Institute for Cyber Security. A Multi-Tenant RBAC Model for Collaborative Cloud Services

Similar documents
A Multi-Tenant RBAC Model for Collaborative Cloud Services

MULTI-TENANT ACCESS CONTROL FOR CLOUD SERVICES

Multi-tenancy authorization models for collaborative cloud services

Authorization Federation in IaaS Multi Cloud

Identity, Privacy, and Data Protection in the Cloud XACML. David Brossard Product Manager, Axiomatics

Extending OpenStack Access Control with Domain Trust

Software and Cloud Security

ACaaS: Access Control as a Service for IaaS Cloud

Federated authorization for SaaS applications

Analysis of Different Access Control Mechanism in Cloud

Cloud Essentials for Architects using OpenStack

Identity Management Basics. OWASP May 9, The OWASP Foundation. Derek Browne, CISSP, ISSAP

Access Control Framework of Personal Cloud based on XACML

Adding Federated Identity Management to OpenStack

The Science, Engineering, and Business of Cyber Security

Kerberos-Based Authentication for OpenStack Cloud Infrastructure as a Service

Privacy-Preserving Distributed Encrypted Data Storage and Retrieval

Cloud Computing Trends, Examples & What s Ahead

Architectural Implications of Cloud Computing

Third Party Cloud Services Its Adoption in the New Age

IT Risk and Security Cloud Computing Mike Thomas Erie Insurance May 2011

Outline. What is cloud computing? History Cloud service models Cloud deployment forms Advantages/disadvantages

Automating User Management and Single Sign-on for Salesforce.com OKTA WHITE PAPER. Okta Inc nd Street Suite 350 San Francisco CA, 94107

Cloud Computing Flying High (or not) Ben Roper IT Director City of College Station

Cyber Security: Past, Present and Future

SaaS Implementation for Technology & Business software companies

Role Based Access Control (RBAC) Nicola Zannone

Cyber Innovation and Research Consortium

High Performance Computing Cloud Computing. Dr. Rami YARED

AvePoint DocAve Online vs Office SharePoint Online Management

Security Models: Past, Present and Future

Cyber Incident Response

How To Secure Cloud Computing

Oracle E-Business Suite Controls: Application Security Best Practices

1 The intersection of IAM and the cloud

TrustedX - PKI Authentication. Whitepaper

Building SaaSApplications on Microsoft Azure. November 2011

CliQr CloudCenter. Multi-Tenancy

Multi Tenancy Access Control Using Cloud Service in MVC

It s All About Cloud Key Concepts, Players, Platforms And Technologies

Hybrid Cloud Mini Roundtable. April 17, Expect Excellence.

Navigating The World of Cloud Computing

HOL9449 Access Management: Secure web, mobile and cloud access

Moving your enterprise systems to the cloud? What do you need to know to manage the risks? Jamie Levitt, Director

SaaS, PaaS & TaaS. By: Raza Usmani

SGFS: Secure, Flexible, and Policy-based Global File Sharing

Introduction to Cloud Computing

Building a SaaS Application. ReddyRaja Annareddy CTO and Founder

White paper. Planning for SaaS Integration

Analytical Survey Model on Consumption of Cloud Service Models

Certified Cloud Computing Professional VS-1067

The IBM Cognos Platform

6 Cloud computing overview

Cloud-based Identity and Access Control for Diagnostic Imaging Systems

Cloud Computing Security: Public vs. Private Cloud Computing

Toward Fine-grained Data-level Access Control Model for Multitenant

Agent-Based Cloud Broker Architecture for Distributed Access Control

AvePoint DocAve Online vs Office SharePoint Online Management

ABFAB and OpenStack(in the Cloud)

Cloud Computing using

Understanding Enterprise Cloud Governance

BM482E Introduction to Computer Security

Oracle Applications and Cloud Computing - Future Direction

Cloud Security and Managing Use Risks

Enabling Public Auditing for Secured Data Storage in Cloud Computing

Cloud federation. Prelude to Hybrid Clouds. CHEP 2015 Okinawa, Japan. Marek Denis CERN Geneva, Switzerland

Why Cloud Backup Now? Ashar Baig Senior Director of Product Marketing

F5 Identity and Access Management (IAM) Overview. Laurent PETROQUE Manager Field Systems Engineering, France

Uniting IAM and data protection for greater security

Cloud Computing; What is it, How long has it been here, and Where is it going?

