Cloud services implementing security: a case study

Abstract

In this paper we describe the developing of a security framework that implements a centralized access control. The idea of such a framework was born from the need to use a unique login for providing authentication and authorization services to a wide range of Web applications and services deployed in the cloud. To this end, we decided to leverage the Public Digital Identity System (SPID - Sistema Pubblico di Identità Digitale), a security infrastructure that ensures to citizens and enterprises to be uniquely recognized by identifiers issued by certified identity providers. Thus, our framework does not provide users' management, but it authenticates users through the federation, in other words, the framework stands as an interface between the remote Identity Providers SPID compliant, and the Web applications/services provided by several organizations and public administrations. The security framework is made up of two main modules based on the OpenAM platform: the Access Manager, for handling users' authentication and authorization, and the IdP Proxy and Finder, for driving the users to the proper IdP. In addition, the framework provides three different approaches for interacting with and integrating Web applications and services: (i) the Policy Agent, when applications and services are compatible, (ii) the reverse proxy, that is suitable for outdated or not updatable applications and services, (iii) the OAuth2/OpenID Connect protocol, if supported by applications or for implementing the integration according to a recognized standard.