
Abstract

With the rise of cloud computing, thousands of users and multiple applications have sought to communicate with each other, exchanging sensitive data. Thus, for effectively managing applications and resources, the use of models and tools is essential for the secure management of identities and to avoid compromising data privacy. There are models and tools that address federated identity management, and it is important that they use privacy mechanisms to assist in compliance with current legislation. Therefore, this article aims to present a survey of privacy in cloud identity management, presenting and comparing main features and challenges described in the literature. At the end of this work there is a discussion of the use of privacy and future research directions.
10/17/17, 11'21 PMCloud identity management: A survey on privacy strategies - ScienceDirect
Page 1 of 5http://www.sciencedirect.com/science/article/pii/S1389128617301664?via%3Dihub
Outline
Abstract
Keywords
1. Introduction
2. Privacy in identity management in the cloud
2.1. Identity management concepts
2.1.1. IdM Technologies
2.2. Cloud IdM challenges
2.3. Privacy challenges and characteristics
3. Privacy in cloud IdM models and techniques
3.1. Systematic mapping
3.2. IdM projects with privacy
3.3. Privacy proposals in the cloud
3.4. Privacy proposals in IdM
4. Challenges and directions for privacy-based IdM to cloud
4.1. Reliability assessment
4.2. Agreement of privacy options
4.3. Definition of interaction profiles
4.4. Grained control over the dissemination of data
4.5. Ensure the implementation of policies
5. Proposed solutions in progress
5.1. Sensitive data dissemination control
5.2. Privacy profiles on IdM
5.3. Dynamic registering with privacy
5.4. Model for IdM with privacy in cloud
6. Conclusion
Acknowledgment
References
Vitae
Computer Networks
Volume 122, 20 July 2017, Pages 29-42
Cloud identity management: A survey on privacy strategies
Jorge Werner, Carla Merkle Westphall, Carlos Becker Westphall
https://doi.org/10.1016/j.comnet.2017.04.030
Keywords
Privacy; Identity management; Cloud computing
Vitae
Jorge Werner is pursuing his PhD degree in Computer Science at Federal University of Santa
Catarina. He received his Master in Computer Science from Federal University of Santa
Catarina (2011) and graduated from the Estacio de Sa University of Santa Catarina (2007)
in Computer Network Technology.
Carla M. Westphall is a professor in the Department of Informatics and Statistics at the
Federal University of Santa Catarina, Brazil. Her research interests include distributed
security, identity management, and grid and cloud security. Westphall received her PhD in
electrical engineering from the Federal University of Santa Catarina.
Carlos B. Westphall is a full professor in the Department of Informatics and Statistics at the
Federal University of Santa Catarina, where he is the leader of the Networks and
Management Laboratory. His research interests include network and service management,
security, and cloud computing. He received his D.Sc. in computer science at Paul Sabatier
University, France. He was the founder of LANOMS. In 2011 he was named an IARIA
Fellow. He has served as Technical Program and/or Organizing Committee member (since
1994) of IFIP/IEEE IM, IEEE/IFIP NOMS, IEEE/IFIP DSOM, IEEE LANOMS, and IEEE
APNOMS. He has been on the Board of Editors (since 1995) and Senior Technical Editor
(since 2003) of the Journal of Network and Systems Management of Springer and an
Editorial Board member (since 2004) of the Computer Networks Journal of Elsevier. He has
also been an Associate Editor (since 2006) of the Journal of Communication and Information
Systems of IEEE ComSoc/SBrT. Since 1993 he has been a member of IFIP TC6 Working
Group 6.6 (Management of Networks and Distributed Systems), and since 2003 a member
of the core team of the TeleManagementForum Universities Program (TMF UP). Since 2008
he has been Latin America International Academy, Research, and Industry Association
(IARIA) Liaison Board Chair. He was a member (2004–2005 and 2006–2007) of the IEEE
ComSoc Membership Programs Development Board. From May 2000 to May 2005 he acted
as Secretary of the IEEE Committee on Network Operation and Management (CNOM).
From May 2005 to May 2009 he acted as Vice-Chair of IEEE CNOM. He has been a
member of IEEE CNOM since 1994.
© 2017 Elsevier B.V. All rights reserved.
