Identity Management Services Research Articles

A secure, privacy-preserving, and cost-efficient decentralized cloud storage framework using blockchain

Cloud services benefit countless users worldwide due to notable features, such as on-demand self-service, scalability, easy maintenance, etc. Secure storage and access to data in the cloud is critical. Cloud Identity and Access Management (IAM) service, which acts in a centralized way to provide access requests to the authenticated users. Controlled access sometimes fails to preserve the privacy of the sensitive information stored in the cloud due to several reasons, such as insider attacks, breaches of data security, or any other types of unauthorized access. This paper suggests a blockchain-assisted secure storage and access mechanism to secure sensitive data. Here blockchain is used as a trust management entity that verifies the identity of the user. Along with this it issues the Access Control Lists (ACLs) and identity token, and at the same time, it records all the interactions between the users and service providers. Data transmission is transparent since transactions are recorded. Importance is given to user privacy and decryption keys security. Linear(t,n) secret sharing scheme is used for key share generation and distribution. For experimentation, in MetaMask cryptocurrency wallet Goerli test network is used. Results reveal that our model consumes less cost to execute than other existing works. The total execution cost to upload and download a data file is 0.00281392 and 0.02455307 GoerliETH. Where the all verification operations such as identity token, ACL, access_log, and data integrity are executed in Zero gas value. The proposed model maintains a constant gas cost regardless of transaction volume, with costs of 33.04 ETH and 32.24 ETH for data upload and download. Moreover, we present a comparison of execution time performance in three different system configurations.

The avatar law and (cyber) transnational contracts

Abstract The virtual world, often referred to as “Metaverse”, has recently emerged as the forum for people to communicate and socialise with each other. It will not be long before economic activities take place in the Metaverse, booming the Metaverse economy. To provide legal certainties to such activities, the law on the subjects of such activities, namely avatars, needs to be explored, besides the law on the objects in the virtual world, or digital assets, which have already been extensively discussed. There can be three possible approaches to the law of avatars. They are to treat an avatar either as a device (thing) deployed by a person or corporation in the real world, as an agent of the latter, or as an entity with distinct legal personality. Depending on which approach is to be followed, the existing laws of identity management and trust services, those of agency or those of mutual recognition of legal personalities may be useful in forming the law on avatars. When choosing the approach to the issue, law-makers have to make a policy decision, carefully examining the economic and social benefits and problems that each approach will entail. In doing so, the functional analysis of the corporate law will be helpful.

Identity and Access Management Workforce Planning

This article offers a practical approach to help identity and access management (IAM) practitioners and managers understand how to advise organization leadership on identity and access management workforce planning. While workforce planning is usually a Human Resources (HR) task, the IAM practitioner, their hiring managers, and their HR teams should know the tasks, knowledge, and skills expected across the IAM industry. By capturing the tasks, knowledge, and skills across the various identity and access management service areas, this competency model is tailorable to fit most organizations’ needs to include any sector-specific training. Using the U.S. Federal Government’s IAM frameworks as a working example, this article seeks to help mature the identity and access management profession and create a more consistent experience across organizations for identity and access management practitioners.

RETRACTED ARTICLE: Securing medical data by role-based user policy with partially homomorphic encryption in AWS cloud

Cloud technology provides services for storing and accessing a large amount of data with ease of access and less cost. Sensitive data such as patients' electronic health information should be encrypted before outsourcing into the cloud. Many traditional encryption methods are used for protecting data in the cloud, but unable to perform computation on encrypted data. Homomorphic encryption operates directly on the ciphertext. In this study, a Secure Partially Homomorphic Encryption (SPHE) algorithm is proposed to secure the outsourced data and perform multiplication and division operations on the ciphertext. The access control policy in the cloud environment is more flexible. An attacker can easily collect sensitive data by abusing the access policy of another user. Therefore, the database privacy is compromised. Creating a role hierarchy and managing the session is difficult in the cloud environment. The above issues motivate us to develop a model which is the integration of the proposed scheme SPHE with role-based user policy. The model is implemented in Eclipse IDE (Integrated Development Environment) and AWS (Amazon Web Service) Toolkit for Eclipse and deployed in Amazon Elastic Beanstalk (EB) environment. This model is particularly used for securing the patient e-health details and performing computation on outsourced data. The patient details are encrypted by the algorithm SPHE and uploaded in AWS S3 (Simple Storage Service) bucket. The users are created by AWS Identity and Access Management (IAM) service and the access level policy is defined based on user roles in EB environment. The proposed model performance is studied by comparing with other partially homomorphic methods Elgamal, Pailler, and Benaloh. This model achieves data integrity and data confidentiality using the role-based user policy with SPHE.

