Decision Support framework: Reliable Federated Single Sign-on

Toufanpanah, Monir

January 2017

Identity management is a critical concept for enterprises, and it has turned to more challenging issue since businesses are significantly moving towards service oriented architecture (SOA) with the aim to provide seamless service delivery to their customers, partners and employees. The organizational domains are expanded to blur the virtual borders, simplify the business collaboration and maximize opportunities in the competitive market place, which explicitly shows the essentiality for federating the identities. Real-world identity comprises of different dimensions such as Law, Business, Policy, Technology and Society, therefore reliable digital identity management and successful federation are required to take these dimensions and complexity into consideration. Considering variety of academic and industrial researches that report on remarkable demands for identity federation adoption by enterprises, this study has approached federated Identity Management from technological point of view. Technologies provide tools and mechanisms to satisfy the business requirements and enable single sign-on capability in reliable federated platform. Different authentication technologies and standards have emerged to enable federated single sign-on (FSSO) implementation as a core service of the FIdM, each with different features and capabilities. This brings more complexity and confusion for experts and decision makers for FIdM adoption and development. To overcome this obstacle and accelerate the data collection and analysis process for decision makers, this research contributes to the filed by providing a conceptual framework to simplify the analysis of underlying technology for decision making process. In this framework 1) a list of state-of-the-art requirements and mechanisms for successful identity federation and reliable SSO is elaborated, 2) Six most prevalent standard authentication technologies along with latest specifications are analysed, explained and assessed against the defined criteria, and 3) several security and privacy consideration are gathered. The usage of framework is monitored and the efficiency of it is evaluated in 2 real business case scenarios by five IT experts and the result is reported.

Identity and Access Management

Decision Support Framework

Single Sign-on

Identity Federation

Authentication Technology

SAML

Shibboleth

OAuth

PRIME

OpenID

Computer Systems

Datorsystem

Communication Systems

Kommunikationssystem

An architecture to resilient and highly available identity providers based on OpenID standard / Uma arquitetura para provedores de identidade resistente e altamente disponíveis com base no padrão OpenID

Cunha, Hugo Assis

26 September 2014

Submitted by Lúcia Brandão (lucia.elaine@live.com) on 2015-07-14T15:58:20Z No. of bitstreams: 1 Dissertação - Hugo Assis Cunha.pdf: 4753834 bytes, checksum: 4304c038b5fb3c322af4b88ba5d58195 (MD5) / Approved for entry into archive by Divisão de Documentação/BC Biblioteca Central (ddbc@ufam.edu.br) on 2015-07-20T14:08:11Z (GMT) No. of bitstreams: 1 Dissertação - Hugo Assis Cunha.pdf: 4753834 bytes, checksum: 4304c038b5fb3c322af4b88ba5d58195 (MD5) / Approved for entry into archive by Divisão de Documentação/BC Biblioteca Central (ddbc@ufam.edu.br) on 2015-07-20T14:12:26Z (GMT) No. of bitstreams: 1 Dissertação - Hugo Assis Cunha.pdf: 4753834 bytes, checksum: 4304c038b5fb3c322af4b88ba5d58195 (MD5) / Made available in DSpace on 2015-07-20T14:12:26Z (GMT). No. of bitstreams: 1 Dissertação - Hugo Assis Cunha.pdf: 4753834 bytes, checksum: 4304c038b5fb3c322af4b88ba5d58195 (MD5) Previous issue date: 2014-09-26 / Não Informada / Quando se trata de sistemas e serviços de autenticação seguros, há duas abordagens principais: a primeira procura estabelecer defesas para todo e qualquer tipo de ataque. Na verdade, a maioria dos serviços atuais utilizam esta abordagem, a qualsabe-sequeéinfactívelefalha. Nossapropostautilizaasegundaabordagem, a qual procura se defender de alguns ataques, porém assume que eventualmente o sistema pode sofrer uma intrusão ou falha e ao invés de tentar evitar, o sistema simplesmente as tolera através de mecanismos inteligentes que permitem manter o sistema atuando de maneira confiável e correta. Este trabalho apresenta uma arquiteturaresilienteparaserviçosdeautenticaçãobaseadosemOpenIDcomuso deprotocolosdetolerânciaafaltaseintrusões, bemcomoumprotótipofuncional da arquitetura. Por meio dos diversos testes realizados foi possível verificar que o sistema apresenta um desempenho melhor que um serviço de autenticação do OpenID padrão, ainda com muito mais resiliência, alta disponibilidade, proteção a dados sensíveis e tolerância a faltas e intrusões. Tudo isso sem perder a compatibilidade com os clientes OpenID atuais. / Secure authentication services and systems typically are based on two main approaches: the first one seeks to defend itself of all kind of attack. Actually, the major current services use this approach, which is known for present failures as well as being completely infeasible. Our proposal uses the second approach, which seeks to defend itself of some specific attacks, and assumes that eventually the system may suffer an intrusion or fault. Hence, the system does not try avoiding the problems, but tolerate them by using intelligent mechanisms which allow the system keep executing in a trustworthy and safe state. This research presents a resilient architecture to authentication services based on OpenID by the use of fault and intrusion tolerance protocols, as well as a functional prototype. Through the several performed tests, it was possible to note that our system presents a better performance than a standard OpenID service, but with additional resilience, high availability, protection of the sensitive data, beyond fault and intrusion tolerance, always keeping the compatibility with the current OpenID clients.

