Dynamic Multiparty Authentication of Data Analytics Services within Cloud Environments

Business analytics processes are often composed from orchestrated, collaborating services, which are consumed by users from multiple cloud systems (in different security realms), which need to be engaged dynamically at runtime. If heterogeneous cloud systems located in different security realms do not have direct authentication relationships, then it is a considerable technical challenge to enable secure collaboration. In order to address this security challenge, a new authentication framework is required to establish trust amongst business analytics service instances and users by distributing a common session secret to all participants of a session. We address this challenge by designing and implementing a secure multiparty authentication framework for dynamic interaction, for the scenario where members of different security realms express a need to access orchestrated services. This novel framework exploits the relationship of trust between session members in different security realms, to enable a user to obtain security credentials that access cloud resources in a remote realm. The mechanism assists cloud session users to authenticate their session membership, thereby improving the performance of authentication processes within multiparty sessions. We see applicability of this framework beyond multiple cloud infrastructure, to that of any scenario where multiple security realms has the potential to exist, such as the emerging Internet of Things (IoT).Comment: Submitted to the 20th IEEE International Conference on High Performance Computing and Communications 2018 (HPCC2018), 28-30 June 2018, Exeter, U

A Scalable Model for Secure Multiparty Authentication

Distributed system architectures such as cloud computing or the emergent architectures of the Internet Of Things, present significant challenges for security and privacy. Specifically, in a complex application there is a need to securely delegate access control mechanisms to one or more parties, who in turn can govern methods that enable multiple other parties to be authenticated in relation to the services that they wish to consume. We identify shortcomings in an existing proposal by Xu et al for multiparty authentication and evaluate a novel model from Al-Aqrabi et al that has been designed specifically for complex multiple security realm environments. The adoption of a Session Authority Cloud ensures that resources for authentication requests are scalable, whilst permitting the necessary architectural abstraction for myriad hardware IoT devices such as actuators and sensor networks, etc. In addition, the ability to ensure that session credentials are confirmed with the relevant resource principles means that the essential rigour for multiparty authentication is established

A Framework for Sensor Networks with Multiple Owners

A framework for sensor networks with multiple owners develops a mechanism for assured and controlled access to sensor assets owned and maintained by disparate organizations. The framework addresses the limitations in an existing system and proposes extensions to it. It also provides new mechanisms for cross-domain authentication and authorization by implementing a prototype as a proof of concept

The InterMesh Network Architecture

The rapid spread of mobile devices, the emergence of key wireless technologies, and the nomadic user and computing lifestyles on current networks are continuously evolving in synergy. MANETs, WSNs, and WMNs are examples of self-organizing unstructured networks that have their local communication paradigms and are optimized to perform under their particular physical constraints. Wireless Mesh Networks (WMNs) are particularly interesting because of their ability to operate in a pure ad-hoc mode or to include some infrastructural components, making them suitable for a multitude of applications. Inter-networking among the heterogeneous access networks is currently offered by the Internet Protocol (IP). However, the evolution of and the innovation within these networks is greatly hindered by the rigidity of the current Internet implementation and its lag in efficiently supporting flexible unstructured communication paradigms. To broaden the user\u27s innovation space and to efficiently embrace the characteristics of emerging networks, clean-slate architectural approaches are being pursued. In this paper, we propose InterMesh, a novel iner-networking platform for wireless mesh networks. InterMesh enables heterogeneous access networks to converge at novel Persistent Identification and Networking Layer (PINL), providing a seamless service to individual network entities. This paper identifies the key concepts behind the InterMesh network platform, presents an interesting prototype implementation that can coexist with today\u27s Internet while still be able to evolve separately, and discusses some preliminary performance results of the prototype

