My private cloud overview
- 1. My Private Cloud Overview David W Chadwick, Matteo Casenove, Stijn F Lievens, Jerry I den Hartog, Andreas Pashalidis, Joseph Alhadeff 5 July 2011 IEEE Cloud 2011 1
- 2. Project Objectives • Migrate the trust, security and privacy preserving infrastructure from the EC TAS3 project to cloud services. • The TSP infrastructure relies on trusted cloud providers to operate in good faith but this can be checked – trust but verify • Infrastructure is built from legal agreements and open source software services • Software services include: trust and reputation management, sticky policies with fine grained access controls, privacy preserving delegation of authority, federated identity management, different levels of assurance and configurable audit trails 5 July 2011 IEEE Cloud 2011 2
- 3. Legend IdP=Identity Provider Architectural Components AA=Attribute Authority IdP Service DS=Delegation Service Authn=Authentication Directory AA Service DS P/S=Publish-Subscribe Audit Service Authn Service CSP=Cloud Service P/S Provider PEP=Policy Enforcement Point Trust and Trust PDP= Policy Decision Reputation Network Point Service Authz=Authorisation CSP WSC Infrastructure Appln=Application Code Dash Appln P WSC=Web Services Audit E Authz Client P Infr Dash=User’s dashboard service TAAS PDP DS TAAS=Trusted Attribute Aggregation Service 5 July 2011 IEEE Cloud 2011 3
- 4. Progress To Date • Have defined and implemented APIs (in php) for • Federated Identity Management with different Levels of Assurance • Privacy Preserving Delegation of Authority • Granting of Access Rights to Other Account Holders • And built these into a front end Proxy Service to Amazon/Eucalyptus S3 service 5 July 2011 IEEE Cloud 2011 4
- 5. UK AMF Authz Database IdP 1 Account DB Authz API IdP 2 WAYF … Simple SAMLphp IdP n Authn Proxy API IdP Cloud (Simple Service SAML Other IdPs phpSP) CVS OpenID Facebook Google Twitter Org LDAP Delegation API LEGEND Delegation Issuing = Cloud API Security Services Web Service = External Services = Locally Provided Services
- 6. Welcome Screen 5 July 2011 IEEE Cloud 2011 6
- 7. Login Redirects to Proxy IdP 5 July 2011 IEEE Cloud 2011 7
- 8. User Logs In via chosen IdP 5 July 2011 IEEE Cloud 2011 8
- 9. User is shown all the Accounts that his Attributes give him Ownership of, and Opens (or Creates) one 5 July 2011 IEEE Cloud 2011 9
- 10. User is shown Account Details of Opened Account List of Your Delegates List of Buckets You Own List of Buckets and Files that other Account Owners have shared with you 5 July 2011 IEEE Cloud 2011 10
- 11. User Opens a Bucket Can view/alter Access Rights Can upload/download files 5 July 2011 IEEE Cloud 2011 11
- 12. Showing Permissions that You have Granted to Others Permissions given to other Account Holders Permissions given to Contacts Give New Permissions to Others 5 July 2011 IEEE Cloud 2011 12
- 13. Granting Permissions To Others Granting Public access Granting access to other Account Holders Granting access to Contacts/Delegates 5 July 2011 IEEE Cloud 2011 13
- 14. Adding a New Contact 5 July 2011 IEEE Cloud 2011 14
- 15. Next Steps • Define an API for secure auditing and integrate this into system • Implement existing APIs in other cloud services • Define APIs for trust and reputation management 5 July 2011 IEEE Cloud 2011 15
- 16. Acknowledgements • This research has received funding from • EC’s FP7 under grant agreement n° 216287 (Trusted Architecture for Securely Shared Services) and • UK’s EPSRC under grant ref. n° EP/1034181/1 (My Private Cloud) 5 July 2011 IEEE Cloud 2011 16