Security Compliance Auditing of Identity and Access Management in the Cloud: Application to OpenStack

Cloud computing has seen a lot of interests and adoption lately. Nonetheless, the widespread adoption of cloud is still being hindered by the lack of transparency and accountability, which has traditionally been ensured through security compliance auditing techniques. Auditing in cloud, however, presents many new challenges in data collection and processing (e.g., data format inconsistency and lack of correlation due to the heterogeneity of cloud infrastructures) and in verification (e.g., prohibitive performance overhead due to the sheer scale of cloud infrastructures and their self-provisioning, elastic, and dynamic nature). In this paper, we propose a security compliance auditing framework for cloud, with special focus on identity and access management, and we implement and evaluate the framework based on OpenStack, one of the most popular cloud management systems. Our experimental results show that auditing with formal methods in large cloud environment is realistic (e.g., our auditing solution can handle 60 thousand users in less than one minute).