Show simple item record

dc.contributor.supervisorFuhrmann, Woldemar
dc.contributor.authorVo, Hoang Tri
dc.contributor.otherSchool of Engineering, Computing, and Mathematicsen_US

In recent years, enterprise applications have begun to migrate from a local hosting to a cloud provider and may have established a business-to-business relationship with each other manually. Adaptation of existing applications requires substantial implementation changes in individual architectural components. Existing work has focused on migrating the applications with functional and non-functional aspects. However, none of them has focused so far on the adaptation of the required security infrastructure. On the other hand, users may store their Personal Identifiable Information (PII) in the cloud environment so that cloud services may access and use it on demand. Although cloud services specify their privacy policies, it is not possible to guarantee that they will follow their policies and will not (accidentally) transfer PII to another party. To solve the aforementioned issues, this thesis presents Identity-as-a-Service (IDaaS) as a trusted Identity and Access Management with two new requirements:

Firstly, IDaaS adapts the required security infrastructures of cloud services to complete a business-to-business transaction on demand. The thesis decouples the security infrastructures from the business logic of the applications and models them as a security topology. When the business comes up with a new e-commerce scenario, IDaaS uses the security topology to adapt the security infrastructures of cloud services and propagate PII from the original caller via intermediaries to the end service on demand. Also, when cloud services migrate to other cloud providers, the trust relationship between them is adapted and preserved during the migration. As a result, developers do not need to re-implement their applications upon each change. The security infrastructure is portable across cloud providers as well as interoperable with the protected cloud services in the backend.

Secondly, the thesis proposes a novel Purpose-based Encryption to protect the confidentiality of PII in federated security domains. Unlike prior research, the thesis involves the least user interaction to prevent identity theft via the human link. By using Purpose-based Encryption, users encrypt PII with their intended purposes and in a given period and disseminate the ciphertext in federated security domains. To complete a business transaction, cloud services can decrypt the ciphertext for the right purposes and in the given time, but nothing more. As a result, the encryption protects the disclosure of PII over intermediaries in a business transaction and against untrusted hosts. The solution is compliant with the General Data Protection Regulation of the European Union. The implementation can be easily adapted to existing Identity Management systems, and the performance is fast.

dc.publisherUniversity of Plymouth
dc.subjectPurpose-based Encryptionen_US
dc.subjectIdentity Managementen_US
dc.subjectGeneral Data Protection Regulationen_US
dc.subjectcloud adaptationen_US
dc.titleIdentity as a Service: An adaptive security infrastructure and privacy-preserving user identity for the cloud environmenten_US
dc.rights.embargoperiodNo embargoen_US

Files in this item


This item appears in the following Collection(s)

Show simple item record

All items in PEARL are protected by copyright law.
Author manuscripts deposited to comply with open access mandates are made available in accordance with publisher policies. Please cite only the published version using the details provided on the item record or document. In the absence of an open licence (e.g. Creative Commons), permissions for further reuse of content should be sought from the publisher or author.
Theme by 
Atmire NV