3 research outputs found
Controle de autenticação tolerante a intrusões em federações de clouds
Tese (doutorado) - Universidade Federal de Santa Catarina, Centro Tecnológico, Programa de Pós-Graduação em Engenharia de Automação e Sistemas, Florianópolis, 2017.Federações de clouds tem sido um tópico de muitos estudos atualmente na área de Sistemas Distribuídos. A associação de provedores de clouds para formação de federações pode ser movida pela necessidade de pequenos provedores se unirem no sentido de competirem em mercado agressivo. O objetivo principal desta tese sempre foi o estudo dos controles de segurança em federações de clouds. A autenticação por ser peça fundamental na implantação de políticas de segurança acabou sendo o foco principal de nossos esforços. Em se tratando dos controles de autenticação, um ponto que quase sempre permanece em aberto nas formações destas federações é o gerenciamento de seus usuários. Neste sentido desenvolvemos uma proposta de federação de clouds cujas autenticações de seus usuários são baseadas no uso de provedores de identidades. Por se tornar ator principal na aplicação de políticas nestas federações, usamos técnicas que agregassem segurança e tolerância a intrusões a estes provedores de identidades. E, neste sentido, exploramos o uso da virtualização para permitir a proteção de entidades importantes para a segurança destes Provedores de Identidades (Identity Providers ? IdPs). Estes trabalhos preliminares de autenticação foram incorporados ao projeto SecFuNet e adotaram características definidas pelos parceiros de projeto, entre estas, o uso de processadores seguros. Posteriormente, diante de limitações de flexibilidade impostas pelo hardware especializado usado no projeto SecFuNet, outra abordagem envolvendo o armazenamento de informações de usuários em seus IdPs foi desenvolvida. Nesta segunda abordagem, a própria federação de clouds através de recursos de memorização foi utilizada como base para o armazenamento de credenciais e atributos de usuários. Protocolos de disseminação baseados em técnicas de compartilhamento de segredo foram introduzidos no modelo, de forma que o armazenamento das informações de usuários se mantivessem seguras mesmo em casos de intrusões tanto nos IdPs como em parte dos provedores de cloud da federação. A evolução de nossos trabalhos envolveu protótipos, os quais foram submetidos a vários experimentos de testes a fim de verificar sua viabilidade prática de nossas propostas.Abstract : Cloud federations have been the topic of many studies in the area of Distributed Systems. An association of cloud providers for federation formation can be motivated by the need for small providers not to groups their efforts to survive in the aggressive market. The main objective of this thesis is the study of security controls in cloud federations. Authentication as a key part of deploying security policies was the primary focus of our efforts. One point that usually remains open in federations is the management of its users. In this sense, a proposal of federation of clouds whose authentications of its users are based on the use of identities providers. By becoming a key point in policy enforcement in these federations, we use techniques that deploys security and intrusion tolerance to these identity providers. In this sense, we explore the use of virtualization to allow protection of important entities for an IdPs security. These preliminary works on authentication have been incorporated into the SecFuNet project and featured features defined by project partners, among them, and use of secure processors. Subsequently, faced with limitations of flexibility imposed by specialized hardware used no SecFuNet project, another approach involving the storage of information in their IdPs was developed. In this second approach, the federation of clouds was used as memory and database resources for storing attributes of users. Dissemination protocols based on secret sharing techniques for was applied on this model, so that the stored user information has remained secure even in cases of intrusion both in the IdPs and in part the cloud providers of the federation. The evolution of our work involved prototypes, which were submitted to several test experiments
Recommended from our members
Context-Aware Attribute-Based Techniques for Data Security and Access Control in Mobile Cloud Environment
The explosive growth of mobile applications and Cloud computing has enabled smart mobile devices to host various Cloud-based services such as Google apps, Instagram, and Facebook. Recent developments in smart devices‟ hardware and software provide seamless interaction between the users and devices. As a result, in contrast to the traditional user, the mobile user in mobile Cloud environment generates a large volume of data which can be easily collected by mobile Cloud service providers. However, the users do not know the exact physical location of their personal data. Hence, the users cannot control over their data once it is stored in the Cloud. This thesis investigates security and privacy issues in such mobile Cloud environments and presents new user-centric access control techniques tailored for the mobile Cloud environments. Most of the work to date has tried to address the data security issues on the Cloud server and only little attention has been given to protect the users‟ data privacy. One way to address the privacy issues is to deploy access control technique such as Extensible Access Control Markup Language (XACML) to control data access on users‟ data. XACML defines a standard of access control policies, rule obligations and conditions in data access control. XACML utilizes Extensible Markup Language (XML) schema to define attributes of data requesters, resources, and environment in order to evaluate access requests. A user-centric attribute-based access control model using XACML which enables users to define privacy access policies over the personal data based on their preferences is presented. In order to integrate the data security and user‟s privacy in mobile Cloud environment, the thesis investigates attribute-based encryption (ABE) scheme. ABE scheme enables data owners to enforce access policies during the encryption. Context-related attributes such as requester‟s location and behavior are incorporated within ABE scheme to provide data security and user privacy. This will enable the mobile data owners to dynamically control the access to their data at runtime. In order to improve the performance, a solution that offloads the high-cost computational work and communications from the mobile device to the Cloud is proposed. Anonymisation techniques are applied in the key issuing protocol so that the users‟ identities are protected from being tracked by the service providers during transactions. The proposed schemes are secure from known attacks and hence suitable for mobile Cloud environment. Security of the proposed schemes is formally analyzed using standard methods