Institute for Cyber Security Multi-Tenant Access Control for Cloud Services World-Leading Research with Real-World Impact! 1 PhD Dissertation Defense Bo.

Slides:



Advertisements
Similar presentations
ROWLBAC – Representing Role Based Access Control in OWL
Advertisements

Towards Secure Information Sharing Models for Community Cyber Security Ravi Sandhu, Ram Krishnan and Gregory B. White Institute for Cyber Security University.
Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu
A Usage-based Authorization Framework for Collaborative Computing Systems Xinwen Zhang George Mason University Masayuki Nakae NEC Corporation Michael J.
Institute for Cyber Security
A Role-Based Delegation Model and some extensions By: Ezedin S.Barka Ravi Sandhu George Mason University.
© 2012 Open Grid Forum Simplifying Inter-Clouds October 10, 2012 Hyatt Regency Hotel Chicago, Illinois, USA.
Data Management Expert Panel - WP2. WP2 Overview.
Trust Management of Services in Cloud Environments:
Role-Based Access Control CS461/ECE422 Fall 2011.
1 Cloud Computing Prof. Ravi Sandhu Executive Director and Endowed Chair April 12, © Ravi Sandhu World-Leading.
System Center 2012 R2 Overview
Adopting Provenance-based Access Control in OpenStack Cloud IaaS October, 2014 NSS Presentation Institute for Cyber Security University of Texas at San.
Access Control RBAC Database Activity Monitoring.
RBAC and Usage Control System Security. Role Based Access Control Enterprises organise employees in different roles RBAC maps roles to access rights After.
Secure Cyber Incident Information Sharing UTSA Team Leads Dr. Ram Krishnan, Assistant Professor, ECE Dr. Ravi Sandhu, Executive Director, ICS April 30,
Institute for Cyber Security Extending OpenStack Access Control with Domain Trust World-Leading Research with Real-World Impact! 1 Bo Tang and Ravi Sandhu.
Notes to the presenter. I would like to thank Jim Waldo, Jon Bostrom, and Dennis Govoni. They helped me put this presentation together for the field.
Distributed Computer Security 8.2 Discretionary Access Control Models - Sai Phalgun Tatavarthy.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.
Secure Information and Resource Sharing in CloudSecure Information and Resource Sharing in Cloud References OSAC-SID Model [1]K. Harrison and G. White.
ADVANCED LINUX SECURITY. Abstract : Using mandatory access control greatly increases the security of an operating system. SELinux, which is an implementation.
Cloud computing Tahani aljehani.
11 World-Leading Research with Real-World Impact! A Formal Model for Isolation Management in Cloud Infrastructure-as-a-Service Khalid Zaman Bijon, Ram.
1 World-Leading Research with Real-World Impact! Authorization Federation in IaaS Multi Cloud Navid Pustchi, Ram Krishnan and Ravi Sandhu SCC 2015.
Institute for Cyber Security Multi-Tenant Access Control for Collaborative Cloud Services CS6393 Spring 2014 PhD Seminar Bo Tang April 11, 2014 © ICS at.
Institute for Cyber Security A Multi-Tenant RBAC Model for Collaborative Cloud Services Bo Tang, Qi Li and Ravi Sandhu Presented by Bo Tang at The 11 th.
UTSA Amy(Yun) Zhang, Ram Krishnan, Ravi Sandhu Institute for Cyber Security University of Texas at San Antonio San Antonio, TX Nov 03, 2014 Presented.
1 Multi Cloud Navid Pustchi April 25, 2014 World-Leading Research with Real-World Impact!
Security in Virtual Laboratory System Jan Meizner Supervisor: dr inż. Marian Bubak Consultancy: dr inż. Maciej Malawski Master of Science Thesis.
Secure Cyber Incident Information Sharing UTSA Team Leads Dr. Ram Krishnan, Assistant Professor, ECE Dr. Ravi Sandhu, Professor (CS) and Executive Director.
70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 5: Active Directory Logical Design.
Institute for Cyber Security Cross-Tenant Trust Models in Cloud Computing Bo Tang and Ravi Sandhu IRI Aug 14-16, 2013 San Francisco, CA © ICS at UTSA World-Leading.
1 Grand Challenges in Authorization Systems Prof. Ravi Sandhu Executive Director and Endowed Chair November 14, 2011
Institute for Cyber Security Multi-Tenancy Authorization Models for Collaborative Cloud Services Bo Tang, Ravi Sandhu, and Qi Li Presented by Bo Tang ©
1 Globus Toolkit Security Rachana Ananthakrishnan Frank Siebenlist Argonne National Laboratory.
AN INTEGRATED FRAMEWORK FOR VO-ORIENTED AUTHORIZATION, POLICY-BASED MANAGEMENT AND ACCOUNTING Andrea Caltroni 3, Vincenzo Ciaschini 1, Andrea Ferraro 1,
ROLE BASED ACCESS CONTROL 1 Group 4 : Lê Qu ố c Thanh Tr ầ n Vi ệ t Tu ấ n Anh.
An answer to your common XACML dilemmas Asela Pathberiya Senior Software Engineer.
CSCE 201 Introduction to Information Security Fall 2010 Access Control Models.
Computer Security: Principles and Practice
1 AHM, 2–4 Sept 2003 e-Science Centre GRID Authorization Framework for CCLRC Data Portal Ananta Manandhar.
CSC 8320 Advanced Operating System Discretionary Access Control Models Presenter: Ke Gao Instructor: Professor Zhang.
1 XACML for RBAC and CADABRA Constrained Delegation and Attribute-Based Role Assignment Brian Garback © Brian Garback 2005.
1 Views of Cloud Computing Prof. Ravi Sandhu Executive Director and Endowed Chair March 25, © Ravi Sandhu.
1 Authorization Federation in Multi-Tenant Multi-Cloud IaaS Navid Pustchi Advisor: Prof. Ravi Sandhu.
1 Secure Cloud Computing: A Research Perspective Prof. Ravi Sandhu Executive Director and Endowed Chair Texas Fresh Air Big Data and Data Analytics Conference.
Presented By: Smriti Bhatt
Institute for Cyber Security
Institute for Cyber Security
VIRTUALIZATION & CLOUD COMPUTING
Access Control Model for the Hadoop Ecosystem
Institute for Cyber Security
Institute for Cyber Security
Past, Present and Future
Institute for Cyber Security
Federated IdM Across Heterogeneous Clouding Environment
XACML and the Cloud.
World-Leading Research with Real-World Impact!
Infrastructure Provisioning Kenon Owens Sr
UTSA's New Center Center for Security and Privacy Enhanced Cloud Computing (C-SPECC) Ravi Sandhu Executive Director of ICS and C-SPECC Professor.
World-Leading Research with Real-World Impact!
Institute for Cyber Security
Institute for Cyber Security
Institute for Cyber Security
Views of Cloud Computing
Assured Information Sharing
Institute for Cyber Security
Cyber Security Research: A Personal Perspective
Presentation transcript:

