Identity Providers-as-a-Service built as Cloud-of-Clouds: challenges and opportunities

Diego Kreutz and Eduardo Feitosa

FedCSIS/SODIS 2014, Warsaw, Poland


Outline

Resilient & Secure IdPs

Motivation & Goals

Deployments & Trade Offs

Open Roads & Opportunities

Experimental Evaluations

Common Threats and Challenges

Cyber Crimes/Attacks

Software Bugs & Vulnerabilities

Logical Failures

Vulnerabilities and Threats in IdPs

Vulnerability/Support                              RADIUS  OpenID
Tolerates crash faults (e.g., back-end clusters)   YES     YES
Tolerates arbitrary faults                         NO      NO
Tolerates infrastructure outages                   NO      NO
Tolerates DDoS attacks                             NO      NO
Risk of common vulnerabilities                     HIGH    HIGH
Risk of sensitive data leakage                     HIGH    HIGH
Diverse security-related vulnerabilities           YES     YES
Susceptible to resource depletion attacks          YES     YES

What can we do about it?

Approach 1: try to fix everything!?

Approach 2: increase the system’s resilience and trustworthiness

Hybrid system architectures, specialized components, clouds, …

Current State of Affairs

[Figure: level of trust plotted against fault tolerance/resilience, with points C1 to C6]

Goals

Develop new hybrid system architectures.

Use cloud and multi-cloud environments to increase the resilience and trustworthiness of critical systems.

Reduce costs and foster new business models.

Cloud: some benefits

- Elasticity of resources
- Cost-effectiveness
  - Reduce CAPEX and OPEX for business
- Efficient and productive tools and systems
- Protection against high scale attacks

Cloud: some challenges

- Failures: are still high
- Performance
  - Hard to measure
  - Not yet enough for HPC apps
- Price models
  - No standards
  - No easy way to measure and compare
- Confidentiality & Privacy
  - Cloud provider has access to your data

Multi-Cloud: some benefits

- Increasing reliability
  - Up to three nines
- Lower costs
- No vendor lock-in
- Better privacy and confidentiality
  - Multi-cloud storage crypto solutions
- Improved performance
- Diversity of attack defenses

Multi-Cloud: challenges

- Inter-cloud high network latency
- Network performance, reliability and costs
- Privacy and confidentiality
  - Yet, still easier to solve than in a single cloud
- Deployment and management costs
  - Different technologies
  - Diversity of tools
  - Lack of standardized interoperability

Multi-DCs/Cloud Trade Offs

[Figure: three deployments of the resilient service, each with three replicas (Physical Machine, Hypervisor, VM, Resilient Service): Single Data Center (Multiple Physical Machines); Multiple Data Centers (Single Cloud Provider); Multiple Cloud Providers. Compared on: Overall System Performance; High Availability (towards 3 nines); Resistance to Attacks and Vulnerabilities; Susceptibility to Physical and Logical Failures]


OpenID: traditional architecture

[Figure: Client / Web Browser, Service Provider (Relying Party), OpenID server and OpenID backends (SQL, LDAP); label: steps 4 and 5]

ROpenID Architecture

[Figure: ROpenID architecture. Labels: User Browser / Certificate / Attributes; Service Providers (SPs) / Relying Parties (RPs); IdP Gateways; IdP Service Replicas; Resilient and Secure IdP; Secure Authentication (confidentiality); Default Path; Alternative Path]

- Arbitrary faults:
  - Between the CIS and gateway

[Figure: fault detection points between Client (Cx), CIS (Cx), Service (Sx) and Gateway (Gx). Labels: Timeout A; Timeout B; Corrupted response from replica Sx; Corrupted response from replica Gx; Byzantine behavior from replica Cx]

ROpenID Fault Detection Mechanisms

- Timeouts:
  - Between client and service
  - Between service and gateway
- Corrupted messages detection
  - Between service and client
  - Between gateway and service
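An added example, not part of the original slides: a Python illustration of how a client could apply the two mechanisms above to replies from IdP service replicas. The HMAC-SHA256 tags, the 200 ms timeout, the f + 1 matching-reply rule and the replica names S1 to S4 are assumptions made for the example; the reply data is constructed.

```python
import hashlib
import hmac
from collections import Counter

F = 1             # assumed number of faulty replicas tolerated (n = 3f + 1 = 4)
TIMEOUT_MS = 200  # assumed client-side timeout, constructed value


def tag(key: bytes, body: bytes) -> str:
    """HMAC-SHA256 tag a replica attaches to its reply (assumed scheme)."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def classify(reply: dict, keys: dict) -> str:
    """Label one replica reply as 'timeout', 'corrupted' or 'ok'."""
    if reply["latency_ms"] is None or reply["latency_ms"] > TIMEOUT_MS:
        return "timeout"
    expected = tag(keys[reply["replica"]], reply["body"])
    if not hmac.compare_digest(expected, reply["tag"]):
        return "corrupted"
    return "ok"


def decide(replies: list, keys: dict, f: int = F):
    """Accept a body only if f + 1 valid replies agree; return it with verdicts."""
    verdicts = {r["replica"]: classify(r, keys) for r in replies}
    votes = Counter(r["body"] for r in replies if verdicts[r["replica"]] == "ok")
    accepted = next((b for b, n in votes.most_common() if n >= f + 1), None)
    for r in replies:
        if verdicts[r["replica"]] == "ok" and accepted is not None and r["body"] != accepted:
            verdicts[r["replica"]] = "byzantine"  # valid tag, wrong value
    return accepted, verdicts


def sample():
    """Constructed keys and replies for four replicas S1..S4."""
    keys = {name: f"key-{name}".encode() for name in ("S1", "S2", "S3", "S4")}
    ok = b"auth=granted;user=alice"
    replies = [
        {"replica": "S1", "body": ok, "tag": tag(keys["S1"], ok), "latency_ms": 35},
        {"replica": "S2", "body": ok, "tag": tag(keys["S2"], ok), "latency_ms": 41},
        {"replica": "S3", "body": ok, "tag": "00" * 32, "latency_ms": 38},
        {"replica": "S4", "body": b"", "tag": "", "latency_ms": None},
    ]
    return keys, replies


if __name__ == "__main__":
    print(decide(*sample()))
```

With the constructed replies, S3 is flagged as corrupted and S4 as timed out, and the client still accepts the value reported by S1 and S2.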

Main Building Blocks

1. Virtual Machines
2. Trusted Computing Base
   - e.g. hypervisors
3. Trusted Components
   - e.g. smart cards, TPMs, isolated VMs, secured PCs
4. Replication & Recovery Protocols
   - e.g. BFT-SMaRt and ITVM
5. Diversity
   - e.g. different operating systems
6. Strong mutual authentication
   - e.g. EAP-TLS

What is a TC in our model?

A trusted/secure component can be “any” device capable of ensuring the data and operation confidentiality of the target system/environment.

- Smart Cards
- TPM
- Tamper Resistant FPGA
- A Highly Secured (shielded) Computer
- Virtual TPM (e.g. vTPM)
- Secure Hypervisor (e.g. sHyper)


ROpenID Deployments


Deployments & Trade Offs

[Figure: three deployments (a), (b) and (c) of the resilient service replicas (VM1 to VM3), from three VMs on one physical machine and hypervisor to one VM per physical machine and hypervisor, placed in Administrative Domains 1 to 3. Compared on: Performance; Availability. Annotation: Susceptible to depletion attacks]

[Figure: three deployments of the resilient service, each with three replicas (Physical Machine, Hypervisor, VM, Resilient Service): Single Data Center (Multiple Physical Machines); Multiple Data Centers (Single Cloud Provider); Multiple Cloud Providers. Compared on: Overall System Performance; High Availability (towards 3 nines); Resistance to Attacks and Vulnerabilities; Susceptibility to Physical and Logical Failures]

Wait! What about resource depletion attacks?

In virtualized environments, how can malicious VMs affect the execution of non-malicious VMs?

Resource Depletion Attacks

[Figure: ROpenID throughput under CPU depletion attacks. X axis: Number of OpenID clients (10, 20, 40, 80, 100); Y axis: Number of authentications/s (200 to 1600); series: FF-Exec, 3vCPUs-Attack, 6vCPUs-Attack, 12vCPUs-Attack]

[Figure: ROpenID throughput under attacks. X axis: Number of OpenID clients (10, 20, 40, 80, 100); Y axis: Number of authentications/s (200 to 1600); series: QuintaVMs, TCP-ACK-A, TCP-SYN-A, TCP-SYN-ACK-A, TCP-SSH-A]


ROpenID Evaluation

Average Latency: 78.360ms

Average Latency: 87.343ms

Average Latency: 32.103ms

Environment  vCPU  ECUs  MEM   Disk      Network
UFAM-VMs     2     ---   2GB   20GB      Gigabit
Amazon-EC2   4     13    15GB  2x40 SSD  High Speed
Amazon-DCs   4     13    15GB  2x40 SSD  Public WAN

# of clients  UFAM-VMs  Amazon-EC2  Amazon-DCs
20            867.73    1969.17     26.66
40            984.59    2166.58     50.72
80            995.12    2244.30     92.42
100           960.11    2244.04     114.05


Multi-DCs/Clouds deployments

[Figure: IdP replicas (each labelled IdP-R2), gateways GW1 and GW2 (Colocation), and service providers/relying parties SP1/RP1 and SP2/RP2]

Scaling up ROpenID

Environment  20 clients  40 clients  80 clients  100 clients
UFAM-VMs     867         984         995         960
Amazon-EC2   1969        2166        2244        2444
Amazon-DCs   26          50          92          114

Environment  10k users  100k users  500k users  1M users
UFAM-VMs     4.16%      41.66%      208.30%     416.61%
Amazon-EC2   1.78%      17.82%      89.11%      178.22%
Amazon-DCs   35.07%     350.72%     1753.61%    3507.23%

Cost/Users    10k users  100k users  500k users  1M users
IaaS          $350.40    $3,507.65   $17,531.90  $35,083.80
Service       $550.37    $5,503.70   $27,518.50  $55,037.00
Total cost/y  $900.77    $9,011.35   $45,060.40  $90,120.80

Technical and Business Challenges

- Efficient networks
  - Low latency
  - High throughput
- Cost-effective three nines
  - Combined multi-cloud solutions
- Confidentiality and Privacy
  - Combined multi-cloud solutions

Multi-DCs/Clouds Efficient Networks

Final remarks on multi-cloud IdPs

- New business opportunities for
  - Cloud providers
  - Startups
- Research open roads & challenges
  - Efficient WANs
  - Telco Clouds
  - Multi-cloud elasticity
  - Multi-cloud interoperability
  - Confidentiality & Privacy

Acknowledgments

SecFuNet Project (FP7-ICT-2011-EU-Brazil – STREP number 288349)
