SlideShare une entreprise Scribd logo

Authorization for workloads in a dynamically scaling heterogeneous system

Pushpalanka Jayawardhana
Pushpalanka Jayawardhana

Defines a design based on SPIFFE and OPA standards to address authorization between workloads residing in multiple clouds and interacting with each other.

Logiciels
1  sur  35
Télécharger pour lire hors ligne
FABRIKAM AUTHORIZATION FOR WORKLOADS IN A DYNAMICALLY SCALING HETEROGENEOUS SYSTEM M.K.P.R. Jayawardhana 158217G Supervised by Prof. Gihan Dias Mr. Prabath Siriwardena Master of Science in Computer Science and Engineering University of Moratuwa Sri Lanka
Dvaara Contribution of the Research Considering ‘Cloud’(eg: Amazon EC2, Azure, GCP) as the most common use case of a dynamically scaling, heterogeneous system, ● Design a solution for authorization among multi-cloud systems ● Implement the designed solution Re-use + implement lacking components + integration ● Implementation evaluation using a case study ● Performance evaluation 2
Dvaara 3 Introduction Ref : https://www.slideshare.net/ajessup/building-trust-between-modern-distributed-systems-with-spiffe 3 Modern Enterprise Systems, ● Mostly Distributed Systems ● Horizontal Scaling ● Avoid vendor lock-in ● Make use of external systems than having everything in-house, ○ Make use of SaaS providers ○ Make use of PaaS providers ○ Make use of IaaS providers ● High availability concerns ● Elasticity of the system is a concern with rapid growth and peak and off-peak times. ● Follows Micro Services Architecture(MSA)
Dvaara Why multi-cloud? ● Organizations are concerned on moving everything to the cloud → Security and Privacy concerns + Vendor lock-in ● Hybrid cloud to get started → Sensitive data residing on-premise and heavy computing delegated to an external cloud. ● Cost-effectiveness and reducing go-to-market time makes cloud appealing. Introduction 4 Ref: https://www.nutanix.com/enterprise-cloud-index/docs/enterprise-cloud-index.pdf, https://www.gartner.com/doc/3784664/building-identity-microservices “MSA(Microservice Architecture)-specific IAM(Identity and Access Management) is still in its infancy. The primary focus of the MSA community thus far has been authentication and, more narrowly, the use of OAuth 2.0, leaving other important questions, such as the authorization architecture, unaddressed”?? - Gartner
Dvaara Problem Problem Statement ● Enterprise systems are becoming a service mesh. ● Each component of the system needs to scale as required, while being able to interact with other services. ● Interaction needs to be secured. ● Authentication between these services is being addressed. 5Ref : https://azure.microsoft.com/en-us/blog/microservices-on-azure-kubernetes-guidance/ How do we define and implement an authorization system for a multi-cloud enterprise system?
Dvaara Use Case Problem Statement An e-commerce company has decided to start a cloud journey with below, considering the features supported by each CSP, cost and vendor lock-in. ● Keep the sensitive business operations in the on-premise cloud. ● Send data to be stored or archived to Amazon S3. Use EC2 analyse and summarize this data. ● Host a dashboard in GCP, that summarizes the details in Amazon S3 to identify the trends in the market. ● Need high elasticity (peak, off-peak seasons and times) To build the secure boundary, below interactions need to be secured - On-premise to Amazon - Amazon to GCP 6
Dvaara Use Case - Problem Problem Statement Service authentication between multi-clouds when dynamic scaling is in place, is already a concern being addressed by research community. - Shared secret based - Kerberos protocol - CSP provided privileged API - SPIFFE standard How to support ‘Service Authorization’ in this system? 7 What should he be allowed to do?
Dvaara Approach ● Study existing models, solutions and standards that support authorization between services. ● Study the other relevant aspects of authorization such as authentication and administration of access control policy as required by the authorization architecture for a cloud system. ● Build up the components of the architecture, that can coexist with the current enterprise systems, providing authorization capabilities across clouds. 8 Objectives
Dvaara Literature Review Literature Review 1. Classical Security Models 1.1. Authentication 1.2. Authorization 2. Future of Cloud Systems 3. Workloads 3.1. Workload Authentication 3.2. Workload Authorization 9
Dvaara Access Control Literature Review 10 Ref : R. S. Sandhu and P. Samarati, “Access control: principle and practice,” IEEE Commun. Mag., vol. 32, no. 9, pp. 40–48, 1994
Dvaara Authentication Literature Review Identifying an entity such as a person, a group, a device or an application to be what they declare to be, - Something Known - Something Possessed - Something Inherent 11 Ref: D. Gollmann, “Computer security,” WIREs Comp Stat, vol. 2, no. 5, Sep. 2010
Dvaara Authorization Literature Review ● DAC ● MAC ● Access Control Matrix ○ Access Control List ● RBAC ● ABAC ● XACML ● OPA 12 Image : https://image.slidesharecdn.com/350pmaxio-irmsummit2014gerry-140611105654-phpapp02/ 95/top-ten-reasons-why-developers-dont-adopt-abac-10-638.jpg Ref : R. S. Sandhu and P. Samarati, “Access control: principle and practice,” IEEE Commun. Mag., vol. 32, no. 9, pp. 40–48, 1994
Dvaara Classical Security Models Literature Review ● Bell-La-Padula model - Confidentiality ● BIBA model - Integrity ● Chinese-Wall model - Conflict of Interest ● Clark-Wilson model - Integrity of commercial systems, Separation of duties ● Graham-Denning(GD) model - State transitions based on ACM ● Harrizon-Ruzzo-Ullman Model - Extending GD model ● Take-Grant Model - State transitions for confidentiality 13 Ref: D. Gollmann, “Computer security,” WIREs Comp Stat, vol. 2, no. 5, Sep. 2010
Dvaara Cloud Literature Review - The most common, dynamically scaling, heterogeneous system - SaaS, PaaS, IaaS - Hyper-converged cloud to catalyze multi-cloud systems 14Ref: https://www.timetoast.com/timelines/cloud-computing-history
