My Private Cloud Overview
David W Chadwick, Matteo Casenove,
Stijn F Lievens, Jerry I den Hartog,
Andreas Pashalidis, Joseph Alhadeff
5 July 2011 IEEE Cloud 2011 1
Project Objectives
• Migrate the trust, security and privacy preserving infrastructure from the EC TAS3 project to cloud services.
• The TSP infrastructure relies on trusted cloud providers to operate in good faith, but this can be checked – trust but verify
• Infrastructure is built from legal agreements and open source software services
• Software services include: trust and reputation management, sticky policies with fine-grained access controls, privacy-preserving delegation of authority, federated identity management, different levels of assurance and configurable audit trails
Architectural Components
[Figure: architecture diagram. Components shown: Trust Network, CSP, Authz Infrastructure (PEP, PDP), IdP, DS, AA, Authn, WSC, Audit Service, TAAS, Appln, Trust and Reputation Service, Service Directory, P/S, Dash]
Legend
• IdP = Identity Provider
• AA = Attribute Authority
• DS = Delegation Service
• Authn = Authentication Service
• P/S = Publish-Subscribe Service
• CSP = Cloud Service Provider
• PEP = Policy Enforcement Point
• PDP = Policy Decision Point
• Authz = Authorisation Infrastructure
• Appln = Application Code
• WSC = Web Services Client
• Dash = User’s dashboard service
• TAAS = Trusted Attribute Aggregation Service
Progress To Date
• Have defined and implemented APIs (in PHP) for
  • Federated Identity Management with different Levels of Assurance
  • Privacy Preserving Delegation of Authority
  • Granting of Access Rights to Other Account Holders
• And built these into a front end Proxy Service to Amazon/Eucalyptus S3 service
[Figure: system diagram with a legend distinguishing External Services, Locally Provided Services and Cloud API Security Services. Components shown: Cloud Service; Authn API (SimpleSAMLphp SP); SimpleSAMLphp Proxy IdP; WAYF; UK AMF; IdP 1, IdP 2, … IdP n; Other IdPs (OpenID, Facebook, Google, Twitter); Account DB; Delegation API; Delegation Issuing Web Service; Org LDAP; CVS; Authz API; Authz Database]
Welcome Screen
Login Redirects to Proxy IdP
User Logs In via chosen IdP
User is shown all the Accounts that his Attributes give him Ownership of, and Opens (or Creates) one
User is shown Account Details of Opened Account
• List of Your Delegates
• List of Buckets You Own
• List of Buckets and Files that other Account Owners have shared with you
User Opens a Bucket
• Can view/alter Access Rights
• Can upload/download files
Showing Permissions that You have Granted to Others
• Permissions given to Contacts
• Permissions given to other Account Holders
• Give New Permissions to Others
Granting Permissions To Others
• Granting access to Contacts/Delegates
• Granting access to other Account Holders
• Granting Public access
Adding a New Contact
Next Steps
• Define an API for secure auditing and integrate this into the system
• Implement existing APIs in other cloud services
• Define APIs for trust and reputation management
Acknowledgements
• This research has received funding from
  • EC’s FP7 under grant agreement n° 216287 (Trusted Architecture for Securely Shared Services) and
  • UK’s EPSRC under grant ref. n° EP/1034181/1 (My Private Cloud)