Middleware Technologies for Cloud of Things - a survey

The next wave of communication and applications rely on the new services provided by Internet of Things which is becoming an important aspect in human and machines future. The IoT services are a key solution for providing smart environments in homes, buildings and cities. In the era of a massive number of connected things and objects with a high grow rate, several challenges have been raised such as management, aggregation and storage for big produced data. In order to tackle some of these issues, cloud computing emerged to IoT as Cloud of Things (CoT) which provides virtually unlimited cloud services to enhance the large scale IoT platforms. There are several factors to be considered in design and implementation of a CoT platform. One of the most important and challenging problems is the heterogeneity of different objects. This problem can be addressed by deploying suitable "Middleware". Middleware sits between things and applications that make a reliable platform for communication among things with different interfaces, operating systems, and architectures. The main aim of this paper is to study the middleware technologies for CoT. Toward this end, we first present the main features and characteristics of middlewares. Next we study different architecture styles and service domains. Then we presents several middlewares that are suitable for CoT based platforms and lastly a list of current challenges and issues in design of CoT based middlewares is discussed.Comment: http://www.sciencedirect.com/science/article/pii/S2352864817301268, Digital Communications and Networks, Elsevier (2017

Middleware Technologies for Cloud of Things - a survey

The next wave of communication and applications rely on the new services provided by Internet of Things which is becoming an important aspect in human and machines future. The IoT services are a key solution for providing smart environments in homes, buildings and cities. In the era of a massive number of connected things and objects with a high grow rate, several challenges have been raised such as management, aggregation and storage for big produced data. In order to tackle some of these issues, cloud computing emerged to IoT as Cloud of Things (CoT) which provides virtually unlimited cloud services to enhance the large scale IoT platforms. There are several factors to be considered in design and implementation of a CoT platform. One of the most important and challenging problems is the heterogeneity of different objects. This problem can be addressed by deploying suitable "Middleware". Middleware sits between things and applications that make a reliable platform for communication among things with different interfaces, operating systems, and architectures. The main aim of this paper is to study the middleware technologies for CoT. Toward this end, we first present the main features and characteristics of middlewares. Next we study different architecture styles and service domains. Then we presents several middlewares that are suitable for CoT based platforms and lastly a list of current challenges and issues in design of CoT based middlewares is discussed.Comment: http://www.sciencedirect.com/science/article/pii/S2352864817301268, Digital Communications and Networks, Elsevier (2017