Dvaara Workload Literature Review “A highly cohesive and de-coupled capability or a unit of work that collectively builds up an enterprise application, which can be running on cloud or on-premise” Eg: ● a microservice ● a Kubernetes pod ● a process in a VM 15 Ref: https://siliconangle.com/wp-content/blogs.dir/1/files/2016/02/illumio.png Ref : M. C. Calzarossa, M. L. Della Vedova, L. Massari, D. Petcu, M. I. M. Tabash, and D. Tessera, “Workloads in the Clouds,”, Springer International Publishing, 2016, pp. 525–550
Dvaara Workload Authentication Literature Review ● Challenge-response authentication ○ Credentials stored with workload ○ Challenged to provide an inherent attribute based on the system ● Needham–Schroeder protocol ○ Use a symmetric key ○ Based on a third party ‘Authentication server’, building trust ● Kerberos Protocol ○ Based on KDC (Key Distribution Center) ○ Not relying on network security 16 Ref: B. C. Neuman and T. Ts’o, “Kerberos: an authentication service for computer networks,” IEEE Commun. Mag., vol. 32, no. 9, pp. 33–38, Sep. 1994.
Dvaara Single Cloud Authentication Literature Review ● Platform provided privileged API based authentication ○ Amazon EC2 IID ○ Google Cloud Provider IIT ○ Microsoft Azure MSI 17 { "iss": "[TOKEN_ISSUER]", "iat": [ISSUED_TIME], "exp": [EXPIRED_TIME], "aud": "[AUDIENCE]", "sub": "[SUBJECT]", "azp": "[AUTHORIZED_PARTY]", "google": { "compute_engine": { "project_id": "[PROJECT_ID]", "project_number": [PROJECT_NUMBER], "zone": "[ZONE]", "instance_id": [INSTANCE_ID], "instance_name": "[INSTANCE_NAME]" "instance_creation_timestamp": [CREATION_TIMESTAMP] } } }
Dvaara Multi-Cloud Authentication Literature Review SPIFFE (Secure Production Identity Framework For Everyone) ● A common protocol based on ‘Platform Provided Privileged API’ for authentication. ● Extendable to work with CSPs. ● A standard accepted by the CNCF(Cloud Native Computing Foundation). 18
Dvaara Workload Authorization Literature Review ● RBAC ○ OAuth 2.0 with scopes - client_credentials grant ● ABAC ○ OAuth 2.0 with scopes - client_credentials grant ○ XACML ○ OPA ● Authorization Servers in the market ○ Based on OAuth2.0 MTLS standard ○ KeyCloak, Gluu, WSO2 IS, Ping Identity, IBM API Connect 19
Dvaara Solution Design 20
Dvaara Dvaara Design Options Solution Design Enforcing authentication and authorization 21 Local authentication and authorization Local authorization and Global authentication Local authentication and Global Authorization Global authentication and authorization
Dvaara Dvaara Design Authentication Solution Design Comparison Authentication Mechanism 22 Mechanism Do not require to deploy credentials with the workload Single identity per workload API driven credentials rotation and distribution Cross-platform trust building Firewall Yes Yes No Yes Destination authentication No No No Yes Platform mediated identity Yes Yes Yes No SPIFFE Yes Yes Yes Yes
Dvaara Dvaara Design Authorization Solution Design ● DAC vs MAC ○ Governing authorization of information flow is not in the current scope ○ Hence DAC ● RBAC vs ABAC ○ Need to considered fine grained attributes of workloads 23 RBAC ABAC Simplicity Yes Can be Complex Fine-grained No Yes Standardized No Yes (XACML/OPA) Comparison Authorization Mechanism
Dvaara Dvaara Design - XACML or OPA Solution Design ● XACML vs OPA - policy comparison 24 XACML OPA Flexible ABAC support Yes Yes Extendability Yes Yes Complexity High Occasionally Verbose Yes No Required training Yes (Though it’s XML, have specific functions and behaviors to understand) Yes (Though it’s JSON like, have special meanings for symbols and ways of writing rules) Implementation Availability Axiomatics, Sun XACML engine, WSO2 Identity Server OPA Background Open standard by OASIS Open implementation, CNCF accepted.
Dvaara Overall Design 25 Solution Design
Dvaara Dvaara Architecture Solution Design 26
Dvaara Dvaara Implementation Solution Implementation 27
Dvaara Dvaara Implementation Ctd Solution Implementation 28
Dvaara Dvaara Implementation Contribution Solution Implementation Chain of Responsibility Pattern 29 TLS level validation on the SPIFFE X509 cert OPA based decision on allowed scopes, based on SPIFFE ID Token validation request ABAC, validating the workload attributes and context against OPA policy Using Java-SPIFFE lib New implementation of OPA based scope validation handler New implementation of OPA based token validation handler - Selected WSO2 IS authorization server was patched to support required parameters to be sent to OPA engine. WSO2 IS patched to enrich
Dvaara Evaluation Solution Evaluation 30 1 2 1 - Token Request 2 - Actual API consumption using token
Dvaara Demo 31
Dvaara Evaluation Solution Evaluation 32 Correctness - Considered the use case of an employee management solution - Authorized access to a salary mgt API - Fine grained authorization based on Infrastructure layer details and application layer details - Verified results against the expected results
Dvaara Conclusion 33 - What Dvaara can do? - Make authorization decisions based on infrastructure level and application level attributes - Understands the SPIFFE based authentication - Allow dynamic changes to authorization policy - Dvaara provides a viable solution for workload authorization in a multi-cloud system - Dvaara provides fine grained authorization in a dynamic manner - Dvaara bridges the existing authorization technology of OAuth 2.0 and TLS widely adopted open standard to the emerging cloud native standards of SPIFFE and OPA - Dvaara open doors for the existing enterprise systems to have benefits of hybrid or multi-cloud without compromising on service authorization policies.
Dvaara Future Work 34 - Make access token a JWT(JSON Web Token) that can carry attributes(advices) between the workloads - Federation between SPIRE server or Authorization servers to expand trust boundary in a seamless manner - Performance improvements - add caching improvements at token validation - Provide an administration portal for the system - Single view on policy available to issue SPIFFE IDs - Single view of policies active in OPA engine - CRUD operations on the policies and evaluating the effect - Current overview of the system (active workloads, tokens etc.) - OAuth 2.0 specification to bind the token to the TLS layer. (currently happening in Dvaara in an indirect way)
FABRIKAM THANK YOU https://medium.com/@Pushpalanka https://github.com/Dvaara/ Pushpalanka pushpalankajaya@gmail.com 35

