
Abstract

Because of the growth in the use of cloud computing and the migration of services to this paradigm, it becomes necessary to investigate security issues that might compromise its use. Identity and Access Management is among these issues and is related to the management of users and access to their data. Federated Identity Management is widely adopted in the cloud to provide useful features to identity management systems, but maintaining user privacy in those systems is still a challenge. This paper describes the implementation of a privacy-preserving identity federation in the cloud. Our motivation was to develop a proof of concept, in order to elucidate the identity federation setup of Shibboleth and the handling of private attributes performed by uApprove in a cloud computing environment. The paper shows a description of the deployment of the identity and service providers, their integration and a detailed analysis of the scenario.
Source: Inderscience Publishers, http://www.inderscience.com/info/inarticle.php?artid=59328
Title: Privacy-preserving identity federations in the cloud: a proof of concept
Authors: Daniel Ricardo Dos Santos; Tiago Jaime Nascimento; Carla Merkle Westphall; Marcos Aurélio Pedroso Leandro; Carlos Becker Westphall
Address (all authors): Networks and Management Laboratory, Department of Informatics and Statistics, Federal University of Santa Catarina, Florianópolis, SC 88040-900, Brazil
Journal: Int. J. of Security and Networks, 2014 Vol.9, No.1, pp.1 - 11
Keywords: cloud computing; privacy preservation; identity federations; Shibboleth; federated identity management; access management; cloud security.
DOI: 10.1504/IJSN.2014.059328
10.1504/14.59328
... Although in other federation platforms, trust is achieved through the acceptance of contracts, manual key or metadata exchanges in an explicit way [19], in OpenID Connect this association occurs in a more simplified way, through the registration of RP in OP [14] [18]. ...
Conference Paper
Full-text available
Dynamic federations allow users to access new service providers on demand. This dynamic access adds risks to personally identifiable information (PII) of users, since there are untrusted service providers. The federated identity management is essential to preserve privacy of users while performing authentication and access control in dynamic federations. This paper discusses characteristics to improve privacy in the dissemination of sensitive data of users in dynamic federations, proposing privacy scopes to be agreed in dynamic associations (federation time) among service providers and identity providers. A prototype of the dynamic federation and scopes agreement was developed using OpenID Connect.
... A digital identity is a representation of an entity (or group of entities) in the form of one or more elements of information (attributes) that allows the recognition of an entity in a specific context [4]. An identity management system aggregates a collection of tools to manage individual identities in a digital environment [4] [11]. A feature largely utilized in these systems is SSO, so the user does not need to authenticate every time to access different applications. ...
Conference Paper
Full-text available
As multi-tenant authorization and federated identity management systems for cloud computing mature, the provisioning of services using this paradigm allows maximum efficiency on business that requires access control. However, regarding scalability support, mainly horizontal, some characteristics of those approaches based on central authentication protocols are problematic. The objective of this work is to address these issues by providing an adapted sticky-session mechanism for a Shibboleth architecture using CAS. This alternative, compared with the recommended shared memory approach, showed improved efficiency and less overall infrastructure complexity.
Conference Paper
The rapid development of cloud storage in recent years has caused a wave of research interest. To improve the cloud user experience, a large number of schemes have been proposed with various practical features, for instance, long-term correct data storage and dynamic data modification. In most works, however, the authors seem to completely ignore the hard fact that the data owner alone could not have enough energy to discover and correct all the inappropriate data outsourced in the cloud. Others did consider it, and gave more than one user both read and write permissions, which leads to chaotic management of multiple users. In this paper, we propose a novel algorithm, in which the data owner and several authenticated assistants form a team to support dynamic data modification together. Assistants are in charge of detecting problems in cloud data and discussing a corresponding modification suggestion, while the data owner is responsible for the implementation of the modification. In addition, our algorithm supports identity authentication, efficient malicious assistant revocation, as well as lazy update. Sufficient numerical analysis validates the performance of our algorithm.
Article
As multi-tenant authorization and federated identity management systems for cloud computing mature, the provisioning of services using this paradigm allows maximum efficiency on business that requires access control. However, regarding scalability support, mainly horizontal, some characteristics of those approaches based on central authentication protocols are problematic. The objective of this work is to address these issues by providing an adapted sticky-session mechanism for a Shibboleth architecture using JASIG CAS. This alternative, compared with the recommended distributed memory approach, showed improved efficiency and less overall infrastructure complexity, as well as demanding 58% less computational resources and improving throughput (requests per second) by 11%.
Article
Recent trends in Cloud Computing have further stimulated the popularization of the mobile device industry, creating a novel computing paradigm called Mobile Cloud Computing (MCC). MCC takes advantage of the powerful computation and storage capability of cloud servers by offloading heavy computing or storage tasks from mobile devices to cloud servers to keep a thin frontend on the mobile devices. Such benefit is important to MCC leveraging the various sensors equipped in modern mobile devices. We explore the sensing capability of MCC and design an application framework that enables a class of exciting mobile applications to be developed in the sensing-oriented MCC environment. A critical issue in such an environment is accountability. We provide a comprehensive analysis of the accountability issues in this new computing context and show how the accountability function is integrated into the application framework.
