Bibliographic details

Year of defence: 2016
Main author: SETTE, Ioram Schechtman
Advisor: FERRAZ, Carlos André Guimarães
Examination board: Not informed by the institution
Document type: Thesis
Access type: Open access
Language: eng
Defending institution: Universidade Federal de Pernambuco
Graduate programme: Programa de Pos Graduacao em Ciencia da Computacao
Department: Not informed by the institution
Country: Brasil
Keywords in Portuguese:
Access link: https://repositorio.ufpe.br/handle/123456789/22436

Abstract:
Multiple Cloud Service Providers (CSPs) coexist nowadays, offering their services competitively. To avoid vendor lock-in, users hire services from several providers, forming an outsourced, heterogeneous multi-cloud environment. As a result, data and system security usually depend on the isolated mechanisms that exist in each provider. Access Control (AC) mechanisms are responsible for the authentication, identification and authorisation of users to resources. In a multi-cloud environment, users often need to authenticate multiple times and to define security policies separately for each CSP, which can lead to inconsistencies. The objective of this thesis is to provide a homogeneous access experience for users of heterogeneous multi-cloud services. Identity federations enable Single Sign-On (SSO): users are identified and authenticated once by Identity Providers (IdPs) and gain access to trusted federated services. Nevertheless, authorisation federations (AC federations) are not common. Each cloud service tends to have its own AC mechanism, with its own policy definition language. This work defines a solution that provides homogeneous authentication and authorisation across multiple heterogeneous Infrastructure as a Service (IaaS) platforms, by combining Identity Federations with Authorisation Policy Federations (APFs). In this solution, security policies are stored centrally in Disjunctive Normal Form (DNF) and are defined semantically in terms of an ontology. Cloud tenants can therefore create APFs and bind their different accounts to them, so that global authorisation rules, defined and managed by the APF, are enforced on all federated member accounts, providing a homogeneous access experience.
A system prototype was implemented for the OpenStack and Amazon Web Services (AWS) cloud platforms, composed of a central Policy Administration Point (PAP), called the Federated Authorisation Policy Management Service (FAPManS), policy adaptors (translators) and a policy synchronisation mechanism. An ontology was also created based on the access control technologies of these platforms. The "Level of Semantic Equivalence (LSE)" was defined as a metric giving the percentage of policy rules that could be translated into ontology terms. To validate the solution, authorisation policies based on examples publicly provided by OpenStack and AWS were converted to ontology-based global rules and vice versa, with an LSE above 80%.