Mechanisms of ensuring security in Keystone service

DOI: https://doi.org/10.30837/pt.2019.2.06

Keywords: Security, Mechanism, Identification, Keystone, Vulnerability

Abstract

User authentication is one of the most important aspects of cloud services, followed by the storage of sensitive information about customers. A number of solutions exist for authentication, security, and privacy provisioning in the cloud, while cloud identity management systems aim to simplify and harmonise access. This paper presents an investigation into the security problems associated with a cloud identity and access management system (IAMS), using the Keystone identity service within OpenStack as an example. In order to analyse the existing challenges, the paper breaks security provisioning down into authentication management, authorization management, personal data protection, privacy and confidentiality, and logging and auditing, and considers the security mechanisms required of any cloud IAMS in each of these categories. The paper also investigates some of the existing and potential attacks against the Keystone service, and then gives recommendations and mechanisms for enhancing its security. The vulnerabilities found in cloud IAMS show that most systems support at most a subset of the security provisioning mechanisms or have flaws of their own; in addition, there are no unified international standards in the area of cloud identity systems for cloud and service providers. The identified list of attacks and the associated mitigation mechanisms will help an identity and access management system protect identity credentials in the cloud system. The results can support further research into mechanisms aimed at ensuring the confidentiality and integrity of personal data.
Copyright (c) 2019 Ievgeniia Kuzminykh, Maryna Fliustikova
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.