Cloud computing enables an on-demand network access to a shared pool of configurable computing resources. It provides scalability, flexibility, and fault resilience. Although cloud computing has becoming increasingly popular, security remains a major issue to be addressed.
A cloud provider is the owner of a cloud. A cloud may consist of many servers providing many services.
One of the most commonly used methods for accessing and managing cloud resources is through an interface called Application Programming Interface (API) offered by cloud providers. For each service request from a client application to the cloud, the API typically mandates client authentication, for which the client application uses or proves the possession of a certain secret, such as a secret access key or a private key associated with an X.509 certificate. Securing these secrets to protect cloud transactions is critical because a stolen key or an unauthorized transaction could lead to direct access to consumers' resources, which could compromise the confidentiality, integrity, and availability of the data and services hosted in the cloud. However, the secure transfer, storage, and usage of the secrets for cloud transactions through API have not been well addressed, which negatively affects the security, usability, and adoption of cloud.
A cloud provider has proposed a new identity and access management service (IAM) that allows customers to manage users and user permissions in their cloud accounts. Before this kind of service is available, a customer with multiple users either has users share the account credentials, such as secret keys, or has multiple accounts at one cloud provider. The IAM allows a customer to create groups and users for accessing the same cloud account. The customer can generate a unique secret key for each user, and manage access rights to cloud services and resources for the groups and users.
Currently creating groups and users, generating unique secret keys, and assigning access permissions involve manual key manipulations. Besides keys are in clear text. An administrator uses for example the account's secret key or his own secret key, if already created, to create a user, a unique secret key, a login credential, and permissions through the cloud API or tools provided by the cloud provider. The administrator gets the user's secret key and login credential from the cloud provider, and gives them to the user so that the user can access the cloud services or resources using the key or the login credential. Nevertheless, such manual key manipulation may be insecure and not user friendly.
There is then a need to provide a solution in order to securely obtain a newly generated secret key and login credential for a new user of an existing cloud account, to securely store the secret keys and login credentials, and to securely provide the secret keys and login credentials to the new user.