The following is an excerpt from Security in Network Functions Virtualization by authors Zonghua Zhang and Ahmed Meddahi and published by Syngress. This section from chapter 4 explores Identity and Access Management in NFV.
IAM (Identity and Access Management) is widely accepted as the first line of defense of today's ICT infrastructures and services. Its major functions include authentication, authorization, accounting and access control. In this chapter, we first present the basic functions and implementations of IAM and then discuss their NFV-based implementations. We finally provide a comparative analysis of the two variants.
IAM is a very broad topic that covers both technical and non-technical areas, involving business processes, technologies, and policies for managing digital identities, monitoring network access and controlling access to company assets. In other words, IAM is about how to enable the right individuals to access the right resources at the right time for the right reasons. Technically speaking, IAM is used to initiate, capture, record and manage user identities and their related access permissions to information assets in an automated way. As a result, access privileges are granted to the users according to the interpretation of policy rules, which are then enforced by a sequence of authentication, authorization and auditing functions.
IAM comprises two complementary elements: identity management and access management. Identity management covers authentication, authorization and the administration of user privileges across system boundaries, whereas access management focuses on access control, i.e. verifying whether a user holds the privileges required to reach a particular service or resource. That decision is evaluated against policy rules, the user's roles and other elements predefined by the administrators.
4.1. Major functions
More specifically, the IAM framework is composed of the following functions [IDE 12], which are briefly explained as follows:
- Authentication: the process of determining whether a user's credentials are authentic. Authentication is triggered when a user attempts to access information in the system; the user is then required to prove their identity, typically with a username and password or a biometric. The system verifies the identity by matching the presented credentials against the abstract user object stored in the system; if the two match, the user is authenticated. Several types of authentication are in wide use in the current ICT context, such as tokens, public keys, certificates and biometrics [CLO 12, HAV 07].
- Authorization: the process of allowing users to perform only those actions on resources that they have been granted, i.e. preventing users from accessing resources they are not allowed to access [HAV 07]. For example, if a user holding only read permission on a file tries to write to it, authorization fails and the write is rejected. Note that a user may be authenticated under one identity but authorized to access a specific resource under a different identity. Many authorization functions are built upon the following four models:
- Discretionary Access Control (DAC): which allows users (typically resource owners) or administrators to define an access control list (ACL) for a specific resource, stating which users can access it and with which privileges. An example of DAC was proposed by [WAN 11] to mitigate user privacy and data leakage problems in collaboration clouds.
- Mandatory Access Control (MAC): in which access is governed by a policy defined by the administrator that users cannot modify or override. The policy specifies the access rules for the requested services/resources. MAC has been applied to end-to-end access control in Web applications [HIC 10] and in commodity operating systems to support intrusion detection [SHA 11].
- Role-Based Access Control (RBAC): which defines a list of business roles; permissions and privileges are granted to roles rather than to individual users, who obtain them by being assigned to roles. Concrete examples of RBAC are discussed in [KER 03, KER 05].
- Attribute-Based Access Control (ABAC): which uses attributes as the building blocks of policy, both to define access control rules and to describe access requests. ABAC authorization typically evaluates attributes of the subject (user), the targeted resource and the desired action (read, write) against the access control policy rules to verify whether the access rights are granted. ABAC is widely used in domains such as authorization services [LEE 08], Web services [CAP 14] and data protection services [IRW 05, IRW 09].
- Auditing: the process of recording security events for accounting and traceability. It provides historical information about when and how a user accessed assets, and whether there were attempts to violate authentication policies. This history is stored in log files for later analysis.
- User management: in the IAM context this covers not only the administration of user accounts but also password management, role management and user provisioning. It gives administrators the ability to identify and control the state of users logged into the system, and encompasses administrative functions such as the creation, propagation and maintenance of user identities and privileges. This gives administrators finer-grained control over user authentication and over the lifespan of accounts through user lifecycle management, from the initial stage of authentication to the final stage when the user logs out of the system. The flexibility provided by user management allows administrators to implement IAM efficiently and in closer agreement with the security policy.
In addition, user management incorporates the central user repository, which stores user data and delivers it to other services on demand. The aggregated data is kept and maintained in the repository, which may be either distributed across multiple databases/files on a network or held locally where it is directly accessible without traversing the network. A common example of a central user repository is a directory accessed through the Lightweight Directory Access Protocol (LDAP) [YEO 95], an industry-standard application protocol for accessing and maintaining distributed directory information over IP networks. LDAP organizes information hierarchically (a simple tree) to accommodate the various kinds of information stored in the directory: starting from the root of the tree, it branches out into, for example, countries, organizations, organizational units (e.g. divisions and departments) and individual entries (e.g. users, files and shared resources).
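As an added Python example (not code from the book), the authorization models and the auditing function above can be seen working together in a small policy engine: a constructed user repository, standing in for the LDAP tree flattened to DN → attributes, supplies subject attributes; one rule each in the RBAC, MAC and ABAC style is evaluated with deny-overrides and a default deny; and every decision, granted or refused, is appended to an audit trail. The DNs, attributes, resources, rules and business-hours window are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed sample user repository (an assumption, not the book's data): the
# hierarchical LDAP tree is flattened here to DN -> attribute dict.
DIRECTORY: Dict[str, dict] = {
    "uid=alice,ou=finance,o=example,c=fr": {
        "uid": "alice", "role": "accountant", "ou": "finance", "clearance": 2},
    "uid=bob,ou=engineering,o=example,c=fr": {
        "uid": "bob", "role": "engineer", "ou": "engineering", "clearance": 1},
}

# Constructed protected resources carrying the attributes the rules consult.
RESOURCES: Dict[str, dict] = {
    "ledger-2024": {"owner_ou": "finance", "classification": 2},
    "build-server": {"owner_ou": "engineering", "classification": 1},
}

BUSINESS_HOURS = range(8, 18)   # assumption: 08:00-17:59 counts as business hours


@dataclass(frozen=True)
class Rule:
    name: str
    actions: Set[str]
    # condition(subject_attrs, resource_attrs, env_attrs) -> True when the rule applies
    condition: Callable[[dict, dict, dict], bool]
    effect: str = "permit"      # "permit" or "deny"


# One rule per model: RBAC keys on the role attribute, MAC on a clearance label
# the user cannot change, ABAC on arbitrary subject/resource/environment attributes.
RULES: List[Rule] = [
    Rule("rbac-accountant-reads-finance", {"read"},
         lambda s, r, e: s["role"] == "accountant" and r["owner_ou"] == "finance"),
    Rule("mac-no-read-up", {"read", "write"},
         lambda s, r, e: s["clearance"] < r["classification"], effect="deny"),
    Rule("abac-own-ou-writes-in-hours", {"write"},
         lambda s, r, e: s["ou"] == r["owner_ou"] and e["hour"] in BUSINESS_HOURS),
]

_AUDIT: List[dict] = []   # audit trail: every decision is recorded, permit or deny


def decide(subject_dn: str, action: str, resource_id: str, env: dict) -> Tuple[str, str]:
    """Authorize (subject, action, resource) and return (decision, reason).

    Evaluation is deny-overrides with a default deny: a matching deny rule wins,
    otherwise any matching permit rule grants access, otherwise access is refused.
    """
    subject = DIRECTORY.get(subject_dn)
    resource = RESOURCES.get(resource_id)
    if subject is None or resource is None:
        decision, reason = "deny", "unknown subject or resource"
    else:
        decision, reason = "deny", "no applicable permit rule"
        permits: List[str] = []
        for rule in RULES:
            if action in rule.actions and rule.condition(subject, resource, env):
                if rule.effect == "deny":
                    decision, reason = "deny", rule.name
                    break
                permits.append(rule.name)
        else:
            if permits:
                decision, reason = "permit", permits[0]
    _AUDIT.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "subject": subject_dn, "action": action, "resource": resource_id,
        "decision": decision, "reason": reason,
    })
    return decision, reason


def audit_entries(decision: Optional[str] = None) -> List[dict]:
    """Return the recorded decisions, optionally filtered (e.g. all denials for review)."""
    return [e for e in _AUDIT if decision is None or e["decision"] == decision]


if __name__ == "__main__":
    env = {"hour": 10}
    print(decide("uid=alice,ou=finance,o=example,c=fr", "read", "ledger-2024", env))
    print(decide("uid=bob,ou=engineering,o=example,c=fr", "read", "ledger-2024", env))
    print(decide("uid=bob,ou=engineering,o=example,c=fr", "write", "build-server", {"hour": 23}))
    print(audit_entries("deny"))
```

Two checks a practitioner would want are built into the ordering: a mandatory label (the deny rule) can never be out-voted by a discretionary or role permit, and a request that no rule matches is refused rather than silently allowed. The audit trail records denials as well as permits, since the attempts that fail are usually the ones worth reviewing.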
4.2. Case studies
We exemplify the applications of IAM in several typical scenarios, illustrating their implementation, deployment and management, so that NFV-based implementations can be compared.
IT scenario. In [RAN 07], the authors reported the problems that were experienced by the South African Social Security Agency (SASSA), which is responsible for distributing grants to underprivileged citizens. It has been estimated that approximately 187.5 million dollars are lost annually due to fraud.
The social grant distribution system in South Africa consists of four main components: (1) the South African Department of Home Affairs (SADHA), which is responsible for issuing identity documents to South African citizens; (2) the South African Social Security Agency (SASSA), formed by the Ministry of Social Development to distribute grants; (3) distribution companies, which are responsible for the actual payment of the social grants to the eligible recipients; and (4) the social grant recipients. Two processes concern the recipient: registration and authentication. In the registration process, every recipient must be registered with a payment system. Four good fingerprints from the recipient, together with the recipient's information (e.g. photograph, biometric data, type of grant they are eligible to receive and payment history), are stored in the databases. This personal information is also replicated and encoded onto a smart card before the card is issued to the recipient. Once enrollment into the company's database is complete, the recipient can be paid the grant. The authentication process is activated when a grant is collected: the smart card is swiped and the beneficiary places their fingers on a biometric reader. The fingerprints are verified against both the fingerprint data stored in the database and the data encoded on the smart card. If authentication succeeds, the recipient receives the financial grant.
4.2.1. Telco scenarios: mobile devices and networks
In [ARD 06], location-based access control policies were proposed for telco scenarios by considering both users' location and their credentials. Compared with the conventional access control systems, more parties are involved: requesters, the access control engine (ACE) and the location service, as shown in Figure 4.1:
- Requesters: whose access request to a service must be authorized by a location-based access control (LBAC) system.
- Access control engine (ACE): which evaluates access requests against the LBAC policies and, when a request satisfies them, enforces the resulting decision on the available services.
- Location service: which provides location information to the ACE by measuring the position, as well as the environmental conditions, of the requester.
Technically, the ACE receives access requests, evaluates policies and returns answers. It communicates with the location service to acquire the location of the requester. To describe how access control operates, the authors express an access request as a 4-tuple (user_id, SIM, action, object_id), where user_id is an optional identifier of the requester making the request; SIM is the optional SIM card number; action is the action being requested; and object_id is the identifier of the object on which the user wishes to perform the action. Access is granted if the subject expression evaluates to 'true' for every applicable rule.
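The rule evaluation just described, as an added Python example that is not code from [ARD 06] or the book: requests are the 4-tuple (user_id, SIM, action, object_id), a constructed in-memory location service returns a fix for a SIM together with a confidence score, and the ACE grants access only if every applicable rule's subject expression evaluates to True. The hospital scenario, SIM numbers, campus rectangle, confidence threshold and the fail-closed treatment of an undecidable location term are assumptions added here, not details of the cited work.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Point = Tuple[float, float]          # (x, y) in metres on a local grid (assumption)
Area = Tuple[Point, Point]           # axis-aligned rectangle: (min corner, max corner)


@dataclass(frozen=True)
class Request:
    """The 4-tuple (user_id, SIM, action, object_id); user_id and SIM are optional."""
    user_id: Optional[str]
    sim: Optional[str]
    action: str
    object_id: str


@dataclass(frozen=True)
class Fix:
    position: Point
    confidence: float    # 0..1; assumption: the location service rates its own measurement


# Constructed stand-in for the location service: latest fix per SIM (not real data).
LOCATION_SERVICE: Dict[str, Fix] = {
    "8933010000000000001": Fix((120.0, 40.0), 0.95),   # inside the hospital campus
    "8933010000000000002": Fix((900.0, 700.0), 0.90),  # well outside it
    "8933010000000000003": Fix((130.0, 45.0), 0.40),   # inside, but an unreliable fix
}
CAMPUS: Area = ((0.0, 0.0), (500.0, 300.0))
MIN_CONFIDENCE = 0.8        # assumption: a fix below this is treated as unknown
DOCTORS = {"alice"}         # constructed credential: who holds the doctor role


def in_area(sim: Optional[str], area: Area) -> Optional[bool]:
    """Location predicate. Returns None (undecidable) when there is no usable fix for the SIM."""
    fix = LOCATION_SERVICE.get(sim) if sim else None
    if fix is None or fix.confidence < MIN_CONFIDENCE:
        return None
    (x0, y0), (x1, y1) = area
    x, y = fix.position
    return x0 <= x <= x1 and y0 <= y <= y1


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    object_id: str
    # Subject expression over the request; may return None when a term is undecidable.
    subject_expr: Callable[[Request], Optional[bool]]


# Constructed policy: reading the patient database requires both a doctor credential
# and a trustworthy on-campus position; the SIM must be presented so it can be located.
RULES: List[Rule] = [
    Rule("sim-presented", "read", "patient-db", lambda r: r.sim is not None),
    Rule("doctor-on-campus", "read", "patient-db",
         lambda r: (r.user_id in DOCTORS) and in_area(r.sim, CAMPUS)),
]


def ace_decide(req: Request) -> Tuple[bool, List[str]]:
    """Access control engine: grant iff every applicable rule's subject expression is True.

    An undecidable expression (None) counts as False, so a missing or low-confidence
    location fails closed. A request that no rule covers is refused as well.
    Returns (granted, names of the rules that were not satisfied).
    """
    applicable = [r for r in RULES if r.action == req.action and r.object_id == req.object_id]
    if not applicable:
        return False, ["no applicable rule"]
    failed = [r.name for r in applicable if r.subject_expr(req) is not True]
    return (not failed), failed


if __name__ == "__main__":
    print(ace_decide(Request("alice", "8933010000000000001", "read", "patient-db")))
    print(ace_decide(Request("alice", "8933010000000000003", "read", "patient-db")))
    print(ace_decide(Request("alice", None, "read", "patient-db")))
```

The point of the `Optional[bool]` predicate is the caveat that distinguishes LBAC from ordinary credential checks: a position is a measurement, not a fact, and the engine has to decide what to do when the location service cannot answer or answers with low confidence. Treating "unknown" as "not satisfied" keeps the policy fail-closed.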
However, user privacy in location-based services remains an important issue [CHO 09]. With an untrustworthy location service provider, the requester's revealed location could be abused by adversaries. Therefore, anonymity-based location-privacy solutions that blind users' requests/queries were proposed in [TEE 10], allowing requesters to send requests or queries to the LBS servers without revealing their personal information.
The proposed framework has two major parts, the authentication process and the querying process; both pass through an anonymizer (a trusted third party) as described in [MAL 08].
- Authentication process: a one-way hash function is applied to provide privacy-preserving authentication. In addition, location blurring (k-anonymity) hides the requester's actual location when the requester has to interact with an untrusted service provider: the location reported is a region that the requester shares with at least k-1 other users, so the provider cannot single out the requester.
- Querying process: time-based fuzzy logic is used to assess the degree of confidence that the requester is requesting the service under the right privileges.
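The blinding step described above, as an added Python example that is not code from [TEE 10], [MAL 08] or the book: the anonymizer replaces the requester's identity with a one-way pseudonym and the exact position with the smallest square around the requester that contains at least k known users, then forwards only those two things to the LBS. The user positions and session key are constructed; using a keyed HMAC rather than a bare hash for the pseudonym is a choice made here, on the grounds that an unkeyed hash of a short identifier can be inverted by enumeration.

```python
import hashlib
import hmac
from typing import Dict, Tuple

Point = Tuple[float, float]
Box = Tuple[Point, Point]      # axis-aligned cloaking region: (min corner, max corner)

# Constructed snapshot of the positions the anonymizer currently knows (not real data).
USERS: Dict[str, Point] = {
    "u1": (10.0, 10.0), "u2": (12.0, 11.0), "u3": (30.0, 40.0),
    "u4": (200.0, 200.0), "u5": (15.0, 14.0),
}


def pseudonym(user_id: str, session_key: bytes) -> str:
    """One-way pseudonym for the requester: HMAC-SHA256 under a key the anonymizer
    keeps to itself (assumption made here), truncated to 64 bits for readability.
    The LBS can correlate one session's queries but cannot recover the user id.
    """
    return hmac.new(session_key, user_id.encode(), hashlib.sha256).hexdigest()[:16]


def cloak(user_id: str, users: Dict[str, Point], k: int) -> Box:
    """Smallest square centred on the requester containing at least k users (k-anonymity).

    Distances use the Chebyshev metric so the region is an axis-aligned box.
    Raises ValueError when fewer than k users are known: no region would actually
    hide the requester among k users, so the query must not be forwarded at all.
    """
    if k < 1 or len(users) < k:
        raise ValueError(f"cannot guarantee {k}-anonymity with {len(users)} users")
    x0, y0 = users[user_id]
    dists = sorted(max(abs(x - x0), abs(y - y0))
                   for uid, (x, y) in users.items() if uid != user_id)
    r = dists[k - 2] if k > 1 else 0.0      # radius reaching the (k-1)-th nearest other user
    return (x0 - r, y0 - r), (x0 + r, y0 + r)


def count_in_box(box: Box, users: Dict[str, Point]) -> int:
    """How many known users fall inside the region (the anonymity set size)."""
    (x0, y0), (x1, y1) = box
    return sum(1 for x, y in users.values() if x0 <= x <= x1 and y0 <= y <= y1)


def anonymized_query(user_id: str, service: str, session_key: bytes, k: int) -> dict:
    """What the anonymizer forwards to the LBS: pseudonym and region, never identity or exact point."""
    box = cloak(user_id, USERS, k)
    return {"who": pseudonym(user_id, session_key), "service": service, "area": box, "k": k}


if __name__ == "__main__":
    key = b"per-session-secret"       # constructed key, never shared with the LBS
    q = anonymized_query("u1", "nearest-pharmacy", key, 3)
    print(q, "anonymity set:", count_in_box(q["area"], USERS))
```

The caveat worth noting is the `ValueError`: k-anonymity is a property of the user population, not of the algorithm, so when the anonymizer knows fewer than k users near the requester it must refuse rather than emit a region that merely looks blurred.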
About the authors:
Zonghua Zhang is a faculty member of IMT Lille Douai, Institut Mines-Télécom in France. He holds a PhD in information science and an HDR (accreditation for research supervision) diploma in computer science. He has more than 15 years of academic and research experience in cybersecurity.
Ahmed Meddahi is Professor at IMT Lille Douai, Institut Mines-Télécom in France. He holds a PhD from Evry University with Institut National des Télécom and an HDR from UPMC-Paris 6 University. He has over 20 years of academic and research experience in network protocols and architecture.
Reprinted with permission from Elsevier/ISTE Press Ltd, Copyright © 2017