08 - Standard Levels of Authentication and Security for Use in Japanese Academic Cloud Services

Kazu Yamaji (National Institute of Informatics), Kouji Nishimura (Hiroshima University), Yasuhiro Nagai (Kyoto University), Hiroyuki Sato (The University of Tokyo), Motonori Nakamura (National Institute of Informatics), Tomohiro Ito (Yamagata University), Takeshi Nishimura (National Institute of Informatics), Yoshihiro Okada (Kyushu University)

A project to encourage the use of cloud computing environments in research and education was funded as a Japanese National R&D Project in 2013. The project was formally entitled “A Community-Based Approach to Building Academic Clouds as a Next-Generation ICT Environments for Universities of Japan”. Due to a general lack of standards, Japanese institutions have been hesitant to move towards cloud services despite the well-known cost and quality-of-service benefits. To fuel rapid adoption, the project set two primary targets: 1) investigate and survey the extent of computing resources required today in education, research, office work, content management service, and university management; 2) propose specific standards to be used for the development and utilization of cloud services for Japanese academic environments. The second target was further subdivided into network, security, privacy and identity management groups. This poster mainly focuses on the guidelines provided by the security and identity management groups.

The main outcome from the security group was a unified, recommended set of security policies for the utilization of cloud services. The group builds on prior international work done by NIST in the Cloud Computing Synopsis and Recommendations and work done by ENISA in the Cloud Computing Information Assurance Framework. The security group went on to define 4 levels of sensitivity for data that may be stored in a cloud environment. A corresponding security policy is applied to each importance level. The identity management group applied a corresponding level of authentication to each level of data sensitivity. The poster describes in detail how university services ended up categorized according to these 4 importance levels and the authentication methods eventually used. Our next project will define good practices around the use of multi-factor authentication and client certificates in order to improve future cloud identity and security guidelines.