Hybrid Cloud Federated Identity Solutions Supporting Public Sector First Responders
Comprehensive Examination Dissertation Proposal
Randy E. Garcia
University of Colorado at Colorado Springs
February 24, 2017
Research Motivation
• Public Sector first responders require resilient, secure, and dynamic solutions for cross-organizational collaboration
• Current solutions are cumbersome and limit effectiveness of response to short-notice events
• Time required to establish identity and service limits response effectiveness
• Related research addresses components of the three areas: Public Sector, Hybrid Cloud, Federated Identity
• This research expands on the initial publication and the areas above, and creates a holistic, mission-focused solution to secure, cloud-based, federated identity management for first responders
9/25/2021 First Responder Federated Identity, Hybrid Cloud; R. Garcia 2
Identity Considerations for Public Sector Hybrid Cloud Computing Solutions (Garcia, Chow)
Contributions
• Balances Security and Resilience in Mission Critical Operations
• Federation and Policy approach for first responders
• Architectural and Cybersecurity aspects of information sharing
• Provides an identity management architectural model with high resilience and high security
• Practical implementation candidates
Challenges related to research topic
• Limitation of available use cases within solution space
• Maturity of cloud providers
• Continued use of the ad hoc model in practice
Published and presented to the 2015 International Conference on Computer Communication and Informatics (ICCCI-2015), Jan. 08–10, 2015, Coimbatore, India
Survey Findings
(Venn diagram of the three overlapping survey areas: Federated Identity, Hybrid Cloud, First Responders)
Related Works
• Yan: Cloud Security w/ Fed ID (hierarchical, security, privacy)
• Prasanalakshmi: Secure Cred Fed (SAML, federated, biometrics)
• Celesti: InterCloud (distributed cloud framework)
• Khan: Establishing Trust in Cloud (policy and human factors)
• Sengupta: Cloud Computing Security Framework
• Chuan-Hao: National Auth Framework (focus on standards, authentication)
• Zissis: Cloud Security (trusted third party, PKI plus SSO/LDAP)
• Dreo: ICEMAN: Secure Fed Arch (cloud of clouds, m:n IdM for disaster)
• Werner: Model for Identity Management (federation protecting privacy)
Objectives
• Develop, implement, and assess architecture of proposed solution
  • Hybrid Cloud
  • Federated Identity
  • Security
• Capture policy issues to ensure implementation success
  • Cybersecurity
  • Public Policy
  • Disaster Response
Results will include the architecture, federation practices, assessment, and recommendations.
Dissertation Proposal
Proposed Approach and Tasks
1. Develop architecture
2. Develop federation
3. Build and assess solution
(Timeline chart: Arch, Sites, and Evaluate phases plotted against 0% to 100% completion)
Evaluate capabilities’ suitability (against cloud model), resilience (against user need), and cybersecurity (against threat model)
1. Develop the Architecture
• Research, develop, validate against historical use case and emerging needs
• Propose initial disaster response scenario (e.g. wildfire)
• Propose minimum two-node, hybrid architecture with cloud components
  • Notionally .gov, .com, .org
  • Architectural components
  • Identity components
• Capture initial threat model
• Validate “in” and “out” of scope architectural components for the build.
(Architecture diagram: Private Cloud (user datacenter) with .gov, .mil, .state, .org, .com tenants; Hybrid link to Public Cloud (provider) with .gov, .com, .org; Community Cloud; Responder Mobile Location(s) with .gov, .mil, .state, .org, .com)
2. Develop Federated Identity Solutions
• Principles:
  • Standards-based (OAuth, SAML, OpenID)
  • Availability on premises and from cloud providers
  • Emphasize “come as you are”
• Refine disaster response scenario
• Create “home” private cloud/data center
• Create community cloud site
• Federate identity using ADFS
• Document processes to connect (steps in the policy)
• Assess initial suitability against original paper
• Refine threat model
(Federation diagram: Private Cloud (user datacenter) hosting IdP, SP, and RP; Parent Organizations with users (1 … m) acting as IdPs; Responder Organizations with users (1 … n) acting as RPs; Public Cloud (provider) hosting SP applications; Responder Mobile Location(s) as RP. New users created only as required.)
SP: Service Provider(s); IdP: Identity Provider(s); RP: Relying Parties
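As an added illustration (not part of the proposal and not ADFS code), the checks a relying party in this m:n topology performs before trusting an assertion from one of the parent-organization IdPs, followed by just-in-time creation of the responder's local account. The IdP names, keys, and the HMAC-signed dictionary standing in for a SAML XML-DSig assertion are all constructed assumptions.

```python
# Added example: relying-party side of the m:n federation (constructed, not ADFS).
# An assertion is a dict signed with a per-IdP HMAC key, standing in for a SAML
# assertion with an XML-DSig signature; every name, key and value is constructed.
import hmac, hashlib, json
from datetime import datetime, timedelta, timezone

RP_ENTITY_ID = "https://collab.responder-site.example/sp"  # this RP's audience (constructed)

# Federation trust registry: one verification key per parent-organization IdP (constructed).
TRUSTED_IDPS = {
    "https://idp.county.example/adfs": b"county-key",
    "https://idp.state.example/adfs": b"state-key",
}

def sign(assertion: dict, key: bytes) -> str:
    body = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def issue(issuer: str, key: bytes, subject: str, role: str, ttl_s: int = 300, now=None) -> dict:
    """IdP side: build a short-lived assertion bound to this RP's audience."""
    now = now or datetime.now(timezone.utc)
    a = {"issuer": issuer, "audience": RP_ENTITY_ID, "subject": subject, "role": role,
         "not_before": now.isoformat(),
         "not_on_or_after": (now + timedelta(seconds=ttl_s)).isoformat()}
    return {"assertion": a, "signature": sign(a, key)}

class RelyingParty:
    def __init__(self):
        self.users = {}  # local accounts, created only as required

    def accept(self, token: dict, now=None) -> str:
        """Validate issuer trust, signature, audience and validity window, then provision."""
        a, now = token["assertion"], now or datetime.now(timezone.utc)
        key = TRUSTED_IDPS.get(a["issuer"])
        if key is None:
            raise PermissionError("untrusted issuer")
        if not hmac.compare_digest(sign(a, key), token["signature"]):
            raise PermissionError("bad signature")  # tampered or wrong IdP key
        if a["audience"] != RP_ENTITY_ID:
            raise PermissionError("assertion not meant for this RP")
        nb = datetime.fromisoformat(a["not_before"])
        noa = datetime.fromisoformat(a["not_on_or_after"])
        if not (nb <= now < noa):
            raise PermissionError("assertion outside validity window")
        # Scope the local identity by home IdP so two organizations' "jdoe" never collide.
        uid = f'{a["issuer"]}|{a["subject"]}'
        self.users.setdefault(uid, {"role": a["role"], "home_idp": a["issuer"]})
        return uid
```

Each failure mode (unknown IdP, tampered role, expired assertion) is rejected before any account is created, so the "new users created only as required" rule holds.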
Resources
• On Premises / Azure Lab
  • LDAP or Active Directory identity establishment
• O365 Cloud Lab
  • Link test groups from Azure
• Notional collaboration application
  • (Federated Skype call and collaboration)
(Diagram: Response site (Community cloud) with .gov, .com, .org)
Resources
• Application infrastructure
  • Establish federated app samples (Skype conference and shared document)
  • Build application servers (premises/cloud) with basic collaboration
• PowerShell scripts for service configuration
  • Machine start / stop for cost savings
  • Reservation of public virtual IP addresses
• Instantiate Visual Studio 2015 for Azure interface
• Capture federation standards and configuration
  • Azure AD, ADFS, LDAP connectors, OAuth 2.0
3. Build and Assess Solution
• Codify operational architecture
• Complete prototype, analyze problems, capture performance
• Capture final architecture
• Document key processes
• Refine threat model
• Validate other cloud provider (Amazon Web Services)
• Assess suitability, resilience, and cybersecurity
• Capture results: architecture, federation practices, assessment, and recommendations.
• Azure / EAS lab (on premises)
  • Build server architecture
  • Create public certificates
  • Domain establishment
  • Develop IaaS
  • Establish domain footprint
• Cloud lab (O365) (community cloud)
  • Directory establishment
  • Synchronization of identity
  • Create SSO architecture
Evaluate capabilities, resilience, and cybersecurity suitability
• Assess against sample scenario
  • Architecture + processes support real-world environment.
• Evaluate resilience of solution
  • Apply stresses to architecture and measure scalability and resilience
  • Assess suitability through the entire scenario
• Evaluate cybersecurity against the cloud security model
  • Update threat model
Address policy components
• Cybersecurity
• Public Policy
• Disaster Response
• Leverage the scenario to focus candidate organizations: e.g., DHS, FEMA, NIFC, state, county, local, nonprofit.
Test Criteria
Key outcomes include the ability to quickly connect and provide secure and resilient information sharing in a trusted environment.
• Standards-based
• NIST model
• Federation
• Adoption probability
• Federation techniques
• FEDRAMP and IA Checklists
• Security
Summary
• Solution to recurring disasters
  • 2004 Tsunami in Indonesia
  • 2005 Hurricane Katrina
  • 2010 Haiti Earthquake
  • 2013 Colorado Wildfires
• Direct applicability to current and emerging cloud environments
• Excellent potential for future research funding and solutions
  • Cloud
  • Mobility
  • Policy
  • Critical Infrastructure Protection
  • Cybersecurity
  • DHS/FEMA/State
Backup material
Comprehensive Examination
The purpose of the comprehensive examination is to ensure that the student possesses the following:
• Sufficient grasp of the fundamentals of the chosen dissertation area to begin research, normally achieved through a thorough study of the current literature on the topic
• Ability to conduct innovative research
• Ability to exchange ideas and information with members of the Advisory Committee
Support requested
• AWS Account
• DreamSpark Account
  ✓ Azure
  ✓ Visual Studio
• Engineering (EAS) accounts
• Travel as required
• Update
  • 1/11/2017 Azure Research Grant $5000
Advisory Committee
✓ Dr. Edward Chow
✓ Dr. Sang-Yoon Chang
✓ Dr. Yanyan Zhuang
✓ Dr. Richard White
✓ Dr. Edin Mujkic
“Three of the members must be from the EAS College with at least one member of the committee being from outside…”
“A minimum of two members from outside the college of EAS may serve on the committee. They must be members of the graduate faculty.”
I. Literature Survey
[1] Strengthen Cloud Computing Security with Federal Identity Management Using Hierarchical Identity-Based Cryptography
Liang Yan, Chunming Rong, Gansen Zhao; Cloud Computing, 2009
Contributions
• Federated identity with hierarchical identity-based cryptography for mutual authentication and key distribution
• Captures security and privacy as key issues in cloud computing
• Simplifies key distribution and mutual authentication in a hybrid cloud
Challenges related to research topic
• Identity-based cryptographic solutions contrary to public sector policies and de facto solutions
• Highly centralized (use of master Public Key Generator)
[2] Secure Credential Federation for Hybrid Cloud Environment with SAML Enabled Multifactor Authentication using Biometrics
B. Prasanalakshmi, A. Kannammal; International Journal of Computer Applications (0975 – 8887), Volume 53, No. 18, September 2012
Contributions
• Hybrid Cloud internal/external single sign on (SSO) via Security Assertion Markup Language
• Federated identity management multifactor authentication including biometrics
• Leverages prevalence of SAML
Challenges related to research topic
• Relies on multimodal biometric catalog of users a priori
• Primary application is secure hybrid cloud infrastructure federation vice mobility
[3] Security and Cloud Computing: InterCloud Identity Management Infrastructure
Antonio Celesti, Francesco Tusa, Massimo Villari and Antonio Puliafito; 2010 Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (IEEE)
Contributions
• Distributed cloud information sharing framework with federated identity as a foundation
• Introduces concepts in cloud computing and security, focusing on heterogeneous and federated scenarios
Challenges related to research topic
• Employs “home cloud” and “foreign cloud” concepts counter to standard cloud frameworks
• Very cursory architectural discussion with no implementation results
• Requires broad trust agreements which may not be practical
• Proposes third party IdM not palatable to public sector
[4] Establishing trust in cloud computing
KM Khan, Q Malluhi; IT Professional, 2010
Contributions
• Discusses trust issues and technologies to solve cloud computing security concerns
• Captures policy and human factors
Challenges related to research topic
• Primarily a catalog of issues and approaches
[5] Cloud Computing Security - Trends and Research Directions
Shubhashis Sengupta, Vikrant Kaulgud, Vibhu Saujanya Sharma, Accenture; 2011 IEEE World Congress on Services
Contributions
• Provides a framework and methodology for assessing cloud security issues.
• Helps organizations adopt cloud computing.
• Sets conditions of success and roadmap for most cloud security considerations to include identity and access control.
Challenges related to research topic
• Provides a framework but no specific solutions. Researchers plan to develop detailed framework and tools to aid migration to the cloud.
[6] National Authentication Framework Implementation Study
Mok Chuan-Hao; 2009 NPS Thesis
Contributions
• Details and compares various token types and identity frameworks (PKI, SAML, WS-F, OpenID, and Infocard)
• Recommends best combination of technologies, protocols, and standards
Challenges related to research topic
• Less focused on cloud solution sets
• Presses authentication standards versus federation
[7] Addressing cloud computing security issues
Dimitrios Zissis, Dimitrios Lekkas; 2012 Future Generation Computing Systems
Contributions
• Identifies cloud security requirements
• Proposes a Trusted Third Party which assures specific security characteristics in a cloud environment
• Proposes PKI solution which interfaces with SSO and LDAP
• Applies standard systems engineering processes
Challenges related to research topic
• Trusted Third Party concept not palatable to Government Cloud
• Adds layer of third party PKI to an already complex architecture
[8] ICEMAN: An Architecture for Secure Federated InterCloud Identity Management
Gabi Dreo; Mario Golling; Wolfgang Hommel; Frank Tietze; 2013 Future Generation Computing Systems
Contributions
• Proposes “cloud of clouds” model
• Addresses identity management in a “disastrous event”
• IdP to SP relationship moves from 1:1 to m:n
• Addresses access, incident management, and security reporting
Challenges related to research topic
• Proposed architecture and approach still to be implemented
• Relies on proprietary InterCloud Key Management and identity data exchange protocols
[9] Managed Attributes, Not Standards, Lead to Interoperability
Thomas W. Connell, II; 2011 IEEE International Conference on Technologies for Homeland Security (HST)
Contributions
• Aligns “identity attributes” to meet the demand of aligning personnel and skills, certifications, licensure, medical records, etc.
• Provides identity credential interoperability
• Catalogs disparate issues across federal, state, and local standards
• Leverages trusted identity as foundation and attaches attributes
Challenges related to research topic
• Does not address federation or connection of distributed identity attributes
• Not a scalable solution for reasons mentioned (local, state, federal)
[10] A Model for Identity Management with Privacy in the Cloud
Jorge Werner, Carla Merkle Westphall; 2016 IEEE Symposium on Computers and Communication (ISCC)
Contributions
• Exposes threat to PII in the cloud
• Prototypes federation agreement protecting privacy
• Develops solution based on common standard (OpenID Connect)
• Potential alignment to privacy issues
Challenges related to research topic
• Orthogonal to first responder architecture use case
• Issues aligning to public policy
[11] Secured Cloud Architecture for Cloud Service Provider
Nilesh R. Patil, Rajesh Dharmik; 2016 World Conference on Futuristic Trends in Research and Innovation for Social Welfare (WCFTR’16)
Contributions
• Proposes updated secure architecture for the cloud (2016)
• Captures authentication approach for cloud using simplicity of One Time Password
• Hashing algorithm for data integrity
Challenges related to research topic
• Limited components of cloud security (authentication)
• Unrelated to scenario
• Scalability issues with multiple participants and federation
Consider:
• Federation process and handshake
• Minimum standards
• Test against three nodes
  • Private Cloud
  • Mobile
  • Public Cloud
• Notional collaboration example
• Security