Institute for Cyber Security Multi-Tenant Access Control for Cloud Services World-Leading Research with Real-World Impact! 1 PhD Dissertation Defense Bo Tang Committee Members: Dr. Ravi Sandhu, Chair Dr. Kay Robbins Dr. Gregory White Dr. Weining Zhang Dr. Jaehong Park 07/31/2014

The Cloud World-Leading Research with Real-World Impact! 2

Really? But where is my data? World-Leading Research with Real-World Impact! 3

Really? But where is my data? World-Leading Research with Real-World Impact! 4

Cloud & Multi-Tenancy  Shared infrastructure  [$$$] -----> [$|$|$]  Multi-Tenancy  Isolated workspace for customers  Virtually temporarily dedicated resources  Problem:  How to collaborate across tenants? o Even if across my own tenants? World-Leading Research with Real-World Impact! 5

Define Tenant  All deployment models are multi-tenant  E.g.: public cloud, private cloud and community cloud.  From Cloud Service Provider (CSP) perspective  A billing customer  Manages its own users and cloud resources  The owner of a tenant can be  An individual, an organization or a department in an organization, etc. World-Leading Research with Real-World Impact! 6

Characteristics of Cloud  Centralized Facility  Resource pooling  Self-Service Agility  Each tenant manages its own authorization  Tenants, users and resources are temporary  Homogeneity  Identical or similar architecture and system settings  Out-Sourcing Trust  Built-in collaboration spirit World-Leading Research with Real-World Impact! 7