Recommandé

Headaches of Blocking, Locking, and Deadlocking
Headaches of Blocking, Locking, and DeadlockingHeadaches of Blocking, Locking, and Deadlocking
Headaches of Blocking, Locking, and Deadlocking
Brent Ozar
 
Sql vs NoSQL-Presentation
Sql vs NoSQL-Presentation Sql vs NoSQL-Presentation
Sql vs NoSQL-Presentation
Shubham Tomar
 
Distributed information system
Distributed information systemDistributed information system
Distributed information system
District Administration
 
BAIT1103 Chapter 7
BAIT1103 Chapter 7BAIT1103 Chapter 7
BAIT1103 Chapter 7
limsh
 
Replication in Distributed Systems
Replication in Distributed SystemsReplication in Distributed Systems
Replication in Distributed Systems
Kavya Barnadhya Hazarika
 
Relational databases vs Non-relational databases
Relational databases vs Non-relational databasesRelational databases vs Non-relational databases
Relational databases vs Non-relational databases
James Serra
 
Locks In Disributed Systems
Locks In Disributed SystemsLocks In Disributed Systems
Locks In Disributed Systems
mridul mishra
 
Software engineering: design for reuse
Software engineering: design for reuseSoftware engineering: design for reuse
Software engineering: design for reuse
Marco Brambilla
 

Recommandé

Headaches of Blocking, Locking, and Deadlocking
Headaches of Blocking, Locking, and DeadlockingHeadaches of Blocking, Locking, and Deadlocking
Headaches of Blocking, Locking, and Deadlocking
Brent Ozar
 
Sql vs NoSQL-Presentation
Sql vs NoSQL-Presentation Sql vs NoSQL-Presentation
Sql vs NoSQL-Presentation
Shubham Tomar
 
Distributed information system
Distributed information systemDistributed information system
Distributed information system
District Administration
 
BAIT1103 Chapter 7
BAIT1103 Chapter 7BAIT1103 Chapter 7
BAIT1103 Chapter 7
limsh
 
Replication in Distributed Systems
Replication in Distributed SystemsReplication in Distributed Systems
Replication in Distributed Systems
Kavya Barnadhya Hazarika
 
Relational databases vs Non-relational databases
Relational databases vs Non-relational databasesRelational databases vs Non-relational databases
Relational databases vs Non-relational databases
James Serra
 
