Use this identifier to cite or link to this item:
Title: Access control in IaaS multi-cloud heterogeneous environments
Author(s): SETTE, Ioram Schechtman
Keywords: Computer science; Cloud computing
Document date: 11-Aug-2016
Publisher: Universidade Federal de Pernambuco
Abstract: Multiple Cloud Service Providers (CSPs) coexist nowadays, offering their services competitively. To avoid vendor lock-in, users hire many services from an outsourced, heterogeneous multi-cloud environment. As a result, data and system security usually depend on the isolated mechanisms existing in each provider. Access Control (AC) mechanisms are responsible for the authentication, identification and authorisation of users to resources. In a multi-cloud environment, users often need to authenticate multiple times and also to define security policies for each CSP, which can result in inconsistencies. The objective of this thesis is to provide a homogeneous access experience for users of heterogeneous multi-cloud services. Identity federations allow Single Sign-On (SSO): users are identified and authenticated once by Identity Providers (IdPs) and gain access to trusted federated services. Nevertheless, authorisation federations (AC federations) are not usual. Each cloud service tends to have its own AC mechanism, with its own policy definition language. This work defines a solution that provides homogeneous authentication and authorisation to multiple heterogeneous Infrastructure as a Service (IaaS) platforms. This is made possible by Identity Federations and Authorisation Policy Federations (APFs). In this solution, security policies are centrally stored in Disjunctive Normal Form (DNF) and are semantically defined in terms of an ontology. Cloud tenants can create APFs and bind their different accounts to them, so that global authorisation rules, defined and managed by the APF, are enforced on all federated member accounts, providing a homogeneous access experience.
A system prototype, composed of a central Policy Administration Point (PAP) called the Federated Authorisation Policy Management Service (FAPManS), policy adaptors (translators) and a policy synchronisation mechanism, was implemented for the OpenStack and Amazon Web Services (AWS) cloud platforms. An ontology was also created based on their access control technologies. The Level of Semantic Equivalence (LSE) was defined as a metric giving the percentage of policy rules that could be translated into ontology terms. To validate the solution, authorisation policies based on examples publicly provided by OpenStack and AWS were converted to ontology-based global rules and vice versa, with an LSE above 80%.
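As an added illustration of the approach the abstract describes (this is not code from the thesis or from FAPManS), the block below keeps global rules in DNF, translates them through a small constructed ontology into OpenStack policy.json-style rules and AWS IAM-style statements, and computes the LSE for the reverse translation of a native policy. The ontology terms and the native action names are assumptions made for the example.

```python
# Toy model of ontology-based authorisation policy federation (added example).
# A global policy is in DNF: a list (OR) of clauses, each clause a dict (AND)
# of attribute constraints such as role and abstract action.

# Constructed ontology: abstract action term -> native action name per provider.
# The native names are assumptions for illustration, not verified policy keys.
ONTOLOGY = {
    "StartInstance": {"openstack": "compute:start", "aws": "ec2:StartInstances"},
    "StopInstance": {"openstack": "compute:stop", "aws": "ec2:StopInstances"},
    "ListImages": {"openstack": "image:get_images", "aws": "ec2:DescribeImages"},
}

# Global APF policy: (role=operator AND StartInstance) OR (role=operator AND
# StopInstance) OR (role=auditor AND ListImages).
GLOBAL_POLICY = [
    {"role": "operator", "action": "StartInstance"},
    {"role": "operator", "action": "StopInstance"},
    {"role": "auditor", "action": "ListImages"},
]


def to_openstack(policy):
    """DNF clauses -> policy.json-style mapping: native action -> 'role:a or role:b'."""
    rules = {}
    for clause in policy:
        native = ONTOLOGY[clause["action"]]["openstack"]
        rules.setdefault(native, []).append(f"role:{clause['role']}")
    return {action: " or ".join(roles) for action, roles in rules.items()}


def to_aws(policy):
    """DNF clauses -> one IAM-style Allow policy document per role."""
    by_role = {}
    for clause in policy:
        by_role.setdefault(clause["role"], []).append(ONTOLOGY[clause["action"]]["aws"])
    return {role: {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": actions, "Resource": "*"}]}
        for role, actions in by_role.items()}


def from_openstack(native_rules):
    """Reverse translation: native rules -> DNF clauses plus the LSE, i.e. the
    percentage of native rules whose action has an ontology term."""
    reverse = {v["openstack"]: term for term, v in ONTOLOGY.items()}
    clauses, translated = [], 0
    for native, expr in native_rules.items():
        term = reverse.get(native)
        if term is None:  # no ontology term: rule stays provider-specific
            continue
        translated += 1
        for part in expr.split(" or "):
            clauses.append({"role": part.split(":", 1)[1], "action": term})
    lse = 100.0 * translated / len(native_rules) if native_rules else 0.0
    return clauses, lse
```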
Appears in collection(s): Doctoral Theses - Computer Science

Files in this item:
Ioram_Sette_PhD_Thesis.pdf (10.14 MB, Adobe PDF)

This file is protected by copyright.

This item is licensed under a Creative Commons License.