01_ICT Visit_ Project Briefing and Progress Overview [Dec 26, 13]

Department of Computing, School of Electrical Engineering and Computer

Sciences, NUST - Islamabad

KTH Applied Information Security Lab

Extensible Access Control Framework for Cloud hosted

ApplicationsIntroduction & Briefing

Funded By: National ICT R&DPrincipal Investigator Organization: NUST-SEECS




Session Agenda1. KTH-AIS Lab Profile2. Project Management3. Technical Methodology4. Implementation Perspective

2




KTH-AIS Lab Research Profile




OutlineKTH-AIS Lab Profile

Background Aims & Scope Research Areas/Profile Research Projects

4




Background• SEECS Applied Information Security (AIS)

Lab is a joint effort of: NUST School of Electrical Engineering and

Computer Science (SEECS), Pakistan Royal Institute of Technology (KTH),

Sweden

• Founded in August 2010

5




Research Aims• Design and development of innovative

security solutions to satisfy the privacy needs of industries and academia

• Bridge the gap between cutting edge research and information security problems

• Create high-tech workforce by providing appropriate training to undergraduate and post-graduate students

6




Research Areas Cloud Computing Security -

SecaaS Secure Unstructured

Databases Secure Group

Communications Secure Physical Access

control Smart Cards & Security

Protocols Secure Mobile Applications Secure and Trusted

infrastructure Security in Open

Distributed Systems

8




Extensible Access Control Framework for Cloud Based

Applications Funded by National ICT R&D Status: 3rd quarter in progress (Due Date:

Feb 15, 2014) Project Cost: 13 Million Duration: 2 Years Research Area: Cloud Computing Security Workforce: 11 Team Members including MS

and BS degree holders Direct Beneficiary: Educational Institutes,

Cloud Community, IT industry Principal Investigator: Dr. Awais Shibli Co-principal Investigator: Dr. Arshad Ali

9




Project Management




OutlineManagerial Aspects of Project

Team Introduction Execution Phases Milestones Achieved 1st Quarter Deliverables 2nd Quarter Deliverables 3rd Quarter Deliverables

11




Team Introduction1. Dr. Muhammad Awais Shibli – Principal

Investigator2. Dr. Arshad Ali – Co-principal Investigator3. Ms. Rahat Masood – Team Lead4. Ms. Arjumand Fatima – Professional

Researchers5. Ms. Yumna Ghazi – Professional Researchers6. Mr. Fowz Masood –Technical Writer/ Project

Coordinator7. Ms. Umme Habiba – Research Assistant8. Ms. Ayesha Kanwal – Research Assistant

12




Team IntroductionGroup 011. Mr. Salman Ansari – Development Assistant2. Mr. Ummair Asghar – Development AssistantGroup 023. Mr. Sadiq Alvi– Development Assistant4. Mr. Junaid Bin Sarfraz – Development

AssistantGroup 035. Mr. Jawad Hussain– Development Assistant6. Mr. Amir Hamza– Development Assistant

13

FGAC Model

UCON Model

ABAC Model




Execution Phases

Elapsed Time Deliverables

1-3

• Report 1: “A Literature Survey on Authorization Issues in Cloud Computing: Challenges, Opportunities & Impact”.

• Report 2: “Comparative Analysis of Access Control Systems on Cloud”.

• One publication in highly rated conference.

14

• Submission of chapter entitled “Access Control as a Service in Cloud: Challenges, Impact and Strategies” in Springer Book – (accepted, under publication)

• Submission of Journal Paper entitled “The Prospectives of Cloud Authorization Towards Effective Benchmarking and Appraisal” – Under Review

• Submission of two Technical Reports

1st Quarter

Milestones Achieved(Progress so far)




Book Chapter “Access Control as a Service in Cloud: Challenges, Impact

and Strategies” Publisher: Springer Book Name: Continued Rise of the

Cloud: Advances and Trends in Cloud Computing

Contribution: Issues associated with authorization services in Cloud along with comprehensive solution of Access Control as a Service (ACaaS)

Authors: Awais Shibli, Rahat Masood, Umme Habiba, Ayesha Kanwal, Yumna Ghazi, Rafia Mumtaz

Expected Publication Date : 201415




Journal Paper “The Prospectives of Cloud Authorization”

Journal: Frontiers of Computer Science – Springer

Reviews Received: Oct 22, 2013 Revised Manuscript Submitted: Dec

18, 2013 Contribution: i) Systematic analysis of

the existing authorization solutions in Cloud, ii) derive the general shortcomings of the extant access control techniques, iii) enumerated the features for an ideal access control mechanisms for the Cloud

Authors: Rahat Masood, Awais Shibli, Yumna Ghazi, Dr. Arshad Ali

16




Submission of Technical Reports Report 1: Authorization Issues in Cloud

Computing: Challenges, Opportunities & Impact

Report 2: Comparative Analysis of Access Control Systems on Cloud

Contribution: i) highlights Cloud computing challenges and security issues, ii) helps in understanding various authorization issues in Software as a Service (SaaS) layer of the Cloud, iii) analyze existing Cloud based access control systems against NIST defined generic access control evaluation criteria17




18

• Software Requirement specification (SRS)• System Architecture Document • Software Design Document• Seminar “Cloud Computing: Saviour or a

Buzzword??”

