A JSON Token-Based Authentication and Access Management Schema for Cloud SaaS Applications

Cloud computing is significantly reshaping the computing industry built around core concepts such as virtualization, processing power, connectivity and elasticity to store and share IT resources via a broad network. It has emerged as the key technology that unleashes the potency of Big Data, Internet of Things, Mobile and Web Applications, and other related technologies, but it also comes with its challenges - such as governance, security, and privacy. This paper is focused on the security and privacy challenges of cloud computing with specific reference to user authentication and access management for cloud SaaS applications. The suggested model uses a framework that harnesses the stateless and secure nature of JWT for client authentication and session management. Furthermore, authorized access to protected cloud SaaS resources have been efficiently managed. Accordingly, a Policy Match Gate (PMG) component and a Policy Activity Monitor (PAM) component have been introduced. In addition, other subcomponents such as a Policy Validation Unit (PVU) and a Policy Proxy DB (PPDB) have also been established for optimized service delivery. A theoretical analysis of the proposed model portrays a system that is secure, lightweight and highly scalable for improved cloud resource security and management.Comment: 6 Page

To Share or Not to Share in Client-Side Encrypted Clouds

With the advent of cloud computing, a number of cloud providers have arisen to provide Storage-as-a-Service (SaaS) offerings to both regular consumers and business organizations. SaaS (different than Software-as-a-Service in this context) refers to an architectural model in which a cloud provider provides digital storage on their own infrastructure. Three models exist amongst SaaS providers for protecting the confidentiality data stored in the cloud: 1) no encryption (data is stored in plain text), 2) server-side encryption (data is encrypted once uploaded), and 3) client-side encryption (data is encrypted prior to upload). This paper seeks to identify weaknesses in the third model, as it claims to offer 100% user data confidentiality throughout all data transactions (e.g., upload, download, sharing) through a combination of Network Traffic Analysis, Source Code Decompilation, and Source Code Disassembly. The weaknesses we uncovered primarily center around the fact that the cloud providers we evaluated were each operating in a Certificate Authority capacity to facilitate data sharing. In this capacity, they assume the role of both certificate issuer and certificate authorizer as denoted in a Public-Key Infrastructure (PKI) scheme - which gives them the ability to view user data contradicting their claims of 100% data confidentiality. We have collated our analysis and findings in this paper and explore some potential solutions to address these weaknesses in these sharing methods. The solutions proposed are a combination of best practices associated with the use of PKI and other cryptographic primitives generally accepted for protecting the confidentiality of shared information

Identity-Based Proxy-Oriented Data Uploading and Remote Data Integrity Checking in Public Cloud

More and more clients would like to store their data to public cloud servers (PCSs) along with the rapid development of cloud computing. New security problems have to be solved in order to help more clients process their data in public cloud. When the client is restricted to access PCS, he will delegate its proxy to process his data and upload them. On the other hand, remote data integrity checking is also an important security problem in public cloud storage. It makes the clients check whether their outsourced data are kept intact without downloading the whole data. From the security problems, we propose a novel proxy-oriented data uploading and remote data integrity checking model in identity-based public key cryptography: identity-based proxy-oriented data uploading and remote data integrity checking in public cloud (ID-PUIC). We give the formal definition, system model, and security model. Then, a concrete ID-PUIC protocol is designed using the bilinear pairings. The proposed ID-PUIC protocol is provably secure based on the hardness of computational Diffie–Hellman problem. Our ID-PUIC protocol is also efficient and flexible. Based on the original client’s authorization, the proposed ID-PUIC protocol can realize private remote data integrity checking, delegated remote data integrity checking, and public remote data integrity checking

Implementing Azure Active Directory Integration with an Existing Cloud Service

Training Simulator (TraSim) is an online, web-based platform for holding crisis management exercises. It simulates epidemics and other exceptional situations to test the functionality of an organization’s operating instructions in the hour of need. The main objective of this thesis is to further develop the service by delegating its existing authentication and user provisioning mechanisms to a centralized, cloud-based Identity and Access Management (IAM) service. Making use of a centralized access control service is widely known as a Single Sign-On (SSO) implementation which comes with multiple benefits such as increased security, reduced administrative overhead and improved user experience. The objective originates from a customer organization’s request to enable SSO for TraSim. The research mainly focuses on implementing SSO by integrating TraSim with Azure Active Directory (AD) from a wide range of IAM services since it is considered as an industry standard and already utilized by the customer. Anyhow, the complexity of the integration is kept as reduced as possible to retain compatibility with other services besides Azure AD. While the integration is a unique operation with an endless amount of software stacks that a service can build on and multiple IAM services to choose from, this thesis aims to provide a general guideline of how to approach a resembling assignment. Conducting the study required extensive search and evaluation of the available literature about terms such as IAM, client-server communication, SSO, cloud services and AD. The literature review is combined with an introduction to the basic technologies that TraSim is built with to justify the choice of OpenID Connect as the authentication protocol and why it was implemented using the mozilla-django-oidc library. The literature consists of multiple online articles, publications and the official documentation of the utilized technologies. The research uses a constructive approach as it focuses into developing and testing a new feature that is merged into the source code of an already existing piece of software

