Streamlining Python Development: A Guide to a Modern Project Setup
My private cloud overview
1. My Private Cloud Overview
David W Chadwick, Matteo Casenove,
Stijn F Lievens, Jerry I den Hartog,
Andreas Pashalidis, Joseph Alhadeff
5 July 2011 IEEE Cloud 2011 1
2. Project Objectives
• Migrate the trust, security and privacy preserving
infrastructure from the EC TAS3 project to cloud
services.
• The TSP infrastructure relies on trusted cloud
providers to operate in good faith but this can be
checked – trust but verify
• Infrastructure is built from legal agreements and open
source software services
• Software services include: trust and reputation
management, sticky policies with fine grained access
controls, privacy preserving delegation of authority,
federated identity management, different levels of
assurance and configurable audit trails
5 July 2011 IEEE Cloud 2011 2
3. Legend
IdP=Identity Provider
Architectural Components
AA=Attribute Authority
IdP Service
DS=Delegation Service
Authn=Authentication Directory
AA
Service DS
P/S=Publish-Subscribe Audit
Service Authn Service
CSP=Cloud Service P/S
Provider
PEP=Policy
Enforcement Point Trust and
Trust
PDP= Policy Decision Reputation
Network
Point Service
Authz=Authorisation CSP
WSC
Infrastructure
Appln=Application Code Dash Appln
P
WSC=Web Services Audit
E Authz
Client
P Infr
Dash=User’s dashboard
service TAAS
PDP DS
TAAS=Trusted Attribute
Aggregation Service
5 July 2011 IEEE Cloud 2011 3
4. Progress To Date
• Have defined and implemented APIs (in php)
for
• Federated Identity Management with different
Levels of Assurance
• Privacy Preserving Delegation of Authority
• Granting of Access Rights to Other Account
Holders
• And built these into a front end Proxy Service
to Amazon/Eucalyptus S3 service
5 July 2011 IEEE Cloud 2011 4
5. UK AMF
Authz Database
IdP 1
Account
DB
Authz API IdP 2
WAYF …
Simple
SAMLphp IdP n
Authn Proxy
API IdP
Cloud
(Simple
Service
SAML Other IdPs
phpSP)
CVS OpenID Facebook Google Twitter
Org
LDAP
Delegation API
LEGEND
Delegation Issuing = Cloud API Security Services
Web Service = External Services
= Locally Provided Services
8. User Logs In via chosen IdP
5 July 2011 IEEE Cloud 2011 8
9. User is shown all the Accounts that his Attributes give
him Ownership of, and Opens (or Creates) one
5 July 2011 IEEE Cloud 2011 9
10. User is shown Account Details of Opened Account
List of Your Delegates
List of Buckets You Own
List of Buckets and Files that other
Account Owners have shared with you
5 July 2011 IEEE Cloud 2011 10
11. User Opens a Bucket
Can view/alter Access Rights Can upload/download files
5 July 2011 IEEE Cloud 2011 11
12. Showing Permissions that You have Granted to Others
Permissions given to other Account Holders
Permissions given to Contacts
Give New Permissions to Others
5 July 2011 IEEE Cloud 2011 12
13. Granting Permissions To Others
Granting Public access
Granting access to other
Account Holders
Granting access
to Contacts/Delegates
5 July 2011 IEEE Cloud 2011 13
14. Adding a New Contact
5 July 2011 IEEE Cloud 2011 14
15. Next Steps
• Define an API for secure auditing and
integrate this into system
• Implement existing APIs in other cloud
services
• Define APIs for trust and reputation
management
5 July 2011 IEEE Cloud 2011 15
16. Acknowledgements
• This research has received funding from
• EC’s FP7 under grant agreement n° 216287
(Trusted Architecture for Securely Shared
Services) and
• UK’s EPSRC under grant ref. n° EP/1034181/1
(My Private Cloud)
5 July 2011 IEEE Cloud 2011 16