Authorization Federation in Multi-Tenant Multi-Cloud IaaS

Navid Pustchi, Dissertation Defense
Department of Computer Science, University of Texas at San Antonio
Institute for Cyber Security
Advisor: Dr. Ravi Sandhu. Co-Advisor: Dr. Ram Krishnan.
Dr. Gregory B. White, Dr. Matthew Gibson, Dr. Palden Lama
World-Leading Research with Real-World Impact!

Slide 1: Moving to Cloud
- Flexibility
- Reliability
- Mobility
- Accessibility
- Security

Slide 2: Why Federation?
- A large organization with multiple tenants.
- Federation between distinct organizations.
Diagram: a service provider hosting a CERN Software Development tenant, a second Software Development tenant and an Acme Financial tenant.

Slide 3: Why Multi-Cloud?
- A federation consists of multiple clouds or multiple tenants.
Diagram: ACME's multi-cloud spans a London private cloud, a Shanghai private cloud and the Amazon public cloud.

Slide 4: Problem and Thesis Statement
Problem statement: Current access control models provided by cloud platforms are not sufficient to cultivate effective peer-to-peer and circle-of-trust federation between tenants in a cloud or across multiple cloud platforms. Prior role-based and attribute-based access control models for distributed systems are not effectively applicable to cloud IaaS.
Thesis statement: The problem of authorization federation in multi-tenant cloud IaaS can be partially solved by integrating multiple types of peer-to-peer and circle-of-trust relations between tenants, in cloud and multi-cloud environments, into role-based and attribute-based access control models.

Slides 5-6: What is Cloud Federation?
- Multi-Cloud: a federation of multiple cloud service providers (public or private) in different administrative domains (cloud and domain) to provide complex services at a specified service model (infrastructure, platform or software). Diagram labels: multi-cloud deployment, hybrid cloud, broker, seamless communication.
- Cloud Federation: a federation of cloud service providers and identity providers in order to share their services and resources based on trust agreements. Diagram labels: inter-cloud, inter-cloud broker.
- Hybrid Cloud: a composition of two or more distinct cloud infrastructures (private, community or public) that remain unique entities.

Slide 7: Federation in Cloud (taxonomy)
- Service: heterogeneous or homogeneous
- Platform: heterogeneous or homogeneous
- Trust: circle-of-trust or peer-to-peer
- Identity: authentication or authorization

Slide 8: Service in Cloud Federation
- Heterogeneous service federation, e.g. a Google account (OpenID 2.0) used across heterogeneous services within Google.
- Homogeneous service federation, e.g. eduroam federated network access, OpenStack federation.

Slide 9: Platform in Cloud Federation
- Heterogeneous platform federation: OpenStack federation with AWS (the Amazon public AWS cloud platform with the ICS private OpenStack cloud).
- Homogeneous platform federation: Keystone to Keystone federation (the Rackspace public OpenStack cloud with the ICS private OpenStack cloud).

Slide 10: Peer-to-Peer vs Circle-of-Trust
- Peer-to-peer federation (diagram: Tenant A with Tenant B): trust between a pair of tenants; a specific set of actions between the two tenants; only the trusted tenant is involved.
- Circle-of-trust federation (diagram: Tenants A to F): trust between a group of tenants; similar policies and rules; acceptance of all tenants in the circle.

Slide 11: Authentication vs Authorization
- Authentication federation: authenticating users (and services and applications) in a cloud service provider other than their registered identity provider. Examples: SAML, OAuth, OpenID, SSO. The question answered: is the user the one she claims to be? (OAuth by itself is a delegation framework; it only authenticates a user when paired with an identity layer such as OpenID Connect.)
- Authorization federation: determining the permissions of federated users to access federated resources and services. Examples: SAML, OAuth. The question answered: what permissions should she be granted?
- Authorization federation depends on authenticated users.

Slide 12: Scope of Contribution
Within the cloud federation taxonomy (service: SaaS, PaaS, IaaS; platform: homogeneous, heterogeneous; trust: peer-to-peer, circle-of-trust; identity: authentication, authorization), the contribution is scoped to authorization federation in IaaS, covering both peer-to-peer and circle-of-trust trust.

Slide 13: Scope of Contributed Models
Cloud IaaS
- Multi-Cloud
  o Peer-to-Peer: MC MT-RBAC
- Multi-Tenant Cloud
  o Peer-to-Peer: MT-ABAC
  o Circle-of-Trust, heterogeneous: MT-RABA
  o Circle-of-Trust, homogeneous: MT-RBA

Slide 14: Administrative Domains
- Cloud domain: administration of services (compute, storage, network and identity) and of tenant domains. Cloud bursting.
- Tenant domain: administration of resources (users, groups and projects in OpenStack). Resource federation (cross-tenant access).

Slide 15: Peer-to-Peer Federation Models (section divider: the model tree of slide 13 with the peer-to-peer branch, MC MT-RBAC and MT-ABAC, highlighted)

Slide 16: Peer-to-Peer Federation Trust
Three properties of a trust relation:
- Initiation: bilateral or unilateral
- Direction: bidirectional or unidirectional
- Transitivity: transitive or non-transitive
Tenant-trust is unilateral, unidirectional and non-transitive: it is established by the trustor alone, it implies no trust in the reverse direction, and trusting a tenant does not extend to the tenants that tenant trusts.

Slides 17-21: P2P Trust Types Use Case
UTSA and BoA sign a contract:
- BoA employees can get UTSA courses at discounted rates.
  o UTSA can assign BoA employees to courses.
  o BoA can assign employees to UTSA courses.
- UTSA students can get student accounts at BoA.
- BoA can select courses for its employee students at UTSA.
Each clause is expressed as a tenant-trust relation of a particular type between UTSA and BoA; the slides build the relations up one clause at a time.

Slide 22: Multi-Cloud MT-RBAC (Multi-Cloud Multi-Tenant Role-Based Access Control)
- Homogeneous multi-cloud IaaS (OpenStack).
- Peer-to-peer federation between tenants across cloud service providers.
- Cross-tenant user-role assignments.
- Trust is defined as tenant-trust; the trust type authorizes the user-role assignments.

Slide 23: Keystone to Keystone Federation
OpenStack Paris Summit, Keystone to Keystone Federation, https://www.openstack.org/summit/openstack-paris-summit-2014/session-videos/presentation/keystone-to-keystone-federation (2014).

Slide 24: Multi-Cloud MT-RBAC in OpenStack
Diagram: Cloud 1 (Domain A) and Cloud 2 (Domain B), each with a domain_admin and project-role pairs.

Slide 25: Attribute-Based Access Control (ABAC)
- Attributes are name:value pairs that represent user and resource properties.
- Attributes are associated with users, objects, tenants and contexts.
- Attributes are converted to rights by authorization policies, evaluated at access time over the entity attributes and a set of actions.
Diagram: users (U) carry user attributes (UATT) and objects (O) carry object attributes (OATT); the authorization policy (Auth) takes these attributes and the action set (A) and yields the access decision.

Slide 26: Multi-Tenant Attribute-Based Access Control (MT-ABAC)
- Multi-tenant cloud IaaS.
- Peer-to-peer federation.
- Cross-tenant attribute assignments.
- Trust is defined as tenant-trust; the trust type authorizes the attribute assignments.
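To make the tenant-trust rules of slides 16, 22 and 26 concrete, here is an added Python example; it is not code from the dissertation, from OpenStack Keystone or from any implementation the deck mentions. It models tenant-trust as unilateral, unidirectional and non-transitive relations between tenants that may live in different clouds, and uses the trust type to decide who may make a cross-tenant user-role assignment (MC MT-RBAC) or a cross-tenant attribute assignment (MT-ABAC), then runs a small attribute policy over the result. The two trust-type names, the cloud labels, the user, role and attribute names, the `cs101-slides` object and the sample read policy are all assumptions of this example; the deck's own trust-type labels did not survive extraction.

```python
from dataclasses import dataclass

# Trust-type names are assumptions of this example; the deck's own type labels
# did not survive extraction. Their meaning here:
#   TRUSTOR_ASSIGNS: the trustor may assign the trustee's users to the trustor's
#                    roles/attributes ("UTSA can assign BoA employees to courses")
#   TRUSTEE_ASSIGNS: the trustee may assign its own users to the trustor's
#                    roles/attributes ("BoA can assign employees to UTSA courses")
TRUSTOR_ASSIGNS = "trustor-assigns"
TRUSTEE_ASSIGNS = "trustee-assigns"


@dataclass(frozen=True)
class Tenant:
    name: str
    cloud: str  # hosting cloud service provider; federated tenants may sit in different clouds


@dataclass(frozen=True)
class TenantTrust:
    trustor: Tenant
    trustee: Tenant
    trust_type: str


class Federation:
    def __init__(self) -> None:
        self.trusts: set[TenantTrust] = set()
        self.users: dict[str, Tenant] = {}            # user id -> home tenant
        self.roles: dict[str, Tenant] = {}            # role name -> owning tenant
        self.attrs: dict[str, Tenant] = {}            # attribute name -> owning tenant
        self.user_roles: set[tuple[str, str]] = set()
        self.user_attrs: dict[str, dict[str, str]] = {}
        self.objects: dict[str, dict[str, str]] = {}  # object id -> name:value attributes

    def add_trust(self, trustor: Tenant, trustee: Tenant, trust_type: str) -> None:
        """Tenant-trust is unilateral (only the trustor adds it), unidirectional
        (no reverse edge is created) and non-transitive (no closure is computed)."""
        self.trusts.add(TenantTrust(trustor, trustee, trust_type))

    def trust_types(self, trustor: Tenant, trustee: Tenant) -> set[str]:
        return {t.trust_type for t in self.trusts
                if t.trustor == trustor and t.trustee == trustee}

    def _may_assign(self, assigner: Tenant, user: str, owner: Tenant) -> bool:
        """May `assigner` bind `user` to a role/attribute owned by `owner`?
        Intra-tenant assignment needs no trust. Cross-tenant assignment needs an
        explicit trust of the right type from the owner (trustor) to the user's
        home tenant (trustee); any third tenant is refused."""
        home = self.users[user]
        if home == owner:
            return assigner == owner
        types = self.trust_types(trustor=owner, trustee=home)
        if assigner == owner:
            return TRUSTOR_ASSIGNS in types
        if assigner == home:
            return TRUSTEE_ASSIGNS in types
        return False

    def assign_role(self, assigner: Tenant, user: str, role: str) -> bool:
        """Cross-tenant user-role assignment, the MC MT-RBAC case."""
        if not self._may_assign(assigner, user, self.roles[role]):
            return False
        self.user_roles.add((user, role))
        return True

    def assign_attr(self, assigner: Tenant, user: str, name: str, value: str) -> bool:
        """Cross-tenant attribute assignment, the MT-ABAC case."""
        if not self._may_assign(assigner, user, self.attrs[name]):
            return False
        self.user_attrs.setdefault(user, {})[name] = value
        return True

    def authorize(self, user: str, action: str, obj: str) -> bool:
        """Sample ABAC policy (an assumption of this example): a user may read an
        object when the user's `course` attribute equals the object's `course`."""
        uatt = self.user_attrs.get(user, {})
        oatt = self.objects[obj]
        return action == "read" and "course" in uatt and uatt["course"] == oatt.get("course")


def build_use_case() -> Federation:
    """Constructed scenario from the UTSA/BoA contract on the slides. Cloud labels,
    user ids, role and attribute names are illustrative, not from the deck."""
    fed = Federation()
    utsa = Tenant("UTSA", "private-openstack")
    boa = Tenant("BoA", "public-openstack")
    chase = Tenant("Chase", "public-openstack")
    fed.users.update({"alice@boa": boa, "bob@utsa": utsa, "carol@chase": chase})
    fed.roles.update({"cs101-student": utsa, "student-account": boa})
    fed.attrs["course"] = utsa
    fed.objects["cs101-slides"] = {"course": "cs101", "owner": "UTSA"}
    # Clause 1: UTSA (trustor) opens its courses to BoA employees; either side may assign.
    fed.add_trust(utsa, boa, TRUSTOR_ASSIGNS)
    fed.add_trust(utsa, boa, TRUSTEE_ASSIGNS)
    # Clause 2: BoA (trustor) gives UTSA students accounts. A separate relation is
    # needed because tenant-trust is unidirectional.
    fed.add_trust(boa, utsa, TRUSTOR_ASSIGNS)
    # BoA also trusts Chase; non-transitivity means UTSA's roles must not leak to Chase.
    fed.add_trust(boa, chase, TRUSTOR_ASSIGNS)
    return fed


if __name__ == "__main__":
    fed = build_use_case()
    utsa, boa = fed.roles["cs101-student"], fed.roles["student-account"]
    print(fed.assign_role(utsa, "alice@boa", "cs101-student"))    # True: trustor assigns trustee's user
    print(fed.assign_role(utsa, "bob@utsa", "student-account"))   # False: BoA granted no trustee-assigns
    print(fed.assign_role(utsa, "carol@chase", "cs101-student"))  # False: trust is non-transitive
    print(fed.assign_attr(utsa, "alice@boa", "course", "cs101"))  # True
    print(fed.authorize("alice@boa", "read", "cs101-slides"))     # True
```

The check that matters for a practitioner is the last `return False` in `_may_assign`: a tenant that is neither the owner of the role nor the user's home tenant never gets to assign, however many trusts it holds, and no trust is derived from chains, so the BoA-to-Chase relation cannot move a Chase user into a UTSA role.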

Slide 27: Circle-of-Trust Federation Models (section divider: the model tree of slide 13 with the circle-of-trust branch, MT-RABA for heterogeneous circles and MT-RBA for homogeneous circles, highlighted)

Slide 28: Circle-of-Trust Federation Trust
- Homogeneous circles: multilateral, bidirectional, transitive.
- Heterogeneous circles: multilateral, unidirectional, non-transitive.

Slides 29-31: CoT Trust Types Use Case
UT System circle-of-trust federation (diagram: UTA, UTD and UTSA inside the UT circle):
- UT System students can take courses at any UT campus.
  o UTSA can assign students in UT to its courses.
- Students can access libraries across the UT System.
  o UTA can assign its students to libraries in the UT System.

Slide 32: Multi-Tenant Role-Based Access Control in Circle
- Multi-tenant cloud IaaS.
- Circle-of-trust federation with homogeneous circles.
- Cross-tenant user-role assignments.
- Trust is defined as tenant-trust; the trust type authorizes the user-role assignments.

Slide 33: Circle Use Case
- Heterogeneous circle of BoA, Chase, UTSA, Geico and Allstate.
- Domains: University (UTSA), Bank (BoA, Chase), Insurance (Geico, Allstate).
- Each tenant can make user-role assignments, based on its type, into a domain.
- UTSA can assign its students to discounted insurance offers and to student accounts.

Slide 34: Multi-Tenant Role-Centric Attribute-Based Access Control
- Multi-tenant cloud IaaS.
- Circle-of-trust federation with heterogeneous circles.
- Attributes are associated with tenants, users and objects.
- Tenant attributes separate tenants by a tenant-type attribute.
World-Leading Research with Real-World Impact!
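The two circle-of-trust flavours of slide 28, applied to the UT System use case (slides 29-31) and the heterogeneous circle of slide 33, as an added Python example that is not the dissertation's own code. A homogeneous circle derives trust from membership alone, so it is bidirectional and transitive across every member; a heterogeneous circle declares trust between tenant types (the tenant-type attribute of slide 34) in one direction only and computes no closure. The tenant-type labels, the UTEP outsider, the `chain_only` variant and the rule for which tenant may make the assignment are assumptions of the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tenant:
    name: str
    tenant_type: str  # the tenant-type attribute that heterogeneous circles key on


class HomogeneousCircle:
    """Multilateral, bidirectional, transitive: joining the circle means trusting,
    and being trusted by, every other member, without pairwise relations."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.members: set[Tenant] = set()

    def join(self, tenant: Tenant) -> None:
        # Acceptance of all tenants in the circle: one membership, not N-1 edges.
        self.members.add(tenant)

    def trusts(self, a: Tenant, b: Tenant) -> bool:
        # Symmetric and derived from membership, hence transitive across the circle.
        return a != b and a in self.members and b in self.members

    def can_assign(self, assigner: Tenant, user_home: Tenant, role_owner: Tenant) -> bool:
        """May `assigner` put a user of `user_home` into a role of `role_owner`?"""
        if user_home == role_owner:
            return assigner == role_owner
        # Bidirectional: either end of the relation may make the assignment
        # (UTSA assigns UT students to its courses; UTA assigns its students to UT libraries).
        return assigner in (user_home, role_owner) and self.trusts(user_home, role_owner)


class HeterogeneousCircle:
    """Multilateral, unidirectional, non-transitive: trust is declared between tenant
    types (domains), only in the declared direction, with no closure."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.members: set[Tenant] = set()
        self.type_trust: set[tuple[str, str]] = set()  # (from tenant_type, to tenant_type)

    def join(self, tenant: Tenant) -> None:
        self.members.add(tenant)

    def allow(self, from_type: str, to_type: str) -> None:
        """Tenants of `from_type` may assign their own users to roles in the `to_type` domain."""
        self.type_trust.add((from_type, to_type))

    def trusts(self, user_home: Tenant, role_owner: Tenant) -> bool:
        return (user_home in self.members and role_owner in self.members
                and (user_home.tenant_type, role_owner.tenant_type) in self.type_trust)

    def can_assign(self, assigner: Tenant, user_home: Tenant, role_owner: Tenant) -> bool:
        if user_home == role_owner:
            return assigner == role_owner
        # Unidirectional: only the user's home tenant assigns, and only into domains
        # its own tenant type has been allowed to reach.
        return assigner == user_home and self.trusts(user_home, role_owner)


# Constructed tenants for the two use cases on the slides; the tenant-type values are
# this example's labels for the University, Bank and Insurance domains.
UTA = Tenant("UTA", "university")
UTD = Tenant("UTD", "university")
UTSA = Tenant("UTSA", "university")
UTEP = Tenant("UTEP", "university")  # assumed outsider, never joined to the circle
BOA = Tenant("BoA", "bank")
CHASE = Tenant("Chase", "bank")
GEICO = Tenant("Geico", "insurance")
ALLSTATE = Tenant("Allstate", "insurance")


def ut_system() -> HomogeneousCircle:
    circle = HomogeneousCircle("UT System")
    for t in (UTA, UTD, UTSA):
        circle.join(t)
    return circle


def bank_insurance_circle(chain_only: bool = False) -> HeterogeneousCircle:
    """The BoA/Chase/UTSA/Geico/Allstate circle. With chain_only=True the university
    domain is allowed only into banks and banks only into insurance, which shows
    that no university -> insurance trust is ever derived from the chain."""
    circle = HeterogeneousCircle("student offers")
    for t in (BOA, CHASE, UTSA, GEICO, ALLSTATE):
        circle.join(t)
    circle.allow("university", "bank")
    if chain_only:
        circle.allow("bank", "insurance")
    else:
        circle.allow("university", "insurance")
    return circle
```

The difference between the two classes is where trust is stored: the homogeneous circle keeps only a member set, so adding a member silently grants it every other member's exposed roles, which is exactly the "acceptance of all tenants in the circle" cost noted on slide 10; the heterogeneous circle keeps explicit type-to-type edges, so a bank joining the circle gains nothing towards the university domain unless someone declares it.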

Slide 35: Summary and Questions
Peer-to-peer policy:
- Multi-cloud multi-tenant role-based model.
- Multi-tenant attribute-based model.
Circle-of-trust policy:
- Multi-tenant role-based access control model in circle.
- Multi-tenant role-centric attribute-based access control model.
Implementation:
- Federated-cloud role-based tenant trust.
Questions?
