Identity as a Service: An adaptive security infrastructure and privacy-preserving user identity for the cloud environment

Abstract

In recent years, enterprise applications have begun to migrate from a local hosting to a cloud provider and may have established a business-to-business relationship with each other manually. Adaptation of existing applications requires substantial implementation changes in individual architectural components. Existing work has focused on migrating the applications with functional and non-functional aspects. However, none of them has focused so far on the adaptation of the required security infrastructure. On the other hand, users may store their Personal Identifiable Information (PII) in the cloud environment so that cloud services may access and use it on demand. Although cloud services specify their privacy policies, it is not possible to guarantee that they will follow their policies and will not (accidentally) transfer PII to another party. To solve the aforementioned issues, this thesis presents Identity-as-a-Service (IDaaS) as a trusted Identity and Access Management with two new requirements:

Firstly, IDaaS adapts the required security infrastructures of cloud services to complete a business-to-business transaction on demand. The thesis decouples the security infrastructures from the business logic of the applications and models them as a security topology. When the business comes up with a new e-commerce scenario, IDaaS uses the security topology to adapt the security infrastructures of cloud services and propagate PII from the original caller via intermediaries to the end service on demand. Also, when cloud services migrate to other cloud providers, the trust relationship between them is adapted and preserved during the migration. As a result, developers do not need to re-implement their applications upon each change. The security infrastructure is portable across cloud providers as well as interoperable with the protected cloud services in the backend.

Secondly, the thesis proposes a novel Purpose-based Encryption to protect the confidentiality of PII in federated security domains. Unlike prior research, the thesis involves the least user interaction to prevent identity theft via the human link. By using Purpose-based Encryption, users encrypt PII with their intended purposes and in a given period and disseminate the ciphertext in federated security domains. To complete a business transaction, cloud services can decrypt the ciphertext for the right purposes and in the given time, but nothing more. As a result, the encryption protects the disclosure of PII over intermediaries in a business transaction and against untrusted hosts. The solution is compliant with the General Data Protection Regulation of the European Union. The implementation can be easily adapted to existing Identity Management systems, and the performance is fast.