integrity measurements for stronger cloud based
play

Integrity measurements for stronger cloud-based authentication John - PowerPoint PPT Presentation

Mar 13, 2024 •166 likes •371 views

Integrity measurements for stronger cloud-based authentication John Zic 1 Thomas Hardjono 2 1 CSIRO Computational Informatics 2 MIT Kerberos and Internet of Trust Trust in the Digital World: Enabling the Economies of Trust Zic and

  1. Integrity measurements for stronger cloud-based authentication John ˇ Zic 1 Thomas Hardjono 2 1 CSIRO Computational Informatics 2 MIT Kerberos and Internet of Trust Trust in the Digital World: Enabling the Economies of Trust ˇ Zic and Hardjono Integrity measurements for stronger cloud-based authentication

  2. Motivation Strong enterprise push to outsource IT infrastructure and services to Cloud provider solutions Cost savings from reduced spend on infrastructure and maintenance Cost increases from impact on existing system security and privacy Restating: adopting Cloud provider services means a change to the Enterprise’s business model for handling information security and privacy, as well as how it controls information. Trust needs to extend beyond an enterprise to include a third party (Cloud) service providers. ˇ Zic and Hardjono Integrity measurements for stronger cloud-based authentication

  3. So how do we extend trust beyond the enterprise into a collaborative environment? ˇ Zic and Hardjono Integrity measurements for stronger cloud-based authentication

  4. Three principles of trustworthy collaboration 1 Agreed upon contracts. 2 Demonstrable, verifiable adherance to the agreed contract. 3 Established methods for resolution of exceptions and disputes. ˇ Zic and Hardjono Integrity measurements for stronger cloud-based authentication

  5. Scenario 1 Enterprise employee accessing cloud-based applications Employees should not notice any difference in accessing cloud-based or enterprise-local services Authentication and authorisation information needs to be conveyed from the enterprise to the Cloud service provider Enterprise needs to remain the authoritative source ˇ Zic and Hardjono Integrity measurements for stronger cloud-based authentication

  6. Scenario 2 Enterprise with in-bound institutional customers Enterprise-A and Enterprise-B share a cloud-based application Enterprise-A has a customer dealing with Enterprise-B employee accessing a cloud-based application Authentication and authorisation information needs to be conveyed from Enterprise-B into the cloud-based application within the domain or realm of Enterprise-A ˇ Zic and Hardjono Integrity measurements for stronger cloud-based authentication

  7. Bootstrapping trust in cloud-based services Trust Frameworks require defined Levels of Assurance to raise confidence in the quality of authentication performed by an indentity-based service in the cloud Identity service providers base their access decisions on knowledge about the state of the computing platforms and devices that clients use to access remote cloud-based applications. Any solution proposed needs to have a high degree of interoperability with exisiting “enterprise” authentication and authorisation infrastructures. ˇ Zic and Hardjono Integrity measurements for stronger cloud-based authentication

  8. Our proposal Based on Cloud-based Integrity Measurement Service (cIMS) Use of a client-side trusted computing environment capable of performing integrity measurements used by the cIMS Use the classic SAML 2.0 ecosystem in order to maximise existing interoperability ˇ Zic and Hardjono Integrity measurements for stronger cloud-based authentication

  9. Trust Extension Device (TED) A portable trustworthy computing system concept demonstrator Figure: TED hardware prototype, 2009 ˇ Zic and Hardjono Integrity measurements for stronger cloud-based authentication

  10. TED Features USB sized embedded computer running Linux with integrated TPM cryptographic microcontroller TPM offers: integrity checks; crypto functions; keys and certificates storage Supports dedicated client applications and libraries. No user interface - only secure network connectivity and power ˇ Zic and Hardjono Integrity measurements for stronger cloud-based authentication

  11. TED Software Stack Applica@on ¡ TSS ¡Server ¡ TSS ¡Library ¡ TPM ¡Library ¡ Embedded ¡OS ¡ TPM ¡driver ¡ I2C ¡device ¡driver ¡ USB ¡driver ¡ TPM ¡ USB ¡ ¡ Extension ¡ Embedded ¡CPU ¡ Extension ¡ ˇ Zic and Hardjono Integrity measurements for stronger cloud-based authentication

  12. Cloud based integrity measurement architecture Authen7ca7on Service 2 SSO Enterprise SAML-A;ribute- Directory- 5 Provider Server 4 Integrity Measurement Iden+ty.Provider.(IdP) CIMS Server TED Client-App Client-App 3 Cloud8based.Integrity Measurement.Service. (cIMS) 6 Enterprise- User 1 App ENTERPRISE Cloud.Provider (Service.Provider.(SP)) ˇ Zic and Hardjono Integrity measurements for stronger cloud-based authentication

