Cloud Storage Pluggable Access Control David Slik NetApp, Inc.

Similar documents
An Introduction to CDMI

Delegated Access Control Extension

CDMI for Cloud IPC David Slik NetApp, Inc.

Protecting Information Assets - Week 10 - Identity Management and Access Control. MIS 5206 Protecting Information Assets

Mobile and Secure Healthcare: Encrypted Objects and Access Control Delegation

Lesson 13 Securing Web Services (WS-Security, SAML)

A Survey of Access Control Policies. Amanda Crowell

FPolicy Solution Guide for Clustered Data ONTAP: Veritas Data Insight

DocAve Online 3. User Guide. Service Pack 17, Cumulative Update 2

Operating system security models

HPE Enterprise Maps Security. HPE Software, Cloud and Automation

IBM Security Identity Manager Version Planning Topics IBM

User Directories. Overview, Pros and Cons

OnCommand Cloud Manager 3.2 Deploying and Managing ONTAP Cloud Systems

NFS Version 4.1. Spencer Shepler, Storspeed Mike Eisler, NetApp Dave Noveck, NetApp

Single Sign-On Showdown

Canadian Access Federation: Trust Assertion Document (TAD)

Identity, Authentication and Authorization. John Slankas

BMS Managing Users in Modelpedia V1.1

Partner Center: Secure application model

8.0 Help for Community Managers About Jive for Google Docs...4. System Requirements & Best Practices... 5

Building the Modern Research Data Portal using the Globus Platform. Rachana Ananthakrishnan GlobusWorld 2017

Microsoft Graph API Deep Dive

Leveraging the Globus Platform in your Web Applications. GlobusWorld April 26, 2018 Greg Nawrocki

AvePoint Governance Automation 2. Release Notes

New Paradigms of Digital Identity:

General Access Control Model for DAC

Vision deliver a fast, easy to deploy and operate, economical solution that can provide high availability solution for exchange server

Tutorial: Building the Services Ecosystem

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 7 Access Control Fundamentals

DocAve 6 Software Platform Service Pack 1

You can access data using the FTP/SFTP protocol. This document will guide you in the procedures for configuring FTP/SFTP access.

Towards Transparent Integration of Heterogeneous Cloud Storage Platforms

Computer Security. Access control. 5 October 2017

Cloud Computing /AWS Course Content

Week 10 Part A MIS 5214

SNIA Cloud Storage TWG

DefendX Software QFS for NetApp Installation Guide

Best Practices in Designing Cloud Storage based Archival solution Sreenidhi Iyangar & Jim Rice EMC Corporation

Office 365 and Azure Active Directory Identities In-depth

FPolicy Solution Guide for Clustered Data ONTAP: Veritas Enterprise Vault

INF3510 Information Security University of Oslo Spring Lecture 9 Identity Management and Access Control

API Security Management with Sentinet SENTINET

AvePoint Online Services 2

Policy Based Security

AvePoint Cloud Governance. Release Notes

Chapter 4: Access Control

Mozy. Administrator Guide

CS 356 Lecture 7 Access Control. Spring 2013

Inland Revenue. Build Pack. Identity and Access Services. Date: 04/09/2017 Version: 1.5 IN CONFIDENCE

Technical Overview. Version March 2018 Author: Vittorio Bertola

9.0 Help for Community Managers About Jive for Google Docs...4. System Requirements & Best Practices... 5

HIPAA Compliance. with O365 Manager Plus.

Avanan for G Suite. Technical Overview. Copyright 2017 Avanan. All rights reserved.

