Abu Shohel Ahmed

OpenID authentication as a service in OpenStack

The evolution of cloud computing is driving the next generation of internet services. OpenStack is one of the largest open-source cloud computing middleware development communities. Currently, OpenStack supports platform specific signatures and tokens for user authentication. In this paper, we aim to introduce a cloud platform independent, flexible, and decentralized authentication mechanism, using OpenID as an open-source authentication mechanism in OpenStack. OpenID allows a decentralized framework for user authentication. It has its own advantages for web services, which include improvements in usability and seamless Single-Sign-On experience for the users. This paper presents the OpenlD-Authentication-as-a-Service APIs in OpenStack for front-end GUI servers, and performs the authentication in the back-end at a single Policy Decision Point (PDP). Our implementation allows users to use their OpenID Identifiers from standard OpenTD providers and log into the Dashboard/Django-Nova graphical interface of OpenStack.

Towards Building an Automated Security Compliance Tool for the Cloud

Security, especially security compliance, is a major concern that is slowing down large scale adoption of cloud computing in the enterprise environment. Governmental regulations, business requirements and trust are among the reasons why enterprises require certain levels of security compliance from cloud providers. So far, security compliance or auditing information has been generated manually by security specialists. This involves manual data collection and assessment, which is slow and expensive. Thus, there is a need for an automated security compliance tool (ASCT) to verify and express the compliance of various cloud providers. Such a tool can reduce the human intervention and eventually reduce the cost and time by verifying the compliance automatically. Also, the tool will enable transparency of the cloud vendors to the customers which in turn will help grow confidence on the cloud vendors. Having these goals in mind, we have developed an architecture to build an ASCT for a cloud computing platform. We have also outlined four possible approaches to achieve this automation. These possible four approaches refer to four data collection mechanisms to collect data from the cloud systems and these are: API, vulnerability scanning, log analysis and manual entry. Finally, we have implemented a proof-of-concept prototype of this ASCT based on the proposed architecture. The prototype is integrated with OpenStack cloud platform and the results are exposed using the CloudAudit API.

A Framework for Authentication and Authorization Credentials in Cloud Computing

Security is a key concern when adopting cloud technology. Cloud solutions include not only issues inherited from related technologies, such as virtualization and distributed computing, but also new concerns associated to complexity of the cloud ecosystem, composed by the cloud entities and their interactions. One of the concerns is related to authentication and authorization in the cloud in order to provide robust mechanisms to identify entities and establish their permissions and roles in the cloud, controlling resource usage and promoting accounting and isolation. This paper identifies the state of the art in terms of credential management focusing on the cloud ecosystem. It proposes a credential classification and a framework for studying and developing solutions in this context, unifying concepts related to cloud deployment models, service types, entities and lifecycle controls.

Demo Paper: Automatic Provisioning, Deploy and Monitoring of Virtual Machines Based on Security Service Level Agreement in the Cloud

This demo presents a Security Service Level Agreement (SSLA) management solution for the cloud. In this work we aim to bind security in the Service Level Agreement (SLA) as a measurable and agreeable parameter between cloud service provider (CSP) and the customer. To achieve this, we allow cloud customer to choose between different security levels when negotiating the SLA and then our automated SLA engine finds the requirements from the SSLA and deploys the Virtual Machine (VM) based on that. Finally, we also provide monitoring of the security services from where the customer can review the current security status of the VMs. If there are any violations from the agreed SSLA, then the customer can immediately notice that and file a SLA breach complaint to the CSP.

A framework to orchestrate security SLA lifecycle in cloud computing

Security issues of cloud computing environments are considered a major challenge for its full adoption. A Service Level Agreement (SLA) corroborates the shared management vision provided by the cloud computing paradigm, which can assist with related security issues. The necessity to address security requirements in cloud computing SLAs is considered important for both providers and consumers, along with the tools and mechanisms necessary to deal with these requirements. These issues are current research challenges; therefore, this paper aims at proposing a framework to orchestrate the management of cloud services based on security requirements defined by the SLA in an automated manner during its entire lifecycle. In addition, mechanisms to support the phases of the SLA lifecycle are proposed as a part of the framework. also the preliminary validation of the proposed framework. Finally, it is presented the integration of the framework with a cloud solution and in what manner the SLA lifecycle is supported by the framework.

Managing the Lifecycle of Security SLA Requirements in Cloud Computing

One of the major barriers for full adoption of cloud computing is the security issue. As the cloud computing paradigm presents a shared management vision, it is important that security requirements are addressed inside the Service Level Agreements (SLAs) established between cloud providers and consumers, along with the tools and mechanisms necessary to deal with these requirements. This work aims at proposing a framework to orchestrate the management of cloud services and security mechanisms based on the security requirements defined by a SLA, in an automated manner, throughout their lifecycles. In addition, the integration of the framework with a cloud computing solution is presented, in order to demonstrate and validate the framework support throughout SLAs lifecycle phases.

Formal Security Analysis of OpenID with GBA Protocol

The paper presents the formal security analysis of 3GPP standardized OpenID with Generic Bootstrapping Architecture protocol which allows phone users to use OpenID services based on SIM credentials. We have used an automatic protocol analyzer to prove key security properties of the protocol. Additionally, we have analyzed robustness of the protocol under several network attacks and different threat models (e.g., compromised OP, user entity). The result shows the protocol is secure against key security properties under specific security settings and trust assumptions.