Reference Service Model Framework for Identity Management

Each person on the Internet typically has several digital accounts, which are associated with different identity information. During the last years, various identity and access management (I&AM) approaches were established to help manage all these digital identities and operate online services within an organization and beyond. This development has led to heterogeneity, making it hard to differentiate between, comply with, and combine these approaches. In this paper, we describe a reference service model framework for different I&AM flavors by utilizing modern Enterprise Architecture Management using the framework ArchiMate. The proposed identity management service model framework (IMSMF) consists, on the one hand, of a meta-model and several models for various protocols and implementations, and, on the other hand, models, which were designed in a generic service-oriented way. These models lead to a universal model to indicate additional components for an enhanced I&AM. IMSMF has been evaluated through several rounds of expert interviews. IMSMF helps to establish, enhance, and change I&AM systems while also being a base for profound further research.

A Security Management and Control Solution of Smart Park Based on Sensor Networks

As a typical application of sensor networks, there exist many information security problems in smart parks, such as confusion of personnel access, lack of security management, disorderly data flow, insufficient collection of audit evidence, and so on. Aiming at the scenario of personnel and equipment moving in different areas of smart parks, the paper proposes a joint authorization and dynamic access control mechanism, which can provide unified identity management services, access control services, and policy management services, and effectively solve the problem of multi-authorization in user identity and authority management. The license negotiation interaction protocol is designed to prevent common network attack threats in the process of identity authentication and authority management. In order to realize the tamper-proof storage of personnel and equipment movement trajectory, the paper also designs a movement trajectory traceability protocol based on a Merkle tree, which solves the problems of internal personnel malicious attack, trusted third-party dependency bottleneck, high overheads of tracking algorithms, and so on. The experimental results show that compared with the current security control mechanisms for sensor networks, the joint authorization, and dynamic access control mechanism can support multi-party authorization and traceability, while the overhead it generates in initialization, encryption, decryption, and key generation steps are basically the same as other mechanisms do.

Computational Intelligence Approach for Municipal Council Elections Using Blockchain

Blockchain is an innovative technology that disrupts different industries and offers decentralized, secure, and immutable platforms. Its first appearance is connected with monetary cryptocurrency transactions, followed by adaptation in several domains. We believe that blockchain can provide a reliable environment by utilizing its unique characteristics to offer a more secure, costless, and robust mechanism suitable for a voting application. Although the technology has captured the interest of governments worldwide, blockchain as a service is still limited due to lack of application development experience, technology complexity, and absence of standardized design, architecture, and best practices. Therefore, this study aims to build an imperial example for a blockchain electronic voting (e-voting) application using digital identity management for fulfilling immutable, transparent, and secure distributed blockchain features. The paper reviews the current types of e-voting systems and discusses the standard processes. We propose a conceptual design for a blockchain providing a digital identity management service to secure the e-voting application results. The blockchain development process implemented in this study follows the Proof of Concept to verify the e-voting application’s function for illustrating the architecture and description of the application’s business process model. The development is based on the Ethereum platform, which allows the implementation of the Proof of Work consensus algorithm. The developed e-voting application saves time, requires fewer processes, and results in higher accuracy, more transparency, considerable voters’ privacy, and accountable system management. We expect that the e-voting blockchain application will impact governmental processes during the election, reduce spending, support digital transformation, and ensure fairness of results.

