Keywords integral IdM; impersonation; reputation services; trust; SSO

Transcription

1 Volume 4, Issue 3, March 2014 ISSN: X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: User-Centric Single Sign on System for an Enterprise Network Anuja S * Samlinson E Dept. of CSE &Sona College of Technology India Abstract Cloud computing offers different levels of abstractions to its users. In this paper we provide an overview of cloud computing and its current status in enterprise adoption and a new architecture that offers integral identity management for the users within an organization to manage their identities and gain access from the Cloud Service Providers(CSP) based on the method of impersonation and also provides reputation services. We also present some implementation details. The proposed architecture offers certain advantages over the current offerings such as trust based services, audit services and reputation services that are incorporated and these help to determine which services are the most trustworthy. Keywords integral IdM; impersonation; reputation services; trust; SSO I. INTRODUCTION Cloud computing aims to deliver reliable, secure, fault-tolerant, sustainable and scalable infrastructure for hosting internet based application services. According to the NIST[1] Cloud Computing platform offers services in a pay-asyou-go model enabling on-demand network access to a shared pool of resources. The different services[2] offered by the cloud are Software or Application as a Service (SAAS), Platform as a Service (PAAS) and Infrastructure as a service (IAAS). SAAS delivers application services over the internet. PAAS delivers development environments and run time environments as services and IAAS delivers storage, network and computing infrastructure as services. The deployment models in the cloud are Public cloud, Private cloud and Hybrid cloud. Public cloud infrastructure is available to the general public, owned by org selling cloud. Private cloud and Hybrid cloud. Public cloud infrastructure is available to the general public owned by org selling cloud services. Private cloud infrastructure is for a single org only and may be managed by the org or a 3 rd party, on or off premise. Hybrid cloud is a combination of >= 2 clouds that bound by standard or proprietary technology. When an organization or a user submits their data to the websites and cloud service providers (CSP), they have to be ensured that the provider will act in accordance with its advertised policies and contract terms. This places burden on the CSP s to keep the data secure, and from any liability that the data could be lost, compromised or corrupted. Hence we come up with the concept of Identity and Access Management (IAM)[3] wherein a security discipline is followed that enables the right individuals to access the right things at the right time. The different components of IAM are Identity management, Credential management, Access management, Federation, Auditing and Reporting. Administrative IAM systems manage to login accounts, security entitlements, identity attributes and authentication factors that are assigned to the user. The services that are offered by IAM are: 1. Password Management: It s the ability of an IAM system to manage user passwords on one or more systems or applications. Functionally it includes password synchronization, self-service password reset or the management of other authentication factors. 2. User Provisioning: It s the ability of an IAM system to create, modify or delete login accounts for users on systems and applications. This includes auto-provisioning and deactivation of data from an authoritative system, delegated administration of users and entitlements by application owners etc. 3. Role Based Access Control (RBAC): It s a strategy for user provisioning where set of entitlements are collected into roles and roles are assigned to users. This reduces the need to assign individual entitlements to users, which is advantageous because individual entitlements are very technical and hard to manage. 4. Privileged Access Management: It s used to secure the access of users to accounts that have elevated security rights such as Administration on Windows, Root on UNIX, etc. This is typically done by periodically changing the password of these accounts to some random values, storing those password values in a secret vault, applying policy and workflow to control which user is allowed to connect to which account and injecting passwords from the vaults into the login sessions. The current cloud platforms support federated access, delegation of authority and fine grained access control that primarily uses a simple Access Control List (ACL) to provide access to the other users. These ACL based systems restricts to grant access only to the registered users. The fine grained role based access[4] was introduced in the IAAS by having a trusted domain that manages the users, roles and access permissions. But these users, roles and permissions are managed centrally do not provide federated access or allow roles and attributes to be assigned by external attribute authorities. Federated identity management, comprises a trusted Identity Provider (IdP), Service Provider (SP) and user 2014, IJARCSSE All Rights Reserved Page 315