Data security in cloud storage services

Cloud Computing is considered to be the next-generation architecture for ICT where it moves the application software and databases to the centralized large data centers. It aims to offer elastic IT services where clients can benefit from significant cost savings of the pay-per-use model and can easily scale up or down, and do not have to make large investments in new hardware. However, the management of the data and services in this cloud model is under the control of the provider. Consequently, the cloud clients have less control over their outsourced data and they have to trust cloud service provider to protect their data and infrastructure from both external and internal attacks. This is especially true with cloud storage services. Nowadays, users rely on cloud storage as it offers cheap and unlimited data storage that is available for use by multiple devices (e.g. smart phones, tablets, notebooks, etc.). Besides famous cloud storage providers, such as Amazon, Google, and Microsoft, more and more third-party cloud storage service providers are emerging. These services are dedicated to offering more accessible and user friendly storage services to cloud customers. Examples of these services include Dropbox, Box.net, Sparkleshare, UbuntuOne or JungleDisk. These cloud storage services deliver a very simple interface on top of the cloud storage provided by storage service providers. File and folder synchronization between different machines, sharing files and folders with other users, file versioning as well as automated backups are the key functionalities of these emerging cloud storage services. Cloud storage services have changed the way users manage and interact with data outsourced to public providers. With these services, multiple subscribers can collaboratively work and share data without concerns about their data consistency, availability and reliability. Although these cloud storage services offer attractive features, many customers have not adopted these services. Since data stored in these services is under the control of service providers resulting in confidentiality and security concerns and risks. Therefore, using cloud storage services for storing valuable data depends mainly on whether the service provider can offer sufficient security and assurance to meet client requirements. From the way most cloud storage services are constructed, we can notice that these storage services do not provide users with sufficient levels of security leading to an inherent risk on users\u27 data from external and internal attacks. These attacks take the form of: data exposure (lack of data confidentiality); data tampering (lack of data integrity); and denial of data (lack of data availability) by third parties on the cloud or by the cloud provider himself. Therefore, the cloud storage services should ensure the data confidentiality in the following state: data in motion (while transmitting over networks), data at rest (when stored at provider\u27s disks). To address the above concerns, confidentiality and access controllability of outsourced data with strong cryptographic guarantee should be maintained. To ensure data confidentiality in public cloud storage services, data should be encrypted data before it is outsourced to these services. Although, users can rely on client side cloud storage services or software encryption tools for encrypting user\u27s data; however, many of these services fail to achieve data confidentiality. Box, for example, does not encrypt user files via SSL and within Box servers. Client side cloud storage services can intentionally/unintentionally disclose user decryption keys to its provider. In addition, some cloud storage services support convergent encryption for encrypting users\u27 data exposing it to “confirmation of a file attack. On the other hand, software encryption tools use full-disk encryption (FDE) which is not feasible for cloud-based file sharing services, because it encrypts the data as virtual hard disks. Although encryption can ensure data confidentiality; however, it fails to achieve fine-grained access control over outsourced data. Since, public cloud storage services are managed by un-trusted cloud service provider, secure and efficient fine-grained access control cannot be realized through these services as these policies are managed by storage services that have full control over the sharing process. Therefore, there is not any guarantee that they will provide good means for efficient and secure sharing and they can also deduce confidential information about the outsourced data and users\u27 personal information. In this work, we would like to improve the currently employed security measures for securing data in cloud store services. To achieve better data confidentiality for data stored in the cloud without relying on cloud service providers (CSPs) or putting any burden on users, in this thesis, we designed a secure cloud storage system framework that simultaneously achieves data confidentiality, fine-grained access control on encrypted data and scalable user revocation. This framework is built on a third part trusted (TTP) service that can be employed either locally on users\u27 machine or premises, or remotely on top of cloud storage services. This service shall encrypts users data before uploading it to the cloud and decrypts it after downloading from the cloud; therefore, it remove the burden of storing, managing and maintaining encryption/decryption keys from data owner\u27s. In addition, this service only retains user\u27s secret key(s) not data. Moreover, to ensure high security for these keys, it stores them on hardware device. Furthermore, this service combines multi-authority ciphertext policy attribute-based encryption (CP-ABE) and attribute-based Signature (ABS) for achieving many-read-many-write fine-grained data access control on storage services. Moreover, it efficiently revokes users\u27 privileges without relying on the data owner for re-encrypting massive amounts of data and re-distributing the new keys to the authorized users. It removes the heavy computation of re-encryption from users and delegates this task to the cloud service provider (CSP) proxy servers. These proxy servers achieve flexible and efficient re-encryption without revealing underlying data to the cloud. In our designed architecture, we addressed the problem of ensuring data confidentiality against cloud and against accesses beyond authorized rights. To resolve these issues, we designed a trusted third party (TTP) service that is in charge of storing data in an encrypted format in the cloud. To improve the efficiency of the designed architecture, the service allows the users to choose the level of severity of the data and according to this level different encryption algorithms are employed. To achieve many-read-many-write fine grained access control, we merge two algorithms (multi-authority ciphertext policy attribute-based encryption (MA- CP-ABE) and attribute-based Signature (ABS)). Moreover, we support two levels of revocation: user and attribute revocation so that we can comply with the collaborative environment. Last but not least, we validate the effectiveness of our design by carrying out a detailed security analysis. This analysis shall prove the correctness of our design in terms of data confidentiality each stage of user interaction with the cloud