35 research outputs found

    G-Cloud on Openstack: Addressing access control and regulation requirements

    It is well known that e-Government applications bring several benefits to citizens in terms of efficiency, accessibility and transparency. Today, most governments tend to propose cloud computing based e-services to their citizens. A key component in these services is the access control management issue. In this paper, we present our research work on building an access control system for the Djiboutian e-Government project, which is built using the Openstack framework. Specifically, we demonstrate the limitations of the integrated access control system in Openstack with respect to the Djiboutian e-Government access control requirements and compliance with the related regulation. Thus, we propose to extend the existing access control system of Openstack by integrating the features of XACML V3 into the Openstack framework.

    IaaS-cloud security enhancement: an intelligent attribute-based access control model and implementation

    The cloud computing paradigm introduces an efficient utilisation of huge computing resources by multiple users with minimal expense and deployment effort compared to traditional computing facilities. Although cloud computing has incredible benefits, some governments and enterprises remain hesitant to transfer their computing technology to the cloud as a consequence of the associated security challenges. Security is, therefore, a significant factor in cloud computing adoption. Cloud services consist of three layers: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Cloud computing services are accessed through network connections and utilised by multiple users who can share the resources through virtualisation technology. Accordingly, an efficient access control system is crucial to prevent unauthorised access. This thesis mainly investigates the IaaS security enhancement from an access control point of view. [Continues.

    An Intelligent Access Control Model

    Cybersecurity is a critical issue as the world is moving toward the IR4 era (Industrial Revolution 4.0), where technology is involved everywhere and access to the internet is an imperative need. Traditional computing systems are not able to meet the huge computing demand and growing data (Big Data). Therefore, new technologies have evolved, such as cloud computing. This chapter explores the need for a dynamic access control approach to enhance cybersecurity. The scope of this chapter focuses on the IaaS (Infrastructure as a Service) layer of cloud computing. The research approach aims to enhance the basic ABAC (Attribute-Based Access Control) model by adding a context-aware feature and the SoD principle. The enhanced model is called ABACsh. This proposed enhancement is implemented through a framework based on AI (Artificial Intelligence) to meet the requirements of dynamic systems. The framework is tested in the OpenStack testbed. The results show better performance in terms of computation speed.

    An access control and authorization model with Open stack cloud for Smart Grid

    In comparison to authentication, which identifies a user and relates that identity to its tasks and processes within the system, authorization in access control is much more concerned with confirming that a user and its task, in the form of a system process, are granted access to the assets of a particular domain only when proven compliant with the identified policies. Access control and authorization has been an area of interest for researchers seeking to enhance the security of critical assets for many decades. Our prime focus and interest is in the field of access control models based on Attribute Based Access Control (ABAC), and in this paper we try to integrate ABAC with the openstack cloud to achieve a finer level of granularity in access policies for a domain like the smart grid. The technical advancement of the current era demands that critical infrastructure like the traditional electrical grid opens up to modern information and communication technology in order to benefit in terms of efficiency, scalability, accessibility and transparency, for better adaptability in the real world. Incorporating ICT into the electric grid makes a greater level of bi-directional interaction possible among stakeholders such as customers, generation units, distribution units and administrations, and this has led international organizations to contribute to the standardization of smart grid concepts and technology so that the realization of the smart grid becomes reality. The smart grid is by its nature a distributed system of very large scale and needs to integrate available legacy systems with its own security requirements. Cloud computing has proven to be the most efficient approach for these requirements, and we have identified openstack as our cloud platform. We have integrated the ABAC approach with the default RBAC approach of openstack and provide a framework that supports and integrates multiple access control policies in making authorization decisions.
    The smart grid domain is considered as a case study, which requires support for multiple access policies (RBAC, ABAC, DAC, etc.) in our model for access control and authorization.

