2014 Seventh International Symposium on Computational Intelligence and Design
An Identity and Access Management Architecture in Cloud
Yan Yang (1,2), Xingyuan Chen (2), Guangxia Wang (2), Lifeng Cao (2)
(1) School of Computer and Information Technology, Beijing Jiaotong University, Beijing, China
(2) ZhengZhou Information Science and Technology Institute, Zhengzhou, China
yangyan302@sohu.com, chxy302@vip.sina.com, sunnywgx@sina.com, caolf302@sina.com
Abstract—Identity and access management (IAM) is a central security issue in the cloud. This paper presents an identity and access management architecture that addresses a series of new problems the cloud computing model has brought to identity and access management. The architecture covers secure access both to resources provided by the cloud and to resources uploaded by users, which removes some of the limitations of existing architectures. It uses Security as a Service to obtain a standardized and scalable design, and the specific architecture proposed can be implemented.
Keywords: Cloud computing; Identity and Access Management; Security as a Service.
I. INTRODUCTION
Cloud computing is an evolutionary technology that grew out of grid computing, distributed computing, applications, networks, storage resources and infrastructure built from pools of computers [1]. Its important characteristics include dynamic provisioning, ubiquitous network access, rapid elasticity, shared infrastructure and metered service [2]. These features give enterprises cost effectiveness, scalability and operating efficiency, and they attract numerous users to cloud applications for storing, creating and sharing resources. However, surveys consistently show that security is the main obstacle to the wide adoption of cloud computing.
Identity and Access Management (IAM) is essential to that security. IAM is treated as a key issue in the majority of cloud computing security investigations and standardization documents: the recommendations prepared by the National Institute of Standards and Technology (NIST) define IAM as an important research area [2], the Cloud Security Alliance (CSA) highlights it as an important issue [1], and many other documents published by standardization organizations and research institutions treat it as an important mechanism.
Compared to traditional IT systems, a cloud stores vast amounts of important user data, which makes it a far more tempting target for attackers. Cloud systems also give users an open access interface through which end users can directly use application software, operating systems, programming environments and even the network infrastructure in the cloud, so damage to cloud resources is more serious than damage to the resource sharing currently used on the Internet.
Although identity management and access control technology have matured in the traditional model, the cloud computing model has brought a series of new IAM problems. Developing security approaches suitable for this context requires addressing the following requirements:
(1) Strong Authentication
The main requirement for strong authentication is to use two or more types of authentication factors. In the cloud, authentication mechanisms should include strong authentication for validating asserted identity information. One Time Password (OTP) should be supported as a standard authentication function in the cloud, and multi-factor authentication approaches should be available as options in the IAM offering [3].
(2) Data Loss Prevention
A cloud storage service allows a data owner to create, upload and store numerous resources across the cloud, and users can easily access cloud applications. How to protect these resources from the security threats of the cloud environment nevertheless remains a serious concern for cloud users. Data Loss Prevention monitors, protects and verifies the security of data at rest, in motion and in use in the cloud. Because the cloud server and the data owner are not in the same trust domain, the access policy cannot rely entirely on the semi-trusted cloud server.
(3) Security as a Service
The security industry has recognized the benefits of a standardized security framework for both cloud providers and consumers. Such a framework takes the form of a document that specifies which security services are provided, how and where, and serves as the basis of a cloud service level agreement between providers and consumers. The global adoption of Security as a Service is one of the milestones in the maturity of the cloud as a platform for business operations, and the standardization of the security framework strengthens the security mechanisms.
In this work, we propose an Identity and Access Management (IAM) Architecture that aims to address the aforementioned security requirements.
The rest of the paper is organized as follows: section II discusses related work; section III describes the system components and workflow of the security architecture; section IV analyzes the advantages of the architecture, discusses further considerations and gives an outlook on future developments.
978-1-4799-7005-6/14 $31.00 © 2014 IEEE
DOI 10.1109/ISCID.2014.221
II. RELATED WORK
Identity and Access Management (IAM) manages access to resources by verifying the identity of an entity and then granting the level of access appropriate to the protected resource.
The main functions are the following:
• Identity Provisioning: the provisioning of identities within an organization covers the provisioning and revocation of user accounts.
• Authentication: authentication ensures that an individual is who he claims to be; the individual is identified through mechanisms such as passwords, certificates and biometrics.
• Authorization: the authorization module provides an interface that enforces authorization rules as clients attempt operations in the system. These rules govern access to data within the system as well as the operations that may be applied to that data.
• Policy Management: the policy management module enforces the policies that associate users with resources. It resolves the policies that apply to a user and determines the resources for which that user is authorized.
A wide range of research has investigated IAM problems in cloud computing environments. The CSA has proposed an IAM architecture [4], but it treats data security and user access management separately and does not describe an integrated solution that can be implemented [3].
Many solutions have been proposed for the cloud, and no single standard has yet been widely adopted [5-9]. Leading organizations have developed identity management products such as McAfee Cloud Identity Manager, Microsoft Identity & Access, Novell Identity Manager and IdM4Cloud [10].
Most existing frameworks concentrate on managing user identity information and on authentication; comprehensive systems that combine authentication with access control are rare. In addition, existing frameworks mainly address access management for resources provided by the cloud, and rarely consider resources uploaded by users.
Therefore, this paper presents an Identity and Access Management Architecture that integrates identity information management, authentication and access control. The architecture also covers both cloud resources and user-uploaded resources, to better meet the identity and access management needs of the cloud environment.
III. IDENTITY AND ACCESS MANAGEMENT ARCHITECTURE
A. System Components
The Identity and Access Management Architecture we propose is presented in Figure 1. As the figure shows, the architecture involves four parts: the Cloud Resource Provider, Identity Management, Policy Management, and Resources Engine and Policy Decision-making.
Figure 1 The Identity and Access Management Architecture
(1) Cloud Resource Provider (CRP)
CRP provides two resource types: cloud resources and user-uploaded resources. Cloud resources include software, operating systems, programming environments and even the network infrastructure. User-uploaded resources are mainly resources that users generate themselves and upload to the cloud, which then provides data access to them for users. The resource provider is responsible for granting access to resources based on the user's asserted identity and privileges.
(2) Identity Management (IDM)
IDM is responsible for managing users and their identities, issuing credentials that vouch for a user's identity, and asserting that identity. IDM is the authoritative site responsible for authenticating an end user and asserting an identity for that user in a trusted fashion. IDM supports different authentication methods, such as password-based, certificate-based, biometrics-based and token-based authentication.
Taking advantage of Security as a Service, IDM exposes two external services: the Multi-factor Authentication Service and the Identity Information Inquiry Service.
• Multi-factor Authentication Service
The Multi-factor Authentication Service is the interface through which IDM validates asserted identity information. It provides the functionality required to evaluate and validate credentials supplied directly by the user, such as a user name and password, security token pass phrases or X.509 certificates. IDM can invoke its identity management databases to validate these credentials.
• Identity Information Inquiry Service
The Identity Information Inquiry Service is the interface through which Policy Management checks a user's identity information when authorizing the user.
(3) Policy Management (PM)
Policy Management enforces the access rules that associate users with resources, and ensures that provisioning requests conform to the defined policies. Policy Management supports four functions: attribute management, user authorization, resource management and access policy management.
• Attribute Management
IDM takes on the bulk of the user's life-cycle management. Attribute Management relies on IDM and manages only those user attributes that are relevant to policy.
• User Authorization
User Authorization grants users the corresponding attributes and records the result in a user-attribute mapping table. It is responsible for issuing attributes to users and thereby determining their privileges.
• Resource Management
Resource Management is responsible for organizing and managing resources: resource registration, update and deletion. It manages both cloud resources and user-uploaded resources.
• Access Policy Management
Access Policy Management defines the access rules for cloud resources and for users' own resources. It maps attributes to resources, generating an attribute-resource mapping table, and consists of two parts: management of cloud resources and management of user-uploaded resources.
The policy for cloud resources is developed by the cloud provider on the basis of user attributes and resource access policies.
The policy for user-uploaded resources is defined by the user. Users upload their own data resources and set the access rights on them; other users can then access these resources according to the rights they have been granted. Users define policies according to the cloud service provider's credibility and their own data privacy requirements. If the provider's credibility is relatively high and the privacy of the user data is not very strong, attribute-based access policies alone can be used. If the privacy requirement is strong and the user does not want the data to be readable by the cloud service provider, the data may be encrypted before processing, and more complex strategies are needed to manage it.
• Policy Inquiry Service
The Policy Inquiry Service is the interface provided by Policy Management. It queries the user's privileges and, according to the resource access policies, decides whether the user is allowed access.
(4) Resources Engine and Policy Decision-making (REPD)
REPD involves two parts: the Resources Engine and Policy Decision-making.
• Resources Engine (RE)
The Resources Engine implements the scheduling of resources within the cloud. It is responsible for finding, in the resource list, the resources that meet the user's requirements.
• Policy Decision-making (PD)
Policy Decision-making determines whether users are allowed to access the requested resources while maintaining security.
When a user accesses a resource, the user first contacts REPD, and REPD submits an authentication request to IDM. IDM offers multi-factor authentication based on the credentials the user supplies. If the user is authenticated, REPD submits a query to Policy Management, which decides, based on the user's privileges and the access policies of the resources, whether to allow the user to access the requested resources.
B. The Workflow
With the security architecture above, any user who needs to access resources must pass through the security enforcement: authentication first, followed by access control according to the privileges the user has been granted.
A user must hold authentication and authorization information before accessing a resource. The security architecture supports different authentication mechanisms, so the authentication information may be a password, a certificate, etc. Authorization adopts an attribute-based mechanism.
The general process of accessing resources is shown in Figure 2 and can be described as follows:
(1) When a user logs on to REPD to access a resource, REPD first redirects the request to IDM.
(2) The user is authenticated by the Multi-factor Authentication Service provided by IDM, which validates the asserted identity information. Depending on the authentication mechanism, IDM invokes its identity management databases to validate the credentials, then returns an assertion to REPD.
(3) REPD receives the assertion. If the user is not authenticated, access to the resource is denied. Once the user is authenticated, an initial set of user identity information is returned to REPD, which can subsequently use it for authorization decisions on access to the resources.
(4) REPD uses the user identity information in the assertion to redirect to Policy Management and submit a policy decision request. The request queries the user's privileges through the Policy Inquiry Service provided by Policy Management.
(5) Policy Management makes the access decision based on the user identity, the user's privileges and the resource access policy. REPD receives the access decision and uses it to decide whether to allow the user access.
(6) If the user is granted access to the resources, the user accesses them from CRP.
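The six steps above, together with the Multi-factor Authentication Service and the mapping tables of Section III.A, as an added example that is not part of the original paper: a runnable Python model in which IDM verifies a password plus an RFC 4226 HOTP code (the One Time Password that requirement (1) asks for) and issues an HMAC-signed assertion, REPD checks the assertion, and Policy Management answers the policy inquiry from a user-attribute table and an attribute-resource table covering both a provider-defined policy for a cloud resource and an owner-defined policy for a user-uploaded resource. The component names follow the paper; the assertion format, the HOTP second factor with its look-ahead window, and every user, attribute, resource and policy are assumptions constructed for this example.

```python
# Added example (not the paper's code): runnable model of the Fig. 2 workflow.
# Component names follow the paper; the HOTP second factor, the HMAC-signed
# assertion and every user, attribute, resource and policy are constructed.
import hashlib, hmac, json, struct, time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class IDM:
    """Identity Management: credential store, Multi-factor Authentication Service,
    and issuance/verification of signed identity assertions."""

    def __init__(self, signing_key):
        self._key, self._users = signing_key, {}

    def provision(self, name, password, otp_secret):
        salt = hashlib.sha256(b"salt:" + name.encode()).digest()  # constructed per-user salt
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
        self._users[name] = {"salt": salt, "pw": pw_hash, "secret": otp_secret, "counter": 0}

    def authenticate(self, name, password, otp_code):
        """Both factors must verify; returns a signed assertion, or None on failure."""
        u = self._users.get(name)
        if u is None:
            return None
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), u["salt"], 50_000)
        otp_ok = False
        if hmac.compare_digest(pw_hash, u["pw"]):
            # Look-ahead window of 3 so a skipped code does not lock the user out;
            # a code that verifies is consumed, so it can never be replayed.
            for c in range(u["counter"], u["counter"] + 3):
                if hmac.compare_digest(hotp(u["secret"], c), otp_code):
                    u["counter"], otp_ok = c + 1, True
                    break
        if not otp_ok:
            return None
        payload = json.dumps({"sub": name, "exp": int(time.time()) + 300}, sort_keys=True).encode()
        return {"payload": payload, "sig": hmac.new(self._key, payload, hashlib.sha256).hexdigest()}

    def verify_assertion(self, assertion):
        """Identity Information Inquiry Service: identity if signature and expiry hold, else None."""
        sig = hmac.new(self._key, assertion["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, assertion["sig"]):
            return None
        body = json.loads(assertion["payload"])
        return body if body["exp"] > time.time() else None


class PolicyManagement:
    """Policy Management: user-attribute mapping table (User Authorization) plus
    attribute-resource mapping table (Access Policy Management)."""

    def __init__(self):
        self.user_attrs = {}  # user -> set of attributes
        self.policies = {}    # resource -> {"owner": str or None, "need": set of attributes}

    def authorize_user(self, user, *attrs):
        self.user_attrs[user] = set(attrs)

    def register(self, resource, need, owner=None):
        """Provider registers cloud resources (owner=None); an upload records its owner."""
        self.policies[resource] = {"owner": owner, "need": set(need)}

    def policy_inquiry(self, identity, resource):
        pol = self.policies.get(resource)
        if pol is None:
            return False                       # unregistered resource: deny by default
        if pol["owner"] == identity["sub"]:
            return True                        # owners always reach their own uploads
        return pol["need"] <= self.user_attrs.get(identity["sub"], set())


class REPD:
    """Resources Engine and Policy Decision-making: the entry point users talk to."""

    def __init__(self, idm, pm, crp):
        self.idm, self.pm, self.crp = idm, pm, crp

    def access(self, user, password, otp_code, resource):
        assertion = self.idm.authenticate(user, password, otp_code)  # steps (1)-(2)
        if assertion is None:
            return "denied: authentication failed"                     # step (3)
        identity = self.idm.verify_assertion(assertion)
        if identity is None:
            return "denied: invalid assertion"
        if not self.pm.policy_inquiry(identity, resource):             # steps (4)-(5)
            return "denied: policy"
        return self.crp[resource]                                      # step (6): fetch from CRP


def build_demo():
    """Constructed deployment: one provider resource, one user upload, two users."""
    idm, pm = IDM(signing_key=b"idm-assertion-key"), PolicyManagement()
    crp = {"vm/image-01": "<cloud resource: base VM image>",
           "upload/alice/notes": "<user-uploaded resource owned by alice>"}
    idm.provision("alice", "correct horse", b"12345678901234567890")
    idm.provision("bob", "battery staple", b"secret-for-bob-0001")
    pm.authorize_user("alice", "tenant:acme", "role:developer")
    pm.authorize_user("bob", "tenant:acme")
    pm.register("vm/image-01", need={"tenant:acme", "role:developer"})      # provider policy
    pm.register("upload/alice/notes", need={"role:auditor"}, owner="alice")  # owner policy
    return REPD(idm, pm, crp)
```

With `repd = build_demo()`, the call `repd.access("alice", "correct horse", hotp(b"12345678901234567890", 0), "vm/image-01")` walks all six steps and returns the cloud resource; presenting the same OTP a second time is refused because the counter has moved on, bob is denied the VM image for lack of the `role:developer` attribute although both his factors verify, and an unregistered resource is denied by Policy Management before REPD ever touches CRP. The secret `12345678901234567890` is the RFC 4226 test-vector key, so the OTP codes can be checked against the RFC's appendix.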
Figure 2 Workflow of user access to resources
IV. CONCLUSIONS AND FUTURE WORK
To enable users to access cloud resources in a secure way, we propose an Identity and Access Management Architecture. The security architecture has the following advantages:
• Systematic and comprehensive
The architecture integrates identity management, authentication and access control mechanisms, and takes into account secure access both to cloud resources and to user-uploaded resources.
• Standardization
The main function modules of the architecture are provided as services: the Multi-factor Authentication Service, the Identity Information Inquiry Service and the Policy Inquiry Service. The architecture makes full use of the advantages of service-oriented architecture to achieve standardized, service-oriented security mechanisms.
• Scalability
The architecture supports multiple authentication mechanisms and the addition of new ones, so strong authentication can be achieved with any combination of them. Access policy mechanisms can be chosen to match the security requirements of each resource.
• Autonomy
User authorization is performed by Policy Management on the basis of the user attributes passed to it; the privileges attached to an attribute depend on the advice of the resource providers, and access control is implemented at the destination resource. The access control mechanisms therefore reflect the resource owners' privileges and protect resources by allowing only authorized access. Resource owners can flexibly define their access control policy, be it coarse-grained or fine-grained, and modify or extend their current policy with ease.
On the whole, the work presented in this paper is a comprehensive Identity and Access Management Architecture that addresses some of the new security requirements of the cloud. A number of issues remain to be considered.
If the privacy of user data is strong, the data may be encrypted before processing, and more complex strategies are needed to define and manage its policies. The architecture also needs to consider federated identity management, and the development and implementation of access management strategies across domains when access spans multiple trust domains. We intend to propose a more comprehensive and detailed cross-domain architecture.
Furthermore, we will implement the security architecture, conduct experiments on a testbed, and investigate the scalability and performance of the architecture. This will help to optimize and enhance the security architecture.
ACKNOWLEDGMENT
This work is supported by the National High Technology Research and Development Program of China (863 Program) 2012AA012704 and the Basic Research Program of Henan Province (No. 142300410093).
REFERENCES
[1] Cloud Security Alliance. Security Guidance for Critical Areas of Focus in Cloud Computing V3.0. 2011, 176 p. https://cloudsecurityalliance.org/initiatives/guidance/csaguide.v3.0.pdf
[2] Wayne Jansen, Timothy Grance. Guidelines on Security and Privacy in Public Cloud Computing. NIST Special Publication 800-144, 2011, 70 p.
[3] Cloud Security Alliance. SecaaS Implementation Guidance, Category 1: Identity and Access Management. 2012, 43 p. https://cloudsecurityalliance.org/research/working-groups/security-as-a-service/SecaaS_Cat_1_IAM_Implementation_Guidance.pdf
[4] Cloud Security Alliance. SecaaS: Defined Categories of Service 2011. 2011, 27 p. https://downloads.cloudsecurityalliance.org/initiatives/secaas/SecaaS_V1_0.pdf
[5] Corinne S. Irwin, Dennis C. Taylor. Identity, Credential, and Access Management at NASA, from Zachman to Attributes. Proceedings of the 8th Symposium on Identity and Trust on the Internet (IDtrust), 2009, 1-14.
[6] Abdul Ghafoor, Misbah Irum, Muhammad Qaisar. User Centric Access Control Policy Management Framework for Cloud Applications. 2013 2nd National Conference on Information Assurance (NCIA), 2013, 135-140.
[7] Regina N. Hebig, Christoph Meinel, Michael Menzel, Ivonne Thomas, Robert Warschofsky. A Web Service Architecture for Decentralised Identity- and Attribute-based Access Control. 2009 IEEE International Conference on Web Services, 2009, 551-558.
[8] Mohit Kohli. Transformation from Identity Stone Age to Digital Identity. International Journal of Network Security & Its Applications (IJNSA), 2011, 121-136.
[9] Waldemar Hummer, Patrick Gaubatz, Mark Strembeck, Uwe Zdun, Schahram Dustdar. An Integrated Approach for Identity and Access Management in a SOA Context. Proceedings of the 16th ACM Symposium on Access Control Models and Technologies (SACMAT), 2011, 21-30.
[10] R.M. Alguliev, F.C. Abdullayeva. Identity management based security architecture of cloud computing on multi-agent systems. 2013 Third International Conference on Innovative Computing Technology (INTECH), 2013, 123-126.