Digital Identity Guidelines aka NIST SP March 1, 2017 Ken Klingenstein, Internet2

Setting Access Controls on Files, Folders, Shares, and Other System Objects in Windows 2000

Module 4: Access Control

CDMI Support to Object Storage in Cloud K.M. Padmavathy Wipro Technologies

StorageGRID Webscale 11.0 Tenant Administrator Guide

70-742: Identity in Windows Server Course Overview

Discretionary Access Control (DAC)

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for SonicWALL Secure Remote Access

Post-Class Quiz: Access Control Domain

Nasuni Data API Nasuni Corporation Boston, MA

Architecting Microsoft Azure Solutions (proposed exam 535)

SAML-Based SSO Solution

FPolicy Solution Guide for Clustered Data ONTAP: PoINT Storage Manager

Hubs. A White Paper from Rebooting the Web of Trust III Design Workshop. by Daniel Buchner, Wayne Vaughan, and Ryan Shea

Storage Industry Resource Domain Model

Microsoft Unified Access Gateway 2010

Authentication. Katarina

Authentication and Authorization Issues For Multi-Hop Networks

DocAve. Release Notes. Governance Automation Service Pack 7. For Microsoft SharePoint

Nasuni Data API Nasuni Corporation Boston, MA

Canadian Access Federation: Trust Assertion Document (TAD)

Question No: 1 In which file should customization classes be specified in the cust-config section (under mds-config)?

ForgeRock Access Management Core Concepts AM-400 Course Description. Revision B

DELL POWERVAULT NX3500 INTEGRATION WITHIN A MICROSOFT WINDOWS ENVIRONMENT

The benefits of synchronizing G Suite and Active Directory passwords

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

Goal: Offer practical information to help the architecture evaluation of an SOA system. Evaluating a Service-Oriented Architecture

ONTAP 9. SMB/CIFS Reference. December _H0 Updated for ONTAP 9.3

SAML-Based SSO Solution

Oracle. Loyalty Cloud Securing Loyalty. Release 13 (update 18B)

[GSoC Proposal] Securing Airavata API

INF3510 Information Security University of Oslo Spring Lecture 9 Identity Management and Access Control

P1L5 Access Control. Controlling Accesses to Resources

Migrating a Business-Critical Application to Windows Azure

Exam : Implementing Microsoft Azure Infrastructure Solutions

DreamFactory Security Guide

? Resource. Announcements. Access control. Access control in operating systems. References. u Homework Due today. Next assignment out next week

Dell EMC Unity Family

Science-as-a-Service

StorageZones Controller 3.4

Access Control. Access Control: enacting a security policy. COMP 435 Fall 2017 Prof. Cynthia Sturton. Access Control: enacting a security policy

SQL Server Security Azure Key Vault

NTP Software QFS for NetApp

Access Control. Access control: ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions

Why Active Directory Represents the Future of Physical Security

Access Control. Discretionary Access Control

Transcription:

Cloud Storage Pluggable Access Control David Slik NetApp, Inc. 2018 Storage Developer Conference. NetApp, Inc. All Rights Reserved. 1

Agenda Access Control The classic models: DAC, MAC & RBAC Emerging access control methodologies Access Control in Cloud Storage Systems What s wrong with where we are? Access Control in CDMI CDMI ACL Delegation Demo 2018 Storage Developer Conference. NetApp, Inc. All Rights Reserved. 2

What is Access Control? A subset of Authorization Determines WHAT the WHO can do to THIS WHAT Identity of the action (read, write, execute, delete, etc) WHO Identity of the subject (process, computer, human, etc) THIS Identity of the object (file, program, sensor, actuator, etc) Distinct from, but usually coupled with, authentication Authentication is the means by which to determine the WHO Storage system provides the WHAT (actions) and the THIS (objects) 2018 Storage Developer Conference. NetApp, Inc. All Rights Reserved. 3

What is Access Control? A client issues a request A protocol encapsulates the client s credentials and the operation that is to be performed A server verifies client s identity from the presented credentials, and determines the permissions for the referenced object 2018 Storage Developer Conference. NetApp, Inc. All Rights Reserved. 4