Novel architectures and strategies for security offloading

Internet has become an indispensable and powerful tool in our modern society. Its ubiquitousness, pervasiveness and applicability have fostered paradigm changes around many aspects of our lives. This phenomena has positioned the network and its services as fundamental assets over which we rely and trust. However, Internet is far from being perfect. It has considerable security issues and vulnerabilities that jeopardize its main core functionalities with negative impact over its players. Furthermore, these vulnerabilities¿ complexities have been amplified along with the evolution of Internet user mobility. In general, Internet security includes both security for the correct network operation and security for the network users and endpoint devices. The former involves the challenges around the Internet core control and management vulnerabilities, while the latter encompasses security vulnerabilities over end users and endpoint devices. Similarly, Internet mobility poses major security challenges ranging from routing complications, connectivity disruptions and lack of global authentication and authorization. The purpose of this thesis is to present the design of novel architectures and strategies for improving Internet security in a non-disruptive manner. Our novel security proposals follow a protection offloading approach. The motives behind this paradigm target the further enhancement of the security protection while minimizing the intrusiveness and disturbance over the Internet routing protocols, its players and users. To accomplish such level of transparency, the envisioned solutions leverage on well-known technologies, namely, Software Defined Networks, Network Function Virtualization and Fog Computing. From the Internet core building blocks, we focus on the vulnerabilities of two key routing protocols that play a fundamental role in the present and the future of the Internet, i.e., the Border Gateway Protocol (BGP) and the Locator-Identifier Split Protocol (LISP). To this purpose, we first investigate current BGP vulnerabilities and countermeasures with emphasis in an unresolved security issue defined as Route Leaks. Therein, we discuss the reasons why different BGP security proposals have failed to be adopted, and the necessity to propose innovative solutions that minimize the impact over the already deployed routing solution. To this end, we propose pragmatic security methodologies to offload the protection with the following advantages: no changes to the BGP protocol, neither dependency on third party information nor on third party security infrastructure, and self-beneficial. Similarly, we research the current LISP vulnerabilities with emphasis on its control plane and mobility support. We leverage its by-design separation of control and data planes to propose an enhanced location-identifier registration process of end point identifiers. This proposal improves the mobility of end users with regards on securing a dynamic traffic steering over the Internet. On the other hand, from the end user and devices perspective we research new paradigms and architectures with the aim of enhancing their protection in a more controllable and consolidated manner. To this end, we propose a new paradigm which shifts the device-centric protection paradigm toward a user-centric protection. Our proposal focus on the decoupling or extending of the security protection from the end devices toward the network edge. It seeks the homogenization of the enforced protection per user independently of the device utilized. We further investigate this paradigm in a mobility user scenario. Similarly, we extend this proposed paradigm to the IoT realm and its intrinsic security challenges. Therein, we propose an alternative to protect both the things, and the services that leverage from them by consolidating the security at the network edge. We validate our proposal by providing experimental results from prof-of-concepts implementations.Internet se ha convertido en una poderosa e indispensable herramienta para nuestra sociedad moderna. Su omnipresencia y aplicabilidad han promovido grandes cambios en diferentes aspectos de nuestras vidas. Este fenómeno ha posicionado a la red y sus servicios como activos fundamentales sobre los que contamos y confiamos. Sin embargo, Internet está lejos de ser perfecto. Tiene considerables problemas de seguridad y vulnerabilidades que ponen en peligro sus principales funcionalidades. Además, las complejidades de estas vulnerabilidades se han ampliado junto con la evolución de la movilidad de usuarios de Internet y su limitado soporte. La seguridad de Internet incluye tanto la seguridad para el correcto funcionamiento de la red como la seguridad para los usuarios y sus dispositivos. El primero implica los desafíos relacionados con las vulnerabilidades de control y gestión de la infraestructura central de Internet, mientras que el segundo abarca las vulnerabilidades de seguridad sobre los usuarios finales y sus dispositivos. Del mismo modo, la movilidad en Internet plantea importantes desafíos de seguridad que van desde las complicaciones de enrutamiento, interrupciones de la conectividad y falta de autenticación y autorización globales. El propósito de esta tesis es presentar el diseño de nuevas arquitecturas y estrategias para mejorar la seguridad de Internet de una manera no perturbadora. Nuestras propuestas de seguridad siguen un enfoque de desacople de la protección. Los motivos detrás de este paradigma apuntan a la mejora adicional de la seguridad mientras que minimizan la intrusividad y la perturbación sobre los protocolos de enrutamiento de Internet, sus actores y usuarios. Para lograr este nivel de transparencia, las soluciones previstas aprovechan nuevas tecnologías, como redes definidas por software (SDN), virtualización de funciones de red (VNF) y computación en niebla. Desde la perspectiva central de Internet, nos centramos en las vulnerabilidades de dos protocolos de enrutamiento clave que desempeñan un papel fundamental en el presente y el futuro de Internet, el Protocolo de Puerta de Enlace Fronterizo (BGP) y el Protocolo de Separación Identificador/Localizador (LISP ). Para ello, primero investigamos las vulnerabilidades y medidas para contrarrestar un problema no resuelto en BGP definido como Route Leaks. Proponemos metodologías pragmáticas de seguridad para desacoplar la protección con las siguientes ventajas: no cambios en el protocolo BGP, cero dependencia en la información de terceros, ni de infraestructura de seguridad de terceros, y de beneficio propio. Del mismo modo, investigamos las vulnerabilidades actuales sobre LISP con énfasis en su plano de control y soporte de movilidad. Aprovechamos la separacçón de sus planos de control y de datos para proponer un proceso mejorado de registro de identificadores de ubicación y punto final, validando de forma segura sus respectivas autorizaciones. Esta propuesta mejora la movilidad de los usuarios finales con respecto a segurar un enrutamiento dinámico del tráfico a través de Internet. En paralelo, desde el punto de vista de usuarios finales y dispositivos investigamos nuevos paradigmas y arquitecturas con el objetivo de mejorar su protección de forma controlable y consolidada. Con este fin, proponemos un nuevo paradigma hacia una protección centrada en el usuario. Nuestra propuesta se centra en el desacoplamiento o ampliación de la protección de seguridad de los dispositivos finales hacia el borde de la red. La misma busca la homogeneización de la protección del usuario independientemente del dispositivo utilizado. Además, investigamos este paradigma en un escenario con movilidad. Validamos nuestra propuesta proporcionando resultados experimentales obtenidos de diferentes experimentos y pruebas de concepto implementados