  13. Architectural Entities EDS Standard directory services, under the control of the Enterprise. IdP as per SAML Core and SAML Profiles specifications. TED is issued to an employee of the Enterprise. Contains the Enterprise Client App. ˇ Zic and Hardjono Integrity measurements for stronger cloud-based authentication

  14. Architectural Entities (2) cIMS performs the Integrity measurement and evaluation of the Client App and associated platform (the TED). Returns an Trust Score based on agreed upon measurements. Cloud Provider corresponds to a SAML 2.0 Service Provider . Uses the signed SAML assertion that include LOA values from the IdP to control access to the User of resources or services. ˇ Zic and Hardjono Integrity measurements for stronger cloud-based authentication

  15. Protocol Overview 1 1 Client App requests access to Cloud Provider App Cloud Provider redirects Client to the IdP for authentication. Redirection includes signed SAML 2.0 integrity schema capturing the components of the Client’s platform that Cloud Provider needs integrity checked. 2 Client authenticates to IdP. Client redirected by CP to IdP for authentication (e.g. based on SAML 2.0 SSO profile) Client authenticated by IdP and redirected to the cIMS selected by the IdP. ˇ Zic and Hardjono Integrity measurements for stronger cloud-based authentication

  16. Protocol overview 2 3 The cIMS evaluates the integrity of the Client (including App). Client can the initiate integrity check on the TED, following the previously sent schema. TED attests its integrity in a signed report (this is done as part of the underlying TPM protocols) to the cIMS. 4 cMIS forwards a Trust Score to the IdP. cIMS generates the Trust Score based on the information from the TED’s signed report. Trust Score is then sent to the IdP. ˇ Zic and Hardjono Integrity measurements for stronger cloud-based authentication

  17. Protocol overview 3 5 IdP issues SAML 2.0 assertions with a newly calculated LOA. The IdP compares the Trust Score agains the access control policies stored by the IdP The IdP issues a signed assertion containing its calculated LOA value(s). Multiple LOA values are permitted since they could capture additional second factor authentication used (e.g. biometrics). 6 Client sends request to the Cloud Provider. Client forwards the received assertion containing the LOA to the Cloud Provider. The CP then evaluates the LOA values against the defined access policies to determine with access is permitted or not. ˇ Zic and Hardjono Integrity measurements for stronger cloud-based authentication

  18. Summary By putting in place: Defined statements of expected configurations of the client (and other critical entities within the system) Building on established protocols (such as the attestation protocol of TPM and SAML 2.0 profiles and protocols) we have met 2/3 requirements for trusted collaboration. The remaining requirement - to be able to handle exceptional conditons and disputes - needs to be met. ˇ Zic and Hardjono Integrity measurements for stronger cloud-based authentication

  19. Future work Introduction of an accountability service, which keeps, securely and irrefutably, records of critical transactions. This service can be used to handle the system exceptions, failures and disputes. Carry out trials of the concepts presented here in extending the standard Kerberos protocol to give higher levels of assurance to identity claims made to cloud service providers. Hardjono, Greenwood and Pentland have proposed using the techniques here in assuring that the security requirements of the MIT OpenPDS (Open Personal Data Store) are fully met. ˇ Zic and Hardjono Integrity measurements for stronger cloud-based authentication

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Any Time, Any Place Manage Risk with innovative Cloud- based application What is RiskPoynt?

Any Time, Any Place Manage Risk with innovative Cloud- based application What is RiskPoynt?

Visualize Integrity, Gain Control, Operate Safely Any Time, Any Place Manage Risk with innovative Cloud- based application What is RiskPoynt? RiskPoynt is a Cloud based application developed and used for 10 year to visualise and manage

310 views • 10 slides
AIRS SST Measurements Using RTG.SST in support of validation, cloud filtering and finding marine

AIRS SST Measurements Using RTG.SST in support of validation, cloud filtering and finding marine

AIRS SST Measurements Using RTG.SST in support of validation, cloud filtering and finding marine aerosol. George Aumann 25 February 2003 Why use the ocean surface for validation? The buoy measurements are the primary standard at the 0.1K

624 views • 27 slides
Cloud based systems that can help you grow your business Some of the cloud based tools we use at

Cloud based systems that can help you grow your business Some of the cloud based tools we use at

Cloud based systems that can help you grow your business Some of the cloud based tools we use at Business Connected Dashlane Crunchboards Trello icloud Adobe Creative Cloud Proposify Receipt Bank Maxmail Dropbox Go to Meeting Mailchimp

328 views • 21 slides
Measurements of BB Angular Correlations Measurements of BB Angular Correlations Measurements of

Measurements of BB Angular Correlations Measurements of BB Angular Correlations Measurements of