... Twenty-nine percent of the reviewed studies, as shown in Figure 3, proposed taxonomies and categorizations for different aspects of the HIoT BC-IdM. They showed classifications and taxonomies for security risk-related topics, such as BC classifications for adoption barriers where security and privacy are considered as one of the main barriers to adopting BC in electronic health record systems and operation management systems [1,81], such as taxonomies for SSI members [20], risk classifications, attack vectors, risk-contributing factors in IdM systems [82], evaluation metrics, cloud IdM security services [83], consequence categories of IdM cyberattacks [84], the privacy characteristics taxonomy in cloud IdM [85], and risk metrics categorizations [86]. These taxonomies were important sources for developing the taxonomy in this research work. ...
... [S51] Cloud identity management: A survey on privacy strategies [85] Survey showing a taxonomy for privacy features and properties in IdM systems. ...
Article
Blockchain (BC) has recently paved the way for developing Decentralized Identity Management (IdM) systems for different information systems. Researchers widely use it to develop decentralized IdM systems for the Health Internet of Things (HIoT). HIoT is considered a vulnerable system that produces and processes sensitive data. BC-based IdM systems have the potential to be more secure and privacy-aware than centralized IdM systems. However, many studies have shown potential security risks to using BC. A Systematic Literature Review (SLR) conducted by the authors on BC-based IdM systems in HIoT systems showed a lack of comprehensive security and risk management frameworks for BC-based IdM systems in HIoT. Conducting a further SLR focusing on risk management and supplemented by Grey Literature (GL), in this paper, a security taxonomy, security framework, and cybersecurity risk management framework for the HIoT BC-IdM systems are identified and proposed. The cybersecurity risk management framework will significantly assist developers, researchers, and organizations in developing a secure BC-based IdM to ensure HIoT users’ data privacy and security.
... Grid implements a secure infrastructure called the Grid Security Interface (GSI) (Werner & Westphall, 2017), which facilitates the implementation of the three system security pillars (i.e., privacy, integrity, and authentication). ...
... Web service secure conversation facilitates the preliminary exchange of communication to create a security setting which can formerly be used to protect succeeding messages. On the other hand, transport level security (i.e. based on SSL and X.509) is currently the most commonly used security mechanism in GSI layer (Werner & Westphall, 2017) (The Globus Security Team, 2005). ...
Article
In any multi-device / multi-party system supporting GRID and cloud-based applications, an essential constraint is the need for all tools and participants to interconnect with each other as members of a group in a secure manner. A group key management method is an essential functional element for any protected distributed communication setting. The key distribution method is a crucial factor in securing communication in grid computing. After the secure key management is executed, messages can be securely exchanged between the grid units. A number of protocols have been proposed to maintain secure group key management. In this paper we present a new password-based protocol for secure group key management in a Grid computing environment, which is organized in two dynamic servicing layers: the grid application that needs grid services, and the grid services that act on behalf of the user.
... It is done by a role-based access policy (RBAC) or attributes-based access policy (ABAC). An identity repository has the following sub-components, structured data storage where identity information is stored, attribute storage that stores the additional attributes, and service to make the data available to network users and administrators [10]. ...
Article
Information security is shifting from a traditional perimeter-based approach to an identity-based approach where the organization’s boundaries are where their digital identities exist. The organization has multiple stakeholders having access to various organization resources. Systems and applications are part of organization resources that help them achieve their business goals. These systems and applications are internally or externally exposed to allow all stakeholders to have seamless access, thus making identity and access management a big challenge. Identity and Access Management (IAM) is a fundamental part of information security. It plays a critical role in keeping the organization’s information security posture resilient to cyber attacks. This paper will identify various components of an IAM solution that are essential and should be considered while implementing and assessing the IAM solution and provides a high-level IAM framework that will allow information security professionals to assess the IAM security posture of an organization.
... Cloud services allow users easy access to their personal or private information from related databases and ensure the availability of services processed under linked devices and privacy machines distributed over the internet [1,2]. Cloud services are reliable for the users, but security is required to keep the identity of the data and users. ...