    Policy-driven Security Management for Gateway-Oriented Reconfigurable Ecosystems

    With the increasing user demand for low latency, elastic provisioning of computing resources coupled with ubiquitous and on-demand access to real-time data, cloud computing has emerged as a popular computing paradigm to meet growing user demands. However, with the introduction and rising use of wearable technology and evolving uses of smart-phones, the concept of the Internet of Things (IoT) has become a prevailing notion in the currently growing technology industry. Cisco Inc. has projected data creation of approximately 403 Zettabytes (ZB) by 2018. The combination of bringing benign devices and connecting them to the web has resulted in exploding service and data aggregation requirements, thus requiring a new and innovative computing platform. This platform should have the capability to provide robust real-time data analytics and resource provisioning to clients, such as IoT users, on demand. Such a computation model would need to function at the edge of the network, forming a bridge between the large cloud data centers and the distributed connected devices. This research expands on the notion of bringing computational power to the edge of the network, and then integrating it with the cloud computing paradigm whilst providing services to diverse IoT-based applications. This expansion is achieved through the establishment of a new computing model that serves as a platform for IoT-based devices to communicate with services in real time. We name this paradigm Gateway-Oriented Reconfigurable Ecosystem (GORE) computing. Finally, this thesis proposes and discusses the development of a policy management framework for accommodating our proposed computational paradigm. The policy framework is designed to serve both the hosted applications and the GORE paradigm by enabling them to function more efficiently.
    The goal of the framework is to ensure uninterrupted communication and service delivery between users and their applications.
    Dissertation/Thesis: Masters Thesis, Computer Science, 201

    My private cloud--granting federated access to cloud resources

    We describe the research undertaken in the six-month JISC/EPSRC funded My Private Cloud project, in which we built a demonstration cloud file storage service that allows users to log in to it using their existing credentials from a configured trusted identity provider. Once authenticated, users are shown a set of accounts that they are the owners of, based on their identity attributes. Once users open one of their accounts, they can upload and download files to it. Not only that, but they can then grant access to their file resources to anyone else in the federated system, regardless of whether their chosen delegate has used the cloud service before or not. The system uses standard identity management protocols, attribute based access controls, and a delegation service. A set of APIs has been defined for the authentication, authorisation and delegation processes, and the software has been released as open source to the community. A public demonstration of the system is available online.

    SLA-Based Continuous Security Assurance in Multi-Cloud DevOps

    Multi-cloud applications, i.e. those that are deployed over multiple independent Cloud providers, pose a number of challenges to security-aware development and operation. Security assurance in such applications is hard due to the lack of insight into the security controls applied by Cloud providers and the need to control the security levels of all the components and layers at the same time. This paper presents the MUSA approach to Service Level Agreement (SLA)-based continuous security assurance in multi-cloud applications. The paper details the proposed model for capturing the security controls in the offered application Security SLA and the approach to continuously monitor and assess the controls at the operation phase. This new approach makes it possible to easily align development security requirements with the controls monitored at operation, as well as to react early at operation to any possible security incident or SLA violation.
    The MUSA project leading to this paper has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No. 644429.

    Cloud technology options towards Free Flow of Data

    This whitepaper collects the technology solutions that the projects in the Data Protection, Security and Privacy Cluster propose to address the challenges raised by the working areas of the Free Flow of Data initiative. The document describes the technologies, methodologies, models, and tools researched and developed by the clustered projects, mapped to the ten areas of work of the Free Flow of Data initiative. The aim is to facilitate the identification of state-of-the-art technology options for solving the data security and privacy challenges posed by the Free Flow of Data initiative in Europe. The document gives references to the Cluster, the individual projects and the technologies produced by them.

    Architectural Generation of Context-based Attack Paths

    In industrial processes (Industry 4.0) and in other areas of our lives, such as the energy or health sector, the confidentiality of data is becoming increasingly important. To protect confidential information on critical systems, it is important to determine whether a compromise of these critical systems is possible. Therefore, relevant attack paths in different access control contexts have to be found in order to compare different software architectures with respect to this security aspect. To save costs, it is important to consider potential attack paths already in the design phase of the software architecture. There are already approaches that address the topic of attack path generation. However, they often do not consider it at the software architecture modelling level, which makes the analysis harder for the purpose of component-based software modelling. Furthermore, other approaches often do not consider both vulnerabilities and access control mechanisms. Therefore, this thesis presents an approach for finding all potential attack paths in a software architecture model with respect to vulnerabilities and access control. This helps software architects and security experts find relevant and critical attack paths to a critical element more easily. However, the set of all attack paths is often too large, so the approach presented here introduces and uses meaningful filter criteria based on widespread vulnerability classification standards. The purpose of these filters is to enable the software architect to restrict the resulting attack paths to the relevant ones. The evaluation of the thesis indicated that the model used and the implemented approach can in most cases be applied to small scenarios extracted from real-world case studies.
    Furthermore, the evaluation also indicated an effort reduction of 35 % to 80 % for the software architect. However, no greater scalability of the approach could be shown, since exponential runtime behaviour was observed. Mitigating this scalability problem is, however, one of the main reasons for using the filter criteria.