SUNFISH ID1v1 – Identity Management and Access Control

SUNFISH WG

Research output: Other contributionResearch

Abstract

This deliverable ID1 builds on SUNFISH deliverables D3.1, D4.1, and D4.4. It mainly focuses on the detailed architecture of the Data Security module, as well as on relevant aspect of integrating identity management into the FaaS (Federation-as-a-service) solution. These focus points have been chosen, as the Data Security component and identity management are tightly connected and key for the security of SUNFISH federations.
The Data Security module is a core component in the FaaS solution and controls access to deployed service providers and service consumers. This controlling functionality is based on defined data security policies. The development of this model is driven by the information sharing governance model as defined in the previous deliverable D4.4, as well as by the overall use-case requirements and
threat model, as defined in the refined versions of deliverables D2.2 and D2.3. The overall component architecture and requirements on the underlying infrastructure have been already defined in the previous deliverables D4.1 and D4.4. This deliverable scrutinizes on the components and specifies concrete APIs.
Furthermore, it elaborates on the deployment of different types of application. In general, the SUNFISH project makes a great step towards secure cloud federations and therefore has requirements on deployed applications to utilize the full potentials of the FaaS solution. However, non-FaaS enabled applications should still be deployable. Therefore, two different integration approaches for applications have been developed. These approaches, which allow both FaaS-aware applications and legacy applications to be deployed in the federation, are described in this deliverable in detail.
The Data Security components used in the federation are based on the XACML enforcement model.
Still, large advancements are made focusing on easy integration, as well as on data security policy management aspects. The policy store employed in SUNFISH is integrated with the core FaaS Blockchain-enabled component. This way, integrity of stored policies is ensured. Furthermore, the management of policies for particular deployed service providers is guarded by a second level of so called administration policies, which are stored in the policy store at service deployment. This again requires a deep integration with the identity management system.
APIs of the components described in this deliverable are specified in detail using swagger files. In addition, this document contains the key information required to foster a deep understanding of the developed infrastructure and modules. Additionally, it links to the full versions of the specification.
Especially the field of identity management is well researched and various technical solutions targeted at identity federations are already available. Furthermore, national and international agreements are in place to foster the usage of national eID solutions in cross-border scenarios. Therefore,
the SUNFISH project targets at a broad re-usability of existing solutions and their integration into the federation, without redefining or reinventing identity-management solutions themselves. This is achieved by identifying all possible scenarios where identity management is involved in the FaaS solution. Following, runtime assumptions are combined with the possible scenarios, yielding four
unique scenarios involving identity management. These scenarios are described in detail and are further scrutinized, also involving existing technical solutions. This results in a FaaS solution, which can flexibly be adapted to the needs of participating clouds and partners in the federation that make use of existing identity-management components.
Original languageEnglish
TypeDeliverable for SUNFISH H2020 Project
Publication statusPublished - Jan 2017

Fingerprint

Access control
Security of data
Application programming interfaces (API)
International cooperation
Reusability
Concretes
Specifications

Cite this

SUNFISH ID1v1 – Identity Management and Access Control. / SUNFISH WG.

2017, Deliverable for SUNFISH H2020 Project.

