| Resumo: | For a handful of years, cloud computing has been a hot catchphrase. The industry has massively adopted it and the academia is focusing on improving the technology, which has been evolving at a quick pace. The cloud computing paradigm consists in adopting solutions provisioned by some cloud providers that are hosted on data centers. Customers are therefore tied to those third-party entities, since they becomes involved in their businesses for being responsible for the Information Technologies (IT) infrastructures outsourced to the clouds. This implies that customers have to totally or partially migrate their on-premises infrastructures to off-premises clouds, including, but not limited to, email, web applications, storage databases, and even complete servers that become wrapped in services accessed via the Internet. Clouds deliver scalable and elastic networking, storage, and processing capabilities in an on-demand and self-provisioned manner adopting the pay-as-you-go business model. This bene ts the customers signi cantly, allowing them to promote their businesses without worrying about inherent IT infrastructures. The services supplied by clouds are basically encapsulated by one of the three main service delivery models: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). They are the building blocks for unfolding Anything-as-a-Service (XaaS) solutions speci cally customized to customer requirements. IaaS mixes novel virtualization techniques with current technologies that allow to run Operating Systems (OSes) or even build entire virtual data centers. PaaS allows to develop applications in a consistent manner via the cloud platforms to run remotely, while SaaS enables enjoying pre-built software with little control over the application ow. These models can run on public or private clouds, or on a hybrid version of the two. Adopting the public model means accessing the subscribed services through the Internet from anywhere in the globe. IaaS clouds usually have some management interface to control Virtual Machines (VMs) and to arrange a virtual data center, while VMs are accessed via standard remote connection protocols. The authentication to those interface is, therefore, of utmost importance, mostly because they are exposed to Internet dangers, contrarily to traditional management tools that are deeply within the trusted perimeter of a company on conventional networks. This dissertation rst identi es such problems by reviewing authentication approaches and pointing out their advantages and weaknesses. For example, a single compromised cloud account constitutes an inherently more dangerous threat when compared to traditional website accounts, because an attacker gains control over VMs and potentially over security-related con gurations as well. This can result in data and money losses for both customers and providers, since the malicious attacker can terminate VM instances running crucial business applications. The problem also resides on the fact that the security of authentication by means of a static password has been decreasing over time, and it is now a method considered unsafe. Data breaches in the past have provided key understanding over user password habits, allowing crackers to build huge password lists and devise ef cient cracking algorithms. Current threats that are inherent to the Internet technologies aggravate this problem further. The cyberspace is increasingly getting more violent with cyberwarfare, cybercriminality, and mass surveillance affecting everyone. For instance, malware writers are focusing on mobile platforms since that is a eld where technology is rapidly evolving, sometimes in an uncontrolled manner, and that users are widely adopting. As a reaction to some of those problems, both the industry and the academia have turned their attention to alternative authentication schemes based on Single Sign-On (SSO) and Multi-Factor Authentication (MFA). SSO is used to alleviate the burden associated with the management of multiple credentials for cloud applications, while MFA adds authentication layers for additional security, in exchange for a drop in usability and an increase to the cost. Such new approaches implement authentication schemes resorting to both public-key and symmetric cryptography mechanisms and to new technologies, namely associated to mobile. Several contributions on this research line can be found in the recent literature. Nonetheless, they still do not pay particular attention to the underlying infrastructure and threats. The scope of this dissertation is con ned to the topics of cloud computing and authentication, studying how that new computing model works, with particular emphasis on the security, and reviewing authentication methods orthogonally to cloud computing and to the security perspective. Because cloud management interfaces are inherently more riskier for being exposed in the Internet and starting from the previously mentioned study, this dissertation proposes a new security model, suitable to deploy on the frontend edges of cloud networks, mediating the access of users to the subscribed services, while patching security threats inherited from the Internet. It is envisaged as a centralized point for enforcing several types of security controls and its main advantage derives from the fact that it resorts to the usage of technology speci c to cloud computing, namely virtualization, from which it inherits robustness and elasticity. A prototype showing how the model can be deployed is also described in this dissertation. It uses the Portuguese identity card to achieve strong and mutual authentication by means of public-key certi cates, in a way that is simple and transparent. to the user. The prototype demonstrates the functionality of the proposed model and how it can be deployed using cloud computing technology, so as to conceal the internal interface from outside threats. Recommendations for implementing authentication methods are also described, owing the discussion from classical authentication to trendy authentication approaches.
|
|---|