Extensible Access Control Framework for Cloud Applications KTH-SEECS Applied Information Security Lab SEECS NUST Implementation Perspective.

1 Extensible Access Control Framework for Cloud Applications KTH-SEECS Applied Information Security Lab SEECS NUST Implementation Perspective

2 Agenda
Motivation
Background
  – XACML
  – Access control models
Our Contribution
  – Research Perspective
  – Implementation Perspective
Work in Progress
  – Implementation Demo
Q & A Session

3 Motivation
SECaaS
  – Email Security aaS
  – Access control aaS
  – Identity aaS
  – Network Security aaS
  – Encryption aaS
  – Data protection aaS
Cloud Service Consumers

4 Extensible Access Control Framework for Cloud Applications
Framework: Essential supporting structure of a system
Access Control: Restrict illegal access to the resources under consideration
Extensible: Ability to extend the system through the addition of new functionality

5 What are we providing?
Access Control
Framework
Extensible

6 Access Control Models

7 Is there a holistic solution for deployment of these models? Is there any standard set for implementation?

8 What do we need?
  – Externalized
  – Policy Based
  – Standardized
  – Attribute Based
  – Fine grained
  – Dynamic

9

10 XACML
XACML stands for eXtensible Access Control Markup Language
A standard ratified by a standards organization

11 Existing Solutions Enhancements in XACML 3.0 ABAC Implementation (Proprietary) Picket-Link XACML Implementation (Open-source) XACML PEP in JAVA XACML Implementation (Open-source) Extensible Access Control Framework for Cloud Applications Our Solution

12 Why do we need 3 ACMs?
Identities
Roles
Resources

13 RBAC Issues
  – Challenges appear when extended across the domain
  – Doesn’t consider environment attributes
  – Not well suited for a highly distributed environment
  – Adding or deleting the duties of a role involves updating too many policy stores

14 Attribute based Access Control (ABAC) Professor Software Teaches (CSP 401) Office (238) Head (SEC lab)

15 Fine Grained Access Control (FGAC)

16 Usage based Access Control (UCON)
  – Pre Usage Decisions
  – On-Going Usage Decisions
  – Post Usage Decisions

17 Contribution
Research
Development

18 Research Contribution
  – XACML Profile for Attribute based Access Control
  – XACML Profile for Fine Grained Access Control
  – XACML Profile for UCON Access Control

19 XACML Profile The standard set of OASIS eXtensible Access Control Markup Language (XACML) specifications for implementation of an [xyz] access control is known as the XACML profile for xyz access control.

20 Development Perspective

21 Architecture & Workflow
Components: PDPaaS, PEPaaS, PAPaaS, Policy Repository, Attribute Repository, Resources, 3rd Party Resources, Application, User, System Administrator
Other labels: Register User, Exchange Meta-data
User steps:
1. Authentication
2a. Access Application Resource
2b. Redirect to PEPaaS
3. Forward XACML Request
4a. Find Policy
4b. Applicable Policy
5. Evaluate
6. Return XACML Request to PEPaaS
6. Access Granted
System Administrator steps:
a) Authenticate Admin
b) After authentication redirect browser to PAPaaS
c) Store
d) Retrieve
e) Store XACML Policies

22 Workflow
Components: PDPaaS, PEPaaS, PAPaaS, Policy Repository, Attribute Repository, Resources, 3rd Party Resources, Application, User, System Administrator
Other labels: Register User, Exchange Meta-data
User steps:
1. Authentication
2a. Access Application Resource
2b. Redirect to PEPaaS
3. Forward XACML Request
4a. Find Policy
4b. Applicable Policy
5. Evaluate
6. Return XACML Request to
6. Access Granted
System Administrator steps:
a) Authenticate Admin
b) After authen Redirect browser to PAPaaS
c) Store
d) Retrieve
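Steps 3 to 6 of the workflow above, as an added Python sketch that is not the framework's own code. The policy structure, function names and sample policy are constructed for illustration (attribute values borrowed from the ABAC slide), combining is simplified to deny-overrides, and the PEP is assumed to be deny-biased: anything other than an explicit Permit is refused.

```python
# Added illustration; all names and sample values are constructed, not from the project.
from dataclasses import dataclass
from typing import Callable

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"

@dataclass
class Policy:
    target: dict            # attribute values the request must match (step 4a)
    condition: Callable     # predicate over the whole request (step 5)
    effect: str = PERMIT

# Stand-in for the Policy Repository (hypothetical single ABAC policy).
POLICY_REPOSITORY = [
    Policy(target={"resource": "CSP 401 grades", "action": "write"},
           condition=lambda r: r["subject"].get("role") == "Professor"
           and "CSP 401" in r["subject"].get("teaches", [])),
]

def pdp_evaluate(request: dict) -> str:
    """Steps 4a-5: select policies whose target matches, then evaluate them."""
    applicable = [p for p in POLICY_REPOSITORY
                  if all(request.get(k) == v for k, v in p.target.items())]
    decision = NOT_APPLICABLE
    for policy in applicable:
        try:
            matched = policy.condition(request)
        except Exception:
            return INDETERMINATE   # missing or malformed attribute value
        if matched and policy.effect == DENY:
            return DENY            # simplified deny-overrides combining
        if matched:
            decision = PERMIT
    return decision

def pep_enforce(subject: dict, resource: str, action: str) -> bool:
    """Steps 3 and 6: forward the request; grant only on an explicit Permit."""
    request = {"subject": subject, "resource": resource, "action": action}
    return pdp_evaluate(request) == PERMIT
```

NotApplicable and Indeterminate are both treated as a refusal at the PEP, so a policy gap or a broken attribute lookup fails closed instead of open.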

23 PAP Components
Components: System Learning, Policy Creation, XACML Generation
1. Subject 2. Resource 3. Action 4. Environment
1. XACML Policy Generation 2. XACML PolicySet Generation
1. Condition 2. Target 3. Rule 4. Obligation 5. Policy 6. Policy Set

24 Technologies

25 MVC based Architecture
View: .xhtml
Controller: DAO Classes
Controller: Managed Beans
Model: Entity Classes

26 Implementation Demo

27 Conclusion
Deliverables for this Quarter
  – Version 1.0* will be uploaded on sourcefourge.net.
  – Report 3: “Unit Testing of ABAC model”.
  – Initialization of Cloud Instances in AIS lab.

28 Q & A