Locks In Disributed Systems
Locks In Disributed SystemsLocks In Disributed Systems
Locks In Disributed Systems
mridul mishra
 
Software engineering: design for reuse
Software engineering: design for reuseSoftware engineering: design for reuse
Software engineering: design for reuse
Marco Brambilla
 
management of distributed transactions
management of distributed transactionsmanagement of distributed transactions
management of distributed transactions
Nilu Desai
 
SQL vs. NoSQL Databases
SQL vs. NoSQL DatabasesSQL vs. NoSQL Databases
SQL vs. NoSQL Databases
Osama Jomaa
 
Cloud service lifecycle management
Cloud service lifecycle managementCloud service lifecycle management
Cloud service lifecycle management
Animesh Chaturvedi
 
Multimedia cloud computing
Multimedia cloud computingMultimedia cloud computing
Multimedia cloud computing
munny92
 
Cloud File System with GFS and HDFS
Cloud File System with GFS and HDFS Cloud File System with GFS and HDFS
Cloud File System with GFS and HDFS
Dr Neelesh Jain
 
1. GRID COMPUTING
1. GRID COMPUTING1. GRID COMPUTING
1. GRID COMPUTING
Dr Sandeep Kumar Poonia
 
NIST Cloud Computing Reference Architecture
NIST Cloud Computing Reference ArchitectureNIST Cloud Computing Reference Architecture
NIST Cloud Computing Reference Architecture
Thanakrit Lersmethasakul
 
Testing under cloud
Testing under cloudTesting under cloud
Testing under cloud
gaurav jain
 
load balancing in public cloud ppt
load balancing in public cloud pptload balancing in public cloud ppt
load balancing in public cloud ppt
Krishna Kumar
 
NOSQL vs SQL
NOSQL vs SQLNOSQL vs SQL
NOSQL vs SQL
Mohammed Fazuluddin
 
Service Oriented Architecture
Service Oriented ArchitectureService Oriented Architecture
Service Oriented Architecture
Syed Mustafa
 
Migration into a Cloud
Migration into a CloudMigration into a Cloud
Migration into a Cloud
Divya S
 
Cloud Computing Architecture
Cloud Computing ArchitectureCloud Computing Architecture
Cloud Computing Architecture
Animesh Chaturvedi
 
Comet Cloud
Comet CloudComet Cloud
Comet Cloud
pradeepas7
 
OLAP
OLAPOLAP
OLAP
Slideshare
 
4.file service architecture
4.file service architecture4.file service architecture
4.file service architecture
AbDul ThaYyal
 
Crash recovery in database
Crash recovery in databaseCrash recovery in database
Crash recovery in database
Prof.Nilesh Magar
 
Message oriented middleware
Message oriented middlewareMessage oriented middleware
Message oriented middleware
Coforge (Erstwhile WHISHWORKS)
 
Types of Load distributing algorithm in Distributed System
Types of Load distributing algorithm in Distributed SystemTypes of Load distributing algorithm in Distributed System
Types of Load distributing algorithm in Distributed System
DHIVYADEVAKI
 
Service-Oriented Architecture (SOA)
Service-Oriented Architecture (SOA)Service-Oriented Architecture (SOA)
Service-Oriented Architecture (SOA)
WSO2
 
Cloud Testing : An Overview
Cloud Testing : An OverviewCloud Testing : An Overview
Cloud Testing : An Overview
QA InfoTech
 
Cloud Computing Presentation
Cloud Computing PresentationCloud Computing Presentation
Cloud Computing Presentation
Mohammed Kharma
 

Contenu connexe

Tendances

management of distributed transactions
management of distributed transactionsmanagement of distributed transactions
management of distributed transactions
Nilu Desai
 
Multimedia cloud computing
Multimedia cloud computingMultimedia cloud computing
Multimedia cloud computing
munny92
 
load balancing in public cloud ppt
load balancing in public cloud pptload balancing in public cloud ppt
load balancing in public cloud ppt
Krishna Kumar
 
4.file service architecture
4.file service architecture4.file service architecture
4.file service architecture
AbDul ThaYyal
 

Tendances (20)

management of distributed transactions
management of distributed transactionsmanagement of distributed transactions
management of distributed transactions
 
SQL vs. NoSQL Databases
SQL vs. NoSQL DatabasesSQL vs. NoSQL Databases
SQL vs. NoSQL Databases
 
Cloud service lifecycle management
Cloud service lifecycle managementCloud service lifecycle management
Cloud service lifecycle management
 
Multimedia cloud computing
Multimedia cloud computingMultimedia cloud computing
Multimedia cloud computing
 
Cloud File System with GFS and HDFS
Cloud File System with GFS and HDFS Cloud File System with GFS and HDFS
Cloud File System with GFS and HDFS
 
1. GRID COMPUTING
1. GRID COMPUTING1. GRID COMPUTING
1. GRID COMPUTING
 
NIST Cloud Computing Reference Architecture
NIST Cloud Computing Reference ArchitectureNIST Cloud Computing Reference Architecture
NIST Cloud Computing Reference Architecture
 
