Presentation is loading. Please wait.

Presentation is loading. Please wait.

Adopting Provenance-based Access Control in OpenStack Cloud IaaS October, 2014 NSS Presentation Institute for Cyber Security University of Texas at San.

Published byBraeden Widmer Modified over 10 years ago

Similar presentations

Presentation on theme: "Adopting Provenance-based Access Control in OpenStack Cloud IaaS October, 2014 NSS Presentation Institute for Cyber Security University of Texas at San."— Presentation transcript:

1 Adopting Provenance-based Access Control in OpenStack Cloud IaaS October, 2014 NSS Presentation Institute for Cyber Security University of Texas at San Antonio 1 Institute for Cyber Security World-leading research with real-world impact!

2 Cloud Computing Cloud computing has been the “next big thing.” Has 3 primary service models: – Software-as-a-Service (SaaS) – Platform-as-a-Service (PaaS) – Infrastructure-as-a-Service (IaaS) We focus on PBAC for IaaS – Specifically, multi-tenant single-cloud systems. – OpenStack Nova / Glance. World-leading research with real-world impact! 2

3 Access Control Aspects DSOD concerns for virtual resources management and protection – Ex: Only virtual images up-loaders are allowed to delete. Multi-tenant concerns – A virtual image may be created in one tenant, copied to another tenant and modified, and used to launch a virtual machine instance in another. World-leading research with real-world impact! 3

4 Background: what is provenance? Art definition of provenance – Essential in judging authenticity and evaluating worth. Data provenance in computing systems – Is different from log data. – Contains linkage of information pieces. – Is utilized in different computing areas. World-leading research with real-world impact! 4

5 Provenance Data Model [inspired by OPM] 5 World-leading research with real-world impact! 4 Node Types – Object (Artifact) – Action (Process) – Subject (Agent) – Attribute 3 Causality dependency edge Types (not a dataflow) and Attribute Edge Base PDM Contextual Extension Action (process) Object (artifact) Subject (agent) Object (artifact) c g(type) u(type) Attribute t(type) cwasControlledBy uused gwasGeneratedBy Dep. edge Attrb. edge thasAttribute Inverse edges are enabled for usage in queries, but cycle- avoidant.

6 Dependency List Dependency List (DL): A set of identified dependencies that consists of pairs of – Dependency Name: abstracted dependency names (DNAME) and – regular expression-based dependency path pattern (DPATH) 6 World-leading research with real-world impact! Examples –

7 PBAC Models PBAC B : utilizes base data model – Does not capture contextual information PBAC C : extending the base model – Incorporate contextual information associated with the main entities (Subjects, etc.) – Extend base data model with attributes World-leading research with real-world impact! 7

8 Tenant-aware PBAC World-leading research with real-world impact! 8 Tenants as contextual information.

9 Architecture Overview World-leading research with real-world impact! 9 (PS)(PBAS)

10 Deployment Architecture Variations: Integrated Deployment Stand-alone Deployment Hybrid Deployment Design pros & cons: Ease of integration - Communication latency - Provenance data sharing - World-leading research with real-world impact! 10

11 Logical Architecture World-leading research with real-world impact! 11 PROV-SERVICE Dataflow PROVAUTHZ-SERVICE Dataflow

12 OpenStack Conceptual Architecture World-leading research with real-world impact! 12

13 OpenStack Authorization World-leading research with real-world impact! 13 PBAS ?

14 Nova PBAS Implementation World-leading research with real-world impact! 14

15 Experiments Measure the time an authorization process takes from the time of request until decision is returned. – nova list – glance image-list 4 experimental configurations: – E1: normal Nova and Glance authorization. – E2: integrated PBAS/PS services with Nova and Glance. – E3: integrated PBAS/PS service, stand-alone from Nova and Glance. – E4: separate PBAS and PS services, stand-alone from Nova and Glance. Deployment Configurations: – 4GB RAM, 2.5 GHz quad-core CPU. – OpenStack Devstack (Grizzly) on 12.04 Ubuntu. Mainly test deep-shaped provenance graphs. – Generate mock data for virtual images and machines scenario. World-leading research with real-world impact! 15

16 Results and Evaluation Traversal Distance Glance (e1)Glance (e2)Glance (e3)Glance (e4) No PBAC0.55--- 20 Edges-0.5750.607.642 1000 edges-.612.788.852 World-leading research with real-world impact! 16 Traversal Distance Nova (e1)Nova (e2)Nova (e3)Nova (e4) No PBAC0.75--- 20 Edges-0.840.9021.062 1000 edges-2.292.3624.102

17 Future Work and Directions  Expanding provenance data model to include user-declared provenance data.  Collaborated PBAC usage – Multi-cloud. – Distributed systems.  Full-cycle implementation and evaluation – including provenance capturing service. World-leading research with real-world impact! 17

18 Thank you!!! Questions and Comments? 18 World-leading research with real-world impact!

19 PBAC B Components 19 World-leading research with real-world impact! Subjects Actions Objects Access Evaluation Policies Dependency Lists Dependency Lists Base Provenance Data Request(s,a,o) Action on O access decision activities utilized by User authorizationAction validation

20 PBAC C Components World-leading research with real-world impact! 20 Subjects Actions Objects Access Evaluation Policies Dependency Lists Dependency Lists Base Provenance Data Contextual Info. Attribute Provenance Data Attribute Provenance Data Assoc. with Captured as

Download ppt "Adopting Provenance-based Access Control in OpenStack Cloud IaaS October, 2014 NSS Presentation Institute for Cyber Security University of Texas at San."