2nd Quarter Elapsed Time Deliverables

4-6

• Detailed Software Requirement Specification (SRS) document.

• High-Level Design (architecture) document.

• Software Design Specification (SDS) document.

• Seminar 1: “Cloud Computing: A Buzzword or a Savior”.


Execution Phases




Project Requirements, Design & Architecture Documents

Software Requirement Specification (SRS): intended for gathering the technical and operational requirements for the project, provide adequate details regarding the design, requirements, user interfaces and the core functionality.

High-Level Architecture: illustrates the architectural design of the framework, provide adequate detail regarding the architecture and various architectural views/workflows to depict different aspects

19




Project Requirements, Design & Architecture Documents

Software Design Specification (SDS): explains in-depth design and architectural details, interaction between the components is explained, describes design strategies, detailed system design, various design views, UML diagrams and deployment architecture

20




Seminar “Cloud Computing: Buzzword or a Saviour…???”

Agenda: Emergence, Opportunities, Challenges and Future Prospects of Cloud Computing

Date: December 6, 2013 Speakers: Dr. Awais Shibli, Dr. Abdul Ghafoor,

Ms. Rahat Masood Targeted Audience : Open for all Nustians Sponsors: National ICT R&D Fund Organizers: KTH-AIS Lab, NUST-SEECS URL: http://

ais.seecs.nust.edu.pk/Seminars.php 21

http://ais.seecs.nust.edu.pk/Seminars.php

http://ais.seecs.nust.edu.pk/Seminars.php





• Source Code of Attribute based Access Control (ABAC) Model

• ABAC Profile• User Manual & Acceptance Testing

Report• Initialization of Cloud Instances in AIS

lab (Cloud Configuration Manuals)• Development Manual

3rd Quarter

22




Execution Phases Elapsed Time Deliverables

7-9• Version 1.0* will be uploaded on

sourcefourge.net.(a)• Report 3: “Unit Testing of ABAC

model”.• Initialization of Cloud Instances in AIS

lab

10-12

• Test application (financial) hosted on OpenStack.

• Version 2.0* will be uploaded on sourcefourge.net.(a)

• Report 4: “Unit Testing of UCON and FGAC model”.

• Core research idea publication in category A conference/journal.23





13-15

• Report 5: “Unit and Integration Testing Results of Framework w.r.t Access Control Models and Cloud Applications”.

• Cloud hosted application with framework integrated.

• Workshop 1: “Development and Deployment of Applications in OpenStack”.

16-18

• Version 3.0* will be uploaded on sourceforge.net. (a)

• Report 6: “Integration Testing Results on Extensibility of framework”. 24





19-21

• Report 7: “Quality Assurance Report on Extensible Access Control Framework”.

• Version 4.0** will be uploaded on sourcefourge.net.(a)

22-24

• Report 8: “Performance Results of the Extensible Access Control Framework”.

• Paper publication in Category A conference/Journal.

• Report 9: “Framework Effects on Cross-domain Cloud Environments.”

• Workshop 2: “Demonstration and working of Extensible Access Control Framework”.

25




Technical Methodology




OutlineTechnical Methodology

Cloud Computing Challenges of Cloud Computing Security Challenge Security as a Service (SecaaS) Authorization Issues in Cloud Project Overview (Introduction

& Briefing)

27




Cloud Computing…???• Generally means:

Lots of general purpose hosts Central management Distributed data storage Ability to move applications from system

to system Low-touch provisioning system Soft failover/redundancy

28




Characteristics of Cloud Computing

Broad Network Access

Rapid Elasticity

On-demand Self Service

Measured Services

Resource Pooling

29




Cloud Service Delivery Models

Infrastructure as a Service (IaaS)

Software as a Service (SaaS)

Platform as a Service (PaaS)

30




Software as a Service (SaaS)

Applications are hosted as a service and

provided to the Cloud customers.

Eliminate the need for installing

and running different soft wares locally.

31




Reasons for not using Cloud…….

32




Cloud Computing Challenges

33

PortabilitySecurityPrivacy

Lack of knowledge &

Expertise

Reliability

Performance

Abuse of Cloud Services

Shared Technology IssuesInsufficient due diligence

Interoperability

Service Delivery & Billing

CLOUD

Bandwidth Cost

Usage Control

Availability




34

Notorious-9 - Cloud Challenges

1. Efficiency of Service Provisioning

• Usage of development tools & components• Creation of scalable architectures• Resource management and flexibility• Availability of services

2. Effectiveness of Service Usage & Control

• Contracts including questions of liability• Control of services by users• Governance/escalation of mechanisms

3. Transparency Of Service Delivery And Billing

• Billing including license management• QA by monitoring SLA• Type and location of data processing

4. Compliance With Regulatory Requirements




35

Notorious-9 - Cloud Challenges..