Research output: Other contributionResearch

@misc{5adde3634e3b47d5b2c7aa780c38481e,
title = "SUNFISH ID1v1 – Identity Management and Access Control",
abstract = "This deliverable ID1 builds on SUNFISH deliverables D3.1, D4.1, and D4.4. It mainly focuses on the detailed architecture of the Data Security module, as well as on relevant aspect of integrating identity management into the FaaS (Federation-as-a-service) solution. These focus points have been chosen, as the Data Security component and identity management are tightly connected and key for the security of SUNFISH federations.The Data Security module is a core component in the FaaS solution and controls access to deployed service providers and service consumers. This controlling functionality is based on defined data security policies. The development of this model is driven by the information sharing governance model as defined in the previous deliverable D4.4, as well as by the overall use-case requirements andthreat model, as defined in the refined versions of deliverables D2.2 and D2.3. The overall component architecture and requirements on the underlying infrastructure have been already defined in the previous deliverables D4.1 and D4.4. This deliverable scrutinizes on the components and specifies concrete APIs.Furthermore, it elaborates on the deployment of different types of application. In general, the SUNFISH project makes a great step towards secure cloud federations and therefore has requirements on deployed applications to utilize the full potentials of the FaaS solution. However, non-FaaS enabled applications should still be deployable. Therefore, two different integration approaches for applications have been developed. These approaches, which allow both FaaS-aware applications and legacy applications to be deployed in the federation, are described in this deliverable in detail.The Data Security components used in the federation are based on the XACML enforcement model.Still, large advancements are made focusing on easy integration, as well as on data security policy management aspects. The policy store employed in SUNFISH is integrated with the core FaaS Blockchain-enabled component. This way, integrity of stored policies is ensured. Furthermore, the management of policies for particular deployed service providers is guarded by a second level of so called administration policies, which are stored in the policy store at service deployment. This again requires a deep integration with the identity management system.APIs of the components described in this deliverable are specified in detail using swagger files. In addition, this document contains the key information required to foster a deep understanding of the developed infrastructure and modules. Additionally, it links to the full versions of the specification.Especially the field of identity management is well researched and various technical solutions targeted at identity federations are already available. Furthermore, national and international agreements are in place to foster the usage of national eID solutions in cross-border scenarios. Therefore,the SUNFISH project targets at a broad re-usability of existing solutions and their integration into the federation, without redefining or reinventing identity-management solutions themselves. This is achieved by identifying all possible scenarios where identity management is involved in the FaaS solution. Following, runtime assumptions are combined with the possible scenarios, yielding fourunique scenarios involving identity management. These scenarios are described in detail and are further scrutinized, also involving existing technical solutions. This results in a FaaS solution, which can flexibly be adapted to the needs of participating clouds and partners in the federation that make use of existing identity-management components.",
author = "{SUNFISH WG} and Andreas Reiter and Bojan Suzic and Herbert Leitold and Alexander Marsalek and Bernd Pr{\"u}nster and Dominik Ziegler",
year = "2017",
month = "1",
language = "English",
type = "Other",

}

TY - GEN

T1 - SUNFISH ID1v1 – Identity Management and Access Control

AU - SUNFISH WG

AU - Reiter, Andreas

AU - Suzic, Bojan

AU - Leitold, Herbert

AU - Marsalek, Alexander

AU - Prünster, Bernd

AU - Ziegler, Dominik

PY - 2017/1

Y1 - 2017/1

N2 - This deliverable ID1 builds on SUNFISH deliverables D3.1, D4.1, and D4.4. It mainly focuses on the detailed architecture of the Data Security module, as well as on relevant aspect of integrating identity management into the FaaS (Federation-as-a-service) solution. These focus points have been chosen, as the Data Security component and identity management are tightly connected and key for the security of SUNFISH federations.The Data Security module is a core component in the FaaS solution and controls access to deployed service providers and service consumers. This controlling functionality is based on defined data security policies. The development of this model is driven by the information sharing governance model as defined in the previous deliverable D4.4, as well as by the overall use-case requirements andthreat model, as defined in the refined versions of deliverables D2.2 and D2.3. The overall component architecture and requirements on the underlying infrastructure have been already defined in the previous deliverables D4.1 and D4.4. This deliverable scrutinizes on the components and specifies concrete APIs.Furthermore, it elaborates on the deployment of different types of application. In general, the SUNFISH project makes a great step towards secure cloud federations and therefore has requirements on deployed applications to utilize the full potentials of the FaaS solution. However, non-FaaS enabled applications should still be deployable. Therefore, two different integration approaches for applications have been developed. These approaches, which allow both FaaS-aware applications and legacy applications to be deployed in the federation, are described in this deliverable in detail.The Data Security components used in the federation are based on the XACML enforcement model.Still, large advancements are made focusing on easy integration, as well as on data security policy management aspects. The policy store employed in SUNFISH is integrated with the core FaaS Blockchain-enabled component. This way, integrity of stored policies is ensured. Furthermore, the management of policies for particular deployed service providers is guarded by a second level of so called administration policies, which are stored in the policy store at service deployment. This again requires a deep integration with the identity management system.APIs of the components described in this deliverable are specified in detail using swagger files. In addition, this document contains the key information required to foster a deep understanding of the developed infrastructure and modules. Additionally, it links to the full versions of the specification.Especially the field of identity management is well researched and various technical solutions targeted at identity federations are already available. Furthermore, national and international agreements are in place to foster the usage of national eID solutions in cross-border scenarios. Therefore,the SUNFISH project targets at a broad re-usability of existing solutions and their integration into the federation, without redefining or reinventing identity-management solutions themselves. This is achieved by identifying all possible scenarios where identity management is involved in the FaaS solution. Following, runtime assumptions are combined with the possible scenarios, yielding fourunique scenarios involving identity management. These scenarios are described in detail and are further scrutinized, also involving existing technical solutions. This results in a FaaS solution, which can flexibly be adapted to the needs of participating clouds and partners in the federation that make use of existing identity-management components.