Cloud Collaboration Platform as Enterprise Game

The Unique Alternative to the Big Four. Identity and Access Management

Implementing XML-based Role and Schema Migration Scheme for Clouds

Design and Implementation of Access Control as a Service for IaaS Cloud

Journey to the Cloud and Application Release Automation Shane Pearson VP, Portfolio & Product Management

2013 AWS Worldwide Public Sector Summit Washington, D.C.

Transcription:

Institute for Cyber Security A Multi-Tenant RBAC Model for Collaborative Cloud Services Bo Tang, Qi Li and Ravi Sandhu Presented by Bo Tang at The 11 th International Conference on Privacy, Security and Trust (PST) July 12, 2013 Tarragona, Spain ICS at UTSA World-Leading Research with Real-World Impact! 1

OUTLINE Introduction and Background A Family of Multi-Tenant RBAC (MT-RBAC) Models MT-RBAC 0,1,2 Administrative MT-RBAC (AMT-RBAC) model Constraints Prototype Implementation and Evaluation Related Work Conclusion and Future Work ICS at UTSA World-Leading Research with Real-World Impact! 2

OUTLINE Introduction A Family of Multi-Tenant RBAC (MT-RBAC) Models MT-RBAC 0,1,2 Administrative MT-RBAC (AMT-RBAC) model Constraints Prototype Implementation and Evaluation Related Work Conclusion and Future Work ICS at UTSA World-Leading Research with Real-World Impact! 3

Cloud Computing Shared infrastructure [$$$] -----> [$ $ $] Multi-Tenancy Virtually dedicated resources Drawbacks: Data Locked-in o Collaborations can only be achieved through desktop. o E.g.: create/edit Word documents in Dropbox. How to collaborate in the cloud? Source: http://blog.box.com/2011/06/box-and-google-docs-accelerating-the-cloud-workforce/ ICS at UTSA World-Leading Research with Real-World Impact! 4

Motivation C1. Charlie as a developer in OS has to access the source code stored in Dev.E to perform his out-sourcing job; C2. Alice as an auditor in AF requires read-only access to financial reports stored in Acc.E; and C3. Alice needs read-only accesses to Dev.E and Dev.OS in order to audit the out-sourcing project. ICS at UTSA World-Leading Research with Real-World Impact! 5

Industry Solutions Microsoft and IBM: Fine-grained data sharing in SaaS using DB schema Only feasible in DB NASA: RBAC + OpenStack (Nebula) Lacks ability to support multi-org collaborations Salesforce (Force.com): Single Sign-On + SAML Focus on authentication and simple authorization Heavy management of certificates Source: http://msdn.microsoft.com/en-us/library/aa479086.aspx http://nebula.nasa.gov/blog/2010/06/03/nebulas-implementation-role-based-access-control-rbac/ http://wiki.developerforce.com/page/single_sign-on_with_saml_on_force.com ICS at UTSA World-Leading Research with Real-World Impact! 6

OUTLINE Introduction A Family of Multi-Tenant RBAC (MT-RBAC) Models MT-RBAC 0,1,2 Administrative MT-RBAC (AMT-RBAC) model Constraints Prototype Implementation and Evaluation Related Work Conclusion and Future Work ICS at UTSA World-Leading Research with Real-World Impact! 7

MT-RBAC ICS at UTSA World-Leading Research with Real-World Impact! 8

Trust Model If B (resource owner) trusts A then A can assign B s permissions to A s roles; and B s roles as junior roles to A s roles. CanUse(r B ) = {A, B, } Tenant A Tenant B If No trust Resources AuthStmts Resources AuthStmts If B trust A Resources AuthStmts Resources AuthStmts User ICS at UTSA World-Leading Research with Real-World Impact! 9

MT-RBAC 0,1,2 ICS at UTSA World-Leading Research with Real-World Impact! 10

AMT-RBAC Bo Tang World-Leading Research with Real-World Impact! 11

AMT-RBAC (Contd.) Bo Tang World-Leading Research with Real-World Impact! 12

Constraints Cyclic Role Hierarchy: lead to implicit role upgrades in the role hierarchy SoD: conflict of duties Tenant-level o E.g.: SOX compliance companies may not hire the same company for both consulting and auditing. Role-level o across tenants Tenant 1 Chinese Wall: conflict of interests among tenants o E.g.: do not share infrastructure with competitors. M1 E1 Tenant 2 M2 E2 ICS at UTSA World-Leading Research with Real-World Impact! 13

