A Metric-Based Approach to Assess Risk for “On Cloud” Federated Identity Management

The cloud computing paradigm is set to become the next explosive revolution on the Internet, but its adoption is still hindered by security problems. One of the fundamental issues is the need for better access control and identity management systems. In this context, Federated Identity Management (FIM) is identified by researchers and experts as an important security enabler, since it will play a vital role in allowing the global scalability that is required for the successful deployment of cloud technologies. However, current FIM frameworks are limited by the complexity of the underlying trust models that need to be put in place before inter-domain cooperation can take place. Thus, the establishment of dynamic federations between the different cloud actors is still a major research challenge that remains unsolved. Here we show that risk evaluation must be considered a key enabler in evidence-based trust management, so that cloud providers belonging to unknown administrative domains can collaborate in a secure manner. In this paper, we analyze the Federated Identity Management process and propose a taxonomy that helps classify the risks involved, in order to mitigate vulnerabilities and threats when decisions about collaboration are made. Moreover, a set of new metrics is defined to allow a novel form of risk quantification in these environments. Other contributions of the paper include the definition of a generic hierarchical risk aggregation system, and a descriptive use case in which the risk computation framework is applied to enhance cloud-based service provisioning.
