Authentication Mechanism for Private Cloud of Enterprise. Abstract

Transcription

1 Authentication Mechanism for Private Cloud of Enterprise Mei-Yu Wu *, and Shih-Pin Lo Department of Information Management, Chung Hua University, Hsinchu, Taiwan {mywu, Abstract Enterprises need accurate and efficient reaction speed in their business processes. There are diversity information needs in different departments, locations, or offices around the world. When enterprises adopt private cloud and consider the cost condition, SSL VPN (Secure Sockets Layer Virtual Private Network) gateway is a possible solution. Integrating internal enterprise resource planning application to build a private cloud, the external users of company may use mobile device to access control resources at any time and any place, as long as the network. The main purpose of this research is to achieve the authentication for private cloud of enterprise. The proposed approach adopts three-layers authentication, namely (1) using AD/LDAP to authenticate the user id and password (2) using dynamic password generated from MOTP Token to improve authentication (3) using device fingerprint verification to confirm that the mobile device was pre-authenticated. Based on the proposed three-layer authentication, the information security of company could be achieved and further increasing the feasibility of enterprises to adopt enterprise private cloud. Keywords: Cloud Computing, Authentication, Private Cloud, Secure Sockets Layer Virtual Private Network (SSL VPN) Gateway * Corresponding author. 52

2 1. Introduction The purpose of implementing private cloud for enterprise is to provide existing information system functions and wants to continue the previous application and reduce upfront investment costs. Cloud computing provides employees the required software service at any time and any place. Employees cloud handle business at any time and any place, as long as the place where the network can be connected back to the company. But the important issue of private cloud is the authentication and access control. Existing security mechanism of private cloud in enterprise is merely to match username and password. However, only username and password authentication is not enough. If the account and password leak, any person may use any device to access enterprise resource. Therefore, this research proposes an authentication mechanism for enterprises when they adopt private cloud. The research combined mobile one time password (MOTP) and device fingerprint to enhance the authentication. This study adopted unpredictable, not duplicate, and used only once dynamic password, and further combine information confirmed of important parts of device to reach complete authentication and access control. The proposed authentication mechanism will enhance the security of private cloud for enterprises. The remainder of this paper is organized as follows. Section 2 reviews related works on cloud computing, server virtualization, SSL VPN Gateway and SSL VPN Gateway for cloud computing. Section 3 introduces the proposed authentication mechanism for private cloud. A complete analysis of proposed authentication mechanism is offered in Section 4. Finally, Section 5 presents our conclusions. 2.1 Cloud Computing 2. Related Works The emergence of the phenomenon commonly known as cloud computing represents a fundamental change in the way information technology (IT) services are invented, developed, deployed, scaled, updated, maintained and paid for [8]. According to the definition of National Institute of Standards and Technology (NIST), cloud computing is a model for enabling convenient, on-demand network access to a share pool of configurable computing resource that can be rapidly provisioned and released with minimal management effort or service provider interaction [7][18]. The deployment models of cloud computing includes private cloud, public cloud, community cloud, and hybrid cloud [1][4][6][12]. Public cloud is the main model of cloud service. Multiple users share the applications, storage, and other resources provided by a service provider. Users do not need to construct the information infrastructure by self and pay-per-usage. The disadvantage is the lack of complete control of data, network and security. Private cloud allows enterprises to take complete control of cloud computing resources. Cloud computing resource cloud be constructed by enterprise or service provider to enhance the performance, availability, and security. Community cloud shares infrastructure between several organizations from a specific community. It is suitable for academic institution with sharing data to joint venture. Hybrid cloud is a composition of public cloud and private cloud. Enterprise use services in private cloud and use public cloud computing resources to meet temporary needs [9][11][17][18]. 2.2 Server Virtualization In general, the fastest way to implement a private cloud in enterprise is to make server virtualization. When implementing server virtualization, enterprise may use performance monitoring tool to record the physical average and peak values of CPU, memory, network, and disk I/O resources of servers. In the early evaluation stage, enterprise will collect related data at least one to two weeks to understand the current status of system performance. However, heavier system loading server is not suitable for virtualization [13][14][15]. The comparison table of after and before virtualization is illustrated in Table 1. Table 1. Comparison of after and before virtualization Item before virtualization after virtualization The quantity of Multiple servers physical server is simplify into high. High cost of virtual machines. hardware and Saving hardware electricity power and electricity consuming. cost. Cost of Server Procurement Utilization of hardware resource Deployment Time Variability of hardware resource Maintenance cost 2.3 SSL VPN Gateway Resource utilization uneven Need to wait hardware procurement procedures. not easy Not easy to maintenance Improve hardware resource utilization Rapid deploying new servers in a few minutes. easier Reducing legacy maintenance costs SSL is abbreviation of secure socket layer. The main purpose of SSL is to provide confidential and reliability between two communication applications [2][3][5]. There are three mainly characteristics of secure connections provided by SSL, that is privacy, identification, and reliability. In recent years, enterprises want to get convenient and flexible information infrastructure through the cloud computing. However, information security issue of cloud computing has been one of the threshold for enterprise to adopt cloud computing. In order to solve the cloud security issues, enterprises 53