Novel architectures and strategies for security offloading

Internet has become an indispensable and powerful tool in our modern society. Its ubiquitousness, pervasiveness and applicability have fostered paradigm changes around many aspects of our lives. This phenomena has positioned the network and its services as fundamental assets over which we rely and trust. However, Internet is far from being perfect. It has considerable security issues and vulnerabilities that jeopardize its main core functionalities with negative impact over its players. Furthermore, these vulnerabilities¿ complexities have been amplified along with the evolution of Internet user mobility. In general, Internet security includes both security for the correct network operation and security for the network users and endpoint devices. The former involves the challenges around the Internet core control and management vulnerabilities, while the latter encompasses security vulnerabilities over end users and endpoint devices. Similarly, Internet mobility poses major security challenges ranging from routing complications, connectivity disruptions and lack of global authentication and authorization. The purpose of this thesis is to present the design of novel architectures and strategies for improving Internet security in a non-disruptive manner. Our novel security proposals follow a protection offloading approach. The motives behind this paradigm target the further enhancement of the security protection while minimizing the intrusiveness and disturbance over the Internet routing protocols, its players and users. To accomplish such level of transparency, the envisioned solutions leverage on well-known technologies, namely, Software Defined Networks, Network Function Virtualization and Fog Computing. From the Internet core building blocks, we focus on the vulnerabilities of two key routing protocols that play a fundamental role in the present and the future of the Internet, i.e., the Border Gateway Protocol (BGP) and the Locator-Identifier Split Protocol (LISP). To this purpose, we first investigate current BGP vulnerabilities and countermeasures with emphasis in an unresolved security issue defined as Route Leaks. Therein, we discuss the reasons why different BGP security proposals have failed to be adopted, and the necessity to propose innovative solutions that minimize the impact over the already deployed routing solution. To this end, we propose pragmatic security methodologies to offload the protection with the following advantages: no changes to the BGP protocol, neither dependency on third party information nor on third party security infrastructure, and self-beneficial. Similarly, we research the current LISP vulnerabilities with emphasis on its control plane and mobility support. We leverage its by-design separation of control and data planes to propose an enhanced location-identifier registration process of end point identifiers. This proposal improves the mobility of end users with regards on securing a dynamic traffic steering over the Internet. On the other hand, from the end user and devices perspective we research new paradigms and architectures with the aim of enhancing their protection in a more controllable and consolidated manner. To this end, we propose a new paradigm which shifts the device-centric protection paradigm toward a user-centric protection. Our proposal focus on the decoupling or extending of the security protection from the end devices toward the network edge. It seeks the homogenization of the enforced protection per user independently of the device utilized. We further investigate this paradigm in a mobility user scenario. Similarly, we extend this proposed paradigm to the IoT realm and its intrinsic security challenges. Therein, we propose an alternative to protect both the things, and the services that leverage from them by consolidating the security at the network edge. We validate our proposal by providing experimental results from prof-of-concepts implementations.Internet se ha convertido en una poderosa e indispensable herramienta para nuestra sociedad moderna. Su omnipresencia y aplicabilidad han promovido grandes cambios en diferentes aspectos de nuestras vidas. Este fenómeno ha posicionado a la red y sus servicios como activos fundamentales sobre los que contamos y confiamos. Sin embargo, Internet está lejos de ser perfecto. Tiene considerables problemas de seguridad y vulnerabilidades que ponen en peligro sus principales funcionalidades. Además, las complejidades de estas vulnerabilidades se han ampliado junto con la evolución de la movilidad de usuarios de Internet y su limitado soporte. La seguridad de Internet incluye tanto la seguridad para el correcto funcionamiento de la red como la seguridad para los usuarios y sus dispositivos. El primero implica los desafíos relacionados con las vulnerabilidades de control y gestión de la infraestructura central de Internet, mientras que el segundo abarca las vulnerabilidades de seguridad sobre los usuarios finales y sus dispositivos. Del mismo modo, la movilidad en Internet plantea importantes desafíos de seguridad que van desde las complicaciones de enrutamiento, interrupciones de la conectividad y falta de autenticación y autorización globales. El propósito de esta tesis es presentar el diseño de nuevas arquitecturas y estrategias para mejorar la seguridad de Internet de una manera no perturbadora. Nuestras propuestas de seguridad siguen un enfoque de desacople de la protección. Los motivos detrás de este paradigma apuntan a la mejora adicional de la seguridad mientras que minimizan la intrusividad y la perturbación sobre los protocolos de enrutamiento de Internet, sus actores y usuarios. Para lograr este nivel de transparencia, las soluciones previstas aprovechan nuevas tecnologías, como redes definidas por software (SDN), virtualización de funciones de red (VNF) y computación en niebla. Desde la perspectiva central de Internet, nos centramos en las vulnerabilidades de dos protocolos de enrutamiento clave que desempeñan un papel fundamental en el presente y el futuro de Internet, el Protocolo de Puerta de Enlace Fronterizo (BGP) y el Protocolo de Separación Identificador/Localizador (LISP ). Para ello, primero investigamos las vulnerabilidades y medidas para contrarrestar un problema no resuelto en BGP definido como Route Leaks. Proponemos metodologías pragmáticas de seguridad para desacoplar la protección con las siguientes ventajas: no cambios en el protocolo BGP, cero dependencia en la información de terceros, ni de infraestructura de seguridad de terceros, y de beneficio propio. Del mismo modo, investigamos las vulnerabilidades actuales sobre LISP con énfasis en su plano de control y soporte de movilidad. Aprovechamos la separacçón de sus planos de control y de datos para proponer un proceso mejorado de registro de identificadores de ubicación y punto final, validando de forma segura sus respectivas autorizaciones. Esta propuesta mejora la movilidad de los usuarios finales con respecto a segurar un enrutamiento dinámico del tráfico a través de Internet. En paralelo, desde el punto de vista de usuarios finales y dispositivos investigamos nuevos paradigmas y arquitecturas con el objetivo de mejorar su protección de forma controlable y consolidada. Con este fin, proponemos un nuevo paradigma hacia una protección centrada en el usuario. Nuestra propuesta se centra en el desacoplamiento o ampliación de la protección de seguridad de los dispositivos finales hacia el borde de la red. La misma busca la homogeneización de la protección del usuario independientemente del dispositivo utilizado. Además, investigamos este paradigma en un escenario con movilidad. Validamos nuestra propuesta proporcionando resultados experimentales obtenidos de diferentes experimentos y pruebas de concepto implementados.Postprint (published version

