
    Identity management in a public IaaS Cloud

    This thesis considers the unique environment that is the public IaaS cloud, along with its differences from a traditional data center environment. The Cloud Security Alliance (CSA) states that "Managing identities and access control for enterprise applications remains one of the greatest challenges facing IT today". The CSA also points out that "there is a lack of consistent secure methods for extending identity management into the cloud and across the cloud" [1]. This thesis examines the challenge of managing identities in the cloud by developing a list of best practices for implementing identity management in the cloud. These best practices were then validated through simulated misuse cases run against a prototype of the implementation strategy. The results and analysis of the misuse cases show that the implementation of the identity management solution solves the problem of managing identities for the control of the infrastructure in the cloud. However, the analysis also shows that there are still areas where a properly implemented identity management solution fails to mitigate attacks on the infrastructure; these failures are in particular attacks sourced from the subscriber environments in the cloud. Finally, the best practices from this thesis also present some consistent methods for extending identity management into the cloud.

    Identity Management Framework for Internet of Things


    Identity Management in M2M Networks

    Evolving communication technologies stimulate a rapid growth in the utilisation of communication-capable devices and therefore in the amount of transmitted data. This imposes new requirements for the automatic device and data management necessary for successful exploitation of new opportunities. Unfortunately, currently developed systems, including Internet of Things and Machine-to-Machine communications, mainly focus on industrial applications that involve fixed users, proprietary environments and ad-hoc devices and things, whereas regular users, along with the possibilities and challenges created by growing sets of personal user equipment, remain ignored. This thesis addresses the defined problem by analysing currently developed and utilised communication technologies and identity management systems, and by proposing an advanced identity management system that considers user-related needs and enables user-aware automatic device-to-device communications. Our system is unique compared to other automatic communication systems in that it enables global communication between devices owned or used by different parties and supports dynamic connection and relationship establishment based on data administered in a sophisticated identity management infrastructure. Unlike existing identity management mechanisms, our system extends the notion of an identified and authenticated entity to a combination of both user and device. Furthermore, the system introduces an original Single Device Sign-On feature that simplifies the user login procedure when accessing a service with multiple devices. As a consequence, this thesis suggests a new direction for the evolution of communication technologies as well as user-targeted Internet-based services and applications.

    Automated Security Testing for Identity Management of Large-scale Digital Infrastructures

    Ensuring the security of an organization's digital assets against cyber threats is critical in today's technology-driven world. Regular security testing is one of the measures that can help assess the effectiveness of security controls, identify vulnerabilities, and strengthen the overall cybersecurity posture. Identity Management (IdM) protocols such as Security Assertion Markup Language 2.0, OpenID Connect, and OAuth 2.0 play a crucial role in protecting against identity theft, fraud, and security breaches. Also, following the Best Current Practices introduced by the standards to enhance the security of IdM protocols is essential to minimize the risk of unauthorized access, data breaches, and other security threats and to maintain compliance with regulatory requirements, and build trust with users and stakeholders. However, deploying these protocols can be challenging due to the complexity in designing, developing and implementing cryptographic mechanisms. The implementation of IdM protocols encounters three significant obstacles: fragmented security information, rapidly evolving threat environment, and the need for a controlled testing environment. Security testers must stay up-to-date with emerging threats and establish an appropriate testing infrastructure to guarantee the security and robustness of IdM implementations, while also minimizing the possibility of security incidents that could adversely affect operations. Automated security testing plays a crucial role in addressing security concerns, particularly as the intricate functional aspects of IdM solutions contribute to their complexity. It is essential to prioritize automation to bridge the cybersecurity skills gap among IT professionals. 
In this thesis, we propose Micro-Id-Gym (MIG), a framework that offers (i) an easy way to configure and reproduce the IdM production environment in a sandbox, allowing hands-on experience with potentially impactful security tests that may hinder the availability of services, and (ii) automatic security testing of IdM implementations together with suggestions for mitigations to avoid identified vulnerabilities. MIG provides a set of security testing tools for creating, executing, and analyzing security test cases through MIG-L, a declarative test specification language. We have evaluated the effectiveness of MIG by conducting experiments to assess its accuracy in supporting the detection of relevant vulnerabilities in implementations of IdM protocols. We used MIG to conduct security analyses across various corporate scenarios and projects, identifying vulnerabilities and responsibly disclosing them through bug bounty programs. Our findings were recognized by the providers, who awarded us both monetary compensation and public recognition. Overall, MIG can help organizations establish a robust and agile security testing strategy, supported by suitable infrastructure and testing procedures, that can ensure the security and resilience of their IdM implementations.
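As an added illustration (not code from MIG, MIG-L or the thesis authors) of what one automated check against the OAuth 2.0 Security Best Current Practice looks like, the Python below inspects a single authorization request URL for the points that BCP flags: use of the implicit grant, missing or non-S256 PKCE, no CSRF binding of the callback, and a redirect_uri that does not exactly match the client's registration. The client registration table and the three sample request URLs are constructed for this example and belong to no real deployment.

```python
"""
Static BCP checks for one OAuth 2.0 / OpenID Connect authorization request.

Points checked (OAuth 2.0 Security Best Current Practice, RFC 9700):
  - the authorization endpoint is reached over https
  - the implicit grant (response_type containing 'token') is not used
  - PKCE is present and uses code_challenge_method=S256
  - the callback is bound to the user's session (state, unless PKCE is present)
  - redirect_uri matches a registered URI by exact string comparison
All registration data and sample URLs below are constructed for illustration.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed client registration (illustrative): client_id -> exact redirect URIs.
REGISTERED_REDIRECT_URIS = {
    "client-a": {"https://app.example/cb"},
}

# Constructed sample requests (illustrative).
SAMPLE_COMPLIANT = (
    "https://as.example/authorize?response_type=code&client_id=client-a"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb&scope=openid"
    "&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
    "&code_challenge_method=S256&state=af0ifjsldkj"
)
SAMPLE_WEAK = (
    "http://as.example/authorize?response_type=token&client_id=client-a"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb%2Fevil"
)
SAMPLE_PLAIN_PKCE = (
    "https://as.example/authorize?response_type=code&client_id=client-a"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb"
    "&code_challenge=abc&code_challenge_method=plain"
)


def check_authorization_request(url: str, registered: dict = REGISTERED_REDIRECT_URIS) -> list:
    """Return the list of BCP findings for one authorization request (empty list = clean)."""
    parts = urlsplit(url)
    # Last value wins for repeated parameters; blank values are kept so "state=" is seen as empty.
    q = {k: v[-1] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    findings = []

    # Transport: the authorization endpoint must be reached over TLS.
    if parts.scheme != "https":
        findings.append("authorization endpoint not using https")

    # Implicit grant: tokens in the front channel are deprecated by the BCP.
    response_type = q.get("response_type", "")
    if "token" in response_type.split():
        findings.append("implicit grant (response_type contains 'token') is deprecated by the BCP")

    # PKCE: required for public clients, recommended for all; only S256 is acceptable.
    # RFC 7636 defaults the method to 'plain' when it is omitted.
    has_pkce = "code_challenge" in q
    if not has_pkce:
        findings.append("missing code_challenge (no PKCE)")
    elif q.get("code_challenge_method", "plain") != "S256":
        findings.append("code_challenge_method must be S256")

    # CSRF binding: without PKCE, a session-bound state value is the remaining defence.
    if not q.get("state") and not has_pkce:
        findings.append("missing state parameter (no PKCE; callback not bound to the user's session)")

    # redirect_uri: exact string match against the registration, no prefix or wildcard matching.
    client_id = q.get("client_id")
    redirect_uri = q.get("redirect_uri")
    allowed = registered.get(client_id, set())
    if redirect_uri is None:
        findings.append("missing redirect_uri")
    elif redirect_uri not in allowed:
        findings.append(f"redirect_uri {redirect_uri!r} not exactly registered for client {client_id!r}")

    return findings


if __name__ == "__main__":
    for name, url in (("compliant", SAMPLE_COMPLIANT), ("weak", SAMPLE_WEAK), ("plain pkce", SAMPLE_PLAIN_PKCE)):
        print(name, check_authorization_request(url) or "no findings")
```

The check is deliberately limited to what is visible in the request: it cannot tell whether the authorization server actually enforces exact redirect_uri matching or rejects a missing code_verifier at the token endpoint, which is the kind of behaviour a sandboxed, end-to-end tester such as the one described above exercises by sending the weak request and observing the response.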

    Security attacks and challenges in wireless sensor networks


    Cybersecurity and the Digital Health: An Investigation on the State of the Art and the Position of the Actors

    Cybercrime is increasingly exposing the health domain to growing risk. The push towards a strong connection of citizens to health services, through digitalization, has undisputed advantages. Digital health allows remote care, the use of medical devices with a high mechatronic and IT content with strong automation, and a large interconnection of hospital networks with an increasingly effective exchange of data. However, all this requires a great cybersecurity commitment—a commitment that must start with scholars in research and then reach the stakeholders. New devices and technological solutions are increasingly breaking into healthcare, and are able to change the processes of interaction in the health domain. This requires cybersecurity to become a vital part of patient safety through changes in human behaviour, technology, and processes, as part of a complete solution. All professionals involved in cybersecurity in the health domain were invited to contribute with their experiences. This book contains contributions from various experts and different fields. Aspects of cybersecurity in healthcare relating to technological advance and emerging risks were addressed. The new boundaries of this field and the impact of COVID-19 on some sectors, such as mhealth, have also been addressed. We dedicate the book to all those with different roles involved in cybersecurity in the health domain

    A Comprehensive Security Architecture for Information Management throughout the Lifecycle of IoT Products

    The Internet of things (IoT) is expected to have an impact on business and the world at large in a way comparable to the Internet itself. An IoT product is a physical product with an associated virtual counterpart connected to the internet with computational as well as communication capabilities. The possibility to collect information from internet-connected products and sensors gives unprecedented possibilities to improve and optimize product use and maintenance. Virtual counterpart and digital twin (DT) concepts have been proposed as a solution for providing the necessary information management throughout the whole product lifecycle, which we here call product lifecycle information management (PLIM). Security in these systems is imperative due to the multiple ways in which opponents can attack the system during the whole lifecycle of an IoT product. To address this need, the current study proposes a security architecture for the IoT, taking into particular consideration the requirements of PLIM. The security architecture has been designed for the Open Messaging Interface (O-MI) and Open Data Format (O-DF) standards for the IoT and product lifecycle management (PLM) but it is also applicable to other IoT and PLIM architectures. The proposed security architecture is capable of hindering unauthorized access to information and restricts access levels based on user roles and permissions. Based on our findings, the proposed security architecture is the first security model for PLIM to integrate and coordinate the IoT ecosystem, by dividing the security approaches into two domains: user client and product domain. The security architecture has been deployed in smart city use cases in three different European cities, Helsinki, Lyon, and Brussels, to validate the security metrics in the proposed approach. 
Our analysis shows that the proposed security architecture can easily integrate the security requirements of both clients and products providing solutions for them as demonstrated in the implemented use cases

    Blockchain based Identity Management and Ticketing for MaaS

    Master's project report, Computer Engineering (Software Engineering), Universidade de Lisboa, Faculdade de Ciências, 2020.

    As time moves further into the 21st century, the world is progressively becoming more sophisticated, and our capacity to forecast the future is decreasing at the same rate. The emerging global problems require new kinds of tools to pave the way forward. Across Europe, privatised public transport systems are frequently conceived in isolation by a single operator, resulting in legacy systems with proprietary ticketing solutions that cause fragmentation and a lack of uniformity of information. The Mobility-as-a-Service (MaaS) concept promises to solve existing problems in the transport industry, since it allows the integration of different mobility services, such as car and bicycle sharing, among others, with traditional public transport. To plan a trip, passengers have several interconnected mobility options, with a range of alternatives according to their preferences. However, expanding a MaaS network that includes several operators is a huge challenge. With recent innovations in Blockchain and distributed ledger technologies, especially the current developments in smart contracts, a novel distributed approach to MaaS is expected to finally be feasible. MaaS systems benefit from the power of Blockchain as a disruptive technology, improving transparency and trust among service providers and thereby eliminating the middle tier. In order to implement the new MaaS concept and take advantage of the high volumes of data relating to passengers and their tickets, it is essential that transport operators have a unified system, allowing each participant to create, view and modify the information.
This project enables the development of a new ticketing solution based on Blockchain, with an Identity Management module capable of managing the identities of passengers across the entire system, as well as the creation of a MaaS application mock-up for the passenger. Finally, the proposed system is evaluated in terms of operation and performance, according to predefined use cases and requirements. Results are achieved in terms of the collaboration between multiple service providers operating on a single platform.