Multi-Tenant Access Control for Cloud Services
DESCRIPTION
Multi-Tenant Access Control for Cloud Services. PhD Dissertation Defense, Bo Tang. Committee Members: Dr. Ravi Sandhu (Chair), Dr. Kay Robbins, Dr. Gregory White, Dr. Weining Zhang, Dr. Jaehong Park. 07/31/2014. The Cloud. Anytime Anywhere.
TRANSCRIPT
![Page 1: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/1.jpg)
World-Leading Research with Real-World Impact! 1
Institute for Cyber Security
Multi-Tenant Access Control for Cloud Services
PhD Dissertation Defense Bo Tang
Committee Members: Dr. Ravi Sandhu, Chair
Dr. Kay Robbins, Dr. Gregory White, Dr. Weining Zhang, Dr. Jaehong Park
07/31/2014
![Page 2: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/2.jpg)
The Cloud
Anytime Anywhere
![Page 3: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/3.jpg)
Really? But where is my data?
![Page 4: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/4.jpg)
Multi-Tenancy
![Page 5: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/5.jpg)
Cloud & Multi-Tenancy
- Shared infrastructure: one pool [$$$] is divided among tenants [$|$|$]
- Multi-Tenancy
  o Isolated workspace for customers
  o Virtually (and temporarily) dedicated resources
- Problem: how to collaborate across tenants?
  o Even if across my own tenants?
![Page 6: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/6.jpg)
Define Tenant
- All deployment models are multi-tenant, e.g. public cloud, private cloud and community cloud
- From the Cloud Service Provider (CSP) perspective, a tenant is a billing customer that manages its own users and cloud resources
- The owner of a tenant can be an individual, an organization, a department in an organization, etc.
![Page 7: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/7.jpg)
Characteristics of Cloud
- Centralized facility: resource pooling
- Self-service agility: each tenant manages its own authorization; tenants, users and resources are temporary
- Homogeneity: identical or similar architecture and system settings
- Out-sourcing trust: built-in collaboration spirit
![Page 8: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/8.jpg)
Multi-Tenant Access Control (MTAC)
[Figure: roadmap of the top-down approach, covering Chapter 3, Chapter 4 and Chapter 5]
![Page 9: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/9.jpg)
Motivation
![Page 10: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/10.jpg)
Problem & Thesis
Problem Statement: The fact that contemporary cloud services are intrinsically not designed to cultivate collaboration between tenants limits the development of the cloud. Fine-grained access control models in traditional distributed environments are not directly applicable.
Thesis Statement: The problem of multi-tenant access control in the cloud can be partially solved by integrating various types of unidirectional and unilateral trust relations between tenants into role-based and attribute-based access control models.
![Page 11: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/11.jpg)
Chapter 2: Related Work
- Centralized approaches
  o RBAC extensions: ROBAC, GB-RBAC
  o Multi-domain role mapping
- Decentralized approaches
  o RT, dRBAC: credential-based delegation
  o Delegation models: PBDM, RBDM
- Attribute-based approaches
  o NIST ABAC: application framework for collaboration
  o ABAC models: ABURA, RBAC-A, ABACα, ABACβ
- Enforcement and implementation
  o Grid: PERMIS, VOMS, CAS
  o Web: ABAC for SOA systems
  o Cloud: centralized authorization service with trust models
![Page 12: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/12.jpg)
Scope and Assumptions
- Standardized APIs: cross-tenant accesses are functionally available
- Properly authenticated users
- One cloud service of a single kind: IaaS, PaaS or SaaS
- Two-tenant trust (rather than community trust)
- Unidirectional trust relations: "I trust you" does not mean "you trust me"
- Unilateral trust relations (trustor trusts trustee): the trustee cannot control the trust relation
![Page 13: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/13.jpg)
![Page 14: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/14.jpg)
MTAS
Formalizing Calero et al.'s work
![Page 15: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/15.jpg)
Tenant Trust
The Tenant Trust (TT) relation ⊴ is not a partial order:
- Reflexive: A ⊴ A
- But not transitive: A ⊴ B ∧ B ⊴ C ⇏ A ⊴ C
- Neither symmetric: A ⊴ B ⇏ B ⊴ A
- Nor anti-symmetric: A ⊴ B ∧ B ⊴ A ⇏ A ≡ B
![Page 16: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/16.jpg)
Administrative MTAS
- Tenants are managed by the CSP on a self-service basis
- Each tenant administers:
  o Trust relations with other tenants
  o Entity components: users, roles and permissions; UA, PA and RH assignments
  o Cross-tenant assignments are issued by the trustee (t1):
    UA: trustor (t2) users to trustee (t1) roles
    PA: trustee (t1) permissions to trustor (t2) roles
    RH: trustee (t1) roles junior to trustor (t2) roles
[Figure: tenant t2 (u2, R2, P2) β-trusts tenant t1 (u1, R1, P1); cross-tenant UA, PA and RH arrows between the two tenants]
![Page 17: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/17.jpg)
Fine-grained Trust Extensions
- Problem of the MTAS trust model: over-exposure of the trustor's authorization information
- Trustor-Centric Public Role (TCPR): expose only the trustor's public roles
  o E.g.: OS exposes only the dev.OS role to all the trustees
- Relation-Centric Public Role (RCPR): expose public roles specific to each trust relation
  o E.g.: OS exposes only the dev.OS role to E when OS trusts E
![Page 18: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/18.jpg)
Trust Types Between Tenants
- Intuitive Trust (Type-α): delegations, e.g. RT, PBDM
  o Trustor gives access to trustee
  o Trustor has full control
- MTAS trust (Type-β)
  o Trustee gives access to trustor
- Other types?
  o Trustee takes access from trustor (Type-γ)
  o Trustor takes access from trustee (Type-δ)
  o And more?
![Page 19: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/19.jpg)
Example of Cross-Tenant Trust
Example ([$] = grant the access):
- Type-α: E trusts OS so that E can say [$].
- Type-β: OS trusts E so that E can say [$].
- Type-γ: E trusts OS so that OS can say [$].
- Type-δ: OS trusts E so that OS can say [$].
[Figure: tenants OS and E, the role Dev.E and the user Charlie]
![Page 20: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/20.jpg)
![Page 21: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/21.jpg)
![Page 22: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/22.jpg)
MT-RBAC
[Figure: MT-RBAC model; issuers are real-world owners, e.g. E and OS; Type-γ trust between tenants]
![Page 23: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/23.jpg)
Administrative MT-RBAC
- Issuers administer tenants
- Each issuer administers:
  o Trust relations from owned tenants
  o Entity components: tenants, users, roles and permissions; UA, PA and RH assignments
  o Cross-tenant assignments are issued by the trustee's (t2's) issuer:
    UA: trustee (t2) users to trustor (t1) roles
    RH: trustor (t1) roles junior to trustee (t2) roles
  o Cross-tenant PA assignments are intentionally banned
    Such a PA would let the trustee (t2) assign trustor (t1) permissions to trustee (t2) roles
    Problem: the trustor could not revoke that PA other than by removing the trust
[Figure: tenant t1 (u1, R1, P1) γ-trusts tenant t2 (u2, R2, P2); cross-tenant UA and RH arrows between the two tenants]
![Page 24: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/24.jpg)
Finer-grained Trust Models
- MT-RBAC0: base model; the trustor exposes all its roles to trustees
- MT-RBAC1: Trustee-Independent Public Role (TIPR); expose only the trustor's public roles
  o E.g.: E exposes only the dev.E role to all the trustees
- MT-RBAC2: Trustee-Dependent Public Role (TDPR); expose public roles specific to each trustee
  o E.g.: E exposes only the dev.E role to OS when E trusts OS
![Page 25: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/25.jpg)
Constraints
- Cyclic Role Hierarchy: leads to implicit role upgrades in the role hierarchy
- SoD: conflict of duties
  o Tenant-level, e.g.: SOX-compliant companies may not hire the same company for both consulting and auditing
  o Role-level: checks across tenants
- Chinese Wall: conflict of interests among tenants, e.g.: never share resources with competitors
[Figure: Tenant 1 with roles E1 and E2, Tenant 2 with roles M1 and M2]
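The administrative MT-RBAC rules above (cross-tenant UA and RH issued by the trustee, cross-tenant PA banned, trustee-dependent public roles) and the cyclic-hierarchy constraint, as one added example. This is illustrative Python written for this page, not the dissertation's prototype or policy language; the tenants E and OS and the roles dev.E and dev.OS follow the slides, while mgr.E, the user charlie, the permission names and the third tenant X are made up.

```python
"""Added example (not the dissertation's code): a minimal MT-RBAC2 engine with
Type-gamma trust.  The trustor exposes selected roles to one named trustee; the
trustee's administrator may assign its own users to them (cross-tenant UA) or
make them junior to its own roles (cross-tenant RH).  Cross-tenant PA is banned.
All tenant, role, user and permission names are made up.
"""
from collections import defaultdict


class MTRBAC2:
    def __init__(self):
        self.rh = defaultdict(set)        # senior role -> {junior roles}
        self.ua = defaultdict(set)        # (tenant, user) -> {roles}
        self.pa = defaultdict(set)        # role -> {(tenant, permission)}
        self.trustees = defaultdict(set)  # trustor tenant -> {trustee tenants}
        self.public = defaultdict(set)    # (trustor, trustee) -> {exposed roles}

    # --- administered by the role's own tenant (its issuer) -----------------
    def assign_permission(self, role, permission):
        # PA never crosses tenants: the permission must belong to the role's tenant.
        if permission[0] != role[0]:
            raise PermissionError("cross-tenant PA is banned")
        self.pa[role].add(permission)

    def gamma_trust(self, trustor, trustee):
        self.trustees[trustor].add(trustee)

    def expose(self, trustor, trustee, role):
        # MT-RBAC2: a role is exposed per trustee, and only under an existing trust.
        if role[0] != trustor or trustee not in self.trustees[trustor]:
            raise PermissionError("role not owned by trustor, or no trust relation")
        self.public[(trustor, trustee)].add(role)

    def revoke_trust(self, trustor, trustee):
        # The trustee's UA/RH records stay, but stop being honoured (see _visible).
        self.trustees[trustor].discard(trustee)
        self.public.pop((trustor, trustee), None)

    def _visible(self, role, tenant):
        # A role is usable by `tenant` if it is its own or currently exposed to it.
        # Trust is checked pairwise: nothing chains through a third tenant.
        return role[0] == tenant or role in self.public.get((role[0], tenant), ())

    # --- cross-tenant assignments, issued by the trustee's issuer ------------
    def assign_user(self, user, role):
        if not self._visible(role, user[0]):
            raise PermissionError(f"{role} is not exposed to tenant {user[0]}")
        self.ua[user].add(role)

    def add_rh(self, senior, junior):
        if not self._visible(junior, senior[0]):
            raise PermissionError(f"{junior} is not exposed to tenant {senior[0]}")
        # Constraint: a cycle would make every role on it equivalent (implicit upgrade).
        if senior == junior or senior in self.juniors(junior, honour_trust=False):
            raise ValueError("cyclic role hierarchy")
        self.rh[senior].add(junior)

    def juniors(self, role, honour_trust=True):
        # Transitive closure over RH; by default edges whose trust was revoked are dropped.
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            for j in self.rh[r]:
                if j not in seen and (not honour_trust or self._visible(j, r[0])):
                    seen.add(j)
                    stack.append(j)
        return seen

    def authorized_roles(self, user):
        roles = set()
        for r in self.ua[user]:
            if self._visible(r, user[0]):
                roles.add(r)
                roles |= self.juniors(r)
        return roles

    def is_authorized(self, user, permission):
        return any(permission in self.pa[r] for r in self.authorized_roles(user))


def demo():
    """E gamma-trusts OS and exposes only dev.E; OS takes dev.E under its dev.OS."""
    m = MTRBAC2()
    dev_e, mgr_e, dev_os = ("E", "dev.E"), ("E", "mgr.E"), ("OS", "dev.OS")
    m.assign_permission(dev_e, ("E", "read:repo"))
    m.assign_permission(mgr_e, ("E", "approve:release"))
    m.gamma_trust("E", "OS")
    m.expose("E", "OS", dev_e)
    charlie = ("OS", "charlie")
    m.assign_user(charlie, dev_os)
    m.add_rh(dev_os, dev_e)  # cross-tenant RH, issued by OS (the trustee)
    return m, charlie, dev_e, mgr_e, dev_os


if __name__ == "__main__":
    m, charlie, *_ = demo()
    print(m.is_authorized(charlie, ("E", "read:repo")))  # True
```

Two design choices carry the slides' points: every cross-tenant check reads only the direct (trustor, trustee) pair, so trust does not chain even when OS in turn trusts a third tenant; and `juniors()` re-evaluates exposure at decision time, so revoking the trust withdraws what the trustee took through it without the trustor having to find and delete the trustee's assignments.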
![Page 26: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/26.jpg)
![Page 27: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/27.jpg)
CTTM Trust Types
Four potential trust types:
- Type-α: trustor can give access to trustee (e.g. RT)
- Type-β: trustee can give access to trustor (e.g. MTAS)
- Type-γ: trustee can take access from trustor (e.g. MT-RBAC)
- Type-δ: trustor can take access from trustee
  o No meaningful use case, since the trustor holds all the control of the cross-tenant assignments of the trustee's permissions
![Page 28: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/28.jpg)
Formalized CTTM Model
![Page 29: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/29.jpg)
Role-Based CTTM
![Page 30: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/30.jpg)
![Page 31: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/31.jpg)
MT-ABAC
[Figure: attribute example. Tenant t1: tid = t1, γ-trustee = {t2}. User u2: uid = u2, utid = t2. Object o1: oid = o1, otid = t1. Subject s2: sid = s2, sowner = u2]
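The attribute example above evaluated as an attribute-based policy, as an added example that is not the dissertation's MT-ABAC formalization. The attribute values for t1, t2, u2, s2 and o1 follow the slide; the third tenant t3, the users u1 and u3, the subjects s1 and s3, the object o2, the action set and the choice that a γ-trusted tenant gets read-only access are assumptions made for illustration.

```python
"""Added example (not from the dissertation): attribute-based evaluation of the
cross-tenant access shown on the MT-ABAC slide.  t1 gamma-trusts t2; user u2 of
t2 owns subject s2; object o1 belongs to t1.  Tenant t3, object o2, the extra
users/subjects, the action set and the read-only rule are constructed here.
"""

# Tenant attribute: which tenants this tenant gamma-trusts (set by the trustor).
TENANTS = {
    "t1": {"gamma_trustee": {"t2"}},
    "t2": {"gamma_trustee": {"t3"}},
    "t3": {"gamma_trustee": set()},
}
USERS = {"u1": {"utid": "t1"}, "u2": {"utid": "t2"}, "u3": {"utid": "t3"}}
SUBJECTS = {"s1": {"sowner": "u1"}, "s2": {"sowner": "u2"}, "s3": {"sowner": "u3"}}
OBJECTS = {"o1": {"otid": "t1"}, "o2": {"otid": "t2"}}


def subject_attrs(sid):
    # A subject inherits its tenant from the user that owns it.
    owner = SUBJECTS[sid]["sowner"]
    return {"sid": sid, "sowner": owner, "stid": USERS[owner]["utid"]}


def object_attrs(oid):
    return {"oid": oid, **OBJECTS[oid]}


# Policy rules: (name, applicability predicate over subject/object attributes,
# actions the rule permits).  The cross-tenant rule reads the *object's* tenant
# attribute, so only the trustor (the object's tenant) opens or closes the
# relation: the trust is unilateral and unidirectional, and it does not chain.
RULES = [
    ("same-tenant",
     lambda s, o: s["stid"] == o["otid"], {"read", "write"}),
    ("gamma-trust",
     lambda s, o: s["stid"] in TENANTS[o["otid"]]["gamma_trustee"], {"read"}),
]


def authorize(sid, action, oid):
    """Return (decision, rule name); anything no rule permits is denied."""
    s, o = subject_attrs(sid), object_attrs(oid)
    for name, applies, actions in RULES:
        if action in actions and applies(s, o):
            return True, name
    return False, "default-deny"


if __name__ == "__main__":
    for sid, action, oid in [("s2", "read", "o1"), ("s2", "write", "o1"),
                             ("s1", "read", "o2"), ("s3", "read", "o1")]:
        print(sid, action, oid, authorize(sid, action, oid))
```

The last two requests in the usage loop are the ones worth checking in a real deployment: s1 (tenant t1) reading o2 fails because t2 never trusted t1 even though t1 trusts t2, and s3 (tenant t3) reading o1 fails because t2's trust in t3 does not extend t1's trust in t2.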
![Page 32: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/32.jpg)
Multi-Tenant Access Example
![Page 33: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/33.jpg)
Real-World Clouds
- AWS: collaboration between accounts
  o E.g.: E trusts OS
  o Unilateral trust relation (Type-α)
  o The trustor needs to map the roles
- OpenStack
  o User-level delegation (trust) can be established
  o Cross-domain assignments bear no control
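The AWS case above written out as the two IAM policy documents it needs, plus the check a reviewer would run on the trust policy; this is an added example in Python, not material from the slides. The account IDs (111111111111 for E, 222222222222 for OS), the role name and the ExternalId value are made-up placeholders. It shows why the slide calls this Type-α: the trustor E writes the trust policy on a role in its own account and picks that role's permissions (the "role mapping"), while the trustee OS only gets to decide which of its own users may call sts:AssumeRole against that role.

```python
"""Added example (not from the dissertation): the AWS cross-account pattern as
IAM policy documents.  Account IDs, role name and ExternalId are placeholders.
"""
import json

E_ACCOUNT, OS_ACCOUNT = "111111111111", "222222222222"   # E = trustor, OS = trustee
ROLE_NAME = "os-collaborator"


def trust_policy(trustee_account, external_id=None):
    """Trust policy on the role in the trustor's account: who may assume it."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trustee_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:  # sts:ExternalId guards against the confused-deputy problem
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def assume_role_policy(trustor_account, role_name):
    """Identity policy in the trustee's account, attached to its own users,
    needed because the trust policy names the whole account (root) as principal."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": f"arn:aws:iam::{trustor_account}:role/{role_name}",
    }]}


def trust_policy_findings(policy, expected_trustees):
    """Flag Allow statements that let anyone beyond the intended trustee accounts
    assume the role.  Returns a list of human-readable findings (empty = clean)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else list(aws)
        for p in aws:
            if p == "*":
                findings.append("wildcard principal: any AWS account may assume the role")
                continue
            # ARN layout: arn:partition:service:region:account:resource
            account = p.split(":")[4] if p.count(":") >= 5 else ""
            if account not in expected_trustees:
                findings.append(f"unexpected trustee account {account or p}")
    return findings


if __name__ == "__main__":
    print(json.dumps(trust_policy(OS_ACCOUNT, external_id="e-os-2014"), indent=2))
    print(json.dumps(assume_role_policy(E_ACCOUNT, ROLE_NAME), indent=2))
```

The check is deliberately one-sided, like the trust itself: it audits the document under the trustor's control, since nothing OS writes in its own account can widen what E's trust policy allows.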
![Page 34: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/34.jpg)
![Page 35: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/35.jpg)
MTAaaS Platform Prototype
- Centralized (chosen): centralized PDP with distributed PEPs
  o Pros: easy management
  o Cons: volume of requests may be high
- Decentralized: distributed PDPs and PEPs
  o Pros: request handling
  o Cons: keeping decisions consistent
![Page 36: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/36.jpg)
Example MTAS policy structure
[Figure: MTAS policy structure for the case where OS β-trusts E]
![Page 37: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/37.jpg)
MT-RBAC2 Policy Example
[Figure: MT-RBAC2 policy for the case where tr γ-trusts te]
![Page 38: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/38.jpg)
Experiment Environment
FlexCloud Testbed
- PEP ×8: SmartOS 1.8.1 / CPU cap = 350 / 256 MB RAM
- PDP: 64-bit CentOS 6 / 1, 2, 4, 8 or 16 units (1 unit = 1 CPU / 1 GB RAM)
- ATC: SmartOS 1.8.4 / CPU cap = 350 / 1 GB RAM
- The PEPs share one network, which is different from the PDP's
![Page 39: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/39.jpg)
Evaluation: Performance
- MT-RBAC vs RBAC: more policy references incur more decision time
- MT-RBAC2 introduces 12 ms authorization overhead
[Figures: PDP performance; client-end performance when downloading a 1 KB file]
![Page 40: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/40.jpg)
Evaluation: Performance
- MTAS introduces 12 ms authorization overhead
[Figures: PDP response delay with various numbers of PEPs; PDP response delay with various hardware capabilities and 1k tenants]
![Page 41: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/41.jpg)
Evaluation: Scalability
Scalable in terms of both
- PDP hardware capacity
- Policy complexity
[Figure: policy complexity scalability results]
![Page 42: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/42.jpg)
![Page 43: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/43.jpg)
OSAC
![Page 44: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/44.jpg)
AOSAC
[Figure: OpenStack administrative hierarchy. Cloud Admin over Domain A Admin (Project A1 Admin, Project A2 Admin) and Domain B Admin (Project B1 Admin, Project B2 Admin)]
Source: https://wiki.openstack.org/wiki/Domains
![Page 45: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/45.jpg)
Trust Framework
![Page 46: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/46.jpg)
Prototype & Evaluation
- Sequential request handling (queuing)
- Domain trust introduces 0.7% authorization overhead
- Scalability changes little with domain trust
[Figures: performance; scalability]
![Page 47: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/47.jpg)
Chapter 6: Conclusion
- Policy
  o MTAS: role-based Type-β trust
  o MT-RBAC: role-based Type-γ trust
  o CTTM: trust type taxonomy for role-based models
  o MT-ABAC: attribute-based model trusts
- Enforcement
  o MTAaaS: centralized PDP with distributed PEPs
- Implementation
  o Domain Trust in OpenStack
![Page 48: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/48.jpg)
Chapter 6: Future Work
- MT-ABAC: finer-grained extensions; administration, enforcement and implementation
- More and finer-grained trust models: trust negotiation and graded trust relations
- More MTAC models: MT-PBAC, MT-RAdAC, etc.
- Attribute-based MTAC models in OpenStack
![Page 49: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/49.jpg)
Publications
Bo Tang and Ravi Sandhu. Extending OpenStack Access Control with Domain Trust. In Proceedings of the 8th International Conference on Network and System Security (NSS), Xi’an, China, October 2014.
Bo Tang, Ravi Sandhu and Qi Li. Multi-Tenancy Authorization Models for Collaborative Cloud Services. Concurrency and Computation: Practice & Experience (CCPE), Wiley, 2014 (under review).
Bo Tang and Ravi Sandhu. Cross-Tenant Trust Models in Cloud Computing. In Proceedings of the 14th IEEE Conference on Information Reuse and Integration (IRI), San Francisco, California, August 2013.
Bo Tang, Qi Li and Ravi Sandhu. A Multi-Tenant RBAC Model for Collaborative Cloud Services. In Proceedings of the 11th IEEE Conference on Privacy, Security and Trust (PST), Tarragona, Spain, July 2013.
Bo Tang, Ravi Sandhu and Qi Li. Multi-Tenancy Authorization Models for Collaborative Cloud Services. In Proceedings of the 14th IEEE Conference on Collaboration Technologies and Systems (CTS), San Diego, California, May 2013.
![Page 50: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/50.jpg)
Institute for Cyber Security
Q & A
![Page 51: Multi-Tenant Access Control for Cloud Services](https://reader036.vdocument.in/reader036/viewer/2022081603/56815c36550346895dca2077/html5/thumbnails/51.jpg)
Institute for Cyber Security
Thank You!