Identity Manager in Cloud with Openflow Switches

351 views

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
351
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
5
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Identity Manager in Cloud with Openflow Switches

  1. 1. Identity Managerin SoftwareDefined NetMohammad FarajiEmail: ms.faraji@utoronto.ca
  2. 2. SAVI Identity Manager DesignRequirements  SAVI is a federation of autonomous systems:  Testbeds  Cloud Datacenters  Information Providers (e.g. Identity providers)  Researcher needs a fine-grained Access Control to have flexibility:  Policy negotiation  Attribute Assertion
  3. 3. SAVI Federation Architecture SAVI Federation SAVI Core Oversight node Trust Anchor Domain (Keystone) AdminUser User User Service Accounting 1 2 3 SAVI edge (Beacon) node Repository Testbed Identity Providers   Remote  Datacenter  s
  4. 4. Authentication Interoperability StandardSecurity Assertion Markup Language - SAML Policy Policy Policy Credentials Authentication Attribute Policy Decision Collector Authority Authority Point SAML Authentication Attribute Authorization Assertion Assertion Decision Assertion System Application Policy Enforcement Entity Request Point Source: OASIS SAML Standard
  5. 5. 5 Authorization Interoperability Standards eXtensible Access Control Markup Language – XACML XACML Policy Policy Serve in SAVI XML XML XML XML XACML XACML XACML XACML Federation Layer Virtualizatio Openflow Firewall n Switch Policy server distributes policy changes to all network elements using XACML
  6. 6. 6SAVI Access Control Technologies Access-control lists (ACL) Lists of specific users and groups and permissions Role-Based Access Control - (RBAC) Access based on users roles. Role assignment. Role authentication. Action authorization Empty Role Contains just roles without any associated role Explicit Capability Mapping Under Developm Roles have capabilities not in the context of any given resource Restricted Roles The role, capability, resource collection will be complete Attribute-Based Access Control - (ABAC) On user attributes and object metadata
  7. 7. Attribute Based Access Control (ABAC)  Subject Attributes  Related to a subject (e.g. user, application, process) that defines the identity and characteristics of the subject  E.g. identifier, name, job title, role  Resource Attributes  Associated with a resource (web service, system function, or data)  E.g. Dublin Core metadata elements  Environment Attributes  Describes the operational, technical, or situational environment or context in which the information access occurs  E.g. current date time, current threat level, network security classification
  8. 8. ABAC Policy Formulation1. S, R, and E are subjects, resources, and environments, respectively;2. SAk (1 k K), RAm (1 m M), and EAn (1 n N) are the pre- defined attributes for subjects, resources, and environments, respectively;3. ATTR(s), ATTR(r), and ATTR(e) are attribute assignment relations for subject s, resource r, and environment e, respectively: ATTR( s) SA1 SA2 ... SAK ATTR(r ) RA1 RA2 ... RAM ATTR(e) EA1 EA2 ... EAN
  9. 9. ABAC in SAVIResearcher SA Edge Node SOAP Msg 1 3 Resources Control Service APIs Web 1 SA 2 RA Access Service Catalog Trust Anchor EA Control (Beacon)SA Policy Attribute Admin. Policy Unit Service & Policy Identity Services Provider

×