Access control in IaaS multi-cloud heterogeneous environments

SETTE, Ioram Schechtman

Access control in IaaS multi-cloud heterogeneous environments

Detalhes bibliográficos
Autor(a) principal:	SETTE, Ioram Schechtman
Data de Publicação:	2016
Tipo de documento:	Tese
Idioma:	eng
Título da fonte:	Repositório Institucional da UFPE
dARK ID:	ark:/64986/001300000w825
Texto Completo:	https://repositorio.ufpe.br/handle/123456789/22436
Resumo:	Multiple Cloud Service Providers (CSPs) coexist nowadays offering their services competitively. To avoid vendor lock-in, users hire many services from an outsourced heterogeneous multi-cloud environment. This way, data and system security usually depend on isolated mechanism existing in each provider. Access Control (AC) mechanisms are responsible for the authentication, identification and authorisation of users to resources. In the case of a multi-cloud environment, users often need to authenticate multiple times and also to define security policies for each CSP, which can possibly result in inconsistencies. The objective of this thesis is to provide a homogeneous access experience for users of heterogeneous multi-cloud services. Identity federations allow the Single Sign-On (SSO), i.e. users are identified and authenticated once by Identity Providers (IdPs) and gain access to trusted federated services. Nevertheless, authorisation federations or AC federations are not usual. Each cloud service uses to have its own AC mechanism, with their own policy definition languages. This work defines a solution that provides homogeneous authentication and authorisation to multiple heterogeneous Infrastructure as a Service (IaaS) platforms. This is possible through Identity Federations and Authorisation Policy Federations (APFs). In this solution, security policies are centrally stored in a “Disjunctive Normal Form (DNF)” and are semantically defined in terms of an Ontology. Therefore, cloud tenants can create APFs and bind their different accounts to them. Thus, global authorisation rules, defined and managed by the APF, can be enforced on all federated member accounts, providing a homogeneous access experience. A system prototype, composed of a central Policy Administration Point (PAP), called Federated Authorisation Policy Management Service (FAPManS), policy adaptors (translators) and a policy synchronization mechanism, was implemented for OpenStack and Amazon Web Services (AWS) cloud platforms. An ontology was also created based on their access control technologies. The “Level of Semantic Equivalence (LSE)” was defined as a metric that gives the percentage of policy rules that could be translated to the ontology terms. In the validation of this solution, authorization policies based on examples publicly provided by OpenStack and AWS were converted to ontology-based global rules and vice-versa with LSE above 80%.

Metadados do item

id	UFPE_a80dc707eebc5ed16e327401b03e35f1
oai_identifier_str	oai:repositorio.ufpe.br:123456789/22436
network_acronym_str	UFPE
network_name_str	Repositório Institucional da UFPE
repository_id_str	2221
spelling	SETTE, Ioram Schechtmanhttp://lattes.cnpq.br/4304915270065653http://lattes.cnpq.br/7716805104151473FERRAZ, Carlos André GuimarãesCHADWICK, David Walter2017-11-30T16:45:19Z2017-11-30T16:45:19Z2016-08-11https://repositorio.ufpe.br/handle/123456789/22436ark:/64986/001300000w825Multiple Cloud Service Providers (CSPs) coexist nowadays offering their services competitively. To avoid vendor lock-in, users hire many services from an outsourced heterogeneous multi-cloud environment. This way, data and system security usually depend on isolated mechanism existing in each provider. Access Control (AC) mechanisms are responsible for the authentication, identification and authorisation of users to resources. In the case of a multi-cloud environment, users often need to authenticate multiple times and also to define security policies for each CSP, which can possibly result in inconsistencies. The objective of this thesis is to provide a homogeneous access experience for users of heterogeneous multi-cloud services. Identity federations allow the Single Sign-On (SSO), i.e. users are identified and authenticated once by Identity Providers (IdPs) and gain access to trusted federated services. Nevertheless, authorisation federations or AC federations are not usual. Each cloud service uses to have its own AC mechanism, with their own policy definition languages. This work defines a solution that provides homogeneous authentication and authorisation to multiple heterogeneous Infrastructure as a Service (IaaS) platforms. This is possible through Identity Federations and Authorisation Policy Federations (APFs). In this solution, security policies are centrally stored in a “Disjunctive Normal Form (DNF)” and are semantically defined in terms of an Ontology. Therefore, cloud tenants can create APFs and bind their different accounts to them. Thus, global authorisation rules, defined and managed by the APF, can be enforced on all federated member accounts, providing a homogeneous access experience. A system prototype, composed of a central Policy Administration Point (PAP), called Federated Authorisation Policy Management Service (FAPManS), policy adaptors (translators) and a policy synchronization mechanism, was implemented for OpenStack and Amazon Web Services (AWS) cloud platforms. An ontology was also created based on their access control technologies. The “Level of Semantic Equivalence (LSE)” was defined as a metric that gives the percentage of policy rules that could be translated to the ontology terms. In the validation of this solution, authorization policies based on examples publicly provided by OpenStack and AWS were converted to ontology-based global rules and vice-versa with LSE above 80%.CNPQMúltiplos provedores de computação em nuvem convivem hoje ofertando seus serviços de forma competitiva. Para evitar dependência (o chamado vendor lock-in), usuários utilizam muitos serviços em ambiente terceirizado e heterogêneo multi-nuvens. Desta forma, a segurança de dados e sistemas depende normalmente de mecanismos existentes isoladamente em cada um dos provedores. Mecanismos de controle de acesso são responsáveis pela autenticação, identificação e autorização dos usuários aos recursos. No caso de ambiente multi-nuvens, usuários geralmente precisam se autenticar diversas vezes e definir políticas de segurança para cada um dos serviços, que possivelmente podem apresentar inconsistências. O objetivo desta tese é proporcionar aos usuários de sistemas heterogêneos multi-nuvens uma experiência de acesso homogênea a estes serviços. Federações de identidade proporcionam o Single Sign-On (SSO), ou seja, os usuários são identificados e autenticados por provedores de identidade (IdPs) uma única vez e, através de protocolos como OpenID Connect, SAML ou ABFAB, recebem acesso a serviços federados com os quais possuem relação de confiança. No entanto, federações de autorização ou de políticas de controle de acesso não são comuns. Cada serviço de nuvem costuma ter seu próprio mecanismo de controle de acesso, com linguagens próprias de definição de políticas. Este trabalho define uma solução que provê autenticação e autorização homogêneas a usuários de múltiplos serviços de computação em nuvem heterogêneos no modelo de Infraestrutura como Serviço (IaaS). Isso é possível através de federações de identidade e de políticas de autorização. Nesta solução, políticas de segurança são armazenadas de forma centralizada no padrão “DNF” com semântica definida em uma Ontologia. Portanto, clientes de nuvens podem criar “Federações de Políticas de Autorização (APFs)” e associar suas contas em cada provedor a estas federações. Desta forma, regras de autorização globais, definidas e gerenciadas pela APF, passam a valer em todas as contas que fazem parte da federação, garantindo uma experiência homogênea de acesso. Um protótipo do sistema, composto de um Ponto de Administração de Políticas (PAP) centralizado e mecanismos de tradução e sincronismo de políticas, foi implementado para nuvens OpenStack e Amazon Web Services (AWS). Uma ontologia também foi definida baseada no controle de acesso destas tecnologias. A métrica “nível de equivalência semântica (LSE)” foi definida para calcular o percentual de regras de uma política que pode ser traduzido para termos de uma ontologia. Na validação da solução, políticas de autorização baseadas em exemplos fornecidos por OpenStack e AWS foram convertidos para regras globais, baseadas na ontologia, e vice-versa, com nível de equivalência semântica superior a 80%.engUniversidade Federal de PernambucoPrograma de Pos Graduacao em Ciencia da ComputacaoUFPEBrasilAttribution-NonCommercial-NoDerivs 3.0 Brazilhttp://creativecommons.org/licenses/by-nc-nd/3.0/br/info:eu-repo/semantics/openAccessCiência da computaçãoComputação em nuvemAccess control in IaaS multi-cloud heterogeneous environmentsinfo:eu-repo/semantics/publishedVersioninfo:eu-repo/semantics/doctoralThesisdoutoradoreponame:Repositório Institucional da UFPEinstname:Universidade Federal de Pernambuco (UFPE)instacron:UFPETHUMBNAILIoram_Sette_PhD_Thesis.pdf.jpgIoram_Sette_PhD_Thesis.pdf.jpgGenerated Thumbnailimage/jpeg1228https://repositorio.ufpe.br/bitstream/123456789/22436/5/Ioram_Sette_PhD_Thesis.pdf.jpgbf687912ad912fc549c6666e87790586MD55ORIGINALIoram_Sette_PhD_Thesis.pdfIoram_Sette_PhD_Thesis.pdfapplication/pdf10382850https://repositorio.ufpe.br/bitstream/123456789/22436/1/Ioram_Sette_PhD_Thesis.pdfa2a362f0971460d5758e3cf1ff71db96MD51CC-LICENSElicense_rdflicense_rdfapplication/rdf+xml; charset=utf-8811https://repositorio.ufpe.br/bitstream/123456789/22436/2/license_rdfe39d27027a6cc9cb039ad269a5db8e34MD52LICENSElicense.txtlicense.txttext/plain; charset=utf-82311https://repositorio.ufpe.br/bitstream/123456789/22436/3/license.txt4b8a02c7f2818eaf00dcf2260dd5eb08MD53TEXTIoram_Sette_PhD_Thesis.pdf.txtIoram_Sette_PhD_Thesis.pdf.txtExtracted texttext/plain532237https://repositorio.ufpe.br/bitstream/123456789/22436/4/Ioram_Sette_PhD_Thesis.pdf.txtd9551147e5bbca9101426e091516d0b2MD54123456789/224362019-10-25 10:04:12.207oai:repositorio.ufpe.br:123456789/22436TGljZW7Dp2EgZGUgRGlzdHJpYnVpw6fDo28gTsOjbyBFeGNsdXNpdmEKClRvZG8gZGVwb3NpdGFudGUgZGUgbWF0ZXJpYWwgbm8gUmVwb3NpdMOzcmlvIEluc3RpdHVjaW9uYWwgKFJJKSBkZXZlIGNvbmNlZGVyLCDDoCBVbml2ZXJzaWRhZGUgRmVkZXJhbCBkZSBQZXJuYW1idWNvIChVRlBFKSwgdW1hIExpY2Vuw6dhIGRlIERpc3RyaWJ1acOnw6NvIE7Do28gRXhjbHVzaXZhIHBhcmEgbWFudGVyIGUgdG9ybmFyIGFjZXNzw612ZWlzIG9zIHNldXMgZG9jdW1lbnRvcywgZW0gZm9ybWF0byBkaWdpdGFsLCBuZXN0ZSByZXBvc2l0w7NyaW8uCgpDb20gYSBjb25jZXNzw6NvIGRlc3RhIGxpY2Vuw6dhIG7Do28gZXhjbHVzaXZhLCBvIGRlcG9zaXRhbnRlIG1hbnTDqW0gdG9kb3Mgb3MgZGlyZWl0b3MgZGUgYXV0b3IuCl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXwoKTGljZW7Dp2EgZGUgRGlzdHJpYnVpw6fDo28gTsOjbyBFeGNsdXNpdmEKCkFvIGNvbmNvcmRhciBjb20gZXN0YSBsaWNlbsOnYSBlIGFjZWl0w6EtbGEsIHZvY8OqIChhdXRvciBvdSBkZXRlbnRvciBkb3MgZGlyZWl0b3MgYXV0b3JhaXMpOgoKYSkgRGVjbGFyYSBxdWUgY29uaGVjZSBhIHBvbMOtdGljYSBkZSBjb3B5cmlnaHQgZGEgZWRpdG9yYSBkbyBzZXUgZG9jdW1lbnRvOwpiKSBEZWNsYXJhIHF1ZSBjb25oZWNlIGUgYWNlaXRhIGFzIERpcmV0cml6ZXMgcGFyYSBvIFJlcG9zaXTDs3JpbyBJbnN0aXR1Y2lvbmFsIGRhIFVGUEU7CmMpIENvbmNlZGUgw6AgVUZQRSBvIGRpcmVpdG8gbsOjbyBleGNsdXNpdm8gZGUgYXJxdWl2YXIsIHJlcHJvZHV6aXIsIGNvbnZlcnRlciAoY29tbyBkZWZpbmlkbyBhIHNlZ3VpciksIGNvbXVuaWNhciBlL291IGRpc3RyaWJ1aXIsIG5vIFJJLCBvIGRvY3VtZW50byBlbnRyZWd1ZSAoaW5jbHVpbmRvIG8gcmVzdW1vL2Fic3RyYWN0KSBlbSBmb3JtYXRvIGRpZ2l0YWwgb3UgcG9yIG91dHJvIG1laW87CmQpIERlY2xhcmEgcXVlIGF1dG9yaXphIGEgVUZQRSBhIGFycXVpdmFyIG1haXMgZGUgdW1hIGPDs3BpYSBkZXN0ZSBkb2N1bWVudG8gZSBjb252ZXJ0w6otbG8sIHNlbSBhbHRlcmFyIG8gc2V1IGNvbnRlw7pkbywgcGFyYSBxdWFscXVlciBmb3JtYXRvIGRlIGZpY2hlaXJvLCBtZWlvIG91IHN1cG9ydGUsIHBhcmEgZWZlaXRvcyBkZSBzZWd1cmFuw6dhLCBwcmVzZXJ2YcOnw6NvIChiYWNrdXApIGUgYWNlc3NvOwplKSBEZWNsYXJhIHF1ZSBvIGRvY3VtZW50byBzdWJtZXRpZG8gw6kgbyBzZXUgdHJhYmFsaG8gb3JpZ2luYWwgZSBxdWUgZGV0w6ltIG8gZGlyZWl0byBkZSBjb25jZWRlciBhIHRlcmNlaXJvcyBvcyBkaXJlaXRvcyBjb250aWRvcyBuZXN0YSBsaWNlbsOnYS4gRGVjbGFyYSB0YW1iw6ltIHF1ZSBhIGVudHJlZ2EgZG8gZG9jdW1lbnRvIG7Do28gaW5mcmluZ2Ugb3MgZGlyZWl0b3MgZGUgb3V0cmEgcGVzc29hIG91IGVudGlkYWRlOwpmKSBEZWNsYXJhIHF1ZSwgbm8gY2FzbyBkbyBkb2N1bWVudG8gc3VibWV0aWRvIGNvbnRlciBtYXRlcmlhbCBkbyBxdWFsIG7Do28gZGV0w6ltIG9zIGRpcmVpdG9zIGRlCmF1dG9yLCBvYnRldmUgYSBhdXRvcml6YcOnw6NvIGlycmVzdHJpdGEgZG8gcmVzcGVjdGl2byBkZXRlbnRvciBkZXNzZXMgZGlyZWl0b3MgcGFyYSBjZWRlciDDoApVRlBFIG9zIGRpcmVpdG9zIHJlcXVlcmlkb3MgcG9yIGVzdGEgTGljZW7Dp2EgZSBhdXRvcml6YXIgYSB1bml2ZXJzaWRhZGUgYSB1dGlsaXrDoS1sb3MgbGVnYWxtZW50ZS4gRGVjbGFyYSB0YW1iw6ltIHF1ZSBlc3NlIG1hdGVyaWFsIGN1am9zIGRpcmVpdG9zIHPDo28gZGUgdGVyY2Vpcm9zIGVzdMOhIGNsYXJhbWVudGUgaWRlbnRpZmljYWRvIGUgcmVjb25oZWNpZG8gbm8gdGV4dG8gb3UgY29udGXDumRvIGRvIGRvY3VtZW50byBlbnRyZWd1ZTsKZykgU2UgbyBkb2N1bWVudG8gZW50cmVndWUgw6kgYmFzZWFkbyBlbSB0cmFiYWxobyBmaW5hbmNpYWRvIG91IGFwb2lhZG8gcG9yIG91dHJhIGluc3RpdHVpw6fDo28gcXVlIG7Do28gYSBVRlBFLMKgZGVjbGFyYSBxdWUgY3VtcHJpdSBxdWFpc3F1ZXIgb2JyaWdhw6fDtWVzIGV4aWdpZGFzIHBlbG8gcmVzcGVjdGl2byBjb250cmF0byBvdSBhY29yZG8uCgpBIFVGUEUgaWRlbnRpZmljYXLDoSBjbGFyYW1lbnRlIG8ocykgbm9tZShzKSBkbyhzKSBhdXRvciAoZXMpIGRvcyBkaXJlaXRvcyBkbyBkb2N1bWVudG8gZW50cmVndWUgZSBuw6NvIGZhcsOhIHF1YWxxdWVyIGFsdGVyYcOnw6NvLCBwYXJhIGFsw6ltIGRvIHByZXZpc3RvIG5hIGFsw61uZWEgYykuCg==Repositório InstitucionalPUBhttps://repositorio.ufpe.br/oai/requestattena@ufpe.bropendoar:22212019-10-25T13:04:12Repositório Institucional da UFPE - Universidade Federal de Pernambuco (UFPE)false
dc.title.pt_BR.fl_str_mv	Access control in IaaS multi-cloud heterogeneous environments
title	Access control in IaaS multi-cloud heterogeneous environments
spellingShingle	Access control in IaaS multi-cloud heterogeneous environments SETTE, Ioram Schechtman Ciência da computação Computação em nuvem
title_short	Access control in IaaS multi-cloud heterogeneous environments
title_full	Access control in IaaS multi-cloud heterogeneous environments
title_fullStr	Access control in IaaS multi-cloud heterogeneous environments
title_full_unstemmed	Access control in IaaS multi-cloud heterogeneous environments
title_sort	Access control in IaaS multi-cloud heterogeneous environments
author	SETTE, Ioram Schechtman
author_facet	SETTE, Ioram Schechtman
author_role	author
dc.contributor.authorLattes.pt_BR.fl_str_mv	http://lattes.cnpq.br/4304915270065653
dc.contributor.advisorLattes.pt_BR.fl_str_mv	http://lattes.cnpq.br/7716805104151473
dc.contributor.author.fl_str_mv	SETTE, Ioram Schechtman
dc.contributor.advisor1.fl_str_mv	FERRAZ, Carlos André Guimarães
dc.contributor.advisor-co1.fl_str_mv	CHADWICK, David Walter
contributor_str_mv	FERRAZ, Carlos André Guimarães CHADWICK, David Walter
dc.subject.por.fl_str_mv	Ciência da computação Computação em nuvem
topic	Ciência da computação Computação em nuvem
description	Multiple Cloud Service Providers (CSPs) coexist nowadays offering their services competitively. To avoid vendor lock-in, users hire many services from an outsourced heterogeneous multi-cloud environment. This way, data and system security usually depend on isolated mechanism existing in each provider. Access Control (AC) mechanisms are responsible for the authentication, identification and authorisation of users to resources. In the case of a multi-cloud environment, users often need to authenticate multiple times and also to define security policies for each CSP, which can possibly result in inconsistencies. The objective of this thesis is to provide a homogeneous access experience for users of heterogeneous multi-cloud services. Identity federations allow the Single Sign-On (SSO), i.e. users are identified and authenticated once by Identity Providers (IdPs) and gain access to trusted federated services. Nevertheless, authorisation federations or AC federations are not usual. Each cloud service uses to have its own AC mechanism, with their own policy definition languages. This work defines a solution that provides homogeneous authentication and authorisation to multiple heterogeneous Infrastructure as a Service (IaaS) platforms. This is possible through Identity Federations and Authorisation Policy Federations (APFs). In this solution, security policies are centrally stored in a “Disjunctive Normal Form (DNF)” and are semantically defined in terms of an Ontology. Therefore, cloud tenants can create APFs and bind their different accounts to them. Thus, global authorisation rules, defined and managed by the APF, can be enforced on all federated member accounts, providing a homogeneous access experience. A system prototype, composed of a central Policy Administration Point (PAP), called Federated Authorisation Policy Management Service (FAPManS), policy adaptors (translators) and a policy synchronization mechanism, was implemented for OpenStack and Amazon Web Services (AWS) cloud platforms. An ontology was also created based on their access control technologies. The “Level of Semantic Equivalence (LSE)” was defined as a metric that gives the percentage of policy rules that could be translated to the ontology terms. In the validation of this solution, authorization policies based on examples publicly provided by OpenStack and AWS were converted to ontology-based global rules and vice-versa with LSE above 80%.
