
5.4 Standards and Protocols for Cloud Services

5.4.7 OpenAM (formerly OpenSSO)

OpenAM is the continuation of Sun Microsystems' OpenSSO product after Oracle's acquisition of Sun. It is developed by ForgeRock as an open source, web-based application that provides authentication, authorization, entitlement and federation services.

OpenAM provides core identity services that simplify the implementation of transparent Single Sign-On (SSO) as a security component in a network infrastructure, and it serves as the foundation for integrating diverse web applications. Using OpenAM, such web applications can:

• operate against a disparate set of identity repositories

• be hosted on a variety of platforms such as web and application servers

5.4.8 Diameter/RADIUS

Diameter and RADIUS are two networking protocols that provide AAA (Authentication, Authorization and Accounting). RADIUS carries authentication, authorization and configuration information between a Network Access Server (NAS), which wants to authenticate its links, and a shared authentication server. It is a client/server protocol that runs at the application layer over UDP (port 1812 for authentication and 1813 for accounting). It is used to authenticate users or devices before granting them access to a network, to authorize those users or devices for particular network services, and to account for their usage of those services [Rig00]. Its security rests on a shared secret between each NAS and the server: the secret is used to hide the User-Password attribute and to authenticate server replies through an MD5-based Response Authenticator, while every other attribute travels in clear text. RADIUS traffic should therefore be confined to a trusted management network or tunnelled (for example over IPsec), and each NAS should be configured with its own strong secret.

Diameter is the natural evolution of RADIUS (the name was chosen because the diameter is twice the radius). The Diameter base protocol provides an AAA framework for applications such as network access or IP mobility. It runs over TCP or SCTP rather than UDP, relies on transport-layer protection (IPsec or TLS) instead of a per-attribute shared-secret scheme, and adds reliable failover, capability negotiation and peer-to-peer operation. Diameter is not directly backwards compatible with RADIUS, but it provides an upgrade path from it [Cal03].
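The following Python script is an added worked example; it is not part of the original deliverable nor code from any RADIUS implementation. It models the RFC 2865 Access-Request/Access-Accept exchange between a NAS and a RADIUS server that share a secret: the random 16-byte Request Authenticator, the MD5-based hiding of the User-Password attribute, and the Response Authenticator that the NAS recomputes to check the reply. All function names, the shared secret, the user credential and the NAS address 192.0.2.10 are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and the attribute types used in this example
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def encode_attribute(attr_type, value):
    """Attribute = Type(1) Length(1, header included) Value; value is at most 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: XOR 16-byte blocks with an MD5(secret || previous block) keystream."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # each block chains on the previous ciphertext block
    return out


def unhide_password(hidden, secret, request_authenticator):
    """Inverse of hide_password; anyone holding the shared secret can do this."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")  # strip the null padding added by the sender


def build_packet(code, identifier, authenticator, attributes):
    """Packet = Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    body = b"".join(attributes)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def build_access_request(username, password, secret, identifier, request_authenticator=None):
    """NAS side: the Request Authenticator must be fresh and unpredictable for every request."""
    ra = request_authenticator or os.urandom(16)
    attrs = [
        encode_attribute(ATTR_USER_NAME, username),
        encode_attribute(ATTR_USER_PASSWORD, hide_password(password, secret, ra)),
        encode_attribute(ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),  # constructed NAS address
    ]
    return build_packet(ACCESS_REQUEST, identifier, ra, attrs)


def parse_attributes(packet):
    """Return {type: value} for the attributes that follow the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_response(code, request, secret, attributes=()):
    """Server side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_response(response, request, secret):
    """NAS side: recompute the Response Authenticator using the original Request Authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def server_handle(request, secret, users):
    """Constructed server: recover the password and compare it with the stored credential."""
    attrs = parse_attributes(request)
    name = attrs.get(ATTR_USER_NAME, b"")
    password = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request[4:20])
    code = ACCESS_ACCEPT if hmac.compare_digest(users.get(name, b""), password) else ACCESS_REJECT
    return build_response(code, request, secret)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    users = {b"alice": b"correct horse battery"}  # constructed credential store
    req = build_access_request(b"alice", b"correct horse battery", secret, identifier=7)
    resp = server_handle(req, secret, users)
    print("reply:", "Access-Accept" if resp[0] == ACCESS_ACCEPT else "Access-Reject",
          "authentic:", verify_response(resp, req, secret))
    # A Reject cannot be rewritten into an Accept without the secret: the code is covered by the MAC
    bad_req = build_access_request(b"alice", b"wrong", secret, identifier=8)
    forged = bytes([ACCESS_ACCEPT]) + server_handle(bad_req, secret, users)[1:]
    print("forged Accept verifies:", verify_response(forged, bad_req, secret))
```

Run as a script it shows a valid login being accepted and a forged Access-Accept failing verification. The same code makes the protocol's weakness visible: whoever holds the shared secret, or can recover it offline from a captured request/response pair, can decrypt every password and forge any reply, which is why the secret must be strong and per-NAS and the UDP transport protected.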

5.4.9 Summary of IAM protocols and standards

SAML
  Cloud User requirements: to support strong authentication and web SSO, avoid duplication of identity, and share only selected attributes to protect user privacy.
  Cloud Platform requirements: to enable customers to delegate authentication and choose authentication methods (e.g., two-factor authentication using corporate identity) that enable adoption of the cloud service.

OAuth
  Cloud User requirements: to publish and interact with protected data stored on one Cloud Platform and accessed from another Cloud Platform using a standard API, without disclosing credentials.
  Cloud Platform requirements: to enable users to access their data hosted by another service provider while protecting their account and credential information.

OpenID
  Cloud User requirements: not usually adopted, due to trust issues.
  Cloud Platform requirements: to support SSO for consumers participating in this federated identity service.

OATH
  Cloud User requirements: not relevant.
  Cloud Platform requirements: not relevant.

OpenAM
  Cloud User requirements: to support authentication and authorization, integrating diverse web applications.
  Cloud Platform requirements: web applications can be hosted on a variety of platforms.

Diameter/RADIUS
  Cloud User requirements: AAA (authentication, authorization and accounting).
  Cloud Platform requirements: to enable control over which users are allowed access to which services, and how much of the resources they have used.

Table 15: Summary of IAM protocols and standards

6 Available Frameworks

The European Commission has shown a special interest in reinforcing security and privacy on the Web. The Seventh Framework Programme (FP7) includes objectives that explicitly address a reliable, smart and secure Internet of Things and trustworthy information and communication technologies. OPENi could use some of the publicly available frameworks produced by these projects, as well as learn from their conclusions and lessons.

Regarding security, the most relevant FP7 projects so far have been:

TCLOUDS: the mission of TCLOUDS is to develop an advanced cloud infrastructure that delivers computing and storage with a new level of security, privacy and resilience while remaining cost-efficient, simple and scalable [Tcl13].

TRESCCA: the TRESCCA project aims to lay the foundations of a secure and trustable cloud platform by ensuring strong logical and physical security on the edge devices, using both hardware security and virtualization techniques while considering the whole cloud architecture. The project proposes and demonstrates hardware/software solutions that allow stakeholders to delegate the processing of their sensitive data to a remote processing engine, opening up a whole new field of cloud services and applications [Tre13].

CUMULUS: CUMULUS develops an integrated framework of models, processes and tools supporting the certification of security properties of infrastructure (IaaS), platform (PaaS) and software application layer (SaaS) services in the cloud. The CUMULUS framework brings service users, service providers and cloud suppliers together with certification authorities in order to keep security certificates valid in the ever-changing cloud environment [Cum13].

Some relevant FP7 projects on privacy and identities are:

PICOS: an open state-of-the-art platform for providing trust, privacy and identity management in mobile communities [Pic13].

PrimeLife: develops concepts and technologies that help individuals protect their autonomy and retain control over personal information, irrespective of their activities. Several of its results are open source [Pri13].

SWIFT: focuses on extending identity functions and federation to the network while addressing usability and privacy concerns [Swi13].

Besides these, other organizations and institutions have released powerful open frameworks for privacy and security. Some of them are:

Apache Cocoon: its authentication framework is a flexible module for authentication, authorization and user management [Coc13].

Apache Shiro: a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography and session management [Shi13].

Spring Security: a powerful and highly customizable authentication and access-control framework for Java applications [Spr13].

7 Data Privacy and Legal Issues

The concept of OPENi cloudlets involves managing personal information in some cloud infrastructure.

This approach raises many legal issues that have to be considered, specifically around how cloudlet data are collected, stored and processed. Note that the physical location of the storage and computing resources of the Cloudlet platform may vary and may not necessarily fall under a single jurisdiction. The many existing national and international laws must be taken into account for the sake of legal compliance; which laws apply depends on where the data are stored, and they impose requirements on the protection of the data from a confidentiality perspective.

Legislation makes a fundamental distinction between the data processor and the data controller (the party that defines the purpose and the means of the processing). European law is substantially more restrictive than that of other countries, particularly the United States. One of the most important principles of European legislation is that personal data may not be transferred to countries outside the European boundaries that do not offer an "adequate level of protection"; Switzerland, Argentina and Canada are among the few countries recognised as meeting the European requirements for such exchanges.

This legislation is not consistent with the philosophy of cloud computing, in which resources are allocated wherever capacity is available. Nevertheless, many cloud computing providers are deploying data centres within European boundaries in order to achieve legal compliance. For example, vendors like Amazon EC2 allow their users to choose the region where their resources will be allocated, and therefore the legislation that applies to their data.

The seven principles governing the Organisation for Economic Co-operation and Development's recommendations for the protection of personal data are [OEC13]:

• Notice: data subjects should be given notice when their data is being collected.

• Security: collected data should be kept secure from any potential abuse.

• Purpose: data should be used only for the purpose stated, and not for any other purpose.

• Consent: data should not be disclosed without the data subject's consent.

• Disclosure: data subjects should be informed as to who is collecting their data.

• Access: data subjects should be allowed to access their data and make corrections to any inaccurate data.

• Accountability: data subjects should have a method available to them to hold data collectors accountable for following the above principles.

In Europe and in the countries of the OPENi consortium, the following laws are currently in force:

EU Directive 95/46/EC: the reference text, at European level, on the protection of personal data. It sets up a regulatory framework that seeks to strike a balance between a high level of protection for the privacy of individuals and the free movement of personal data within the European Union. To do so, the Directive sets strict limits on the collection and use of personal data and demands that each Member State set up an independent national body responsible for the protection of these data [Eur11] [Eur95].

National transpositions:

o Germany: Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) 2001

o Greece: Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data, as amended by Laws 2819/2000 and 2915/2000

o Ireland: Data Protection Act 1988 (amended 2003)

o Spain: Organic Law 15/1999 on the Protection of Personal Data (LOPD)

o UK: Data Protection Act 1998

8 Cloudlet Audit and Compliance

Audit and compliance refer to the external and internal processes that an organization implements to:

1. identify all the requirements to be fulfilled;

2. put into practice policies, procedures, systems and processes to satisfy those requirements;

3. check or monitor whether the above mechanisms actually satisfy them.

OPENi users will usually require external audits of the OPENi solution to verify its security and privacy controls. As stated in the previous section, the management of sensitive information is subject to a range of legal obligations. A practical way to demonstrate compliance with regulations is to have an accredited third party perform one or more of the standardized audits described below.

8.1 Audit Standards

8.1.1 SAS 70

The acronym stands for Statement on Auditing Standards No. 70 (SAS 70). It is an internationally recognised auditing standard developed by the AICPA (American Institute of Certified Public Accountants). It emerged in response to the growing trend of outsourcing services: companies have to be able to trust third parties that access their information and, conversely, data provided by third parties have to be trustworthy. Many organizations expressed a strong concern about maintaining compliance with the Sarbanes-Oxley Act and other laws and regulations. Note that in a cloud computing scenario the data may be off-site and cannot be audited directly. As a result, audit firms issue SAS 70 reports, which consist of a centralized review by an auditor independent of the outsourcing provider. SAS 70 is strictly an auditor's report on a service organization's controls rather than a certification: an unqualified report attests that the described controls exist and, for Type II, that they operated effectively over the review period. It does not by itself demonstrate compliance with data protection regulations, so the scope and the control objectives of the report must be read against the regulation in question.

Organizations that successfully complete a SAS 70 audit have passed an in-depth study of their control activities, including controls over IT resources and related processes. Hence it allows companies to provide an external attestation of their internal controls to their customers. Data centers covered by a SAS 70 report have to maintain prescribed levels of data security and redundancy, as well as staff controls.

All access and activities are logged and all physical access is strictly controlled. Moreover, data center staff are not allowed to access servers or data without a specific protocol, such as a successful authentication process or another security mechanism.

A SAS 70 report provides an important strategic advantage to outsourcers over those who do not have one. Furthermore, it saves costs for customers, as they do not have to perform the resource allocation and process documentation themselves.

SAS 70 defines two report types. The main difference between them is the depth and completeness of the procedures applied:

SAS 70 Type I: the auditor is presented with the security controls and mechanisms, as well as a detailed description of the objectives addressed by those mechanisms. The auditor then confirms that these controls exist and reviews them, and expresses an opinion on whether the description of the control objectives covers all the relevant aspects and whether the controls have been properly designed to achieve those objectives. Finally a report is issued describing the security controls in place at a specific date, attesting that such controls exist and that they cover the addressed risks.

SAS 70 Type II: a deeper version of Type I. It describes the current controls and the detailed tests applied to their effectiveness. Controls are tested over a period of no less than six months in order to assess their behaviour during that period. The auditor plays the same role as in Type I, but additionally provides an expert opinion on the operating effectiveness of the controls in achieving the objectives. Organizations should pass a SAS 70 Type II review at least once a year.

Initially, SAS 70 was designed as a way to support the financial audits of customers contracting an outsourced service. Given its success, the audit was later applied to other, less sensitive domains. Nowadays it is usually applied when a cloud service provider plays a significant role in the transaction processing or financial reporting of its customers' business model. Since June 2011 the AICPA has superseded SAS 70 with SSAE 16 (SOC 1 reports, with SOC 2 reports covering security, availability, processing integrity, confidentiality and privacy controls), so providers will typically offer those reports in its place.

8.1.2 ISO 27001

ISO 27001 is the best known standard for information security. It was approved and published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its predecessor was the BS 7799-2 standard from the British Standards Institution (BSI). ISO 27001 specifies the requirements for establishing, implementing, maintaining and improving an Information Security Management System (ISMS) based on the PDCA cycle (Plan-Do-Check-Act). This approach is aligned with the best practices given in ISO/IEC 17799 (now ISO/IEC 27002).

ISO 27001 addresses the following control areas:

• Security policy of the organization

• Organizational security: security infrastructure, security of third-party access and outsourcing

• Asset classification and control

• Personnel security, covering:

o security in job definitions and resourcing,

o staff training and the response to incidents and security anomalies

• Physical and environmental security

• Communications and operations management

• Access control

• Systems development and maintenance

• Business continuity management

• Compliance: fulfilment of legal requirements, the security policy, system audit, etc.

ISO 27001 was designed to provide a mechanism for organizations to demonstrate that they have an adequate information security management system, much as ISO 9001 is used to demonstrate that organizations have quality management systems in place. ISO 27001 certification is generally relied upon when global customers and prospects seek assurance about the cloud service provider's overall security programme. Note that certification attests that the ISMS conforms to the standard within the declared scope; the certified scope and the Statement of Applicability should be checked to confirm that the services actually consumed are covered.

8.1.3 HIPAA (US)

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the United States Congress in 1996. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic healthcare transactions and national identifiers for providers, health insurance plans and employers. The Privacy Rule and the Security Rule issued under these provisions set the requirements for handling protected health information (PHI), including the administrative, physical and technical safeguards that a cloud provider storing health data must implement.

8.1.4 Other desirable standards

There are other standards that could be applied by cloud service suppliers. ISO/IEC 27002, 27003, 27004, 27005 and 27006 address security in the information systems area, and ISO/IEC 29361, 29362 and 29363 address the interoperability of web services. Furthermore, ISO/IEC JTC 1 has created subcommittee 38 (SC 38) to work on the standardization of web services, service oriented architectures and cloud computing.

9 Conclusions and Recommendations

As a result of task "T2.3 Security and Privacy considerations", this deliverable reflects the outcome of analysing several publications, papers, articles and book chapters. A general set of considerations for the OPENi solution has been derived from a state-of-the-art review of privacy and security in cloud computing.

The OPENi Cloudlet platform is the most delicate component of the environment because it stores sensitive information about end users. It also manages access to the users' contracted cloud-based services registered in the Cloudlet platform. It is not yet clear which service model will be used to expose the Cloudlet platform to the API framework:

Advantages: the Cloudlet platform provides all required functionality to the end user in a way that does not require awareness of low-level infrastructure security mechanisms.
Disadvantages: limited monitoring capability is offered to users; some audit may be required to ensure the Cloudlet platform is secure; the platform vendor must provide users mechanisms to

SaaS (end users are just offered applications running on the cloud infrastructure)
Advantages: users are fully agnostic regarding security mechanisms.
Disadvantages: some functionalities like cloudlet storage and registry may not be implementable under this service model.

Table 16: Evaluation of Service Models for OPENi Cloudlet Platform

It is up to future tasks of the OPENi project to decide which option is best, based on the requirements delivered by "T2.5 Requirements Specification" and the considerations provided in this document. However, the preceding analysis indicates that PaaS is the most appropriate delivery model for the Cloudlet platform.

Another decision that falls outside the scope of task "T2.3 Security and Privacy Considerations" is whether the Cloudlet platform is to be deployed on its owner's premises or on a contracted cloud infrastructure. Both options have been discussed throughout the document. The first requires the Cloudlet platform owner to take care of security at all infrastructure levels; the second delegates these aspects to the cloud provider, usually in exchange for a periodic payment. Not only the hosting of the Cloudlet platform can be entrusted to an external cloud provider: several vendors offer Security-as-a-Service (SecaaS), which lets the Cloudlet platform delegate many security mechanisms. In any case, adherence to standards prevents future issues in case of migration from one cloud vendor to another.

The Cloudlet platform and the API framework have to give end users the capability to manage privacy over their personal data, while the applicable regulations and legislation must be observed at all times. Standardised audits provide assurance that such legal requirements are met. One approach that strikes a balance between access control flexibility and confidentiality requirements is Identity and Access Management (IAM). IAM enhanced with identity federation enables easy interaction and collaboration between cloud-based services. Many standard protocols are available, but SAML 2.0 seems to fit OPENi's purposes best.

Annex I: References

[Mat09] T. Mather, S. Kumaraswamy, S. Latif. "Cloud Security and Privacy. An Enterprise Perspective on Risks and Compliance". O'Reilly, 2009. ISBN 978-0-596-80276-9.

[Ssl11] A. Freier, P. Karlton, P. Kocher. "The Secure Sockets Layer (SSL) Protocol Version 3.0". RFC 6101 (Historic), Internet Engineering Task Force (IETF), ISSN 2070-1721, August 2011. http://tools.ietf.org/html/rfc6101

[Tls08] T. Dierks, E. Rescorla. "The Transport Layer Security (TLS) Protocol Version 1.2". RFC 5246, Network Working Group, August 2008. http://tools.ietf.org/html/rfc5246

[Kan08] E. Kangas. "SSL versus TLS – What's the difference?". luxsci.com, November 10th, 2008. Retrieved December 2012. http://luxsci.com/blog/ssl-versus-tls-whats-the-difference.html

[Sft06] J. Galbraith, O. Saarenmaa. "SSH File Transfer Protocol". Internet-Draft draft-ietf-secsh-filexfer-13, Secure Shell Working Group, July 10, 2006. http://tools.ietf.org/html/draft-ietf-secsh-filexfer-13

[Ips11] S. Frankel, S. Krishnan. "IP Security (IPsec) and Internet Key Exchange (IKE) Document Roadmap". RFC 6071, Internet Engineering Task Force (IETF), ISSN 2070-1721, February 2011. https://tools.ietf.org/html/rfc6071

[Wyl11] J. Wylkop. "RUB Researchers break W3C standard. XML Encryption is insecure: Large companies affected". Press Office, Ruhr University Bochum, No. 330, Bochum, 19.10.2011. http://aktuell.ruhr-uni-bochum.de/pm2011/pm00330.html.en

[Ima02] T. Imamura, B. Dillaway, E. Simon. "XML Encryption Syntax and Processing". W3C Recommendation, 10 December 2002. http://www.w3.org/TR/xmlenc-core/

[Res99] E. Rescorla, A. Schiffman. "The Secure HyperText Transfer Protocol". RFC 2660, Network Working Group, August 1999. http://tools.ietf.org/html/rfc2660

[CSA11] Cloud Security Alliance. "Security as a Service", Version 1.0, 2011. https://cloudsecurityalliance.org/research/secaas/

[Zha07] Z. Zhang, Y. Zhang, Y. Hu, Z. Mao. "Practical defenses against BGP prefix hijacking". Proceedings of the 2007 ACM CoNEXT conference (CoNEXT '07), Article No. 3, 2007. http://web.eecs.umich.edu/~zmao/Papers/conextDefendHijack07.pdf

[CSA11_2] Cloud Security Alliance. "Security Guidance for Critical Areas of Focus in Cloud Computing v3.0", 2011.

[Win12] V. Winkler. "Cloud Computing: Virtual Network Security Concerns". TechNet Magazine, Microsoft. Retrieved 12 February 2012. http://technet.microsoft.com/en-us/magazine/hh641415.aspx

[Mel11] P. Mell, T. Grance. "The NIST Definition of Cloud Computing". NIST Special Publication 800-145, 2011. http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

[Hic12] K. Hickey. "Dark Cloud: Study finds security risks in virtualization". Government Computer News (GCN). Retrieved 12 February 2012. http://gcn.com/articles/2010/03/18/dark-cloud-security.aspx

[Rut09] R. Wojtczuk, J. Rutkowska. "Attacking Intel® Trusted Execution Technology". Black Hat DC, February 18-19, 2009, Washington, DC, USA.