2 agent. When the user wants to avail certain services from the SP, the user accesses the SP and the SP redirects the user to the IdP to identify his credentials and if these credentials are authenticated then the SP provides access to its services to the user. Delegation of authority allows a user to delegate any of his privileges to another user or application. If the credentials of the delegated user is authenticated by the SP and theidp then the delegated user is allowed to access the service from the SP. In the traditional application centric IdM model each application keeps trace of identities of the entities that use it. Whereas in an user centric [5] approach users have to authenticate themselves to the service providers (SP) in order to use their services. Here we use another mechanism called Single Sign on (SSO) [6] which is the ability for a user to enter the same id and password to logon to multiple applications within an enterprise. The benefits of SSO are Ability to enforce uniform enterprise authentication and/or authorization policies across the enterprise End to end user audit sessions to improve security reporting and auditing Removes application developers from having to understand and implement identity security in their applications Usually results in significant password help desk cost savings. For the simulation in the cloud the simulator used is Cloudsim by the University Of Melbourne, Australia. Cloudsim simulator is designed in JAVA and is an open-source simulator and works on both Windows and UNIX\Linux. Its first version Cloudsim 1.0 was released in 2009 and the next version Cloudsim 2.1 was released in 2010 with some additional features. The newest version Cloudsim was released in 2012 with all advanced features in it. This paper is organized as follows: Section 2 discusses some related works and in Section 3 we describe the proposed system architecture. II. RELATED WORK 1. Integral Federated Identity Management[7]: Integral federated identity management offers an ability to delegate access to the different users within the organization and provides federated access to cloud services and user s data. It includes the different levels of assurance (LoA), a measure of trustworthiness to make access decisions based on the authentication. Given the attributes of a user the authorization system should decide which resources should be accessed by the user. Given the resources the authorization system should decide which user based on the attribute can access the resources. The major advantages of this system are the possibility for applying security policies for individual users, maintain auditing records, ability to deploy applications on multiple IAAS providers without losing identity unity. Open standard technologies and components are used for the implementation. The disadvantages of this process are technology related challenge; implementing a full scale IdM requires use of various technologies. Mixed use of different technologies poses a risk of component failure. No approved or certified processes in place for authentication. 2. Identity-Centric Internet (IDAAS)[8]: Here every entity, user or a network requesting a service from a SP needs to have a digital identity; this environment is called IC-Agent (Identity in the cloud Agent). IC-Agent monitors and logs personal data and information of the user. IC-Agent disassociates storage of data, metadata, history and relationships that are a part of user s identity from service provisions. IC-Agent provides identity as a service that includes personal data, authentication and authorization as a service. The advantages of this system are privacy, innovation, interoperability, massive meaningful anonymous interactions and data and people are findable. The disadvantages of this method are the SP could cheat by recording personal data, IT infrastructure such as directory, application and IAM system is costly to deploy and manage. 3. User-Centric Federated SSO System[9]: Here the user-centric IdM is adopted into the federated SSO system. The approaches used here are credential based PRIME and relationship based universal user-centric system. The components used here are Attribute Issuer (AI)- issues attributes to the user, UFed Adapter- handles UFed protocols that cause major changes in the existing FSSO system, negotiator- for the communication between the entities. The two processes involved here are set-up process that obtains user s personally identifiable information (PII) from the AI which is unique in AI s realm and SSO Process where SP finds users IdP and makes authentication to determine if the information should be certified or not. The advantages of this method are fewer passwords to remember, better security, resource savings and reduce phishing. The disadvantages of this method are single point failure, single high value target, lack of control over user list, complexity of maintaining another interface and information disclosure between trusting site and SSO authority. 