Presentation is loading. Please wait.

Presentation is loading. Please wait.

Institute for Cyber Security Multi-Tenancy Authorization Models for Collaborative Cloud Services Bo Tang, Ravi Sandhu, and Qi Li Presented by Bo Tang ©

Published byGwen Lamb Modified over 8 years ago

Similar presentations

Presentation on theme: "Institute for Cyber Security Multi-Tenancy Authorization Models for Collaborative Cloud Services Bo Tang, Ravi Sandhu, and Qi Li Presented by Bo Tang ©"— Presentation transcript:

1 Institute for Cyber Security Multi-Tenancy Authorization Models for Collaborative Cloud Services Bo Tang, Ravi Sandhu, and Qi Li Presented by Bo Tang © ICS at UTSA World-Leading Research with Real-World Impact! 1

2 OUTLINE  Introduction  Background & Motivation  Formalized Models  MTAS  AMTAS  Enhanced Trust Models  Policy Specification  Conclusion and Future Work © ICS at UTSA World-Leading Research with Real-World Impact! 2

3 OUTLINE  Introduction  Background & Motivation  Formalized Models  MTAS  AMTAS  Enhanced Trust Models  Policy Specification  Conclusion and Future Work © ICS at UTSA World-Leading Research with Real-World Impact! 3

4 Cloud Computing  Shared infrastructure  [$$$] -----> [$|$|$]  Multi-Tenancy  Virtually dedicated resources  Drawbacks:  Data Locked-in o Collaborations can only be achieved through desktop. o E.g.: open Dropbox files with GoogleDoc.  How to collaborate? © ICS at UTSA World-Leading Research with Real-World Impact! 4 Source:http://blog.box.com/2011/06/box-and-google-docs-accelerating-the-cloud-workforce/

5 Collaborative Access Control  Centralized Facility  Chance for centralized models in distributed systems  Agility  Collaboration and collaborators are temporary  Homogeneity  Handful of popular brands  Out-Sourcing Trust  Built-in collaboration spirit © ICS at UTSA World-Leading Research with Real-World Impact! 5

6 Industry Solutions  Microsoft and IBM: Fine-grained data sharing in SaaS using DB schema  Only feasible in DB  NASA: RBAC + OpenStack  Lacks ability to support collaborations  Salesforce (Force.com): SSO + SAML  Focus on authentication  Heavy management of certificates © ICS at UTSA World-Leading Research with Real-World Impact! 6 Source:http://msdn.microsoft.com/en-us/library/aa479086.aspx http://nebula.nasa.gov/blog/2010/06/03/nebulas-implementation-role-based-access-control-rbac/ http://wiki.developerforce.com/page/Single_Sign-On_with_SAML_on_Force.com

7 OUTLINE  Introduction  Background & Motivation  Formalized Models  MTAS  AMTAS  Enhanced Trust Models  Policy Specification  Conclusion and Future Work © ICS at UTSA World-Leading Research with Real-World Impact! 7

8 Example © ICS at UTSA World-Leading Research with Real-World Impact! 8

9 Literature  RBAC  CBAC, GB-RBAC, ROBAC  Require central authority managing collaborations  Delegation Models  dRBAC and PBDM  Lacks agility (which the cloud requires)  Grids  CAS, VOMS, PERMIS  Absence of centralized facility and homogeneous architecture (which the cloud has) © ICS at UTSA World-Leading Research with Real-World Impact! 9 Problem: semantic mismatch

10 Literature (Contd.)  Role-based Trust  RT, Traust, RMTN AND RAMARS_TM  Calero et al: towards a multi-tenant authorization system for cloud services o Implementation level PoC o Open for extensions in trust models  Suits the cloud (out-sourcing trust) © ICS at UTSA World-Leading Research with Real-World Impact! 10 Challenge: trust relation

