Institute for Cyber Security
Authorization Federation in Multi-Tenant Multi-Cloud IaaS
Navid Pustchi, Dissertation Defense
Department of Computer Science, University of Texas at San Antonio
Advisor: Dr. Ravi Sandhu. Co-Advisor: Dr. Ram Krishnan. Dr. Gregory B. White, Dr. Matthew Gibson, Dr. Palden Lama.

Slide 1: Moving to Cloud
- Flexibility
- Reliability
- Mobility

- Accessibility
- Security
World-Leading Research with Real-World Impact!

Slide 2: Why Federation?
- A large organization with multiple tenants.
- Federation between distinct organizations.
Figure: a service provider hosting the tenants CERN, Software Development and Acme Financial.

Slide 3: Why Multi-Cloud?
- A federation may consist of multiple clouds or of multiple tenants.
Figure: the ACME multi-cloud spans a London private cloud, the Amazon public cloud and a Shanghai private cloud.

Slide 4: Problem & Thesis Statement
Problem statement: The access control models currently provided by cloud platforms are not sufficient to support effective peer-to-peer and circle-of-trust federation between tenants within one cloud or across multiple cloud platforms. Prior role-based and attribute-based access control models for distributed systems do not apply effectively to cloud IaaS.
Thesis statement: The problem of authorization federation in multi-tenant cloud IaaS can be partially solved by integrating multiple types of peer-to-peer and circle-of-trust relations between tenants, in cloud and multi-cloud environments, into role-based and attribute-based access control models.

Slide 5: What is Cloud Federation?
- Multi-Cloud: a federation of multiple cloud service providers (public or private) in different administrative domains (cloud and domain) that together provide complex services at a specified service model (infrastructure, platform or software).
- Cloud Federation: a federation of cloud service providers and identity providers that share their services and resources on the basis of trust agreements.
- Hybrid Cloud: a composition of two or more distinct cloud infrastructures (private, community or public) that remain unique entities.
Figure: multi-cloud deployment, hybrid cloud, inter-cloud and inter-cloud broker, connected by seamless communication.

Slide 6: Federation in Cloud
Cloud federation is classified along four axes:
- Service: heterogeneous or homogeneous
- Platform: heterogeneous or homogeneous
- Trust: circle-of-trust or peer-to-peer
- Identity: authentication or authorization

Slide 7: Service in Cloud Federation
- Heterogeneous service federation: a Google account (OpenID 2.0) used across heterogeneous services within Google.
- Homogeneous service federation: Eduroam federated network access; OpenStack federation.

Slide 8: Platform in Cloud Federation
- Heterogeneous platform federation: OpenStack federation with AWS (figure: the Amazon public AWS cloud platform and the ICS private OpenStack cloud).
- Homogeneous platform federation: Keystone-to-Keystone federation (figure: the Rackspace public OpenStack cloud and the ICS private OpenStack cloud).

Slide 9: Peer-to-Peer vs Circle-of-Trust
- Peer-to-peer federation: trust between a pair of tenants; a specific set of actions between the two tenants; only the trusted tenant is involved (figure: pairs Tenant A / Tenant B).
- Circle-of-trust federation: trust between a group of tenants; similar policies and rules; acceptance of all tenants in the circle (figure: Tenants A to F in one circle).

Slide 10: Authentication vs Authorization
- Authentication federation: authenticating users (as well as services and applications) at a cloud service provider other than their registered identity provider. Protocols: SAML, OAuth, OpenID, SSO. Question answered: is the user the one she claims to be?
- Authorization federation: determining which permissions federated users receive on federated resources and services. Protocols: SAML, OAuth. Question answered: what permissions should she be granted?
- Authorization federation depends on authenticated users.

Slide 11: Scope of Contribution
The taxonomy of slide 6 with the scope of this work: Service (SaaS, PaaS, IaaS); Platform (homogeneous, heterogeneous); Trust (circle-of-trust, peer-to-peer); Identity (authentication, authorization). The contributions address authorization federation in cloud IaaS for both trust types.

Slide 12: Scope of Contributed Models
Cloud IaaS
- Multi-tenant, multi-cloud, peer-to-peer: MC MT-RBAC
- Multi-tenant cloud
  - Peer-to-peer: MT-ABAC
  - Circle-of-trust, homogeneous circles: MT-RBA
  - Circle-of-trust, heterogeneous circles: MT-RABA

Slide 13: Administrative Domains
- Cloud domain: administration of services (compute, storage, network and identity) and of tenant domains. Cloud bursting.
- Tenant domain: administration of resources (users, groups and projects in OpenStack). Resource federation (cross-tenant access).

Slide 14: Peer-to-Peer Federation Models
Same taxonomy as slide 12; the following slides cover its peer-to-peer branch (MC MT-RBAC and MT-ABAC).

Slide 15: Peer-to-Peer Federation Trust
Properties of a peer-to-peer trust relation:
- Initiation: bilateral or unilateral
- Direction: bidirectional or unidirectional
- Transitivity: transitive or non-transitive
Tenant-trust, as used in this work, is unilateral, unidirectional and non-transitive.

Slide 16: P2P Trust Types Use Case
UTSA and BoA contract:
- BoA employees can get UTSA courses at discounted rates.
- UTSA students can get student accounts at BoA.
- BoA can select courses for its employee students at UTSA.
Figure: the trust relation between UTSA and BoA.

Slide 17: P2P Trust Types Use Case
- BoA employees can get UTSA courses at discounted rates: UTSA can assign BoA employees to courses.
- UTSA students can get student accounts at BoA.
- BoA can select courses for its employee students at UTSA.
Figure: the UTSA-BoA trust relation that authorizes this case.
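The tenant-trust properties of slide 15 (unilateral, unidirectional, non-transitive) and the UTSA/BoA contract, worked as an added example in Python. This is not code from the dissertation or from OpenStack: the trust kinds `trustor_assigns` and `trustee_assigns`, the third tenant Chase, the role names, and the choice that UTSA nominates its own students for BoA student accounts are assumptions made for the example.

```python
"""Added example: tenant-trust check for cross-tenant user-role assignment.

Models a tenant-trust relation that is unilateral (established by the
trustor alone), unidirectional (UTSA trusting BoA says nothing about BoA
trusting UTSA) and non-transitive (trust does not chain through a third
tenant). The two trust kinds below are assumed names for the two
assignment patterns in the UTSA/BoA use case.
"""
from dataclasses import dataclass, field

TRUSTOR_ASSIGNS = "trustor_assigns"  # trustor's admin places trustee's users in trustor's roles
TRUSTEE_ASSIGNS = "trustee_assigns"  # trustee's admin places its own users in trustor's roles


@dataclass(frozen=True)
class Trust:
    trustor: str  # tenant that exposes its roles
    trustee: str  # tenant whose users may be placed in those roles
    kind: str


@dataclass
class Federation:
    users: dict = field(default_factory=dict)       # user -> home tenant
    roles: dict = field(default_factory=dict)       # role -> owning tenant
    trusts: set = field(default_factory=set)        # established Trust records
    assignments: set = field(default_factory=set)   # (user, role) pairs

    def establish_trust(self, trustor, trustee, kind):
        # Unilateral: only the trustor acts; the trustee is not consulted.
        self.trusts.add(Trust(trustor, trustee, kind))

    def trust_kinds(self, trustor, trustee):
        # Unidirectional: the (trustor, trustee) order is part of the lookup.
        return {t.kind for t in self.trusts
                if t.trustor == trustor and t.trustee == trustee}

    def can_assign(self, admin_tenant, user, role):
        user_tenant, role_tenant = self.users[user], self.roles[role]
        if user_tenant == role_tenant:
            # Ordinary intra-tenant RBAC: only the owning tenant's admin.
            return admin_tenant == role_tenant
        # Non-transitive: only a direct trust from the role owner towards the
        # user's home tenant counts; paths through other tenants are ignored.
        kinds = self.trust_kinds(role_tenant, user_tenant)
        if admin_tenant == role_tenant:
            return TRUSTOR_ASSIGNS in kinds
        if admin_tenant == user_tenant:
            return TRUSTEE_ASSIGNS in kinds
        return False

    def assign(self, admin_tenant, user, role):
        if not self.can_assign(admin_tenant, user, role):
            raise PermissionError(f"{admin_tenant} may not assign {user} to {role}")
        self.assignments.add((user, role))


def demo():
    """Constructed scenario: the UTSA/BoA contract plus a third tenant, Chase."""
    fed = Federation()
    fed.users.update({"alice": "BoA", "bob": "UTSA", "carol": "Chase"})
    fed.roles.update({"cs101": "UTSA", "student-account": "BoA", "cardholder": "Chase"})
    # UTSA exposes its courses to BoA: UTSA enrols BoA employees itself, and
    # BoA may also select courses for its employees (slides 17 and 18).
    fed.establish_trust("UTSA", "BoA", TRUSTOR_ASSIGNS)
    fed.establish_trust("UTSA", "BoA", TRUSTEE_ASSIGNS)
    # BoA exposes student accounts to UTSA and lets UTSA nominate its students
    # (assumption: the use case does not say which side assigns).
    fed.establish_trust("BoA", "UTSA", TRUSTEE_ASSIGNS)
    # Chase trusts BoA only; there is no Chase -> UTSA trust.
    fed.establish_trust("Chase", "BoA", TRUSTOR_ASSIGNS)

    results = {
        "utsa_enrols_boa_employee": fed.can_assign("UTSA", "alice", "cs101"),
        "boa_selects_course":       fed.can_assign("BoA", "alice", "cs101"),
        "utsa_nominates_student":   fed.can_assign("UTSA", "bob", "student-account"),
        "boa_picks_utsa_student":   fed.can_assign("BoA", "bob", "student-account"),
        # unidirectional: Chase -> BoA exists, BoA -> Chase does not
        "boa_takes_chase_user":     fed.can_assign("BoA", "carol", "student-account"),
        # non-transitive: Chase -> BoA and BoA -> UTSA do not yield Chase -> UTSA
        "chase_takes_utsa_user":    fed.can_assign("Chase", "bob", "cardholder"),
        "chase_takes_boa_user":     fed.can_assign("Chase", "alice", "cardholder"),
    }
    fed.assign("UTSA", "alice", "cs101")
    try:
        fed.assign("BoA", "bob", "student-account")
        results["denied_raises"] = False
    except PermissionError:
        results["denied_raises"] = True
    results["assignments"] = sorted(fed.assignments)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The check deliberately looks up the trust record only in the direction role owner to user's home tenant and never walks the relation, which is what makes the relation unidirectional and non-transitive; a graph reachability check in its place would silently turn the model into a transitive one.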

Slide 18: P2P Trust Types Use Case
- BoA employees can get UTSA courses at discounted rates: BoA can assign its employees to UTSA courses.
- UTSA students can get student accounts at BoA.
- BoA can select courses for its employee students at UTSA.
Figure: the UTSA-BoA trust relation that authorizes this case.

Slides 19-20: P2P Trust Types Use Case
The same three contract items, each shown with the UTSA-BoA trust type that authorizes it.

Slide 21: Multi-Cloud MT-RBAC
Multi-Cloud Multi-Tenant Role-Based Access Control:
- Homogeneous multi-cloud IaaS (OpenStack).
- Peer-to-peer federation between tenants across cloud service providers.
- Federates user-role assignments.
- Trust is defined as tenant-trust.
- Trust types authorize user-role assignments.

Slide 22: Keystone to Keystone Federation
Reference: OpenStack Paris Summit 2014, "Keystone to Keystone Federation", https://www.openstack.org/summit/openstack-paris-summit-2014/session-videos/presentation/keystone-to-keystone-federation (2014).

Slide 23: Multi-Cloud MT-RBAC in OpenStack
Figure: Cloud 1 with Domain A and its ProjectRole-Pair; Cloud 2 with Domain B, its domain_admin and its ProjectRole-Pair.

Slide 24: Attribute-Based Access Control (ABAC)
- Attributes are name:value pairs representing user and resource properties.
- Attributes are associated with users (UATT), objects (OATT), tenants and contexts.
- Authorization policies convert attributes into rights: evaluated at access time, over entity attributes, for a set of actions.
Figure: users (U), objects (O) and actions (A) with their attribute associations feed the authorization policy, which produces the access decision.

Slide 25: Multi-Tenant Attribute-Based Access Control (MT-ABAC)
- Multi-tenant cloud IaaS.
- Peer-to-peer federation.
- Federates attribute assignments.
- Trust is defined as tenant-trust.
- Trust types authorize attribute assignments.

Slide 26: Contributed Models
Same taxonomy as slide 12; the following slides cover its circle-of-trust branch (MT-RBA and MT-RABA).
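The ABAC mechanism of slide 24 (user, object, tenant and context attributes converted to an access decision by the owner's policy at access time) together with the trust-gated attribute assignment of slide 25, worked as an added example in Python. It is not code from the dissertation or from OpenStack; the tenants ICS, CERN and Acme, the attribute names, the policy rules, the change-window rule and the rule that a tenant may assign attributes to a foreign user only if it trusts that user's home tenant are assumptions made for the example.

```python
"""Added example: attribute-based authorization across tenants.

Attributes are name:value pairs on users (UATT), objects (OATT), tenants
and the request context; the object owner's policy turns them into an
allow/deny for one action at access time. Cross-tenant attribute
assignment is gated by tenant trust. Every tenant, user, object,
attribute name, policy rule and trust relation here is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Tenant:
    name: str
    trusts: set = field(default_factory=set)   # tenant attribute: trustee tenants (one direction)


@dataclass
class Store:
    tenants: dict = field(default_factory=dict)  # name -> Tenant
    uatt: dict = field(default_factory=dict)     # user -> attribute dict
    oatt: dict = field(default_factory=dict)     # object -> attribute dict

    def assign_user_attr(self, assigner, user, name, value):
        """Add a value to a set-valued user attribute. A tenant may do this for
        a foreign user only if it trusts that user's home tenant (assumed
        semantics for 'trust types authorize attribute assignments')."""
        home = self.uatt[user]["tenant"]
        if assigner != home and home not in self.tenants[assigner].trusts:
            raise PermissionError(f"{assigner} does not trust {home}")
        self.uatt[user].setdefault(name, set()).add(value)

    def authorize(self, user, action, obj, ctx):
        """Policy of the object's owning tenant, evaluated at access time."""
        u, o = self.uatt[user], self.oatt[obj]
        owner = self.tenants[o["tenant"]]
        # Tenant attribute check: a foreign user is considered only when the
        # owner trusts the user's home tenant.
        if u["tenant"] != owner.name and u["tenant"] not in owner.trusts:
            return False
        in_project = o["project"] in u.get("projects", set())
        if action == "read":
            return in_project and u["clearance"] >= o["sensitivity"]
        if action == "start":
            # Context attribute: instances may be started only inside the
            # assumed change window of 08:00-18:00 UTC.
            return in_project and 8 <= ctx["hour_utc"] < 18
        return False


def demo():
    """Constructed scenario: ICS trusts CERN; Acme is trusted by nobody."""
    s = Store()
    s.tenants["ICS"] = Tenant("ICS", trusts={"CERN"})
    s.tenants["CERN"] = Tenant("CERN")
    s.tenants["Acme"] = Tenant("Acme")
    s.uatt["alice"] = {"tenant": "CERN", "clearance": 2}
    s.uatt["bob"] = {"tenant": "ICS", "clearance": 1, "projects": {"lhc-sim"}}
    s.uatt["dave"] = {"tenant": "Acme", "clearance": 3, "projects": {"lhc-sim"}}
    s.oatt["vm-42"] = {"tenant": "ICS", "project": "lhc-sim", "sensitivity": 2}
    day, night = {"hour_utc": 10}, {"hour_utc": 22}

    r = {"alice_read_before": s.authorize("alice", "read", "vm-42", day)}
    s.assign_user_attr("ICS", "alice", "projects", "lhc-sim")   # allowed: ICS trusts CERN
    r["alice_read_after"] = s.authorize("alice", "read", "vm-42", day)
    r["bob_read"] = s.authorize("bob", "read", "vm-42", day)     # clearance 1 < sensitivity 2
    r["bob_start_day"] = s.authorize("bob", "start", "vm-42", day)
    r["bob_start_night"] = s.authorize("bob", "start", "vm-42", night)
    r["dave_read"] = s.authorize("dave", "read", "vm-42", day)   # Acme is not trusted by ICS
    try:
        s.assign_user_attr("CERN", "bob", "projects", "cern-data")   # CERN does not trust ICS
        r["cern_tags_ics_user"] = True
    except PermissionError:
        r["cern_tags_ics_user"] = False
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two separate gates are visible here: the assignment gate decides who may give a foreign user an attribute, and the access-time policy decides what that attribute buys, so a trusted tenant still cannot exceed the owner's clearance or time-window rules.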

Slide 27: Circle-of-Trust Federation Trust
- Homogeneous circles: multilateral, bidirectional, transitive.
- Heterogeneous circles: multilateral, unidirectional, non-transitive.

Slide 28: CoT Trust Types Use Case
UT System circle-of-trust federation (UT, UTA, UTD, UTSA):
- UT System students can take courses at any UT campus.
- Students can access libraries across the UT System.

Slide 29: CoT Trust Types Use Case
- UT System students can take courses at any UT campus: UTSA can assign students from the UT System to its courses.

Slide 30: CoT Trust Types Use Case
- Students can access libraries across the UT System: UTA can assign its students to libraries in the UT System.

Slide 31: Multi-Tenant Role-Based Access Control in Circle
- Multi-tenant cloud IaaS.
- Circle-of-trust federation with homogeneous circles.
- Federates user-role assignments.
- Trust is defined as tenant-trust.
- Trust types authorize user-role assignments.

Slide 32: Circle Use Case
- Heterogeneous circle of BoA, Chase, UTSA, Geico and Allstate.
- Each tenant can make user-role assignments, based on its tenant type, into a domain.
- UTSA can assign its students to discounted insurance offers and to student accounts.
Figure: University domain (UTSA), Insurance domain (Geico, Allstate), Bank domain (BoA, Chase).

Slide 33: Multi-Tenant Role-Centric Attribute-Based Access Control
- Multi-tenant cloud IaaS.
- Circle-of-trust federation with heterogeneous circles.
- Attributes are associated with tenants, users and objects.
- Tenant attributes separate tenants by a tenant-type attribute.
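The two circle kinds of slide 27, the UT System use case of slides 28-30 and the heterogeneous circle of slides 32-33, worked as an added example in Python. It is not code from the dissertation or from OpenStack; the circle names, the fourth campus UTEP, the tenant-type policy table and the rule that a tenant in a heterogeneous circle assigns only its own users are assumptions made for the example.

```python
"""Added example: circle-of-trust checks for cross-tenant user-role assignment.

Homogeneous circle (multilateral, bidirectional, transitive): joining the
circle establishes trust with every member, so any member may pull another
member's users into its roles or push its own users into another member's
roles. Heterogeneous circle (multilateral, unidirectional, non-transitive):
each member carries a tenant-type attribute and a policy table lists which
type may place its own users into which domain; the table is consulted
directly, so entries do not chain. All names and the table are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Circle:
    name: str
    members: set = field(default_factory=set)
    tenant_type: dict = field(default_factory=dict)  # tenant -> type (heterogeneous only)
    policy: set = field(default_factory=set)         # (assigner type, target domain type)

    @property
    def homogeneous(self):
        return not self.tenant_type

    def join(self, tenant, tenant_type=None):
        # Acceptance of all tenants in the circle: one join replaces pairwise trust.
        self.members.add(tenant)
        if tenant_type is not None:
            self.tenant_type[tenant] = tenant_type

    def can_assign(self, assigner, user_tenant, role_tenant):
        """May `assigner` place a user of `user_tenant` into a role of `role_tenant`?"""
        if not {assigner, user_tenant, role_tenant} <= self.members:
            return False
        if self.homogeneous:
            # Bidirectional: the assigner only needs to own one side of the pair.
            return assigner in (user_tenant, role_tenant)
        # Heterogeneous: a tenant assigns only its own users, and only into a
        # domain that its own type is allowed to target (unidirectional);
        # no lookup chains through a third type (non-transitive).
        if assigner != user_tenant:
            return False
        return (self.tenant_type[assigner], self.tenant_type[role_tenant]) in self.policy


def demo():
    ut = Circle("UT System")
    for campus in ("UTA", "UTD", "UTSA"):
        ut.join(campus)
    ut.join("UTEP")  # assumption: a fourth campus joins later, with no pairwise setup

    mixed = Circle("BoA-Chase-UTSA-Geico-Allstate")
    for tenant, kind in (("BoA", "bank"), ("Chase", "bank"), ("UTSA", "university"),
                         ("Geico", "insurance"), ("Allstate", "insurance")):
        mixed.join(tenant, kind)
    # Assumed policy table: universities place students into insurance offers
    # and student bank accounts, insurers place users into bank roles, banks
    # place employees into university courses. Nothing targets insurers from
    # banks, and nothing targets universities from insurers.
    mixed.policy = {("university", "insurance"), ("university", "bank"),
                    ("insurance", "bank"), ("bank", "university")}

    return {
        # slide 29: UTSA enrols a UTD student in its course
        "utsa_enrols_utd_student": ut.can_assign("UTSA", "UTD", "UTSA"),
        # slide 30: UTA gives its student a library role at UTD
        "uta_student_library_utd": ut.can_assign("UTA", "UTA", "UTD"),
        # transitive via membership: UTEP never set up trust with UTSA directly
        "utep_student_library_utsa": ut.can_assign("UTEP", "UTEP", "UTSA"),
        # a member may not assign between two other members
        "utd_moves_uta_user_to_utsa": ut.can_assign("UTD", "UTA", "UTSA"),
        "outsider": ut.can_assign("UTSA", "Rice", "UTSA"),
        # slide 32: UTSA assigns its students to Geico offers and BoA accounts
        "utsa_to_geico": mixed.can_assign("UTSA", "UTSA", "Geico"),
        "utsa_to_boa": mixed.can_assign("UTSA", "UTSA", "BoA"),
        # unidirectional: insurance -> bank is in the table, bank -> insurance is not
        "allstate_to_chase": mixed.can_assign("Allstate", "Allstate", "Chase"),
        "chase_to_allstate": mixed.can_assign("Chase", "Chase", "Allstate"),
        # non-transitive: insurance -> bank and bank -> university do not give
        # insurance -> university
        "boa_to_utsa": mixed.can_assign("BoA", "BoA", "UTSA"),
        "allstate_to_utsa": mixed.can_assign("Allstate", "Allstate", "UTSA"),
        # heterogeneous: a bank cannot pull a university's users into its roles
        "boa_pulls_utsa_user": mixed.can_assign("BoA", "UTSA", "BoA"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The contrast worth noticing is where the trust lives: in the homogeneous circle it is membership itself, so a new member is trusted by everyone at once; in the heterogeneous circle membership only admits a tenant to the table, and the tenant-type attribute decides which assignments are possible.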

Slide 34: Questions?
Summary of contributions:
- Peer-to-peer policy: multi-cloud multi-tenant role-based model; multi-tenant attribute-based model.
- Circle-of-trust policy: multi-tenant role-based access control model in circle; multi-tenant role-centric attribute-based access control model.
- Implementation: federated-cloud role-based tenant trust.