4. Trust Concept: Trust if a fiduciary arrangement that allowsa third party, or trustee, to hold assets on behalf of a beneficiary or beneficiaries [11]. It can specify exactly how and when the assets pass to the beneficiaries. The two important forms of trust are a) third-party trust and b) direct trust. Jonesidentified the two kinds of beliefs a) rule belief and b) conformity belief. Sloman and Grandison [12] define that trust is belief to act dependable, reliably and securely in a given context. Marsh and Dibben [13] find the necessity for distinguishing the concepts of trust, mistrust and distrust and how they are related to each other. Michalakpoulos and Fasli [14] identify the effects and attributes of trust and the dispositions the trust has on individual agents. 5. Trust Management: Blazeet al.[15]identified trustmanagement problem as an important component of a security system. Here approaches are specified to to describe trust actions and trust relationships and a prototype implementation called PolicyMaker to facilitate the development of security features. Winslettet al[16-18] contributed for the automated trust establishment and proposed an architecture for trust negotiation. The above mentioned works represent a good approach for homogenous as well as distributed environment. The credential translations in the above are heavily based on Security Assertion Mark-Up Language (SAML). This is not easily applicable on all popular operating systems, thus restricting its usage mostly to web based resources and systems that are SAML compatible. 2014, IJARCSSE All Rights Reserved Page 316

3 III. USER CENTRIC SSO FOR AN ENTERPRISE NETWORK First we define the entities belonging to the scenario considered in this work: Admin:responsible for running the organization, storing and controlling the user s data in the database. Privileged user: authorized entity who wants to access applications and services offered within the organization. Normal user: unauthorized entity who wants to access services offered within the organization. IdP: any entity that is responsible for managing the user s authentication data and providing identity credentials to the users. SP: offers applications and services to the end users based on their identity. When a user tries to access a service from the SP, the SP offers its services based on the authorization of the user. Initially when an access is made, Proxy IdP retrieves the credentials of the user and verifies if the corresponding user is authorized or not. The Proxy IdP does this by using the Credential Value Services (CVS) which keeps track of the credentials of the users and updates any new information of the user. The Proxy IdP then sends a message to the SP. Once the SP receives this message it offers services to the user based on the privileges the user has. Here we use three different types of three different types of users.they are admin, privileged user and the normal remote user. Admin has the control to insert the data of the new user or update the data of the existing user. Admin manages the entire applications that are offered by the organization and also manages the credentials of the user. Privileged user has the control to access the services provided by the organization and the normal remote user has the control to access only the limited set of services that are provided by the organization. The SP offers this kind of services using the Role Based Access Control (RBAC). This method is called impersonation. User-Centric Single Sign on system uses a service called Reputation service which defines and displays a set of trusts that are offered by each of its application in the IAAS based on which user can make his own choice of the application he needs access from. This method follows a purely usercentric approach wherein the user himself is responsible for all the actions. The figure given below represents the different roles of an user who tries to access certain resources that are given within the organization. Based upon the role of the user, the organization has defined certain policies which implements the Role based Access Control (RBAC) using which the resources are allocated. Each of the layers given in the diagram represents the disjoint roles that consist of the methods used for the authentication. The authentication methods that are used by different roles U, O, P and A are m1, m2, m3 and m4. These authentication methods use a set of policies (Po) that are predefined to identify the role of the user in order to provide access to the resources and how reliable the user is based on his previous transactions; these are termed as Policy Compilation (T p ). It also consists of certificates (C) that are used for credential encoding (T c ) and a set of authorization queries (Q) that helps us query the users logging in to identify the degree of trust the system can have on that corresponding user and is called the Query Compilation (T q ). This is how the trust is managed and maintained in a dynamic environment where there is a chance for an user to gain or lose trust at any random point of time. We establish a theory for trusting the system and vice-versa. The predicates used are USER CENTRIC SINGLE SIGN ON SYSTEM FOR AN ENTERPRISE NETWORK FIREWALL 1 PROXY IDP FIREWALL 2 CVS AS RS IAAS OPEN LDAP DMZ EDGE NODE ADMIN NORMAL REMOTE USER PRIVILEGED USER Fig.1 Architecture diagram for User-Centric Single Sign on System for an Enterprise Network 2014, IJARCSSE All Rights Reserved Page 317

