Cross-domain IDMS for Cloud Environment

DESCRIPTION

Umme Habiba, March 17, 2014. Cross-domain IDMS for Cloud Environment. Healthcare as a Case-study. Thesis Final Defense. Agenda: Introduction, Motivation, Contributions, Research Methodology, Implementation, Demonstration, Future Directions, References. Identity: Core of Every Service. PowerPoint PPT Presentation.

TRANSCRIPT

Page 1: Cross-domain IDMS for Cloud Environment

Cross-domain IDMS for Cloud Environment

Umme Habiba, March 17, 2014

Healthcare as a Case-study. Thesis Final Defense

Page 2: Cross-domain IDMS for Cloud Environment

Department of Computing, School of Electrical Engineering and Computer Sciences, NUST - Islamabad

Agenda

Introduction
Motivation
Contributions
Research Methodology
Implementation
Demonstration
Future Directions
References

Page 3: Cross-domain IDMS for Cloud Environment

Identity: Core of Every Service

User Provisioning & De-provisioning
Authn & Authz
Federated Identity Management
Single-Sign-On
Self-service
Access Right Delegation
Identity Info. Synchronization
Auditing and Reporting

Page 4: Cross-domain IDMS for Cloud Environment

Challenges for IDMSs in Cloud

Identity Management System, surrounded by its open challenges:
Self-Service
Authorization
Authentication
Synchronization
Interoperability
Access Right Delegation

Page 5: Cross-domain IDMS for Cloud Environment

Literature Review - State-of-the-Art

Industrial Perspective:
UnboundID; Hitachi ID; Oracle Identity Management; Ping Identity; RSA SecurID; Kantara Initiative; Okta; Symplified - The Cloud Security Experts

Security Perspective:
Conference & journal papers on Cloud Identity Management; the pressing need to secure identity credentials at the Cloud; international IDMS security standards; emerging security trends; widely adopted security standards; best practices; state-of-the-art technologies

Page 6: Cross-domain IDMS for Cloud Environment

Research Methodology

Page 7: Cross-domain IDMS for Cloud Environment

Research Methodology (cont.)

Problems

1. Assessment criterion for Cloud IDMSs

2. Cloud IDMS Security Issues & Solutions: A Taxonomy

3. Cross-domain IDMS for Cloud

Page 8: Cross-domain IDMS for Cloud Environment

Problem Statement

In order to address the security, interoperability and privacy concerns in the Cloud domain, there is a need for a cross-domain Identity Management System for the Cloud environment that can ensure seamless integration and utilization of identity credentials. In addition to basic identity management features, it must provide advanced security features, including access right delegation, synchronization and self-service, in Cloud computing scenarios.

Page 9: Cross-domain IDMS for Cloud Environment

Contribution

Our contribution is twofold:
1. Establishment of a benchmark (assessment criteria) to ensure the security of identity credentials at the Cloud.
2. Design and implementation of a cross-domain Identity Management System for the Cloud, in particular by enhancing the open SCIM (System for Cross-domain Identity Management) standard.

Page 10: Cross-domain IDMS for Cloud Environment

Research Perspective

Survey Paper (Status - Published)
Umme Habiba, A. Ghafoor Abbasi, Rahat Masood, M. Awais Shibli, "Assessment Criteria for Cloud Identity Management Systems", Proceedings of the 19th IEEE Pacific Rim International Symposium on Dependable Computing (PRDC-2013), Vancouver, BC, Canada, December 2-4, 2013.

Conceptual Paper (Status - Accepted)
Umme Habiba, Rahat Masood, M. Awais Shibli, "Cross-domain Identity Management Systems for Cloud", Proceedings of the 22nd Euromicro International Conference on Parallel, Distributed and Network-based Processing (PDP-2014), Turin, Italy, February 12-14, 2014.

Journal Paper (Status - Under Review)
Umme Habiba, Rahat Masood, M. Awais Shibli, Yumna Ghazi, "Cloud Identity Management Security Issues & Solutions: A Taxonomy", under review at IEEE Transactions on Cloud Computing (TCC-SI), submitted January 15, 2014.

Page 11: Cross-domain IDMS for Cloud Environment

Conference Paper - Assessment Criteria

Features assessed (columns, rated High / Medium / Low): Authentication (Authn), Authorization (Authz), Identity Federation (IdFed), Consistent Experience (ConsExp), Self-Service (SelfSvc), Audit & Compliance (Audit), Limited Disclosure (LtdDisc), Multiple Operators & Technology (MultiOp). Bracketed numbers refer to the reference list.

Category / Identity Management System                              Authn   Authz   IdFed   ConsExp SelfSvc Audit   LtdDisc MultiOp

Isolated IDMS
  A Strong User Authentication Framework for CC [11]               High    Low     High    Low     Medium  Low     High    Low
  Protection of Identity Info. in CC without TTP [8]               Medium  Low     High    High    Low     Medium  High    Low

Centralized IDMS
  An Identity-Centric Internet: Identity in the Cloud, IDaaS [9]   High    High    High    High    High    Medium  Low     High
  Distributed Identity for Secure Service Interaction [10]         Medium  High    High    High    High    Low     High    High

Federated IDMS
  Security and Cloud Computing: ICIMI [1]                          High    Low     High    Low     Low     Low     High    High
  Strengthen Cloud Computing Security with FIM Using HIBC [2]      High    Low     High    Low     Low     Low     High    High
  Chord Based IdM for e-Healthcare Cloud Apps [3]                  High    High    High    Low     Low     Low     High    High

Anonymous IDMS
  An Identity-Based OTP Scheme with Anonymous Authentication [14]  Medium  High    High    Low     Medium  Low     High    Low
  UIMM Based on Anonymous Credentials [15]                         Medium  High    Low     High    High    Low     High    High
  An Entity-centric Approach for Privacy & IDM in CC [16]          Medium  Low     Low     Low     Low     Medium  High    Low

Page 12: Cross-domain IDMS for Cloud Environment

Implementation Perspective

Implement a secure Identity Management System based on the underlying SCIM protocol to ensure:
Credentials synchronization across CSPs
User-centricity
Communication-level security

Page 13: Cross-domain IDMS for Cloud Environment

SCIM features by UnboundID

Page 14: Cross-domain IDMS for Cloud Environment

Why the UnboundID SCIM SDK?

Widely adopted
Open source
Customizable
User-friendly
Generic

Page 15: Cross-domain IDMS for Cloud Environment

Development Toolkit

NetBeans IDE 7.3.1 (Java)
MySQL Workbench 5.2 CE
Apache Maven 3.0.5
Jetty web server
UnboundID SCIM SDK
Java Crypto API
RESTful architecture style
JSON (data exchange format)
Log4j API

Page 16: Cross-domain IDMS for Cloud Environment

Identity System – Workflow

Page 17: Cross-domain IDMS for Cloud Environment

Access Right Delegation – Workflow

Page 18: Cross-domain IDMS for Cloud Environment

Detailed Workflow

Two Cloud Service Providers, each in its own domain on its own Jetty server:
CSP1 - Domain 1 - Jetty Server - //localhost:8080
CSP2 - Domain 2 - Jetty Server - //localhost:8081

Components on each side of the flow: SCIM SDK; SCIM Service; SCIM Endpoint; SCIM Method; REST-based SCIM Endpoint; Decrypt; Unmarshaller; MySQL DB; Response; CSC.

Page 19: Cross-domain IDMS for Cloud Environment

Goals - IDMS perspective

Credentials sync. across CSPs
Communication-level security
Interoperability
User-centricity (Privacy)

Page 20: Cross-domain IDMS for Cloud Environment

Protocol Enhancements

UnboundID SCIM SDK (baseline):
Single SCIM Endpoint
SCIM Schema
SDK for CRUD

Enhanced SCIM:
GUI
Encryption
JSON Marshaller/Unmarshaller
RESTful architecture style
Dual SCIM Endpoint
Synchronization
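The two-CSP flow described on the Implementation Perspective, Detailed Workflow and Protocol Enhancements slides, as an added example that is not the thesis's code (the thesis used Java, the UnboundID SCIM SDK, Jetty and MySQL; this is a stdlib Python model with in-memory stores). Assumptions: the `/Users` resource paths and the `CSP` class are the example's own; `urn:scim:schemas:core:1.0` is the SCIM 1.1 core schema URN of the UnboundID SDK era; the per-endpoint keys and the SHAKE256-keystream plus HMAC-SHA256 encrypt-then-MAC construction are placeholders for the key management server and the Java Crypto API cipher on the slides; the patient record is constructed.

```python
"""Added example (not the thesis code): two SCIM endpoints, a JSON (un)marshaller that
seals sensitive attributes in transit, and cross-domain synchronisation of provisioning,
self-service update and de-provisioning. Stdlib only; per-endpoint keys are a placeholder
(the slides list key management as future work)."""
import hashlib, hmac, json, os, uuid

SCIM_CORE = "urn:scim:schemas:core:1.0"  # SCIM 1.1 core schema URN (UnboundID SDK era)
SENSITIVE = ("password",)                # attributes never sent in the clear (assumption)

def seal(key, plaintext):
    """Encrypt-then-MAC -> hex(nonce | ciphertext | tag). SHAKE256(key||nonce) keystream and
    HMAC-SHA256 tag: a stdlib stand-in for AES-GCM from the Java Crypto API."""
    nonce = os.urandom(16)
    ks = hashlib.shake_256(key + nonce).digest(len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return (nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()).hex()

def open_sealed(key, token):
    """Verify the tag before decrypting; any bit flipped in transit is rejected."""
    raw = bytes.fromhex(token)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: sealed attribute was altered")
    return bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct))))

def marshal(key, user):
    """JSON marshaller: SCIM User -> wire body, sensitive attributes sealed for the receiver."""
    out = {k: seal(key, v.encode()) if k in SENSITIVE else v for k, v in user.items()}
    return json.dumps(dict(out, schemas=[SCIM_CORE]), sort_keys=True)

def unmarshal(key, body):
    """JSON unmarshaller: wire body -> SCIM User; schema checked, sealed attributes opened."""
    user = json.loads(body)
    if SCIM_CORE not in user.get("schemas", []):
        raise ValueError("unsupported SCIM schema")
    return {k: open_sealed(key, v).decode() if k in SENSITIVE else v for k, v in user.items()}

class CSP:
    """One provider's REST SCIM endpoint (stands in for the Jetty server + MySQL DB)."""
    def __init__(self, base_url, key):
        self.base_url, self.key = base_url, key
        self.db = {}      # id -> SCIM User, stored after decryption as on the workflow slide
        self.peer = None  # the other domain's endpoint (dual SCIM endpoint)

    def handle(self, method, path, body=None, propagate=True):
        """POST /Users, PUT /Users/{id}, DELETE /Users/{id}; returns (status, resource)."""
        parts = path.strip("/").split("/")
        if parts[0] != "Users":
            return 404, None
        if method == "POST":
            user = unmarshal(self.key, body)
            user.setdefault("id", uuid.uuid4().hex[:12])  # the origin CSP assigns the id
            self.db[user["id"]] = user
            self._sync("POST", "/Users", user, propagate)
            return 201, user
        uid = parts[1] if len(parts) > 1 else None
        if uid not in self.db:
            return 404, None
        if method == "PUT":
            self.db[uid] = dict(unmarshal(self.key, body), id=uid)
            self._sync("PUT", path, self.db[uid], propagate)
            return 200, self.db[uid]
        if method == "DELETE":
            del self.db[uid]
            self._sync("DELETE", path, None, propagate)
            return 200, None
        return 405, None

    def _sync(self, method, path, user, propagate):
        """Synchronisation: replay the change on the peer once; propagate=False stops loops."""
        if propagate and self.peer is not None:
            body = marshal(self.peer.key, user) if user is not None else None
            self.peer.handle(method, path, body, propagate=False)

def run_workflow():
    """Provision -> self-service update -> tampered message -> de-provision; returns checks."""
    csp1 = CSP("http://localhost:8080", os.urandom(32))  # placeholder key distribution
    csp2 = CSP("http://localhost:8081", os.urandom(32))
    csp1.peer, csp2.peer = csp2, csp1
    patient = {"userName": "p.khan", "password": "s3cret-Pa55"}  # constructed sample record
    wire = marshal(csp1.key, patient)
    status, created = csp1.handle("POST", "/Users", wire)
    uid = created["id"]
    provisioned = (status, csp1.db == csp2.db, uid in csp2.db)
    csp1.handle("PUT", f"/Users/{uid}", marshal(csp1.key, dict(created, password="n3w-Pa55word")))
    update_synced = csp2.db[uid]["password"] == "n3w-Pa55word"
    body = json.loads(marshal(csp2.key, csp2.db[uid]))
    body["password"] = body["password"][:-1] + ("0" if body["password"][-1] != "0" else "1")
    try:
        csp2.handle("PUT", f"/Users/{uid}", json.dumps(body))  # one nibble of the tag flipped
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    csp1.handle("DELETE", f"/Users/{uid}")
    return {"provisioned": provisioned, "update_synced": update_synced,
            "tamper_rejected": tamper_rejected,
            "deprovisioned": uid not in csp1.db and uid not in csp2.db,
            "password_hidden_on_wire": json.loads(wire)["password"] != patient["password"]}

if __name__ == "__main__":
    print(run_workflow())
```

Running `run_workflow()` walks the five categories on the Results slide (provisioning, de-provisioning, synchronization, self-service, encryption/decryption) and returns one check per category. The `propagate` flag is what keeps two mutually peered endpoints from replaying a change back and forth, and the tampered PUT shows the receiving endpoint rejecting a modified ciphertext before anything reaches its store; both are the sort of check the 15 test cases would need to cover.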

Page 21: Cross-domain IDMS for Cloud Environment

Evaluation

Security
Functionality

Page 22: Cross-domain IDMS for Cloud Environment

Functionality Perspective

Aspects of Evaluation:
Correctness and Effectiveness
Leading Versus Lagging Indicators
Organizational Security Objectives
Qualitative and Quantitative Properties
Measurements of the Large Versus Small

Page 23: Cross-domain IDMS for Cloud Environment

Aspects of Evaluation (cont.)

Security Guidance for Critical Areas of Focus in Cloud Computing V3.0 (Cloud Security Alliance):
Domain 1: Cloud Computing Architectural Framework
Governing in the Cloud
Domain 2: Governance and Enterprise Risk Management
. . .
Domain 10: Application Security
Domain 11: Encryption and Key Management
Domain 12: Guidance for Identity and Access Management (IAM)
Domain 13: Virtualization
Domain 14: Security as a Service

Page 24: Cross-domain IDMS for Cloud Environment

Results -- Test Cases

Columns: number of test cases planned, executed, executed successfully, and defects found.

Category                           Planned   Executed   Passed   Defects
Provisioning Test Cases               3          3         3        0
De-Provisioning Test Cases            3          3         3        0
Synchronization Test Cases            3          3         3        0
Self-Service Test Cases               3          3         3        0
Encryption/Decryption Test Cases      3          3         3        0
Total                                15         15        15        0

Page 25: Cross-domain IDMS for Cloud Environment

Security Perspective - SCYTHER

Page 26: Cross-domain IDMS for Cloud Environment

Enhanced SCIM Protocol – Healthcare as a Case-study

Application Layer:
SCIM Patient Interface - V/U My Profile
SCIM Doctor Interface - V/U My Profile; V/U Patient Details
SCIM Administrator Interface - User Provisioning, De-provisioning, A/C Management

Business Logic Layer:
SCIM SDK; Encryption/Decryption Module; Key Management Server (Encryption Key); Decryption; Posted to CSP2

Storage Layer:
MySQL DB

Page 27: Cross-domain IDMS for Cloud Environment

Future Research Directions

Access right delegation is among our main system components. However, the presented system does not consider delegation chaining, which is typically required in real-world environments; this is one of the possible future research directions in cross-domain identity management.

Encryption of identity credentials raises key management and key storage concerns that need to be addressed. Future research should focus on defining proper key generation and management mechanisms.

Sharing and storing sensitive identity information at third-party CSPs raises issues such as the lack of trusted security and privacy mechanisms, and therefore requires a trust establishment technique. Integration of a trust establishment module into the proposed system is yet another significant research direction that should be explored in detail.

Page 28: Cross-domain IDMS for Cloud Environment

References

1. Antonio Celesti, Francesco Tusa, Massimo Villari and Antonio Puliafito, "Security and Cloud Computing: InterCloud Identity Management Infrastructure", Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, Larissa, Greece, 2010.

2. Liang Yan, Chunming Rong and Gansen Zhao, "Strengthen Cloud Computing Security with Federal Identity Management Using Hierarchical Identity-Based Cryptography", Springer 1st International Conference on Cloud Computing, Beijing, China, 2009.

3. Il Kon Kim, Zeeshan Pervez, Asad Masood Khattak and Sungyoung Lee, "Chord Based Identity Management for e-Healthcare Cloud Applications", 10th Annual International Symposium on Applications and the Internet, IEEE, Seoul, Korea, 2010.

4. David W. Chadwick and Matteo Casenove, "Security APIs for My Private Cloud: Granting access to anyone, from anywhere at any time", Third IEEE International Conference on Cloud Computing Technology and Science, Athens, Greece, 2011.

5. Anu Gopalakrishnan, "Cloud Computing Identity Management", SETLabs Briefings Vol. 7 No. 7, Business Innovation through Technology, 2009.

6. Yang Zhang and Jun-Liang Chen, "A Delegation Solution for Universal Identity Management in SOA", IEEE Transactions on Services Computing, Vol. 4, No. 1, January-March 2011.

7. R. Sánchez et al., "Enhancing Privacy and Dynamic Federation in IdM for Consumer Cloud Computing", IEEE Transactions on Consumer Electronics, Vol. 58, No. 1, February 2012.

8. Rohit Ranchal, Bharat Bhargava, Lotfi Ben Othmane and Leszek Lilien, "Protection of Identity Information in Cloud Computing without Trusted Third Party", 29th IEEE International Symposium on Reliable Distributed Systems, New Delhi, India, 2010.

Page 29: Cross-domain IDMS for Cloud Environment

References (cont.)

9. Mikaël Ates, Serge Ravet, Abakar Mohamat Ahmat and Jacques Fayolle, "An Identity-Centric Internet: Identity in the Cloud, Identity as a Service and other delights", Sixth International Conference on Availability, Reliability and Security, Vienna, Austria, 2011.

10. Mohammad M. R. Chowdhury and Josef Noll, "Distributed Identity for Secure Service Interaction", Proceedings of the Third International Conference on Wireless and Mobile Communications (ICWMC'07), Guadeloupe, 2007.

11. Amlan Jyoti Choudhury, Pardeep Kumar, Mangal Sain, Hyotaek Lim and Hoon Jae Lee, "A Strong User Authentication Framework for Cloud Computing", IEEE Asia-Pacific Services Computing Conference, Jeju Island, South Korea, 2011.

12. A. Albeshri and W. Caelli, "Mutual Protection in a Cloud Computing Environment", IEEE 12th International Conference on High Performance Computing and Communications, 2010.

13. Yuan Cao and Lin Yang, "A Survey of Identity Management Technology", IEEE International Conference on Information Theory and Information Security, 2010.

14. Song Luo, Jianbin Hu and Zhong Chen, "An Identity-Based One-Time Password Scheme with Anonymous Authentication", International Conference on Networks Security, Wireless Communications and Trusted Computing, Wuhan, Hubei, China, 2009.

15. Yang Zhang and Jun-Liang Chen, "Universal Identity Management Model Based on Anonymous Credentials", IEEE International Conference on Services Computing, Miami, Florida, 2010.

16. Pelin Angin, Bharat Bhargava, Mark Linderman and Leszek Lilien, "An Entity-centric Approach for Privacy and Identity Management in Cloud Computing", 29th IEEE International Symposium on Reliable Distributed Systems, New Delhi, India, 2010.

Page 30: Cross-domain IDMS for Cloud Environment

Many thanks to my thesis supervisor and committee members