Testing under cloud
Testing under cloudTesting under cloud
Testing under cloud
 
load balancing in public cloud ppt
load balancing in public cloud pptload balancing in public cloud ppt
load balancing in public cloud ppt
 
NOSQL vs SQL
NOSQL vs SQLNOSQL vs SQL
NOSQL vs SQL
 
Service Oriented Architecture
Service Oriented ArchitectureService Oriented Architecture
Service Oriented Architecture
 
Migration into a Cloud
Migration into a CloudMigration into a Cloud
Migration into a Cloud
 
Cloud Computing Architecture
Cloud Computing ArchitectureCloud Computing Architecture
Cloud Computing Architecture
 
Comet Cloud
Comet CloudComet Cloud
Comet Cloud
 
OLAP
OLAPOLAP
OLAP
 
4.file service architecture
4.file service architecture4.file service architecture
4.file service architecture
 
Crash recovery in database
Crash recovery in databaseCrash recovery in database
Crash recovery in database
 
Message oriented middleware
Message oriented middlewareMessage oriented middleware
Message oriented middleware
 
Types of Load distributing algorithm in Distributed System
Types of Load distributing algorithm in Distributed SystemTypes of Load distributing algorithm in Distributed System
Types of Load distributing algorithm in Distributed System
 
Service-Oriented Architecture (SOA)
Service-Oriented Architecture (SOA)Service-Oriented Architecture (SOA)
Service-Oriented Architecture (SOA)
 

Similaire à Authorization for workloads in a dynamically scaling heterogeneous system

SURVEY ON KEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARING
SURVEY ON KEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARINGSURVEY ON KEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARING
SURVEY ON KEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARING
Editor IJMTER
 

Similaire à Authorization for workloads in a dynamically scaling heterogeneous system (20)

Cloud Testing : An Overview
Cloud Testing : An OverviewCloud Testing : An Overview
Cloud Testing : An Overview
 
Cloud Computing Presentation
Cloud Computing PresentationCloud Computing Presentation
Cloud Computing Presentation
 
Cloud Computing – Opportunities, Definitions, Options, and Risks (Part-1)
Cloud Computing – Opportunities, Definitions, Options, and Risks (Part-1)Cloud Computing – Opportunities, Definitions, Options, and Risks (Part-1)
Cloud Computing – Opportunities, Definitions, Options, and Risks (Part-1)
 
Cloud management
Cloud managementCloud management
Cloud management
 
Serverless security for multi cloud workloads
Serverless security for multi cloud workloadsServerless security for multi cloud workloads
Serverless security for multi cloud workloads
 
SURVEY ON KEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARING
SURVEY ON KEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARINGSURVEY ON KEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARING
SURVEY ON KEY AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARING
 
Cooperative Schedule Data Possession for Integrity Verification in Multi-Clou...
Cooperative Schedule Data Possession for Integrity Verification in Multi-Clou...Cooperative Schedule Data Possession for Integrity Verification in Multi-Clou...
Cooperative Schedule Data Possession for Integrity Verification in Multi-Clou...
 
Introduction to Google Cloud & GCCP Campaign
Introduction to Google Cloud & GCCP CampaignIntroduction to Google Cloud & GCCP Campaign
Introduction to Google Cloud & GCCP Campaign
 
Cloud computing intro
Cloud computing introCloud computing intro
Cloud computing intro
 
Google Cloud Study Jam | GDSC NCU
Google Cloud Study Jam | GDSC NCUGoogle Cloud Study Jam | GDSC NCU
Google Cloud Study Jam | GDSC NCU
 
Interop ITX: Moving applications: From Legacy to Cloud-to-Cloud
Interop ITX: Moving applications: From Legacy to Cloud-to-CloudInterop ITX: Moving applications: From Legacy to Cloud-to-Cloud
Interop ITX: Moving applications: From Legacy to Cloud-to-Cloud
 
Cloud computing
Cloud computingCloud computing
Cloud computing
 
Who's in your Cloud? Cloud State Monitoring
Who's in your Cloud? Cloud State MonitoringWho's in your Cloud? Cloud State Monitoring
Who's in your Cloud? Cloud State Monitoring
 
Netscaler for mobility and secure remote access
Netscaler for mobility and secure remote accessNetscaler for mobility and secure remote access
Netscaler for mobility and secure remote access
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
 
Enterprise Cloud Transformation
Enterprise Cloud TransformationEnterprise Cloud Transformation
Enterprise Cloud Transformation
 
1. introduction to_cloud_services_architecture
1. introduction to_cloud_services_architecture1. introduction to_cloud_services_architecture
1. introduction to_cloud_services_architecture
 
Dynamic Azure Credentials for Applications and CI/CD Pipelines
Dynamic Azure Credentials for Applications and CI/CD PipelinesDynamic Azure Credentials for Applications and CI/CD Pipelines
Dynamic Azure Credentials for Applications and CI/CD Pipelines
 