4 1) RequestAccess (x,resource): x is an user who wants to acces a particular resource r ranging over the set of users {U, O, P, A} that uses the methods m1, m2, m3 and m4 to authenticate and identify the user and allocate the corresponding resource based on his role. 2) GetThrough(x, rules): where x has to get through a set of rules to disclose how reliable the user is to the system where the rules are defined ranging over {Po, C, Q} Admin Privileged Normal Remote User User within org. Fig 2. Venn Diagram representing the User Roles 3) Authenticate (x, u, t): x is identified as u at time t, where x is an user ranging over the set of user role { U, O, P, A} and t represents a point in time ranging over the set of natural numbers. 4) AuthenticatedBy (x, m): the identity of x is authenticated by m, where m represents the authentication method ranging over (m1, m2, m3, m4}. 5) Invalid(x, t): the user x is identified to be an unauthorized user at the time t. 1V. CONCLUSION Here we have proposed an approach for managing IAM for different types of users by identifying their roles and providing access to them based on the hierarchy of the user using RBAC. The CVS and RS used here manages the credentials that are given by the user in a secure way without disclosing the user details to a third party without the consent of the user and RS provides an user-centric approach where the degree of security for each of the services provided by the SP are displayed to the user based on which the user can make a choice of his own to decide what service he wants to gain access to. The future work to be done is to develop a prototype, conduct experiments and evaluate the approach. REFERENCES [1] Peter Mell, Timothy Grance: The NIST Definition of Cloud Computing. [2] Christian A. Christiansen Charles J. Kolodgy, Identity and Access Management for Approaching Clouds. May 201l [3] Williams Drive, Suite 610, Fairfax, VA Advisory Council (p) (703) (f) (703) [4] IBM Software security, Managing user identities and access in the cloud December 2011 [5] PelinAngin, Bharat Bhargava, RohitRanchal, Noopur Singh, Lotfi Ben Othmane, LeszekLilien, Mark Linderman, An Entity-centric Approach for Privacy and Identity Management in Cloud Computing 2010 [6] David Nunez, Isaac Agudo, ProkopiosDrogkaris and StefanosGritzalis; Identity Management Challenges for Intercloud Applications. [7] MaiconStihler, Altair OlivoSantin, Arlindo L. Marcon Jr:Integral federated Identity Management for Cloud Computing [8] Mikael Ates, Serge Ravet, Akbar Ahmat, JacquesFayolle: An IdentityCentric Internet: Identity in the Cloud, Identity as a Service and other delights. In proceedings of 6th IEEE International Conference on Availability, Reliability and Security, 2011 [9] SuriadiSuriadi, Ernst Foo, AudunJosang: A user centric federated single sign-on system: Journal of Network and Computer Application [10] Xceedium, New Platforms, New Requirements. Next Generation Privileged Identity Management 2013 [11] Entrust White Paper. (2000, aug.). The concept of trust in Network Security, Version 1.2 [12] T.Grandison and M.Sloman. (2000). A survey of trust in internet applications, IEEE Commun. Surveys Tuts., Fourth Quarter. [13] S.Marsh and M.R.Dibben, Trust,untrust,distrust and mistrust: An exploration of the darker sid, in Proc. itrust, vol. 2477, Lecture notes incomputer Science. Berlin, Germany: Springer-Verlag, 2005, pp [14] M. Michalokopoulosamd M. Fasli, On deciding to trust, in Proc.iTrust, vol.2477, Lecture Notes in Computer Science. Berlin, Germany:Springer-Verlag, 2005,pp , IJARCSSE All Rights Reserved Page 318

5 [15] M. Blaze, J. Feigenbaum, J. Ioannidis, and A. Keromytis, The role of trust management in distributed systems security, in Chapter in SecureInternet Programming: Security Issues for Mobile and Distributed Objects, Vitek and Jensen, Eds. New York: Springer-Verlag,1999. [16] M. Winslett, An introduction to automated trust negotiation, in Proc.Int. Conf. Multimedia and Its Appl. (unpaginated), Agra, India, Jan.2003 [17] M.Winslett, T. Yu, K. E. Seamons, A. Hess, J. Jacobson, R. Jarvis,B.Smith, and L. Yu, The trustbuilder architecture for trust negotiation, IEEE Internet Comput.,vol 6, no.6,pp.30-37, Nov./Dec [18] T. Yu and M. Winslett, A unified scheme for resource protection in automated trust negotiation, in Proc. IEEE Symp. Security Privacy, Berkeley, CA, May 2003,pp , IJARCSSE All Rights Reserved Page 319