Dynamic Access Control Infrastructure for On-demand Provisioned Cloud Services
Canh Ngo
SNE Group, University of Amsterdam
OGF-ISOD 33
Lyon, September 19-21, 2011
Agenda
• Introduction
– Scenario
– Motivation
• Proposals on a Security Infrastructure for On-demand Provisioned Cloud Services
– Security Reference Model
– Trust Relationship Model
– Dynamic Access Control Infrastructure
• Implementations
• Summary
ISOD, OGF33, 19-21 Sept 2011, Lyon
Introduction
Scenario
Figure: multi-provider IaaS scenario. Companies A, B and C each operate a virtual security domain composed of virtual resources obtained from Cloud Provider 1 and Cloud Provider 2.
• Cloud IaaS
• Multi-provider
• Multi-tenant
• Service Lifecycle Management
Introduction
Motivation
Security context management issues:
• Integration with service lifecycles
• Context delivery and synchronization of isolated operations among multiple tenants
• Binding end-user operations to separate customers/tenants
Trust management:
• Trust model proposal
• Trust establishment protocols: establish a trust path / trust chain between end-users and virtualized resources through the supply chain of providers
• Bootstrapping protocols for trusted virtualized devices
Identity and access control management:
• Authorization policy management: keeping policies synchronized with reconfigurable resources
• Identity management, access control
• Support for virtual security domains across multiple Cloud providers
Delegation: delegation of security services/tools to customers/tenants
Security for On-demand Provisioned Cloud Services
Security Reference Model
Figure: layered reference model with the following components:
• Common Security Service Interface (CSSI) proposal
• Common Security Service Layer
• Dynamic Access Control Infrastructure (DACI) proposal
• Trust Management (dynamic trust establishment, bootstrapping): trust model proposal, trust establishment protocols, bootstrapping processes
• Authentication & Identity Management
• Authorization & Policy Management
• SLA Management
• Security Context Management
• Security Service Lifecycle Management (SSLM)
Security for On-demand Provisioned Cloud Services
Trust Relationship Model
Cryptography-based trust model with trust transitivity.
Building trust paths from end-users to virtualized resources:
• Trust-path establishment protocols
• Bootstrapping for trusted virtualized resources
• Dynamic Security Association
Figure: trust graph from the End-user through VIO1 and VIO2, VIP1 to VIP3 and PIP1 to PIP4 down to the Virtual Resource; the legend distinguishes static trust links from dynamic trust links.
PIP: Physical Infrastructure Provider
VIP: Virtual Infrastructure Provider
VIO: Virtual Infrastructure Operator
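The trust-path idea on this slide, worked through as an added Go example (not code from the GAAA-ISOD toolkit or the GEYSERS project): each provider signs a link vouching for the next party's key, and the end-user verifies the chain by transitivity from the single key it already trusts (its VIO) down to the virtual resource. The party names, the Ed25519 signatures, the link byte format and the assumption that the provider-to-resource link is the "dynamic" one are choices made for this example, not the slide's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Party is one node on the trust path: end-user, VIO, VIP, PIP or a virtual resource.
type Party struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewParty generates a fresh Ed25519 key pair for the named party.
func NewParty(name string) *Party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no entropy: nothing sensible to do
	}
	return &Party{Name: name, Pub: pub, priv: priv}
}

// TrustLink is a signed statement by Issuer that SubjectKey belongs to Subject.
// Dynamic is assumed here to mark the link created at provisioning time (provider
// to virtual resource); it is signed so a verifier could apply policy to it.
type TrustLink struct {
	Issuer     string
	Subject    string
	SubjectKey ed25519.PublicKey
	Dynamic    bool
	Sig        []byte
}

// linkBytes is the canonical byte string covered by the link signature.
func linkBytes(l TrustLink) []byte {
	return []byte(fmt.Sprintf("%s|%s|%x|%t", l.Issuer, l.Subject, l.SubjectKey, l.Dynamic))
}

// Vouch has p sign a trust link for subject.
func (p *Party) Vouch(subject *Party, dynamic bool) TrustLink {
	l := TrustLink{Issuer: p.Name, Subject: subject.Name, SubjectKey: subject.Pub, Dynamic: dynamic}
	l.Sig = ed25519.Sign(p.priv, linkBytes(l))
	return l
}

// VerifyTrustPath applies trust transitivity: starting from the one party the
// end-user already trusts (the anchor), each link must be issued by the party
// established by the previous link and must verify under that party's key.
// It returns nil only if the chain ends at target.
func VerifyTrustPath(anchor *Party, target string, chain []TrustLink) error {
	curName, curKey := anchor.Name, anchor.Pub
	for i, l := range chain {
		if l.Issuer != curName {
			return fmt.Errorf("link %d: issuer %q is not the trusted endpoint %q", i, l.Issuer, curName)
		}
		if !ed25519.Verify(curKey, linkBytes(l), l.Sig) {
			return fmt.Errorf("link %d: signature by %q does not verify", i, l.Issuer)
		}
		curName, curKey = l.Subject, l.SubjectKey
	}
	if curName != target {
		return fmt.Errorf("path ends at %q, not at %q", curName, target)
	}
	return nil
}

// Scenario builds the constructed path VIO1 -> VIP1 -> PIP1 -> VirtualResource and
// returns the outcome of three checks: the honest chain, a chain whose last link
// was re-pointed at an attacker's key, and a chain with a provider missing.
func Scenario() (honest, tampered, gap error) {
	vio1, vip1, pip1 := NewParty("VIO1"), NewParty("VIP1"), NewParty("PIP1")
	vr, rogue := NewParty("VirtualResource"), NewParty("RogueResource")
	chain := []TrustLink{
		vio1.Vouch(vip1, false), // static provider-to-provider links
		vip1.Vouch(pip1, false),
		pip1.Vouch(vr, true), // dynamic link created when the resource is provisioned
	}
	honest = VerifyTrustPath(vio1, "VirtualResource", chain)
	// A rogue party re-points the last link at its own key: PIP1's signature no longer covers it.
	bad := make([]TrustLink, len(chain))
	copy(bad, chain)
	bad[2].SubjectKey = rogue.Pub
	tampered = VerifyTrustPath(vio1, "VirtualResource", bad)
	// Dropping VIP1's link leaves PIP1 unvouched for: transitivity has no step that reaches it.
	gap = VerifyTrustPath(vio1, "VirtualResource", []TrustLink{chain[0], chain[2]})
	return
}

func main() {
	honest, tampered, gap := Scenario()
	fmt.Println("honest chain:  ", honest)
	fmt.Println("tampered chain:", tampered)
	fmt.Println("chain with gap:", gap)
}
```

The point a practitioner should take from this is that the end-user never needs to know the PIP or the resource in advance: every hop is checked against the key established by the hop before it, so the only configuration on the user side is the anchor. Real deployments would also carry validity periods and revocation in each link, which the slide's protocols cover and this example leaves out.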
Security for On-demand Provisioned Cloud Services
Dynamic Access Control Infrastructure
Figure: DACI architecture.
• Common Security Service Interface (CSSI) / SecurityGateway: consolidates a common interface to access the security services
• DACI Management: DACI Configuration, DACI Monitoring, DACI Policy Management, DACI Context Management, DACI Trust Management, DACS Management Service
• Provisioned security services (DACS instance[i]), each containing:
– Authentication Authority: Identity Management Service, Attribute Authority with attribute DB
– SAML-XACML layer
– Authorization Service: PIP (here the XACML Policy Information Point acting as authorization context handler, not the Physical Infrastructure Provider of the trust model), PDP, PAP, Obligation Handler
– Authz-token Authority: Authz Token Service
– DACS Trust Manager
• Authz-policies are updated upon reconfiguring the Virtual Infrastructure
• Dynamic trust establishment: DSA (Dynamic Security Association), bootstrapping
DACI: Dynamic Access Control Infrastructure
DACS: Dynamic Access Control Services
Implementation
GAAA-ISOD Toolkit Library
• Features
– Dynamic authorization policies: XACML authz-policies are generated automatically from predefined templates
– PEP: Common Security Service Interface (CSSI) facilitates integration of virtualized security services with resources
– Security token service: XML-based AuthzToken & AuthzTicket, persistent caches, digital signatures
• Components (figure): Authentication (SAML, X.509, user/password); Authorization (PDP, PEP, PAP); Security Token
• Built on OpenSAML, SunXACML and BouncyCastle (Java crypto library)
Implementation
GEYSERS Project
• Based on the GAAATK-ISOD toolkit
• WP3-dev: Logical Infrastructure Composition Layer (LICL)
– FUSE ESB environment, OSGi bundles
– Packages: AAI (AuthN/Z for LICL, NCP+), DACI (AuthN/Z provisioning for Cloud IaaS)
• WP4-dev: NCP+
– AAI web services
Figure: AAI for LICL (eu.geysers.licl.aai.*) built on the GAAA-ISOD Toolkit: a SecurityGateway exposing AuthnSvc, AuthzSvc and TokenSvc; DACI components (DACI Policy Man., DACI Man., DACI Trust, DACI Context) and DACS.
Implementation
DACS Integration using SecurityGateway library
Figure: a CSSI client calls the VR (virtual resource) service; the call passes through the CSSI/GAAPI Policy Enforcement Point provided by the SecurityGateway library (AuthN, AuthZ, TokenSvc), which in turn uses the DACS instance's Identity Management Service, Authorization Service and Security Token Service.
Tenants/subscribers are isolated by Reservation Id (VI-GRI).
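Tenant isolation by reservation id, as an added Go example rather than the toolkit's XML AuthzToken or SecurityGateway code: the token authority signs claims naming the tenant, the VI-GRI and the permitted actions; the PEP verifies the signature before reading any claim, then rejects a token that is presented against another tenant's reservation, even though the token itself is genuine. The claim names, the dot-separated base64url encoding, the error names and the sample reservation ids are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// AuthzToken stands in for the toolkit's XML AuthzToken; VIGRI is the reservation id that keeps tenants apart.
type AuthzToken struct {
	Subject   string   `json:"sub"`
	Tenant    string   `json:"tenant"`
	VIGRI     string   `json:"vi_gri"`
	Actions   []string `json:"actions"`
	ExpiresAt int64    `json:"exp"`
}

var (
	ErrMalformed        = errors.New("token malformed")
	ErrBadSignature     = errors.New("token signature invalid")
	ErrExpired          = errors.New("token expired")
	ErrWrongTenant      = errors.New("token issued to another tenant")
	ErrWrongReservation = errors.New("token bound to another reservation (VI-GRI)")
	ErrActionDenied     = errors.New("action not granted by token")
)

// TokenService holds the Authz-token Authority's key pair; a PEP needs only pub.
type TokenService struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewTokenService() *TokenService {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no entropy: nothing sensible to do
	}
	return &TokenService{pub: pub, priv: priv}
}

// Issue serialises the claims as "<base64url claims>.<base64url signature>".
func (s *TokenService) Issue(tok AuthzToken) string {
	claims, _ := json.Marshal(tok) // plain struct of strings and ints: cannot fail
	enc := base64.RawURLEncoding
	return enc.EncodeToString(claims) + "." + enc.EncodeToString(ed25519.Sign(s.priv, claims))
}

// RequestCtx is what the PEP knows about the call it enforces: the caller's tenant and reservation, the action, the clock.
type RequestCtx struct {
	Tenant, VIGRI, Action string
	Now                   time.Time
}

// Authorize is the PEP check: verify the signature before reading any claim, then
// validity, then the binding to the caller's tenant and reservation, then the action.
func (s *TokenService) Authorize(serialized string, ctx RequestCtx) error {
	parts := strings.Split(serialized, ".")
	if len(parts) != 2 {
		return ErrMalformed
	}
	claims, errC := base64.RawURLEncoding.DecodeString(parts[0])
	sig, errS := base64.RawURLEncoding.DecodeString(parts[1])
	if errC != nil || errS != nil || !ed25519.Verify(s.pub, claims, sig) {
		return ErrBadSignature
	}
	var tok AuthzToken
	if err := json.Unmarshal(claims, &tok); err != nil {
		return ErrMalformed
	}
	if ctx.Now.Unix() >= tok.ExpiresAt {
		return ErrExpired
	}
	if tok.Tenant != ctx.Tenant {
		return ErrWrongTenant
	}
	if tok.VIGRI != ctx.VIGRI {
		return ErrWrongReservation
	}
	for _, a := range tok.Actions {
		if a == ctx.Action {
			return nil
		}
	}
	return ErrActionDenied
}

func main() {
	svc, now := NewTokenService(), time.Now()
	tok := svc.Issue(AuthzToken{Subject: "alice", Tenant: "companyA", VIGRI: "VI-GRI-0001",
		Actions: []string{"start", "stop"}, ExpiresAt: now.Add(10 * time.Minute).Unix()})
	ctx := RequestCtx{Tenant: "companyA", VIGRI: "VI-GRI-0001", Action: "stop", Now: now}
	fmt.Println("own reservation:  ", svc.Authorize(tok, ctx))
	ctx.VIGRI = "VI-GRI-0002" // the same, genuine token replayed against another tenant's reservation
	fmt.Println("other reservation:", svc.Authorize(tok, ctx))
}
```

The ordering in Authorize is the part worth copying: nothing in the claims is trusted until the signature has been checked, and the tenant and VI-GRI comparisons come from the PEP's own knowledge of the calling context, not from the token, so a valid token cannot be carried across reservations. A persistent token cache, as the toolkit has, would sit in front of this check and must be keyed on the full token string, not on the subject alone.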
Summary
• Future work
– Trust modeling across virtual security domains
– SSLM bootstrapping protocols for virtual devices:
• Trusted Computing Platform Architecture (TCPA)
• Trusted Platform Module (TPM)
– Federated virtualized Identity and Access Control Management
– GAAA-ISOD toolkit implementations with SSLM support for on-demand infrastructure service provisioning
Thank you
Any questions?