OUTLINE Introduction A Family of Multi-Tenant RBAC (MT-RBAC) Models MT-RBAC 0,1,2 Administrative MT-RBAC (AMT-RBAC) model Constraints Prototype Implementation and Evaluation Related Work Conclusion and Future Work ICS at UTSA World-Leading Research with Real-World Impact! 14

Policy Specification of MT-RBAC 2 user = Charlie ; permission = (read, /root/)%dev.e tr = Dev.E ; te = Dev.OS ICS at UTSA World-Leading Research with Real-World Impact! 15

MTAaaS Platform Prototype Experiment Settings CloudStorage: an open source web based cloud storage and sharing system. Joyent, FlexCloud Authorization Service Centralized PDP Distributed PEP Bo Tang World-Leading Research with Real-World Impact! 16

Evaluation: Performance MT-RBAC vs RBAC More policy references incur more decision time MT-RBAC 2 introduces 16 ms overhead on average. PDP Performance Client-End Performance ICS at UTSA World-Leading Research with Real-World Impact! 17

Evaluation: Scalability Scalable by changing either PDP capability; or Number of PEPs. PDP Scalability PEP Scalability ICS at UTSA World-Leading Research with Real-World Impact! 18

OUTLINE Introduction A Family of Multi-Tenant RBAC (MT-RBAC) Models MT-RBAC 0,1,2 Administrative MT-RBAC (AMT-RBAC) model Constraints Prototype Implementation and Evaluation Related Work Conclusion and Future Work ICS at UTSA World-Leading Research with Real-World Impact! 19

Characteristics of Cloud Agility Collaboration and collaborators are temporary Centralized Facility No need to use cryptographic certificates Homogeneity Same access control model in each tenant Out-Sourcing Trust Collaboration spirit ICS at UTSA World-Leading Research with Real-World Impact! 20

Literature in Multi-org/dom RBAC CBAC, GB-RBAC, ROBAC (e.g.: player transfer in NBA) Require central authority managing collaborations Delegation Models drbac and PBDM (e.g.: allowing subleasing) Lacks agility (which the cloud requires) Grids CAS, VOMS, PERMIS Absence of centralized facility and homogeneous architecture (which the cloud has) ICS at UTSA World-Leading Research with Real-World Impact! 21

Literature (Contd.) Role-based Trust RT, Traust, RMTN AND RAMARS_TM Calero et al: towards a multi-tenant authorization system for cloud services o Implementation level PoC o Coarse-grained trust model MTAS Suits the cloud (out-sourcing trust) Critical: trust model ICS at UTSA World-Leading Research with Real-World Impact! 22

Role-Based Trust Model Comp. ICS at UTSA World-Leading Research with Real-World Impact! 23

OUTLINE Introduction A Family of Multi-Tenant RBAC (MT-RBAC) Models MT-RBAC 0,1,2 Administrative MT-RBAC (AMT-RBAC) model Constraints Prototype Implementation and Evaluation Related Work Conclusion and Future Work ICS at UTSA World-Leading Research with Real-World Impact! 24

Conclusion Collaboration needs among cloud services MT-RBAC model family Formalization Administration Constraints MTAaaS architecture viable in the cloud Overhead 16ms and scalable in the cloud Comparison of role-based trust models ICS at UTSA World-Leading Research with Real-World Impact! 25

Future Work Cross-tenant trust models in cloud computing Other multi-tenant access control models MT-ABAC MT-RT MT-PBAC and more. Implementation MT-RBAC in OpenStack API. ICS at UTSA World-Leading Research with Real-World Impact! 26

Institute for Cyber Security Q & A ICS at UTSA World-Leading Research with Real-World Impact! 27

Institute for Cyber Security Thank You! ICS at UTSA World-Leading Research with Real-World Impact! 28

Multi-Tenant Authorization as a Service (MTAaaS) MTAaaS User IDs Resource Catalogs Authz Policies Multi-Tenant Access Control Cross-Tenant Access ICS at UTSA World-Leading Research with Real-World Impact! 29

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information