5. Information Security• Identity and Rights management• Privacy and Integrity• Access control, logging and attack prevention• Verification and certification

6. Data Privacy• Migration into/out of Cloud• Ability to integrate into on-premise IT• Cloud Federation

7. Interoperability

• Service portability• Data portability

8. Portability Between Providers

9. Ensuring Fair Competition In The Market




36

Data Confidentiali

ty Data

Integrity

IdentityManageme

ntVirtualizatio

n

Audit & Complianc

e

Privacy

Data Security

Data Locality

Network Security

Cloud Security Challenges

Trust

Access Control




CSA Top Cloud Security threats

No. CSA Top Threat

1 Abuse and Nefarious Use of Cloud Computing

2 Insecure Interfaces and APIs

3 Malicious Insiders

4 Data Loss or Leakage

5 Account or Service Hijacking

6 Shared Technology Vulnerabilities

7 Inadequate Infrastructure design and Planning

8 Abuse of Cloud Services

9 Cloud related malware / Denial of Service

37




CSA Top Cloud Security threats

No. CSA Top Threat

1 Abuse and Nefarious Use of Cloud Computing 2 Insecure Interfaces and APIs 3 Malicious Insiders 4 Data Loss or Leakage 5 Account or Service Hijacking

6 Shared Technology Vulnerabilities

7 Inadequate Infrastructure design and Planning

8 Abuse of Cloud Services

9 Cloud related malware / Denial of Service

38




39

Security Challenges in SaaS

SaaS

Data Breaches

Network Security

Data Integrity

Data Segregation

Data ConfidentialityAuthentication

Data Backup

Data Access

Web Application Security

Data Locality

Identity Management & SSO




Security as a Service (SECaaS) for SaaS

40

SECaaS

Email Security aaS Web content filtering aaS

Access control aaS

Cloud Service Consumers

Identity aaS

Network Security aaS Security assessment aaS

Encryption aaS Data protection aaS




Access Control in Cloud(Area of Focus)

Access control’s role is to control and limit the actions or operations in the Cloud systems that are performed by a user on a set of resources.

41




Access Control Issues What access control model is used and how well does it meet a customer requirements?

Where do user accounts reside, how are they provisioned and de-provisioned, and how is the integrity of the information protected?

What support is provided for delegated administration by policy administration services?

Authorization Issues in Cloud

42




43

Challenging Authorization Problems

Cloud Perspective• Cloud subscribers often do not have sufficient

control over technical access policy decision-making and enforcement in the cloud infrastructure.

• Most cloud providers do not offer subscriber-configurable policy enforcement points (e.g. based on the OASIS XACML standard).

• Cloud providers naturally cannot pre-configure subscriber-specific policies for subscribers (because they are subscriber- specific).




44

Challenging Authorization Problems

Cloud Perspective• Managing and creating Cloud subscriber access policies

is the biggest challenge around authorization • There is no common standard policy specification

format adopted yet for cloud.• Traditional access control models have some

specific parameters suitable only for particular scenarios and granular access control is yet a key requirement.

• Translating policies into security implementation gets more time-consuming, expensive, and error-prone.




Access Control as a Service (ACaaS)

• There should be a generic framework for the applications of Cloud consumers that can be customized by consumers according to their own security needs along with the basic security features provided by Cloud providers.

This framework should encompasses multiple models and should have the ability to add any

access control model within framework based on the security requirements of consumer.

45




Project StatementsWe aim to provide Access Control-as-a-Service (ACaaS) for

Software-as-a-Service (SaaS) layer applications by incorporating variety of reliable and well-known access

control models as Cloud based services.

Framework will be capable of handling a wide variety of Cloud Service Consumers (CSC) and intends to minimize the chance of data loss and corruption by unauthorized

users.

Final deliverables include the implementation of an extensible API that is capable of managing and controlling access for SaaS hosted Cloud applications and resources.

46




Extensibility: incorporate multiple access control models pertaining to the needs of Cloud service consumers.Generic: act independently as an access control layer for Cloud application.

Open-source access control solution: perform research and analysis on upcoming and existing access control models w.r.t security challenges of Cloud.Manageability: ability for defining, managing, and accessing the access control rules

Policy Specification Format: use of Common Access Control Policy Language (XACML)

Development and Support for Third Party Plug-ins

47

Project Significance




Project Website

http://ais.seecs.nust.edu.pk/templates/project/




49

Pleasure in the job puts perfection in the work. --Aristotle

Date post:	15-Apr-2017
Category:	Documents
Upload:	awais-shibli
View:	112 times
Download:	0 times