Cloud is not an option, but is security?
Cloud is not an option, but is security?Cloud is not an option, but is security?
Cloud is not an option, but is security?
 
cc.pptx
cc.pptxcc.pptx
cc.pptx
 

Plus de Pushpalanka Jayawardhana

Plus de Pushpalanka Jayawardhana (11)

The role of IAM in OpenBanking and where do we stand
The role of IAM in OpenBanking and where do we stand The role of IAM in OpenBanking and where do we stand
The role of IAM in OpenBanking and where do we stand
 
Frictionless Adaption of PSD2 with WSO2
Frictionless Adaption of PSD2 with WSO2Frictionless Adaption of PSD2 with WSO2
Frictionless Adaption of PSD2 with WSO2
 
Identity mediation for enterprise identity bus
Identity mediation for enterprise identity busIdentity mediation for enterprise identity bus
Identity mediation for enterprise identity bus
 
Threads and Concurrency Identifying Performance Deviations in Thread Pools
Threads and Concurrency Identifying Performance Deviations in Thread PoolsThreads and Concurrency Identifying Performance Deviations in Thread Pools
Threads and Concurrency Identifying Performance Deviations in Thread Pools
 
Approximate Protocol for Privacy Preserving Associate Rule Mining
Approximate Protocol for Privacy Preserving Associate Rule MiningApproximate Protocol for Privacy Preserving Associate Rule Mining
Approximate Protocol for Privacy Preserving Associate Rule Mining
 
Leveraging federation capabilities of identity server for api gateway
Leveraging federation capabilities of identity server for api gatewayLeveraging federation capabilities of identity server for api gateway
Leveraging federation capabilities of identity server for api gateway
 
Feedback queuing models for time shared systems
Feedback queuing models for time shared systemsFeedback queuing models for time shared systems
Feedback queuing models for time shared systems
 
Big Data CDR Analyzer - Kanthaka
Big Data CDR Analyzer - KanthakaBig Data CDR Analyzer - Kanthaka
Big Data CDR Analyzer - Kanthaka
 
Kanthaka - High Volume CDR Analyzer
Kanthaka - High Volume CDR AnalyzerKanthaka - High Volume CDR Analyzer
Kanthaka - High Volume CDR Analyzer
 
Experience at WSO2 as an Intern
Experience at WSO2 as an InternExperience at WSO2 as an Intern
Experience at WSO2 as an Intern
 
Cosmology in general
Cosmology in generalCosmology in general
Cosmology in general
 

Dernier

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
Delhi Call girls
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
OnePlan Solutions
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Nitya salvi
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Steffen Staab
 

Dernier (20)

Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfAzure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
Pharm-D Biostatistics and Research methodology
Pharm-D Biostatistics and Research methodologyPharm-D Biostatistics and Research methodology
Pharm-D Biostatistics and Research methodology
 
LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456
LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456
LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456
 

