Extensible Access Control Framework for Cloud Applications: Implementation Perspective
KTH-SEECS Applied Information Security Lab, SEECS NUST
Agenda
Motivation
Background
– XACML
– Access control models
Our Contribution
– Research Perspective
– Implementation Perspective
Work in Progress
– Implementation Demo
Q & A Session
Motivation: Security as a Service (SECaaS)
Security functions offered to Cloud Service Consumers as services:
– Access control aaS
– Identity aaS
– Network Security aaS
– Encryption aaS
– Data protection aaS
Extensible Access Control Framework for Cloud Applications
– Framework: the essential supporting structure of a system
– Access Control: restricting unauthorized access to the resources under consideration
– Extensible: the ability to extend the system by adding new functionality
What are we providing? An extensible access control framework.
Access Control Models
Is there a holistic solution for deploying these models? Is there any standard set for their implementation?
What do we need?
– Externalized
– Policy based
– Standardized
– Attribute based
– Fine grained
– Dynamic
XACML
XACML stands for eXtensible Access Control Markup Language, a standard ratified by the standards organization OASIS.
Existing Solutions
– Enhancements in XACML 3.0: ABAC implementation (proprietary)
– Picket-Link: XACML implementation (open-source)
– XACML PEP in Java: XACML implementation (open-source)
– Extensible Access Control Framework for Cloud Applications: our solution
Why do we need three ACMs?
– Identities
– Roles
– Resources
RBAC Issues
– Challenges appear when RBAC is extended across domains
– Does not consider environment attributes
– Not well suited to a highly distributed environment
– Adding or deleting the duties of a role involves updating too many policy stores
Attribute based Access Control (ABAC)
Example subject attributes: Professor; Software; Teaches (CSP 401); Office (238); Head (SEC lab)
Fine Grained Access Control (FGAC)
Usage based Access Control (UCON)
– Pre-usage decisions
– Post-usage decisions
– On-going usage decisions
Contribution: Research and Development
Research Contribution
– XACML Profile for Attribute based Access Control
– XACML Profile for Fine Grained Access Control
– XACML Profile for UCON Access Control
XACML Profile
The standard set of OASIS eXtensible Access Control Markup Language (XACML) specifications for implementing an [xyz] access control model is known as the XACML profile for xyz access control.
Development Perspective
Architecture & Workflow
Components: PAPaaS, PDPaaS, PEPaaS, Policy Repository, Attribute Repository, Resources, 3rd Party Resources, Application User, System Administrator
Administrator workflow (register user, exchange meta-data, resources):
a) Authenticate admin
b) After authentication, redirect browser to PAPaaS
c) Store / d) Retrieve (Attribute Repository)
e) Store XACML policies (Policy Repository)
User workflow:
1. Authentication
2a. Access application resource
2b. Redirect to PEPaaS
3. Forward XACML request
4a. Find policy / 4b. Applicable policy (Policy Repository)
5. Evaluate
6. Return XACML request to PEPaaS; access granted
PAP Components
System Learning: 1. Subject, 2. Resource, 3. Action, 4. Environment
Policy Creation: 1. Condition, 2. Target, 3. Rule, 4. Obligation, 5. Policy, 6. Policy Set
XACML Generation: 1. XACML Policy generation, 2. XACML PolicySet generation
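As an added example (not the framework's own code), a minimal Python sketch of the PAP's XACML generation step above and of the PDPaaS "evaluate" step from the workflow: attribute triples taken from the ABAC slide are emitted as an XACML 3.0 Policy, and a request is decided against it with first-applicable rule combining. The attribute ids role and teaches, the resource and action values, and the rule ids are constructed for this sample.

```python
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
RES_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACT_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
q = lambda tag: f"{{{XACML}}}{tag}"  # Clark-notation tag name in the XACML 3.0 namespace

def build_policy(policy_id, rules):
    """PAP step. rules = [(rule_id, effect, [(category, attribute_id, value), ...])];
    each attribute triple becomes one <Match> and a rule's matches form one <AllOf>."""
    ET.register_namespace("", XACML)  # serialise with XACML as the default namespace
    policy = ET.Element(q("Policy"), PolicyId=policy_id, Version="1.0",
                        RuleCombiningAlgId=FIRST_APPLICABLE)
    ET.SubElement(policy, q("Target"))  # empty Target: the policy applies to every request
    for rule_id, effect, matches in rules:
        rule = ET.SubElement(policy, q("Rule"), RuleId=rule_id, Effect=effect)
        any_of = ET.SubElement(ET.SubElement(rule, q("Target")), q("AnyOf"))
        all_of = ET.SubElement(any_of, q("AllOf"))
        for category, attr_id, value in matches:
            m = ET.SubElement(all_of, q("Match"), MatchId=STRING_EQUAL)
            ET.SubElement(m, q("AttributeValue"), DataType=STRING).text = value
            ET.SubElement(m, q("AttributeDesignator"), Category=category,
                          AttributeId=attr_id, DataType=STRING, MustBePresent="false")
    return ET.tostring(policy, encoding="unicode")

def evaluate(policy_xml, request):
    """PDP step (first-applicable): request maps (category, attribute_id) -> set of values."""
    root = ET.fromstring(policy_xml)
    for rule in root.iterfind(q("Rule")):
        for all_of in rule.iterfind(f"{q('Target')}/{q('AnyOf')}/{q('AllOf')}"):
            # an AllOf holds when every Match literal is among the request's attribute values
            if all(m.find(q("AttributeValue")).text in request.get(
                       (m.find(q("AttributeDesignator")).get("Category"),
                        m.find(q("AttributeDesignator")).get("AttributeId")), set())
                   for m in all_of.iterfind(q("Match"))):
                return rule.get("Effect")  # the first matching rule decides
    return "NotApplicable"

# Constructed sample from the ABAC slide's attributes: the professor who teaches CSP 401
# may edit that course's grade book; anyone else touching the grade book is denied.
POLICY = build_policy("csp401-gradebook", [
    ("permit-teacher", "Permit", [(SUBJECT, "role", "Professor"), (SUBJECT, "teaches", "CSP 401"),
                                  (RESOURCE, RES_ID, "CSP401-gradebook"), (ACTION, ACT_ID, "edit")]),
    ("deny-others", "Deny", [(RESOURCE, RES_ID, "CSP401-gradebook")]),
])
```

The generated document carries the Policy, Target, Rule, AnyOf/AllOf and Match elements that the PAP's Policy Creation stage lists, which a real PDPaaS such as the ones in the existing-solutions slide would consume unchanged.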
Technologies
MVC based Architecture
– View: .xhtml pages
– Controller: DAO classes and managed beans
– Model: entity classes
Implementation Demo
Conclusion
Deliverables for this Quarter
– Version 1.0* will be uploaded on sourceforge.net.
– Report 3: “Unit Testing of ABAC model”.
– Initialization of Cloud Instances in AIS lab.
Q & A