How to adapt Authentication & Authorization
Infrastructure of applications for the Cloud
Tri Hoang Vo
Cloud Architect, Deutsche Telekom
FiCloud2017, 21.08.2017
On behalf of
Prof. Dr. Woldemar Fuhrmann, Darmstadt University of Applied Sciences
Dr. Klaus-Peter Fischer-Hellmann, Digamma GmbH
1. Introduction
Federated identity management (FIDM)
• In FIDM, user attributes from one domain are propagated to another domain for SSO, authorization,
customizing services, logging, and auditing.
→ Reduces cost for the service provider (SP): it no longer has to manage users that are not under its control.
• Traditional approach: developers adapt the Authentication & Authorization Infrastructure (AAI) manually.
21.08.2017 Tri Hoang Vo / Identity As A Service 2
1. Introduction
FIDM in the Cloud
In the Cloud environment:
• Cloud services adapt to the IDM of a Cloud provider (for user SSO).
• Cloud services integrate with each other on demand.
Problems:
• Initially, they may adapt AAI manually.
• Frequent provisioning/deprovisioning of Cloud services → dynamic adaptation is required.
• Users access Cloud services in various security domains → user privacy is at stake.
2. IDaaS
Related work
Cloud services need to develop:
• Highly secure & flexible access control mechanisms for identity federation.
• However, this is not a core competency.
→ They may prefer to outsource AAI to a third party & focus on developing business functionality.
→ In the past, 4 levels of outsourcing AAI.
→ OneLogin, PingIdentity: provide an AAI framework; Cloud services are adapted manually for SSO.
• We propose a 5th level.
3. IDaaS
Proposed model
• We consider application components to be unprotected.
• The Cloud provider provisions AAI to protect the application components.
• Application admins control the AAI lifecycle (provisioning, integration update, termination).
• To support this, a security architect describes the security topology of the application:
→ In a platform-independent AAI model.
→ Stating what needs to be preserved across different Cloud providers.
• An orchestration engine reads the security topology and provisions AAI accordingly:
→ A platform-dependent AAI implementation.
3. Security topology
Security components
• The security topology describes the security components and their relationship with the application backend.
• The security architect of the SP specifies how the application's backend APIs are to be protected:
→ Using an intercepting web agent (same container as the application).
→ Using a security gateway (proxy).
3. Security topology
Capabilities
• Service consumers may or may not propagate the user identity to an SP.
• The security architect of the service consumer (SC) specifies which capabilities its outgoing proxy offers for identity propagation.
• We collected design patterns for identity propagation between services:
→ Identity impersonation (the consumer calls with its own service identity only; no user identity is propagated)
→ Identity forwarding (the consumer calls with its own service identity and asserts the user's attributes alongside it)
→ Identity delegation (the consumer calls with the user's own identity, acting on the user's behalf)
3. Security topology
Requirements
• SPs require control over access to their services.
• The security architect of the SP specifies the requirements a service consumer must meet to access resources.
• We collected authorization design patterns:
→ Trusted Subsystem (direct trust): the client calls the server with its own service id.
→ Delegated access control: the client calls the server with the original caller's identity.
4. AAI life cycle example
1. Topology modelling (using the TOSCA metamodel)
The security architect of the shipping service describes the security topology as part of the application topology:
"I want to protect my shipping service APIs with an Intercepting Web Agent. The agent must forward an email address from the user to the web application. I trust my partner service consumer as a Trusted Subsystem."
4. AAI life cycle example
2. Provisioning
The Cloud provider provisions the AAI components accordingly; this step is platform and programming-language dependent.
E.g., for a JEE application the Cloud provider provisions a ServletFilter that
• intercepts the client request & commits the user principal,
• performs authorization,
• forwards user attributes (the email address) to the Servlet in the backend.
4. AAI life cycle example
3. Integration updates
• When a shopping service signs a contract with the shipping service, the orchestrator evaluates the
two security topologies and checks whether requirements and capabilities match.
• It then updates the outgoing proxy of the shopping service:
→ As a Trusted Subsystem for the web agent of the shipping service (add truststore).
→ The proxy forwards an email address to the web agent (identity forwarding).
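The matching step described above (and the topology the shipping service's architect modelled in step 1), as an added example in Python rather than the authors' own orchestration engine or TOSCA extension: two simplified security topologies, the shipping service (SP) with its authorization requirement and the shopping service (SC) with its identity-propagation capabilities, are evaluated against each other and turned into the list of updates for the SC's outgoing proxy and the SP's web agent. The dict layout stands in for TOSCA node templates; every node, property and pattern name below is hypothetical.

```python
"""Orchestrator matching step (added example; not the authors' code).
Topology dicts stand in for TOSCA node templates; names are hypothetical."""
from dataclasses import dataclass, field

# Constructed security topology of the shipping service (the SP).
SHIPPING_TOPOLOGY = {
    "service": "shipping",
    "security_component": "intercepting_web_agent",
    "requirements": {
        "authorization": "trusted_subsystem",   # or "delegated_access_control"
        "attributes": ["email"],                 # what the agent must forward
    },
}

# Constructed security topology of the shopping service (the SC).
SHOPPING_TOPOLOGY = {
    "service": "shopping",
    "security_component": "outgoing_proxy",
    "capabilities": {
        "identity_propagation": ["identity_impersonation", "identity_forwarding"],
    },
}

# Which propagation pattern satisfies which authorization pattern, ordered
# from least to most user-identity disclosure.  Trusted Subsystem only needs
# the caller's service id, so the user may be absent (impersonation) or
# asserted by the consumer (forwarding).  Delegated access control needs the
# original caller's identity, so only delegation will do.
SATISFIES = {
    "trusted_subsystem": ("identity_impersonation", "identity_forwarding"),
    "delegated_access_control": ("identity_delegation",),
}
# Patterns able to carry user attributes (such as the email) to the SP.
CARRIES_ATTRIBUTES = {"identity_forwarding", "identity_delegation"}


class MatchError(Exception):
    """Requirements and capabilities do not match: no integration is set up."""


@dataclass
class IntegrationPlan:
    consumer: str
    provider: str
    authorization: str
    propagation: str
    attributes: list
    proxy_updates: list = field(default_factory=list)
    agent_updates: list = field(default_factory=list)


def match(consumer: dict, provider: dict) -> IntegrationPlan:
    """Evaluate the two topologies and derive the integration updates."""
    requirement = provider["requirements"]["authorization"]
    attributes = list(provider["requirements"].get("attributes", []))
    offered = consumer["capabilities"]["identity_propagation"]

    # Keep the SC's patterns that satisfy the SP's requirement; if the SP
    # needs user attributes, only attribute-carrying patterns remain.
    usable = [p for p in SATISFIES[requirement] if p in offered]
    if attributes:
        usable = [p for p in usable if p in CARRIES_ATTRIBUTES]
    if not usable:
        raise MatchError(
            f"{consumer['service']} offers {sorted(offered)} but "
            f"{provider['service']} requires {requirement} with attributes {attributes}")
    propagation = usable[0]   # least disclosure that still satisfies the SP

    plan = IntegrationPlan(consumer["service"], provider["service"],
                           requirement, propagation, attributes)
    if requirement == "trusted_subsystem":
        # Mutual trust: the proxy trusts the agent's certificate, the agent
        # accepts the consumer's service id.
        plan.proxy_updates.append(
            f"add {provider['service']} agent certificate to truststore")
        plan.agent_updates.append(
            f"accept service id {consumer['service']} as trusted subsystem")
    else:
        plan.agent_updates.append(
            f"validate delegated caller identity presented by {consumer['service']}")
    if attributes and propagation == "identity_forwarding":
        plan.proxy_updates.append(
            f"forward user attributes {attributes} to {provider['service']}")
    return plan


if __name__ == "__main__":
    print(match(SHOPPING_TOPOLOGY, SHIPPING_TOPOLOGY))
```

The order in SATISFIES encodes a least-privilege preference: when the SP does not ask for user attributes, the orchestrator picks impersonation and no user data leaves the consumer's domain, which is the privacy concern the slides raise.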
4. AAI life cycle example
4. Testing
• Send dummy requests from the shopping service to the shipping service.
• To test the Trusted Subsystem pattern:
→ The shopping service enforces its authorization policies (e.g., only users with certain roles may access).
→ The shipping service verifies that the request comes from the shopping service & accepts it.
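The provisioned components of step 2 and the dummy request of step 4, as an added example in Python (not the authors' code and not the JEE ServletFilter the slides describe): the shopping service's outgoing proxy enforces its own role policy, authenticates to the shipping service with its service id and forwards the user's email address (Trusted Subsystem with identity forwarding); the shipping service's intercepting web agent checks the caller against the trust list provisioned by the orchestrator, verifies the request, commits a principal and hands only the email to the backend. An HMAC over the request with a per-service key is a stand-in for the certificate/truststore (mutual TLS) set-up the slides mention; service names, paths, keys and the user records are constructed for the example.

```python
"""Trusted Subsystem + identity forwarding, consumer and provider side.
Added example; HMAC with per-service keys stands in for mutual TLS."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed: per-service keys standing in for service certificates.
SERVICE_KEYS = {
    "shopping": b"shopping-service-key-demo",
    "rogue": b"rogue-service-key-demo",
}


@dataclass
class Request:
    method: str
    path: str
    body: str
    headers: dict = field(default_factory=dict)


def _canonical(method, path, body, service_id, forwarded_json):
    """Bytes covered by the signature: route, payload, caller and the
    forwarded identity, so none of them can be altered in transit."""
    return "\n".join([method, path, body, service_id, forwarded_json]).encode()


class OutgoingProxy:
    """Consumer side: role policy, then a Trusted Subsystem call."""

    def __init__(self, service_id, key, policy):
        self.service_id = service_id
        self.key = key
        self.policy = policy   # path -> roles allowed to trigger the call

    def call(self, user, method, path, body=""):
        # Authorization is enforced at the consumer: an unauthorized user
        # never reaches the SP.
        if not set(user["roles"]) & self.policy.get(path, set()):
            raise PermissionError(f"{user['email']} may not call {path}")
        # Identity forwarding: only the attribute the SP asked for is sent.
        forwarded = json.dumps({"email": user["email"]}, sort_keys=True)
        sig = hmac.new(self.key,
                       _canonical(method, path, body, self.service_id, forwarded),
                       hashlib.sha256).hexdigest()
        return Request(method, path, body, {
            "X-Service-Id": self.service_id,
            "X-Forwarded-User": forwarded,
            "X-Service-Signature": sig,
        })


class InterceptingWebAgent:
    """Provider side: verify the trusted subsystem, commit the principal."""

    def __init__(self, trusted_services, keys, backend):
        self.trusted = set(trusted_services)   # provisioned by the orchestrator
        self.keys = keys
        self.backend = backend

    def handle(self, request):
        service_id = request.headers.get("X-Service-Id", "")
        if service_id not in self.trusted or service_id not in self.keys:
            return 403, {"error": "caller is not a trusted subsystem"}
        forwarded = request.headers.get("X-Forwarded-User", "")
        expected = hmac.new(self.keys[service_id],
                            _canonical(request.method, request.path,
                                       request.body, service_id, forwarded),
                            hashlib.sha256).hexdigest()
        presented = request.headers.get("X-Service-Signature", "")
        if not hmac.compare_digest(expected, presented):
            return 401, {"error": "signature check failed"}
        attrs = json.loads(forwarded) if forwarded else {}
        if "email" not in attrs:
            return 400, {"error": "required attribute email missing"}
        principal = {"service": service_id, "email": attrs["email"]}
        return self.backend(request, principal)


def shipping_backend(request, principal):
    """The protected Servlet: sees only the committed principal."""
    return 200, {"shipment_for": principal["email"],
                 "ordered_via": principal["service"]}


def build_demo():
    """Wire both sides as the orchestrator would after the integration update."""
    proxy = OutgoingProxy("shopping", SERVICE_KEYS["shopping"],
                          policy={"/shipments": {"customer"}})
    agent = InterceptingWebAgent(["shopping"], SERVICE_KEYS, shipping_backend)
    return proxy, agent


def send_dummy_request(user):
    """Test step from the slides: one dummy request shopping -> shipping."""
    proxy, agent = build_demo()
    return agent.handle(proxy.call(user, "POST", "/shipments", '{"order": 42}'))
```

Because the signature covers the forwarded attributes, the web agent can accept the email on the strength of its trust in the shopping service alone; the backend never sees the user's credentials, which is what the Trusted Subsystem pattern buys.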
4. AAI life cycle example
5. Migration
• The shipping service migrates from Cloud A to Cloud B.
• Cloud B may have a vendor-specific implementation of AAI
→ The mutual trust relationship between the two services is provisioned again.
5. Summary & future work
Summary
• We extended the TOSCA model to describe the security topology of an application.
• The topology describes the security components, the capabilities for identity propagation, and
the authorization requirements that need to be preserved across Cloud providers.
• A security architect instantiates a security template and takes advantage of known design patterns.
• Cloud providers provision AAI with their own runtime values.
Future work
• User identity is disseminated across federated domains:
→ Enhance the security topology with privacy-preserving user identity.
→ Protect the confidentiality of disseminated user data.
• Demonstrate in OpenStack.

More Related Content

What's hot

Subscription based control system to automate management of events for robots
Subscription based control system to automate management of events for robotsSubscription based control system to automate management of events for robots
Subscription based control system to automate management of events for robotsdbpublications
 
Netsuite open air connector
Netsuite open air connectorNetsuite open air connector
Netsuite open air connectorD.Rajesh Kumar
 
Understanding Security for Oracle WebLogic Server
Understanding Security for Oracle WebLogic ServerUnderstanding Security for Oracle WebLogic Server
Understanding Security for Oracle WebLogic ServerHojjat Abedie
 
apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...
apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...
apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...apidays
 
OpenID Foundation Workshop at EIC 2018 - OpenID Enhanced Authentication Profi...
OpenID Foundation Workshop at EIC 2018 - OpenID Enhanced Authentication Profi...OpenID Foundation Workshop at EIC 2018 - OpenID Enhanced Authentication Profi...
OpenID Foundation Workshop at EIC 2018 - OpenID Enhanced Authentication Profi...MikeLeszcz
 
FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)
FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)
FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)cdanger
 
Best practices for multi saa s integrations
Best practices for multi saa s integrationsBest practices for multi saa s integrations
Best practices for multi saa s integrationsD.Rajesh Kumar
 
API Security In Cloud Native Era
API Security In Cloud Native EraAPI Security In Cloud Native Era
API Security In Cloud Native EraWSO2
 
OpenID Foundation MODRNA WG Update
OpenID Foundation MODRNA WG UpdateOpenID Foundation MODRNA WG Update
OpenID Foundation MODRNA WG UpdateBjorn Hjelm
 
INTERFACE, by apidays - The future of API Management in a hybrid, multi-clou...
INTERFACE, by apidays  - The future of API Management in a hybrid, multi-clou...INTERFACE, by apidays  - The future of API Management in a hybrid, multi-clou...
INTERFACE, by apidays - The future of API Management in a hybrid, multi-clou...apidays
 
Projecting Enterprise Security Requirements on the Cloud
Projecting Enterprise Security Requirements on the CloudProjecting Enterprise Security Requirements on the Cloud
Projecting Enterprise Security Requirements on the CloudScientia Groups
 
Securing mule
Securing   muleSecuring   mule
Securing muleSindhu VL
 
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Federation Update
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Federation UpdateOIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Federation Update
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Federation UpdateOpenIDFoundation
 
Technology Focus before investing on Multiscreen content delivery
Technology Focus before investing on Multiscreen content deliveryTechnology Focus before investing on Multiscreen content delivery
Technology Focus before investing on Multiscreen content deliverymachau123
 
IBM API Connect Deployment `Good Practices - IBM Think 2018
IBM API Connect Deployment `Good Practices - IBM Think 2018IBM API Connect Deployment `Good Practices - IBM Think 2018
IBM API Connect Deployment `Good Practices - IBM Think 2018Chris Phillips
 
APIConnect Security Best Practice
APIConnect Security Best PracticeAPIConnect Security Best Practice
APIConnect Security Best PracticeShiu-Fun Poon
 

What's hot (20)

Subscription based control system to automate management of events for robots
Subscription based control system to automate management of events for robotsSubscription based control system to automate management of events for robots
Subscription based control system to automate management of events for robots
 
iPlanet presentation
iPlanet presentationiPlanet presentation
iPlanet presentation
 
Netsuite open air connector
Netsuite open air connectorNetsuite open air connector
Netsuite open air connector
 
Mule execution
Mule executionMule execution
Mule execution
 
Microservices-101
Microservices-101Microservices-101
Microservices-101
 
Understanding Security for Oracle WebLogic Server
Understanding Security for Oracle WebLogic ServerUnderstanding Security for Oracle WebLogic Server
Understanding Security for Oracle WebLogic Server
 
apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...
apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...
apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...
 
OpenID Foundation Workshop at EIC 2018 - OpenID Enhanced Authentication Profi...
OpenID Foundation Workshop at EIC 2018 - OpenID Enhanced Authentication Profi...OpenID Foundation Workshop at EIC 2018 - OpenID Enhanced Authentication Profi...
OpenID Foundation Workshop at EIC 2018 - OpenID Enhanced Authentication Profi...
 
FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)
FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)
FI-WARE OAUTH-XACML-based API Access Control - Overview (Part 1)
 
Best practices for multi saa s integrations
Best practices for multi saa s integrationsBest practices for multi saa s integrations
Best practices for multi saa s integrations
 
API Security In Cloud Native Era
API Security In Cloud Native EraAPI Security In Cloud Native Era
API Security In Cloud Native Era
 
OpenID Foundation MODRNA WG Update
OpenID Foundation MODRNA WG UpdateOpenID Foundation MODRNA WG Update
OpenID Foundation MODRNA WG Update
 
INTERFACE, by apidays - The future of API Management in a hybrid, multi-clou...
INTERFACE, by apidays  - The future of API Management in a hybrid, multi-clou...INTERFACE, by apidays  - The future of API Management in a hybrid, multi-clou...
INTERFACE, by apidays - The future of API Management in a hybrid, multi-clou...
 
Projecting Enterprise Security Requirements on the Cloud
Projecting Enterprise Security Requirements on the CloudProjecting Enterprise Security Requirements on the Cloud
Projecting Enterprise Security Requirements on the Cloud
 
Flavours of APIs
Flavours of APIs Flavours of APIs
Flavours of APIs
 
Securing mule
Securing   muleSecuring   mule
Securing mule
 
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Federation Update
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Federation UpdateOIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Federation Update
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Federation Update
 
Technology Focus before investing on Multiscreen content delivery
Technology Focus before investing on Multiscreen content deliveryTechnology Focus before investing on Multiscreen content delivery
Technology Focus before investing on Multiscreen content delivery
 
IBM API Connect Deployment `Good Practices - IBM Think 2018
IBM API Connect Deployment `Good Practices - IBM Think 2018IBM API Connect Deployment `Good Practices - IBM Think 2018
IBM API Connect Deployment `Good Practices - IBM Think 2018
 
APIConnect Security Best Practice
APIConnect Security Best PracticeAPIConnect Security Best Practice
APIConnect Security Best Practice
 

Similar to How to Adapt Authentication and Authorization Infrastructure of Applications for the Cloud

Identity as a Service: a missing gap for moving enterprise applications in In...
Identity as a Service: a missing gap for moving enterprise applications in In...Identity as a Service: a missing gap for moving enterprise applications in In...
Identity as a Service: a missing gap for moving enterprise applications in In...Hoang Tri Vo
 
Cloud Customer Architecture for Securing Workloads on Cloud Services
Cloud Customer Architecture for Securing Workloads on Cloud ServicesCloud Customer Architecture for Securing Workloads on Cloud Services
Cloud Customer Architecture for Securing Workloads on Cloud ServicesCloud Standards Customer Council
 
5. ijece guideforauthors 2012 edit sat
5. ijece guideforauthors 2012 edit sat5. ijece guideforauthors 2012 edit sat
5. ijece guideforauthors 2012 edit satIAESIJEECS
 
DEVELOPING APPLICATION FOR CLOUD – A PROGRAMMER’S PERSPECTIVE
DEVELOPING APPLICATION FOR CLOUD – A PROGRAMMER’S PERSPECTIVEDEVELOPING APPLICATION FOR CLOUD – A PROGRAMMER’S PERSPECTIVE
DEVELOPING APPLICATION FOR CLOUD – A PROGRAMMER’S PERSPECTIVEcscpconf
 
IRJET - Multitenancy using Cloud Computing Features
IRJET - Multitenancy using Cloud Computing FeaturesIRJET - Multitenancy using Cloud Computing Features
IRJET - Multitenancy using Cloud Computing FeaturesIRJET Journal
 
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...Priyanka Aash
 
iaetsd Shared authority based privacy preserving protocol
iaetsd Shared authority based privacy preserving protocoliaetsd Shared authority based privacy preserving protocol
iaetsd Shared authority based privacy preserving protocolIaetsd Iaetsd
 
Single Sign-On: Our Path to Password Elimination
Single Sign-On: Our Path to Password EliminationSingle Sign-On: Our Path to Password Elimination
Single Sign-On: Our Path to Password EliminationSymantec
 
Trust Assessment Policy Manager in Cloud Computing – Cloud Service Provider’s...
Trust Assessment Policy Manager in Cloud Computing – Cloud Service Provider’s...Trust Assessment Policy Manager in Cloud Computing – Cloud Service Provider’s...
Trust Assessment Policy Manager in Cloud Computing – Cloud Service Provider’s...idescitation
 
On demand video_streaming_apps_and_its_server_side_cloud_infrastructure_at_aws
On demand video_streaming_apps_and_its_server_side_cloud_infrastructure_at_awsOn demand video_streaming_apps_and_its_server_side_cloud_infrastructure_at_aws
On demand video_streaming_apps_and_its_server_side_cloud_infrastructure_at_awsSumit Arora
 
Microservice 微服務
Microservice 微服務Microservice 微服務
Microservice 微服務YOU SHENG CHEN
 
Cisco Connect Halifax 2018 cloud and on premises collaboration security exp...
Cisco Connect Halifax 2018   cloud and on premises collaboration security exp...Cisco Connect Halifax 2018   cloud and on premises collaboration security exp...
Cisco Connect Halifax 2018 cloud and on premises collaboration security exp...Cisco Canada
 
Ibm cloud forum managing heterogenousclouds_final
Ibm cloud forum managing heterogenousclouds_finalIbm cloud forum managing heterogenousclouds_final
Ibm cloud forum managing heterogenousclouds_finalMauricio Godoy
 
Secure Data Storage and Forwarding in Cloud Using AES and HMAC
Secure Data Storage and Forwarding in Cloud Using AES and HMACSecure Data Storage and Forwarding in Cloud Using AES and HMAC
Secure Data Storage and Forwarding in Cloud Using AES and HMACIRJET Journal
 

Similar to How to Adapt Authentication and Authorization Infrastructure of Applications for the Cloud (20)

Identity as a Service: a missing gap for moving enterprise applications in In...
Identity as a Service: a missing gap for moving enterprise applications in In...Identity as a Service: a missing gap for moving enterprise applications in In...
Identity as a Service: a missing gap for moving enterprise applications in In...
 
Cloud Customer Architecture for Securing Workloads on Cloud Services
Cloud Customer Architecture for Securing Workloads on Cloud ServicesCloud Customer Architecture for Securing Workloads on Cloud Services
Cloud Customer Architecture for Securing Workloads on Cloud Services
 
5. ijece guideforauthors 2012 edit sat
5. ijece guideforauthors 2012 edit sat5. ijece guideforauthors 2012 edit sat
5. ijece guideforauthors 2012 edit sat
 
DEVELOPING APPLICATION FOR CLOUD – A PROGRAMMER’S PERSPECTIVE
DEVELOPING APPLICATION FOR CLOUD – A PROGRAMMER’S PERSPECTIVEDEVELOPING APPLICATION FOR CLOUD – A PROGRAMMER’S PERSPECTIVE
DEVELOPING APPLICATION FOR CLOUD – A PROGRAMMER’S PERSPECTIVE
 
IRJET - Multitenancy using Cloud Computing Features
IRJET - Multitenancy using Cloud Computing FeaturesIRJET - Multitenancy using Cloud Computing Features
IRJET - Multitenancy using Cloud Computing Features
 
Cloud computing 101
Cloud computing 101Cloud computing 101
Cloud computing 101
 
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform...
 
iaetsd Shared authority based privacy preserving protocol
iaetsd Shared authority based privacy preserving protocoliaetsd Shared authority based privacy preserving protocol
iaetsd Shared authority based privacy preserving protocol
 
Single Sign-On: Our Path to Password Elimination
Single Sign-On: Our Path to Password EliminationSingle Sign-On: Our Path to Password Elimination
Single Sign-On: Our Path to Password Elimination
 
Trust Assessment Policy Manager in Cloud Computing – Cloud Service Provider’s...
Trust Assessment Policy Manager in Cloud Computing – Cloud Service Provider’s...Trust Assessment Policy Manager in Cloud Computing – Cloud Service Provider’s...
Trust Assessment Policy Manager in Cloud Computing – Cloud Service Provider’s...
 
On demand video_streaming_apps_and_its_server_side_cloud_infrastructure_at_aws
On demand video_streaming_apps_and_its_server_side_cloud_infrastructure_at_awsOn demand video_streaming_apps_and_its_server_side_cloud_infrastructure_at_aws
On demand video_streaming_apps_and_its_server_side_cloud_infrastructure_at_aws
 
Microservices
MicroservicesMicroservices
Microservices
 
Microservice 微服務
Microservice 微服務Microservice 微服務
Microservice 微服務
 
Cisco Connect Halifax 2018 cloud and on premises collaboration security exp...
Cisco Connect Halifax 2018   cloud and on premises collaboration security exp...Cisco Connect Halifax 2018   cloud and on premises collaboration security exp...
Cisco Connect Halifax 2018 cloud and on premises collaboration security exp...
 
An Intro to Cloud Computing
An Intro to Cloud ComputingAn Intro to Cloud Computing
An Intro to Cloud Computing
 
Ibm cloud forum managing heterogenousclouds_final
Ibm cloud forum managing heterogenousclouds_finalIbm cloud forum managing heterogenousclouds_final
Ibm cloud forum managing heterogenousclouds_final
 
Secure Data Storage and Forwarding in Cloud Using AES and HMAC
Secure Data Storage and Forwarding in Cloud Using AES and HMACSecure Data Storage and Forwarding in Cloud Using AES and HMAC
Secure Data Storage and Forwarding in Cloud Using AES and HMAC
 
Microservice architecture-api-gateway-considerations
Microservice architecture-api-gateway-considerationsMicroservice architecture-api-gateway-considerations
Microservice architecture-api-gateway-considerations
 
Paper1
Paper1Paper1
Paper1
 
Cloud Computing Architecture
Cloud Computing ArchitectureCloud Computing Architecture
Cloud Computing Architecture
 

Recently uploaded

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 

Recently uploaded (20)

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 

How to Adapt Authentication and Authorization Infrastructure of Applications for the Cloud

  • 1. How to adapt Authentication & Authorization Infrastructure of applications for the Cloud. Tri Hoang Vo, Cloud Architect, Deutsche Telekom. FiCloud2017, 21.08.2017. On behalf of Prof. Dr. Woldemar Fuhrmann, Darmstadt University of Applied Sciences, and Dr. Klaus-Peter Fischer-Hellmann, Digamma GmbH.
  • 2. 1. Introduction: federated identity management (FIDM) (21.08.2017, Tri Hoang Vo / Identity As A Service)
      • In FIDM, user attributes from one domain are propagated to another domain for SSO, authorization, customizing services, logging, and auditing.
        → Reduces the cost for the SP (it no longer manages users that are not under its control).
      • Traditional approach: developers adapt the Authentication & Authorization Infrastructure (AAI) manually.
  • 3. 1. Introduction: FIDM in the Cloud
      In the Cloud environment:
      • Cloud services adapt to the IDM of a Cloud provider (for user SSO).
      • Cloud services integrate with each other on demand.
      Problems:
      • At the beginning they may adapt AAI manually.
      • Frequent provisioning/deprovisioning of Cloud services → dynamic adaptation.
      • Users access Cloud services in various security domains → user privacy.
  • 4. 2. IDaaS: related work
      Cloud services need to develop:
      • Highly secure & flexible access control mechanisms for identity federation.
      • However, this is not a core competency.
        → They may prefer to outsource AAI to a third party & focus on developing business functionality.
        → In the past, 4 levels of outsourcing AAI.
        → OneLogin, PingIdentity: provide an AAI framework; Cloud services are manually adapted for SSO.
      • We proposed the 5th level.
  • 5. 3. IDaaS: proposed model
      • We consider application components to be unprotected.
      • The Cloud provider provisions AAI to protect application components.
      • Application admins control the AAI lifecycle (provisioning, integration update, termination).
      • To support this, a security architect describes the security topology of his application:
        → in a platform-independent AAI model;
        → what needs to be preserved across different Cloud providers.
      • An orchestration engine reads the security topology and provisions AAI accordingly:
        → a platform-dependent AAI implementation.
  • 6. 3. Security topology: security components
      • The security topology describes the security components and their relationship with the application backend.
      • The security architect of the SP specifies how he wants to protect the application's APIs in the backend:
        → using an intercepting web agent (same container), or
        → using a security gateway (proxy).
  • 7. 3. Security topology: capabilities
      • Service consumers may or may not propagate the user identity to an SP.
      • The security architect of the SC specifies which capabilities his outgoing proxy offers for identity propagation.
      • We collected design patterns for identity propagation between services: identity impersonation, identity forwarding, identity delegation.
  • 8. 3. Security topology: requirements
      • SPs require control over access to their services.
      • The security architect of the SP specifies requirements for a service consumer to access resources.
      • We collected authorization design patterns:
        → Trusted Subsystem (direct trust): the client calls the server with its own service id.
        → Delegated access control: the client calls the server with the original caller's identity.
  • 9. 4. AAI life cycle example, 1. Topology modelling (using the TOSCA metamodel)
      The security architect (shipping service) describes the security topology as part of the application topology: "I want to protect my shipping service APIs with an Intercepting Web Agent. The agent must forward the user's email address to the web application. I trust my partner service consumer as a Trusted Subsystem."
  • 10. 4. AAI life cycle example, 2. Provisioning
      The Cloud provider provisions AAI components accordingly; this is platform & programming language dependent. E.g., for a JEE application the Cloud provider provisions a ServletFilter that
      • intercepts the client request & commits the user principal,
      • performs authorization,
      • forwards user attributes (email address) to the Servlet in the backend.
  • 11. 4. AAI life cycle example, 3. Integration updates
      • When a shopping service signs a contract with the shipping service, the orchestrator evaluates the two security topologies to check whether requirements and capabilities match.
      • It updates the outgoing proxy of the shopping service:
        → as a Trusted Subsystem for the web agent of the shipping service (add truststore);
        → the proxy forwards an email address to the web agent (identity forwarding).
  • 12. 4. AAI life cycle example, 4. Testing
      • Send dummy requests from the shopping service to the shipping service.
      • To test the Trusted Subsystem pattern:
        → the shopping service verifies authorization policies (e.g., users with certain roles can access);
        → the shipping service verifies that the request is coming from the shopping service & accepts it.
  • 13. 4. AAI life cycle example, 5. Migration
      • The shipping service migrates from Cloud A to Cloud B.
      • Cloud B may have a vendor-specific implementation of AAI → the mutual trust relationship between the two services is provisioned again.
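The security topology of slides 6 to 8 (components, capabilities, requirements) and the five lifecycle steps of slides 9 to 13 (modelling, provisioning, integration update, testing, migration), simulated end to end in Python as an added example. This is not code from the paper, its TOSCA extension or any Cloud provider's AAI; the JEE ServletFilter of slide 10 is replaced by a plain Python class, and the service ids, e-mail addresses, role policy and the `PATTERN_NEEDS` table mapping a provider's authorization requirement to the consumer capability it needs are constructed assumptions.

```python
"""Toy IDaaS lifecycle: topology -> provisioning -> integration -> testing -> migration.
Constructed example; not the paper's TOSCA model or a real ServletFilter."""
from dataclasses import dataclass


# 1. Topology modelling: platform-independent description of one service's security.
#    (Assumption: a dataclass stands in for a TOSCA node template.)
@dataclass
class SecurityTopology:
    service_id: str
    component: str                 # "intercepting_web_agent" or "security_gateway"
    capabilities: frozenset        # identity-propagation patterns the outgoing proxy offers
    auth_pattern: str = ""         # authorization pattern required of consumers
    forward_attrs: tuple = ()      # user attributes the agent must forward to the backend


# Assumed mapping: which consumer capability satisfies a provider's requirement.
PATTERN_NEEDS = {"trusted_subsystem": "identity_forwarding",
                 "delegated_access_control": "identity_delegation"}


def capabilities_match(consumer, provider):
    """Orchestrator check from slide 11: does the consumer offer what the provider needs?"""
    return PATTERN_NEEDS[provider.auth_pattern] in consumer.capabilities


# 2. Provisioning: platform-dependent AAI, modelled after the ServletFilter of slide 10.
def backend_servlet(principal):
    """Stand-in for the unprotected backend; it only ever sees forwarded attributes."""
    return {"status": 200, "body": "label for " + ", ".join(f"{k}={v}" for k, v in principal.items())}


class InterceptingWebAgent:
    def __init__(self, topology):
        self.forward_attrs = topology.forward_attrs
        self.truststore = set()    # service ids accepted as Trusted Subsystems (direct trust)

    def do_filter(self, request):
        """Authenticate the calling service, check attributes, then forward to the backend."""
        if request.get("service_id") not in self.truststore:
            return {"status": 403, "reason": "caller is not a trusted subsystem"}
        user = request.get("user", {})
        missing = [a for a in self.forward_attrs if a not in user]
        if missing:
            return {"status": 400, "reason": f"missing user attributes: {missing}"}
        return backend_servlet({a: user[a] for a in self.forward_attrs})


class OutgoingProxy:
    """Consumer-side proxy: enforces the consumer's own policy, then propagates identity."""
    def __init__(self, topology, allowed_roles):
        self.service_id = topology.service_id
        self.allowed_roles = allowed_roles
        self.forward_attrs = ()    # set by the orchestrator during integration

    def call(self, agent, user):
        if user.get("role") not in self.allowed_roles:          # local authorization policy
            return {"status": 403, "reason": "local policy: role not allowed"}
        forwarded = {a: user[a] for a in self.forward_attrs if a in user}  # identity forwarding
        return agent.do_filter({"service_id": self.service_id, "user": forwarded})


def provision(topology):
    if topology.component != "intercepting_web_agent":
        raise NotImplementedError("only the web agent is modelled in this example")
    return InterceptingWebAgent(topology)


# 3. Integration update: match topologies, then add truststore entry and forwarding rule.
def integrate(consumer, provider, proxy, agent):
    if not capabilities_match(consumer, provider):
        raise ValueError(f"{consumer.service_id} lacks {PATTERN_NEEDS[provider.auth_pattern]}")
    agent.truststore.add(consumer.service_id)
    proxy.forward_attrs = provider.forward_attrs


SHIPPING = SecurityTopology("shipping-svc", "intercepting_web_agent", frozenset(),
                            "trusted_subsystem", ("email",))
SHOPPING = SecurityTopology("shopping-svc", "security_gateway", frozenset({"identity_forwarding"}))
ALICE = {"email": "alice@example.test", "role": "buyer"}   # constructed users
BOB = {"email": "bob@example.test", "role": "guest"}


# 4. Testing with dummy requests, then 5. migration to another cloud.
def run_lifecycle():
    agent = provision(SHIPPING)
    proxy = OutgoingProxy(SHOPPING, allowed_roles={"buyer"})
    integrate(SHOPPING, SHIPPING, proxy, agent)
    results = {
        "buyer": proxy.call(agent, ALICE)["status"],               # trusted caller, allowed role
        "guest": proxy.call(agent, BOB)["status"],                 # rejected by consumer policy
        "direct": agent.do_filter({"service_id": "unknown-svc",    # bypassing the proxy
                                   "user": {"email": "x@example.test"}})["status"],
    }
    # Migration: the shipping agent is provisioned afresh on Cloud B, so the trust
    # relationship must be provisioned again before calls succeed (slide 13).
    agent_b = provision(SHIPPING)
    results["after_migration"] = proxy.call(agent_b, ALICE)["status"]
    integrate(SHOPPING, SHIPPING, proxy, agent_b)
    results["after_reintegration"] = proxy.call(agent_b, ALICE)["status"]
    return results


if __name__ == "__main__":
    print(run_lifecycle())
```

Running it shows the two halves of the test step from slide 12 separately: the guest request dies at the shopping proxy's own policy, while the unknown caller and the freshly migrated agent both fail at the shipping agent's truststore check, which only passes again once the orchestrator re-runs `integrate`.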
  • 14. 5. Summary & Future work
      Summary
      • We extended the TOSCA model to describe the security topology of an application.
      • The topology describes the security components, the capabilities of identity propagation, and the authorization requirements that need to be preserved across Cloud providers.
      • A security architect instantiates a security template and takes advantage of known design patterns.
      • Cloud providers provision AAI with its runtime values.
      Future work
      • User identity is disseminated in federated domains → enhance the security topology with privacy-preserving user identity → protect the confidentiality of disseminated user data.
      • Demonstrate in OpenStack.