3 began to deploy private cloud. SSL virtual private network (VPN) gateway is a solution for enterprise to securely access private cloud services [16]. There are two main types of SSL VPN gateway, i.e. SSL Portal VPN and SSL Tunnel VPN. IT administrators may integrate existing account of active directory (AD) or lightweight directory access protocol (LDAP) to SSL VPN gateway. Therefore, IT administrators can easily configure SSL VPN gateway to control the different groups of users which can use what kind of resources and applications. Besides, SSL VPN gateway provides mobile one-time password (MOTP) to enhance security authentication [10]. 3. Authentication Mechanism for Private Cloud 3.1 System Architecture The research proposed an authentication mechanism for private cloud of enterprise. The system architecture is illustrated in Figure 1. Figure 1. System Architecture There are five main components in the system architecture and the detail description of each component is as the following. (1) External Mobile Device User Users from public cloud or private cloud use browser of mobile device or app to login the SSL VPN gateway. The dotted line means wireless connection by mobile devices. (2) Firewall Firewall is set up before SSL VPN gateway. Besides, SSL VPN may be established in demilitarized zone (DMZ) of firewall. If attackers attack the server, the internal network of enterprise will not be affected. (3) SSL VPN Gateway When users want to use the resource in the internal server, the SSL VPN gateway will check the authentication license of users. The SSL VPN gateway records the authorized applications and resource for users and log connection activities and login time of users. (4) 3-Layers Authentication In the research, we propose 3-layers authentication including LDAP and AD authentication, mobile one time password authentication, and device fingerprint. The detail description of 3-layers authentication mechanism is described in next subsection. (5) Terminal Server and MOTP Server When external mobile device user connects to private cloud, MOTP server will give user a mobile one time password, i.e. the second layer authentication, MOTP, to allow user to verify third layer authentication, i.e. device fingerprint Layers Authentication The proposed authentication mechanism for private of enterprise include three layers, which is LDAP and AD authentication, mobile one time password authentication, and device fingerprint. The detail description of 3-layers authentication mechanism is described in next subsection. (1) LDAP and AD authentication When users use browsers, such as Internet Explorer, Chrome, or Firefox, or app program, such as download from apple store or android play, LDAP and AD of SSL VPN gateway will verify the account and group. SSL VPN gateway will use SSL encryption technology to encode the input data to enhance the security. (2) Mobile one time password (MOTP) When users finish the first layer authentication, SSL VPN gateway will connect to MOTP server to process the second layer authentication. MOTP server will send a short message service (SMS) with random authentication code according to the original verified device. When user input the correct authentication code, the third authentication mechanism will be processed. The detail second layer authentication mechanism is shown in Figure 2. Figure 2. The Second Layer Authentication Mechanism (3) Device fingerprint The third layer authentication is device fingerprint. The main purpose of this authentication stage is to verify whether the device is registered in the database of the SSL VPN gateway. SSL VPN gateway will scan the related information of mobile device, i.e. device fingerprint. IT administrator may define the scan rules, like only check the status or must be consistent with the original registered device 54