Authorization for workloads in a dynamically scaling heterogeneous system

  • 1. FABRIKAM AUTHORIZATION FOR WORKLOADS IN A DYNAMICALLY SCALING HETEROGENEOUS SYSTEM M.K.P.R. Jayawardhana 158217G Supervised by Prof. Gihan Dias Mr. Prabath Siriwardena Master of Science in Computer Science and Engineering University of Moratuwa Sri Lanka
  • 2. Dvaara Contribution of the Research Considering ‘Cloud’(eg: Amazon EC2, Azure, GCP) as the most common use case of a dynamically scaling, heterogeneous system, ● Design a solution for authorization among multi-cloud systems ● Implement the designed solution Re-use + implement lacking components + integration ● Implementation evaluation using a case study ● Performance evaluation 2
  • 3. Dvaara 3 Introduction Ref : https://www.slideshare.net/ajessup/building-trust-between-modern-distributed-systems-with-spiffe 3 Modern Enterprise Systems, ● Mostly Distributed Systems ● Horizontal Scaling ● Avoid vendor lock-in ● Make use of external systems than having everything in-house, ○ Make use of SaaS providers ○ Make use of PaaS providers ○ Make use of IaaS providers ● High availability concerns ● Elasticity of the system is a concern with rapid growth and peak and off-peak times. ● Follows Micro Services Architecture(MSA)
  • 4. Dvaara Why multi-cloud? ● Organizations are concerned on moving everything to the cloud → Security and Privacy concerns + Vendor lock-in ● Hybrid cloud to get started → Sensitive data residing on-premise and heavy computing delegated to an external cloud. ● Cost-effectiveness and reducing go-to-market time makes cloud appealing. Introduction 4 Ref: https://www.nutanix.com/enterprise-cloud-index/docs/enterprise-cloud-index.pdf, https://www.gartner.com/doc/3784664/building-identity-microservices “MSA(Microservice Architecture)-specific IAM(Identity and Access Management) is still in its infancy. The primary focus of the MSA community thus far has been authentication and, more narrowly, the use of OAuth 2.0, leaving other important questions, such as the authorization architecture, unaddressed”?? - Gartner
  • 5. Dvaara Problem Problem Statement ● Enterprise systems are becoming a service mesh. ● Each component of the system needs to scale as required, while being able to interact with other services. ● Interaction needs to be secured. ● Authentication between these services is being addressed. 5Ref : https://azure.microsoft.com/en-us/blog/microservices-on-azure-kubernetes-guidance/ How do we define and implement an authorization system for a multi-cloud enterprise system?
  • 6. Dvaara Use Case Problem Statement An e-commerce company has decided to start a cloud journey with below, considering the features supported by each CSP, cost and vendor lock-in. ● Keep the sensitive business operations in the on-premise cloud. ● Send data to be stored or archived to Amazon S3. Use EC2 analyse and summarize this data. ● Host a dashboard in GCP, that summarizes the details in Amazon S3 to identify the trends in the market. ● Need high elasticity (peak, off-peak seasons and times) To build the secure boundary, below interactions need to be secured - On-premise to Amazon - Amazon to GCP 6
  • 7. Dvaara Use Case - Problem Problem Statement Service authentication between multi-clouds when dynamic scaling is in place, is already a concern being addressed by research community. - Shared secret based - Kerberos protocol - CSP provided privileged API - SPIFFE standard How to support ‘Service Authorization’ in this system? 7 What should he be allowed to do?
  • 8. Dvaara Approach ● Study existing models, solutions and standards that support authorization between services. ● Study the other relevant aspects of authorization such as authentication and administration of access control policy as required by the authorization architecture for a cloud system. ● Build up the components of the architecture, that can coexist with the current enterprise systems, providing authorization capabilities across clouds. 8 Objectives
  • 9. Dvaara Literature Review Literature Review 1. Classical Security Models 1.1. Authentication 1.2. Authorization 2. Future of Cloud Systems 3. Workloads 3.1. Workload Authentication 3.2. Workload Authorization 9
  • 10. Dvaara Access Control Literature Review 10 Ref : R. S. Sandhu and P. Samarati, “Access control: principle and practice,” IEEE Commun. Mag., vol. 32, no. 9, pp. 40–48, 1994
  • 11. Dvaara Authentication Literature Review Identifying an entity such as a person, a group, a device or an application to be what they declare to be, - Something Known - Something Possessed - Something Inherent 11 Ref: D. Gollmann, “Computer security,” WIREs Comp Stat, vol. 2, no. 5, Sep. 2010
  • 12. Dvaara Authorization Literature Review ● DAC ● MAC ● Access Control Matrix ○ Access Control List ● RBAC ● ABAC ● XACML ● OPA 12 Image : https://image.slidesharecdn.com/350pmaxio-irmsummit2014gerry-140611105654-phpapp02/ 95/top-ten-reasons-why-developers-dont-adopt-abac-10-638.jpg Ref : R. S. Sandhu and P. Samarati, “Access control: principle and practice,” IEEE Commun. Mag., vol. 32, no. 9, pp. 40–48, 1994
  • 13. Dvaara Classical Security Models Literature Review ● Bell-La-Padula model - Confidentiality ● BIBA model - Integrity ● Chinese-Wall model - Conflict of Interest ● Clark-Wilson model - Integrity of commercial systems, Separation of duties ● Graham-Denning(GD) model - State transitions based on ACM ● Harrizon-Ruzzo-Ullman Model - Extending GD model ● Take-Grant Model - State transitions for confidentiality 13 Ref: D. Gollmann, “Computer security,” WIREs Comp Stat, vol. 2, no. 5, Sep. 2010
  • 14. Dvaara Cloud Literature Review - The most common, dynamically scaling, heterogeneous system - SaaS, PaaS, IaaS - Hyper-converged cloud to catalyze multi-cloud systems 14Ref: https://www.timetoast.com/timelines/cloud-computing-history
