The adoption of cloud computing technologies has grown considerably in recent years.
Cloud computing-based infrastructures present many advantages over traditional infrastructures (reduced costs, higher flexibility, on-demand services, rapid elasticity, etc.).
Alongside these advantages, the adoption of cloud-based services also brings disadvantages, such as loss of governance, provider lock-in, technical and legal issues, and security and privacy issues.
The purpose of this thesis is to investigate the Identity and Access Management (IAM) interactions between clients and cloud providers from a client-centric perspective and to propose solutions that would aid clients in using cloud-based services. With respect to IAM, several issues were identified: loss of control (the client no longer controls where the data is stored or what the service provider does with it), the provider's wish to control the customer experience (leading it to ask for more information than required), competitive cloud markets and the threat of provider lock-in (leading clients to use multiple providers), user provisioning and de-provisioning across several providers, managing sensitive data and password fatigue across multiple service providers, and the increased threat of social engineering attacks.
The problems presented above can be mitigated by adopting a client-centric approach to IAM in cloud computing. To achieve this, the client-to-cloud interactions with respect to all aspects of IAM were studied and three distinct scenarios proposed:
the direct interaction scenario (where the user is restricted to using the cloud provider's IAM system), the obfuscated interaction scenario (where the client can choose between real identities and obfuscated or partially obfuscated ones which help protect sensitive identity information) and the protocol-based interaction scenario (which makes use of existing Federated Identity Management protocols to aid in authentication and authorization).
Building on these interaction scenarios, a client-centric IAM meta-system is introduced.
The Identity Management Machine (IdMM) represents the main contribution of the thesis. The IdMM is a client-centric IAM meta-system, based on Abstract State Machines (ASMs). The system acts as a middleware between a client (represented by a company hosting a private identity directory) and the various cloud providers used.
The IdMM is a Single Sign-On (SSO) service that automatically authenticates and authorizes a user to a given service. The advantage of the SSO approach is that users are not aware of their credentials to the cloud services thus diminishing the risk of phishing attacks. In the protocol-based interaction the IdMM acts as an identity provider while in the direct case the IdMM synchronizes the information stored on cloud services with the data stored in the client's directory. User provisioning and de-provisioning (both on the cloud and on the client's side) is handled automatically by the system. Periodically the cloud-based credentials are reset for a more secure interaction.
Clients can also retrieve activity logs for audit purposes. The IdMM is composed of several agents, each responsible for the interaction between the system and one of the actors involved (users, the client's directory, the cloud's IAM system).
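To make the direct-interaction behaviour described above concrete, here is an added illustration (not code from the thesis or the IdMM itself) of one synchronisation pass: the client directory is the source of truth, cloud accounts are provisioned or de-provisioned to match it, over-age cloud credentials are reset, and an audit record of the actions is returned. The class names, the 30-day rotation policy and the sample users are assumptions constructed for the example.

```python
"""Added illustration of an IdMM-style direct-interaction sync pass.
Not the thesis's implementation; names and policy values are constructed."""
import secrets
from dataclasses import dataclass, field

# Constructed policy value: rotate cloud-side credentials older than this.
MAX_CREDENTIAL_AGE_DAYS = 30


@dataclass
class CloudAccount:
    username: str
    secret: str          # held by the middleware, never shown to the user (SSO)
    age_days: int = 0    # days since the secret was last set


@dataclass
class CloudProvider:
    name: str
    accounts: dict = field(default_factory=dict)   # username -> CloudAccount


def reconcile(directory_users: set, provider: CloudProvider) -> dict:
    """Synchronise one cloud provider with the client's identity directory.

    Returns an audit record {"provisioned": [...], "deprovisioned": [...],
    "rotated": [...]} so the client can later retrieve it for audit purposes.
    """
    log = {"provisioned": [], "deprovisioned": [], "rotated": []}

    # Provision directory users that have no cloud account yet. The secret is
    # generated by the middleware; the user never learns it, which is what
    # limits the phishing exposure of the cloud credential.
    for user in sorted(directory_users - provider.accounts.keys()):
        provider.accounts[user] = CloudAccount(user, secrets.token_urlsafe(24))
        log["provisioned"].append(user)

    # De-provision cloud accounts whose user was removed from the directory.
    for user in sorted(provider.accounts.keys() - directory_users):
        del provider.accounts[user]
        log["deprovisioned"].append(user)

    # Periodic credential reset for accounts whose secret has aged out.
    for user, acct in provider.accounts.items():
        if acct.age_days >= MAX_CREDENTIAL_AGE_DAYS:
            acct.secret = secrets.token_urlsafe(24)
            acct.age_days = 0
            log["rotated"].append(user)

    return log
```

Running `reconcile` once per provider on a schedule gives the provisioning, de-provisioning and credential-reset behaviour in a single idempotent step; a second pass on unchanged input returns an empty log.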
While the adoption of the IdMM will help clients with the IAM-related aspects of using cloud services, other aspects must also be taken into account. The generic interaction between client and clouds has to be specified in more detail. Other issues, such as legal and contracting issues with respect to Service-Level Agreements (SLAs), adaptation to end devices and security monitoring, must also be mitigated. As such, the IdMM functions both as a stand-alone system and as a component within a Client-Cloud Interaction Middleware (CCIM) solution. In the CCIM solution the IdMM is one of the key components, next to security and SLA monitoring components as well as content adaptation and service negotiation components.