Beyond X.509: Token-based authentication and authorization in practice

One of the key challenges identified by the HEP R&D roadmap for software and computing is the ability to integrate heterogeneous resources in support of the computing needs of HL-LHC. In order to meet this objective, a flexible Authentication and Authorization Infrastructure (AAI) has to be in place, to allow the secure composition of computing and storage resources provisioned across heterogeneous providers (e.g., Grid, private and commercial Clouds, HPC centers). At CHEP 2018, we presented how a flexible AAI based on modern, standard Web technologies (OpenID Connect, OAuth and JSON Web Tokens) and centered on the INDIGO Identity and Access Management (IAM) service could support the transition of the WLCG infrastructure to a token-based AAI. In the meanwhile, INDIGO IAM has been selected by the WLCG Management Board as the solution that will be adopted by LHC experiments, and is also at the core of the AAI envisioned to support the computing needs of the ESCAPE project. In this contribution, which represents a follow up to last-year plenary talk, we describe the work done recently on the IAM service to support WLCG requirements.

Beyond X.509: token-based authentication and authorization for HEP

X.509 certificates and VOMS have proved to be a secure and reliable solution for authentication and authorization on the Grid, but also showed usability issues and required the development of ad-hoc services and libraries to support VO-based authorization schemes in Grid middleware and experiment computing frameworks. The need to move beyond X.509 certificates is recognized as an important objective in the HEP R&D roadmap for software and computing, to overcome the usability issues of the current AAI and embrace recent advancement in web technologies widely adopted in industry, but also to enable the secure composition of computing and storage resources provisioned across heterogeneous providers in order to meet the computing needs of HL-LHC. A flexible and usable AAI based on modern web technologies is a key enabler of such secure composition and has been a major topic of research of the recently concluded INDIGO-DataCloud project. In this contribution, we present an integrated solution, based on the INDIGO-DataCloud Identity and Access Management service that demonstrates how a next generation, token-based VO-aware AAI can be built in support of HEP computing use cases, while maintaining compatibility with the existing, VOMS-based AAI used by the Grid.

Identity and Access Management System: a Web-Based Approach for an Enterprise

Managing digital identities and access control for enterprise users and applications remains one of the greatest challenges facing computing today. An attempt to address this issue led to the proposed security paradigm called Identity and Access Management (IAM) service based on IAM standards. Current approaches such as Lightweight Directory Access Protocol (LDAP), Central Authentication Service (CAS) and Security Assertion Markup Language (SAML) lack comprehensive analysis from conception to physical implementation to incorporate these solutions thereby resulting in impractical and fractured solutions. In this paper, we have implemented Identity and Access Management System (IAMSys) using the Lightweight Directory Access Protocol (LDAP) which focuses on authentication, authorization, administration of identities and audit reporting. Its primary concern is verification of the identity of the entity and granting correct level of access for resources which are protected in either the cloud environment or on-premise systems. A phased approach methodology was used in the research where it requires any enterprise or organization willing to adopt this must carry out a careful planning and demonstrated a good understanding of the technologies involved. The results of the experimental evaluation indicated that the average rating score is 72.0 % for the participants involved in this study. This implies that the idea of IAMSys is a way to mitigating security challenges associated with authentication, authorization, data protection and accountability if properly deployed.

Blockchain Technology the Identity Management and Authentication Service Disruptor: A Survey

The Internet today lacks an identity protocol for identifying people and organizations. As a result, service providers needed to build and maintain their own databases of user information. This solution is costly to the service providers, inefficient as much of the information is duplicated across different providers, difficult to secure as evidenced by recent large-scale personal data breaches around the world, and cumbersome to the users who need to remember different sets of credentials for different services. Furthermore, personal information could be collected for data mining, profiling and exploitation without users' knowledge or consent. The ideal solution would be self-sovereign identity, a new form of identity management that is owned and controlled entirely by each individual user. This solution would include the individual's consolidated digital identity as well as their set of verified attributes that have been cryptographically signed by various trusted issuers. The individual provides proof of identity and membership by sharing relevant parts of their identity with the service providers. Consent for access may also be revoked hence giving the individual full control over its own data. This survey critically investigates different blockchain based identity management and authentication frameworks. A summary of the state-of-the-art blockchain based identity management and authentication solutions from year 2014 to 2018 is presented. The paper concludes with the open issues, main challenges and directions highlighted for future work in this area. In a nutshell, the discovery of this new mechanism disrupted the existing identity management and authentication solutions and by providing a more promising secure platform.