Multi-Tenant Access Control (MTAC) World-Leading Research with Real-World Impact! 8 Top-Down Approach Chapter 3 Chapter 4 Chapter 5

Motivation World-Leading Research with Real-World Impact! 9

Problem & Thesis  Problem Statement  Thesis Statement World-Leading Research with Real-World Impact! 10 The fact that contemporary cloud services are intrinsically not designed to cultivate collaboration between tenants limits the development of the cloud. Fine-grained access control models in traditional distributed environments are not directly applicable. The problem of multi-tenant access control in the cloud can be partially solved by integrating various types of unidirectional and unilateral trust relations between tenants into role-based and attribute-based access control models.

Chapter 2: Related Work  Centralized Approaches  RBAC extensions: ROBAC, GB-RBAC  Multi-domain role mapping  Decentralized Approaches  RT, dRBAC: credential-based delegation  Delegation models: PBDM, RBDM  Attribute-Based Approaches  NIST ABAC: application framework for collaboration  ABAC models: ABURA, RBAC-A, ABAC α, ABAC β  Enforcement and Implementation  Grid: PERMIS, VOMS, CAS  Web: ABAC for SOA systems  Cloud: centralized authorization service with trust models World-Leading Research with Real-World Impact! 11

Scope and Assumptions  Standardized APIs  Cross-tenant accesses are functionally available  Properly authenticated users  One Cloud Service  Of a kind: IaaS, PaaS or SaaS.  Two-Tenant Trust (rather than community trust)  Unidirectional Trust Relations  “I trust you” does not mean “you trust me”  Unilateral Trust Relations (trustor trusts trustee)  Trustee cannot control the trust relation World-Leading Research with Real-World Impact! 12

Multi-Tenant Access Control (MTAC) World-Leading Research with Real-World Impact! 13 Top-Down Approach Chapter 3 Chapter 4 Chapter 5

MTAS World-Leading Research with Real-World Impact! 14 Formalizing Calero et al work

Tenant Trust  Tenant Trust (TT) relation is not partial order  Reflexive: A ⊴ A  But not transitive: A ⊴ B ∧ B ⊴ C ⇏ A ⊴ C  Neither symmetric: A ⊴ B ⇏ B ⊴ A  Nor anti-symmetric: A ⊴ B ∧ B ⊴ A ⇏ A ≡ B World-Leading Research with Real-World Impact! 15

Administrative MTAS  Tenants are managed by CSP  on self-service basis  Each tenant administer:  Trust relations with other tenants  Entity components: o users, roles and permissions  UA, PA and RH assignments o Cross-tenant assignments are issued by the trustee (t1)  UA: trustor (t2) users to trustee (t1) roles  PA: trustee (t1) permissions to trustor (t2) roles  RH: trustee (t1) roles junior to trustor (t2) roles World-Leading Research with Real-World Impact! 16 Tenant t2 R2 Tenant t1 P2 u2 R1 P1 u1 t2 β-trusts t1 RH UA PA

Fine-grained Trust Extensions  Problem of MTAS trust model  Over exposure of trustor’s authorization information  Trustor-Centric Public Role (TCPR)  Expose only the trustor’s public roles o E.g.: OS expose only the dev.OS role to all the trustees  Relation-Centric Public Role (RCPR)  Expose public roles specific for each trust relation o E.g.: OS expose only the dev.OS role to E when OS trusts E World-Leading Research with Real-World Impact! 17

Trust Types Between Tenants  Intuitive Trust (Type-α)  Delegations: RT, PBDM, etc.  Trustor gives access to trustee o Trustor has full control  MTAS trust (Type-β)  Trustee gives access to trustor  Other Types?  Trustee takes access from trustor (Type-γ)  Trustor takes access from trustee (Type-δ)  And more? World-Leading Research with Real-World Impact! 18

Example of Cross-Tenant Trust  Example:  Type-α: E trusts OS so that E can say [$].  Type-β: OS trusts E so that E can say [$].  Type-γ: E trusts OS so that OS can say [$].  Type-δ: OS trusts E so that OS can say [$]. World-Leading Research with Real-World Impact! 19 OS E Dev.E Charlie [$]: grant the access