11 OUTLINE  Introduction  Background & Motivation  Formalized Models  MTAS  AMTAS  Enhanced Trust Models  Policy Specification  Conclusion and Future Work © ICS at UTSA World-Leading Research with Real-World Impact! 11

12 Authorization as a Service (AaaS) © ICS at UTSA World-Leading Research with Real-World Impact! 12 AaaS Multi-Tenant Access Control Cross-Tenant Access

13 MTAS © ICS at UTSA World-Leading Research with Real-World Impact! 13

14 MTAS Trust Model  If A trusts B then B (resource owner) can assign  B’s permissions to A’s roles; and  B’s roles as junior roles to A’s roles. © ICS at UTSA World-Leading Research with Real-World Impact! 14 AuthStmts Resources Tenant ATenant B AuthStmts Resources AuthStmts Resources No trust A trust B AuthStmts Resources User

15 AMTAS © ICS at UTSA World-Leading Research with Real-World Impact! 15 CSP admin Issuer 1 admin Issuer 2 admin

16 Enhanced Trust Models  Problem of MTAS  Over exposure of truster’s authorization information  Truster-Centric Public Role (TCPR)  Expose only the truster’s public roles  Relation-Centric Public Role (RCPR)  Expose public roles in terms of each trust relation © ICS at UTSA World-Leading Research with Real-World Impact! 16

17 Constraints  Cyclic Role Hierarchy: lead to implicit role upgrades in the role hierarchy  SoD: conflict of duties  Tenant-level o E.g.: SOX compliance companies may not hire same the same company for both consulting and auditing.  Role-level o across tenants  Chinese Wall: conflict of interests among tenants © ICS at UTSA World-Leading Research with Real-World Impact! 17

18 OUTLINE  Introduction  Background & Motivation  Formalized Models  MTAS  AMTAS  Enhanced Trust Models  Policy Specification  Conclusion and Future Work © ICS at UTSA World-Leading Research with Real-World Impact! 18

19 Example © ICS at UTSA World-Leading Research with Real-World Impact! 19

20 OUTLINE  Introduction  Background & Motivation  Formalized Models  MTAS  AMTAS  Enhanced Trust Models  Policy Specification  Conclusion and Future Work © ICS at UTSA World-Leading Research with Real-World Impact! 20

21 Conclusion  Collaboration needs in the cloud eco-system  Novel service model: AaaS  Proposed formal models  MTAS, AMTAS, Enhanced Trust Models  Constraints  Policy Specification © ICS at UTSA World-Leading Research with Real-World Impact! 21

22 Future Work  Accomplished  Prototype and evaluation o Performance overhead ≈ 0.016 seconds o Scalable in the cloud  MT-RBAC (delegation-centric trust model)  On-going Projects  OpenStack Keystone extensions  Integrate trust into ABAC: MT-ABAC  Unified trust framework © ICS at UTSA World-Leading Research with Real-World Impact! 22

23 Institute for Cyber Security © ICS at UTSA World-Leading Research with Real-World Impact! 23

24 Institute for Cyber Security © ICS at UTSA World-Leading Research with Real-World Impact! 24

Download ppt "Institute for Cyber Security Multi-Tenancy Authorization Models for Collaborative Cloud Services Bo Tang, Ravi Sandhu, and Qi Li Presented by Bo Tang ©"

Similar presentations

1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010

1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010
1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010

1 Trust Evidence in Heterogeneous Environments: Towards a Research Agenda Ravi Sandhu Executive Director and Endowed Professor May 2010
ROWLBAC – Representing Role Based Access Control in OWL

ROWLBAC – Representing Role Based Access Control in OWL
Towards Secure Information Sharing Models for Community Cyber Security Ravi Sandhu, Ram Krishnan and Gregory B. White Institute for Cyber Security University.

Towards Secure Information Sharing Models for Community Cyber Security Ravi Sandhu, Ram Krishnan and Gregory B. White Institute for Cyber Security University.
A Usage-based Authorization Framework for Collaborative Computing Systems Xinwen Zhang George Mason University Masayuki Nakae NEC Corporation Michael J.