Technology blokchein as an industrial property object: patent activity characteristic

The article gives an assessment of the current state and technological profile of blockchain in the global innovation space. Com­parison of the level of inventive activity in the global scale of the blockchain development sector made it possible to identify countries with higher efficiency of scientific and techni­cal activities — the USA and China. An increased patent activity of world corporations was noted, which indicates the use of patenting as a tool for creating a temporary mo­nopoly on the market and for creating new markets based on the principle of «primacy» of access to the consumer. The active patenting of blockchain in the international PCT system, more than 30 %, indicates its high importance and prospects. The race of corporations for leadership changes the patent landscape every month. Today, IBM, nChain Holdings Limited, takes the first place, and MasterCard International Incorporated has moved to the third place. The structure of the technological profile of blockchain in the global innovation space is defined, which includes: a hybrid blockchain; methods and sys­tems of blockchain using digital signatures; software testing, computerized scoring based on text and visual feedback; integration of market exchange and processing of issuers of transactions; blockchain security; identity management service to ensure the certifica­tion of transactions, etc. Conclusions are made about the high patentability of blockchain, its prospects and the need to further highlight specific aspects in the legal and technological field of the blockchain. However, understanding the existing limita­tions and disadvantages of the approach, the analysis of patent information can be ac­tively used to understand the key trends in technological development, providing the necessary information basis for the formation of effective evidence-based scientific, tech­nical and innovation policies.

2545

OBJECTIVES/SPECIFIC AIMS: This research project envisions the integration of Homeless Management Information System (HMIS) and UI Health Cerner electronic medical record (EMR) system with the following goals: (1) enable sharing of data about the status of the housing insecure and homeless. (2) Identify and match patient record accurately. (3) Record housing insecurity or homelessness information with structured data elements in the EMR. METHODS/STUDY POPULATION: We created a Master Person Index (MPI) of the homeless individuals from HMSI using OpenEMPI software package, which is an open source implementation of an Enterprise Master Patient Index (EMPI). An entity model was generated based on the selective data elements from HMIS database, which were relevant for the patient identity management and healthcare service management. An automated script was implemented to extract data from HMIS and load it into OpenEMPI to build the MPI. Once the MPI is setup, the Emergency Department users were able to perform patient identity matching and confirm housing insecure or homeless status of their patients by querying the index using the web-based tool. We developed structured data elements to record homelessness information, which will allow us to measure the prevalence of this risk among patients. We are also exploring the possibility to integrate the systems the using the IHE PIX/PDQ profile, which provides ways for healthcare applications to query a patient information server for a patient based on user-defined search criteria, and retrieve a patient’s information directly into the application. RESULTS/ANTICIPATED RESULTS: We implemented a MPI of homeless individuals, which would allow the emergency department users to perform patient identity matching of housing insecure or homeless patients, without undue privacy intrusions. We are confident that IHE PIX/PDQ profile is able to support the integration of healthcare and housing and homeless services systems and enable the data sharing in an efficient way. DISCUSSION/SIGNIFICANCE OF IMPACT: The project addressed the gap in the sharing of data about housing insecure or homeless persons between healthcare and housing and social services that will result in improvements in coordination of care, reduce the cycle time from recognition of risk to the referral to housing and services and improve health outcomes and residential stability. Successful completion of this integration project will give us a model that we can scale to many other communities.