Example of Cross-Tenant Trust  Example:  Type-α: E trusts OS so that E can say [$].  Type-β: OS trusts E so that E can say [$].  Type-γ: E trusts OS so that OS can say [$].  Type-δ: OS trusts E so that OS can say [$]. World-Leading Research with Real-World Impact! 20 OS E Dev.E Charlie [$]: grant the access

Multi-Tenant Access Control (MTAC) World-Leading Research with Real-World Impact! 21 Top-Down Approach Chapter 3 Chapter 4 Chapter 5

MT-RBAC World-Leading Research with Real-World Impact! 22 Issuers: Real-world Owners e.g. E and OS Issuers: Real-world Owners e.g. E and OS Type-γ Trust

Administrative MT-RBAC  Issuers administer tenants  Each issuer administer:  Trust relations from owned tenants  Entity components: o tenants, users, roles and permissions  UA, PA and RH assignments o Cross-tenant assignments are issued by the trustee’s (t2’s) issuer  UA: trustee (t2) users to trustor (t1) roles  RH: trustor (t1) roles junior to trustee (t2) roles o Cross-tenant PA assignments are intentionally banned  PA: trustee (t2) assign trustor (t1) permissions to trustee (t2) roles  Problem: » Trustor cannot revoke PA other than remove the trust World-Leading Research with Real-World Impact! 23 Tenant t2 R2 Tenant t1 P2 u2 R1 P1 u1 t1 γ-trusts t2 RH UA

Finer-grained Trust Models  MT-RBAC0: Base Model  Trustor exposes all the roles to trustees  MT-RBAC1: Trustee-Independent Public Role (TIPR)  Expose only the trustor’s public roles o E.g.: E expose only the dev.E role to all the trustees  MT-RBAC2: Trustee-Dependent Public Role (TDPR)  Expose public roles specific for each trustee o E.g.: E expose only the dev.E role to OS when E trusts OS World-Leading Research with Real-World Impact! 24

Constraints  Cyclic Role Hierarchy: lead to implicit role upgrades in the role hierarchy  SoD: conflict of duties  Tenant-level o E.g.: SOX compliant companies may not hire the same company for both consulting and auditing.  Role-level o Checks across tenants  Chinese Wall: conflict of interests among tenants o E.g.: never share resources with competitors. World-Leading Research with Real-World Impact! 25 Tenant 2 M1M2 Tenant 1 E1E2

Multi-Tenant Access Control (MTAC) World-Leading Research with Real-World Impact! 26 Top-Down Approach Chapter 3 Chapter 4 Chapter 5

CTTM Trust Types  Four potential trust types:  Type-α: trustor can give access to trustee. (e.g. RT)  Type-β: trustee can give access to trustor. (e.g. MTAS)  Type-γ: trustee can take access from trustor. (e.g. MT- RBAC)  Type-δ: trustor can take access from trustee. o No meaningful use case, since the trustor holds all the control of the cross-tenant assignments of the trustee’s permissions. World-Leading Research with Real-World Impact! 27

Formalized CTTM Model World-Leading Research with Real-World Impact! 28

Role-Based CTTM World-Leading Research with Real-World Impact! 29

Multi-Tenant Access Control (MTAC) World-Leading Research with Real-World Impact! 30 Top-Down Approach Chapter 3 Chapter 4 Chapter 5

MT-ABAC World-Leading Research with Real-World Impact! 31 γ-trustee: {t2} tid: t1 γ-trustee: {t2} tid: t1 uid: u2 utid: t2 uid: u2 utid: t2 oid: o1 otid: t1 oid: o1 otid: t1 sowner: u2 sid: s2 sowner: u2 sid: s2

Multi-Tenant Access Example World-Leading Research with Real-World Impact! 32

Real-World Clouds  AWS  Collaboration between accounts o E.g.: E trusts OS  Unilateral trust relation (Type-α) o The trustor needs to map the roles  OpenStack  User-level delegation (trust) can be established  Cross-domain assignments bear no control World-Leading Research with Real-World Impact! 33

Multi-Tenant Access Control (MTAC) World-Leading Research with Real-World Impact! 34 Top-Down Approach Chapter 3 Chapter 4 Chapter 5