Chapter
Cloud computing can provide unlimited computing resources on demand because of its inherently high scalability, which removes the requirement for cloud service providers to plan far ahead for the provisioning of hardware. Security is a prime challenge for promoting cloud computing in the present period. Trust has proved to be a most essential and adequate substitute means to paradigm security in distributed computing systems. Artificial Intelligence (AI) is one field that provides efficient cloud services for achieving more secure infrastructure by providing enhanced security features. Multi-placed data storage and available services of the cloud make privacy issues worse. To safely and efficiently construct trust relations between entities in cloud and cross-cloud environments, identity management services are crucial in the infrastructure of cloud computing for authenticating users and supporting flexible access control to available services, based on the user's Identity Properties (also called attributes) and the histories of all past interactions. AI can keep the best user authentication features for user security on the cloud. These services should maintain the users' privacy while enhancing interoperability among various domains and simplifying the process of identity verification. To integrate AI, cloud security should be improved with an effective solution for data storage. Here, the security and privacy issues of the data stored in the cloud for cloud computing are investigated in depth, and an enhanced framework is proposed to address these problems. The effectiveness of the newly proposed architecture was found fruitful by the users.
... The authentication process is used to ensure that the end-users are authentic, while the authorization process is based on granting or denying cloud resources based on the user authorities. As presented in [6], an overall evaluation for IAM was proposed with different evaluation. ...
... Privacy by Design 1 [9] and Privacy by Evidence 2 [10] techniques recommend. Since it is difficult to address all the privacy aspects at the development process, like the Privacy by Design approach proposes, the privacy settings are usually left to the user [6], [11]. The privacy sphere is then defined as the network and all IoT devices that a user owns and trusts to preserve sensitive data [6]. ...
Article
Trusted Execution Environments have been applied to improve data security in many distinct application scenarios since they enable data processing in a separate and protected region of memory. To investigate how this technology has been applied to the different IoT scenarios, which commonly deal with specific characteristics such as device resource constraints, we carried out a systematic literature review. For this, we selected and analyzed 58 papers from different conferences and journals, identifying the main IoT solutions and scenarios in which TEE has been employed. We also gathered the mentioned TEE advantages and disadvantages as well as the suggestions for future works. This study gives a general overview of the use of TEEs for cloud/fog-based IoT applications, bringing some challenges and directions.
... Werner et al. [119] presented a survey with works related to cloud identity management and strategies on how to achieve good levels of privacy, listing main features and challenges. ...
Thesis
The “Internet of Things” (IoT) is a term used, for the first time, in 1999, by Kevin Ashton, when speaking about the possibility of a connection between physical devices and the Internet. RFID (Radio Frequency Identification) was one of the main technologies used in that time, allowing objects tracking and identification, among other applications. Since then, the advances in many technologies, and the arising of many others, have enabled the cost lowering of devices and components, arousing, even more, the industry and academy interest in exploring the many possibilities of IoT applications. As the use of these applications is continuously increasing, it becomes necessary for the most different scenarios to standardize architectures, communication protocols, and security mechanisms to ease the development of such solutions and improve the confidence of final users. The lack of standardization is still a challenge, and, in this sense, many companies and open source communities have proposed middleware, frameworks, and other kinds of solutions. However, there is no “de facto” standard, well defined and accepted, yet. Thus, companies and people interested in using such solutions have some concerns and doubts about which of them to choose or how to model a specific solution. These concerns are even greater when the application deals with sensitive data, such as Personal Identifiable Information (PII) or Personal Health Information (PHI), that demand protection and requires well-established security mechanisms. This work intends to provide a Trusted IoT Architecture (TIoTA) to implement secure IoT applications according to it. The proposed architecture considers authentication, authorization, cryptography, and Trusted Execution Environments (TEEs) to make this possible. A TEE is a technology provided by some modern processors that enable secure processing in a protected memory region. 
The TIoTA proposed is validated with a formal method (Coloured Petri Net) and an experiment that measures an implemented application’s performance. This application considers some FIWARE components for authentication and authorization, and some Intel Software Guard Extensions (SGX) applications, for protected processing. With the proposed architecture, good protection levels are achieved when considering integrity, confidentiality, privacy, authentication, authorization, and secure communication.