4 fingerprint. Possible device fingerprint includes CPU, memory, solid state drive (SSD), network card, and operating system version and so on. 4. Analysis of Proposed Authentication Mechanism According to the definition of domain 12 defined by the cloud security alliance (CSA), there are three main specifications named identity provisioning/deprovisioning, authentication, and authorization and user profile management [12]. This study adopted these specifications to analyze effectiveness assessment of the proposed 3-layers authentication mechanism. (1) Identity provisioning/deprovisioning When enterprises use cloud computing services, one of the main challenges is cloud security and timely management of existing staff, i.e. provisioning, in other words, create, and update accounts, and outgoing staff, i.e. deprovisioning, in other words, canceled, or deleting user accounts. Traditional SSL VPN gateway cannot make share unique identity user. In contrast, this study proposed three-layer authentication mechanism that will be able to identify the user uniqueness. (2) Authentication When enterprises began to use cloud services, reliable and easy managed authentication is a crucial requirement. Authentication mechanisms of traditional SSL VPN gateway cannot provide MOTP and device fingerprint verification. The authentication mechanism proposed in this research included MOTP and device fingerprint verification, so that enterprises will achieve into more rigorous access control of private cloud. (3) Authorization and user profile management The requirement of authorization and user profile management is depending on whether the user is acting in its own name. Traditional SSL VPN gateway architecture did not set group policy to define what the user can use the application for authorization and user profile management. SSL VPN gateway defined in this research provides group policy. When the user login the home page, the system recognize what group the user belong to and what application user can use. The proposed authentication follows the identity and access management specified by CSA to achieve confidentiality, integrity, and available. 5. Conclusions and Future Works After importing enterprise private cloud, make ensure the confidentiality, integrity and availability of transferred information is an important issue. Both of SSL VPN and virtualization cloud import private cloud for enterprise. Compared to the virtualization technology, SSL VPN has advantages, such as easy implementing, without further acquired servers and changing the existing structure. The research proposed three layers authentication mechanism for private cloud of enterprise, including LDAP and AD authentication, MOTP authentication, and device fingerprint. The proposed authentication mechanism will enhance the security of private cloud for enterprises. The access control of existing SSL VPN gateway still needs to overcome. In addition to the proposed three layers authentication mechanism, researchers may combine other access control mechanisms to enhance the authentication and access control for private cloud of enterprise. References [1] Buyya, R., Yeo, C. S., Venugopal, S., Broberg, J., and Brandic, I., 2009, Cloud Computing and Emerging IT Platforms: Vision, Hype, and Reality for Delivering Computing as the 5th Utility, Future Generation Computer Systems, Vol. 25, No. 6, pp [2] Cai, L. Z., Yu, S. S., and Zhou, J. L., 2004, Research and Implementation of Remote Desktop Protocol Service over SSL VPN, IEEE Internet Computing. [3] Freier, Alan O., Karlton Philp, Kocher, and Paul C. 1996, The SSL Protocol Version 3.0, Internet Draft. [4] Goscinski, A. and Brock, M. 2010, Toward Dynamic and Attribute Based Publication, Discovery and Selection for Cloud Computing, Future Generation Computer Systems, Vol. 26, No. 7, pp [5] Hickman, Kipp E.B., 1995, The SSL Protocol, Internet Draft of Netscape Communications Corp, e-ssl-00, Retrieved Date: 2013/6/28 [6] Hofmann, P., and Woods, D., 2010, Cloud Computing: the Limits of Public Clouds for Business Applications, IEEE Internet Computing, Vol. 14, No. 6, pp [7] Kaufman, L. M. Data Security in the World of Cloud Computing, IEEE Security &Privacy, Vol. 7, No. 4, pp , July [8] Marston, S., Li, Z., Bandyopadhyay, S., Zhang, J., and Ghalsasi, A., 2011, Cloud Computing the Business Perspective, Decision Support Systems, Vol. 51, No. 1, pp [9] Merino, L. R., Vaquero, L. M., Gil, V., Galán, F., Fontán, J., Montero, R. S., and Llorente, I. M., 2010, From Infrastructure Delivery to Service Management in Clouds, Future Generation Computer Systems, Vol. 26, No. 8, pp [10] Mucha, G., 2010, RSA Security Solution for Virtualization, the Journal of the Private Cloud Stars Now. [11] Rimal, B. P., Choi E., and Lumb, I., 2009, A Taxonomy and Survey of Cloud Computing Systems, the fifth International Joint Conference on INC, IMS and IDC (NCM '09). 55

5 [12] Security Guidance for Critical Areas of Focus in Cloud Computing. csaguide.v2.1.pdf, Retrievd Date: 2013/6/28 [13] Sotomayor, B., Montero, R. S., Llorente, I. M. and Foster, I., 2009, Virtual Infrastructure Management in Private and Hybrid Clouds, IEEE Internet Computing, Vol. 13, No. 5, pp [14] Tsai, C. L., Lin, U. C., Chang, A. Y. and Chen, C. J., 2010, Information Security Issue of Enterprises Adopting the Application of Cloud Computing, Networked Computing and Advanced Information Management (NCM). [15] Vall ee, G., Naughton, T., Engelmann, C., and Ong, Hong, 2008, System-Level Virtualization for High Performance, 16th Euromicro Conference on, Parallel, Distributed and Network-Based Processing, pp [16] Venkateswaran, R., 2001, Virtual Private Networks, IEEE Potentials, Vol. 20, No. 1, pp [17] Yang, J., and Chen, Z., Cloud Computing Research and Security Issues, Computational Intelligence and Software Engineering (CISE), [18] Zhang, Q., Cheng, L., and Boutaba, R., 2010, Cloud Computing: State-of-the-Art and Research Challenges, Journal of Internet Services and Applications (JISA), Vol. 1, No. 1, pp Journal of Information Technology and Applications 56