
Extending OpenStack Access Control with Domain Trust (Institute for Cyber Security; Bo Tang and Ravi Sandhu)


Slide 1: Extending OpenStack Access Control with Domain Trust
Institute for Cyber Security, World-Leading Research with Real-World Impact!
Bo Tang and Ravi Sandhu, NSS 2014. © Bo Tang

Slide 2: The Cloud (figure only)

Slide 3: Moving to the Cloud
- Driving force:
  - Anytime, anywhere (centralized infrastructure)
  - [$$$] -----> [$|$|$] (shared resources)
  - Pay-as-you-go (on-demand services)
  - Scalable and flexible
- Resistance:
  - Security & privacy
    - Data governance
    - Access control
  - Other problems
    - Data lock-in
    - Lack of standard APIs

Slide 4: What is OpenStack?
- Open source cloud platform
  - 12,000 individual members
  - 260 supporting organizations
  - 130 countries
- Havana release
  - Nov. 2013, Hong Kong Summit
  - Keystone (IAM)
    - Identity API v3
    - Introduction of the Domain concept
Source: http://www.openstack.org/software/havana/press-release

Slide 5: Multi-Tenancy
- Multi-tenancy
  - From the Cloud Service Provider (CSP) perspective, a tenant is
    - A billing customer, isolated from other tenants
    - An entity that manages its own users and cloud resources
  - The owner of a tenant can be an individual, an organization, a department in an organization, etc.
- Domain in OpenStack
  - Each domain manages its own users and projects

Slide 6: Motivation (figure only)

Slide 7: Existing Approaches
- Trust
  - Active Directory Federation Service (AD FS)
    - Multiple types of federation trust among domains
  - Cross-account trust in AWS
    - Unilateral trust with another account or external credentials
  - Trust in OpenStack
    - User-to-user delegation via roles

Slide 8: Scope and Assumptions
- Standardized APIs
  - Cross-tenant accesses are functionally available
- Properly authenticated users
- One cloud service
  - Of one kind: IaaS, PaaS or SaaS
- Multi-tenancy collaboration on a single cloud

Slide 9: Core OSAC (model figure only)

Slide 10: Definitions of OSAC
- Roles
  - Globally available
  - Not owned by domains or projects
- Tokens
  - Credentials issued to authenticated users
  - Expire, similar to the session concept in RBAC
- Services
  - Examples: Nova, Glance, Neutron
  - Different services have different policies based on the role-permission assignments

Slide 11: Administration (AOSAC)
Administrative hierarchy (figure): Cloud Admin > Domain A Admin > Project A1 Admin, Project A2 Admin; Cloud Admin > Domain B Admin > Project B1 Admin, Project B2 Admin.
Source: https://wiki.openstack.org/wiki/Domains
Keystone policy rules shown on the slide:
rule:add_user_to_project -> (role:keystone_admin || (role:project_admin && project_id:%(target_project_id)s) || (domain_role:domain_admin && domain_id:%(target_domain_id)s))
rule:add_project_to_domain -> (role:keystone_admin || (domain_role:domain_admin && domain_id:%(target_domain_id)s))
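The two rules above are written in Keystone's policy syntax. As an added illustration (not Keystone's own policy engine, which is oslo.policy), the following is a small evaluator for exactly this rule subset, run against constructed credential and target dictionaries; the role, project and domain names in the tests are hypothetical.

```python
import re
# The two rules shown on the AOSAC slide (Keystone policy syntax), without the "rule:" prefix.
RULES = {
    "add_user_to_project": "(role:keystone_admin || (role:project_admin && "
        "project_id:%(target_project_id)s) || (domain_role:domain_admin && "
        "domain_id:%(target_domain_id)s))",
    "add_project_to_domain": "(role:keystone_admin || (domain_role:domain_admin && "
        "domain_id:%(target_domain_id)s))",
}
# Tokens: parentheses, || and &&, and key:value atoms (value may be a %(target_attr)s reference).
TOKEN = re.compile(r"\(|\)|\|\||&&|[a-z_]+:(?:%\(\w+\)s|[^\s()]+)")

def check_atom(tok, creds, target):
    # role:X / domain_role:X test the caller's roles; any other key compares a
    # credential attribute with a literal or with the named attribute of the target.
    key, _, value = tok.partition(":")
    if key == "role":
        return value in creds.get("roles", ())
    if key == "domain_role":
        return value in creds.get("domain_roles", ())
    ref = re.fullmatch(r"%\((\w+)\)s", value)
    expected = target.get(ref.group(1)) if ref else value
    return expected is not None and creds.get(key) == expected

def evaluate(rule, creds, target):
    # Recursive descent: or_expr := and_expr (|| and_expr)*, and_expr := atom (&& atom)*,
    # atom := key:value | ( or_expr ). Operands are always evaluated so every token is consumed.
    tokens, pos = TOKEN.findall(rule), 0
    def atom():
        nonlocal pos
        tok = tokens[pos]; pos += 1
        if tok != "(":
            return check_atom(tok, creds, target)
        val = or_expr()
        if pos >= len(tokens) or tokens[pos] != ")": raise ValueError("unbalanced parentheses")
        pos += 1
        return val
    def and_expr():
        nonlocal pos
        val = atom()
        while pos < len(tokens) and tokens[pos] == "&&":
            pos += 1; val = atom() and val
        return val
    def or_expr():
        nonlocal pos
        val = and_expr()
        while pos < len(tokens) and tokens[pos] == "||":
            pos += 1; val = and_expr() or val
        return val
    result = or_expr()
    if pos != len(tokens): raise ValueError("unexpected trailing tokens")
    return result
```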

Slide 12: Domain-Level Collaboration
- Basic scenario
  - User u1 from domain d1
  - Project p2 from domain d2
- Cross-domain actions
  - Administrative: assign u1 to roles in p2
  - Operational: allow u1 to access p2 with the assigned roles
- Requires a proper trust relation between d1 and d2

Slide 13: Trust Framework (figure only)

Slide 14: Domain Trust (figure only)

Slide 15: Trust Types
- Two-party, unilateral, unidirectional, non-transitive
- Type-α: requires visibility of the trustee's user information, so that the trustor can assign the trustee's users to roles in the trustor's projects; written as "⊴α".
- Type-β: requires the trustor to expose its user information, so that the trustee can assign the trustor's users to roles in the trustee's projects; written as "⊴β".
- Type-γ: requires the trustor to expose its project information, so that the trustee can assign the trustee's users to roles in the trustor's projects; written as "⊴γ".

Slide 16: OSAC-DT (model figure only)

Slide 17: Constraints & Administration
- Constraints
  - Separation of Duties (SoD): mutually exclusive domain list
  - Minimum exposure: limit exposure of projects and users to other domains
  - Cardinality: limit the number of domains to be trusted
- Domain trust administration
  - The trustor manages the trust relation and its constraints
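As an added example (not the authors' Keystone extension), the following models the three trust types from slide 15 together with the SoD and cardinality constraints from slide 17 as a single check on cross-domain role assignment in the d1/d2 scenario of slide 12; it encodes each type as who may assign whose users to whose projects, and deliberately honours only direct relations (unidirectional, non-transitive). Domain names, the exclusion list and the trustee limit are constructed; the minimum-exposure constraint is not modeled.

```python
from dataclasses import dataclass, field
from enum import Enum

class TrustType(Enum):
    ALPHA = "alpha"  # trustor assigns trustee's users to roles in trustor's projects
    BETA = "beta"    # trustee assigns trustor's users to roles in trustee's projects
    GAMMA = "gamma"  # trustee assigns trustee's users to roles in trustor's projects

@dataclass(frozen=True)
class DomainTrust:
    trustor: str   # domain that establishes the relation (unilateral)
    trustee: str   # domain being trusted
    ttype: TrustType

# For each type: which (assigning domain, user's domain, project's domain) triple it permits.
PATTERN = {
    TrustType.ALPHA: lambda t: (t.trustor, t.trustee, t.trustor),
    TrustType.BETA:  lambda t: (t.trustee, t.trustor, t.trustee),
    TrustType.GAMMA: lambda t: (t.trustee, t.trustee, t.trustor),
}

@dataclass
class TrustRegistry:
    trusts: set = field(default_factory=set)
    # SoD constraint (constructed data): trustor -> domains it must never trust
    mutually_exclusive: dict = field(default_factory=dict)
    # Cardinality constraint: maximum number of distinct trustees per trustor
    max_trustees: int = 2

    def add_trust(self, trustor, trustee, ttype):
        # Trustor-side administration: constraints are enforced when the relation is created.
        if trustee in self.mutually_exclusive.get(trustor, set()):
            raise ValueError("SoD: %s may not trust %s" % (trustor, trustee))
        current = {t.trustee for t in self.trusts if t.trustor == trustor}
        if trustee not in current and len(current) >= self.max_trustees:
            raise ValueError("cardinality: %s already trusts %d domains" % (trustor, len(current)))
        self.trusts.add(DomainTrust(trustor, trustee, ttype))

    def allows_assignment(self, assigner_domain, user_domain, project_domain):
        # True if an admin of assigner_domain may assign a user of user_domain to a role
        # in a project of project_domain. Only a direct relation counts: a trust chain
        # d3 -> d2 -> d1 gives d1 nothing in d3 (non-transitive), and the reverse
        # direction of a relation is not implied (unidirectional).
        if assigner_domain == user_domain == project_domain:
            return True  # ordinary intra-domain assignment, no trust needed
        wanted = (assigner_domain, user_domain, project_domain)
        return any(PATTERN[t.ttype](t) == wanted for t in self.trusts)
```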

Slide 18: Implementation
- Type-γ trust
  - Trustee manages cross-domain assignments
  - Implemented as an extension module in Keystone
- Experiment environment
  - 1 unit = 1 CPU / 1 GB
  - VMs with 1, 2, 4, 8 units of capacity
  - DevStack deployed in a cloud environment
  - Stand-alone Keystone service
  - Tested with REST API calls through curl commands

Slide 19: Prototype & Evaluation
- Sequential request handling (queuing)
- Domain trust introduces 0.7% authorization overhead
- Scalability changes little with domain trust
(Figures: Performance, Scalability)

Slide 20: Related Work
- RBAC extensions: centralized authority is usually required
  - ROBAC: collaboration not supported
  - GB-RBAC: group does not own users
- Role-based delegation models: delegation chain lacks support for agile entities
- Multi-domain interoperation: role mapping requires PA to be domain-specific
- Multi-tenant access control models: MTAS, MT-RBAC, CTTM

Slide 21: Conclusion & Future Work
- Formalized OSAC model
  - Administrative model (AOSAC)
- Trust framework & trust types
- Formalized OSAC-DT model
  - Administrative model (AOSAC-DT) & constraints
- Implementation & experiments in OpenStack
  - Acceptable performance & scalability change
- Future work
  - Hierarchical multi-tenancy model
  - Attribute-based models
  - Implementation in future OpenStack

Slide 22: Acknowledgements
- Dolph Mathews, PTL of Keystone
- Farhan Patwa, Director of ICS
- Jaehong Park, Research Associate Professor in ICS

Slide 23: Institute for Cyber Security (closing slide)

Slide 24: Institute for Cyber Security (closing slide)

