party for verification.

Access Control:
– The cloud’s dynamic nature demands a flexible A.C. However, traditional A.C. mechanisms are based on static policies, which makes them too rigid to handle complex situations.

Page 15: Enhancing trust in federated cloud environment using the risk based access control

Problem Statement

The performance of a CSP in a cloud federation can deteriorate over time; in this case the existing trust and access control schemes fail to provide an appropriate security solution.

Page 16: Enhancing trust in federated cloud environment using the risk based access control

Existing work

[Figure: architecture diagram of the existing work. Labels: SLA-monitor module, Feedback collection module, Identity provider, Trust evaluation module, Trust management module (shown twice), Home Cloud, Foreign Cloud, Trust service provider, Trust protocol, Customer.]

Ayesha Kanwal, “Establishment and propagation of trust in federated cloud environment”, October 2012

Page 17: Enhancing trust in federated cloud environment using the risk based access control

Abstract Diagram

[Figure: abstract diagram. Labels: Foreign CSP 01, Home CSP, Foreign CSP 02, Users, Risk based access control, Dynamic Access Control, Storage Services.]

Different cloud service providers have formed a federation

Page 18: Enhancing trust in federated cloud environment using the risk based access control

Proposed Architecture

[Figure: proposed architecture diagram. Labels: Cloud Service Provider 1, Cloud Service Provider 2, Cloud Service Provider 3, Risk based access control, PDP, PIP, PEP, Risk Engine, Risk threshold, Risk score.]

Numbered flows in the diagram:
1 - Client Request
2 - Service Request
3 – Service reply (Yes/No)
4 - If yes, Request for trust parameters
5 – Trust parameters Send + User credential request
6 - If R.S <= R.T, grant access
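The numbered flow above, as an added Python example (not code from the presentation): a PEP forwards the request, fresh trust parameters are fetched on every request, and the PDP grants access only when R.S <= R.T. The trust parameter names, their weights, the weighted-sum scoring and the sample CSP are assumptions, since the slides do not define how the risk score is computed; user credential handling is left out.

```python
from dataclasses import dataclass

# Assumed trust parameters and weights (the slides define neither); each
# parameter is a rate in [0, 1] where higher means worse behaviour.
WEIGHTS = {"sla_violation_rate": 0.5, "negative_feedback_rate": 0.3,
           "downtime_rate": 0.2}

@dataclass
class ForeignCSP:
    name: str
    trust_params: dict
    offers_service: bool = True

    def service_reply(self, service):        # steps 2-3: service request, yes/no
        return self.offers_service

    def send_trust_parameters(self):         # steps 4-5: current trust parameters
        return dict(self.trust_params)

def risk_score(params):
    """Risk engine: weighted sum; a missing parameter counts as worst case."""
    return sum(w * min(max(params.get(k, 1.0), 0.0), 1.0)
               for k, w in WEIGHTS.items())

class PDP:
    """Policy decision point holding the risk threshold (R.T)."""
    def __init__(self, risk_threshold):
        self.risk_threshold = risk_threshold

    def decide(self, params):                # step 6: grant if R.S <= R.T
        rs = risk_score(params)
        return rs <= self.risk_threshold, rs

def pep_handle(pdp, csp, service):
    """Policy enforcement point: receives the client request (step 1)."""
    if not csp.service_reply(service):
        return False, "service unavailable"
    params = csp.send_trust_parameters()     # PIP role: fresh values per request
    granted, rs = pdp.decide(params)
    return granted, f"R.S={rs:.2f} R.T={pdp.risk_threshold:.2f}"

def demo():
    """Constructed data: the same CSP is re-scored after its SLA record worsens."""
    csp = ForeignCSP("foreign-csp-01", {"sla_violation_rate": 0.1,
                     "negative_feedback_rate": 0.2, "downtime_rate": 0.05})
    pdp = PDP(risk_threshold=0.30)
    before = pep_handle(pdp, csp, "storage")
    csp.trust_params["sla_violation_rate"] = 0.6
    after = pep_handle(pdp, csp, "storage")
    return before, after
```

Because the score is recomputed per request, the second call in `demo()` is denied even though the first was granted, which is the deterioration case the problem statement describes.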

Page 19: Enhancing trust in federated cloud environment using the risk based access control

Technologies and Standards

– Security assertion mark-up language (SAML)
– Java
– OpenStack
– Identity, credential and access management

Page 20: Enhancing trust in federated cloud environment using the risk based access control

Roadmap

Milestones: Duration
– Preliminary study and research: Done
– Implementation
– Risk based access control implementation: 2 months
– Configuration of cloud: 20 days
– Deploying the R.A.C in cloud: 20 days
– Testing and evaluation: 1.5 months
– Initial thesis draft: 1 month
– Final documentation: 1 month

Page 21: Enhancing trust in federated cloud environment using the risk based access control

Industrial Survey

Page 22: Enhancing trust in federated cloud environment using the risk based access control

Community Response

1. I believe that your idea of confidentiality, integrity and availability is very interesting. Actually, I think you can explore many possibilities with these three concepts.

2. I can’t think right now how you could fit SLA in the analysis; however, it could be very interesting.

Page 23: Enhancing trust in federated cloud environment using the risk based access control


Page 24: Enhancing trust in federated cloud environment using the risk based access control

References

[1] Khalid Zaman Bijon, Ram Krishnan, Ravi Sandhu, “Risk-Aware RBAC Sessions”, 8th International Conference, ICISS 2012, Guwahati, India, December 15-19, 2012.
[2] Liang Chen, Jason Crampton, “Risk-Aware Role-Based Access Control”, 7th International Workshop, STM 2011, Copenhagen, Denmark, June 27-28, 2011.
[3] S. Kandala, R. Sandhu, V. Bhamidipati, “An Attribute Based Framework for Risk-Adaptive Access Control Models”, Availability, Reliability and Security (ARES), 2011 Sixth International Conference, 2011.
[4] David Brossard, “XACML 101 – a quick intro to Attribute-based Access Control with XACML”, [web] www.webframer.eu, September 30, 2010.
[5] Jaehong Park, Dang Nguyen, R. Sandhu, “A provenance-based access control model”, Privacy, Security and Trust (PST), 2012 Tenth Annual International Conference on, 16-18 July 2012.
[6] Yuan Cheng, Jaehong Park, R. Sandhu, “Relationship-Based Access Control for Online Social Networks: Beyond User-to-User Relationships”, Privacy, Security, Risk and Trust (PASSAT), 2012 International Conference on and 2012 International Conference on Social Computing (SocialCom), 3-5 Sept. 2012.
[7] Dimitrios Zissis, Dimitrios Lekkas, “Addressing cloud computing security issues”, Future Generation Computer Systems, March 2012.
[8] Sandeep K. Sood, “A combined approach to ensure data security in cloud computing”, Journal of Network and Computer Applications, November 2012.

Page 25: Enhancing trust in federated cloud environment using the risk based access control

References

[9] M. Singhal, S. Chandrasekhar, Ge Tingjian, R. Sandhu, R. Krishnan, Ahn Gail-Joon, Elisa Bertino, “Collaboration in multicloud computing environments: Framework and security issues”, Computer (Volume: 46, Issue: 2), Feb. 2013.
[10] Mohammed Alhamad, Tharam Dillon, Elizabeth Chang, “SLA-Based Trust Model for Cloud Computing”, 13th International Conference on Network-Based Information Systems 2010.
[11] Atul Gohad, Praveen S. Rao, “1 * N Trust Establishment within Dynamic Collaborative Clouds”, Cloud Computing in Emerging Markets (CCEM), 2012 IEEE International Conference.
[12] Hiroyuki Sato, Atsushi Kanai, Shigeaki Tanimoto, “A Cloud Trust Model in a Security Aware Cloud”, Applications and the Internet (SAINT), 2010 10th IEEE/IPSJ International Symposium on, July 2010.
[13] Ei Ei Mon, Thinn Thu Naing, “The privacy-aware access control system using attribute-and role-based access control in private cloud”, Broadband Network and Multimedia Technology (IC-BNMT), 2011 4th IEEE International Conference.
[14] Marcela Roxana Farcasescu, “Trust Model Engines in cloud computing”, 2012 14th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing.
[15] Monoj Kumar Muchahari, Smriti Kumar Sinha, “A New Trust Management Architecture for Cloud Computing Environment”, 2012 International Symposium on Cloud and Services Computing.
[16] Vijay Varadharajan, Udaya Tupakula, “TREASURE: Trust Enhanced Security for Cloud Environments”, 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications.