Access control in IaaS multi-cloud heterogeneous environments

Bibliographic details
Main author: SETTE, Ioram Schechtman
Publication date: 2016
Document type: Thesis
Language: eng
Source title: Repositório Institucional da UFPE
dARK ID: ark:/64986/001300000z10x
Full text: https://repositorio.ufpe.br/handle/123456789/22436
Abstract: Multiple Cloud Service Providers (CSPs) coexist nowadays offering their services competitively. To avoid vendor lock-in, users hire many services from an outsourced heterogeneous multi-cloud environment. This way, data and system security usually depend on isolated mechanisms existing in each provider. Access Control (AC) mechanisms are responsible for the authentication, identification and authorisation of users to resources. In the case of a multi-cloud environment, users often need to authenticate multiple times and also to define security policies for each CSP, which can possibly result in inconsistencies. The objective of this thesis is to provide a homogeneous access experience for users of heterogeneous multi-cloud services. Identity federations allow Single Sign-On (SSO), i.e. users are identified and authenticated once by Identity Providers (IdPs) and gain access to trusted federated services. Nevertheless, authorisation federations or AC federations are not usual. Each cloud service usually has its own AC mechanism, with its own policy definition language. This work defines a solution that provides homogeneous authentication and authorisation to multiple heterogeneous Infrastructure as a Service (IaaS) platforms. This is possible through Identity Federations and Authorisation Policy Federations (APFs). In this solution, security policies are centrally stored in a “Disjunctive Normal Form (DNF)” and are semantically defined in terms of an Ontology. Therefore, cloud tenants can create APFs and bind their different accounts to them. Thus, global authorisation rules, defined and managed by the APF, can be enforced on all federated member accounts, providing a homogeneous access experience.
A system prototype, composed of a central Policy Administration Point (PAP), called Federated Authorisation Policy Management Service (FAPManS), policy adaptors (translators) and a policy synchronization mechanism, was implemented for OpenStack and Amazon Web Services (AWS) cloud platforms. An ontology was also created based on their access control technologies. The “Level of Semantic Equivalence (LSE)” was defined as a metric that gives the percentage of policy rules that could be translated to the ontology terms. In the validation of this solution, authorization policies based on examples publicly provided by OpenStack and AWS were converted to ontology-based global rules and vice-versa with LSE above 80%.
id UFPE_a80dc707eebc5ed16e327401b03e35f1
oai_identifier_str oai:repositorio.ufpe.br:123456789/22436
network_acronym_str UFPE
network_name_str Repositório Institucional da UFPE
repository_id_str 2221
author SETTE, Ioram Schechtman
author_facet SETTE, Ioram Schechtman
author_role author
dc.contributor.authorLattes.pt_BR.fl_str_mv http://lattes.cnpq.br/4304915270065653
dc.contributor.advisorLattes.pt_BR.fl_str_mv http://lattes.cnpq.br/7716805104151473
dc.contributor.author.fl_str_mv SETTE, Ioram Schechtman
dc.contributor.advisor1.fl_str_mv FERRAZ, Carlos André Guimarães
dc.contributor.advisor-co1.fl_str_mv CHADWICK, David Walter
contributor_str_mv FERRAZ, Carlos André Guimarães
CHADWICK, David Walter
dc.subject.por.fl_str_mv Ciência da computação
Computação em nuvem
topic Ciência da computação
Computação em nuvem
publishDate 2016
dc.date.issued.fl_str_mv 2016-08-11
dc.date.accessioned.fl_str_mv 2017-11-30T16:45:19Z
dc.date.available.fl_str_mv 2017-11-30T16:45:19Z
dc.type.status.fl_str_mv info:eu-repo/semantics/publishedVersion
dc.type.driver.fl_str_mv info:eu-repo/semantics/doctoralThesis
format doctoralThesis
status_str publishedVersion
dc.identifier.uri.fl_str_mv https://repositorio.ufpe.br/handle/123456789/22436
dc.identifier.dark.fl_str_mv ark:/64986/001300000z10x
url https://repositorio.ufpe.br/handle/123456789/22436
identifier_str_mv ark:/64986/001300000z10x
dc.language.iso.fl_str_mv eng
language eng
dc.rights.driver.fl_str_mv Attribution-NonCommercial-NoDerivs 3.0 Brazil
http://creativecommons.org/licenses/by-nc-nd/3.0/br/
info:eu-repo/semantics/openAccess
rights_invalid_str_mv Attribution-NonCommercial-NoDerivs 3.0 Brazil
http://creativecommons.org/licenses/by-nc-nd/3.0/br/
eu_rights_str_mv openAccess
dc.publisher.none.fl_str_mv Universidade Federal de Pernambuco
dc.publisher.program.fl_str_mv Programa de Pos Graduacao em Ciencia da Computacao
dc.publisher.initials.fl_str_mv UFPE
dc.publisher.country.fl_str_mv Brasil
publisher.none.fl_str_mv Universidade Federal de Pernambuco
dc.source.none.fl_str_mv reponame:Repositório Institucional da UFPE
instname:Universidade Federal de Pernambuco (UFPE)
instacron:UFPE
instname_str Universidade Federal de Pernambuco (UFPE)
instacron_str UFPE
institution UFPE
reponame_str Repositório Institucional da UFPE
collection Repositório Institucional da UFPE
bitstream.url.fl_str_mv https://repositorio.ufpe.br/bitstream/123456789/22436/5/Ioram_Sette_PhD_Thesis.pdf.jpg
https://repositorio.ufpe.br/bitstream/123456789/22436/1/Ioram_Sette_PhD_Thesis.pdf
https://repositorio.ufpe.br/bitstream/123456789/22436/2/license_rdf
https://repositorio.ufpe.br/bitstream/123456789/22436/3/license.txt
https://repositorio.ufpe.br/bitstream/123456789/22436/4/Ioram_Sette_PhD_Thesis.pdf.txt
repository.name.fl_str_mv Repositório Institucional da UFPE - Universidade Federal de Pernambuco (UFPE)
repository.mail.fl_str_mv attena@ufpe.br
_version_ 1815172948977254400