

Identity Management Framework for Cloud Networking Infrastructure

Rajya Deep Dhungana, Alam Mohammad, Sathyanarayanan Rangarajan
Fraunhofer AISEC
Parkring 4, 85748 Garching, Germany
Email: firstname.lastname@aisec.fraunhofer.de

Ayush Sharma, Ingmar Schoen
Fraunhofer AISEC
Parkring 4, 85748 Garching, Germany
Email: firstname.lastname@aisec.fraunhofer.de

Abstract—The Cloud Networking (CloNe) infrastructure provisions elastic, secure, and on-demand virtualized network resources to the end user. It incorporates the Network-as-a-Service (NaaS) provisioning model, which enhances network-level scalability, throughput, and performance. In this paper, we extend the CloNe architecture by designing, deploying, and integrating an identity management framework customized for the CloNe infrastructure. The identity management framework proposed in this paper is based on the User Managed Access (UMA) protocol. The framework supports authentication, authorization, and identity management of entities in the CloNe infrastructure. Furthermore, it enables federated identity management and management of access control policies across different infrastructure providers.

Index Terms—Identity management, Cloud networking, Next-Generation networks

I. INTRODUCTION

The advancements in cloud computing and the development of different cloud provisioning models, namely Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS), have greatly influenced Information Technology in the recent past. Cloud computing enables hosting of multiple tenants on a shared pool of resources, faster development times with elastic and on-demand services, minimal capital expenditure, and usage-based maintenance cost [1]. However, the current cloud computing models lack support for virtualized network resource provisioning, which leads to dependability and reliability issues along the network connecting the cloud user and the cloud provider [2].

The Cloud Networking (CloNe) infrastructure proposed in [2] addresses the above concerns. The CloNe infrastructure integrates virtualized network resource provisioning capabilities into existing IaaS provisioning models. However, the CloNe infrastructure is still in its nascent stages and suffers from its own set of inherent security challenges. Schoo et al. [3] and Fusenig et al. [4] describe the security challenges of the CloNe infrastructure, which include identity management, authentication, authorization, and access control policy management of entities in the CloNe infrastructure.

These security challenges can be addressed with the introduction of a tightly integrated identity management framework into the CloNe architecture. Identity management frameworks enable users to specify their credentials [5] in order to authenticate themselves to a service provider. In cloud ecosystems, cloud-provider controlled access is not viable, because the cloud provider is responsible for managing user identities. If different cloud providers share the credentials of a user, a malicious cloud provider can exploit user identity credentials, leading to information misuse [6], [7]. Therefore, it is important to secure and manage the identity information of users by using a well-defined, cloud-provider independent identity management framework. The main contribution of this paper is the design, deployment, and integration of an identity management framework into the CloNe architecture. The identity management framework is based on the UMA protocol. The framework supports authentication, authorization, and identity management of entities in the CloNe infrastructure. Additionally, it enables federated identity management and management of access control policies across different cloud providers.

This paper is organized as follows. Section II describes the related work regarding identity management solutions relevant for the CloNe infrastructure. Section III gives an overview of the CloNe service provisioning infrastructure. Section IV covers the design, deployment, and integration details of the identity management framework into the CloNe architecture. Section V concludes the work and describes future work.

II. RELATED WORK

There are three primary identity management solutions which can be integrated into the CloNe architecture, namely, OpenID Connect [8], [9], OAuth [10], and UMA [11]. In OAuth 2.0, there is a single authorization manager (AM) associated with one or more resource server(s). The resource server is used to host the resources requested by the users. The AM manages the access control policies for different resources stored at a single or multiple resource server(s). During the authentication and authorization process, a resource server accepts access tokens only from its own AM. However, the resource servers must be co-located (within the same ad-

IIT'13 1569698969
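
The constraint described above, that a resource server accepts access tokens only from its own AM, shown as an added Python example (not code from the paper or the CloNe project). The HMAC-signed token format, the provider names, the resource name and the keys are constructed assumptions; OAuth 2.0 does not prescribe this token format.

```python
import base64, hashlib, hmac, json

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()
def _sign(key: bytes, body: str) -> str:
    return _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

class AuthorizationManager:
    """Toy AM issuing HMAC-signed tokens (constructed format, not OAuth's)."""
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
    def issue(self, sub, resource, scopes, now, ttl=300):
        claims = {"iss": self.name, "sub": sub, "res": resource,
                  "scope": scopes, "exp": now + ttl}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        return f"{body}.{_sign(self.key, body)}"

class ResourceServer:
    """Trusts exactly one AM, identified by its name and shared key."""
    def __init__(self, am_name: str, am_key: bytes):
        self.am_name, self.am_key = am_name, am_key
    def check(self, token, resource, scope, now):
        try:
            body, sig = token.split(".")
            # Constant-time comparison against the signature our own AM would produce.
            if not hmac.compare_digest(sig, _sign(self.am_key, body)):
                return "reject: not signed by own AM"
            claims = json.loads(base64.urlsafe_b64decode(body))
        except (ValueError, TypeError):
            return "reject: malformed token"
        if claims.get("iss") != self.am_name:
            return "reject: wrong issuer"
        if claims.get("exp", 0) <= now:
            return "reject: expired"
        if claims.get("res") != resource or scope not in claims.get("scope", []):
            return "reject: not authorized"
        return "accept"

def demo(now=1_000_000):  # constructed providers, keys and resource name
    am_a = AuthorizationManager("am.provider-a.example", b"key-a-demo")
    am_b = AuthorizationManager("am.provider-b.example", b"key-b-demo")
    rs_a = ResourceServer(am_a.name, am_a.key)
    own = am_a.issue("alice", "vnet-42", ["read"], now)
    foreign = am_b.issue("alice", "vnet-42", ["read"], now)
    return {"own_am": rs_a.check(own, "vnet-42", "read", now),
            "foreign_am": rs_a.check(foreign, "vnet-42", "read", now),
            "expired": rs_a.check(own, "vnet-42", "read", now + 301)}
```

The token issued by provider B's AM is well-formed and unexpired, yet provider A's resource server rejects it, which is the cross-provider gap that federated identity management has to close.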
