Identity Manager in Cloud with Openflow Switches
•Als PPTX, PDF herunterladen•
0 gefällt mir•378 views
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (9)
Ähnlich wie Identity Manager in Cloud with Openflow Switches
Ähnlich wie Identity Manager in Cloud with Openflow Switches (20)
Identity Manager in Cloud with Openflow Switches
- 1. Identity Manager in Software Defined Net Mohammad Faraji Email: ms.faraji@utoronto.ca
- 2. SAVI Identity Manager Design Requirements SAVI is a federation of autonomous systems: Testbeds Cloud Datacenters Information Providers (e.g. Identity providers) Researcher needs a fine-grained Access Control to have flexibility: Policy negotiation Attribute Assertion
- 3. SAVI Federation Architecture SAVI Federation SAVI Core Oversight node Trust Anchor Domain (Keystone) Admin User User User Service Accounting 1 2 3 SAVI edge (Beacon) node Repository Testbed Identity Providers Remote Datacenter s
- 4. Authentication Interoperability Standard Security Assertion Markup Language - SAML Policy Policy Policy Credentials Authentication Attribute Policy Decision Collector Authority Authority Point SAML Authentication Attribute Authorization Assertion Assertion Decision Assertion System Application Policy Enforcement Entity Request Point Source: OASIS SAML Standard
- 5. 5 Authorization Interoperability Standards eXtensible Access Control Markup Language – XACML XACML Policy Policy Serve in SAVI XML XML XML XML XACML XACML XACML XACML Federation Layer Virtualizatio Openflow Firewall n Switch Policy server distributes policy changes to all network elements using XACML
- 6. 6 SAVI Access Control Technologies Access-control lists (ACL) Lists of specific users and groups and permissions Role-Based Access Control - (RBAC) Access based on users roles. Role assignment. Role authentication. Action authorization Empty Role Contains just roles without any associated role Explicit Capability Mapping Under Developm Roles have capabilities not in the context of any given resource Restricted Roles The role, capability, resource collection will be complete Attribute-Based Access Control - (ABAC) On user attributes and object metadata
- 7. Attribute Based Access Control (ABAC) Subject Attributes Related to a subject (e.g. user, application, process) that defines the identity and characteristics of the subject E.g. identifier, name, job title, role Resource Attributes Associated with a resource (web service, system function, or data) E.g. Dublin Core metadata elements Environment Attributes Describes the operational, technical, or situational environment or context in which the information access occurs E.g. current date time, current threat level, network security classification
- 8. ABAC Policy Formulation 1. S, R, and E are subjects, resources, and environments, respectively; 2. SAk (1 k K), RAm (1 m M), and EAn (1 n N) are the pre- defined attributes for subjects, resources, and environments, respectively; 3. ATTR(s), ATTR(r), and ATTR(e) are attribute assignment relations for subject s, resource r, and environment e, respectively: ATTR( s) SA1 SA2 ... SAK ATTR(r ) RA1 RA2 ... RAM ATTR(e) EA1 EA2 ... EAN
- 9. ABAC in SAVI Researcher SA Edge Node SOAP Msg 1 3 Resources Control Service APIs Web 1 SA 2 RA Access Service Catalog Trust Anchor EA Control (Beacon) SA Policy Attribute Admin. Policy Unit Service & Policy Identity Services Provider