Tolerância a faltas e intrusões

Sistemas resilientes

Replicação de máquinas de estado

Fault and intrusion tolerance

Resilient systems

State machine replication

OpenID

Securing Cloud Storage Service

Zapolskas, Vytautas

January 2012

Cloud computing brought flexibility, scalability, and capital cost savings to the IT industry. As more companies turn to cloud solutions, securing cloud based services becomes increasingly important, because for many organizations, the final barrier to adopting cloud computing is whether it is sufficiently secure. More users rely on cloud storage as it is mainly because cloud storage is available to be used by multiple devices (e.g. smart phones, tablets, notebooks, etc.) at the same time. These services often offer adequate protection to user's private data. However, there were cases where user's private data was accessible to other users, since this data is stored in a multi-tenant environment. These incidents reduce the trust of cloud storage service providers, hence there is a need to securely migrate data from one cloud storage provider to another. This thesis proposes a design of a service for providing Security as a Service for cloud brokers in a federated cloud. This scheme allows customers to securely migrate from one provider to another. To enable the design of this scheme, possible security and privacy risks of a cloud storage service were analysed and identified. Moreover, in order to successfully protect private data, data protection requirements (for data retention, sanitization, and processing) were analysed. The proposed service scheme utilizes various encryption techniques and also includes identity and key management mechanisms, such as "federated identity management". While our proposed design meets most of the defined security and privacy requirements, it is still unknown how to properly handle data sanitization, to meet data protection requirements, and provide users data recovery capabilities (backups, versioning, etc.). / Cloud computing erbjuder flexibilitet, skalbarhet, och kapital kostnadsbesparingar till IT-industrin. Eftersom fler företag vänder sig till moln lösningar, trygga molntjänster blir allt viktigare, eftersom det för många organisationer, det slutliga hindret att anta cloud computing är om det är tillräckligt säkert. Fler användare förlita sig påmoln lagring som det är främst pågrund moln lagring är tillgängligt att användas av flera enheter (t.ex. smarta telefoner, tabletter, bärbara datorer, etc.) påsamtidigt. Dessa tjänster erbjuder ofta tillräckligt skydd för användarens privata data. Men det fanns fall där användarens privata uppgifter var tillgängliga för andra användare, eftersom denna data lagras i en flera hyresgäster miljö. Dessa händelser minskar förtroende molnleverantörer lagring tjänsteleverantörer, därför finns det ett behov av att säkert migrera data från en moln lagring till en annan. Denna avhandling föreslår en utformning av en tjänst för att erbjuda säkerhet som tjänst för molnmäklare i en federativ moln. Detta system gör det möjligt för kunderna att säkert flytta från en leverantör till en annan. För att möjliggöra utformningen av detta system, möjliga säkerhet och risker integritet av ett moln lagring tjänst har analyserats och identifierats. Dessutom att man framgångsrikt skydda privata uppgifter, dataskydd krav (för data retention, sanering och bearbetning) analyserades. Den föreslagna tjänsten systemet utnyttjar olika krypteringsteknik och även inkluderar identitet och nyckelhantering mekanismer, såsom "federerad identitetshantering". Även om vår föreslagna utformningen uppfyller de flesta av den definierade säkerhet och integritet krav, är det fortfarande okänt hur korrekt hantera data sanering, för att uppfyller kraven för dataskydd och ge användarna data recovery kapacitet (säkerhetskopior, versionshantering osv.)

Cloud

storage

security

privacy

zero knowledge

Security as a Service

federation

broker

Cloud Service Provider (CSP)

federated cloud

federated identity management

OAuth

OpenID

CDMI

interoperability

Communication Systems

Kommunikationssystem