Unit-5 (Cloud Federation)

Unit III discusses cloud federation, which connects multiple cloud providers to enhance resource sharing and scalability. It covers the architecture of federated clouds, including components like Cloud Exchange, Cloud Coordinator, and Cloud Broker, as well as properties and challenges of cloud federation. Additionally, it addresses the importance of presence in the cloud, privacy issues related to cloud-based information systems, and the security challenges faced in cloud computing.

Uploaded by prathyusha.g

UNIT-III

Cloud Federation
Unit III: Cloud Federation: Federation in the Cloud, Presence in the Cloud, Privacy and
its Relation to Cloud Based Information System. The Open Cloud Consortium - The
Distributed Management Task Force - Standards for Application Developers, Standards
for Messaging. Security in the cloud: Cloud Security Challenges - Software-as-a-Service
Security, Standards for Security.
Federation is a concept closely associated with the cloud. Federation means
associating several independent divisions into a single group that performs a
common task. A federated cloud is formed by connecting the cloud environments of
several cloud providers through a common standard. Cloud federation requires one
provider to wholesale or rent computing resources to another cloud provider.

Interconnecting the cloud computing environments of two or more service
providers lets them load-balance traffic and accommodate spikes in demand. The
result is a multi-national cloud system that integrates private, community, and
public clouds into a scalable computing platform.

Federated Cloud

The architecture of Federated Cloud:

The architecture of Federated Cloud consists of three basic components:

1. Cloud Exchange
The Cloud Exchange acts as a mediator between the cloud coordinator and the
cloud broker. The demands of the cloud broker are mapped by the cloud exchange
to the available services published by the cloud coordinator. The cloud exchange
keeps a record of the present cost, demand patterns, and available cloud
providers, and this information is periodically updated by the cloud coordinator.
2. Cloud Coordinator
The cloud coordinator assigns the resources of its cloud to remote users based
on the quality of service they demand and the credits they hold in the cloud
bank. The participating cloud enterprises and their membership in the federation
are also managed by the cloud coordinator.

3. Cloud Broker
The cloud broker interacts with the cloud coordinator and analyses the
service-level agreements and the resources offered by the several cloud
providers listed in the cloud exchange. The cloud broker then finalizes the most
suitable deal for its client.
Cloud Federation Properties
Cloud federation properties can be classified into two categories: functional
cloud federation properties and usage cloud federation properties.

Functional Cloud Federation Properties

1. Authentication: A cloud federation involves several foreign resources
contributed by the providers participating in the federation. To consume a
foreign resource, the customer must be given access credentials valid for that
target resource, and the foreign resource in turn must hold the authentication
information needed to verify the customer.

2. Integrity: Integrity in a federated cloud means that the providers
participating in the federation consistently offer and deliver the resources
they advertise. If the federated cloud environment fails to provide those
resources, its purpose becomes questionable.

Maintaining this consistency requires management by the providers: they can
designate a federation administrative board, or automate the process so that an
administrative action is triggered whenever an irregularity is detected.

3. Monitoring: A federated cloud can be monitored in two ways: global
monitoring and monitoring as a service (MaaS). Global monitoring aids in
maintaining the federated cloud. MaaS provides information that helps the
customer track the services they have contracted.

4. Object: The marketable objects in cloud computing are infrastructure,
platform, and software, each offered to the customer as a service. These objects
have to pass through the federation when they are consumed in the federated
cloud.

5. Contracts: In cloud computing, the agreement between provider and consumer,
the service level agreement (SLA), carries both technical and administrative
commitments between provider and consumer. In addition to the SLA, a federated
cloud has a federation level agreement that covers commitments to the functional
and usage properties.

6. Provisioning: Allocating the services and resources offered by a cloud
provider to the customer through the federation. It can be done manually or
automatically. In automatic provisioning the best provider is chosen to allocate
the resources and services to the customer; in manual provisioning an entity in
the federation selects the provider that will allocate them.

7. Service Management: Service management discovers and publishes the services
offered by the federated cloud.
8. Interoperability: Interoperability is the mechanism by which a customer's
system can interact with a cloud service, or a cloud service in the federation
can interact with other cloud services.

9. Commercialization: The providers participating in the federation publish
their offers to a central entity. The customer interacts with this central entity
to check prices and propose an offer.

Usage Cloud Federation Properties

1. Interaction Architecture: In the federated cloud, customers can interact with
the architecture either centrally or in a decentralized manner. In centralized
interaction, the customer interacts with a broker that mediates between them and
the federation. Decentralized interaction allows the customer to interact directly
with the clouds in the federation.

2. Expansion: The expansion of the federation depends on how the resources and
services in the federation are used.

3. Centric: The federated cloud focuses on the implementation and usability of
the elements in its architecture. The four centric views of a federated cloud
are customer, business, provider, and service. A customer-centric architecture
and mechanism are designed to prioritize the customer. Business-centric focuses
on monetization. Provider-centric focuses on maximizing the use of resources and
services. Service-centric focuses on the services and their specialties.

4. Practice Niche: Federated cloud can be practiced with different niches like
commercial and non-commercial.

5. Volunteer: Providers must join the federation voluntarily and must be able
to leave the federation when required.

6. Visibility: The visibility of a federated cloud helps the customer to interpret the
organization of multiple clouds in the federated environment.

Benefits of Federated Cloud:

1. It minimizes the consumption of energy.
2. It increases reliability.
3. It minimizes the time and cost of providers due to dynamic scalability.
4. It connects various cloud service providers globally. The providers may
buy and sell services on demand.
5. It provides easy scaling up of resources.

Challenges in Federated Cloud:


1. In cloud federation, having more than one provider for processing
incoming demands is common. In such cases, a scheme is needed to
distribute the incoming demands fairly among the cloud service
providers.
2. The increasing number of requests in a cloud federation has resulted in
more heterogeneous infrastructure, making interoperability an area of
concern. It becomes a challenge for cloud users to select the relevant
cloud service providers, and in practice this ties them to a particular
cloud service provider (vendor lock-in).
3. A federated cloud means constructing a seamless cloud environment that
can interact with people, different devices, several application
interfaces, and other entities.

Four Levels of Federation


1. Permissive federation
Permissive federation allows the cloud environments of two service providers
to interconnect without verifying the identity of the peer cloud, using
neither DNS lookups nor certificate checks. This makes domain spoofing easy:
any server can claim to be any domain.
2. Verified Federation
Verified federation interconnects the two cloud environments only after the
peer cloud has been identified using information obtained from DNS. Identity
verification stops simple spoofing, but the connection is still not
encrypted, and the DNS answers themselves can be attacked (for example by
DNS poisoning), so a peer can still be impersonated.
3. Encrypted Federation
Encrypted federation interconnects the two cloud environments only if the
peer cloud supports Transport Layer Security (TLS). The peer must present a
digital certificate, but that certificate may be self-signed, so it proves
nothing about who the peer is. Encrypted federation therefore protects the
channel but still gives only weak identity verification.
4. Trusted Federation
Trusted federation allows two clouds from different providers to connect only
if the peer cloud supports TLS and presents a digital certificate issued by a
certification authority (CA) that is trusted by the authenticating cloud. This
combines channel encryption with strong identity verification.
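The following Python code is an added example, not part of these notes. It classifies a peer cloud's connection into the four levels above and enforces a minimum level before admitting the peer. The PeerHandshake fields are an assumption about what a server learns from its DNS lookup and the TLS handshake (in Python the certificate would come from ssl.SSLSocket.getpeercert()); the domain names and certificates are constructed. The point it makes concrete is that TLS with a self-signed or wrongly named certificate only reaches the encrypted level, never the trusted one.

```python
"""Classify a peer cloud's handshake into one of the four federation levels
and gate the connection on a minimum level.

Added example, not from the original notes. PeerHandshake fields are
assumptions about what the DNS lookup and TLS handshake would yield; the
domain names and certificates below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List

# Ordered from weakest to strongest identity verification.
LEVELS = ["permissive", "verified", "encrypted", "trusted"]


@dataclass
class PeerHandshake:
    claimed_domain: str                # domain the peer claims to serve
    dns_resolves_to_peer: bool         # DNS for claimed_domain led to this connection
    tls: bool                          # peer negotiated TLS
    cert_sans: List[str] = field(default_factory=list)  # dNSName SAN entries in the cert
    cert_issuer_trusted: bool = False  # chain validates to a CA we trust; self-signed -> False


def san_matches(domain: str, sans: List[str]) -> bool:
    """RFC 6125 style host check: exact match, or a wildcard that covers only
    the leftmost label (``*.example.org`` matches ``xmpp.example.org`` but
    not ``example.org`` or ``a.b.example.org``)."""
    domain = domain.lower().rstrip(".")
    for san in sans:
        san = san.lower().rstrip(".")
        if san == domain:
            return True
        if san.startswith("*.") and "." in domain:
            if domain.split(".", 1)[1] == san[2:]:
                return True
    return False


def federation_level(peer: PeerHandshake) -> str:
    """Strongest level the peer's handshake actually supports."""
    if peer.tls and peer.cert_issuer_trusted and san_matches(peer.claimed_domain, peer.cert_sans):
        return "trusted"
    if peer.tls:
        # The channel is encrypted, but a self-signed or mismatched certificate
        # says nothing about who is on the other end: weak identity verification.
        return "encrypted"
    if peer.dns_resolves_to_peer:
        return "verified"
    return "permissive"


def accept_peer(peer: PeerHandshake, minimum: str = "trusted") -> bool:
    """Admit the peer only if its level is at least ``minimum``."""
    return LEVELS.index(federation_level(peer)) >= LEVELS.index(minimum)


# Constructed peers covering each level.
SELF_SIGNED = PeerHandshake("xmpp.example.org", True, True, ["xmpp.example.org"], False)
CA_ISSUED = PeerHandshake("xmpp.example.org", True, True, ["*.example.org"], True)
WRONG_NAME = PeerHandshake("xmpp.example.org", True, True, ["xmpp.example.net"], True)
PLAINTEXT = PeerHandshake("xmpp.example.org", True, False)
UNKNOWN = PeerHandshake("xmpp.example.org", False, False)

if __name__ == "__main__":
    for name, peer in [("self-signed", SELF_SIGNED), ("CA-issued", CA_ISSUED),
                       ("wrong name", WRONG_NAME), ("plaintext", PLAINTEXT),
                       ("unknown", UNKNOWN)]:
        print(f"{name:12s} -> {federation_level(peer):10s} "
              f"admit at 'trusted': {accept_peer(peer)}")
```

Running it shows the CA-issued certificate with a matching wildcard SAN as the only peer admitted under a trusted-federation policy; the self-signed peer and the CA-issued certificate for the wrong name both land on "encrypted", which is exactly the weak identity verification the text warns about.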
PRESENCE IN CLOUD
At the most fundamental level, presence is simple: it provides true-or-false
answers to queries about the network availability of a person, device, or
application.

Understanding the power of presence is crucial to unlocking the real potential of
the Internet. Presence data enables organizations to deploy innovative real-time
services and achieve significant revenue opportunities and productivity
improvements.

• Presence is a core component of an entity's real-time identity. Presence serves
as a catalyst for communication. Its purpose is to signal availability for
interaction over a network.

• It is being used to determine availability for phones, conference rooms,
applications, web-based services, routers, firewalls, servers, appliances,
buildings, devices, and other applications.

• The management of presence is being extended to capture even more
information about availability, or even the attributes associated with such
availability, such as a person's current activity, mood, location (e.g., GPS
coordinates), or preferred communication method (phone, email, IM, etc.).

• Presence is an enabling technology for peer-to-peer interaction. It first
emerged as an aspect of communication systems, especially IM systems such
as ICQ, which allowed users to see the availability of their friends.

• The huge role that IM has had in establishing presence is evident in the
protocols available today: the Instant Messaging and Presence Service (IMPS);
Session Initiation Protocol (SIP) for Instant Messaging and Presence
Leveraging Extensions (SIMPLE); and the Extensible Messaging and Presence
Protocol (XMPP), first developed in the Jabber open source community and
subsequently ratified as an Internet standard by the IETF.

• Implementation of presence follows the software design pattern known as
publish-and-subscribe (pub-sub). This means that a user or application
publishes information about its network availability to a centralized location
and that information is broadcast to all entities that are authorized to receive
it. The authorization usually takes the form of a subscription.
Presence protocol
The standard presence protocols are SIMPLE and XMPP. SIMPLE is an instant
messaging and presence protocol suite based on SIP and managed by the Internet
Engineering Task Force (IETF). XMPP is the IETF's formalization of the core XML
messaging and presence protocols originally developed by the open source Jabber
community in 1999.

• Proprietary, consumer-oriented messaging services do not enable enterprises
or institutions to leverage the power of presence. A smarter approach is to use
one of the standard presence protocols, SIMPLE or XMPP.

• The modern, reliable method to determine another entity's capabilities is
called service discovery, wherein applications and devices exchange
information about their capabilities directly, without human involvement.

• Even though no general framework for service discovery has been produced by a
standards development organization such as the IETF, a capabilities
extension for SIP/SIMPLE and a robust, stable service discovery extension for
XMPP do exist.

• The SIMPLE Working Group is developing the technology to embed capabilities
information within broadcast presence information; the same capability
already exists in a widely deployed XMPP extension.

• Together, service discovery and capabilities broadcasts enable users and
applications to learn the capabilities of other entities on the network,
providing a real-time mechanism for further use of presence-enabled
systems.

Presence Engine
Providing presence data through as many avenues as possible is in large measure
the responsibility of a presence engine. The presence engine acts as a broker
between presence publishers and subscribers. As presence becomes more prevalent
in Internet communications, presence engines need to provide strong
authentication, channel encryption, explicit authorization and access control
policies, high reliability, and the consistent application of aggregation rules.
A presence engine should be able to operate using multiple protocols such as
IMPS, SIMPLE, and XMPP; this is a basic requirement for distributing presence
information as widely as possible. Aggregating information from a wide variety
of sources requires presence rules that deliver the right information to the
right subscribers at the right time.
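The following Python code is an added example, not part of these notes, written to make the pub-sub model and the presence-engine requirements above concrete: a subscription is only a request until the owner explicitly authorizes it, publications fan out to authorized subscribers only, and an aggregation rule combines the statuses a user publishes from several devices. User, device and status names are constructed; a real engine would carry the same logic over IMPS, SIMPLE or XMPP.

```python
"""Minimal presence engine: publish-and-subscribe with explicit subscription
authorization and an aggregation rule across a user's devices.

Added example, not from the original notes. User, device and status names are
constructed; a real engine would speak IMPS/SIMPLE/XMPP on the wire.
"""
from typing import Dict, List, Set, Tuple

# Aggregation rule: across all of a user's devices, the "most available" status wins.
PRIORITY = {"unavailable": 0, "dnd": 1, "away": 2, "available": 3}


class PresenceEngine:
    def __init__(self) -> None:
        self.pending: Dict[str, Set[str]] = {}            # owner -> subscribers awaiting approval
        self.authorized: Dict[str, Set[str]] = {}         # owner -> subscribers the owner approved
        self.published: Dict[str, Dict[str, str]] = {}    # owner -> device -> status
        self.inbox: Dict[str, List[Tuple[str, str]]] = {} # subscriber -> delivered (owner, status)

    def subscribe(self, subscriber: str, owner: str) -> None:
        """A request alone grants nothing; it waits for the owner's decision."""
        self.pending.setdefault(owner, set()).add(subscriber)

    def approve(self, owner: str, subscriber: str) -> None:
        """Explicit authorization by the owner turns a pending request into a
        subscription. Approving someone who never asked is refused."""
        if subscriber not in self.pending.get(owner, set()):
            raise PermissionError(f"{subscriber} has no pending request for {owner}")
        self.pending[owner].discard(subscriber)
        self.authorized.setdefault(owner, set()).add(subscriber)
        self._notify(owner, subscriber)  # a new subscriber learns the current state

    def publish(self, owner: str, device: str, status: str) -> str:
        """One device publishes; the aggregate is recomputed and broadcast to
        authorized subscribers only. Returns the new aggregate."""
        if status not in PRIORITY:
            raise ValueError(f"unknown status {status!r}")
        self.published.setdefault(owner, {})[device] = status
        for subscriber in self.authorized.get(owner, set()):
            self._notify(owner, subscriber)
        return self.aggregate(owner)

    def aggregate(self, owner: str) -> str:
        statuses = self.published.get(owner, {}).values()
        return max(statuses, key=PRIORITY.__getitem__, default="unavailable")

    def query(self, subscriber: str, owner: str) -> str:
        """Point query. An unauthorized asker gets the same answer as for an
        offline user, so the reply does not reveal whether the owner exists
        or is online."""
        if subscriber not in self.authorized.get(owner, set()):
            return "unavailable"
        return self.aggregate(owner)

    def _notify(self, owner: str, subscriber: str) -> None:
        self.inbox.setdefault(subscriber, []).append((owner, self.aggregate(owner)))


def demo() -> PresenceEngine:
    """Constructed scenario: Bob asks for Alice's presence, Alice publishes
    from two devices and approves Bob; Mallory never asked and gets nothing."""
    engine = PresenceEngine()
    engine.subscribe("bob", "alice")
    engine.publish("alice", "laptop", "away")       # Bob not yet authorized: nothing delivered
    engine.approve("alice", "bob")                  # Bob now receives ("alice", "away")
    engine.publish("alice", "phone", "available")   # aggregate becomes "available"
    return engine


if __name__ == "__main__":
    e = demo()
    print("bob sees:", e.query("bob", "alice"), "| inbox:", e.inbox["bob"])
    print("mallory sees:", e.query("mallory", "alice"))
```

The design choice worth noting is in query(): returning "unavailable" to an unauthorized asker, rather than an error, keeps the engine from confirming which accounts exist or are online to anyone who has not been granted a subscription.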

The Interrelation of Identity, Presence, and Location in the Cloud
Identity, presence, and location are three characteristics that lie at the core
of some of the most critical emerging technologies in the market today: real-time
communications (including VoIP, IM, and mobile communications), cloud computing,
collaboration, and identity-based security.

Digital identity refers to the traits, attributes, and preferences on the basis
of which one may receive personalized services. Identity traits might include
government-issued IDs, corporate user accounts, and biometric information. Two
user attributes that may be associated with identity are presence and location.

• Over the last few years, there has been an aggressive move toward the
convergence of identity, location, and presence. This is important because a
standard framework tying identity to presence and location creates the ability
to develop standards-based services for identity management that incorporate
presence and location.

• Presence is most often associated with real-time communications systems
such as IM and describes the state of a user's interaction with a system, such
as which computer they are accessing, whether they are idle or working, and
perhaps also which task they are currently performing.

• Location refers to the user's physical location and typically includes latitude,
longitude, and (sometimes) altitude.

• Authentication and authorization mechanisms generally focus on determining
the "who" of identity, location defines the "where," and presence defines the
"what"; all are critical components of the identity-based emerging technologies
listed above, including cloud computing.
Privacy and Its Relation to Cloud-Based Information
Systems
Privacy is an important business issue focused on ensuring that personal data is
protected from unauthorized and inappropriate collection, use, and disclosure,
ultimately preventing the loss of customer trust and fraudulent activity such as
identity theft, email spamming, and phishing.

Privacy Acts: Many countries have enacted laws to protect individuals' right to
have their privacy respected, for example:
• Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
• The European Commission's directive on data privacy
• The Swiss Federal Data Protection Act (DPA) and Swiss Federal Data Protection
Ordinance
• In the United States, the Health Insurance Portability and Accountability Act
(HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the FCC Customer Proprietary
Network Information (CPNI) rules

Security issues in cloud computing: There are many security issues with cloud
computing because it is composed of several technologies: databases, operating
systems, networks, transaction management, virtualization, and so on. Therefore,
the security issues of each of these systems and applications also apply to cloud
computing. According to Gartner, before choosing a cloud vendor, users should
ask the vendor about seven specific security issues: privileged user access,
regulatory compliance, data location, data segregation, recovery, investigative
support, and long-term viability. Wikipedia defines cloud computing security as
an evolving sub-domain of computer security, network security, and more broadly
information security.

It also refers to a broad set of policies, technologies, and controls deployed to
protect data, applications, and the associated infrastructure of cloud computing.
The following are the main security issues related to cloud computing.

Administrative access and data ownership: In cloud computing, administrative
access is done over the Internet, which increases the risk. It is therefore very
important to control administrative access to data and to monitor that access so
that the agreed protocols are maintained.

Jurisdiction: Data in the cloud is globally distributed, which raises the issues
of jurisdiction and privacy. Organizations run the risk of not complying with
government policies.

Privacy of data: Data in the cloud is globally distributed. The user has no
information about the location of the data and no control over the physical
access mechanisms protecting it. The concept of privacy differs between
countries, cultures, and jurisdictions. There is also the question of whose
jurisdiction the data falls under when an investigation occurs. In a distributed
system there are multiple databases and multiple applications.

Information privacy or data privacy is the relationship between the collection
and dissemination of data, technology, the public expectation of privacy, and the
legal issues surrounding them. The challenge in data privacy is to share data while
protecting personally identifiable information. The fields of data security and
information security design and utilize software, hardware, and human resources to
address this issue. The ability to control what information one reveals about oneself
over the Internet, and who can access that information, has become a growing
concern. These concerns include whether email can be stored or read by third parties
without consent, or whether third parties can track the websites someone has visited.
Another concern is whether websites that are visited collect, store, and possibly share
personally identifiable information about users. Personally identifiable information
(PII), as used in information security, refers to information that can be used to
uniquely identify, contact, or locate a single person or can be used with other sources
to uniquely identify a single individual.

Customer information may be "user data" and/or "personal data." User data is
information collected from a customer, including:

• Any data that is collected directly from a customer (e.g., entered by the
customer via an application's user interface)
• Any data about a customer that is gathered indirectly (e.g., metadata in
documents)
• Any data about a customer's usage behaviour (e.g., logs or history)
• Any data relating to a customer's system (e.g., system configuration, IP
address)

Personal data (sometimes also called personally identifiable information) is any
piece of data that can potentially be used to uniquely identify, contact, or locate
a single person or can be used with other sources to uniquely identify a single
individual. Not all customer/user data collected by a company is personal data.
Examples of personal data include:

• Contact information (name, email address, phone, postal address)
• Forms of identification (Social Security number, driver's license, passport,
fingerprints)
• Demographic information (age, gender, ethnicity, religious affiliation,
sexual orientation, criminal record)
• Occupational information (job title, company name, industry)
• Health care information (plans, providers, history, insurance, genetic
information)
• Financial information (bank and credit/debit card account numbers,
purchase history, credit records)
• Online activity (IP address, cookies, flash cookies, log-in credentials)

A subset of personal data is defined as sensitive and requires a greater level of
control over its collection, use, disclosure, and protection. Sensitive data includes
some forms of identification such as Social Security numbers, some demographic
information, and information that can be used to gain access to financial accounts,
such as credit or debit card numbers and account numbers in combination with any
required security code, access code, or password. Finally, it is important to
understand that user data may also be personal data.
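The following Python code is an added example, not part of these notes. It applies the user / personal / sensitive split above to a customer record and masks the sensitive fields before the record is shared or logged, which is the "share data while protecting PII" problem the text describes. The field names, the sample record and the rule for which fields are sensitive are assumptions chosen for illustration; the card number is the well-known 4111... test number. The Luhn check catches a card number even when it has been pasted into a free-text field.

```python
"""Classify the fields of a customer record as user data, personal data or
sensitive data, and mask the sensitive ones before the record is shared or
written to a log.

Added example, not from the original notes. Field names, the sample record and
the sensitivity rules are assumptions made for illustration; the card number is
the well-known 4111 test number.
"""
import re
from typing import Any, Dict, Tuple

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
IPV4_RE = re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")
# 13 to 19 digits, optionally separated by spaces or hyphens, not glued to other digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names treated as personal data (they identify, contact or locate a person).
PERSONAL_FIELDS = {"name", "email", "phone", "address", "job_title", "ip_address"}
# Financial account identifiers and the codes that unlock them are sensitive.
FINANCIAL_FIELDS = {"card_number", "account_number"}
SECURITY_CODE_FIELDS = {"cvv", "pin", "password", "access_code"}


def luhn_ok(text: str) -> bool:
    """Luhn check digit test used by payment card numbers."""
    digits = re.sub(r"[ -]", "", text)
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def contains_card_number(text: str) -> bool:
    """True if any digit run in the text passes Luhn (card number in free text)."""
    return any(luhn_ok(m.group(0)) for m in CARD_RE.finditer(text))


def classify(name: str, value: Any) -> str:
    """Return 'sensitive', 'personal' or 'user' for a single field."""
    text = str(value)
    if name in SECURITY_CODE_FIELDS or name == "ssn" or SSN_RE.match(text):
        return "sensitive"
    if name in FINANCIAL_FIELDS or contains_card_number(text):
        return "sensitive"
    if name in PERSONAL_FIELDS or EMAIL_RE.match(text) or IPV4_RE.match(text):
        return "personal"
    return "user"


def last_four(text: str) -> str:
    """Keep the last four digits so support staff can still tell accounts apart."""
    digits = re.sub(r"\D", "", text)
    return "*" * max(len(digits) - 4, 0) + digits[-4:]


def mask_card_numbers(text: str) -> str:
    """Replace only Luhn-valid digit runs inside free text, leaving the rest."""
    return CARD_RE.sub(lambda m: last_four(m.group(0)) if luhn_ok(m.group(0)) else m.group(0), text)


def mask(name: str, value: Any, category: str) -> Any:
    if category != "sensitive":
        return value
    if name in SECURITY_CODE_FIELDS:
        return "[REDACTED]"                 # codes that unlock accounts: never keep any part
    text = str(value)
    if name in FINANCIAL_FIELDS or name == "ssn" or SSN_RE.match(text):
        return last_four(text)
    return mask_card_numbers(text)          # a card number found inside free text


def redact_record(record: Dict[str, Any]) -> Tuple[Dict[str, Any], Dict[str, str]]:
    """Classify every field and return (masked record, field -> category)."""
    categories = {k: classify(k, v) for k, v in record.items()}
    masked = {k: mask(k, v, categories[k]) for k, v in record.items()}
    return masked, categories


# Constructed sample record mixing all three categories.
SAMPLE = {
    "name": "A. Customer",
    "email": "a.customer@example.com",
    "ip_address": "203.0.113.7",
    "ssn": "123-45-6789",
    "card_number": "4111 1111 1111 1111",
    "cvv": "123",
    "note": "paid with 4111111111111111",   # card number leaked into free text
    "browser": "Firefox 115",
    "purchase_count": 7,
}

if __name__ == "__main__":
    masked, cats = redact_record(SAMPLE)
    for k in SAMPLE:
        print(f"{k:15s} {cats[k]:10s} {masked[k]!r}")
```

Note that the IP address and email are classified as personal but left unmasked here; whether they must also be masked before sharing depends on the jurisdiction and purpose, which is exactly the point the privacy acts above make.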

The Open Cloud Consortium


The OCC is an organization that supports the development of standards for cloud
computing and of frameworks for interoperating between clouds. It develops
benchmarks for measuring cloud computing performance; a benchmark is simply a
test that is used to compare similar products.

• It supports open-source software for cloud computing and provides on-demand
services to the public.
• It manages a testbed for cloud computing called the Open Cloud Testbed.
• It supports the development of open-source implementations of cloud
computing frameworks. MapReduce, for example, is a software framework
patented by Google that processes large distributed data sets stored in the
Google File System (GFS) on clusters of computers.
• It supports the management of cloud computing infrastructure for scientific
research and also provides on-demand computing services.

The OCC presents:

i) the consortium and its mission
ii) its agreements and governance structure
iii) management and operation of the cloud computing infrastructure
iv) management of the security and compliance required.

An open cloud lets customers freely choose which combination of services and
providers will best meet their needs over time.

The Distributed Management Task Force


The Distributed Management Task Force is a computer software trade group
that works to simplify the manageability of network-accessible technologies.

DMTF (formerly known as the Distributed Management Task Force) creates open
manageability standards spanning diverse emerging and traditional IT
infrastructures including cloud, virtualization, network, servers, and storage.
Member companies and alliance partners worldwide collaborate on standards to
improve the interoperable management of information technologies.

DMTF is a 501(c)(6) standards organization led by a diverse board of directors
from Broadcom Inc.; Cisco; Dell Technologies; Hewlett Packard Enterprise; Intel
Corporation; Lenovo; NetApp; Positivo Tecnologia S.A.; and Verizon.

• It is a non-profit standards development organization.
• Purpose: develop management standards.
• It enables more effective management of millions of IT systems worldwide by
bringing the IT industry together to collaborate on the development,
validation, and promotion of systems management standards.
• The DMTF started the Virtualization Management Initiative (VMAN).

The Open Virtualization Format (OVF) is an open standard for packaging and
distributing software applications to be run in virtual machines (VMs).

Standards

* Standards for application developers
* Standards for messaging
* Standards for security

Standards for application developers
1. Browsers (Ajax)

- Ajax is a technique, not a programming language. When Ajax is used on a
website, the page does not need to be refreshed to update its content.
- Only small amounts of data are exchanged with the server.

2. Data (XML, JSON)

- XML stands for eXtensible Markup Language.
- XML is designed to store and transport data.
- XML is designed to be both machine- and human-readable.

JSON (JavaScript Object Notation) is a lightweight data interchange format. It is
easy for humans to read and write, and easy for machines to parse and generate.

3. Solution stacks (LAMP and LAPP)

LAMP is a popular open-source solution commonly used to run dynamic websites
and servers. The acronym derives from the components it includes:

L - Linux
A - Apache
M - MySQL
P - PHP (or Perl or Python)

LAPP is the same stack with PostgreSQL in place of MySQL.

It is considered by many to be the platform of choice for the development of
high-performance web applications that require a solid and reliable foundation.
Standards for messaging
1. Simple Mail Transfer Protocol (SMTP)
2. Post Office Protocol (POP)
3. Internet Message Access Protocol (IMAP)
4. Syndication: Really Simple Syndication (RSS)
5. Atom and Atom Publishing Protocol (APP)
6. Web Services (REST)
7. SOAP
8. Communications (HTTP, SIMPLE and XMPP)

1. Post Office Protocol (POP):

Post Office Protocol (POP) is an Internet standard protocol that retrieves
email from a remote mail server for access by the host machine.

POP is an application layer protocol in the OSI (Open Systems Interconnection)
model that gives end users the ability to fetch and receive email.

Suppose a sender wants to send mail to a receiver. First the mail is transmitted
to the sender's mail server. Then the mail is transmitted from the sender's mail
server to the receiver's mail server over the Internet. On receiving the mail at
the receiver's mail server, the mail is then delivered to the user. The whole
process is done with the help of email protocols. The transmission of mail from
the sender to the sender's mail server and then to the receiver's mail server is
done with SMTP. At the receiver's mail server, POP or IMAP takes the data and
transmits it to the actual user.

2. Simple Mail Transfer Protocol (SMTP):

Simple Mail Transfer Protocol (SMTP) is a TCP/IP protocol used for sending
email from a client to a mail server and between mail servers. It is typically
used together with POP3 or IMAP, which store messages in a server mailbox and
let the user download them periodically.

SMTP is an application layer protocol. The client that wants to send mail opens
a TCP connection to the SMTP server and then sends the mail across that
connection. The SMTP server is always in listening mode on TCP port 25. After
the TCP connection is successfully established, the client process sends the
mail immediately.

The SMTP model is of two types:

1. End-to-end method
2. Store-and-forward method
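The following Python code is an added example, not part of these notes. It plays out the store-and-forward exchange described above against an in-memory server, so both sides of the dialogue (EHLO, MAIL FROM, RCPT TO, DATA, QUIT and the numeric replies) are visible, and the stored message is what POP or IMAP would later hand to the user. The domain, addresses and message are constructed, and the server's refusal to accept recipients outside its own domain (so it cannot be used as an open relay) is a policy assumed by this example rather than something the notes state.

```python
"""A store-and-forward SMTP exchange between a client and an in-memory
server, showing both sides of the dialogue the text describes.

Added example, not from the original notes. The domain, addresses and message
are constructed. The server accepts recipients only in its own domain, so it
cannot be used as an open relay; that policy is an assumption of this example.
"""
from typing import Dict, List, Optional, Tuple


class FakeSmtpServer:
    """Handles EHLO, MAIL FROM, RCPT TO, DATA and QUIT with standard reply codes."""

    def __init__(self, local_domain: str) -> None:
        self.local_domain = local_domain
        self.mailboxes: Dict[str, List[str]] = {}   # stored for later POP/IMAP pickup
        self._reset()

    def _reset(self) -> None:
        self.sender: Optional[str] = None
        self.recipients: List[str] = []
        self.in_data = False
        self.lines: List[str] = []

    def greeting(self) -> str:
        return f"220 {self.local_domain} ESMTP ready"

    def handle(self, line: str) -> str:
        """Process one client line; return the server reply ('' while in DATA)."""
        if self.in_data:
            if line == ".":
                body = "\n".join(self.lines)
                for rcpt in self.recipients:
                    self.mailboxes.setdefault(rcpt, []).append(body)
                self._reset()
                return "250 OK: queued"
            # Dot-stuffing: a body line that began with "." arrives as "..".
            self.lines.append(line[1:] if line.startswith("..") else line)
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return f"250 {self.local_domain}"
        if verb == "MAIL":
            self.sender = arg[len("FROM:"):].strip("<> ")
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL before RCPT"
            addr = arg[len("TO:"):].strip("<> ")
            if not addr.lower().endswith("@" + self.local_domain):
                return "550 Relaying denied"      # refuse to forward for foreign domains
            self.recipients.append(addr)
            return "250 OK"
        if verb == "DATA":
            if not self.recipients:
                return "503 Need RCPT before DATA"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Unrecognised command"


def send_mail(server: FakeSmtpServer, sender: str, rcpts: List[str],
              body: str) -> Tuple[bool, List[str]]:
    """Client side: drive the dialogue, return (accepted, transcript)."""
    transcript = ["S: " + server.greeting()]

    def cmd(line: str) -> str:
        transcript.append("C: " + line)
        reply = server.handle(line)
        if reply:
            transcript.append("S: " + reply)
        return reply

    cmd("EHLO client.example.net")
    cmd(f"MAIL FROM:<{sender}>")
    accepted = sum(cmd(f"RCPT TO:<{r}>").startswith("250") for r in rcpts)
    ok = False
    if accepted and cmd("DATA").startswith("354"):
        for text in body.splitlines():
            cmd("." + text if text.startswith(".") else text)   # dot-stuff on the way out
        ok = cmd(".").startswith("250")
    cmd("QUIT")
    return ok, transcript


if __name__ == "__main__":
    srv = FakeSmtpServer("example.org")
    ok, log = send_mail(srv, "alice@example.net",
                        ["bob@example.org", "eve@other.test"], "Hello Bob\n.dot line")
    print("\n".join(log))
    print("accepted:", ok, "| bob's mailbox:", srv.mailboxes.get("bob@example.org"))
```

The transcript shows the two replies a practitioner looks for: 550 on the foreign recipient, which is what distinguishes a properly configured server from an open relay, and 354 before the body, after which the server stays silent until the lone "." terminator.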

3. Internet Message Access Protocol (IMAP)

Internet Message Access Protocol (IMAP) is an application layer protocol for
retrieving email from a mail server. It was designed by Mark Crispin in 1986 as
a remote-access mailbox protocol; the current version is IMAP4. It is the most
commonly used protocol for retrieving email. The name has also been expanded
as Internet mail access protocol, Interactive mail access protocol, and Interim
mail access protocol.
Features of IMAP:
• It can manage multiple mailboxes and organize them into various categories.
• It provides message flags to keep track of which messages have been seen.
• It can inspect messages on the server (for example, their headers) and decide
whether to download them.
• It makes it easy to download media when multiple files are attached.
4. Really Simple Syndication (RSS):

RSS is a family of web feed formats used to publish frequently updated works,
such as blog entries, news headlines, audio, and video, in a standardized format.

Example: Geo News headline links.

RSS is an open method for delivering regularly changing web content. Many
news-related sites, weblogs, and other online publishers syndicate their content
as an RSS feed to whoever wants it.
Any time you want to retrieve the latest headlines from your favorite sites, you
can access the available RSS feeds via a desktop RSS reader. You can also make an
RSS feed for your own site if your content changes frequently.

In brief:

• RSS provides an open method of syndicating and aggregating web content.
• RSS is a standard for publishing regular updates to web-based content.
• RSS is a syndication standard based on a type of XML file that resides on an
Internet server.
• RSS is an XML application; RSS 1.0 conforms to the W3C's RDF specification,
and the format is extensible via XML.
• You can also pull RSS feeds from other sites to display the updated news
items on your site, or use a desktop or online reader to access your favorite
RSS feeds.

5. Atom and Atom Publishing Protocol (APP):

Atom is an XML-based document format that describes lists of related information
known as feeds. Feeds are composed of a number of items called entries, each with
an extensible set of attached metadata.

The name Atom applies to a pair of related standards:

• the Atom Syndication Format is an XML language used for web feeds and
entries
• the Atom Publishing Protocol (also referred to as AtomPub or APP) is an
HTTP-based protocol for creating and updating Atom web resources.
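The following Python code is an added example, not part of these notes. It parses an Atom feed of the kind described above into its entries, checking the elements RFC 4287 requires of every entry, and it refuses any feed that carries a DOCTYPE before the document reaches the XML parser, since an internal DTD subset is how entity-expansion attacks ("billion laughs") hit feed readers that accept XML from arbitrary publishers. The two feed documents and the example.org URLs are constructed.

```python
"""Parse an Atom feed into a list of entries, refusing documents that carry
a DOCTYPE (internal DTD subsets are how entity-expansion attacks such as
"billion laughs" reach an XML parser).

Added example, not from the original notes. The feed text and the example.org
URLs are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

ATOM = "{http://www.w3.org/2005/Atom}"

SAMPLE_FEED = """<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Federation notes</title>
  <id>tag:example.org,2024:feed</id>
  <updated>2024-05-01T10:00:00Z</updated>
  <entry>
    <title>Trusted federation</title>
    <id>tag:example.org,2024:1</id>
    <updated>2024-05-01T10:00:00Z</updated>
    <link rel="alternate" href="https://example.org/posts/1"/>
    <link rel="enclosure" href="https://example.org/posts/1.mp3"/>
    <summary>Peers must present a CA-issued certificate.</summary>
  </entry>
  <entry>
    <title>Presence engines</title>
    <id>tag:example.org,2024:2</id>
    <updated>2024-04-28T09:30:00Z</updated>
    <link href="https://example.org/posts/2"/>
  </entry>
</feed>
"""

# Constructed hostile feed: a small entity bomb declared in an internal DTD subset.
HOSTILE_FEED = """<?xml version="1.0"?>
<!DOCTYPE feed [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]>
<feed xmlns="http://www.w3.org/2005/Atom"><title>&b;</title></feed>
"""


def has_dtd(text: str) -> bool:
    """True if the document declares a DTD; such input is never handed to the parser."""
    return "<!DOCTYPE" in text


def parse_atom(text: str) -> List[Dict[str, str]]:
    if has_dtd(text):
        raise ValueError("feed contains a DOCTYPE; refusing to parse")
    root = ET.fromstring(text)
    if root.tag != ATOM + "feed":
        raise ValueError(f"not an Atom feed: root element {root.tag}")
    entries = []
    for entry in root.findall(ATOM + "entry"):
        item: Dict[str, str] = {}
        for name in ("id", "title", "updated"):   # RFC 4287 requires all three per entry
            el = entry.find(ATOM + name)
            if el is None or not (el.text or "").strip():
                raise ValueError(f"entry missing required <{name}>")
            item[name] = (el.text or "").strip()
        # The alternate link is the human-readable page; rel defaults to "alternate".
        item["link"] = ""
        for link in entry.findall(ATOM + "link"):
            if link.get("rel", "alternate") == "alternate":
                item["link"] = link.get("href", "")
                break
        summary = entry.find(ATOM + "summary")
        item["summary"] = (summary.text or "").strip() if summary is not None else ""
        entries.append(item)
    return entries


if __name__ == "__main__":
    for e in parse_atom(SAMPLE_FEED):
        print(e["updated"], e["title"], e["link"])
    print("hostile feed rejected:", has_dtd(HOSTILE_FEED))
```

The DOCTYPE check is deliberately a string test on the raw document rather than a parser option: it runs before any XML machinery sees the input, so it also covers parsers whose entity handling cannot be switched off.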

6. Web Services (REST)

Representational State Transfer (REST) is an architectural style that specifies
constraints, such as the uniform interface, that, if applied to a web service, induce
desirable properties, such as performance, scalability, and modifiability, that
enable services to work best on the Web.

7. Simple Object Access Protocol (SOAP)

SOAP, originally defined as Simple Object Access Protocol, is a specification for
exchanging structured information in the implementation of web services in computer
networks.

It relies on XML as its message format and usually relies on other application-layer
protocols, most notably Remote Procedure Call (RPC) and HTTP, for message
negotiation and transmission.

SOAP provides the Messaging Protocol layer of a web services protocol stack for web
services. It is an XML-based protocol consisting of three parts:

• an envelope, which defines the message structure and how to process it
• a set of encoding rules for expressing instances of application-defined
datatypes
• a convention for representing procedure calls and responses

SOAP has three major characteristics:

1. extensibility (security and WS-Addressing are among the extensions under
development)
2. neutrality (SOAP can operate over any protocol such as HTTP, SMTP, TCP, UDP)
3. independence (SOAP allows for any programming model)
Standards for Security
1. Security Assertion Markup Language (SAML)

Security Assertion Markup Language is a language protocol for handling
authentication and authorization in a network. It is one of various XML-based markup
languages available to help with aspects of web development and use.

Security Assertion Markup Language (SAML) is an open standard that allows identity
providers (IdP) to pass authorization credentials to service providers (SP). What that
jargon means is that you can use one set of credentials to log into many different
websites. It is much simpler to manage one login per user than it is to manage
separate logins to email, customer relationship management (CRM) software, Active
Directory, etc.

SAML transactions use Extensible Markup Language (XML) for standardized
communications between the identity provider and service providers. SAML is the link
between the authentication of a user's identity and the authorization to use a
service.

2. Open Authorization (OAuth):

OAuth is an open-standards authorization protocol or framework that describes how
unrelated servers and services can safely allow authenticated access to their assets
without actually sharing the initial, related, single logon credentials. In
authentication parlance, this is known as secure, third-party, user-agent, delegated
authorization.

OAuth (Open Authorization) is an open standard protocol for authorizing an
application to use user information. In general, it allows a third-party application
access to user-related information such as name, date of birth, email or other
required data from an application like Facebook, Google, etc. without giving the
third-party app the user's password. It is pronounced "oh-auth".

You might have seen a "login with Google" or "login with Facebook" button on the
login/signup page of a website. It makes it easier to start using the service or
website: you simply log into one of those services and grant the client application
permission to access your data without giving it your password. This is done with
OAuth.

There are 3 components in the OAuth mechanism:

1. OAuth Provider: the OAuth provider, e.g. Google, Facebook, etc.
2. OAuth Client: the website where we are sharing or authorizing the use of our
information, e.g. GeeksforGeeks etc.
3. Owner: the user whose login authorizes the sharing of information.

OAuth can be implemented via the Google console for "Login/Sign Up with Google" on a
web app.

OAuth is a method for publishing and interacting with protected data. For developers,
OAuth provides users access to their data while protecting account credentials. It
allows users to grant access to their information, which is shared between the
service provider and consumers, without sharing all of their identity.

The "Core" designation is used to stress that this is the baseline specification,
and other extensions and protocols can build on it.
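As an added example (not the notes' own code, nor any provider's), a constructed Python simulation of the three components above exchanging messages: the provider issues a single-use authorization code to the client's registered redirect URI after the owner consents, and the client redeems it with its own credentials for a token, so the owner's password never reaches the client. The client identifiers, secret and URLs are made-up values for this example.

```python
import hmac
import secrets

class OAuthProvider:
    """Toy authorization server standing in for the 'OAuth Provider' role (constructed)."""
    def __init__(self, clients):
        self.clients = clients   # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}          # authorization code -> (client_id, owner, scope)
        self.tokens = {}         # access token -> (owner, scope)

    def authorize(self, client_id, redirect_uri, scope, state, owner, consent):
        """Front channel: the owner grants or denies; a single-use code goes back via redirect."""
        if redirect_uri != self.clients[client_id][1]:
            raise PermissionError("redirect_uri does not match the registered one")
        if not consent:
            return {"error": "access_denied", "state": state}
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, owner, scope)
        return {"code": code, "state": state}   # echoed state lets the client check the callback

    def exchange(self, code, client_id, client_secret, redirect_uri):
        """Back channel: only the authenticated client can redeem the code, and only once."""
        secret, registered_uri = self.clients[client_id]
        if not hmac.compare_digest(secret, client_secret) or redirect_uri != registered_uri:
            raise PermissionError("client authentication failed")
        entry = self.codes.pop(code, None)      # pop makes a replayed code fail
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid or reused code")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (entry[1], entry[2])
        return token

    def userinfo(self, token):                  # the protected resource
        owner, scope = self.tokens[token]
        return {"owner": owner, "scope": scope}

CLIENT_ID, CLIENT_SECRET = "client-site", "client-secret"      # constructed credentials
REDIRECT_URI = "https://client.example/callback"

def login_with_provider(provider, owner, consent=True):
    """The 'OAuth Client' side of a 'Login with <provider>' button; returns profile or None."""
    state = secrets.token_urlsafe(8)            # ties the callback to this login attempt (CSRF)
    callback = provider.authorize(CLIENT_ID, REDIRECT_URI, "profile", state, owner, consent)
    if not hmac.compare_digest(state, callback["state"]):
        raise PermissionError("state mismatch: callback was not started here")
    if "code" not in callback:
        return None                             # the owner refused
    token = provider.exchange(callback["code"], CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)
    return provider.userinfo(token)
```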

3. OpenID:

OpenID is an open, decentralized standard for user authentication and access control
that allows a user to log onto many services using the same digital identity.

It is a single-sign-on (SSO) method of access control. As such, it replaces the
common log-in process (i.e., a log-in name and password) by allowing users to log in
once and gain access to resources across participating systems.

An OpenID is in the form of a unique URL and is authenticated by the entity hosting
the OpenID URL. The OpenID protocol does not rely on a central authority to
authenticate a user's identity.

A typical scenario for using OpenID might be something like this: A user visits a web
site that displays an OpenID log-in form somewhere on the page. Unlike a typical
log-in form, which has fields for user name and password, the OpenID log-in form
has only one field for the OpenID identifier (which is an OpenID URL).

This form is connected to an implementation of an OpenID client library. A user will
have previously registered an OpenID identifier with an OpenID identity provider.
The user types this OpenID identifier into the OpenID log-in form.

With OpenID 2.0, the client discovers the identity provider service URL by requesting
the XRDS document (also called the Yadis document) with the content type
application/xrds+xml, which may be available at the target URL but is always
available for a target XRI.

There are two modes by which the relying party can communicate with the identity
provider: checkid_immediate and checkid_setup.

In checkid_immediate, the relying party requests that the provider not interact with
the user. All communication is relayed through the user's browser without explicitly
notifying the user.

In checkid_setup, the user communicates with the provider server directly using the
same web browser as is used to access the relying party site. The second option is
more popular on the web.
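Added example (not from these notes or from any OpenID library): the XRDS discovery step and the construction of a checkid_immediate or checkid_setup request in Python. The XRDS document, the provider host op.example and the identifiers are constructed for this example; the openid.* parameter names are those of OpenID 2.0.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

XRD_NS = "{xri://$xrd*($v*2.0)}"                      # default namespace inside an XRDS document
OPENID2_SIGNON = "http://specs.openid.net/auth/2.0/signon"
OPENID2_NS = "http://specs.openid.net/auth/2.0"

# Constructed XRDS (Yadis) document for a fictitious provider, as it would be served
# with Content-Type application/xrds+xml; not taken from any real site.
XRDS_SAMPLE = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="20"><Type>http://example.invalid/unrelated</Type>
      <URI>https://op.example/other</URI></Service>
    <Service priority="10"><Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example/openid/endpoint</URI>
      <LocalID>https://op.example/id/alice</LocalID></Service>
  </XRD>
</xrds:XRDS>"""

def discover(xrds_text):
    """Return (op_endpoint, local_id) of the best-priority OpenID 2.0 signon service."""
    root = ET.fromstring(xrds_text)
    services = sorted(root.iter(XRD_NS + "Service"),
                      key=lambda s: int(s.get("priority", "0")))  # lower value wins
    for svc in services:
        types = {t.text.strip() for t in svc.findall(XRD_NS + "Type") if t.text}
        if OPENID2_SIGNON in types:
            return svc.findtext(XRD_NS + "URI").strip(), svc.findtext(XRD_NS + "LocalID")
    raise ValueError("no OpenID 2.0 signon service in XRDS document")

def build_auth_request(op_endpoint, claimed_id, local_id, return_to, realm, immediate=False):
    """Build the URL the relying party redirects the browser to, in either checkid mode."""
    if not return_to.startswith(realm):     # return_to must lie within the realm (no wildcards here)
        raise ValueError("return_to is outside the realm")
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "checkid_immediate" if immediate else "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": local_id or claimed_id,   # OP-local identifier from discovery, if any
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    return op_endpoint + "?" + urlencode(params)
```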

4. Secure Sockets Layer (SSL)

It provides security to the data that is transferred between web browser and server.
SSL encrypts the link between a web server and a browser, which ensures that all
data passed between them remains private and free from attack.

SSL and TLS are both cryptographic protocols used to increase security by encrypting
communication over the computer network. Secure Sockets Layer (SSL) is a standard
protocol used for the secure transmission of documents over a network. Developed by
Netscape, SSL technology creates a secure, private and integral data transmission.
SSL uses the Transmission Control Protocol (TCP) for communication.

Secure Sockets Layer protocols:

• SSL record protocol
• Handshake protocol
• Change-cipher spec protocol
• Alert protocol

TLS (Transport Layer Security)

Transport Layer Security (TLS) is a protocol that provides communication security
between client/server applications that communicate with each other over the
internet. It enables privacy, integrity, and protection for the data that is
transmitted between different nodes on the Internet. TLS is a successor to the
Secure Sockets Layer (SSL) protocol.

Transport Layer Security, or TLS, is a widely adopted security protocol designed to
facilitate privacy and data security for communications over the Internet. A primary
use case of TLS is encrypting the communication between web applications and
servers, such as web browsers loading a website. TLS can also be used to encrypt
other communications such as email, messaging, and voice over IP. Here we focus on
the role of TLS in web application security.

➢ TLS provides endpoint authentication and data confidentiality by using
cryptography.
➢ TLS authentication is one-way: the server is authenticated, because the
client already knows the server's identity.
➢ In this case, the client remains unauthenticated. At the browser level,
this means that the browser has validated the server's certificate; more
specifically, it has checked the digital signatures of the server
certificate's issuing chain of Certification Authorities (CAs).

TLS involves three basic phases:
1. Peer negotiation for algorithm support
2. Key exchange and authentication
3. Symmetric cipher encryption and message authentication

Cloud Security Challenges

1. Authentication: Authentication refers to digitally confirming the identity of the
entity requesting access to some protected information. In a traditional in-house IT
environment, authentication policies are under the control of the organization.
However, in cloud computing environments, where applications and data are accessed
over the internet, the complexity of digital authentication mechanisms increases
rapidly.

2. Authorization: Authorization refers to digitally specifying the access rights to
the protected resources using access policies. In a traditional in-house IT
environment, access policies are controlled by the organization and can be altered
at their convenience. Authorization in a cloud computing environment requires the
use of the cloud service provider's services for specifying the access policies.

3. Security of data at rest

Due to the multi-tenant environments used in the cloud, the application and
database servers of different applications belonging to different organizations can be
provisioned side-by-side increasing the complexity of securing the data. Appropriate
separation mechanisms are required to ensure the isolation between applications
and data from different organizations.

4. Security of data in motion

In traditional in-house IT environments, all the data exchanged between the
applications and users remains within the organization's control and geographical
boundaries. With the adoption of the cloud model, the applications and the data are
moved out of the in-house IT infrastructure to the cloud provider.

Therefore, appropriate security mechanisms are required to ensure the security of
data in motion.
5.Data Integrity

Data integrity ensures that the data is not altered in an unauthorized manner after
it is created, transmitted or stored. Due to the outsourcing of data storage in cloud
computing environments, ensuring integrity of data is important.

6. Auditing

Auditing is very important for applications deployed in cloud computing
environments. In traditional in-house IT environments, organizations have complete
visibility of their applications and of accesses to the protected information.

For cloud applications, appropriate auditing mechanisms are required to get
visibility into the application, data accesses and actions performed by the
application users, including mobile users and devices such as wireless laptops and
smartphones.

Software-as-a-Service Security

Cloud computing is creating not only new technologies and business operational
processes but also new security requirements and challenges, as described
previously.

As the most recent evolutionary step in the cloud service model (see Figure 6.2),
SaaS will likely remain the dominant cloud service model for the foreseeable future
and the area where the most critical need for security practices and oversight will
reside.

The technology analyst and consulting firm Gartner lists seven security issues which
one should discuss with a cloud-computing vendor:

1. Privileged user access—Inquire about who has specialized access to data, and
about the hiring and management of such administrators.

2. Regulatory compliance—Make sure that the vendor is willing to undergo external
audits and/or security certifications.

3. Data location—Does the provider allow for any control over the location of data?

4. Data segregation—Make sure that encryption is available at all stages, and that
these encryption schemes were designed and tested by experienced professionals.

5. Recovery—Find out what will happen to data in the case of a disaster. Do they
offer complete restoration? If so, how long would that take?

6. Investigative support—Does the vendor have the ability to investigate any
inappropriate or illegal activity?

7. Long-term viability—What will happen to data if the company goes out of
business? How will data be returned, and in what format?