publishDate	2016
dc.date.issued.fl_str_mv	2016-08-11
dc.date.accessioned.fl_str_mv	2017-11-30T16:45:19Z
dc.date.available.fl_str_mv	2017-11-30T16:45:19Z
dc.type.status.fl_str_mv	info:eu-repo/semantics/publishedVersion
dc.type.driver.fl_str_mv	info:eu-repo/semantics/doctoralThesis
format	doctoralThesis
status_str	publishedVersion
dc.identifier.uri.fl_str_mv	https://repositorio.ufpe.br/handle/123456789/22436
dc.identifier.dark.fl_str_mv	ark:/64986/001300000w825
url	https://repositorio.ufpe.br/handle/123456789/22436
identifier_str_mv	ark:/64986/001300000w825
dc.language.iso.fl_str_mv	eng
language	eng
dc.rights.driver.fl_str_mv	Attribution-NonCommercial-NoDerivs 3.0 Brazil http://creativecommons.org/licenses/by-nc-nd/3.0/br/ info:eu-repo/semantics/openAccess
rights_invalid_str_mv	Attribution-NonCommercial-NoDerivs 3.0 Brazil http://creativecommons.org/licenses/by-nc-nd/3.0/br/
eu_rights_str_mv	openAccess
dc.publisher.none.fl_str_mv	Universidade Federal de Pernambuco
dc.publisher.program.fl_str_mv	Programa de Pos Graduacao em Ciencia da Computacao
dc.publisher.initials.fl_str_mv	UFPE
dc.publisher.country.fl_str_mv	Brasil
publisher.none.fl_str_mv	Universidade Federal de Pernambuco
dc.source.none.fl_str_mv	reponame:Repositório Institucional da UFPE instname:Universidade Federal de Pernambuco (UFPE) instacron:UFPE
instname_str	Universidade Federal de Pernambuco (UFPE)
instacron_str	UFPE
institution	UFPE
reponame_str	Repositório Institucional da UFPE
collection	Repositório Institucional da UFPE
bitstream.url.fl_str_mv	https://repositorio.ufpe.br/bitstream/123456789/22436/5/Ioram_Sette_PhD_Thesis.pdf.jpg https://repositorio.ufpe.br/bitstream/123456789/22436/1/Ioram_Sette_PhD_Thesis.pdf https://repositorio.ufpe.br/bitstream/123456789/22436/2/license_rdf https://repositorio.ufpe.br/bitstream/123456789/22436/3/license.txt https://repositorio.ufpe.br/bitstream/123456789/22436/4/Ioram_Sette_PhD_Thesis.pdf.txt
bitstream.checksum.fl_str_mv	bf687912ad912fc549c6666e87790586 a2a362f0971460d5758e3cf1ff71db96 e39d27027a6cc9cb039ad269a5db8e34 4b8a02c7f2818eaf00dcf2260dd5eb08 d9551147e5bbca9101426e091516d0b2
bitstream.checksumAlgorithm.fl_str_mv	MD5 MD5 MD5 MD5 MD5
repository.name.fl_str_mv	Repositório Institucional da UFPE - Universidade Federal de Pernambuco (UFPE)
repository.mail.fl_str_mv	attena@ufpe.br
_version_	1814448373947695104

Access control in IaaS multi-cloud heterogeneous environments

Registros relacionados