A Blockchain-based Identity Management Service Supporting Robust Identity Recovery

A Blockchain-based Identity Management Service Supporting Robust Identity Recovery

Integrating an AAA‐based federation mechanism for OpenStack—The CLASSe view

SummaryIdentity federations enable users, service providers, and identity providers from different organizations to exchange authentication and authorization information in a secure way. In this paper, we present a novel identity federation architecture for cloud services based on the integration of a cloud identity management service with an authentication, authorization, and accounting infrastructure. Specifically, we analyse how this type of authentication, authorization, and accounting–based federation can be smoothly integrated into OpenStack, the leading open source cloud software solution, using the Internet Engineering Task Force (IETF) Application Bridging for Federated Access Beyond web specification for authentication and authorization. We provide details of the implementation undertaken in GÉANT's CLASSe project and show its validation in a real testbed.

TECHNOLOGY OF FEDERATED IDENTITY AND SECURE LOGGINGS IN CLOUD COMPUTING

Federated services are becoming widely implemented at many sites in multiple domain networks for cloud computing across many industry segments. New technology is required not only for federated authentication, but also for services operating distributed attributes, which are both static and dynamic. In addition to the technology, the sites that provide services across multiple domain networks are required to store every log as audit trails. This paper focuses on SAML and ID-WSF, which are the technology and the architecture for identity management and secure web services, discusses deployments and problems in the real world, then proposes a fast and safe technology that extends the ID-WSF for services and logs. To verify the effectiveness of the proposed technology and architecture, the latencies of SAML SSO that exchange SOAP messages are measured and considered in a cloud computing environment.

Identity management practices in cloud computing environments

The increased global connectivity has increased the number of identities taking part in the digital world, as well as their interactions. In such an environment, the identity management becomes a superset of all corresponding issues in establishing trust and reputation among customers. This paper presents identity management problem as a whole, with specific identity breach incidents. Composition of the identities and their attributes has also been discussed in detail. Best practices for identity management and access control services like Active Directory Federation Services (ADFS) for intra-organisation services, as well as services such as Windows Live ID, Google, Yahoo, Facebook and OpenID for worldwide control across internet have been presented. Each application has a choice to accept an identity provider it trusts. The paper further addresses future identity management problems, which will be more complex in nature and will deal with interconnected devices, machines, software components and addresses along with the user identities.

From the Enterprise Perimeter to a Mobility-Enabled Secure Cloud

The enterprise perimeter has exhibited gradual trust degradation owing to a succession of connectivity decisions involving Web, email, virtual private networking, exceptions, and mobile networks as well as a succession of threats including malware and advanced persistent threats (APTs). The author proposes restoring trust to the enterprise by focusing protection strategies on a set of prioritized assets. The protections center on three zones: a client zone, a network zone with network-based carrier protection services, and a cloud zone with third-party attested security heavily indexed toward identity and access management services. The resultant enterprise network is more resilient to leakage attacks such as APTs.

The Research of Identity Management Services and its Key Devices for Mobile Internet

This paper presents an eID based solution to use for mobile internet, namely a platform structure and some key devices to realize the solution, in order to bring us an approach more secure and convenience to access online banking services and avoids some privacy leaking and online banking fishing problems.

Enhancing the Security Framework Securecloud with the Swift Identity Management Framework

SecureCloud is a comprehensive security framework for cloud computing environments consisting of different modules that handle the security and trust issues of key components. One of the modules is responsible for authentication and identity management (IDM). In SecureCloud, the author suggest, to implement the security solution for the Authentication and IDM module, it is important to ensure IDM services in the cloud can be integrated with the existing IDM framework. Existing techniques for use of pseudonyms and accommodating multiple identities to protect users’ privacy can help build a desired usercentric federated IDM for clouds. Motivated by attempting to find a solution from the suggestion, this paper proposes the integration of SWIFT identity management framework into the module using the existing trust relationships in SecureCloud to enhance the security of the SecureCloud framework. SWIFT provides a set of advanced security features such as identity aggregation, privacy protection, advanced access control and single sign-on (SSO) to help enhance the security of IDM module in SecureCloud.