  • 15. Dvaara Workload Literature Review “A highly cohesive and de-coupled capability or a unit of work that collectively builds up an enterprise application, which can be running on cloud or on-premise” Eg: ● a microservice ● a Kubernetes pod ● a process in a VM 15 Ref: https://siliconangle.com/wp-content/blogs.dir/1/files/2016/02/illumio.png Ref : M. C. Calzarossa, M. L. Della Vedova, L. Massari, D. Petcu, M. I. M. Tabash, and D. Tessera, “Workloads in the Clouds,”, Springer International Publishing, 2016, pp. 525–550
  • 16. Dvaara Workload Authentication Literature Review ● Challenge-response authentication ○ Credentials stored with workload ○ Challenged to provide an inherent attribute based on the system ● Needham–Schroeder protocol ○ Use a symmetric key ○ Based on a third party ‘Authentication server’, building trust ● Kerberos Protocol ○ Based on KDC (Key Distribution Center) ○ Not relying on network security 16 Ref: B. C. Neuman and T. Ts’o, “Kerberos: an authentication service for computer networks,” IEEE Commun. Mag., vol. 32, no. 9, pp. 33–38, Sep. 1994.
  • 17. Dvaara Single Cloud Authentication Literature Review ● Platform provided privileged API based authentication ○ Amazon EC2 IID ○ Google Cloud Provider IIT ○ Microsoft Azure MSI 17 { "iss": "[TOKEN_ISSUER]", "iat": [ISSUED_TIME], "exp": [EXPIRED_TIME], "aud": "[AUDIENCE]", "sub": "[SUBJECT]", "azp": "[AUTHORIZED_PARTY]", "google": { "compute_engine": { "project_id": "[PROJECT_ID]", "project_number": [PROJECT_NUMBER], "zone": "[ZONE]", "instance_id": [INSTANCE_ID], "instance_name": "[INSTANCE_NAME]" "instance_creation_timestamp": [CREATION_TIMESTAMP] } } }
  • 18. Dvaara Multi-Cloud Authentication Literature Review SPIFFE (Secure Production Identity Framework For Everyone) ● A common protocol based on ‘Platform Provided Privileged API’ for authentication. ● Extendable to work with CSPs. ● A standard accepted by the CNCF(Cloud Native Computing Foundation). 18
  • 19. Dvaara Workload Authorization Literature Review ● RBAC ○ OAuth 2.0 with scopes - client_credentials grant ● ABAC ○ OAuth 2.0 with scopes - client_credentials grant ○ XACML ○ OPA ● Authorization Servers in the market ○ Based on OAuth2.0 MTLS standard ○ KeyCloak, Gluu, WSO2 IS, Ping Identity, IBM API Connect 19
  • 21. Dvaara Dvaara Design Options Solution Design Enforcing authentication and authorization 21 Local authentication and authorization Local authorization and Global authentication Local authentication and Global Authorization Global authentication and authorization
  • 22. Dvaara Dvaara Design Authentication Solution Design Comparison Authentication Mechanism 22 Mechanism Do not require to deploy credentials with the workload Single identity per workload API driven credentials rotation and distribution Cross-platform trust building Firewall Yes Yes No Yes Destination authentication No No No Yes Platform mediated identity Yes Yes Yes No SPIFFE Yes Yes Yes Yes
  • 23. Dvaara Dvaara Design Authorization Solution Design ● DAC vs MAC ○ Governing authorization of information flow is not in the current scope ○ Hence DAC ● RBAC vs ABAC ○ Need to considered fine grained attributes of workloads 23 RBAC ABAC Simplicity Yes Can be Complex Fine-grained No Yes Standardized No Yes (XACML/OPA) Comparison Authorization Mechanism
  • 24. Dvaara Dvaara Design - XACML or OPA Solution Design ● XACML vs OPA - policy comparison 24 XACML OPA Flexible ABAC support Yes Yes Extendability Yes Yes Complexity High Occasionally Verbose Yes No Required training Yes (Though it’s XML, have specific functions and behaviors to understand) Yes (Though it’s JSON like, have special meanings for symbols and ways of writing rules) Implementation Availability Axiomatics, Sun XACML engine, WSO2 Identity Server OPA Background Open standard by OASIS Open implementation, CNCF accepted.
  • 29. Dvaara Dvaara Implementation Contribution Solution Implementation Chain of Responsibility Pattern 29 TLS level validation on the SPIFFE X509 cert OPA based decision on allowed scopes, based on SPIFFE ID Token validation request ABAC, validating the workload attributes and context against OPA policy Using Java-SPIFFE lib New implementation of OPA based scope validation handler New implementation of OPA based token validation handler - Selected WSO2 IS authorization server was patched to support required parameters to be sent to OPA engine. WSO2 IS patched to enrich
  • 30. Dvaara Evaluation Solution Evaluation 30 1 2 1 - Token Request 2 - Actual API consumption using token
  • 32. Dvaara Evaluation Solution Evaluation 32 Correctness - Considered the use case of an employee management solution - Authorized access to a salary mgt API - Fine grained authorization based on Infrastructure layer details and application layer details - Verified results against the expected results
  • 33. Dvaara Conclusion 33 - What Dvaara can do? - Make authorization decisions based on infrastructure level and application level attributes - Understands the SPIFFE based authentication - Allow dynamic changes to authorization policy - Dvaara provides a viable solution for workload authorization in a multi-cloud system - Dvaara provides fine grained authorization in a dynamic manner - Dvaara bridges the existing authorization technology of OAuth 2.0 and TLS widely adopted open standard to the emerging cloud native standards of SPIFFE and OPA - Dvaara open doors for the existing enterprise systems to have benefits of hybrid or multi-cloud without compromising on service authorization policies.
  • 34. Dvaara Future Work 34 - Make access token a JWT(JSON Web Token) that can carry attributes(advices) between the workloads - Federation between SPIRE server or Authorization servers to expand trust boundary in a seamless manner - Performance improvements - add caching improvements at token validation - Provide an administration portal for the system - Single view on policy available to issue SPIFFE IDs - Single view of policies active in OPA engine - CRUD operations on the policies and evaluating the effect - Current overview of the system (active workloads, tokens etc.) - OAuth 2.0 specification to bind the token to the TLS layer. (currently happening in Dvaara in an indirect way)