What is Access Control? Resolution of credentials to identity is often delegated. E.g. Active Directory Permissions have often been tightly coupled with the objects and actions themselves. 2018 Storage Developer Conference. NetApp, Inc. All Rights Reserved. 5

Access Control: The Classic Models DAC: Discretionary Access Control Control strictly defined by administrator-defined policy E.g. Classification (Secret, Top Secret, etc) MAC: Mandatory Access Control Control defined by object s owner (or member of a group) E.g. storage ACLs RBAC: Role-Based Access Control Control defined by organizational role (identity -> role -> access) ACL groups are often (ab)used for this purpose 2018 Storage Developer Conference. NetApp, Inc. All Rights Reserved. 6

Access Control: Emerging Methodologies ABAC: Attribute Based Access Control Refinement to RBAC to take into account attributes (e.g. XACML) GBAC: Graph Based Access Control Primarily found on social networks, e.g. Friend of a friend Declarative access rights based on semantic graphs Biometric Mixing of Identity and Access Control Location Based Access Control Geofencing, etc. 2018 Storage Developer Conference. NetApp, Inc. All Rights Reserved. 7

Access Control: Emerging Methodologies CBAC: Context Based Access Control Access allowed or disallowed based on context of surrounding operations E.g. disallowing whole file replacement with high Shannon Entropy (ransomware protection) Capability Based Access Control Operations allowed when an access token (capability) is possessed. E.g. S3 signed URLs Risk Based Access Control Takes into account risk of granting access. Deep learning, AI-based? 2018 Storage Developer Conference. NetApp, Inc. All Rights Reserved. 8

Access Control in Cloud Storage Systems Today s Cloud Storage Systems are built around the traditional storage model: A series of operations (Create, Read, Update, Delete, Copy, etc) Performed on objects With identity determined by verifying credentials included in the request (typically as HTTP headers) All major cloud storage systems support authentication delegation Active Directory, MFA, Social Networks, Customer systems, etc. No cloud storage system currently supports Access Control delegation 2018 Storage Developer Conference. NetApp, Inc. All Rights Reserved. 9

Access Control in Cloud Storage Systems Why is this a problem? What if the provided access control system isn t suitable or sufficiently expressive or extensible? (e.g. DoD use cases) What if the provided access control system isn t consistent across clouds? (e.g. Cross-cloud portability) What if the provided access control system isn t sufficiently unchanging? (e.g. Unexpected software upgrades) What if the provided access control system isn t functionality that should be in the cloud? (In-house decision making) 2018 Storage Developer Conference. NetApp, Inc. All Rights Reserved. 10

Access Control in Cloud Storage Systems NetApp has had access control delegation for file system operations since 2002: create, open, rename, delete, read, write, create_dir, rename_dir, delete_dir, getattr, setattr Sends additional details (file info, user info, etc) Support for synchronous blocking calls and asynchronous notifications Fpolicy has enabled many different third-party integrations: File screening, File access reporting, User and directory quotas, HSM, Archiving, File replication, Data governance 2018 Storage Developer Conference. NetApp, Inc. All Rights Reserved. 11

CDMI Access Control CDMI Client CDMI GET + Credentials + Object GET Response CDMI Server AD Lookup + Credentials AD Result + Principle Active Directory ACL Evaluation 2018 Storage Developer Conference. NetApp, Inc. All Rights Reserved. 12

CDMI Access Control Delegation CDMI introduced a form of Delegated Access Control in 2015/2016, known as the Delegated Access Control (DAC) Extension Primarily intended to be used with encrypted objects Specifies metadata indicating how to submit a DAC request to a DAC provider, which returns a DAC response Assumes asynchronous responses Assumes moderate to high latency Complements ACLs More details can be found by searching for CDMI DAC Extension Need a simpler approach that replaces ACLs altogether 2018 Storage Developer Conference. NetApp, Inc. All Rights Reserved. 13

