National Digital Library of Theses and Dissertations in Taiwan

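Author: Chao-Chi Huang (黃昭棋)
Thesis title: A Federated Identity Assurance and Access Management System for Cloud Computing (一個應用於雲端運算的聯邦式身份確保與存取管理系統)
Advisor: 陳英一
Oral defense committee: 陳偉銘, 陳俊良, 顏嗣鈞, 雷欽隆, 郭斯彥
Oral defense date: 2011-07-07
Degree: Doctoral
Institution: National Taipei University of Technology
Department: Graduate Institute of Mechanical and Electrical Engineering
Discipline: Engineering
Field category: Mechanical Engineering
Thesis type: Academic thesis
Year of publication: 2011
Graduation academic year: 99
Language: Chinese
Number of pages: 76
Keywords: Cloud Computing; Federated Identity Management; Assurance Management; Identity and Access Management (IAM)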
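Today's cloud computing technology, in addition to providing integration mechanisms that adapt to demand, also provides service-oriented mechanisms for infrastructure, platform resources, and applications. As these programs are turned into services, many issues are being discussed:

‧ How can IT cost and complexity be reduced while also shortening the time needed to respond to demand?
‧ How can corporate security policies be enforced and regulatory principles followed while still offering open access to services?
‧ How can the customer experience be improved while providing secure access to information and services?

In addition, security is a very important issue in cloud computing. When cloud services are adopted, the trust relationships between organizational units become dynamic, which easily leads to situations that the IT department finds hard to control. This thesis focuses on the technical problems faced when carrying out Identity and Access Management (IAM) processes in a cloud computing environment, including:

1. Identity Provisioning Management under a cloud computing architecture
2. Authentication and Authorization Management under a cloud computing architecture
3. Federated Identity Management under a cloud computing architecture
4. Assurance Management under a cloud computing architecture

The architecture proposed in this thesis allows an organizational unit to authenticate users who want to use cloud services through its designated identity provider (IdP). We have completed a federated identity assurance and access management system for cloud computing, and we hope that this system provides a reference model for identity and access management systems in cloud environments.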


Cloud computing is a style of computing in which dynamically scalable and often virtualized resources are provided as a service over the Internet. However, cloud computing services are still in a developmental stage; cloud computing best practices are evolving, and security is still a major concern. Furthermore, the traditional Identity and Access Management (IAM) approach cannot fit into a cloud computing platform, because the enterprise does not control the cloud service provider’s IAM practices and has even less influence over strict security practices.

The system provides a solution for a Federated Identity Assurance and Access Management System in the Identity and Access Management (IAM) process for a cloud computing environment. The Federated Identity Manager described in this paper has been implemented. It supports cross-domain single sign-on (CD SSO) and interchanges access control information with partners, reflecting trust relationships. Four subsystems have been successfully implemented in the proposed Management System: Identity Provisioning Module, Authentication and Authorization Management Module, Federated Identity Management Module, and Assurance Management Module. The results of this research can offer a better security service management framework for large-scale cloud security services.


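Table of Contents

Abstract (Chinese)
ABSTRACT
Acknowledgements
Table of Contents
List of Tables
List of Figures
Chapter 1 Introduction
1.1 Research Background
1.2 Research Motivation and Objectives
1.3 Current State of Research in Taiwan and Abroad
1.4 Thesis Structure
Chapter 2 Related Research and Core Technologies
2.1 Cloud Security Model
2.2 Federated Identity and Trust Management
Chapter 3 Design of the Federated Identity Assurance and Access Management System
3.1 Federated Identity Management Architecture Design
3.2 Federated Single Sign-On Module Design
3.3 Federation Service Modules Design
3.4 Provisioning Services Module Design
3.5 Web Services Management Module Design
Chapter 4 System Implementation and Case Study
4.1 System Implementation and Case Study
4.2 Authentication Service Implementation Method
4.3 Authorization Service Implementation Method
4.4 Automated Login Design Method
4.5 Study of a Process-Based Security Management Module
Chapter 5 Conclusions and Outlook
5.1 Conclusions and Outlook
References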




