Annual Computer Security Applications Conference (ACSAC) 2012

Full Program »

M1: Authentication & Authorization Standards for the Cloud

Monday, 3 December 2012
08:30 - 12:00

Windsor

This course aims to introduce different technologies available for single sign on and federated identity in cloud environments. We also cover existing and emerging authorization technologies in the cloud. Specifically, we will look at OAuth 2.0 as a lightweight approach for authorization for RESTful services and application. We review through some use cases what benefits it provides and how it can be integrated with other technologies like SAML 2.0 to provide integration, federation and interoperability in cloud computing environments. We will also introduce the Simple Cloud Identity Management (SCIM) specification which is an ongoing effort designed to make managing user identity in cloud based applications and services easier. Finally we will look at efforts undertaken by government agencies regarding authentication and authorization in the Cloud.

Prerequisites. No specific prerequisite is required. Being familiar with general security concepts, authentication, and authorization is enough.

Outline:

  1. Single Sign On (SSO) Technologies for cloud computing (30 min)

An introduction to various SSO technologies that are being used or are emerging as de facto standard will be provided.

  1. The Security Assertion Markup Language (SAML) 2.0 (30 min)

SAML is an XML-based framework for communicating user authentication, entitlement, and attribute information. A high-level overview of SAML will be given followed by a technical introduction to SAML concepts and capabilities

  1. The OAuth 2.0 Authorization Framework and Use Cases (30 min)

The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. An overview of the OAuth 2.0 is given with details of various flows and a comparison between flows. We will also discuss some OAuth use cases to show its applicability in real world and demonstrate how enterprises can use OAuth for authorization and how to choose the best flow based on scenarios.

  1. SAML 2.0 Bearer Assertion Profiles for OAuth 2.0 and its integration with OAuth 2.0 (30 min)

We discuss the use of a SAML 2.0 Bearer Assertion as a means for requesting an OAuth 2.0 access token as well as for use as a means of client authentication.

We will also discuss how to use SAML and OAuth 2.0 together to achieve best integration and management simplicity in identity and policy domains.

  1. Simple Cloud Identity Management (SCIM) (30 min)

The Simple Cloud Identity Management (SCIM) specification is designed to make managing user identity in cloud based applications and services easier. The specification suite seeks to build upon experience with existing schemas and deployments, placing specific emphasis on simplicity of development and integration, while applying existing authentication, authorization, and privacy models. An overview of the specification will be given along with benefits it provides and some use cases.

We will also discuss in detail how to bind the Simple Cloud Identity Management (SCIM) schema to the Security Assertion Markup Language (SAML).

  1. Government efforts (30 min)

We briefly review the cloud authentication & authorization approaches recommended by various agencies such as the Federal Risk and Authorization Management Program (FedRAMP), DoD’s Cloud Computing Strategy and NIST’s Guidelines on Security and Privacy in Public Cloud Computing.

About the Instructor:

Mr. Hassan Takabi is 5th year PhD student in the School of Information Sciences and a member of the Laboratory of Education and Research on Security Assured Information Systems (LERSAIS) at the University of Pittsburgh. His research interests include access control models; trust management; privacy and Web security; usable privacy and security; and security, privacy, and trust issues in cloud computing environments.

 

 

Powered by OpenConf®
Copyright ©2002-2012 Zakon Group LLC