Chapter
Full-text available
This paper addresses the topic of federated identity management. It discusses in detail the following topics: what is digital identity, what is identity management, what is federated identity management, Kim Cameron’s 7 Laws of Identity, how can we protect the user’s privacy in a federated environment, levels of assurance, some past and present federated identity management systems, and some current research in FIM.
Conference Paper
Full-text available
Shibboleth is a well-known software package for web single sign-on (SSO) based on several federated identity standards, including the Organization for the Advancement of Structured Information Standards (OASIS) security assertion markup language (SAML) versions 1.1 and 2.0. This paper describes uApprove.jp, a user consent acquisition system (UCAS) with an attribute-filter mechanism for a Shibboleth-based SSO system. uApprove.jp requests the user's consent for the release of his/her personal information from an identity provider (IdP) to a service provider (SP) and allows him/her to determine which attributes will be sent. uApprove.jp is an extension of uApprove, a UCAS for Shibboleth. Our development is for universities participating in GakuNin (a Japanese academic federation), but it can be utilized in other Shibboleth-based federations.
Article
Full-text available
The cloud computing paradigm is still evolving, but has recently gained tremendous momentum. However, security and privacy issues pose as the key roadblock to its fast adoption. In this article, the authors present security and privacy challenges that are exacerbated by the unique aspects of clouds and show how they're related to various delivery and deployment models. They discuss various approaches to address these challenges, existing solutions, and future work needed to provide a trustworthy cloud computing environment.
Conference Paper
Federated Identity Management is considered a promising approach to facilitate secure resource sharing between collaborating partners. The adoption rate of identity federation technologies in the industrial domain, however, has not been as expected. A structured survey provides the basis for this paper, which reports on challenges related to Federated Identity Management. This paper presents a narrative of the main challenges that are reported in existing FIdM research, and provides a starting point to those who seek to learn more about these concepts.
Article
In this paper we describe a policy-based authorisation infrastructure that a cloud provider can run as an infrastructure service for its users. It will protect the privacy of users' data by allowing the users to set their own privacy policies, and then enforcing them so that no unauthorised access is allowed to their data. The infrastructure ensures that the users' privacy policies are stuck to their data, so that access will always be controlled by the policies even if the data is transferred between cloud providers or services. This infrastructure also ensures the enforcement of privacy policies which may be written in different policy languages by multiple authorities such as: legal, data subject, data issuer and data controller. A conflict resolution strategy is presented which resolves conflicts among the decisions returned by the different policy decision points (PDPs). Performance figures are presented which show that the system performs well and that each additional PDP only imposes a small overhead.
Article
Open gate is an access control system of the captive portal type for mobile LAN users. Open gate has benefits such as a simple user interface, easy administration and so on. It supports IPv6 and Shibboleth single sign-on authentication. We have been operating Open gate for over 10 years without serious problems. Open gate is running on virtual machine environments. Virtual machine environments enable Open gate to be a cloud system for user authentication. The cloud Open gate provides opportunities for small organizations to have their own access control systems without self-operation.
Article
Keywords: cloud computing; privacy; design
Privacy is an important issue for cloud computing, both in terms of legal compliance and user trust, and needs to be considered at every phase of design. In this paper the privacy challenges that software engineers face when targeting the cloud as their production environment to offer services are assessed, and key design principles to address these are suggested.
Article
The consumer cloud computing paradigm has emerged as the natural evolution and integration of advances in several areas including distributed computing, service-oriented architecture and consumer electronics. In this complex ecosystem, security and identity management challenges have cropped up, given their dynamism and heterogeneity. As a direct consequence, dynamic federated identity management with privacy improvements has arisen as an indispensable mechanism to enable the global scalability and usability that are required for the successful implantation of Cloud technologies. With these requirements in mind, we present an IdM architecture based on privacy and reputation extensions in compliance with the SAMLv2/ID-FF standards.
Conference Paper
Identity management is one of the Web services that manages the digital identity and the personally identifiable information of a user who has subscribed to various Web services on the Internet. It was developed to provide the user with an easy way to use and manage the various digital identities that were provided by each Web service. If the user subscribes to an identity management service, the user can access the other Web sites affiliated with the identity management service and use their Web services by using the identity issued by the identity management service. And the user can manage the user's personally identifiable information distributed among various Web sites in an integrated way through this service. However, if the identity provider, which provides this identity management service, discloses the user's identity and personally identifiable information, identity theft can happen throughout all the affiliated Web sites. As a result, the privacy protection level of the identity provider, that is, the level of protection for personally identifiable information, is the critical factor of a successful identity management service. Therefore, an identity provider should provide an easy way for its internal or external auditor to assess the privacy protection level. This paper describes privacy threats for each phase of the identity life cycle, such as identity provision, propagation, use and maintenance, and destruction, and proposes criteria that evaluate the privacy protection level provided by the identity provider as a countermeasure against these threats. The internal or external auditor can use the criteria described in this paper as a way of assessing the privacy protection level of an identity provider.
Article
Techniques for managing authentication and authorization are critical to the next round of Internet innovation. Cloud-based services, the social Web, and rapidly expanding mobile platforms will depend on identity management to provide a seamless user experience. Although a number of standards have been advanced, an Internet scale identity solution remains elusive.