
How to ensure the security of cloud computing

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--


Companies are exploring moving their infrastructure to the cloud and offering services to the market, such as IaaS, PaaS and SaaS. This article discusses the three classic challenges of information security in that setting: confidentiality, integrity and availability. Most companies are also concerned about who controls their data once it is hosted by a provider.

1 Introduction

To understand what cloud computing is, we first need an idea of its evolution. Toffler describes three major waves of human civilization: agriculture, industry and the information age. The information age has several sub-waves of its own, and we are moving in the direction of cloud computing, meaning the provision of services over the Internet or on cloud-based infrastructure. Cloud computing brings several advantages to the market, the three most important being cost-effectiveness, security and scalability. Our main concern here is to discuss the IAM protocols used to protect cloud users and to summarize which protocols are most suitable for enterprises and which are heading in a direction that could harm cloud services.

Recently, many enterprises have analyzed the cost savings of cloud technology while ignoring the level of security provided by the cloud service provider (CSP). Returns are hard to measure on a single dimension; in an IBM study, Richard Mayo and Charles Perng discussed the return on investment (ROI) of cloud computing in terms of the five dimensions in the table below.

Cost factor          Saving factor
Hardware             Fewer servers; less data-center floor space; lower electricity costs
Software             Fewer operating system instances; lower software support and maintenance costs across different implementations
Provisioning         Automated provisioning reduces the hours needed to configure each task
Productivity         User-friendly self-service reduces the time staff spend waiting for IT support
System management    Administrators and support staff are more productive, and each administrator supports more systems

The following figure (not reproduced here) shows the result for a bank that needs many servers to run its business and whose workload is well suited to the cloud.

Cloud computing spending will grow rapidly in the near future: "U.S. government projects for 2010 to 2015 will increase spending on cloud computing by 40%, a compound annual growth of $7 million." Cost-effectiveness is one of the main motivations for adopting cloud computing, but other challenges, above all security, must be considered. Enterprises will upload their databases and user-related information, and in some cases host their entire infrastructure in the cloud. Is the enterprise satisfied with the security level of the CSP?

In this article we focus on data security, specifically IAM in the cloud. Section 2 outlines the current cloud computing architecture and section 3 discusses security and privacy requirements. With those requirements understood, section 4 discusses the IAM challenges in detail; sections 5 and 6 cover the IAM lifecycle and some IAM protocols, respectively. Section 7 compares the protocols, and section 8 covers IAM delivered through cloud services, namely Identity Management as a Service (IDaaS).

2 Cloud Computing Architecture

Cloud computing system type

There are three main service categories, SaaS, PaaS and IaaS, described below:

SaaS: traditional software is installed on the local hard drive and then used. In the cloud, users do not buy the software but pay for the service. SaaS supports multi-tenancy, meaning that the back-end infrastructure is shared by multiple tenants while each tenant's data and configuration are kept logically separate.

PaaS: provides the development environment as a service. Developers use vendor-supplied building blocks to create their own applications; the platform is hosted in the cloud and accessed through a browser.

IaaS: the supplier provides infrastructure (compute, data center and IT services) to the customer as a service. It is the cloud equivalent of traditional outsourcing in the business world, but with much less cost and effort; the main goal is to tailor the solution to the applications the customer requires. Table 2 shows the cloud computing services currently offered by several providers.

Examples of Cloud Service

Here are some examples of cloud service providers and representative cloud services. This article focuses on identity management and the technologies that provide a secure environment; specifically, IAM security can be achieved through the protocols and standards discussed later. To understand the security requirements of IAM in the cloud, the next section discusses the security and privacy of cloud computing.

3 CLOUD SECURITY AND PRIVACY

In cloud computing, user data is stored in the service provider's data center rather than on the user's computer, which makes users worry about their privacy. The shift to centralized cloud services also creates new privacy and security exposures: threats may be introduced during deployment, and new ones may arise later. A cloud environment should maintain data integrity and user privacy while supporting interoperability across multiple cloud service providers. This section therefore discusses data integrity, confidentiality and availability in the cloud. Three levels are relevant to data security:
- Network level: the cloud service provider monitors and maintains firewalls and intrusion detection/prevention systems and collects information about data flows within the network.
- Host level: collecting system log files is essential to know when and from where an application was accessed.
- Application level: application logs are audited; the results may be used for incident response or digital forensics.

Security requirements must be met at every level to protect data in the cloud: confidentiality, integrity and availability, as follows.

A. Confidentiality ensures that user data in the cloud cannot be accessed without authorization. It is achieved with encryption, and the choices are the algorithm family (symmetric or asymmetric), the key length and, for symmetric cryptography, key management. How much of this is done for the user depends on the cloud service provider. At the time of the original study, EMC MozyEnterprise encrypted user data, while Amazon S3 did not, which also depended on customers realizing that they could encrypt information before uploading it (S3 has since added server-side encryption and now applies it to new objects by default). CSPs should ensure that the cryptography they use conforms to NIST (National Institute of Standards and Technology) standards.

B. Integrity. Beyond confidentiality, users care that their data is not modified. Encryption provides confidentiality, not integrity; the two main integrity mechanisms are message authentication codes (MAC) and digital signatures (DS). A MAC is a keyed checksum appended to the data and computed with a symmetric key; a digital signature relies on an asymmetric key pair. Because symmetric algorithms are much faster than asymmetric ones, a MAC is the better choice for bulk integrity checking when the verifier can share a secret key with the producer; a signature is needed when the verifier must not hold a key that could also forge tags, or when non-repudiation matters. Studies cited by the authors found that PaaS and SaaS offerings provided no integrity protection at all, which makes protecting integrity on the client side critical.

C. Availability is the property that data is accessible when an authorized user requests it. The most effective technique is prevention, avoiding the threats that affect the availability of services or data, because threats to availability are very hard to monitor. They may be network attacks such as DDoS, or outages on the CSP side, such as AWS S3 suffering a two-and-a-half-hour outage in 2008 and an eight-hour outage in July 2008.
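The integrity point above (a platform that stores your objects but provides no integrity protection, so the client must add its own) is easy to get wrong: an unkeyed checksum can be recomputed by whoever modifies the data, and a naive byte-by-byte comparison of the tag leaks timing. The following is an added example, not code from the article or from any provider, showing a MAC applied before upload and checked after download with Python's standard library. The object name is bound into the MAC so that two validly tagged objects cannot be swapped in the store; the key, record and object names are constructed test values (in practice the key comes from a KMS or secret store and is never uploaded with the data).

```python
import hmac
import hashlib

TAG_LEN = 32  # HMAC-SHA256 produces a 32-byte tag


def protect(key: bytes, object_name: str, data: bytes) -> bytes:
    """Return data || tag, tag = HMAC-SHA256(key, object_name || 0x00 || data).

    The object name is mixed into the MAC so that an attacker who can
    rearrange objects in the store cannot swap two validly tagged blobs.
    """
    mac = hmac.new(key, object_name.encode() + b"\x00" + data, hashlib.sha256)
    return data + mac.digest()


def verify(key: bytes, object_name: str, blob: bytes) -> bytes:
    """Check the tag on a downloaded blob and return the original data.

    Raises ValueError on any tampering; compare_digest avoids timing leaks.
    """
    if len(blob) < TAG_LEN:
        raise ValueError("blob too short to carry an integrity tag")
    data, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, object_name.encode() + b"\x00" + data,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: data or name was modified")
    return data


def is_intact(key: bytes, object_name: str, blob: bytes) -> bool:
    """Boolean wrapper around verify() for callers that do not want exceptions."""
    try:
        verify(key, object_name, blob)
        return True
    except ValueError:
        return False


# Constructed sample: a record an application would upload to object storage.
# The key is a fixed test value for this example only.
SAMPLE_KEY = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0")
SAMPLE_RECORD = b"account=4711;balance=100.00;currency=EUR"

if __name__ == "__main__":
    blob = protect(SAMPLE_KEY, "ledger/4711.txt", SAMPLE_RECORD)
    assert verify(SAMPLE_KEY, "ledger/4711.txt", blob) == SAMPLE_RECORD
    # An attacker with write access to the bucket edits the balance in place:
    # the stored bytes still look like a record, but the tag no longer matches.
    tampered = blob.replace(b"balance=100", b"balance=900")
    print("tampered record accepted:",
          is_intact(SAMPLE_KEY, "ledger/4711.txt", tampered))
```

The MAC only detects modification; it does not hide the contents. For data that also needs confidentiality, encrypt first and then MAC the ciphertext together with the object name (or use an AEAD mode such as AES-GCM, which does both), and keep the MAC key separate from the encryption key.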

In the next section we discuss IAM practices and arrive at the best solution through protocols such as SAML and OAuth, with a comparison of the two.

4 IAM

Identity and access management (IAM) can be defined as the methods that provide the appropriate level of protection for enterprise resources and data through rules and policies enforced by various technologies, such as requiring login passwords, assigning permissions to users and setting up user accounts. The definition is not limited to enterprise resources; it also covers the privacy and protection of users' personal information and behavior. Most enterprises provide services based on several different information systems, and managing this user information while preserving privacy and protection is a challenge.

Managing digital identities is incomplete unless two further attributes of a user's digital identity can be described: presence (online status) and location. All three features are used in today's technology. Presence is associated with real-time communication systems such as IM and VoIP, which describe the user's status during or after communication: idle or active, online or offline, and in some cases the specific task being performed, such as writing a document or an email. Location refers to the user's geographic position (longitude, latitude and altitude), which can be approximated from the entity's IP address.

A. Challenges

The main challenges an enterprise faces in managing identity are:
- the enterprise's user population (customers, employees, partners, etc.), which changes with the market, the business and its functions;
- adjusting and maintaining identities as employees move within the organization;
- handling user identities in the event of a merger or spin-off, so as to avoid duplicate identities, attributes and credentials.

These and other challenges lead enterprises to seek centralized, automated identity management systems, which introduces the concept of federated identity: a contract establishing a trust relationship between a group of enterprises so that a user can use the same identity to obtain services from any member of the trusted group. Its core responsibility is managing access control for services outside the organization's internal network. Federation supports single sign-on (SSO), so users do not have to log in repeatedly or remember separate credentials for each cloud service.

The current IAM practices that support cloud users are authentication, authorization and auditing:
- Authentication: verifying the identity of a user or system. Service-to-service authentication, for example, verifies the request sent by another service.
- Authorization: once authentication succeeds, determining what the legitimate user is permitted to do. At this stage the system enforces its security policy.
- Auditing: reviewing and verifying authentication and authorization records to check compliance with predefined security standards and policies; it also helps with monitoring and system maintenance.

b. Cloud environment preparation

To prepare for the cloud, an enterprise needs IAM policies and structures, an understanding of the IAM lifecycle, and a decision on which deployment models will support federated identity. The requirements are:
- define the authoritative sources of identity information;
- define the attributes required in a user profile;
- document the current structure of the enterprise's internal identity management system;
- deploy identity providers that support SSO technology, such as OpenID, Microsoft CardSpace and Novell Digital Me;
- ensure the identity providers (IdPs) are compatible with the company's internal directory.

In order to manage digital identities, we should know which different stages digital identities will go through, thus providing an appropriate level of security for that phase. This discussion leads to a discussion of the IAM lifecycle. We will describe the life cycle of digital identity in the next section.

5 IAM Lifecycle

Here we consider the different stages of the identity lifecycle. The important question is what happens after a user's identity is created, while it is used, and when it is terminated. According to Mather, Kumaraswamy and Latif, digital identity management goes through the following five stages:
- Provisioning and de-provisioning: users are granted the access their role in the organization requires, and access is adjusted when a user's rights are upgraded or downgraded. Done by hand this takes a great deal of time, effort and staff to keep assignments complete and current; cloud management with technologies such as Identity Management as a Service (IDaaS) can reduce the burden on the organization.
- Authentication and authorization: a central authentication and authorization infrastructure is needed to build a custom model that meets the organization's business goals; such a model enforces the security policies that protect applications and databases.
- Self-service: letting users reset their passwords, maintain and update their own information, and view organizational information from anywhere strengthens the identity management system.
- Password management: covers federated systems that support single sign-on (SSO) access to cloud-based services, and how passwords are stored in the cloud database. The original text mentions MD5 or SHA-1 for this; both are fast, unsalted hashes and are no longer acceptable for password storage. Passwords should be stored with a salted, deliberately slow password hashing function such as PBKDF2, bcrypt, scrypt or Argon2.
- Monitoring and audit: access is monitored and tracked to ensure that there are no security gaps in the system, and auditors can verify the implementation of the access control policies and report on a regular basis.
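To make the password-management point concrete, the following added example (not code from the article) puts the fast, unsalted MD5 scheme the text mentions next to a salted PBKDF2-HMAC-SHA256 scheme from Python's standard library. The stored-record format, the iteration count and the sample passwords are choices made for this example; the iteration count follows current OWASP guidance and should be tuned to your hardware.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. 600,000 follows current OWASP guidance;
# tune it so one hash costs a noticeable fraction of a second on your servers.
ITERATIONS = 600_000


def weak_md5_hash(password: str) -> str:
    """The scheme the text mentions: fast, unsalted MD5, shown only for contrast.

    Every user with the same password gets the same hash, so one cracked hash
    unlocks every account sharing that password, and a GPU can test billions
    of candidates per second against a leaked table.
    """
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, slow hash. Stored as 'pbkdf2_sha256$<iters>$<salt hex>$<dk hex>'
    so the parameters can be raised later without breaking existing records."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if a record uses a weaker work factor than current policy.

    Call this after a successful login and re-hash the plaintext you have just
    verified, so old records migrate without forcing password resets.
    """
    algo, iters, _salt, _dk = stored.split("$")
    return algo != "pbkdf2_sha256" or int(iters) < iterations


if __name__ == "__main__":
    # Constructed sample: two tenants happen to choose the same password.
    print("md5 identical for both users:",
          weak_md5_hash("Winter2024!") == weak_md5_hash("Winter2024!"))
    a = hash_password("Winter2024!")
    b = hash_password("Winter2024!")
    print("pbkdf2 records differ:", a != b)
    print("login ok:", verify_password("Winter2024!", a),
          "wrong password:", verify_password("winter2024!", a))
```

If a library implementing bcrypt, scrypt or Argon2 is available it is preferable to PBKDF2, since those functions are also memory-hard; the verification and rehash-on-login pattern is the same.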

6 IAM standards and protocols

Above, we discussed the requirements for applying an IAM structure. Below we discuss some standards and protocols for managing identity in the cloud; note that IAM standards and protocols must be considered by both parties, the organization and the consumer.

In this article our main concern is how organizations use protocols to handle IAM. There are several protocols and standards an enterprise should consider, such as the Security Assertion Markup Language (SAML) and the Open Authorization (OAuth) protocol, described in detail below:

A. SAML

SAML is an XML-based standard used to exchange authentication and authorization attributes between two entities; in a cloud computing scenario these are the identity provider (IdP) and the cloud service provider (CSP, acting as the service provider). The main goal of SAML is to support SSO over the Internet. Later versions of SAML support digital signatures and encryption of assertions. The following example shows SAML-based SSO between the user, the IdP and the CSP:
1. The user requests a web page from the CSP.
2. The CSP returns a redirect that sends the user's browser to the IdP.
3. The user's browser follows the redirect and reaches the IdP.
4. The IdP and the user run an authentication protocol (for example, a password login).
5. The IdP responds to the user with an encoded SAML response.
6. The user's browser sends the SAML response to the CSP's assertion consumer URL.
7. The CSP validates the response and returns the requested resource to the user.
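Step 7 is where most SSO deployments go wrong: the CSP must check the signature, the issuer, the audience, the request the response answers, and the validity window, and must not accept the same response twice. The following is an added example, not code from the article or from any SAML library, that models the seven-step exchange with both parties in Python. It is a simplified model: the assertion is a JSON object rather than XML, and the IdP's XML signature is replaced by an HMAC over the encoded assertion with a key shared between the two parties for this example. The entity IDs, URLs, user and key are constructed test values.

```python
import base64
import hashlib
import hmac
import json
import secrets

ASSERTION_LIFETIME = 300  # seconds an assertion stays valid (example choice)


class IdentityProvider:
    """Steps 4 and 5: authenticate the user and issue a signed assertion."""

    def __init__(self, entity_id: str, signing_key: bytes, users: dict):
        self.entity_id = entity_id
        self.signing_key = signing_key
        self.users = users  # username -> password (constructed test data)

    def authenticate_and_issue(self, username: str, password: str,
                               request_id: str, sp_entity_id: str,
                               acs_url: str, now: int) -> str:
        if self.users.get(username) != password:
            raise PermissionError("authentication failed")
        assertion = {
            "Issuer": self.entity_id,
            "Subject": username,
            "Audience": sp_entity_id,      # only this SP may consume it
            "InResponseTo": request_id,    # ties it to the SP's own request
            "Destination": acs_url,
            "NotBefore": now,
            "NotOnOrAfter": now + ASSERTION_LIFETIME,
        }
        payload = json.dumps(assertion, sort_keys=True).encode()
        sig = hmac.new(self.signing_key, payload, hashlib.sha256).hexdigest()
        return base64.b64encode(payload).decode() + "." + sig


class ServiceProvider:
    """Steps 2 and 7: start the login and validate the posted response."""

    def __init__(self, entity_id: str, acs_url: str,
                 idp_entity_id: str, idp_key: bytes):
        self.entity_id = entity_id
        self.acs_url = acs_url
        self.idp_entity_id = idp_entity_id
        self.idp_key = idp_key
        self.pending = set()  # outstanding request IDs we have issued

    def start_login(self) -> str:
        request_id = "_" + secrets.token_hex(16)
        self.pending.add(request_id)
        return request_id  # carried to the IdP in the browser redirect

    def consume_response(self, response: str, now: int) -> str:
        payload_b64, _, sig = response.partition(".")
        payload = base64.b64decode(payload_b64)
        expected = hmac.new(self.idp_key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            raise ValueError("signature invalid")  # forged or modified
        a = json.loads(payload)
        if a["Issuer"] != self.idp_entity_id:
            raise ValueError("unexpected issuer")
        if a["Audience"] != self.entity_id:
            raise ValueError("assertion was issued for another service provider")
        if a["Destination"] != self.acs_url:
            raise ValueError("wrong destination")
        if a["InResponseTo"] not in self.pending:
            raise ValueError("unsolicited or replayed response")
        if not (a["NotBefore"] <= now < a["NotOnOrAfter"]):
            raise ValueError("assertion outside its validity window")
        self.pending.discard(a["InResponseTo"])  # each response is single use
        return a["Subject"]


def sso_flow(username: str, password: str, now: int = 1_700_000_000) -> str:
    """Run the seven-step exchange and return the authenticated subject."""
    key = b"idp-signing-key-for-this-example-only"
    idp = IdentityProvider("https://idp.example.org", key,
                           {"alice": "correct horse battery staple"})
    sp = ServiceProvider("https://app.example.com",
                         "https://app.example.com/acs",
                         "https://idp.example.org", key)
    request_id = sp.start_login()                                  # steps 1-3
    response = idp.authenticate_and_issue(
        username, password, request_id, sp.entity_id, sp.acs_url, now)  # 4-5
    return sp.consume_response(response, now)                      # steps 6-7
```

In real SAML the signature is an XML digital signature verified with the IdP's public key from its metadata, so the SP holds no secret that could forge assertions; the set of checks the SP performs is the same as in the model.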

B. OAuth

OAuth is a highly interactive protocol that allows a user of one CSP to share photos, files and other private resources with another CSP without handing over credentials such as usernames and passwords. Its main goal is an open standard for authorized access to secured APIs. From the CSP's point of view it provides a service through which users grant applications hosted at different service providers access to their data without revealing their credentials. For example, if a consumer (a website or application that accesses a stored file on behalf of the user) requests a printing service from the service provider that stores the file, the print job is performed without revealing the file owner's credentials. The communication between the user, the consumer web app and the service provider (Google's authentication service in this example) is as follows:
1. The web app contacts the account authentication service and requests an OAuth request token.
2. The service returns an unauthorized request token.
3. The web app redirects the user to the Google web authentication page, carrying the request token to be authorized.
4. The user logs in on the Google authentication page and confirms whether the web app may access the user's data.
5. If the user refuses access, the user is redirected to a Google page.
6. If access is granted, the user is redirected back to the web app with the authorized request token.
7. The web app presents the authorized request token to the Google authentication service for exchange.
8. Google confirms the request and issues an access token.
9. The web app uses the access token to request the user's data from the Google service.
10. The service validates the access token and, if it is valid, returns the requested data.

This is the request-token flow of OAuth 1.0; OAuth 2.0 replaces it with the authorization code grant, but the security property is the same: the consumer application never sees the user's password at the service provider, and the token it receives can be revoked independently of that password.

7 WHICH IS BETTER SOLUTION

It is difficult to say which protocol is better; it depends on how the organization pursues its business goals. Because the technologies overlap, most CSPs will prefer to support multiple protocols in order to offer their users a better security model. SAML is commonly used in enterprises and universities, where users log in once and are then authenticated to other internal or external websites. SAML belongs to the "enterprise" family of digital identity standards: it has a longer track record and its libraries have been developed and hardened over many years. OAuth belongs to the "open" family, whose libraries are newer and where more work is needed to mature the protocol; from our point of view it will remain a very active area for researchers. Note also that the two are complementary rather than competing: SAML conveys authentication assertions, whereas OAuth is a delegated-authorization protocol for API access. For deploying SSO and federation in the cloud, SAML is the better choice: it is mature, its known vulnerabilities and threats have been studied and mitigated over the years, and we recommend it as the best solution for deploying IAM security and maintaining the privacy of user information.

8 IDENTITY MANAGEMENT-AS-A-SERVICE

As the cloud matures to the point where providers can offer anything as a service (XaaS), identity providers can be outsourced too, as Identity Management as a Service (IDaaS). Most organizations may prefer to outsource partner and consumer identity management while retaining responsibility for employee identities and access to internal resources. The model is based on Software as a Service (SaaS) and supports services such as account provisioning, auditing, password management and user self-service. By adopting it, organizations can fully automate the provisioning and auditing of user accounts. Several products on the market provide identity management in this way, such as Symplified and Ping Identity.

The main advantage of outsourced identity management is a multi-protocol environment (SAML, OAuth and others) for interacting with the federation systems of different cloud services. The IDaaS authenticates the user before any cloud-based service is accessed through browser SSO.

Like any cloud-based service, an organization can adopt this model with little or no change. The main disadvantage of IDaaS is that the enterprise does not know the structure, implementation and internal operation of the CSP. In addition, the reports generated about users may not match the organization's requirements, and even where reports can be customized, customization is limited to what the CSP supports.