Similar presentations

INSTITUTE FOR CYBER SECURITY 1 Application-Centric Security: How to Get There Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.

INSTITUTE FOR CYBER SECURITY 1 Application-Centric Security: How to Get There Prof. Ravi Sandhu Executive Director and Endowed Chair Institute for Cyber.
Towards Secure Information Sharing Models for Community Cyber Security Ravi Sandhu, Ram Krishnan and Gregory B. White Institute for Cyber Security University.

Towards Secure Information Sharing Models for Community Cyber Security Ravi Sandhu, Ram Krishnan and Gregory B. White Institute for Cyber Security University.
Institute for Cyber Security

Institute for Cyber Security
Provenance-Aware Storage Systems Margo Seltzer April 29, 2005.

Provenance-Aware Storage Systems Margo Seltzer April 29, 2005.
Vasinee Siripoonya Kasidit Chanchio

Vasinee Siripoonya Kasidit Chanchio
SLA-Oriented Resource Provisioning for Cloud Computing

SLA-Oriented Resource Provisioning for Cloud Computing
PROVENANCE FOR THE CLOUD (USENIX CONFERENCE ON FILE AND STORAGE TECHNOLOGIES(FAST `10)) Kiran-Kumar Muniswamy-Reddy, Peter Macko, and Margo Seltzer Harvard.

PROVENANCE FOR THE CLOUD (USENIX CONFERENCE ON FILE AND STORAGE TECHNOLOGIES(FAST `10)) Kiran-Kumar Muniswamy-Reddy, Peter Macko, and Margo Seltzer Harvard.
A Provenance-based Access Control Model for Dynamic Separation of Duties July 10, 2013 PST 2013 Dang Nguyen, Jaehong Park, and Ravi Sandhu Institute for.

A Provenance-based Access Control Model for Dynamic Separation of Duties July 10, 2013 PST 2013 Dang Nguyen, Jaehong Park, and Ravi Sandhu Institute for.
A Provenance-based Access Control Model (PBAC) July 18, 2012 PST’12, Paris, France Jaehong Park, Dang Nguyen and Ravi Sandhu Institute for Cyber Security.

A Provenance-based Access Control Model (PBAC) July 18, 2012 PST’12, Paris, France Jaehong Park, Dang Nguyen and Ravi Sandhu Institute for Cyber Security.
11 World-Leading Research with Real-World Impact! Integrated Provenance Data for Access Control in Group-centric Collaboration Dang Nguyen, Jaehong Park.

11 World-Leading Research with Real-World Impact! Integrated Provenance Data for Access Control in Group-centric Collaboration Dang Nguyen, Jaehong Park.
Security Prospects through Cloud Computing by Adopting Multiple Clouds Meiko Jensen, Jorg Schwenk Jens-Matthias Bohli, Nils Gruschka Luigi Lo Iacono Presented.

Security Prospects through Cloud Computing by Adopting Multiple Clouds Meiko Jensen, Jorg Schwenk Jens-Matthias Bohli, Nils Gruschka Luigi Lo Iacono Presented.
Provenance-based Access Control Models July 31, 2014 Dissertation Defense Dang Nguyen Institute for Cyber Security University of Texas at San Antonio 1.

Provenance-based Access Control Models July 31, 2014 Dissertation Defense Dang Nguyen Institute for Cyber Security University of Texas at San Antonio 1.
1 Security on OpenStack 11/7/2013 Brian Chong – Global Technology Strategist.

1 Security on OpenStack 11/7/2013 Brian Chong – Global Technology Strategist.
An Application-led Approach for Security-related Research in Ubicomp Philip Robinson TecO, Karlsruhe University 11 May 2005.

An Application-led Approach for Security-related Research in Ubicomp Philip Robinson TecO, Karlsruhe University 11 May 2005.
Cloud Usability Framework

Cloud Usability Framework
11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.

11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.
Secure Information and Resource Sharing in CloudSecure Information and Resource Sharing in Cloud References OSAC-SID Model [1]K. Harrison and G. White.

Secure Information and Resource Sharing in CloudSecure Information and Resource Sharing in Cloud References OSAC-SID Model [1]K. Harrison and G. White.
Plan Introduction What is Cloud Computing?

Plan Introduction What is Cloud Computing?
11 World-Leading Research with Real-World Impact! A Formal Model for Isolation Management in Cloud Infrastructure-as-a-Service Khalid Zaman Bijon, Ram.

11 World-Leading Research with Real-World Impact! A Formal Model for Isolation Management in Cloud Infrastructure-as-a-Service Khalid Zaman Bijon, Ram.
NIST Information Technology Laboratory Cloud Computing Program NIST Cloud Computing Program Current Activities Robert Bohn OASIS – International Cloud.

NIST Information Technology Laboratory Cloud Computing Program NIST Cloud Computing Program Current Activities Robert Bohn OASIS – International Cloud.

Similar presentations

Ads by Google