The Identity And Access Management


02 Nov 2017


Identity Management Protocols

Abstract — Cloud computing is a low-cost, service-oriented model used to deliver services to customers. It offers several services in the market, such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Three main security issues are addressed with respect to cloud computing: confidentiality, integrity and availability. In this paper, identity management protocols for cloud computing customers and cloud service providers are proposed. These protocols are used for the authentication and authorization of customers and service providers. They can be developed to set global security objectives in cloud environments, and they can be used to provide privacy and security to customers and to the cloud service provider's infrastructure.

Keywords — Cloud Computing, Confidentiality, Integrity, Availability, Privacy, Security, Identity and Access Management.

Introduction

A. Cloud Computing

In cloud computing, customers are provided with resources as a service over the Internet, on an on-demand basis. Computing services are delivered from data centres and are available universally, in order to create the image of a single point of access for the tools that can address all of the customer's computing requirements. Economically, the main attraction of cloud computing is that customers use only what they need and pay only for what they use. Resources are available from the cloud round the clock and from everywhere via the Internet. Customers are freed from knowing what happens behind the scenes and simply purchase the IT service they need, as with any other utility. This has led cloud computing to be called utility computing, or simply 'IT on demand'. Cloud computing brings several advantages to the market, the three most important being cost effectiveness, security and scalability. Our main concern is to discuss some of the identity management protocols used to protect cloud users and to conclude which of these protocols will be best for organizations.

NIST definition of cloud computing [1]:

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (i.e. applications and services, networks, servers, storage) that can be rapidly provisioned and released with minimal service provider interaction or management effort.

B. Service Models:-

Cloud computing employs a service-driven business model: every layer can be perceived as a customer of the layer below.

Infrastructure as a Service: IaaS refers to the on-demand provisioning of infrastructural resources, usually in the form of VMs. The cloud owner who offers IaaS is called an IaaS provider. Examples of IaaS providers include Amazon EC2, GoGrid and Flexiscale. Consumers control and manage the systems in terms of operating systems, applications, storage and network connectivity, but do not themselves control the cloud infrastructure.

Platform as a Service: PaaS refers to providing platform-layer resources, including operating system support and software development frameworks. Examples of PaaS providers include Google App Engine, Microsoft Windows Azure and Force.com. Consumers purchase access to the platforms, enabling them to deploy their own software and applications in the cloud.

Software as a Service: SaaS refers to providing on-demand applications over the Internet. Examples of SaaS providers include Salesforce.com, Rackspace and SAP Business ByDesign. Consumers purchase the ability to access and use an application or service that is hosted in the cloud. A benchmark example of this is Salesforce.com, where the information necessary for the interaction between the consumer and the service is hosted as part of the service in the cloud.

Figure 1. Architectural components: Clients (web browser, mobile apps, thin client, terminal emulators); SaaS (CRM, email, virtual desktop, communication); PaaS (execution runtime, database, web server, development tools, ...); IaaS (virtual machines, servers, storage, load balancers, networks).

C. Deployment Models:-

Public Cloud (‘external’ cloud)

Public cloud describes the conventional meaning of cloud computing: scalable, dynamically provisioned, often virtualised resources made available by an off-site third-party provider over the Internet, which distributes resources and charges its customers on a ‘utility’ basis.

Private Cloud (‘corporate’ or ‘internal’ cloud)

Private cloud can be described as a proprietary computing architecture providing hosted services on private networks. The users of this type of cloud computing are generally large companies, which allow their corporate network and data centre administrators to effectively become in-house 'service providers' catering to 'customers' within the corporation. However, many of the benefits of cloud computing are negated, as organisations still need to purchase, set up and manage their own clouds.

Hybrid Cloud

It is envisaged that a hybrid cloud environment, a combination of resources from both internal and external providers, will become the most popular choice for enterprises. For example, a company could use a public cloud service for general computing but keep the data that is critical to it in its own data centre. This may be because larger organisations are likely to have already invested heavily in the infrastructure required to provide resources in-house, or because they are concerned about the security of public clouds.

Community Cloud

The cloud infrastructure is shared among a number of organizations with similar interests and requirements. This may help limit the capital expenditure costs for its establishment as the costs are shared among the organizations. The operation may be in-house or with a third party on the premises.

Several published papers [2] and [3] relate to the usability and functionality of cloud computing. This paper focuses on identity management and the techniques used to provide a secure environment. Specifically, IAM security can be achieved by using appropriate protocols and standards. In this paper we also discuss the security and privacy issues of cloud computing.

At each level, security requirements must be satisfied to preserve data security in the cloud, namely confidentiality, integrity and availability, as follows:

(1) Confidentiality:

It is the act of keeping private or sensitive information from being disclosed to unauthorized individuals, entities or processes. This can be achieved through proper encryption techniques, taking into consideration the type of encryption (symmetric or asymmetric algorithms) and, in the case of a symmetric cipher, the key length and key management. In practice, it all depends on the CSP. For example [4], Mozy Enterprise uses encryption to protect customer data but Amazon S3 does not. The CSP should also ensure proper deployment of encryption standards, following the NIST standards in [5].

(2) Integrity:

Cloud users also worry about data integrity. Data can be encrypted to provide confidentiality, but this does not guarantee that the data has not been altered while it resides in the cloud. There are mainly two approaches that provide integrity: a Message Authentication Code (MAC) and a Digital Signature (DS). A MAC depends on a symmetric key to produce a checksum that is appended to the data, whereas a DS algorithm depends on a public key infrastructure. This is important in the cloud computing environment because mobile devices use the air as their medium, and for this reason the data must be well protected.

(3) Availability:

Another problem is the availability of the data when it is requested by authorized users. The most powerful technique is prevention, by avoiding threats that affect the availability of the service or data. It is very difficult to detect threats that target availability. Such threats can be either network-based attacks, such as Distributed Denial of Service (DDoS) attacks, or threats to the CSP's own availability.

In the next section, we discuss the identity and access management practices of cloud computing using some protocols.

II. IDENTITY AND ACCESS MANAGEMENT

Identity and Access Management (IAM) can be defined as the set of methods that provide an adequate level of protection for an organization's resources and data through rules and policies enforced on users via various techniques, such as enforcing login passwords, assigning privileges to users and provisioning user accounts. IAM is the management of credentials, identities and their associated privileges, which are used to control and grant access to information resources such as files, documents, applications and data. While IAM is not unique to cloud computing, the complex relationships between providers and consumers increase the need to plan and manage access controls and identity credentials.

A. Challenges:-

• The main challenge for any organization in managing identities results from the variety of the user population an organization consists of: customers, employees, partners, etc.

• Managing and maintaining staff turnover within the organization, which varies with the current business trend in the market and the organization's function.

• Handling users' identities in the case of mergers and demergers.

• Avoiding the duplication of identities, attributes and credentials.

Thus, we discuss the current practice of identity and access management (IAM), which is considered a great help in providing authentication, authorization and auditing for users who access cloud computing, as follows:

1) Authentication:

It is the process by which one entity verifies the identity of another entity, which can be a person or a program. Authentication can be done in three ways: something the user knows, such as a password or login name; something the user has, such as a personal identification number (PIN); and something the user is, such as a fingerprint.

2) Authorization:

It is the process that ensures a person has the right to access certain resources. Users cannot be allowed to access any resource without the system knowing the attributes of those users. In this stage, the system enforces the security policies.

3) Auditing:

It is the process of collecting information about users attempting to access a particular resource or performing actions. It is also the process of reviewing and examining the authorization and authentication records in order to check compliance with predefined security standards and policies. It also aids in detecting any system breaches.

B. Readiness of Cloud Environment:-

In order to get ready for the cloud, enterprises should prepare an IAM strategy and structure, understand the IAM lifecycle and specify which equipment model will support the identity federation technical requirements, as follows:

1. Defining the authorized source for the identity information.

2. Defining the required attributes for the user's profile.

3. Defining the current structure of the identity management system within the enterprise (isolated Active Directories connected on the internal network, Active Directories within the Demilitarized Zone (DMZ), and whether the company is an identity-federation-friendly environment where Active Directories can be accessed by a trusted third party, in which case deploying federation can be faster and more cost effective).

4. Implementing identity providers that support SSO technology, such as OpenID, Microsoft CardSpace and Microsoft Novell Digital Me.

5. Ensuring the identity providers' compatibility with the internally built Active Directory.

III. IAM LIFECYCLE

In this stage, we should consider all the different stages that an identity goes through, known as the identity lifecycle. One important question we should raise is what happens to the user's identity from the time it is created, through its use, until it is terminated. According to Mather, Kumaraswamy and Latif [4], digital identity management goes through five stages, as follows:

1) Provisioning and deprovisioning:

In this process users are assigned the required access to information based on their role within the organization, and in the case of escalation or reduction of a user's authority, proper access roles are assigned. This process requires a great deal of time, effort and staff to keep the privileges assigned to an identity as appropriate as possible. However, cloud management using proper techniques such as Identity Management as a Service (IDaaS) can take this burden off the organization's shoulders.

2) Authentication and Authorization:

A central authentication and authorization infrastructure is required to build a custom authentication and authorization model that meets the organization's business goals. Such a model enforces the security policy that should be followed to protect applications and databases.

3) Self-Service:

Enabling self-service in identity management enhances identity management systems. At this stage users can reset their passwords, maintain and update their own information, and view organizational information from any location.

4) Password Management:

Password management is achieved by implementing federated systems that support Single Sign On (SSO) to access cloud-based services. Password management also covers how passwords are stored in the cloud database, using MD5 or SHA1 as in [6] and [7].
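The text names MD5 or SHA1 for storing passwords in the cloud database. The following Python is an added example, not code from the paper or from references [6] and [7]: it stores each password as a per-user random salt plus a slow key derivation (PBKDF2 from the standard library) and verifies with a constant-time comparison, with the bare unsalted digest shown beside it for contrast. Iteration count and record format are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed parameters for the example (assumptions, not from the paper)
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def make_password_record(password: str) -> str:
    """Store 'pbkdf2_sha256$iterations$salt$hash'; the salt is fresh per user,
    so two users with the same password get different records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(record: str, candidate: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_b64, hash_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, int(iters))
    return hmac.compare_digest(digest, expected)


def unsalted_md5(password: str) -> str:
    """The bare-digest scheme named in the text, for contrast: identical passwords
    map to identical records, so one cracked hash exposes every user who shares it."""
    return hashlib.md5(password.encode()).hexdigest()
```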

5) Compliance and Audit:

In this process access is monitored and tracked to ensure that there are no security breaches in the system. It also helps auditors verify compliance with the various access control policies, through periodic auditing and reporting.

IV. IDENTITY MANAGEMENT PROTOCOLS

In the previous section, we discussed the requirements for applying IAM structures. In this section, we discuss some protocols for managing identities in the cloud; however, it is worth mentioning that IAM standards and protocols should be considered from both sides: the organizations and the consumers.

In this paper, our main concern is to discuss how an organization handles IAM using protocols. There are several protocols and standards that organizations should consider, such as OpenID and the Security Assertion Markup Language (SAML). We discuss each of these protocols in detail below.

A. OpenID

It is an authentication system based on the premise that anyone can have a URL and an OpenID Identity Provider (OP) that is willing to speak on behalf of that URL. With OpenID, a user uses one username and one password to access many web applications. The user authenticates to an OpenID server to obtain his or her OpenID and uses the resulting token to authenticate to web applications. OpenID is a decentralized authentication protocol: no central authority must approve or register service providers or OpenID Providers. An end user can easily choose an OpenID Provider and can preserve their identity if they change OpenID Providers [8]. A user of OpenID does not need to provide a service provider with his or her credentials or other important information such as an email address.

OpenID is highly susceptible to phishing attacks, as the whole OpenID structure hinges on the URL routing to the correct machine on the Internet, i.e. the OpenID Provider. A user who visits an evil site sends the impostor service provider her URL. The provider checks the URL's content in order to determine the location of the OpenID Provider. Instead of redirecting the user to the legitimate OP, it redirects the user to the Evil Scooper site. The Evil Scooper contacts the legitimate OP and pulls down an exact copy of its login experience (it can even simply become a "man in the middle"). Convinced she is talking to her OP, the user posts her credentials, which can now be used by the Evil Scooper to get tokens from the legitimate OP. These tokens can then be used to gain access to any legitimate Service Provider [9].

Figure 2. The OpenID Authentication Process

OpenID works as shown in Figure 2. The user presents his or her URL when contacting an SP that supports OpenID. The SP fetches that URL to learn which OP speaks for it; this is the Identity Provider Discovery step. Once the OP has been discovered, the SP establishes a shared secret with it so that later messages can be authenticated using the well-known MAC mechanism; the OpenID specifications use Diffie-Hellman to establish this shared secret between the OP and the SP. The SP then redirects the user to the OP, which authenticates the user by whatever mechanism it deems appropriate. During the authentication process the OP is supposed to display the SP's "realm" to the user and check that the user wants to be authenticated to that SP. After the user has been authenticated successfully, the OP redirects the user back to the SP together with an authentication token stating that the user has been authenticated and has control over the OpenID they specified. The SP then grants the user access to its services. One might regard OpenID as a direct competitor to single sign-on or login mechanisms for user authentication. On the face of it, OpenID is an attractive way of assigning globally unique IDs to people based on URLs, together with an authentication service that validates this binding.
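The association and assertion steps just described, and the MAC-based integrity check from the Integrity paragraph, as an added example in Python that is not part of the paper: the SP and OP agree a MAC key by Diffie-Hellman, the OP signs the positive assertion in OpenID's key-value form with HMAC-SHA256, and the SP verifies the signature, the return_to value and the response nonce. The DH group, the key derivation (the real spec XORs a hash of the shared value with an encrypted key) and all URLs are constructed assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for this example. OpenID 2.0 ships a
# 1536-bit default prime; a 127-bit Mersenne prime keeps the arithmetic readable.
DH_P = 2**127 - 1
DH_G = 3

# Fields the SP requires to be covered by openid.signed in a positive assertion
SIGNED_FIELDS = ["op_endpoint", "return_to", "response_nonce",
                 "assoc_handle", "claimed_id", "identity"]


def dh_keypair():
    priv = secrets.randbelow(DH_P - 2) + 1
    return priv, pow(DH_G, priv, DH_P)


def dh_mac_key(priv, peer_pub):
    """Association step: both sides derive the MAC key from the shared DH value."""
    shared = pow(peer_pub, priv, DH_P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def kv_form(fields, names):
    # OpenID Key-Value Form: "name:value\n" per signed field, in the listed order
    return "".join("%s:%s\n" % (n, fields.get(n, "")) for n in names).encode()


def op_sign_assertion(mac_key, fields):
    """OP side: add openid.signed and an HMAC-SHA256 openid.sig over those fields."""
    out = dict(fields, signed=",".join(SIGNED_FIELDS))
    sig = hmac.new(mac_key, kv_form(out, SIGNED_FIELDS), hashlib.sha256).digest()
    out["sig"] = base64.b64encode(sig).decode()
    return out


def sp_verify_assertion(mac_key, assertion, our_return_to, seen_nonces):
    """SP side: required fields are signed, the MAC matches, return_to is ours,
    and the response_nonce has not been accepted before (replay)."""
    signed = assertion["signed"].split(",")
    if not set(SIGNED_FIELDS) <= set(signed):
        return False
    expected = hmac.new(mac_key, kv_form(assertion, signed), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(assertion["sig"])):
        return False
    if assertion["return_to"] != our_return_to:
        return False
    if assertion["response_nonce"] in seen_nonces:
        return False
    seen_nonces.add(assertion["response_nonce"])
    return True


def demo_flow(tamper=False, replay=False):
    """Association by DH, then a positive assertion checked by the SP."""
    sp_priv, sp_pub = dh_keypair()
    op_priv, op_pub = dh_keypair()
    sp_key = dh_mac_key(sp_priv, op_pub)  # SP: key from the OP's public value
    op_key = dh_mac_key(op_priv, sp_pub)  # OP: the same key from the SP's value
    assertion = op_sign_assertion(op_key, {   # constructed sample values
        "op_endpoint": "https://op.example/auth",
        "return_to": "https://sp.example/return",
        "response_nonce": "2024-01-01T12:00:00Zabc123",
        "assoc_handle": "assoc-1",
        "claimed_id": "https://alice.example/",
        "identity": "https://alice.example/",
    })
    if tamper:  # a modified identity must fail the MAC check
        assertion["identity"] = "https://mallory.example/"
    seen = set()
    ok = sp_verify_assertion(sp_key, assertion, "https://sp.example/return", seen)
    if replay:  # the same assertion presented twice must be rejected
        ok = sp_verify_assertion(sp_key, assertion, "https://sp.example/return", seen)
    return ok
```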

B. SAML(Security assertion Markup Language)

SAML is based on XML standards [10] and is used as a tool to exchange authorization and authentication attributes between two entities; in the case of the cloud, between the Identity Provider (IdP) and the Cloud Service Provider (CSP). The main goal SAML tries to achieve is to support SSO over the Internet. There are different versions of SAML, for example SAML v1.0, SAML v1.1 and SAML v2.0. It supports digital signatures and encryption. The following is an illustrative example to help in understanding SAML used for SSO between the user, the IdP and the CSP.

Figure 3 shows the SAML communication process:

1. The user requests a web page from the CSP.

2. The CSP responds by redirecting the user's browser to the SSO website located at the IdP.

3. The browser follows the redirect to the IdP.

4. The IdP and the user exchange an authentication protocol for identification.

5. The IdP responds to the user with an encoded SAML response.

6. The user's browser sends the SAML response to the CSP to access the URL.

7. The user is logged in to the CSP application.
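The checks the CSP has to perform in step 6 before it logs the user in (step 7), as an added Python example that is not part of the paper: the Response's Destination must be the CSP's own endpoint, InResponseTo must match a request the CSP actually issued in step 2, the assertion must come from the expected IdP, be inside its validity window, name the CSP as audience, and not have been consumed before. The sample Response, entity IDs and URLs are constructed; the example assumes the XML signature was already verified by an XML-DSig library, which is why no Signature element appears.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def make_response(in_response_to="_req42", destination="https://csp.example/acs",
                  issuer="https://idp.example/sso", assertion_id="_a1", subject="alice",
                  audience="https://csp.example", not_before="2024-01-01T12:00:00Z",
                  not_on_or_after="2024-01-01T12:05:00Z"):
    """Constructed sample of the encoded SAML response from step 5 (values are assumptions)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" InResponseTo="{in_response_to}" Destination="{destination}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="{assertion_id}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def csp_validate(xml_text, sp_entity_id, acs_url, idp_issuer, pending_ids, seen_ids, now):
    """CSP-side checks on the SAML Response (step 6). Returns (ok, detail).
    pending_ids: AuthnRequest IDs issued in step 2; seen_ids: consumed assertion IDs."""
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        return False, "Destination is not our assertion consumer URL"
    req_id = root.get("InResponseTo")
    if req_id not in pending_ids:
        return False, "InResponseTo does not match a request we issued"
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return False, "status is not Success"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.findtext("saml:Issuer", namespaces=NS) != idp_issuer:
        return False, "missing assertion or unexpected issuer"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return False, "assertion was issued for a different audience"
    if assertion.get("ID") in seen_ids:
        return False, "assertion already consumed (replay)"
    seen_ids.add(assertion.get("ID"))
    pending_ids.discard(req_id)  # each request is answered once
    return True, assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
```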

Figure 3. SAML communication process (between the User, the Identity Provider and the Cloud Service Provider)

COMPARISON OF OPENID AND SAML

Architectural approach

OpenID: OpenID 2.0 specifies a solid web SSO protocol, IdP discovery protocol, user identifier format, an extensibility mechanism, backwards compatibility and security considerations, in a single draft specification (OpenID.openid-authentication-2_0) (OpenID, "OpenID Authentication 2.0 - Final," September 20.

SAML: SAML specifies an abstract extensible security assertion and an abstract extensible request-response protocol via XML schemas, in one specification, the SAML "core" (OASIS.saml-core-2.0-os) (Cantor, S., Kemp, J., Philpott, R., and E. Maler, "Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V2.0," March 20.

End-user privacy

OpenID: End-user privacy is not presently explicitly addressed in OpenID's specification.

SAML: In SAML v2.0's design, end-user privacy is an explicit first-order consideration, reflected in several aspects of the design, e.g. the establishment of pseudonyms between an IdP and an RP, and one-time or transient identifiers.

Simplicity

OpenID: The latest OpenID specification is considerably thinner and much easier to understand than the latest SAML specification. OpenID specifies how data is carried over HTTP.

SAML: SAML is an abstract framework. To specify what content is carried over which Internet protocols, SAML requires profiles and bindings.

Flexibility and extensibility

OpenID: OpenID specifies the format of user identifiers and shows how the user's OpenID Provider is discovered.

SAML: SAML is far more flexible and extensible than OpenID, but as a result is more complex. SAML's framework does not specify any particular user identifier, and it does not show how the user's identity provider is discovered.

Implementation approach

OpenID: An OpenID infrastructure should be significantly easier to implement and deploy than a SAML-based one. Because the OpenID specification is simpler, with far fewer options, most OpenID implementations should interwork.

SAML: SAML implementations, on the other hand, will most likely implement only a specific subset of profiles and protocol bindings, which necessarily means that not all implementations will interwork, and they may require significant configuration in order to do so.

Security

OpenID: In the OpenID specifications there are security provisions in terms of key establishment, verification mechanisms and message signatures, and the use of TLS/SSL-protected channels.

SAML: In the SAML specification sets, there are robust security provisions based on explicit stipulations in profiles, in the bindings the profiles employ, and in the design of the SAML assertion semantics.

CONCLUSION

In conclusion, cloud computing is a very attractive environment for the business world in terms of providing the required services in a very cost-effective way. Identity management is one of the major security issues in the cloud environment. Our main concern has been to discuss some of the identity management protocols used to protect cloud users and to conclude which of these protocols will be best for organizations that are moving in the direction of consuming cloud services.

Acknowledgement

Ronak R. Patel would like to thank my thesis guide Prof. Bhavesh Oza for his great effort and instructive comments on this paper. Lastly, I wish to thank all those who helped me during my research work.
