My private cloud overview

My Private Cloud Overview

David W Chadwick, Matteo Casenove,

Stijn F Lievens, Jerry I den Hartog,

Andreas Pashalidis, Joseph Alhadeff

5 July 2011 IEEE Cloud 2011 1

Project Objectives

• Migrate the trust, security and privacy preserving infrastructure from the EC TAS3 project to cloud services.

• The TSP infrastructure relies on trusted cloud providers to operate in good faith but this can be checked – trust but verify

• Infrastructure is built from legal agreements and open source software services

• Software services include: trust and reputation management, sticky policies with fine grained access controls, privacy preserving delegation of authority, federated identity management, different levels of assurance and configurable audit trails


Trust

Network

CSP

Authz

Infr

P

E

P

Audit

IdP

DSAA

Authn

Legend

IdP=Identity Provider

AA=Attribute Authority

DS=Delegation Service

Authn=Authentication

Service

P/S=Publish-Subscribe

Service

CSP=Cloud Service

Provider

PEP=Policy

Enforcement Point

PDP= Policy Decision

Point

Authz=Authorisation

Infrastructure

Appln=Application Code

WSC=Web Services

Client

Dash=User’s dashboard

service

TAAS=Trusted Attribute

Aggregation Service

WSC

Audit

Service

TAAS

Appln

Trust and

Reputation

Service

Service

Directory

P/S

Dash

DSPDP

Architectural Components


Progress To Date

• Have defined and implemented APIs (in php) for

• Federated Identity Management with different Levels of Assurance

• Privacy Preserving Delegation of Authority

• Granting of Access Rights to Other Account Holders

• And built these into a front end Proxy Service to Amazon/Eucalyptus S3 service


= External Services

= Locally Provided Services

= Cloud API Security Services

LEGEND

Delegation Issuing

Web Service

UK AMF

Simple

SAMLphp

Proxy

IdP

Account

DB

WAYF

OpenID Facebook Google Twitter

Other IdPs

Cloud

Service

Authn

API

(Simple

SAML

phpSP)

IdP 1

IdP 2

IdP n

…

Org

LDAPDelegation API

CVS

Authz API

Authz Database

Welcome Screen


Login Redirects to Proxy IdP


User Logs In via chosen IdP


User is shown all the Accounts that his Attributes give

him Ownership of, and Opens (or Creates) one


User is shown Account Details of Opened Account

List of Your Delegates

List of Buckets You Own

List of Buckets and Files that other

Account Owners have shared with you


User Opens a Bucket

Can view/alter Access Rights Can upload/download files


Showing Permissions that You have Granted to Others

Permissions given to Contacts

Permissions given to other Account Holders

Give New Permissions to Others


Granting Permissions To Others

Granting access

to Contacts/Delegates

Granting access to other

Account Holders

Granting Public access


Adding a New Contact


Next Steps

• Define an API for secure auditing and

integrate this into system

• Implement existing APIs in other cloud

services

• Define APIs for trust and reputation

management


Acknowledgements

• This research has received funding from

• EC’s FP7 under grant agreement n° 216287

(Trusted Architecture for Securely Shared

Services) and

• UK’s EPSRC under grant ref. n° EP/1034181/1

(My Private Cloud)


Technology

My private cloud overview