A Decentralized Approach for Implementing Identity Management in Cloud Computing
Jun Chen, Xing Wu*, Shilin Zhang, Wu Zhang
School of Computer Engineering and Science
Shanghai University, Shanghai, China
e-mail: xingwu@shu.edu.cn
Yanping Niu
ShanXi North Fenglei Industry Group Co Ltd
ShanXi, China

Abstract—Cloud computing is the next generation of computing paradigm. Along with cloud computing, many related problems come up, and these problems in turn slow down the development of cloud computing. Among these problems, e.g. interoperability and privacy, identity management and security are of strong concern. Many researchers and enterprises have already done a lot to optimize identity management and strengthen security in cloud computing. Most of these studies focus on the usability of identity management and on various methods to help improve security. In this paper, we do some research from a new angle. Because the federated solution of identity management helps relieve many problems, it is adopted by many platforms and enterprises. The general approach for deploying identity management is a centralized component processing authentication and authorization requests. But with the cloud growing in scale and the increasing number of users, this centralized solution will be the bottleneck of the cloud. In this paper, we propose a decentralized approach for implementing identity management in a service oriented architecture in cloud computing, and a grouping algorithm as the deployment strategy. Security is another problem involved in this paper. Since many researchers have done many detailed and fruitful studies in security, the security solution illustrated in this paper is specific to the proposed architecture.

Keywords-cloud computing; identity management (IdM); service oriented architecture (SOA); grouping algorithm; security
I. INTRODUCTION
Cloud computing is the next generation of computing paradigm. It implies a service oriented architecture (SOA) for computing resources. Cloud computing is a quite new computing paradigm and infrastructure, and there is little consensus on how to define the Cloud [1]. Ian Foster et al. in [2] have defined it as:
A large-scale distributed computing paradigm that is driven by economies of scale, in which a pool of abstracted, virtualized, dynamically-scalable, managed computing power, storage, platforms, and services are delivered on demand to external customers over the Internet.
The SOA is hierarchical and is usually organized as a three-level architecture. The bottom level is Infrastructure as a Service (IaaS). It supplies users with all utilities, e.g. processing, storage, network and other basic computing resources. Users can deploy and run any kind of software, including operating systems and applications. Amazon AWS is a provider of IaaS. The middle level is Platform as a Service (PaaS). In this fashion of service provision, customers can deploy their applications, developed with a programming language or utility (Java, Python, .Net, etc.), to the cloud infrastructure. Google App Engine is a PaaS provider. The top level is Software as a Service (SaaS). The services provided to customers are applications running in the cloud infrastructure. Salesforce.com is a SaaS provider.
With the requirements of e-business and the development of cloud computing, a stronger mechanism for authentication is needed. It is known as identity management (IdM) [3].
Researchers around the world have done many studies on IdM and related technologies. Here we give some introduction and organize this knowledge; the details are stated in Section II.
IdM does some specific jobs. In [3], the authors state that the need for IdM for the cloud is a trust model that handles (i) various trust relationships, (ii) access control policies based on roles and attributes, (iii) real-time provisioning, (iv) authorization, and (v) auditing and accountability. In [4], the authors state that an IdM system supports the management of multiple digital identities. It also decides how to best disclose personally identifiable information to obtain a particular service.
The deployment of IdM has multiple models, such as the isolated IdM, the centralized IdM, the federated IdM and also personal authentication management [5].
With the recent shift in identity solutions from being organization-centric to user-centric [6], single sign-on (SSO) is becoming an important experience for users. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them [7]. Almost all state-of-the-art IdMs support SSO, and it is also the property adopted in this paper.
Security is one of the largest concerns for the adoption of cloud computing, and security is a big issue related to many aspects. What is discussed in this paper is intrusion detection, including the deployment strategy and the measuring algorithm.
2012 Second International Conference on Cloud and Green Computing
II. RELATED WORKS
In this section, some related works are discussed, e.g. IdM technology and security. We also present problems in present IdM solutions.

A. Identity Management
There are several solutions for deploying IdM, as introduced above. In the isolated IdM model, services are owned and managed by separate service providers, and each provider provides service-specific identifiers and does identity management by itself. So an entity has an identity in every service. In the centralized IdM model, a new entity called the identity provider (IDP) is introduced, which is responsible for identity management in its domain. The federated IdM model and the centralized IdM look somewhat alike, but they focus on different aspects. The federated IdM also manages attributes and credentials and authenticates and authorizes entities in its domain. The main feature of the federated IdM is that it is capable of providing cross-domain identity service for different services which may use incompatible identity technologies, attributes and credentials. In personal IdM (Personal Authentication Management), an entity manages identities by itself [8].
In [4], the authors collect three known solutions for IdM: Privacy and Identity Management for Europe (PRIME), Windows CardSpace, and OpenID. They also propose an entity-centric approach for IdM in the cloud that is based on active bundles and anonymous identification. These are all specific solutions for IdM that use many related technologies and can be adopted by many cloud computing IdM deployments. In this paper, these detailed matters are not discussed.
In [9], the authors build a distributed identity management model for digital ecosystems. A digital ecosystem is a collection of institutions that compete, collaborate and form stable or unstable federations. In a single institution, there are several technologies and standards used for managing distributed identities. The most mature and widely deployed solutions for federated identity are the SAML and Liberty Alliance standards. But institutions cannot always be the same, and they may be heterogeneous. To help these institutions set up a federated IdM and work as an integrated one, especially for small and medium-size enterprises, a flexible and simple solution is needed to realize the requirement. When service invoking happens inside an institution, there are multiple choices to deploy IdM, and it is relatively easy to implement. In a service composition scenario, the service provider aggregating services from other service providers needs to run the services in the name of the user, and so it has to authenticate the user to the other providers. To solve this problem, the authors adopt the use of a Proxy Certificate (PC) that the client issues to the provider of the composite service. When a user requests a composite service from the service provider, the user identifies itself to the certificate authority (SSO use case) and a PC is issued to this service provider. A service that the user requests is contained in another institution, which is another trust context and has its own service provider and certificate authority. The user delegates the original service provider to request the service from the second service provider. The second service provider redirects the original one to its certificate authority. Then the original service provider authenticates the user at this certificate authority using the PC obtained previously.
The paper [10] aims to introduce new concepts in cloud computing and security, focusing on heterogeneous and federated scenarios. It is somewhat similar to [9]. The main thought is that adopting the "IdM/SP model" allows solving the SSO authentication problem using a global approach and integrating many security technologies. They implement a new SAML profile defining the interaction among the home cloud authentication module(s), the foreign cloud authentication module(s) and the Identity Providers (IdP), to define the message exchange flow between the entities in their model.
As shown in [9][10], it is possible to implement IdM between service groups. For some reasons, people may want to divide the cloud into parts to meet their requirements, and compared to the discussed scenarios, the service groups that come from one cloud are more homogeneous. The characteristics, e.g. the type of security token, are often the same. So it is easy to implement federated IdM for a distributed architecture.
B. Security
Security is one of the largest concerns for the adoption of cloud computing. In [2], the paper outlines seven risks a cloud user should raise with vendors before committing: 1) Privileged user access; 2) Regulatory compliance; 3) Data location; 4) Data segregation; 5) Recovery; 6) Investigative support; 7) Long-term viability. In [3], the paper describes the security of cloud computing in a layered framework, including: 1) Secure Hypervisors; 2) Secure Cloud Storage Management; 3) Secure Cloud Data Management; 4) Secure Cloud Network Management; 5) Security Policy Management for Cloud Computing; 6) Cloud Monitoring.
In this paper, we adopt the idea of the layered framework of [3] and focus on the cloud monitoring layer. A widely used method for cloud monitoring is intrusion detection.
In [11], the paper introduces the history of the development of intrusion detection, an overview of the technology itself and other related open issues. There are two basic categories of intrusion detection techniques: anomaly detection and misuse detection. Anomaly detection uses models of the intended behavior of users and applications, interpreting deviations from normal behavior. Misuse detection systems essentially define what is wrong. The main advantage of anomaly detection systems is that they can detect previously unknown attacks, but it is difficult to distinguish between anomalous and normal behavior. While today's intrusion detection systems primarily rely on misuse detection techniques, many researchers advocate using a hybrid misuse-anomaly detection approach to take advantage of anomaly detection's ability to detect new attacks, but without the approach's accompanying high rate of false positives.
There are some strategies for implementing intrusion detection. In [12], the authors propose a set of requirements to be included in the Service-Level-Agreement (SLA) for cloud computing contracts. In [13], the authors proposed the Grid and Cloud Computing Intrusion Detection System (GCCIDS), which is designed as an audit system for attacks that the networks and hosts cannot detect. This means that each node has its own job of intrusion detection and also alerts the other nodes, so the system can detect intrusions against the cloud. In [14], the authors proposed an intrusion detection Web Service based on the VM-based Intrusion Detection System.
There are also some methods for analyzing the detected data. In [15], the authors demonstrated the effectiveness of the proposed relevance feature selection approach with the data mining technique and the machine learning technique.
C. Problem area
As demonstrated in [5], current approaches to IdM are often implemented as user-centric, service-centric and network-centric solutions. The user-centric perspective aims at providing users with mechanisms like user consent and SSO. The service-centric perspective focuses on service provider-related aspects, and the network-centric perspective is concerned with network provider-related issues. We can see the result of this analysis as a hierarchical architecture from the abstract to the physical. As many IdMs are deployed in a SOA environment, it means that IdMs are deployed in the service-centric, abstract perspective. When services invoke each other, one sends a request together with a token to another service. IdM is inserted into the procedure as a middleware dealing with authentication and authorization, as shown in Figure 1. Considering the physical layer, when all the services in a cloud need a single IdM to handle authentication and authorization, it is not a small overhead. And with the scale of the cloud and the number of users surging, the predicament becomes apparent. This will be the bottleneck of the performance of the cloud.
III. PROPOSED DECENTRALIZED IDENTITY MANAGEMENT ARCHITECTURE
As explained in [2], the cloud is seen as a container full of various kinds of services.
Virtualization, as an indispensable ingredient of almost every cloud, realizes the abstraction that all the applications appear to the users as if they were running simultaneously and that users use all the available resources in the Cloud [2]. These available resources can be seen as services in SOA. So at the granularity of services, it is possible to organize services in groups.
According to our analysis, implementing IdM in a centralized way is not a good solution with the scale of the cloud and the number of users surging.
With the computing paradigm of cloud computing, it is convenient for users to get the resources they want in a flexible, easy way. These resources can be computing power, storage, VMs (virtual machines), etc. From the users' point of view, these services have tight relationships. They may wish to integrate these services working for them if they can. But inside the cloud, it is different from the users' view. Some services communicate with each other frequently, e.g. the VM creation service always invokes the service of retrieving images. And there are still many services that have little communication with each other, e.g. the invocation between the service that provides users the GUI interface and the service of retrieving images happens seldom or never.
Nowadays, it is very popular to enforce a federated IdM to offer users the SSO (Single-Sign-On) experience. We will also adopt this solution for our implementation, but we make some changes according to the above analysis. Services that have tight relationships, meaning they communicate with each other frequently, are divided into a group. We call the group a TC (Trust Context). If there are still some invocations between TCs, we will create another TC at a higher level until we get TCs that meet our criterion. We will talk about the criterion right away. The abstract implementation is shown in Figure 2.
Next, we will describe our work in detail, including a grouping algorithm, security issues and other performance improvement advice.

Figure 1. Centralized IdM in cloud computing
Figure 2. Decentralized IdM in cloud computing

A. Grouping Algorithm
We do some abstraction and get a big graph with many connected components. These connected components are weighted undirected acyclic graphs (WUAG). Each connected component is a subgraph of the original. Since the subgraphs have already been separated from each other and the services included in one subgraph have been grouped in a group, we describe our algorithm on one subgraph, a WUAG.
Though IdMs act as middleware between services, the request and response travel between services and are dealt with in service nodes. So we ignore IdM components while running the grouping algorithm, and when all of the processes finish, IdM will be deployed.
The vertexes in the graph represent services in the cloud when executing the grouping algorithm the first time. Afterwards, the vertexes represent the already grouped service groups (TCs).
If services or TCs communicate with each other, there will be an edge between them, and the weight applied to an edge comes from the statistical data.
1) Grouping algorithm
The data used in the grouping algorithm should be counted in a real cloud computing environment. All statistical data are the numbers of times that services communicate with each other. While services are running all the time, a time interval is set for collecting the statistical data.
The first quantity is called THRESHOLD. If the number of times that services communicate through one IdM is more than the THRESHOLD, performance will be affected. Cloud computing performance is actually difficult to measure; it may be the waiting time for a service or something else. But as it is not the main idea of this paper, we will not discuss it further.
The second quantity is called WEIGHT, and every edge in a WUAG has a WEIGHT. It is the number of times that the services adjoining the edge communicate in the set time interval.
Symbols used:
G: a graph
vx: the vertex x in the graph
ex: the edge x in the graph
P(G): the number of connected components of the graph G
w(ex): the weight of the edge ex in the graph
w(G): the sum of all the edge weights in the graph G
n(G): the number of vertexes in the graph G
Next, the grouping algorithm will be demonstrated.
Initial state:
THRESHOLD
G
v[1, 2, 3, ...]
e[1, 2, 3, ...]
P(G) = 1
w(e[1, 2, 3, ...]) (> 0)
w(G) (> 0)
n(G) (> 0)
Pseudo code:
G0 = G
// G0: the graph before the current deletion
// G1: the graph after the current deletion
a) if w(G0) <= THRESHOLD then
       return;
   else if n(G0) <= 2 then
       return;
   else
       goto b);
   end if
b) list[ex, ey, ez, ...]: the edges of G0 ordered by list[w(ex), w(ey), w(ez), ...] from small to large
c) delete the next edge ex of the list and get a new graph G1
   // edges are deleted in order of weight from small to large, one edge at a time;
   // an edge whose deletion does not split the graph stays deleted
   if P(G1) = P(G0) then
       goto c);
   else
       // two new graphs form: list[G', G"]
       // make sure that no new graph with a single vertex forms
       for Gt in list[G', G"]
           if n(Gt) < 2 then
               undo the delete operation of this time and continue c) with the next edge;
           end if
       end for
       // do the same operation for each new graph as was done to the origin graph
       for Gt in list[G', G"]
           G0 = Gt; goto a);
       end for
   end if
Though the grouping algorithm has been applied once in the cloud environment, it does not finish there. We abstract another WUAG. But in this WUAG, a vertex is a TC, a group formed in the previous steps, and an edge means that there is communication between the vertexes adjoining it; the number of times is applied to the edge as its weight. Next the grouping algorithm is applied to the new WUAG.
The above flow may be applied several times until all of the service nodes or TCs meet the algorithm's requirement. Each TC deploys an IdM in it to handle identity service for the services or lower-level TCs that are strongly coupled. The result with IdMs is a hierarchical tree structure.
In the next section, a simple example will be used to help illustrate the grouping algorithm.
2) Algorithm demonstration
We come up with a simple example to demonstrate how the grouping algorithm works.
A WUAG is shown in Figure 3; the meaning of each symbol is illustrated above, and the number attached to an edge is the weight of the edge.
Initial state:
Figure 4; THRESHOLD = 25; w(G) = 110; P(G) = 1; n(G) = 10
Demonstration:
w(G) > THRESHOLD; P(G) = 1
Table 1. Edges from small to large
• delete e2; P(G1) = 1
• delete e5; P(G2) = 1
• delete e4; P(G3) = 2; two subgraphs G31, G32; n(G31) = 1, n(G32) = 10; n(G31) < 2, undo delete e4
• delete e7; P(G4) = 2; two subgraphs G41, G42; n(G41) = 5, n(G42) = 5; w(G41) = 56, w(G42) = 42; w(G41) > THRESHOLD, w(G42) > THRESHOLD
• delete e11; P(G5) = 3; three subgraphs G51, G52, G53; n(G51) = 1, n(G52) = 4, n(G53) = 5; n(G51) < 2, undo delete e11
• delete e6; P(G6) = 3; three subgraphs G61, G62, G63; n(G61) = 1, n(G62) = 4, n(G63) = 5; n(G61) < 2, undo delete e6
• delete e3; P(G7) = 3; three subgraphs G71, G72, G73; n(G71) = 2, n(G72) = 3, n(G73) = 5; w(G71) = 30, w(G72) = 16, w(G73) = 42; n(G71) == 2, OK; w(G72) <= THRESHOLD, OK
To keep the demo simple, only subgraph G73 is taken into examination next.
P(G73) = 1
• delete e8; e8 is not an edge of G73, undo delete e8
• delete e9; P(G731) = 2; two subgraphs G7311, G7312; n(G7311) = 2, n(G7312) = 3; w(G7311) = 9, w(G7312) = 24; w(G7311) <= THRESHOLD, OK; w(G7312) <= THRESHOLD, OK
The original graph is grouped into four TCs. Each TC is a vertex, and the number applied to each edge is the number of communications between TCs in the new graph, as shown in Figure 5. As the new graph does not meet the algorithm's requirement, the grouping algorithm should execute again.

Figure 3. WUAG1
Figure 4. WUAG1 grouped
Figure 5. WUAG2

Initial state:
Figure 5; THRESHOLD = 25; w(G) = 34; P(G) = 1; n(G) = 4
Demonstration:
w(G) > THRESHOLD; P(G) = 1
Table 2. Edges from small to large
• delete e4; P(G1) = 1
• delete e2; P(G2) = 2; two subgraphs G21, G22; n(G21) = 2, n(G22) = 2; w(G21) = 10, w(G22) = 12; w(G21) <= THRESHOLD, OK; w(G22) <= THRESHOLD, OK
In the previous step, we get two new TCs, and further work needs to be done to check whether the current architecture has met the algorithm's requirement. As Figure 7 shows: n(G) = 2 and w(G) < THRESHOLD. The entire algorithm has finished, and the resulting architecture is shown in Figure 2 with IdM deployed.
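As an added, runnable illustration of the grouping algorithm of III.A.1 and of the level-by-level regrouping walked through in III.A.2 (this is not the paper's own code): the six-service graph, its edge weights and THRESHOLD = 25 below are constructed for the demonstration rather than taken from Figure 3, and edge deletion, the single-vertex undo and the contraction of TCs into the next WUAG follow the pseudo code above.

```python
# Added example (not the paper's code): the grouping algorithm of Section III.A
# run on a constructed six-service WUAG, then repeated on the contracted TC graph.
from collections import defaultdict

THRESHOLD = 25  # constructed value, as in the paper's demonstration
# Constructed statistics: edge weight = communications per time interval.
SERVICES = {"A", "B", "C", "D", "E", "F"}
EDGES = {
    frozenset("AB"): 20, frozenset("BC"): 3, frozenset("CD"): 12,
    frozenset("DE"): 10, frozenset("CE"): 5, frozenset("EF"): 2,
}

def sub_edges(edges, comp):
    """Edges with both endpoints inside the vertex set `comp`."""
    return {e: w for e, w in edges.items() if e <= comp}

def components(vertices, edges):
    """Connected components of (vertices, edges) as a list of frozensets."""
    adj = defaultdict(set)
    for e in edges:
        u, v = tuple(e)
        adj[u].add(v)
        adj[v].add(u)
    seen, comps = set(), []
    for start in sorted(vertices):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            x = stack.pop()
            if x not in comp:
                comp.add(x)
                stack.extend(adj[x] - comp)
        seen |= comp
        comps.append(frozenset(comp))
    return comps

def group(vertices, edges, threshold=THRESHOLD):
    """Split a WUAG into trust contexts (TCs); returns a list of vertex sets."""
    comps = components(vertices, edges)
    if len(comps) > 1:  # the paper treats each connected component separately
        return [tc for c in comps for tc in group(c, sub_edges(edges, c), threshold)]
    vertices, edges = frozenset(vertices), dict(edges)
    # a) stop when the traffic is light enough or the graph cannot be split
    if sum(edges.values()) <= threshold or len(vertices) <= 2:
        return [vertices]
    # b) order edges by weight from small to large; c) delete one at a time
    for e in sorted(edges, key=lambda e: (edges[e], sorted(e))):
        w = edges.pop(e)
        parts = components(vertices, edges)
        if len(parts) == 1:
            continue  # still connected: the edge stays deleted, take the next
        if any(len(p) < 2 for p in parts):
            edges[e] = w  # a single-vertex graph would form: undo, take the next
            continue
        # two new graphs: treat each exactly as the origin graph was treated
        return [tc for p in parts for tc in group(p, sub_edges(edges, p), threshold)]
    return [vertices]  # no admissible cut found: the graph stays one TC

def contract(tcs, edges):
    """Next-level WUAG: one vertex per TC, edge weight = traffic between two TCs."""
    owner = {v: i for i, tc in enumerate(tcs) for v in tc}
    new_edges = defaultdict(int)
    for e, w in edges.items():
        u, v = tuple(e)
        if owner[u] != owner[v]:
            new_edges[frozenset((owner[u], owner[v]))] += w
    return set(range(len(tcs))), dict(new_edges)

def hierarchy(vertices, edges, threshold=THRESHOLD):
    """Group, contract, and repeat until one TC (the root IdM) remains.
    Returns the TC list of every level, lowest level first."""
    levels = []
    while True:
        tcs = group(vertices, edges, threshold)
        levels.append(tcs)
        if len(tcs) == 1 or len(tcs) == len(vertices):  # finished or no progress
            return levels
        vertices, edges = contract(tcs, edges)

if __name__ == "__main__":
    for depth, level in enumerate(hierarchy(SERVICES, EDGES)):
        print(f"level {depth}: {[sorted(tc) for tc in level]}")
```

On this graph the first level yields the TCs {A,B}, {C,D} and {E,F}, each with its own IdM; the contracted graph carries 18 communications, below THRESHOLD, so one root TC covers all three.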
B. Security Issues
In [14], the authors have already proposed an intrusion detection Web Service based on the VM-based intrusion detection system. It is not complicated to adopt this solution in our proposed architecture.
As discussed above, there are two basic categories of intrusion detection techniques: anomaly detection and misuse detection. While the anomaly detection system has the advantage of detecting previously unknown attacks, distinguishing anomalous from normal behavior is a tough job. This paper imports the idea of a fraud-preventing trust model in P2P networks [16], and the part of [16] useful to this paper is the basic trust model of direct trust.
Assume that in the SOA cloud computing environment, U is the service request node and S is the service provide node. We define T_{U→S} as the trust of U in S. The formula for calculating T_{U→S} is:
(1)
Evn is the evaluation of the current trade. When a normal trade happens, Evn is a positive number; on the contrary, Evn is a negative number when an anomalous trade happens. The other term is the trust before the current trade. And α is the aggregation weight of the current evaluation and the historical trust. The value of α can be changed according to whether there is anomalous behavior or not.
As demonstrated in [11], a basic assumption of anomaly detection is that attacks differ from normal behavior. But the definition of what is normal and what is abnormal is ambiguous. For example, a particular user typically logs in around 10 am, but one day the user logged in at 3 am. This activity can be flagged as suspicious. So data mining technology is needed to do analysis before formula (1) is applied.
IV. CONCLUSION
In this paper, we research identity management in cloud computing and propose a decentralized approach for IdM, considering that with the scale of the cloud and the number of users surging, the traditional federated IdM will be the bottleneck of cloud computing. This paper demonstrates the architecture of the proposed approach and the algorithm for implementing the architecture. At last, this paper also involves security issues. This makes the paper integrated.
With the development of cloud computing, issues related to the core of the cloud are coming into notice heavily. Considering and completing every aspect of cloud computing is the prerequisite for the new paradigm to be widely accepted.
V. FUTURE WORK
The grouping algorithm is rough and not flexible enough. So the next job is optimizing the algorithm. Also a prototype implementation is needed.
This work is supported by the project of the Science and Technology Commission of Shanghai Municipality: 10510500600, and by Shanghai Leading Academic Discipline Project [J50103].
Figure 6. WUAG2 grouped
Figure 7. WUAG3

REFERENCES
[1] "Twenty Experts Define Cloud Computing", SYS-CON Media Inc., http://cloudcomputing.sys-con.com/read/612375_p.htm, 2008.
[2] I. Foster, Yong Zhao, I. Raicu, and S. Lu, "Cloud Computing and Grid Computing 360-Degree Compared," in Grid Computing Environments Workshop, 2008 (GCE '08), November 2008, pp. 1-10.
[3] K. Hamlen, Peng Liu, M. Kantarcioglu, B. Thuraisingham, and Ting Yu, "Identity Management for Cloud Computing: Developments and Directions," in CSIIRW '11: Proceedings of the Seventh Annual Workshop on Cyber Security and Information Intelligence Research, ACM, New York, USA, 2011, Article No. 32, pp. 1-5.
[4] P. Angin, B. Bhargava, R. Ranchal, N. Singh, L. B. Othmane, L. Lilien, and M. Linderman, "An Entity-Centric Approach for Privacy and Identity Management in Cloud Computing," Proc. 29th IEEE Intl. Symp. on Reliable Distributed Systems (SRDS 10), pp. 177-183, doi: 10.1109/SRDS.2010.28.
[5] M. Dabrowski and P. Pacyna, "Generic and complete three-level identity management model," in 2nd International Conference on Emerging Security Information, Systems and Technologies, Cap Esterel, 2008.
[6] R. H. Khan, J. Ylitalo, and A. S. Ahmed, "OpenID Authentication As A Service in OpenStack," Information Assurance and Security (IAS), 2011 7th International Conference on, 5-8 Dec. 2011, pp. 372-377.
[7] Wikipedia, "Single sign-on", [Online], http://en.wikipedia.org/w/index.php?title=Single_sign-on&oldid=492585709, Last Accessed: May 24, 2012.
[8] A. Jøsang, J. Fabre, B. Hay, J. Dalziel, and S. Pope, "Trust Requirements in Identity Management", Proceedings of the 2005 Australasian Workshop on Grid Computing and e-Research, Volume 44, 2005.
[9] H. Koshutanski, M. Ion, and L. Telesca, "Distributed Identity Management Model for Digital Ecosystems," in International Conference on Emerging Security Information, Systems and Technologies (Securware '07), Valencia, 2007.
[10] A. Celesti, F. Tusa, M. Villari, and A. Puliafito, "Security and Cloud Computing: InterCloud Identity Management Infrastructure," 19th IEEE International Workshop on Enabling Technologies: Infrastructures for Collaborative Enterprises (WETICE), 2010, pp. 263-265.
[11] R. A. Kemmerer and G. Vigna, "Intrusion detection: a brief history and overview," Computer, vol. 35, no. 4, pp. 27-30, 2002.
[12] B. R. Kandukuri, R. Paturi, and A. Rakshit, "Cloud Security Issues," in IEEE International Conference on Services Computing, 2009, pp. 517-520.
[13] K. Vieira, A. Schulter, C. B. Westphall, and C. M. Westphall, "Intrusion Detection for Grid and Cloud Computing," IT Professional, pp. 38-43, July/August 2010.
[14] S. Roschke, F. Cheng, and Ch. Meinel, "Intrusion Detection in the Cloud," in Eighth IEEE International Conference on Dependable, Autonomic, and Secure Computing, 2009, pp. 729-734.
[15] S. Suthaharan and T. Panchagnula, "Relevance Feature Selection with Data Cleaning for Intrusion Detection System," in IEEE SoutheastCon 2012 Conference on Innovating For A Better Tomorrow, March 15-18, 2012.
[16] S. Liu, Y. Yu, J. Xu, and Z. Huang, "A Preventing Fraud Trust Model in P2P Networks," in IEEE 26th International Parallel and Distributed Processing Symposium Workshops & PhD Forum, 2012, pp. 2299-2305.