AB - This deliverable ID1 builds on SUNFISH deliverables D3.1, D4.1, and D4.4. It mainly focuses on the detailed architecture of the Data Security module, as well as on relevant aspect of integrating identity management into the FaaS (Federation-as-a-service) solution. These focus points have been chosen, as the Data Security component and identity management are tightly connected and key for the security of SUNFISH federations.The Data Security module is a core component in the FaaS solution and controls access to deployed service providers and service consumers. This controlling functionality is based on defined data security policies. The development of this model is driven by the information sharing governance model as defined in the previous deliverable D4.4, as well as by the overall use-case requirements andthreat model, as defined in the refined versions of deliverables D2.2 and D2.3. The overall component architecture and requirements on the underlying infrastructure have been already defined in the previous deliverables D4.1 and D4.4. This deliverable scrutinizes on the components and specifies concrete APIs.Furthermore, it elaborates on the deployment of different types of application. In general, the SUNFISH project makes a great step towards secure cloud federations and therefore has requirements on deployed applications to utilize the full potentials of the FaaS solution. However, non-FaaS enabled applications should still be deployable. Therefore, two different integration approaches for applications have been developed. These approaches, which allow both FaaS-aware applications and legacy applications to be deployed in the federation, are described in this deliverable in detail.The Data Security components used in the federation are based on the XACML enforcement model.Still, large advancements are made focusing on easy integration, as well as on data security policy management aspects. The policy store employed in SUNFISH is integrated with the core FaaS Blockchain-enabled component. This way, integrity of stored policies is ensured. Furthermore, the management of policies for particular deployed service providers is guarded by a second level of so called administration policies, which are stored in the policy store at service deployment. This again requires a deep integration with the identity management system.APIs of the components described in this deliverable are specified in detail using swagger files. In addition, this document contains the key information required to foster a deep understanding of the developed infrastructure and modules. Additionally, it links to the full versions of the specification.Especially the field of identity management is well researched and various technical solutions targeted at identity federations are already available. Furthermore, national and international agreements are in place to foster the usage of national eID solutions in cross-border scenarios. Therefore,the SUNFISH project targets at a broad re-usability of existing solutions and their integration into the federation, without redefining or reinventing identity-management solutions themselves. This is achieved by identifying all possible scenarios where identity management is involved in the FaaS solution. Following, runtime assumptions are combined with the possible scenarios, yielding fourunique scenarios involving identity management. These scenarios are described in detail and are further scrutinized, also involving existing technical solutions. This results in a FaaS solution, which can flexibly be adapted to the needs of participating clouds and partners in the federation that make use of existing identity-management components.

UR - http://www.sunfishproject.eu

M3 - Other contribution

ER -