Journal of Network and Systems Management, Volume 20, Issue 4, pp 513–533

A Metric-Based Approach to Assess Risk for “On Cloud” Federated Identity Management

  • Patricia Arias-Cabarcos
  • Florina Almenárez-Mendoza
  • Andrés Marín-López
  • Daniel Díaz-Sánchez
  • Rosa Sánchez-Guerrero


The cloud computing paradigm is set to become the next explosive revolution on the Internet, but its adoption is still hindered by security problems. One of the fundamental issues is the need for better access control and identity management systems. In this context, Federated Identity Management (FIM) is identified by researchers and experts as an important security enabler, since it will play a vital role in allowing the global scalability that is required for the successful deployment of cloud technologies. However, current FIM frameworks are limited by the complexity of the underlying trust models that need to be put in place before inter-domain cooperation can take place. Thus, the establishment of dynamic federations between the different cloud actors is still a major research challenge that remains unsolved. Here we show that risk evaluation must be considered a key enabler in evidence-based trust management, so that cloud providers belonging to unknown administrative domains can collaborate in a secure manner. In this paper, we analyze the Federated Identity Management process and propose a taxonomy that helps classify the risks involved, in order to mitigate vulnerabilities and threats when decisions about collaboration are made. Moreover, a set of new metrics is defined to allow a novel form of risk quantification in these environments. Other contributions of the paper include the definition of a generic hierarchical risk aggregation system, and a descriptive use case in which the risk computation framework is applied to enhance cloud-based service provisioning.


Keywords: Trust management; Cloud computing; Risk assessment metrics; SAML; Federation



Acknowledgments: This work was supported in part by the Spanish Ministry of Science and Innovation under the project CONSEQUENCE (TEC2010-20572-C02-01). The authors would like to thank the anonymous reviewers for their valuable comments and suggestions to improve the quality of this paper.



Copyright information

© Springer Science+Business Media, LLC 2012

Authors and Affiliations

  • Patricia Arias-Cabarcos (1)
  • Florina Almenárez-Mendoza (1)
  • Andrés Marín-López (1)
  • Daniel Díaz-Sánchez (1)
  • Rosa Sánchez-Guerrero (1)

  1. Department of Telematics Engineering, University Carlos III of Madrid, Leganés, Madrid, Spain