CDMI Access Control Delegation Originating Client Originating CDMI Server Key Management System Intermediary CDMI Server Remote CDMI Server Requesting Client ACL Provider CDMI Server Requesting Client 1. Create Object (with DAC Metadata) 2. Encrypt Object value 3. CDMI PUT Request 5. CDMI PUT Response 4. Federate Object 1. Request Object Contents (plaintext) 1. Request Object Contents 6. Store Keys 7. Store Keys 3. Check for DAC Metadata 4. Create DAC Request 5. Extract Request URI 2. GET Request 3. Check for ACL Delegation 4. Create ACL Request 2. GET Request 6. Determine if Intermediary 5. PUT ACL Request 8. Determine destination based on DACR Request URI 7. PUT DAC Request VS 6, Receive ACL Response 10. Decrypt and Verify DAC Request 11. Make access control decision 9. PUT DAC Request 7. Use provided access control indication 12. Get Key 14. Create DAC Response 15. Determine if Intermediary 13. Receive Key 16. PUT DAC Response 17. Determine destination based on DACI Response URI 18. PUT DAC Response 19. Decrypt and Verify DAC Response 20. Extract Key 21. GET Response (Decrypt, send plaintext) 2018 Storage Developer Conference. NetApp, Inc. All Rights Reserved. 14

CDMI ACL Delegation CDMI Client CDMI GET + Credentials + Object GET Response CDMI Server ACLs AD Lookup + Credentials AD Result + Principle Active Directory Access Control Response ACL Provider Access Control Request + Principle + Operation + Identifier 2018 Storage Developer Conference. NetApp, Inc. All Rights Reserved. 15

CDMI ACL Delegation With CDMI Authentication Delegation, delegation is controlled by the CDMI domain Each CDMI Object belongs to a domain Domain configuration indicates if, and to which external system, authentication is delegated This approach can also work for Access Control Delegation But Access Control Delegation and Authentication Delegation can be orthogonal, and can require different granularities 2018 Storage Developer Conference. NetApp, Inc. All Rights Reserved. 16

CDMI Access Control Delegation Option 1: Domain specifies an ACL delegation provider, similar to how an authentication delegation provider is configured: access control 2018 Storage Developer Conference. NetApp, Inc. All Rights Reserved. 17

CDMI Access Control Delegation Option 2: A new ACE type field DELEGATE, which instructs the server to delegate to the system specified in the ACE identifier field. This makes the delegation sticky, as it survives data movement and archiving, even if the domain changes. This also allows fallback permissions when the delegation is unavailable or unsupported. "cdmi_acl": [ { "acetype": DELEGATE", "identifier": https://127.0.0.1/delegate/", "aceflags": "OBJECT_INHERIT, CONTAINER_INHERIT", "acemask": "ALL_PERMS" }, { "acetype": DENY", "identifier": EVERYONE@", "aceflags": "OBJECT_INHERIT, CONTAINER_INHERIT", "acemask": "ALL_PERMS" } ] 2018 Storage Developer Conference. NetApp, Inc. All Rights Reserved. 18

CDMI Access Control Delegation Simple proof of concept was implemented in a CDMI testing server to demonstrates that these concepts work The following gaps were identified that would need to be addressed if standardized: Support for fallback and load balancing across multiple delegation servers Using CDMI scopes for restricting delegations when specified in domains 2018 Storage Developer Conference. NetApp, Inc. All Rights Reserved. 19

Live Demo CDMI 2018 Storage Developer Conference. NetApp, Inc. All Rights Reserved. 20

Concluding Thoughts This is a simple approach This can be standardized into any system that uses ACLs S3 ACLs Google Cloud storage NFSv4, CIFS, etc Provides portable Access control delegation * Azure blobs only support ACLs at a container granularity 2018 Storage Developer Conference. NetApp, Inc. All Rights Reserved. 21

Questions? Contact Details: David Slik dslik@netapp.com 2018 Storage Developer Conference. NetApp, Inc. All Rights Reserved. 22

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback