Page 1035 - Cloud computing: From paradigm to operation

Security 7


    5)  The unified account audit should focus mainly on the assignment of identity accounts and on
        log-in and log-out behaviour as recorded by the access control modules. This helps to identify
        illegal accounts and overdue accounts, to detect accounts that are over-authorized or lack
        authorization, and to prevent log-in attempts with abandoned or faked accounts. It should
        submit account security events to the security audit module or systems so that a wider range
        of audit functions, such as intrusion detection and fault monitoring audit, can be carried out.
    6)  It should support user password management, which includes unified user password policies
        based on the security policy of the cloud platform, such as the cryptographic algorithms used,
        password length, password complexity and the password update cycle. It should support various
        types of passwords, such as graphical passwords and sound-based passwords. Furthermore, it
        should support password synchronization and password reset.
    7)  It should provide self-service for tenants in account management. Some management work, such
        as modifying simple user properties and updating passwords, can be done by the tenants
        themselves, which lightens the maintenance burden on the management staff.
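The account audit in item 5 compares two things: the permissions actually assigned to each account against the baseline its role should have, and log-in events against the account register. The following is an added illustration, not code from the handbook or from any CSP's platform; the role baseline, the account records, the log-in records and the event names are constructed for the example.

```python
"""Unified account audit (item 5): checks account assignments against a role
baseline and log-in events against the account register, and emits security
events for a downstream audit module. Added illustration with constructed
data; not code from the handbook or from any CSP platform."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role baseline: the permissions each role is supposed to hold (constructed).
ROLE_BASELINE = {
    "tenant-admin": {"vm:create", "vm:delete", "vm:read"},
    "tenant-user": {"vm:read"},
}


@dataclass
class Account:
    name: str
    role: str
    status: str                 # "active" or "disabled"
    expires: datetime           # end of the account's validity period
    permissions: set = field(default_factory=set)


def audit_accounts(accounts, login_events, now):
    """Return a list of security events; each is (event_type, account, detail)."""
    events = []
    register = {a.name: a for a in accounts}

    # Assignment audit: over-/under-authorization and overdue (expired) accounts.
    for a in accounts:
        baseline = ROLE_BASELINE.get(a.role, set())
        extra, missing = a.permissions - baseline, baseline - a.permissions
        if extra:
            events.append(("OVER_AUTHORIZED", a.name, sorted(extra)))
        if missing:
            events.append(("UNDER_AUTHORIZED", a.name, sorted(missing)))
        if a.status == "active" and a.expires <= now:
            events.append(("OVERDUE_ACCOUNT", a.name, a.expires.isoformat()))

    # Behaviour audit: log-ins with unknown, disabled or expired accounts.
    for ev in login_events:
        acct = register.get(ev["user"])
        if acct is None:
            events.append(("UNKNOWN_ACCOUNT_LOGIN", ev["user"], ev["ip"]))
        elif acct.status == "disabled":
            events.append(("DISABLED_ACCOUNT_LOGIN", ev["user"], ev["ip"]))
        elif acct.expires <= ev["time"]:
            events.append(("OVERDUE_ACCOUNT_LOGIN", ev["user"], ev["ip"]))
    return events


def run_audit():
    """Run the audit over constructed sample data and return its events."""
    now = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    far = datetime(2030, 1, 1, tzinfo=timezone.utc)
    past = datetime(2023, 1, 1, tzinfo=timezone.utc)
    accounts = [
        Account("alice", "tenant-admin", "active", far, {"vm:create", "vm:delete", "vm:read"}),
        Account("bob", "tenant-user", "active", far, {"vm:read", "vm:delete"}),  # too much
        Account("carol", "tenant-admin", "active", far, {"vm:read"}),            # too little
        Account("dave", "tenant-user", "disabled", far, {"vm:read"}),
        Account("erin", "tenant-user", "active", past, {"vm:read"}),             # overdue
    ]
    login_events = [  # constructed log-in records from the access control module
        {"user": "bob", "ip": "198.51.100.10", "time": now},
        {"user": "dave", "ip": "198.51.100.11", "time": now},
        {"user": "mallory", "ip": "203.0.113.5", "time": now},
        {"user": "erin", "ip": "198.51.100.12", "time": now},
    ]
    return audit_accounts(accounts, login_events, now)


if __name__ == "__main__":
    for event in run_audit():
        print(*event)
```

Each event tuple is what would be handed to the security audit module; the audit itself only reports, it never modifies accounts, so the decision to disable or re-scope an account stays with the access control process.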
            8.1.2   Access control management
            CSPs should establish a unified, centralized authentication and authorization system to improve the security
            of access control in daily operation. Operational logs for access control to cloud computing systems should
            be recorded for later audit.
    1)  Unified authentication should support the functions below:
        •   Support single sign-on (SSO): it should support setting the SSO parameters, such as the
            maximum session time, maximum idle time and maximum cache lifetime.
        •   Support mainstream authentication technologies, such as LDAP authentication, digital
            certificate authentication, token authentication, biometric authentication and multifactor
            authentication.
        •   Provide detailed authentication logs, including system identifiers, log-in users, log-in
            time, log-out time, log-in Internet protocol (IP) address, log-in terminal and log-in result
            (success or failure).
        •   Provide differentiated, optional authentication methods for different systems and
            services, so as to balance the security level against ease of use and cost.
    2)  Unified authorization should support the functions below:
        •   Provide authorization to access cloud resources according to the predefined users, user
            groups and users' privilege levels.
        •   Support the mechanisms of centralized authorization and hierarchical authorization; the
            authorization range of hierarchical authorized administrators should be restricted by the
            authorization administrator.
        •   Support both fine-grained and coarse-grained authorization policies.
        •   Provide detailed authorization logs, including IP addresses, operator, authorization time,
            and the granted and cancelled permissions.
    3)  Other requirements
        •   Control of log access. CSPs should ensure that administrators can access the logs only
            when they have been granted the privilege to do so. Tenants should have privileges,
            granted by the administrators, to view the logs related to them through a self-service
            portal website or other client tools.
        •   Mechanisms of encryption. Sensitive data, such as authentication data and authorization
            data, should be encrypted during storage and transmission.
        •   All operational logs related to the CSC should be appropriately visible.
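The SSO parameters in item 1 (maximum session time, maximum idle time, maximum cache lifetime) and the fields of the detailed authentication log can be shown together in one session manager. The following is an added illustration, not code from the handbook or from any CSP's platform; the policy values, the credential store, the system names, addresses and the `demo_verify` check are constructed for the example.

```python
"""Unified authentication (item 1): SSO session control with a maximum session
time, maximum idle time and maximum cache lifetime, plus a detailed
authentication log. Added illustration with constructed data; not code from
the handbook or from any CSP platform."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from hmac import compare_digest
from typing import Callable, Optional


@dataclass
class SsoPolicy:
    max_session: timedelta  # absolute lifetime of a session
    max_idle: timedelta     # log out after this much inactivity
    max_cache: timedelta    # how long one verified authentication may be reused for SSO


@dataclass
class Session:
    user: str
    system: str
    ip: str
    terminal: str
    authenticated_at: datetime  # when the credential was actually verified
    created: datetime
    last_seen: datetime
    logged_out: Optional[datetime] = None


class SsoManager:
    def __init__(self, policy: SsoPolicy, verify: Callable[[str, str], bool]):
        self.policy = policy
        self.verify = verify      # credential check supplied by the identity provider
        self.sessions = {}
        self.auth_log = []        # detailed authentication log

    def _log(self, system, user, login_time, logout_time, ip, terminal, result):
        self.auth_log.append({
            "system_id": system, "user": user,
            "login_time": login_time.isoformat(),
            "logout_time": logout_time.isoformat() if logout_time else None,
            "ip": ip, "terminal": terminal, "result": result,
        })

    def _open(self, user, system, ip, terminal, authenticated_at, now, result):
        token = f"sess-{len(self.sessions) + 1}"
        self.sessions[token] = Session(user, system, ip, terminal, authenticated_at, now, now)
        self._log(system, user, now, None, ip, terminal, result)
        return token

    def login(self, user, secret, system, ip, terminal, now):
        """Verify a credential and open a session; failures are logged too."""
        if not self.verify(user, secret):
            self._log(system, user, now, None, ip, terminal, "failure")
            return None
        return self._open(user, system, ip, terminal, now, now, "success")

    def sso_join(self, token, system, now):
        """Open a session on another system from a cached authentication."""
        src = self.sessions.get(token)
        if src is None or src.logged_out is not None:
            return None
        if now - src.authenticated_at > self.policy.max_cache:
            self._log(system, src.user, now, None, src.ip, src.terminal, "failure (sso cache expired)")
            return None
        return self._open(src.user, system, src.ip, src.terminal, src.authenticated_at, now, "success (sso)")

    def validate(self, token, now):
        """Check a session on each request, enforcing both time limits."""
        s = self.sessions.get(token)
        if s is None or s.logged_out is not None:
            return False
        if now - s.created > self.policy.max_session:
            self.logout(token, now, "session lifetime exceeded")
            return False
        if now - s.last_seen > self.policy.max_idle:
            self.logout(token, now, "idle timeout")
            return False
        s.last_seen = now
        return True

    def logout(self, token, now, reason="user request"):
        s = self.sessions[token]
        s.logged_out = now
        self._log(s.system, s.user, s.created, now, s.ip, s.terminal, f"logout: {reason}")


# Constructed credential store; a real identity provider would compare salted hashes.
CREDENTIALS = {"alice": "correct-horse-battery"}


def demo_verify(user, secret):
    return compare_digest(secret, CREDENTIALS.get(user, ""))


def run_demo():
    """Drive the manager through a constructed day and return it with the outcomes."""
    policy = SsoPolicy(timedelta(hours=8), timedelta(minutes=30), timedelta(hours=1))
    mgr = SsoManager(policy, demo_verify)
    t0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    bad = mgr.login("alice", "wrong", "portal", "198.51.100.7", "web", t0)
    tok = mgr.login("alice", "correct-horse-battery", "portal", "198.51.100.7", "web", t0)
    fresh = mgr.validate(tok, t0 + timedelta(minutes=10))
    tok2 = mgr.sso_join(tok, "billing", t0 + timedelta(minutes=20))  # within cache lifetime
    idle = mgr.validate(tok, t0 + timedelta(minutes=60))             # 50 min idle > 30 min
    stale = mgr.sso_join(tok2, "storage", t0 + timedelta(hours=2))   # 2 h since verification > 1 h
    expired = mgr.validate(tok2, t0 + timedelta(hours=9))            # 8 h 40 min > 8 h lifetime
    return mgr, bad, tok, fresh, tok2, idle, stale, expired
```

Note that the SSO session inherits `authenticated_at` from the session it was joined from rather than resetting it, so the cache lifetime bounds how long a single credential check can be carried across systems; the session lifetime and idle limits are then applied per system, and every forced logout is written to the log with its reason.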
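The hierarchical authorization requirement in item 2 is that a delegated administrator's grant range is restricted by the authorization administrator who delegated it, and every grant or cancellation is logged with operator, IP address, time and the permissions concerned. The following is an added illustration, not code from the handbook or from any CSP's platform; the permission catalogue, the administrator and user names and the IP addresses are constructed, and `grant_range` is the assumed point where the restriction is enforced.

```python
"""Unified authorization (item 2): centralized authorization by an authorization
administrator, hierarchical authorization by delegated administrators whose
grant range is bounded by what they were delegated, and a detailed
authorization log. Added illustration with constructed data; not code from the
handbook or from any CSP platform."""
from datetime import datetime, timezone

# Constructed permission catalogue of the platform.
ALL_PERMISSIONS = {"vm:create", "vm:delete", "vm:read", "net:admin", "storage:read"}


class Authorizer:
    def __init__(self, authorization_admin):
        self.root = authorization_admin
        self.admin_range = {}   # hierarchical admin -> permissions it may grant onward
        self.grants = {}        # principal -> effective permissions
        self.auth_log = []      # detailed authorization log

    def grant_range(self, operator):
        """What an operator may grant or cancel: everything for the central
        authorization administrator, otherwise only the delegated range."""
        if operator == self.root:
            return set(ALL_PERMISSIONS)
        return set(self.admin_range.get(operator, set()))

    def _log(self, operator, ip, now, subject, granted, cancelled, result):
        self.auth_log.append({
            "time": now.isoformat(), "operator": operator, "ip": ip, "subject": subject,
            "granted": sorted(granted), "cancelled": sorted(cancelled), "result": result,
        })

    def delegate(self, operator, ip, now, sub_admin, scope):
        """Hierarchical authorization: hand a grant range to a sub-administrator.
        The range can never exceed the operator's own."""
        scope = set(scope)
        if not scope <= self.grant_range(operator):
            self._log(operator, ip, now, sub_admin, scope, (), "denied: outside delegated range")
            return False
        self.admin_range[sub_admin] = scope
        self._log(operator, ip, now, sub_admin, scope, (), "delegated")
        return True

    def grant(self, operator, ip, now, principal, perms):
        perms = set(perms)
        if not perms <= self.grant_range(operator):
            self._log(operator, ip, now, principal, perms, (), "denied: outside delegated range")
            return False
        self.grants.setdefault(principal, set()).update(perms)
        self._log(operator, ip, now, principal, perms, (), "granted")
        return True

    def revoke(self, operator, ip, now, principal, perms):
        perms = set(perms)
        if not perms <= self.grant_range(operator):
            self._log(operator, ip, now, principal, (), perms, "denied: outside delegated range")
            return False
        self.grants.setdefault(principal, set()).difference_update(perms)
        self._log(operator, ip, now, principal, (), perms, "cancelled")
        return True

    def is_allowed(self, principal, perm):
        return perm in self.grants.get(principal, set())


def run_demo():
    """Exercise central delegation, in-range and out-of-range grants (constructed)."""
    now = datetime(2024, 6, 1, 10, 0, tzinfo=timezone.utc)
    az = Authorizer("central-admin")
    # Central admin delegates a bounded range to tenant A's administrator.
    d1 = az.delegate("central-admin", "192.0.2.1", now, "tenantA-admin", {"vm:read", "vm:create"})
    # Within range: fine-grained grant of one permission to a user.
    g1 = az.grant("tenantA-admin", "198.51.100.20", now, "alice", {"vm:read"})
    # Outside range: the tenant admin may not hand out vm:delete or net:admin,
    # neither directly nor by delegating them further down.
    g2 = az.grant("tenantA-admin", "198.51.100.20", now, "bob", {"vm:delete"})
    d2 = az.delegate("tenantA-admin", "198.51.100.20", now, "tenantA-helpdesk", {"vm:read", "net:admin"})
    # An operator with no delegated range can grant nothing.
    g3 = az.grant("unknown-operator", "203.0.113.9", now, "bob", {"vm:read"})
    r1 = az.revoke("tenantA-admin", "198.51.100.20", now, "alice", {"vm:read"})
    return az, (d1, g1, g2, d2, g3, r1)
```

Denied attempts are logged with the same fields as successful ones, which is what makes the authorization log useful to the account audit: an administrator repeatedly trying to grant beyond their range shows up in the same record stream as the grants that went through.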