Cloud BI: A Multi-party Authentication Framework for Securing Business Intelligence on the Cloud

Business intelligence (BI) has emerged as a key technology to be hosted on Cloud computing. BI offers a method to analyse data thereby enabling informed decision making to improve business performance and profitability. However, within the shared domains of Cloud computing, BI is exposed to increased security and privacy threats because an unauthorised user may be able to gain access to highly sensitive, consolidated business information. The business process contains collaborating services and users from multiple Cloud systems in different security realms which need to be engaged dynamically at runtime. If the heterogamous Cloud systems located in different security realms do not have direct authentication relationships then it is technically difficult to enable a secure collaboration. In order to address these security challenges, a new authentication framework is required to establish certain trust relationships among these BI service instances and users by distributing a common session secret to all participants of a session. The author addresses this challenge by designing and implementing a multiparty authentication framework for dynamic secure interactions when members of different security realms want to access services. The framework takes advantage of the trust relationship between session members in different security realms to enable a user to obtain security credentials to access Cloud resources in a remote realm. This mechanism can help Cloud session users authenticate their session membership to improve the authentication processes within multi-party sessions. The correctness of the proposed framework has been verified by using BAN Logics. The performance and the overhead have been evaluated via simulation in a dynamic environment. A prototype authentication system has been designed, implemented and tested based on the proposed framework. The research concludes that the proposed framework and its supporting protocols are an effective functional basis for practical implementation testing, as it achieves good scalability and imposes only minimal performance overhead which is comparable with other state-of-art methods