XIV International Conference on Hadron Spectroscopy Measurements of BB Angular Correlations Measurements of BB Angular Correlations Measurements of BB Angular Correlations based on based on based on Secondary Vertex Reconstruction Secondary

521 views • 23 slides
KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR

KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR

KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR INTEGRITY INTEGRITY INTEGRITY INTEGRITY INTEGRITY INTEGRITY Blockchain & Security Ruth Crowell, Chief Executive Asia Pacific Precious Metals

460 views • 10 slides
Development and Implementation of a Variational Cloud Retrieval Scheme for the Measurements of

Development and Implementation of a Variational Cloud Retrieval Scheme for the Measurements of

Development and Implementation of a Variational Cloud Retrieval Scheme for the Measurements of the SURFRAD Observation System May 15, 2008 Steven Cooper, Joseph Michalksy, Ellsworth G. Dutton, John Augustine, Gary Hodges Acknowledgements

644 views • 46 slides
Enabling Efficient Batch Verification Enabling Efficient Batch Verification on Data Integrity for

Enabling Efficient Batch Verification Enabling Efficient Batch Verification on Data Integrity for

Enabling Efficient Batch Verification Enabling Efficient Batch Verification on Data Integrity for Cloud on Data Integrity for Cloud ChinLaung Lei Department of Electrical Engineering National Taiwan University 1 Outline Introduction

641 views • 41 slides
Crosscomparison of AIRS Cloud Products with ARM and A-train Measurements by Brian Kahn 1 , Amy

Crosscomparison of AIRS Cloud Products with ARM and A-train Measurements by Brian Kahn 1 , Amy

National Aeronautics and Space Administration Jet Propulsion Laboratory California Institute of Technology AIRS Science Team Meeting, March 79, 2006 Crosscomparison of AIRS Cloud Products with ARM and A-train Measurements by Brian Kahn

620 views • 59 slides
Cloud Management Chapter 5 eBook: Cloud Compu5ng: Web-Based

Cloud Management Chapter 5 eBook: Cloud Compu5ng: Web-Based

Cloud Management Chapter 5 eBook: Cloud Compu5ng: Web-Based Dynamic IT Services ENGR 5770 / CSCI 5700 Service Compu5ng Winter 2013 1 Cloud

673 views • 21 slides
Ensuring data integrity with asynchronous programming in a cloud IoT core Europython 2020

Ensuring data integrity with asynchronous programming in a cloud IoT core Europython 2020

Ensuring data integrity with asynchronous programming in a cloud IoT core Europython 2020 George Python Enthusiast, Angular addicted. Currently working as a Zisopoulos Full-Stack Engineer at Veturilo.io Theofanis Python Fanatic, Elixir and

348 views • 31 slides
Remote Measurements of Greenhouse Gases Under Cloud With The AERI FTS Instrument W.F.J. Evans ,

Remote Measurements of Greenhouse Gases Under Cloud With The AERI FTS Instrument W.F.J. Evans ,

Remote Measurements of Greenhouse Gases Under Cloud With The AERI FTS Instrument W.F.J. Evans , NorthWest Research Associates, Redmond, Henry L. Buijs and Claude B. Roy ABB Bomem, Quebec City The Measurement Concept . gases The new AERI

329 views • 20 slides
Using Collocated AVHRR Imager Background and Motivation Measurements to Constrain Cloud Cleared

Using Collocated AVHRR Imager Background and Motivation Measurements to Constrain Cloud Cleared

AVHRR IASI E. Maddy et al. Using Collocated AVHRR Imager Background and Motivation Measurements to Constrain Cloud Cleared Collocation Radiances from IASI Cloud Clearing E. S. Maddy 1 , 2 , T. S. King 1 , 2 ,H. Sun 1 , 2 , W. W. Wolf 2 ,

682 views • 25 slides
Satellite measurements of CCN and cloud properties at the cloudy boundary layer: The Holy Grail

Satellite measurements of CCN and cloud properties at the cloudy boundary layer: The Holy Grail

Satellite measurements of CCN and cloud properties at the cloudy boundary layer: The Holy Grail is it achievable? C 1 1 Daniel Rosenfeld , The Hebrew University of Jerusalem Bull. Amer. Met. Soc. CHASER The Scientific Basis Daniel

615 views • 12 slides
Cloud WorkBench A Web-Based Framework for Benchmarking Cloud Services Joel Scheuner University

Cloud WorkBench A Web-Based Framework for Benchmarking Cloud Services Joel Scheuner University

Cloud WorkBench A Web-Based Framework for Benchmarking Cloud Services Joel Scheuner University of Zurich, Switzerland software evolution & architecture lab 14.08.2014 Cloud Computing - Essential Characteristics 1. On-demand Self-service