Chapter
Patient data is very valuable and must be protected from misuse by third parties. Also, the rights of patients, such as privacy, confidentiality of medical information, information about possible risks of medical treatment, and the right to consent to or refuse a treatment, are very important. Individuals should have the right to access their health records and get these deleted from hospital records after completing the treatment. Traditional ways of keeping paper-based health records are being replaced by electronic health records as they increase portability and accessibility to medical records. Governments and hospitals across the world are putting huge efforts into implementing electronic health records. The present work explores the different aspects of health privacy and health records. The most important stakeholders and the technological and legal aspects have been presented from both the Indian and international perspectives. A comparative analysis has been presented for the available EHR standards with a focus on their roles and implementation challenges.
Conference Paper
User identity linkage (UIL) refers to linking users’ assets and identities across social networks. With the rapid growth of social media in our day-to-day life, UIL’s importance has gone beyond being just a research topic, and it has become a necessary precondition for critical tasks like fraud detection. However, only a few models have been proposed to tackle UIL in different domains than social networks. This limitation becomes even more evident in academic federated identity management (FIM) domains. Service providers (SP) deal with restricted users’ data in these environments, and often data related to connections between entities and resources (i.e., network-based information) such as friends associations or the clients’ inclinations is not available. This research addresses the account linkage (AL) problem for organizations inside federated environments with limited or no access to users’ data. In the proposed model, we focus on analyzing users’ habits and behavior during login processes by utilizing a Variational Autoencoder’s (VAE) latent space. The learned structure in this space is used to derive related accounts owned by one user. To the best of our knowledge, the proposed model is the first approach attempting to solve the AL problem inside an academic FIM domain with its high requirements regarding data security and limited users’ information. Preliminary results show that the proposed model could achieve almost 90% accuracy in linking accounts possessed by one user.
Article
During his tenure in the Lu Xun Academy in Yan'an, the center of the Chinese Revolution, the novelist Zhou Libo ran a seminar on world literature. While teaching masterpieces of European novelists, Zhou developed a theory of the novel that inherited themes of liberal humanism and appropriated them for a burgeoning revolutionary culture. In his teaching notes, Zhou upholds the people as the transformative engine for social progress: they are authors of their own culture, the political subjects of popular democracy, and in solidarity with the working classes of the world. This essay considers Zhou's fiction theory as a part of the transition from the old democratic revolution led by the Chinese bourgeoisie to the new democratic cultural initiative carried out by the enlightened intelligentsia and progressive working people.
Conference Paper
Cloud computing is an emerging paradigm shifting the shape of computing models from being a technology to a utility. However, security, privacy and trust are amongst the issues that can subvert the benefits and hence wide deployment of cloud computing. With the introduction of omnipresent mobile-based clients, the ubiquity of the model increases, suggesting a still higher integration in life. Nonetheless, the security issues rise to a higher degree as well. The constrained input methods for credentials and the vulnerable wireless communication links are among the factors giving rise to serious security issues. To strengthen the access control of cloud resources, organizations now commonly acquire Identity Management Systems (IdM). This paper presents that the most popular IdM, namely OAuth, working in the scope of Mobile Cloud Computing has many weaknesses in its authorization architecture. In particular, the authors find two major issues in current IdM. First, if the IdM System is compromised through malicious code, it allows a hacker to get authorization of all the protected resources hosted on a cloud. Second, all the communication links among client, cloud and IdM carry the complete authorization token, which can allow a hacker, through traffic interception at any communication link, illegitimate access to protected resources. We also suggest a solution to the reported problems, and justify our arguments with experimentation and mathematical modeling.
Article
Addressing privacy and data protection systematically throughout the process of engineering information systems is a daunting task. Although the research community has made significant progress in theory and in labs, meltdowns in recent years suggest that we're still struggling to address systemic privacy issues. Privacy engineering, an emerging field, responds to this gap between research and practice. It's concerned with systematizing and evaluating approaches to capture and address privacy issues with engineering information systems. This article serves to illuminate this nascent field. The authors provide a definition of privacy engineering and describe encompassing activities. They expand on these with findings from the First International Workshop on Privacy Engineering (IWPE), and conclude with future challenges.