A Usage-based Authorization Framework for Collaborative Computing Systems Xinwen Zhang George Mason University Masayuki Nakae NEC Corporation Michael J.
Institute for Cyber Security

Institute for Cyber Security
Institute for Cyber Security Multi-Tenant Access Control for Cloud Services World-Leading Research with Real-World Impact! 1 PhD Dissertation Defense Bo.

Institute for Cyber Security Multi-Tenant Access Control for Cloud Services World-Leading Research with Real-World Impact! 1 PhD Dissertation Defense Bo.
Secure Cyber Incident Information Sharing UTSA Team Leads Dr. Ram Krishnan, Assistant Professor, ECE Dr. Ravi Sandhu, Executive Director, ICS April 30,

Secure Cyber Incident Information Sharing UTSA Team Leads Dr. Ram Krishnan, Assistant Professor, ECE Dr. Ravi Sandhu, Executive Director, ICS April 30,
1 A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC Prof. Ravi Sandhu Executive Director and Endowed Chair DBSEC July 11, 2012.

1 A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC Prof. Ravi Sandhu Executive Director and Endowed Chair DBSEC July 11, 2012.
Institute for Cyber Security Extending OpenStack Access Control with Domain Trust World-Leading Research with Real-World Impact! 1 Bo Tang and Ravi Sandhu.

Institute for Cyber Security Extending OpenStack Access Control with Domain Trust World-Leading Research with Real-World Impact! 1 Bo Tang and Ravi Sandhu.
Attribute-Based Access Control Models and Beyond

Attribute-Based Access Control Models and Beyond
11 World-Leading Research with Real-World Impact! Constraints Specification for Virtual Resource Orchestration in Cloud IaaS Constraints Specification.

11 World-Leading Research with Real-World Impact! Constraints Specification for Virtual Resource Orchestration in Cloud IaaS Constraints Specification.
CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.

CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.
Role Based Access Control Venkata Marella. Access Control System Access control is the ability to permit or deny the use of a particular resource by a.

Role Based Access Control Venkata Marella. Access Control System Access control is the ability to permit or deny the use of a particular resource by a.
CoLaB 22nd December 2005 Secure Access to Service-based Collaborative Workflow for DAME Duncan Russell Informatics Institute University of Leeds, UK.

CoLaB 22nd December 2005 Secure Access to Service-based Collaborative Workflow for DAME Duncan Russell Informatics Institute University of Leeds, UK.
“A Service-enabled Access Control Model for Distributed Data” Mark Turner, Philip Woodall Pennine Forum - 16 th September 2004.

“A Service-enabled Access Control Model for Distributed Data” Mark Turner, Philip Woodall Pennine Forum - 16 th September 2004.
1 Attribute-Based Access Control Models and Beyond Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair in Cyber.

1 Attribute-Based Access Control Models and Beyond Prof. Ravi Sandhu Executive Director, Institute for Cyber Security Lutcher Brown Endowed Chair in Cyber.
Dynasis Secure Group Information Sharing System ADVISOR: DR. AWAIS SHIBLI CO-ADVISOR: DR. ABDUL GHAFOOR GROUP MEMBERS: MANSOOR AHMED SAIF ULLAH YASIR.

Dynasis Secure Group Information Sharing System ADVISOR: DR. AWAIS SHIBLI CO-ADVISOR: DR. ABDUL GHAFOOR GROUP MEMBERS: MANSOOR AHMED SAIF ULLAH YASIR.
11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.

11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.
Secure Information and Resource Sharing in CloudSecure Information and Resource Sharing in Cloud References OSAC-SID Model [1]K. Harrison and G. White.

Secure Information and Resource Sharing in CloudSecure Information and Resource Sharing in Cloud References OSAC-SID Model [1]K. Harrison and G. White.

Similar presentations

Ads by Google