Cloud Computing Authentication Security Information Technology Essay
Cloud computing is the newest concepts in computer science world. Concept of providing computer power and computer based service in utility basis from the location other than the one from where user is computing, has change the IT world dramatically in past recent years. Therefore many people believe cloud computing is the next big thing in IT world.
Cloud computing provide many services to the people. Email is a one such service. According to the service, cloud computing could be also be categorized in to three main categorize, software as a service, platform as a service and Infrastructure as a service are those categorize. According to the deployment models cloud computing also could be categorize in to several areas Public cloud, Private cloud and Hybrid cloud are such areas.
Even though the cloud computing has considered as the next big thing in IT world, it has many challenges as well as benefits. Reduce organization hardware costs, software licensing cost and more mobility are some benefits of cloud computing. Network limitation such as low bandwidth and security problems are such challenges cloud computing should find answers.
1.2 Cloud computing Security
Security is a one of the main challenge cloud applications faces today. As a result most of the people are afraid to move to the cloud based solutions. In 2008 a survey was conducted by International Data Cooperation (IDC) using 244 IT executives and CIO and 74.6% of them have identified security as the main challenge in cloud computing. Following figure further illustrate this problem.
When you consider about the cloud security there are several security problems could be identified. Cloud Computing authentication security, cloud data storing security, disaster recovery policies are some mostly discussed security issues. And these security issues should be solved as much as possible for a better cloud computing environment.
1.3 Cloud computing Authentication Security
When you consider about the authentication security, we could see several security breaches were occurred during past few years. According to identity theft resource centre there were 498 total security breaches were reported in 2009 .But within first four months of the 2010 there were 245 security breaches were reported, and most of these security breaches occurred due to stolen password or hacking passwords. Therefore authentication security is more important to any kind of application
But when you consider about the cloud computing authentication with other normal web application authentication, you would find a little difference in cloud authentication. Other than the normal web application cloud computing application provides several numbers of unique services to the consumer. so it is difficult to use separate username and password for each service. Therefore cloud computing authentication process is done by mechanism called “Single Sign On”.
In single sign on consumer has given access to his all kinds of services using one username and a one password. Therefore consumer does not have to remember several passwords to get access to all their services
As earlier said in single sign on user is using a single user name and a password to access all his services and data in the cloud. As we know password could be easily be hacked or guessed by a third party, what happens if such kinds of problem occur in cloud application? Definitely all you confidential data would be expose to other parties. In early 2009 these kind of data breach occurred in organization called Monster.com.
We could clearly see that some kind of other approach should be need to solve this problem and cloud should be more secure. Therefore in our research we are going to address this problem and search for a better solution.
1.4 Objectives
In our project we will try to achieve strong authentication process for cloud computing. Therefore we would use mobile phones which guarantee that correct user has log into the system. Identify correct mobile phone wireless public key infrastructure based approach would be used. Here we have mentioned some steps for achieve our objectives
Create a prototype of a simple user friendly Authenticator which supports for Wireless public key infrastructure and Single Sign On
Creating a Mobile application which support WPKI based Authentication
Check the applicability and security risk of such kind solution
2. Review Chapter
2.0 Introduction
Cloud computing is the newest concept in modern world. Though there were several security problems regards to cloud based applications. Cloud authentication is a security problem people should find answers. As our project deals with creating better authentication mechanism using wireless public key infrastructure for cloud based application, we will describe some related works in this chapter
First we will describe about the existing authentication mechanism used in cloud based applications. Then we will describe about the wireless public key infrastructure model which has successfully used for several areas.
Existing cloud Authentication mechanism
Unlike to normal web based applications, cloud computing application provide many unique services to users. So the authentication process in cloud computing is much different than to a normal web application. Traditional approach where each application keeps track of its user names and password in different place is not feasible in cloud based approach. For instance just think about a cloud application which provide 10 unique services, if the authentication is achieved according to a normal web application user would have to remember 10 different passwords and user name. Therefore cloud based application uses different kind of authentication mechanism called Single Sign on (SSO).
Simply the single sign on means accessing several cloud based application using one user name and password. User can just log on to the system once and then they could access all the services they have registered. Single sign on is been used in several cloud based applications Google apps engine and Ping identity are some applications which provide Single sign on based approach to register users.
To achieve single sign on mainly two approaches are used
OpenID based Single Sign On
SAMAL based Single Sign On
OpenID is vulnerable for several risks like phishing attacks, so SAMAL based Single Sign On is the commonly used approach to achieve Cloud computing Identity security.
What is SAMAL
SAMAL stands for security assertion markup language which developed by OASIS. It is the most used xml based standard for exchanging authentication and authorization data in between two domains
Authentication Approaches According to cloud computing Deployment Model
In cloud authentication different approaches are been used. According to the cloud deployment model authentication methods gets little bit different for example authentication mean used in private cloud is little bit different than to authentication mean used in public clouds. Following we have mentioned some authentication approaches which are used in different cloud deployment models
Authentication procedure used in Private Cloud computing
This authentication pattern is called trusted IDM pattern Google APP Engine use this kind of pattern user submit their user credentials to IDM component IDM component encrypt the user credentials and then user credentials submit to the authenticator then decrypt user credentials and authenticate the user if the authentication successful via domain resolver IDP give access to the services provided by cloud
This approach is very secure approach though it’s not scalable and the number of request that handle simultaneously is very large.
