AUTHORIZATION FOR WORKLOADS IN A
DYNAMICALLY SCALING HETEROGENEOUS
SYSTEM
M.K.P.R. Jayawardhana
158217G
Supervised by
Prof. Gihan Dias
Mr. Prabath Siriwardena
Master of Science in Computer Science and Engineering
University of Moratuwa
Sri Lanka
Dvaara
Contribution of the Research
Considering ‘Cloud’ (e.g. Amazon EC2, Azure, GCP) as the most common instance of a dynamically scaling, heterogeneous system:
● Design a solution for authorization among multi-cloud systems
● Implement the designed solution
○ Re-use existing components + implement the missing ones + integration
● Implementation evaluation using a case study
● Performance evaluation
2
Introduction
Modern Enterprise Systems:
● Mostly distributed systems
● Horizontal scaling
● Avoid vendor lock-in
● Make use of external systems rather than having everything in-house:
○ Make use of SaaS providers
○ Make use of PaaS providers
○ Make use of IaaS providers
● High availability concerns
● Elasticity of the system is a concern, with rapid growth and peak and off-peak times
● Follows Microservices Architecture (MSA)
3
Ref : https://www.slideshare.net/ajessup/building-trust-between-modern-distributed-systems-with-spiffe
Why multi-cloud?
Introduction
● Organizations are concerned about moving everything to the cloud → security and privacy concerns + vendor lock-in
● Hybrid cloud to get started → sensitive data residing on-premise and heavy computing delegated to an external cloud
● Cost-effectiveness and reduced go-to-market time make cloud appealing
4
“MSA (Microservice Architecture)-specific IAM (Identity and Access Management) is still in its infancy. The primary focus of the MSA community thus far has been authentication and, more narrowly, the use of OAuth 2.0, leaving other important questions, such as the authorization architecture, unaddressed” - Gartner
Ref:
https://www.nutanix.com/enterprise-cloud-index/docs/enterprise-cloud-index.pdf,
https://www.gartner.com/doc/3784664/building-identity-microservices
Problem
Problem Statement
● Enterprise systems are becoming a service mesh.
● Each component of the system needs to scale as required, while being able to interact with other services.
● Interaction needs to be secured.
● Authentication between these services is being addressed.
How do we define and implement an authorization system for a multi-cloud enterprise system?
5
Ref : https://azure.microsoft.com/en-us/blog/microservices-on-azure-kubernetes-guidance/
Use Case
Problem Statement
An e-commerce company has decided to start its cloud journey as below, considering the features supported by each CSP, cost and vendor lock-in.
● Keep the sensitive business operations in the on-premise cloud.
● Send data to be stored or archived to Amazon S3. Use EC2 to analyse and summarize this data.
● Host a dashboard in GCP that summarizes the data in Amazon S3 to identify trends in the market.
● Need high elasticity (peak and off-peak seasons and times).
To build the secure boundary, the interactions below need to be secured:
- On-premise to Amazon
- Amazon to GCP
6
Use Case - Problem
Problem Statement
Service authentication between multiple clouds when dynamic scaling is in place is already a concern being addressed by the research community:
- Shared secret based
- Kerberos protocol
- CSP provided privileged API
- SPIFFE standard
How to support ‘Service Authorization’ in this system?
What should he be allowed to do?
7
Approach
Objectives
● Study existing models, solutions and standards that support authorization between services.
● Study the other relevant aspects of authorization, such as authentication and administration of access control policy, as required by the authorization architecture for a cloud system.
● Build the components of the architecture so that they can coexist with current enterprise systems, providing authorization capabilities across clouds.
8
Literature Review
Literature Review
1. Classical Security Models
1.1. Authentication
1.2. Authorization
2. Future of Cloud Systems
3. Workloads
3.1. Workload Authentication
3.2. Workload Authorization
9
Access Control
Literature Review
10
Ref : R. S. Sandhu and P. Samarati, “Access control: principle and practice,” IEEE Commun. Mag., vol. 32, no. 9, pp. 40–48, 1994
Authentication
Literature Review
Verifying that an entity such as a person, a group, a device or an application is what it declares itself to be, based on:
- Something Known
- Something Possessed
- Something Inherent
11
Ref: D. Gollmann, “Computer security,” WIREs Comp Stat, vol. 2, no. 5, Sep. 2010
Authorization
Literature Review
● DAC
● MAC
● Access Control Matrix
○ Access Control List
● RBAC
● ABAC
● XACML
● OPA
12
Image : https://image.slidesharecdn.com/350pmaxio-irmsummit2014gerry-140611105654-phpapp02/95/top-ten-reasons-why-developers-dont-adopt-abac-10-638.jpg
Ref : R. S. Sandhu and P. Samarati, “Access control: principle and practice,” IEEE Commun. Mag., vol. 32, no. 9, pp. 40–48, 1994
Classical Security Models
Literature Review
● Bell-LaPadula model - Confidentiality
● Biba model - Integrity
● Chinese Wall model - Conflict of interest
● Clark-Wilson model - Integrity of commercial systems, separation of duties
● Graham-Denning (GD) model - State transitions based on the ACM (access control matrix)
● Harrison-Ruzzo-Ullman model - Extending the GD model
● Take-Grant model - State transitions for confidentiality
13
Ref: D. Gollmann, “Computer security,” WIREs Comp Stat, vol. 2, no. 5, Sep. 2010
Cloud
Literature Review
- The most common, dynamically scaling, heterogeneous system
- SaaS, PaaS, IaaS
- Hyper-converged cloud to catalyze multi-cloud systems
14
Ref: https://www.timetoast.com/timelines/cloud-computing-history
Workload
Literature Review
“A highly cohesive and de-coupled capability or a unit of work that collectively builds up an enterprise application, which can be running on cloud or on-premise”
Eg:
● a microservice
● a Kubernetes pod
● a process in a VM
15
Ref: https://siliconangle.com/wp-content/blogs.dir/1/files/2016/02/illumio.png
Ref : M. C. Calzarossa, M. L. Della Vedova, L. Massari, D. Petcu, M. I. M. Tabash, and D. Tessera, “Workloads in the Clouds,” Springer International Publishing, 2016, pp. 525–550
Workload Authentication
Literature Review
● Challenge-response authentication
○ Credentials stored with the workload
○ Challenged to provide an inherent attribute based on the system
● Needham–Schroeder protocol
○ Uses a symmetric key
○ Based on a third party ‘Authentication server’ that builds trust
● Kerberos Protocol
○ Based on a KDC (Key Distribution Center)
○ Does not rely on network security
16
Ref: B. C. Neuman and T. Ts’o, “Kerberos: an authentication service for computer networks,” IEEE Commun. Mag., vol. 32, no. 9, pp. 33–38, Sep. 1994.
Single Cloud Authentication
Literature Review
● Platform provided privileged API based authentication
○ Amazon EC2 IID
○ Google Cloud Platform IIT
○ Microsoft Azure MSI
17
Claim layout of a GCP instance identity token (placeholders in brackets):
{
  "iss": "[TOKEN_ISSUER]",
  "iat": [ISSUED_TIME],
  "exp": [EXPIRED_TIME],
  "aud": "[AUDIENCE]",
  "sub": "[SUBJECT]",
  "azp": "[AUTHORIZED_PARTY]",
  "google": {
    "compute_engine": {
      "project_id": "[PROJECT_ID]",
      "project_number": [PROJECT_NUMBER],
      "zone": "[ZONE]",
      "instance_id": [INSTANCE_ID],
      "instance_name": "[INSTANCE_NAME]",
      "instance_creation_timestamp": [CREATION_TIMESTAMP]
    }
  }
}
Multi-Cloud Authentication
Literature Review
SPIFFE (Secure Production Identity Framework For Everyone)
● A common protocol based on the ‘Platform Provided Privileged API’ for authentication.
● Extendable to work with CSPs.
● A standard accepted by the CNCF (Cloud Native Computing Foundation).
18
Workload Authorization
Literature Review
● RBAC
○ OAuth 2.0 with scopes - client_credentials grant
● ABAC
○ OAuth 2.0 with scopes - client_credentials grant
○ XACML
○ OPA
● Authorization servers in the market
○ Based on the OAuth 2.0 MTLS standard
○ KeyCloak, Gluu, WSO2 IS, Ping Identity, IBM API Connect
19
Solution Design
20
Dvaara Design Options
Solution Design
Enforcing authentication and authorization - the four options considered:
- Local authentication and authorization
- Local authorization and global authentication
- Local authentication and global authorization
- Global authentication and authorization
21
Dvaara Design Authentication
Solution Design
Comparison of Authentication Mechanisms
22
Mechanism                  | No need to deploy credentials with the workload | Single identity per workload | API driven credential rotation and distribution | Cross-platform trust building
Firewall                   | Yes | Yes | No  | Yes
Destination authentication | No  | No  | No  | Yes
Platform mediated identity | Yes | Yes | Yes | No
SPIFFE                     | Yes | Yes | Yes | Yes
Dvaara Design Authorization
Solution Design
● DAC vs MAC
○ Governing authorization of information flow is not in the current scope
○ Hence DAC
● RBAC vs ABAC
○ Need to consider fine-grained attributes of workloads
○ Hence ABAC
23
Comparison of Authorization Mechanisms
             | RBAC | ABAC
Simplicity   | Yes  | Can be complex
Fine-grained | No   | Yes
Standardized | No   | Yes (XACML/OPA)
Dvaara Design - XACML or OPA
Solution Design
● XACML vs OPA - policy comparison
24
                            | XACML                                                                          | OPA
Flexible ABAC support       | Yes                                                                            | Yes
Extendability               | Yes                                                                            | Yes
Complexity                  | High                                                                           | Occasionally
Verbose                     | Yes                                                                            | No
Required training           | Yes (though it is XML, it has specific functions and behaviours to understand) | Yes (though it is JSON-like, symbols and ways of writing rules have special meanings)
Implementation availability | Axiomatics, Sun XACML engine, WSO2 Identity Server                             | OPA
Background                  | Open standard by OASIS                                                         | Open implementation, CNCF accepted
Overall Design
Solution Design
25
Dvaara Architecture
Solution Design
26
Dvaara Implementation
Solution Implementation
27
Dvaara Implementation Ctd
Solution Implementation
28
Dvaara Implementation Contribution
Solution Implementation
Chain of Responsibility Pattern - a request passes through three handlers in order:
1. TLS level validation on the SPIFFE X.509 cert - using the Java-SPIFFE lib
2. OPA based decision on the allowed scopes, based on the SPIFFE ID - new implementation of an OPA based scope validation handler
3. Token validation request - ABAC, validating the workload attributes and context against the OPA policy - new implementation of an OPA based token validation handler
- The selected WSO2 IS authorization server was patched to support the required parameters being sent to the OPA engine.
- WSO2 IS patched to enrich
29
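The handler chain described on this slide, as an added example written for this page; it is not Dvaara's code (Dvaara's handlers are Java, running inside the patched WSO2 Identity Server with the Java-SPIFFE library and consulting an OPA engine). Here the three handlers are plain Python functions, the OPA policy is modelled as two constructed dictionaries (allowed scopes per SPIFFE ID, and the workload attributes each scope requires), and the TLS-level step is modelled on the URI SAN of the client certificate rather than on real X.509 parsing. The trust domain, SPIFFE IDs, scopes and attributes are all constructed for the salary-API use case from the evaluation.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

TRUST_DOMAIN = "spiffe://example.test"  # constructed trust domain

# Constructed stand-in for the OPA scope policy: allowed scopes per SPIFFE ID.
SCOPE_POLICY: Dict[str, Set[str]] = {
    "spiffe://example.test/onprem/hr-service": {"salary:read", "salary:write"},
    "spiffe://example.test/aws/analytics": {"salary:read"},
}

# Constructed ABAC rule: the infrastructure attributes each scope requires.
ATTRIBUTE_POLICY: Dict[str, Dict[str, Set[str]]] = {
    "salary:write": {"platform": {"on-premise"}},
    "salary:read": {"platform": {"on-premise", "aws"}, "env": {"prod"}},
}
BUSINESS_HOURS = range(8, 18)  # constructed context rule applied to write scopes


@dataclass
class Request:
    peer_uri_sans: List[str]        # URI SANs taken from the client certificate
    requested_scopes: Set[str]      # scopes asked for in the token request
    workload_attrs: Dict[str, str]  # e.g. platform/env from the SVID registration
    hour_of_day: int                # request context


@dataclass
class Decision:
    allowed: bool
    reason: str
    spiffe_id: Optional[str] = None


Handler = Callable[[Request, Decision], Decision]


def tls_spiffe_handler(req: Request, d: Decision) -> Decision:
    """Step 1: the peer must present exactly one SPIFFE ID in our trust domain."""
    ids = [u for u in req.peer_uri_sans if u.startswith(TRUST_DOMAIN + "/")]
    if len(ids) != 1:
        return Decision(False, "no single SPIFFE ID in our trust domain")
    return Decision(True, "svid ok", spiffe_id=ids[0])


def scope_handler(req: Request, d: Decision) -> Decision:
    """Step 2: every requested scope must be allowed for this SPIFFE ID."""
    allowed = SCOPE_POLICY.get(d.spiffe_id, set())
    extra = req.requested_scopes - allowed
    if extra:
        return Decision(False, f"scopes not allowed for {d.spiffe_id}: {sorted(extra)}", d.spiffe_id)
    return Decision(True, "scopes ok", d.spiffe_id)


def abac_token_handler(req: Request, d: Decision) -> Decision:
    """Step 3: workload attributes and request context against the ABAC policy."""
    for scope in sorted(req.requested_scopes):
        for attr, permitted in ATTRIBUTE_POLICY.get(scope, {}).items():
            value = req.workload_attrs.get(attr)
            if value not in permitted:
                return Decision(False, f"{scope}: attribute {attr}={value!r} not permitted", d.spiffe_id)
        if scope.endswith(":write") and req.hour_of_day not in BUSINESS_HOURS:
            return Decision(False, f"{scope}: outside business hours", d.spiffe_id)
    return Decision(True, "authorized", d.spiffe_id)


CHAIN: List[Handler] = [tls_spiffe_handler, scope_handler, abac_token_handler]


def authorize(req: Request) -> Decision:
    """Run the chain; the first handler that denies ends the evaluation."""
    d = Decision(False, "not evaluated")
    for handler in CHAIN:
        d = handler(req, d)
        if not d.allowed:
            return d
    return d
```

Each handler only depends on what the previous one established (the SPIFFE ID), so a handler can be swapped for one that calls a real OPA endpoint without touching the others, which is the point of the chain-of-responsibility layout.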
Evaluation
Solution Evaluation
Flow shown in the diagram:
1 - Token request
2 - Actual API consumption using the token
30
Demo
31
Evaluation
Solution Evaluation
Correctness
- Considered the use case of an employee management solution
- Authorized access to a salary management API
- Fine-grained authorization based on infrastructure layer details and application layer details
- Verified results against the expected results
32
Conclusion
- What can Dvaara do?
  - Make authorization decisions based on infrastructure level and application level attributes
  - Understand SPIFFE based authentication
  - Allow dynamic changes to the authorization policy
- Dvaara provides a viable solution for workload authorization in a multi-cloud system
- Dvaara provides fine-grained authorization in a dynamic manner
- Dvaara bridges the existing, widely adopted open standards of OAuth 2.0 and TLS to the emerging cloud native standards of SPIFFE and OPA
- Dvaara opens doors for existing enterprise systems to gain the benefits of hybrid or multi-cloud without compromising on service authorization policies.
33
Future Work
- Make the access token a JWT (JSON Web Token) that can carry attributes (advices) between the workloads
- Federation between SPIRE servers or authorization servers to expand the trust boundary in a seamless manner
- Performance improvements - add caching at token validation
- Provide an administration portal for the system
  - Single view of the policy used to issue SPIFFE IDs
  - Single view of the policies active in the OPA engine
  - CRUD operations on the policies and evaluating their effect
  - Current overview of the system (active workloads, tokens etc.)
- Use the OAuth 2.0 specification to bind the token to the TLS layer (currently happening in Dvaara in an indirect way)
34
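The last item, binding the token to the TLS layer, is what the OAuth 2.0 mutual-TLS specification (RFC 8705) calls a certificate-bound access token: the authorization server puts the SHA-256 thumbprint of the client certificate into the token's cnf claim as x5t#S256, and the resource server recomputes the thumbprint of the certificate on the current TLS connection and refuses the token when the two differ. The snippet below is an added example of that check written for this page, not Dvaara's implementation; the certificate DER bytes are constructed placeholders, since the binding only ever hashes them.

```python
import base64
import hashlib
import hmac

# Constructed placeholders standing in for the DER encoding of two client
# certificates; only their hashes matter for the binding check.
CERT_A_DER = b"constructed-der-bytes-of-client-cert-A"
CERT_B_DER = b"constructed-der-bytes-of-client-cert-B"


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 thumbprint: base64url(SHA-256(DER)) without padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def bind_token(claims: dict, client_cert_der: bytes) -> dict:
    """Authorization-server side: add the cnf claim at token issuance."""
    bound = dict(claims)
    bound["cnf"] = {"x5t#S256": x5t_s256(client_cert_der)}
    return bound


def check_binding(claims: dict, presented_cert_der: bytes) -> bool:
    """Resource-server side: the presenting certificate must match cnf."""
    expected = (claims.get("cnf") or {}).get("x5t#S256")
    if not expected:
        # An unbound token on an endpoint that requires mTLS binding is a
        # bearer token being used where only bound tokens are acceptable.
        return False
    return hmac.compare_digest(expected, x5t_s256(presented_cert_der))
```

With the binding in place a stolen access token is useless to anyone who does not also hold the private key of the certificate it was bound to, which is the property the slide's "indirect" arrangement is after.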
THANK YOU
https://medium.com/@Pushpalanka
https://github.com/Dvaara/
Pushpalanka
pushpalankajaya@gmail.com
35

Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Clustering techniques data mining book ....
Clustering techniques data mining book ....Clustering techniques data mining book ....
Clustering techniques data mining book ....
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Active Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdfActive Directory Penetration Testing, cionsystems.com.pdf
Active Directory Penetration Testing, cionsystems.com.pdf
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 

Authorization for workloads in a dynamically scaling heterogeneous system

  • 1. FABRIKAM
  AUTHORIZATION FOR WORKLOADS IN A DYNAMICALLY SCALING HETEROGENEOUS SYSTEM
  M.K.P.R. Jayawardhana (158217G)
  Supervised by Prof. Gihan Dias and Mr. Prabath Siriwardena
  Master of Science in Computer Science and Engineering, University of Moratuwa, Sri Lanka

  • 2. Contribution of the Research
  Considering the ‘Cloud’ (e.g. Amazon EC2, Azure, GCP) as the most common use case of a dynamically scaling, heterogeneous system:
  ● Design a solution for authorization among multi-cloud systems
  ● Implement the designed solution: re-use existing components, implement the lacking ones, and integrate them
  ● Evaluate the implementation using a case study
  ● Evaluate performance

  • 3. Introduction
  Modern enterprise systems:
  ● Are mostly distributed systems
  ● Scale horizontally
  ● Avoid vendor lock-in
  ● Make use of external systems rather than having everything in-house:
    ○ SaaS providers
    ○ PaaS providers
    ○ IaaS providers
  ● Have high-availability concerns
  ● Elasticity of the system is a concern, with rapid growth and peak and off-peak times
  ● Follow a Microservices Architecture (MSA)
  Ref: https://www.slideshare.net/ajessup/building-trust-between-modern-distributed-systems-with-spiffe

  • 4. Why multi-cloud? (Introduction)
  ● Organizations are concerned about moving everything to the cloud → security and privacy concerns + vendor lock-in
  ● Hybrid cloud to get started → sensitive data residing on-premise and heavy computing delegated to an external cloud
  ● Cost-effectiveness and reduced go-to-market time make the cloud appealing
  “MSA (Microservice Architecture)-specific IAM (Identity and Access Management) is still in its infancy. The primary focus of the MSA community thus far has been authentication and, more narrowly, the use of OAuth 2.0, leaving other important questions, such as the authorization architecture, unaddressed” - Gartner
  Ref: https://www.nutanix.com/enterprise-cloud-index/docs/enterprise-cloud-index.pdf, https://www.gartner.com/doc/3784664/building-identity-microservices

  • 5. Problem (Problem Statement)
  ● Enterprise systems are becoming a service mesh.
  ● Each component of the system needs to scale as required, while being able to interact with other services.
  ● Interaction needs to be secured.
  ● Authentication between these services is being addressed.
  How do we define and implement an authorization system for a multi-cloud enterprise system?
  Ref: https://azure.microsoft.com/en-us/blog/microservices-on-azure-kubernetes-guidance/

  • 6. Use Case (Problem Statement)
  An e-commerce company has decided to start a cloud journey as below, considering the features supported by each CSP, cost and vendor lock-in.
  ● Keep the sensitive business operations in the on-premise cloud.
  ● Send data to be stored or archived to Amazon S3. Use EC2 to analyse and summarize this data.
  ● Host a dashboard in GCP that summarizes the details in Amazon S3 to identify trends in the market.
  ● Need high elasticity (peak and off-peak seasons and times).
  To build the secure boundary, the interactions below need to be secured:
  - On-premise to Amazon
  - Amazon to GCP

  • 7. Use Case - Problem (Problem Statement)
  Service authentication between multiple clouds when dynamic scaling is in place is already a concern being addressed by the research community:
  - Shared-secret based
  - Kerberos protocol
  - CSP-provided privileged API
  - SPIFFE standard
  How to support ‘Service Authorization’ in this system?
  What should he be allowed to do?
  • 8. Approach (Objectives)
  ● Study existing models, solutions and standards that support authorization between services.
  ● Study the other relevant aspects of authorization, such as authentication and administration of access control policy, as required by the authorization architecture for a cloud system.
  ● Build up the components of the architecture that can coexist with current enterprise systems, providing authorization capabilities across clouds.

  • 9. Literature Review
  1. Classical Security Models
    1.1. Authentication
    1.2. Authorization
  2. Future of Cloud Systems
  3. Workloads
    3.1. Workload Authentication
    3.2. Workload Authorization

  • 10. Access Control (Literature Review)
  Ref: R. S. Sandhu and P. Samarati, “Access control: principle and practice,” IEEE Commun. Mag., vol. 32, no. 9, pp. 40–48, 1994

  • 11. Authentication (Literature Review)
  Identifying an entity such as a person, a group, a device or an application to be what they declare to be, based on:
  - Something known
  - Something possessed
  - Something inherent
  Ref: D. Gollmann, “Computer security,” WIREs Comp Stat, vol. 2, no. 5, Sep. 2010

  • 12. Authorization (Literature Review)
  ● DAC
  ● MAC
  ● Access Control Matrix
    ○ Access Control List
  ● RBAC
  ● ABAC
  ● XACML
  ● OPA
  Image: https://image.slidesharecdn.com/350pmaxio-irmsummit2014gerry-140611105654-phpapp02/95/top-ten-reasons-why-developers-dont-adopt-abac-10-638.jpg
  Ref: R. S. Sandhu and P. Samarati, “Access control: principle and practice,” IEEE Commun. Mag., vol. 32, no. 9, pp. 40–48, 1994

  • 13. Classical Security Models (Literature Review)
  ● Bell-LaPadula model - Confidentiality
  ● Biba model - Integrity
  ● Chinese-Wall model - Conflict of interest
  ● Clark-Wilson model - Integrity of commercial systems, separation of duties
  ● Graham-Denning (GD) model - State transitions based on the ACM
  ● Harrison-Ruzzo-Ullman model - Extends the GD model
  ● Take-Grant model - State transitions for confidentiality
  Ref: D. Gollmann, “Computer security,” WIREs Comp Stat, vol. 2, no. 5, Sep. 2010

  • 14. Cloud (Literature Review)
  - The most common dynamically scaling, heterogeneous system
  - SaaS, PaaS, IaaS
  - Hyper-converged cloud to catalyze multi-cloud systems
  Ref: https://www.timetoast.com/timelines/cloud-computing-history

  • 15. Workload (Literature Review)
  “A highly cohesive and de-coupled capability or a unit of work that collectively builds up an enterprise application, which can be running on cloud or on-premise”
  E.g.:
  ● a microservice
  ● a Kubernetes pod
  ● a process in a VM
  Ref: https://siliconangle.com/wp-content/blogs.dir/1/files/2016/02/illumio.png
  Ref: M. C. Calzarossa, M. L. Della Vedova, L. Massari, D. Petcu, M. I. M. Tabash, and D. Tessera, “Workloads in the Clouds,” Springer International Publishing, 2016, pp. 525–550

  • 16. Workload Authentication (Literature Review)
  ● Challenge-response authentication
    ○ Credentials stored with the workload
    ○ Challenged to provide an inherent attribute based on the system
  ● Needham–Schroeder protocol
    ○ Uses a symmetric key
    ○ Based on a third-party ‘Authentication server’ building trust
  ● Kerberos protocol
    ○ Based on a KDC (Key Distribution Center)
    ○ Does not rely on network security
  Ref: B. C. Neuman and T. Ts’o, “Kerberos: an authentication service for computer networks,” IEEE Commun. Mag., vol. 32, no. 9, pp. 33–38, Sep. 1994

  • 17. Single Cloud Authentication (Literature Review)
  ● Platform-provided privileged API based authentication
    ○ Amazon EC2 IID
    ○ Google Cloud Provider IIT
    ○ Microsoft Azure MSI
  Instance identity token claims as shown on the slide (placeholders in brackets):
    {
      "iss": "[TOKEN_ISSUER]",
      "iat": [ISSUED_TIME],
      "exp": [EXPIRED_TIME],
      "aud": "[AUDIENCE]",
      "sub": "[SUBJECT]",
      "azp": "[AUTHORIZED_PARTY]",
      "google": {
        "compute_engine": {
          "project_id": "[PROJECT_ID]",
          "project_number": [PROJECT_NUMBER],
          "zone": "[ZONE]",
          "instance_id": [INSTANCE_ID],
          "instance_name": "[INSTANCE_NAME]",
          "instance_creation_timestamp": [CREATION_TIMESTAMP]
        }
      }
    }

  • 18. Multi-Cloud Authentication (Literature Review)
  SPIFFE (Secure Production Identity Framework For Everyone)
  ● A common protocol based on the ‘Platform Provided Privileged API’ for authentication.
  ● Extendable to work with CSPs.
  ● A standard accepted by the CNCF (Cloud Native Computing Foundation).

  • 19. Workload Authorization (Literature Review)
  ● RBAC
    ○ OAuth 2.0 with scopes - client_credentials grant
  ● ABAC
    ○ OAuth 2.0 with scopes - client_credentials grant
    ○ XACML
    ○ OPA
  ● Authorization servers in the market
    ○ Based on the OAuth 2.0 MTLS standard
    ○ KeyCloak, Gluu, WSO2 IS, Ping Identity, IBM API Connect
  • 21. Dvaara Design Options (Solution Design)
  Enforcing authentication and authorization:
  - Local authentication and authorization
  - Local authorization and global authentication
  - Local authentication and global authorization
  - Global authentication and authorization

  • 22. Dvaara Design - Authentication (Solution Design)
  Comparison of authentication mechanisms:

  Mechanism                  | No need to deploy credentials with the workload | Single identity per workload | API-driven credential rotation and distribution | Cross-platform trust building
  Firewall                   | Yes | Yes | No  | Yes
  Destination authentication | No  | No  | No  | Yes
  Platform-mediated identity | Yes | Yes | Yes | No
  SPIFFE                     | Yes | Yes | Yes | Yes

  • 23. Dvaara Design - Authorization (Solution Design)
  ● DAC vs MAC
    ○ Governing authorization of information flow is not in the current scope
    ○ Hence DAC
  ● RBAC vs ABAC
    ○ Need to consider fine-grained attributes of workloads
  Comparison of authorization mechanisms:

               | RBAC | ABAC
  Simplicity   | Yes  | Can be complex
  Fine-grained | No   | Yes
  Standardized | No   | Yes (XACML/OPA)

  • 24. Dvaara Design - XACML or OPA (Solution Design)
  ● XACML vs OPA - policy comparison

                              | XACML | OPA
  Flexible ABAC support       | Yes | Yes
  Extendability               | Yes | Yes
  Complexity                  | High | Occasionally
  Verbose                     | Yes | No
  Required training           | Yes (though it is XML, it has specific functions and behaviours to understand) | Yes (though it is JSON-like, it gives special meanings to symbols and has its own ways of writing rules)
  Implementation availability | Axiomatics, Sun XACML engine, WSO2 Identity Server | OPA
  Background                  | Open standard by OASIS | Open implementation, CNCF accepted

  • 29. Dvaara Implementation - Contribution (Solution Implementation)
  Chain of Responsibility pattern, with one handler per stage:
  - TLS-level validation of the SPIFFE X.509 certificate (using the Java-SPIFFE library)
  - OPA-based decision on the allowed scopes, based on the SPIFFE ID (new implementation of an OPA-based scope validation handler)
  - Token validation request: ABAC, validating the workload attributes and context against the OPA policy (new implementation of an OPA-based token validation handler)
  - The selected WSO2 IS authorization server was patched to support the required parameters being sent to the OPA engine. WSO2 IS patched to enrich
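Added example, not code from the Dvaara project or this deck: an OPA policy in Rego sketching the two OPA-backed handlers above, the scope decision keyed by SPIFFE ID and the ABAC check of workload infrastructure attributes. The trust domain, SPIFFE IDs, scope names and input field names are my assumptions; the deck does not show Dvaara's actual policy or the parameters the patched WSO2 IS sends to OPA.

```rego
package dvaara.authz

import rego.v1

# Constructed trust domain; the deck does not name Dvaara's real one.
trust_domain := "fabrikam.example"

# Constructed policy data: scopes each workload (keyed by SPIFFE ID) may be granted.
allowed_scopes := {
	"spiffe://fabrikam.example/onprem/payroll-service": {"salary:read", "salary:write"},
	"spiffe://fabrikam.example/aws/analytics-worker": {"salary:read"},
}

# Constructed ABAC constraints: infrastructure attributes a workload must present.
# Workloads not listed here carry no infrastructure constraint.
infra_constraints := {
	"spiffe://fabrikam.example/aws/analytics-worker": {"cloud": "aws", "zone_prefix": "us-east-1"},
}

# Assumed input shape (constructed), as the authorization server might send it:
# {"spiffe_id": "spiffe://fabrikam.example/aws/analytics-worker",
#  "requested_scopes": ["salary:read"],
#  "workload": {"cloud": "aws", "zone": "us-east-1b"}}

default allow := false

# Identity handler: the SPIFFE ID (taken from the TLS-validated X.509 SVID) must
# belong to our trust domain; anything else is rejected before scopes are examined.
spiffe_ok if startswith(input.spiffe_id, concat("", ["spiffe://", trust_domain, "/"]))

# Scope handler: every requested scope must be in the allow-list for this SPIFFE ID.
# An unknown SPIFFE ID leaves the set difference undefined, so the rule fails closed.
scopes_ok if {
	requested := {s | some s in input.requested_scopes}
	count(requested) > 0
	count(requested - allowed_scopes[input.spiffe_id]) == 0
}

# ABAC handler: a constrained workload must match its cloud and zone prefix.
infra_ok if not infra_constraints[input.spiffe_id]

infra_ok if {
	c := infra_constraints[input.spiffe_id]
	input.workload.cloud == c.cloud
	startswith(input.workload.zone, c.zone_prefix)
}

# Final decision: all three handlers in the chain must pass.
allow if {
	spiffe_ok
	scopes_ok
	infra_ok
}

# Reasons behind a deny, for the authorization server's audit log.
deny_reasons contains "SPIFFE ID outside trust domain" if not spiffe_ok
deny_reasons contains "requested scope not allowed for this workload" if not scopes_ok
deny_reasons contains "workload infrastructure attributes do not match policy" if not infra_ok
```

With the input above saved as input.json, opa eval -i input.json -d policy.rego data.dvaara.authz prints allow together with any deny_reasons; changing the zone to one outside us-east-1 or adding salary:write to the request flips allow to false.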
  • 30. Evaluation (Solution Evaluation)
  1 - Token request
  2 - Actual API consumption using the token

  • 32. Evaluation (Solution Evaluation)
  Correctness:
  - Considered the use case of an employee management solution
  - Authorized access to a salary management API
  - Fine-grained authorization based on infrastructure-layer details and application-layer details
  - Verified results against the expected results

  • 33. Conclusion
  - What can Dvaara do?
    - Make authorization decisions based on infrastructure-level and application-level attributes
    - Understand SPIFFE-based authentication
    - Allow dynamic changes to the authorization policy
  - Dvaara provides a viable solution for workload authorization in a multi-cloud system
  - Dvaara provides fine-grained authorization in a dynamic manner
  - Dvaara bridges the existing authorization technology of OAuth 2.0 and TLS, widely adopted open standards, to the emerging cloud-native standards of SPIFFE and OPA
  - Dvaara opens doors for existing enterprise systems to gain the benefits of hybrid or multi-cloud without compromising on service authorization policies

  • 34. Future Work
  - Make the access token a JWT (JSON Web Token) that can carry attributes (advices) between the workloads
  - Federation between SPIRE servers or authorization servers to expand the trust boundary in a seamless manner
  - Performance improvements: add caching at token validation
  - Provide an administration portal for the system:
    - Single view of the policy available to issue SPIFFE IDs
    - Single view of the policies active in the OPA engine
    - CRUD operations on the policies and evaluation of their effect
    - Current overview of the system (active workloads, tokens, etc.)
  - OAuth 2.0 specification to bind the token to the TLS layer (currently happening in Dvaara in an indirect way)