Article
A strong factor in the early development of computers was security – the computations that motivated their development, such as decrypting intercepted messages, generating gunnery tables, and developing weapons, had military applications. But the computers themselves were so big and so few that they were relatively easy to protect simply by limiting physical access to them to their programmers and operators. Today, computers have shrunk so that a web server can be hidden in a matchbox and have become so common that few people can give an accurate count of the number they have in their homes and automobiles, much less the number they use in the course of a day. Computers constantly communicate with one another; an isolated computer is crippled. The meaning and implications of “computer security” have changed over the years as well. This paper reviews major concepts and principles of computer security as it stands today. It strives not to delve deeply into specific technical areas such as operating system security, access control, network security, intrusion detection, and so on, but to paint the topic with a broad brush.
Article
Identity management is an almost indispensable component of today’s organizations and companies, as it plays a key role in authentication and access control; however, at the same time, it is widely recognized as a costly and time-consuming task. The advent of cloud computing technologies, together with the promise of flexible, cheap and efficient provision of services, has provided the opportunity to externalize such a common process, shaping what has been called Identity Management as a Service (IDaaS). Nevertheless, as in the case of other cloud-based services, IDaaS brings with it great concerns regarding security and privacy, such as the loss of control over the outsourced data. In this paper, we analyze these concerns and propose BlindIdM, a model for privacy-preserving IDaaS with a focus on data privacy protection. In particular, we describe how a SAML-based system can be augmented to employ proxy re-encryption techniques for achieving data confidentiality with respect to the cloud provider, while preserving the ability to supply the identity service. This is an innovative contribution to both the privacy and identity management landscapes.
Article
Identity Management systems cannot be centralized anymore. Nowadays, users have multiple accounts, profiles and personal data distributed throughout the web and hosted by different providers. However, the online world is currently divided into identity silos forcing users to deal with repetitive authentication and registration processes and hindering a faster development of large scale e-business. Federation has been proposed as a technology to bridge different trust domains, allowing user identity information to be shared in order to improve usability. But further research is required to shift from the current static model, where manual bilateral agreements must be pre-configured to enable cooperation between unknown parties, to a more dynamic one, where trust relationships are established on demand in a fully automated fashion. This paper presents IdMRep, the first completely decentralized reputation-based mechanism which makes dynamic federation a reality. Initial experiments demonstrate its accuracy as well as an assumable overhead in scenarios with and without malicious nodes.
Conference Paper
Federated Identity Management is considered a promising approach to facilitate secure resource sharing between collaborating partners. The adoption rate of identity federation technologies in the industrial domain, however, has not been as expected. A structured survey provides the basis for this paper, which reports on challenges related to Federated Identity Management. This paper presents a narrative of the main challenges that are reported in existing FIdM research, and provides a starting point to those who seek to learn more about these concepts.
Conference Paper
Privacy in the cloud is still a strong issue for the large adoption of cloud technologies by enterprises which fear to actually put their sensitive data in the cloud. There is indeed a need to have an efficient access control on the data stored and processed in the cloud infrastructure allowing to support the various business and country-based regulation constraints (e.g., on data location and co-location, data retention duration, data processing, node security level, tracing and audit). In this perspective, this paper presents a novel approach of end-to-end privacy policy enforcement over the cloud infrastructure and based on the sticky policy paradigm (a policy being bound to each sensitive data). In our approach the data protection is performed within the cloud nodes (e.g., within the internal file system of a VM or its attached volume) and is completely transparent for the applications (no need to modify the applications). This paper describes the concept and the proposed end-to-end architecture (from the client to the cloud nodes) as well as an implementation based on the FUSE (Filesystem in Userspace) technology. This implementation is executed on a scenario of data access and transfer control, and is also used to achieve performance evaluations. These evaluations show that, with a reasonable additional computation cost, this approach offers a flexible and transparent way to enforce various privacy constraints within the cloud infrastructure.
Article
Identity management systems store attributes associated with users and employ these attributes to facilitate authorization. The authors analyze existing systems and describe a privacy-driven taxonomy of design choices, which can help technical experts consulting on public policy relating to identity management. The US National Strategy for Trusted Identities in Cyberspace initiative is discussed to illustrate how this taxonomy helps analyze public policy options.