Authentication procedure used in public cloud computing
Above authentication pattern is called External IDM Pattern these kind of authentication procedures are mainly used in public clouds when a user want to get access to the cloud user first send their credentials to external authenticator via SSL connection then the authenticator checks the user credentials in LDAP servers and if the user is correctly validated it sends valid attributes via SAMAL to the IDM .then the IDM does the domain resolution and give access to the necessary services in public cloud. Ping Identity is a kind of example for external authenticators.
Unlike to the private cloud public cloud has large number of users because public clouds are mainly exposed to a larger crowd, maintaining username password will need more space and number of authentication request handle simultaneously also gets higher. Therefore public cloud authentications are mainly handled by external authenticator.
Following figure further illustrate a use case which describe the authentication process in a public cloud
1 The user attempts to reach a hosted Google application, such as Gmail, Start Pages, or another Google service.
2 Google generates a SAML authentication request. The SAML request is encoded and embedded into the URL for the partner’s SSO service. The RelayState parameter containing the encoded URL of the Google application that the user is trying to reach is also embedded in the SSO URL. This RelayState parameter is meant to be an opaque identifier that is passed back without any modification or inspection
3 Google sends a redirect to the user’s browser. The redirect URL includes the encoded SAML authentication request that should be submitted to the partner’s SSO service
4 The partner decodes the SAML request and extracts the URL for both Google’s ACS (Assertion Consumer Service) and the user’s destination URL (RelayState parameter). The partner then authenticates the user. Partners could authenticate users by either asking for valid login credentials or by checking for valid session cookies
5 The partner generates a SAML response that contains the authenticated user’s username. In accordance with the SAML 2.0 specification, this response is digitally signed with the partner’s public and private DSA/RSA keys.
6 The partner encodes the SAML response and the RelayState parameter and returns that information to the user’s browser. The partner provides a mechanism so that the browser can forward that information to Google’s ACS. For example, the partner could embed the SAML response and destination URL in a form and provide a button that the user can click to submit the form to Google. The partner could also include JavaScript on the page that automatically submits the form to Google
7 Google’s ACS verifies the SAML response using the partner’s public key. If the response is successfully verified, ACS redirects the user to the destination URL.
8The user has been redirected to the destination URL and is logged in to Google Apps
Authentication procedure used in Hybrid cloud computing
Hybrid cloud is a combination of two or more clouds (private cloud+ public cloud or public cloud+ Community cloud). Authentication in such kind of cloud there should be a procedure for communicate in between those clouds. As hybrid cloud is a combination of several cloud there want be a clear authentication pattern. Authentication pattern will be changed according to the implementation.
Problems of existing cloud Authentication process
Existing cloud authentication procedure has exposed for several problems. Today most of the cloud authentication processes use a single user name and password to authenticate user. Therefore cloud application could be exposed several security problems. Below we have mentioned some of the authentication security problems which exist in cloud authentication.
Cloud computing applications could be accessible from any device; private (e.g., laptop) or public (e.g., Internet café). And this has been a greater burden for most IT managers and CEO’s alike: “If you are not in control of the device that is accessing the data held within your network, then how can you surely identify the actual person that is using the device
User name and the password gives very little protection to the user certain password could be easily hacked, stolen or guessed or gained using phishing attacks. During past few years several such security breaches were reported.
All the user credentials are stored in a central location if somehow sever which stores the username and password get accessed by a third party they will gain the users credentials they will easily access user services
If these single sign on is used by organization then the employee should be trained for creating stronger password which couldn’t easily guessed or hacked this will be extra cost for a organization
Better authentication procedure is very much in needed for cloud computing and there should be a better way to identify and guarantee the user.
Wireless public key Infrastructure
Wireless public key infrastructure is kind of security protocol which is widely been used for better authentication. Some countries like Estonia has used wireless public key infrastructure for voting systems. It has also been proposed to use in M Commerce applications such banking payments systems.
The main device used for wireless public key infrastructure is mobile phone. User is identified by his mobile and then he will able to access the service which he desires. Wireless public key infrastructure also little bit similar to public key infrastructure. We will describe it further more in following topics.
2.5Main component in wireless public key infrastructure
Client: client is the person who access the service he would have a mobile phone equipped with a pin code public key and a private key pair
Registration authority: Manage user registration and acts for customer care
Certification Authority: certification authorities manage certification revocation lists certification activation and certification suspension
Mobile Operator: Authentication requests and other verification are sending to the user via mobile operator
Service Provider: Responsible of providing service which user wish. User must be authenticated before he should access the service.
Trusted Service Provider: Authentication process will occur at here. According to the users mobile phone number and hash will be generated and forward to the user’s phone. Then the user will signed the hash with his mobile phones private key and again send that to the trusted service provider trusted service provider will decrypt the users public key and check user with necessary certification authority. If all the process is ok trusted provider will ask service provider to provide their services.
2.6Wireless public key infrastructure Advantages
Fast operation time taken for operation is more like to be the time taken for sending and receiving SMS
Secure operation, mobile phone has a pin code without pin user would not be able to sign the challenge
No need to find other hardware and therefore no extra cost
Very simple operation any person could simply understand the signing process used in the phone
Easy for the user he has the phone in his hand therefore he could easily do the operation
Order Now