508 views • 28 slides
FAST (Harder Better) FAster STronger Cryptography 2020/02/19 Bordeaux Damien Robert

FAST (Harder Better) FAster STronger Cryptography 2020/02/19 Bordeaux Damien Robert

FAST (Harder Better) FAster STronger Cryptography 2020/02/19 Bordeaux Damien Robert quipe LFANT, Inria Bordeaux Sud-Ouest Goal Cryptology: Encryption; Authenticity; Integrity. asymmetric encryption, signatures, zero-knowledge

225 views • 20 slides
FAST (Harder Better) FAster STronger Cryptography 2018/09/18 LIRIMA Meeting, Paris, France

FAST (Harder Better) FAster STronger Cryptography 2018/09/18 LIRIMA Meeting, Paris, France

FAST (Harder Better) FAster STronger Cryptography 2018/09/18 LIRIMA Meeting, Paris, France Damien Robert quipe LFANT, Inria Bordeaux Sud-Ouest Goal Cryptology: Encryption; Authenticity; Integrity. asymmetric encryption, signatures,

683 views • 31 slides
+ Scyld

+ Scyld

+ Scyld Cloud Workstation Shailesh Shenoy

486 views • 13 slides
Identity Federation for Virtual Organizations: GridShib and MyProxy APAN Middleware Workshop

Identity Federation for Virtual Organizations: GridShib and MyProxy APAN Middleware Workshop

Identity Federation for Virtual Organizations: GridShib and MyProxy APAN Middleware Workshop Jan 22nd, 2006 Toyko, Japan Von Welch vwelch@ncsa.uiuc.edu Outline GridShib MyProxy Future plans: Shibboleth/MyProxy/GridShib

473 views • 28 slides
Cayuse 424 Training 1. Entering Applications in Cayuse 424 2. Open Discussion/Questions Cayuse

Cayuse 424 Training 1. Entering Applications in Cayuse 424 2. Open Discussion/Questions Cayuse

Cayuse 424 Training 1. Entering Applications in Cayuse 424 2. Open Discussion/Questions Cayuse 424 Entering Application Updated: July 25, 2018 Training Outline Overview of Cayuse 424 Cayuse 424 Hands-on Lab Professional Profiles

331 views • 9 slides
The Handle Turns Itself... Adventures In Account Management Toby Blake Craig Strachan School of

The Handle Turns Itself... Adventures In Account Management Toby Blake Craig Strachan School of

The Handle Turns Itself... Adventures In Account Management Toby Blake Craig Strachan School of Informatics University of Edinburgh The Good Old Days UID text file or similar /etc/passwd Username Make it up or ask the user Today LDAP

345 views • 18 slides
Introduction to PDC environment Xin Li PDC Center for High Performance Computing KTH Royal

Introduction to PDC environment Xin Li PDC Center for High Performance Computing KTH Royal

Introduction to PDC environment Xin Li PDC Center for High Performance Computing KTH Royal Institute of Technology SF2568, January 2019 Xin Li (PDC) Introduction to PDC environment 15 Jan 2019 1 / 36 PDC Overview Outline PDC Overview 1

710 views • 36 slides
IHE: A Proven Process IHE: A Proven Process for HL7 Standards for HL7 Standards Implementation

IHE: A Proven Process IHE: A Proven Process for HL7 Standards for HL7 Standards Implementation

IHE: A Proven Process IHE: A Proven Process for HL7 Standards for HL7 Standards Implementation Implementation Glen F. Marshall, Glen F. Marshall, Co- -chair, IHE IT Infrastructure Planning chair, IHE IT Infrastructure Planning Co 1 What

457 views • 17 slides
Status of SMB2 and SMB3 development in Samba SDC 2012 Michael Adam obnox@samba.org Samba Team /

Status of SMB2 and SMB3 development in Samba SDC 2012 Michael Adam obnox@samba.org Samba Team /

Status of SMB2 and SMB3 development in Samba SDC 2012 Michael Adam obnox@samba.org Samba Team / SerNet 2012-09-17 Hi there! Oh ... ... please interrupt with questions! Michael Adam SMB2+ in Samba (3 / 20) SMB2 in Samba Only SMB 2.0

1.35k views • 75 slides
GatorLink Authentication Using Shibboleth Peer 2 Peer August 6, 2010 UF INFORMATION TECHNOLOGY

GatorLink Authentication Using Shibboleth Peer 2 Peer August 6, 2010 UF INFORMATION TECHNOLOGY

GatorLink Authentication Using Shibboleth Peer 2 Peer August 6, 2010 UF INFORMATION TECHNOLOGY Shibboleth Warren Curry Associate Director and Lead, Core IT ES Alan Cook Interim Director, Student Information Systems ES Eli

627 views • 13 slides

More recommend