01_ICT Visit_ Project Briefing and Progress Overview [Dec 26, 13]
Department of Computing, School of Electrical Engineering and Computer Sciences, NUST - Islamabad
KTH Applied Information Security Lab

Extensible Access Control Framework for Cloud hosted Applications
Introduction & Briefing
Funded By: National ICT R&D
Principal Investigator Organization: NUST-SEECS
Team Introduction
1. Dr. Muhammad Awais Shibli – Principal Investigator
2. Dr. Arshad Ali – Co-principal Investigator
3. Ms. Rahat Masood – Team Lead
4. Ms. Arjumand Fatima – Professional Researcher
5. Ms. Yumna Ghazi – Professional Researcher
6. Mr. Fowz Masood – Technical Writer / Project Coordinator
7. Ms. Umme Habiba – Research Assistant
8. Ms. Ayesha Kanwal – Research Assistant
Team Introduction (continued)
Group 01
1. Mr. Salman Ansari – Development Assistant
2. Mr. Ummair Asghar – Development Assistant
Group 02
3. Mr. Sadiq Alvi – Development Assistant
4. Mr. Junaid Bin Sarfraz – Development Assistant
Group 03
5. Mr. Jawad Hussain – Development Assistant
6. Mr. Amir Hamza – Development Assistant
Access control models covered by the framework (figure labels): FGAC Model, UCON Model, ABAC Model
Execution Phases
Elapsed Time (months): 1-3
Deliverables:
• Report 1: “A Literature Survey on Authorization Issues in Cloud Computing: Challenges, Opportunities & Impact”.
• Report 2: “Comparative Analysis of Access Control Systems on Cloud”.
• One publication in a highly rated conference.

Milestones Achieved (Progress so far): 1st Quarter
• Submission of chapter entitled “Access Control as a Service in Cloud: Challenges, Impact and Strategies” in Springer Book (accepted, under publication)
• Submission of Journal Paper entitled “The Prospectives of Cloud Authorization Towards Effective Benchmarking and Appraisal” (under review)
• Submission of two Technical Reports
Book Chapter: “Access Control as a Service in Cloud: Challenges, Impact and Strategies”
Publisher: Springer
Book Name: Continued Rise of the Cloud: Advances and Trends in Cloud Computing
Contribution: Issues associated with authorization services in Cloud, along with a comprehensive solution of Access Control as a Service (ACaaS)
Journal Paper: “The Prospectives of Cloud Authorization”
Journal: Frontiers of Computer Science – Springer
Reviews Received: Oct 22, 2013
Revised Manuscript Submitted: Dec 18, 2013
Contribution: i) systematic analysis of the existing authorization solutions in Cloud, ii) derivation of the general shortcomings of the extant access control techniques, iii) enumeration of the features of an ideal access control mechanism for the Cloud
Authors: Rahat Masood, Awais Shibli, Yumna Ghazi, Dr. Arshad Ali
Submission of Technical Reports
Report 1: Authorization Issues in Cloud Computing: Challenges, Opportunities & Impact
Report 2: Comparative Analysis of Access Control Systems on Cloud
Contribution: i) highlight Cloud computing challenges and security issues, ii) help in understanding various authorization issues in the Software as a Service (SaaS) layer of the Cloud, iii) analyze existing Cloud based access control systems against the NIST defined generic access control evaluation criteria
• Software Requirement Specification (SRS)
• System Architecture Document
• Software Design Document
• Seminar “Cloud Computing: Saviour or a
Software Requirement Specification (SRS): intended for gathering the technical and operational requirements of the project; provides adequate detail regarding the design, requirements, user interfaces and the core functionality.
High-Level Architecture: illustrates the architectural design of the framework; provides adequate detail regarding the architecture and the various architectural views/workflows that depict its different aspects.
Software Design Specification (SDS): explains in-depth design and architectural details and the interaction between the components; describes design strategies, detailed system design, various design views, UML diagrams and the deployment architecture.
Seminar “Cloud Computing: Buzzword or a Saviour…???”
Agenda: Emergence, Opportunities, Challenges and Future Prospects of Cloud Computing
Date: December 6, 2013
Speakers: Dr. Awais Shibli, Dr. Abdul Ghafoor, Ms. Rahat Masood
Targeted Audience: Open for all Nustians
Sponsors: National ICT R&D Fund
Organizers: KTH-AIS Lab, NUST-SEECS
URL: http://
Milestones Achieved (Progress so far): 3rd Quarter
• Source Code of Attribute based Access Control (ABAC) Model
• ABAC Profile
• User Manual & Acceptance Testing Report
• Initialization of Cloud Instances in AIS lab (Cloud Configuration Manuals)
• Development Manual
Execution Phases
Elapsed Time (months): 7-9
Deliverables:
• Version 1.0* will be uploaded on sourceforge.net. (a)
• Report 3: “Unit Testing of ABAC model”.
• Initialization of Cloud Instances in AIS lab
Elapsed Time (months): 10-12
Deliverables:
• Test application (financial) hosted on OpenStack.
• Version 2.0* will be uploaded on sourceforge.net. (a)
• Report 4: “Unit Testing of UCON and FGAC model”.
• Core research idea publication in category A conference/journal.
Execution Phases
Elapsed Time (months): 13-15
Deliverables:
• Report 5: “Unit and Integration Testing Results of Framework w.r.t Access Control Models and Cloud Applications”.
• Cloud hosted application with framework integrated.
• Workshop 1: “Development and Deployment of Applications in OpenStack”.
Elapsed Time (months): 16-18
Deliverables:
• Version 3.0* will be uploaded on sourceforge.net. (a)
• Report 6: “Integration Testing Results on Extensibility of framework”.
Execution Phases
Elapsed Time (months): 19-21
Deliverables:
• Report 7: “Quality Assurance Report on Extensible Access Control Framework”.
• Version 4.0** will be uploaded on sourceforge.net. (a)
Elapsed Time (months): 22-24
Deliverables:
• Report 8: “Performance Results of the Extensible Access Control Framework”.
• Paper publication in Category A conference/Journal.
• Report 9: “Framework Effects on Cross-domain Cloud Environments.”
• Workshop 2: “Demonstration and working of Extensible Access Control Framework”.
Technical Methodology
Outline: Technical Methodology
• Cloud Computing
• Challenges of Cloud Computing
• Security Challenge
• Security as a Service (SecaaS)
• Authorization Issues in Cloud
• Project Overview (Introduction & Briefing)
Cloud Computing…???
Generally means:
• Lots of general purpose hosts
• Central management
• Distributed data storage
• Ability to move applications from system to system
• Low-touch provisioning system
• Soft failover/redundancy
Characteristics of Cloud Computing
Broad Network Access
Rapid Elasticity
On-demand Self Service
Measured Services
Resource Pooling
Cloud Service Delivery Models
Infrastructure as a Service (IaaS)
Software as a Service (SaaS)
Platform as a Service (PaaS)
Software as a Service (SaaS)
Applications are hosted as a service and provided to the Cloud customers. This eliminates the need for installing and running different software locally.
Reasons for not using Cloud…….
Cloud Computing Challenges (figure labels): Portability, Security, Privacy, Lack of knowledge & Expertise, Reliability, Performance, Abuse of Cloud Services, Shared Technology Issues, Insufficient due diligence, Interoperability, Service Delivery & Billing, Bandwidth Cost, Usage Control, Availability
Notorious-9 - Cloud Challenges
1. Efficiency of Service Provisioning
• Usage of development tools & components
• Creation of scalable architectures
• Resource management and flexibility
• Availability of services
2. Effectiveness of Service Usage & Control
• Contracts including questions of liability
• Control of services by users
• Governance/escalation of mechanisms
3. Transparency Of Service Delivery And Billing
• Billing including license management
• QA by monitoring SLA
• Type and location of data processing
4. Compliance With Regulatory Requirements
Notorious-9 - Cloud Challenges (continued)
5. Information Security
• Identity and Rights management
• Privacy and Integrity
• Access control, logging and attack prevention
• Verification and certification
6. Data Privacy
• Migration into/out of Cloud
• Ability to integrate into on-premise IT
• Cloud Federation
7. Interoperability
• Service portability
• Data portability
8. Portability Between Providers
9. Ensuring Fair Competition In The Market
Cloud Security Challenges (figure labels): Data Confidentiality, Data Integrity, Identity Management, Virtualization, Audit & Compliance, Privacy, Data Security, Data Locality, Network Security, Trust, Access Control
CSA Top Cloud Security threats
No. CSA Top Threat
1 Abuse and Nefarious Use of Cloud Computing
2 Insecure Interfaces and APIs
3 Malicious Insiders
4 Data Loss or Leakage
5 Account or Service Hijacking
6 Shared Technology Vulnerabilities
7 Inadequate Infrastructure design and Planning
8 Abuse of Cloud Services
9 Cloud related malware / Denial of Service
Security Challenges in SaaS (figure labels): Data Breaches, Network Security, Data Integrity, Data Segregation, Data Confidentiality, Authentication, Data Backup, Data Access, Web Application Security, Data Locality, Identity Management & SSO
Security as a Service (SECaaS) for SaaS (figure labels): services offered to Cloud Service Consumers: Email Security aaS, Web content filtering aaS, Access control aaS, Identity aaS, Network Security aaS, Security assessment aaS, Encryption aaS, Data protection aaS
Access Control in Cloud (Area of Focus)
Access control’s role is to control and limit the actions or operations in the Cloud systems that are performed by a user on a set of resources.
Authorization Issues in Cloud

Access Control Issues
• What access control model is used and how well does it meet a customer's requirements?
• Where do user accounts reside, how are they provisioned and de-provisioned, and how is the integrity of the information protected?
• What support is provided for delegated administration by policy administration services?
Challenging Authorization Problems (Cloud Perspective)
• Cloud subscribers often do not have sufficient control over technical access policy decision-making and enforcement in the cloud infrastructure.
• Most cloud providers do not offer subscriber-configurable policy enforcement points (e.g. based on the OASIS XACML standard).
• Cloud providers naturally cannot pre-configure subscriber-specific policies for subscribers (because they are subscriber-specific).
Challenging Authorization Problems (Cloud Perspective, continued)
• Managing and creating Cloud subscriber access policies is the biggest challenge around authorization.
• There is no common standard policy specification format adopted yet for cloud.
• Traditional access control models have some specific parameters suitable only for particular scenarios, and granular access control is yet a key requirement.
• Translating policies into security implementation gets more time-consuming, expensive, and error-prone.
Access Control as a Service (ACaaS)
• There should be a generic framework for the applications of Cloud consumers that can be customized by consumers according to their own security needs, alongside the basic security features provided by Cloud providers.
• This framework should encompass multiple models and should have the ability to add any access control model within the framework based on the security requirements of the consumer.
Project Statements
We aim to provide Access Control-as-a-Service (ACaaS) for Software-as-a-Service (SaaS) layer applications by incorporating a variety of reliable and well-known access control models as Cloud based services.
The framework will be capable of handling a wide variety of Cloud Service Consumers (CSC) and intends to minimize the chance of data loss and corruption by unauthorized users.
Final deliverables include the implementation of an extensible API that is capable of managing and controlling access for SaaS hosted Cloud applications and resources.
Project Significance
• Extensibility: incorporate multiple access control models pertaining to the needs of Cloud service consumers.
• Generic: act independently as an access control layer for Cloud applications.
• Open-source access control solution: perform research and analysis on upcoming and existing access control models w.r.t. security challenges of Cloud.
• Manageability: ability to define, manage and access the access control rules.
• Policy Specification Format: use of a common access control policy language (XACML).
• Development and Support for Third Party Plug-ins.
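To make the subscriber-configurable, pluggable-model idea concrete, here is an added Python example (not the project's code): a tenant-specific XACML-style policy is evaluated by an ABAC model registered with a deny-by-default decision point, and any object exposing decide() can be plugged in the same way. The simplified XML shape, the class names and the request layout are assumptions, not the OASIS XACML schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy for one Cloud Service Consumer (tenant), in a
# simplified XACML-like shape (assumption; not the full OASIS schema).
SUBSCRIBER_POLICY = """
<Policy PolicyId="tenant-finance" RuleCombiningAlg="deny-overrides">
  <Rule RuleId="analysts-read-reports" Effect="Permit">
    <Match Category="subject" AttributeId="role" Value="analyst"/>
    <Match Category="resource" AttributeId="type" Value="report"/>
    <Match Category="action" AttributeId="id" Value="read"/>
  </Rule>
  <Rule RuleId="no-export-from-outside" Effect="Deny">
    <Match Category="action" AttributeId="id" Value="export"/>
    <Match Category="environment" AttributeId="network" Value="external"/>
  </Rule>
</Policy>
"""

class AbacModel:
    """Pluggable ABAC model: a Rule applies only if every Match holds."""
    def __init__(self, policy_xml):
        self.root = ET.fromstring(policy_xml)

    @staticmethod
    def _matches(rule, request):
        # request is {category: {attribute_id: value}}; an empty target matches all
        return all(request.get(m.get("Category"), {}).get(m.get("AttributeId"))
                   == m.get("Value") for m in rule.findall("Match"))

    def decide(self, request):
        effects = [r.get("Effect") for r in self.root.findall("Rule")
                   if self._matches(r, request)]
        if not effects:
            return "NotApplicable"
        if self.root.get("RuleCombiningAlg") == "deny-overrides":
            return "Deny" if "Deny" in effects else "Permit"
        return "Permit" if "Permit" in effects else "Deny"  # permit-overrides

class PolicyDecisionPoint:
    """Framework core: any object exposing decide() can be registered per tenant."""
    def __init__(self):
        self.models = {}

    def register(self, tenant, model):
        self.models[tenant] = model

    def authorize(self, tenant, request):
        # Deny by default: unknown tenant, NotApplicable and Deny all refuse access.
        model = self.models.get(tenant)
        return model is not None and model.decide(request) == "Permit"

def make_request(role, action, network, resource_type="report"):
    """Constructed request in the {category: {attribute: value}} shape."""
    return {"subject": {"role": role}, "resource": {"type": resource_type},
            "action": {"id": action}, "environment": {"network": network}}
```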