Extensible Access Control Framework for Cloud Applications KTH-SEECS Applied Information Security Lab SEECS NUST Implementation Perspective.


Agenda
– Motivation
– Background
  – XACML
  – Access control models
– Our Contribution
  – Research Perspective
  – Implementation Perspective
– Work in Progress
  – Implementation Demo
– Q & A Session

Motivation
Security as a Service (SECaaS) offerings consumed by cloud service consumers:
– Identity aaS
– Access control aaS
– Network Security aaS
– Encryption aaS
– Data protection aaS

Extensible Access Control Framework for Cloud Applications
– Framework: the essential supporting structure of a system
– Access Control: restricting illegal access to the resources under consideration
– Extensible: the ability to extend the system by adding new functionality

What are we providing? An extensible access control framework.

Access Control Models

Is there a holistic solution for deploying these models? Is there any standard set for their implementation?

What do we need? Access control that is:
– Externalized
– Policy based
– Standardized
– Attribute based
– Fine grained
– Dynamic

XACML
XACML stands for eXtensible Access Control Markup Language, a standard ratified by the OASIS standards organization.

Existing Solutions (compared on their enhancements in XACML 3.0)
– ABAC implementation (proprietary)
– Picket-Link XACML implementation (open source)
– XACML PEP in Java, XACML implementation (open source)
– Our solution: Extensible Access Control Framework for Cloud Applications

Why do we need three access control models (ACMs)?
– Identities
– Roles
– Resources

RBAC Issues
– Challenges appear when RBAC is extended across domains
– Does not consider environment attributes
– Not well suited to a highly distributed environment
– Adding or deleting the duties of a role involves updating too many policy stores

Attribute based Access Control (ABAC)
Example subject with attributes: Professor, Software, Teaches (CSP 401), Office (238), Head (SEC lab)

Fine Grained Access Control (FGAC)

Usage based Access Control (UCON)
– Pre-usage decisions
– On-going usage decisions
– Post-usage decisions
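The three decision points above, as an added Python illustration (this is not the lab's code and not part of the original slides): a usage session for a single subject whose remaining quota is a mutable attribute. The pre-usage check authorizes the session, the on-going check is re-evaluated on every chunk transferred and revokes the session when an attribute changes under it, and the post-usage step updates the attribute. The Professor role, the byte quota and the mid-session role change are constructed sample data.

```python
"""UCON-style usage session (added illustration, not the lab's code): pre, on-going and
post-usage decisions over a mutable subject attribute. Roles, quota and chunk sizes are
constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class Subject:
    name: str
    role: str
    quota_bytes: int  # mutable attribute: consumed by usage, updated post-usage


@dataclass
class Session:
    subject: Subject
    resource: str
    state: str = "requesting"  # requesting -> accessing -> ended | revoked, or denied
    consumed: int = 0
    log: list = field(default_factory=list)


def pre_decision(s: Session) -> bool:
    """Pre-usage decision: authorize before any access happens."""
    ok = s.subject.role == "Professor" and s.subject.quota_bytes > 0
    s.state = "accessing" if ok else "denied"
    s.log.append(("pre", ok))
    return ok


def ongoing_decision(s: Session, chunk: int) -> bool:
    """On-going decision: re-checked per chunk against the *current* attribute values,
    so a role revoked or a quota exhausted during usage ends the session."""
    if s.state != "accessing":
        return False
    if s.subject.role != "Professor" or s.consumed + chunk > s.subject.quota_bytes:
        s.state = "revoked"
        s.log.append(("ongoing", False))
        return False
    s.consumed += chunk
    s.log.append(("ongoing", True))
    return True


def post_usage(s: Session) -> Session:
    """Post-usage update: mutate the subject attribute by what was actually consumed."""
    if s.state in ("accessing", "revoked"):
        s.subject.quota_bytes -= s.consumed
        if s.state == "accessing":
            s.state = "ended"
    s.log.append(("post", s.subject.quota_bytes))
    return s


def run_usage(subject: Subject, resource: str, chunks, revoke_role_after=None) -> Session:
    """Drive one session: pre -> on-going per chunk -> post. `revoke_role_after` simulates
    an administrator changing the subject's role while the session is in progress."""
    s = Session(subject, resource)
    if pre_decision(s):
        for i, chunk in enumerate(chunks):
            if revoke_role_after is not None and i == revoke_role_after:
                subject.role = "Guest"  # attribute mutated mid-usage (constructed event)
            if not ongoing_decision(s, chunk):
                break
    return post_usage(s)
```

The point a pure pre-decision model misses is the second and third case in the tests: with quota 100 a 60+60 transfer is authorized up front and only the on-going check stops it, and a role change after the first chunk revokes access without waiting for the next request.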

Contribution
– Research
– Development

Research Contribution
– XACML Profile for Attribute based Access Control
– XACML Profile for Fine Grained Access Control
– XACML Profile for UCON Access Control

XACML Profile
The standard set of OASIS eXtensible Access Control Markup Language (XACML) specifications needed to implement a given access control model xyz is known as the XACML profile for xyz access control.

Development Perspective

Architecture & Workflow
Components: Application, PEPaaS, PDPaaS, PAPaaS, Policy Repository, Attribute Repository, and the protected resources (including 3rd party resources).

Administration workflow (System Administrator):
a) Authenticate the administrator
b) After authentication, redirect the browser to PAPaaS
c) Register users and exchange metadata; store the attributes in the Attribute Repository
d) PAPaaS retrieves attributes from the Attribute Repository when building policies
e) Store the generated XACML policies in the Policy Repository

Runtime workflow (Application User):
1. Authentication
2a. Access an application resource
2b. Redirect to PEPaaS
3. PEPaaS forwards the XACML request to PDPaaS
4a. PDPaaS looks up the policy in the Policy Repository
4b. The applicable policy is returned to PDPaaS
5. PDPaaS evaluates the request against the policy
6. The XACML response is returned to PEPaaS
7. Access granted

PAP Components
– System Learning: 1. Subject 2. Resource 3. Action 4. Environment
– Policy Creation: 1. Condition 2. Target 3. Rule 4. Obligation 5. Policy 6. Policy Set
– XACML Generation: 1. XACML Policy generation 2. XACML PolicySet generation
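As an added example, which is not the lab's code and not any of the implementations named on the Existing Solutions slide, the Python below does in miniature what the PAP components above and the PDPaaS step of the workflow do: it generates an XACML 3.0 Policy (Target, Rule, Condition, Obligation) for the ABAC professor example, and evaluates PEP-style request contexts against it with the deny-overrides rule-combining algorithm. The urn:example:* attribute and obligation ids, the office-hours condition and the deny-delete rule are assumptions made for the demo; the element names, attribute categories, function ids and combining-algorithm id are the ones defined by the XACML 3.0 core specification.

```python
"""Toy XACML 3.0 PAP + PDP (added illustration, not the lab's code) for the slides' ABAC example:
a Professor heading the "SEC lab" may read lab resources in office hours. urn:example:* ids are assumed."""
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ENV = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
F, ACTION_ID = "urn:oasis:names:tc:xacml:1.0:function:", "urn:oasis:names:tc:xacml:1.0:action:action-id"
XS_STRING, XS_INT = "http://www.w3.org/2001/XMLSchema#string", "http://www.w3.org/2001/XMLSchema#integer"
ET.register_namespace("", NS)
q = lambda tag: "{%s}%s" % (NS, tag)  # namespace-qualified element name

def fail(msg):  # how this toy signals an XACML Indeterminate
    raise ValueError(msg)
FUNCTIONS = {  # the subset of standard XACML functions this PDP implements
    F + "string-equal": lambda a, b: a == b,
    F + "integer-less-than": lambda a, b: a < b,
    F + "integer-greater-than-or-equal": lambda a, b: a >= b,
    F + "and": lambda *args: all(args),
    F + "integer-one-and-only": lambda bag: bag[0] if len(bag) == 1 else fail("bag size != 1"),
}

def designator(parent, category, attr_id, dtype=XS_STRING):
    ET.SubElement(parent, q("AttributeDesignator"), Category=category, AttributeId=attr_id,
                  DataType=dtype, MustBePresent="false")
def new_target(parent):  # Target > AnyOf > AllOf; Match elements hang off the AllOf
    anyof = ET.SubElement(ET.SubElement(parent, q("Target")), q("AnyOf"))
    return ET.SubElement(anyof, q("AllOf"))
def add_match(allof, category, attr_id, value):
    m = ET.SubElement(allof, q("Match"), MatchId=F + "string-equal")
    ET.SubElement(m, q("AttributeValue"), DataType=XS_STRING).text = value
    designator(m, category, attr_id)

def build_policy():
    """PAP step: the ABAC example as an XACML 3.0 Policy element tree."""
    policy = ET.Element(q("Policy"), PolicyId="urn:example:policy:sec-lab", Version="1.0",
                        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides")
    add_match(new_target(policy), RESOURCE, "urn:example:resource:lab", "SEC lab")
    # Rule 1: the lab head may read, but only in office hours (9 <= hour < 17).
    permit = ET.SubElement(policy, q("Rule"), RuleId="permit-lab-head", Effect="Permit")
    allof = new_target(permit)
    add_match(allof, SUBJECT, "urn:example:subject:role", "Professor")
    add_match(allof, SUBJECT, "urn:example:subject:head-of", "SEC lab")
    add_match(allof, ACTION, ACTION_ID, "read")
    cond = ET.SubElement(ET.SubElement(permit, q("Condition")), q("Apply"), FunctionId=F + "and")
    for func, bound in ((F + "integer-greater-than-or-equal", 9), (F + "integer-less-than", 17)):
        cmp_ = ET.SubElement(cond, q("Apply"), FunctionId=func)
        one = ET.SubElement(cmp_, q("Apply"), FunctionId=F + "integer-one-and-only")
        designator(one, ENV, "urn:example:environment:hour", XS_INT)
        ET.SubElement(cmp_, q("AttributeValue"), DataType=XS_INT).text = str(bound)
    ET.SubElement(ET.SubElement(permit, q("ObligationExpressions")), q("ObligationExpression"),
                  ObligationId="urn:example:obligation:audit-log", FulfillOn="Permit")
    # Rule 2: nobody deletes lab resources through this policy, whatever Rule 1 says.
    deny = ET.SubElement(policy, q("Rule"), RuleId="deny-delete", Effect="Deny")
    add_match(new_target(deny), ACTION, ACTION_ID, "delete")
    return policy

def eval_expr(el, req):
    """Evaluate an XACML expression; designators return bags (lists)."""
    tag = el.tag[len(NS) + 2:]
    if tag == "AttributeValue":
        return int(el.text) if el.get("DataType") == XS_INT else el.text
    if tag == "AttributeDesignator":
        bag = req.get(el.get("Category"), {}).get(el.get("AttributeId"), [])
        return [int(v) for v in bag] if el.get("DataType") == XS_INT else list(bag)
    return FUNCTIONS[el.get("FunctionId")](*[eval_expr(c, req) for c in el])  # Apply

def target_matches(target, req):
    """Target = AND of AnyOf; AnyOf = OR of AllOf; AllOf = AND of Match (any bag value)."""
    def match_ok(m):
        value, bag = (eval_expr(c, req) for c in m)
        return any(FUNCTIONS[m.get("MatchId")](value, v) for v in bag)
    return target is None or all(any(all(match_ok(m) for m in allof) for allof in anyof)
                                 for anyof in target)

def evaluate(policy, req):
    """PDP step: rule outcomes combined by a simplified deny-overrides."""
    if not target_matches(policy.find(q("Target")), req):
        return "NotApplicable", []
    outcomes = []
    for rule in policy.findall(q("Rule")):
        try:
            cond = rule.find(q("Condition"))
            if target_matches(rule.find(q("Target")), req) and (
                    cond is None or eval_expr(cond[0], req) is True):
                effect = rule.get("Effect")
                outcomes.append((effect, [o.get("ObligationId") for o in rule.iter(q("ObligationExpression"))
                                          if o.get("FulfillOn") == effect]))
        except (KeyError, ValueError):
            outcomes.append(("Indeterminate", []))  # an evaluation error is never a silent skip
    return next((o for wanted in ("Deny", "Indeterminate", "Permit")  # deny wins, then errors
                 for o in outcomes if o[0] == wanted), ("NotApplicable", []))

def request(role, head_of, lab, action, hour=None):
    """Request context as a PEP would assemble it (constructed sample attributes)."""
    env = {"urn:example:environment:hour": [str(hour)]} if hour is not None else {}
    return {SUBJECT: {"urn:example:subject:role": [role], "urn:example:subject:head-of": [head_of]},
            RESOURCE: {"urn:example:resource:lab": [lab]}, ACTION: {ACTION_ID: [action]}, ENV: env}
```

Two details matter for the PEPaaS side of the workflow. NotApplicable and Indeterminate are not Deny, so the PEP must be deny-biased and release the resource only on an exact Permit; and a Permit that carries an obligation (here the audit-log obligation) must be treated as Deny if the PEP cannot discharge it. The policy element tree serializes with ET.tostring and reloads with ET.fromstring, which is the round trip through the Policy Repository.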

Technologies

MVC based Architecture
– View: .xhtml pages
– Controller: Managed Beans and DAO classes
– Model: Entity classes

Implementation Demo

Conclusion
Deliverables for this quarter:
– Version 1.0* will be uploaded to sourceforge.net.
– Report 3: "Unit Testing of ABAC model".
– Initialization of cloud instances in the AIS lab.

Q & A