A cyber-resilient architecture for critical security services

Authentication and authorization are two of the most important services for any IT infrastructure. Taking into account the current state of affairs of cyber warfare, the security and dependability of such services is a first class priority. For instance, the correct and continuous operation of identity providers (e.g., OpenID) and authentication, authorization and accounting services (e.g., RADIUS) is essential for all sorts of systems and infrastructures. As a step towards this direction, we introduce a functional architecture and system design artifacts for prototyping fault- and intrusion-tolerant identification and authentication services. The feasibility and applicability of the proposed elements are evaluated through two distinct prototypes. Our findings indicate that building and deploying resilient and reliable critical services is an achievable goal through a set of system design artifacts based on well-established concepts in the fields of security and dependability. Additionally, we provide an extensive evaluation of both resilient RADIUS (R-RADIUS) and OpenID (R-OpenID) prototypes. We show that our solution makes services resilient against attacks without affecting their correct operation. Our results also pinpoint that the prototypes are capable of meeting the needs of small to large-scale systems (e.g., IT infrastructures with 800k to 10M users).