MTAaaS Platform Prototype  Centralized (Chosen)  Centralized PDP with distributed PEP o Pros: easy management o Cons: volume of requests may be high  Decentralized  Distributed PDP and PEP o Pros: requests handling o Cons: keep decision consistent World-Leading Research with Real-World Impact! 35

Example MTAS policy structure World-Leading Research with Real-World Impact! 36 OS β-trusts E

MT-RBAC2 Policy Example World-Leading Research with Real-World Impact! 37 tr γ-trusts te

Experiment Environment World-Leading Research with Real-World Impact! 38  FlexCloud Testbed  PEP×8: SmartOS / CPU Cap=350 / 256MB RAM  PDP: 64-bit CentOS 6 / 1-, 2-, 4-, 8-, 16-Units  ATC: SmartOS / CPU Cap=350 / 1GB RAM  PEPs in a same network which is different with PDP’s 1 unit = 1CPU/1GB RAM

Evaluation: Performance  MT-RBAC vs RBAC  More policy references incur more decision time  MT-RBAC2 introduces 12 ms authz. overhead. World-Leading Research with Real-World Impact! 39 PDP PerformanceClient-End Performance when downloading 1KB file

Evaluation: Performance  MTAS introduces 12 ms authz. overhead. World-Leading Research with Real-World Impact! 40 PDP Response Delay with various PEP amount PDP Response Delay with various hardware capability and 1k tenants

Evaluation: Scalability  Scalable in terms of both  PDP hardware capacity  Policy complexity World-Leading Research with Real-World Impact! 41 Policy Complexity Scalability Results

Multi-Tenant Access Control (MTAC) World-Leading Research with Real-World Impact! 42 Top-Down Approach Chapter 3 Chapter 4 Chapter 5

OSAC World-Leading Research with Real-World Impact! 43

AOSAC World-Leading Research with Real-World Impact! 44 Cloud Admin Domain A Admin Project A1 Admin Project A2 Admin Domain B Admin Project B1 Admin Project B2 Admin Source:

Trust Framework World-Leading Research with Real-World Impact! 45

Prototype & Evaluation  Sequential request handling (Queuing)  Domain trust introduces 0.7% authz. Overhead  Scalability changes little with domain trust World-Leading Research with Real-World Impact! 46 PerformanceScalability

Chapter 6: Conclusion  Policy  MTAS: role-based Type-β trust  MT-RBAC: role-based Type-γ trust  CTTM: trust type taxonomy for role-based models  MT-ABAC: attribute-based model trusts  Enforcement  MTAaaS: centralized PDP with distributed PEP  Implementation  Domain Trust in OpenStack World-Leading Research with Real-World Impact! 47

Chapter 6: Future Work  MT-ABAC  Finer-grained extensions  Administration, enforcement and implementation.  More and finer-grained trust models  Trust negotiation and graded trust relations  More MTAC models  MT-PBAC, MT-RAdAC, etc.  Attribute-based MTAC models in OpenStack World-Leading Research with Real-World Impact! 48

Publications  Bo Tang and Ravi Sandhu. Extending OpenStack Access Control with Domain Trust. In Proceedings 8th International Conference on Network and System Security (NSS), Xi’an China, October  Bo Tang, Ravi Sandhu and Qi Li. Multi-Tenancy Authorization Models for Collaborative Cloud Services. Concurrency and Computation: Practice & Experience (CCPE), WILEY, (under review)  Bo Tang and Ravi Sandhu. Cross-Tenant Trust Models in Cloud Computing. In Proceedings 14th IEEE Conference on Information Reuse and Integration (IRI), San Francisco, California, August  Bo Tang, Qi Li and Ravi Sandhu. A Multi-Tenant RBAC Model for Collaborative Cloud Services. In Proceedings 11th IEEE Conference on Privacy, Security and Trust (PST), Tarragona, Spain, July  Bo Tang, Ravi Sandhu and Qi Li. Multi-Tenancy Authorization Models for Collaborative Cloud Services. In Proc. 14th IEEE Conference on Collaboration Technologies and Systems (CTS), San Diego, California, May World-Leading Research with Real-World Impact! 49

Institute for Cyber Security World-Leading Research with Real-World Impact! 50

Institute for Cyber Security World-Leading Research with Real-World Impact! 51