Chunhua Gu,Fei Luo,Ya Li,Weichao Ding

DOI: https://doi.org/10.1109/compcomm.2018.8780863

2018-01-01

Abstract:The characteristic of the cloud computing, resources sharing, determines that user behavior trustworthiness is crucial to the security of cloud resources. However, the traditional access control model (Role Based Access Control, RBAC) is only based on user identity trust and does not consider whether the user behavior is trusted or not, and the authorization mechanism is static, lacking of flexibility. Moreover, the lack of monitoring of user behavior makes it unable to timely detect and prevent the illegal operation of users. In view of the above several problems, this paper improves the traditional RBAC model, introduces the concepts of user trust evaluation and security level to the RBAC, uses the fuzzy analytic hierarchy process (FAHP) to calculate the user trust value, supervise and control the process when the user executes permissions, so as to achieve the purpose of dynamic access control based on user identity trust and behavior trust. The results of validation analysis of the improved model show that the improved RBAC model overcomes the shortcomings of the traditional RBAC model and can better protect the security of cloud resources, with small control granularity and good flexibility.

Guo-yuan LIN,Shan HE,Hao HUANG,Ji-yi WU,Wei CHEN

2012-01-01

Abstract:In view of the current popular cloud computing technology,some security problems were analyzed.Based on BLP(Bell-LaPadula) model and Biba model,using the access control technology based on behavior to dynamic adjusting scope of subject's visit,it put forward the CCACSM ( cloud omputing access control security model).The model not only guarantees the cloud computing environment information privacy and integrity,and makes cloud computing environment with considerable flexibility and practical.At last,it gives the model's part,safety justice and realization process.

Ruoyu Wu,Xinwen Zhang,Gail‐Joon Ahn,Hadi Sharifi,Haiyong Xie

IF: 56.9

2013-01-01

Science

Abstract:Organizations and enterprises have been outsourcing their computation, storage, and workflows to Infrastructure-as-a-Service (IaaS) based cloud platforms. The heterogeneity and high diversity of IaaS cloud environment demand a comprehensive and finegrained access control mechanism, in order to meet dynamic, extensible, and highly configurable security requirements of these cloud consumers. However, existing security mechanisms provided by IaaS cloud providers do not satisfy these requirements. To address such an emergent demand, we propose a new cloud service called access control as a service (ACaaS), a service-oriented architecture in cloud to support multiple access control models, with the spirit of pluggable access control modules in modern operating systems. As a proof-of-concept reference prototype, we design and implement ACaaSRBAC to provide role-based access control (RBAC) for Amazon Web Services (AWS), where cloud customers can easily integrate the service into enterprise applications in order to extend RBAC policy enforcement in AWS. We describe challenges and lessons in implementing ACaaSRBAC, demonstrate how this service can be seamlessly integrated with enterprise cloud applications, and discuss evaluation results.

Yu Zhang,Jing Chen,Ruiying Du,Lan Deng,Yang Xiang,Qing Zhou

DOI: https://doi.org/10.1109/TrustCom.2014.42

2014-01-01

Abstract:In the past few years, cloud computing has emerged as one of the most influential paradigms in the IT industry. As promising as it is, this paradigm brings forth many new challenges for data security because users have to outsource sensitive data on untrusted cloud servers for sharing. In this paper, to guarantee the confidentiality and security of data sharing in cloud environment, we propose a Flexible and Efficient Access Control Scheme (FEACS) based on Attribute-Based Encryption, which is suitable for fine-grained access control. Compared with existing state-of-the-art schemes, FEACS is more practical by following functions. First of all, considering the factor that the user membership may change frequently in cloud environment, FEACS has the capability of coping with dynamic membership efficiently. Secondly, full logic expression is supported to make the access policy described accurately and efficiently. Besides, we prove in the standard model that FEACS is secure based on the Decisional Bilinear Diffie-Hellman assumption. To evaluate the practicality of FEACS, we provide a detailed theoretical performance analysis and a simulation comparison with existing schemes. Both the theoretical analysis and the experimental results prove that our scheme is efficient and effective for cloud environment.

Fei Liu,Jing Wang,Hongtao Bai,Huiping Sun

DOI: https://doi.org/10.1109/ITNG.2015.34

2015-01-01

Abstract:As cloud computing technology develops rapidly, more convenience has been brought to users by various cloud providers with various cloud services. However, difficulty of management, especially when different access control protocols and personal information involved, has become one of barriers that inhibit the development process of cloud technology. In this paper, a user-centered ID MaaS (Identity Management as a Service) is proposed combined with a novel access control model based on trust and risk evaluation. Besides, a format-preserving encryption (FPE) method is proposed as an auxiliary scheme guaranteeing the effectiveness of access control. ID MaaS offers a solution that effectively alleviates the difficulty of realizing unified management of users' identity and information among diverse cloud service providers.

Robail Yasrab

DOI: https://doi.org/10.48550/arXiv.1804.04731

2018-04-13

Abstract:Cloud computing has brought a revolution in the field of information technology and improving the efficiency of computational resources. It offers computing as a service enabling huge cost and resource efficiency. Despite its advantages, certain security issues still hinder organizations and enterprises from it being adopted. This study mainly focused on the security of Platform-as-a-Service (PaaS) as well as the most critical security issues that were documented regarding PaaS infrastructure. The prime outcome of this study was a security model proposed to mitigate security vulnerabilities of PaaS. This security model consists of a number of tools, techniques and guidelines to mitigate and neutralize security issues of PaaS. The security vulnerabilities along with mitigation strategies were discussed to offer a deep insight into PaaS security for both vendor and client that may facilitate future design to implement secure PaaS platforms.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Ruoyu Wu,Xinwen Zhang,Gail-Joon Ahn,Hadi Sharifi,Haiyong Xie

DOI: https://doi.org/10.1109/SocialCom.2013.66

2013-01-01

Abstract:Organizations and enterprises have been outsourcing their computation, storage, and workflows to Infrastructure-as-a-Service (IaaS) based cloud platforms. The heterogeneity and high diversity of IaaS cloud environment demand a comprehensive and fine-grained access control mechanism, in order to meet dynamic, extensible, and highly configurable security requirements of these cloud consumers. However, existing security mechanisms provided by IaaS cloud providers do not satisfy these requirements. To address such an emergent demand, we propose a new cloud service called access control as a service (ACaaS), a service-oriented architecture in cloud to support multiple access control models, with the spirit of plug gable access control modules in modern operating systems. As a proof-of-concept reference prototype, we design and implement ACaaS_RBAC to provide role-based access control (RBAC) for Amazon Web Services (AWS), where cloud customers can easily integrate the service into enterprise applications in order to extend RBAC policy enforcement in AWS.

Yang Xu,Quanrun Zeng,Guojun Wang,Cheng Zhang,Ju Ren,Yaoxue Zhang

DOI: https://doi.org/10.1007/978-3-030-05345-1_31

2018-01-01

Abstract:The emerging attribute-based access control (ABAC) mechanism is an expressive, flexible, and manageable authorization technique that is particularly suitable for current distributed, inconstant and complex service-oriented scenarios. Unfortunately, the inevitable disclosure of attributes that carry sensitive information bring significant risks to users' privacy, which obstructs the further development and popularization of the ABAC severely. In this paper, we propose an effective privacy-preserving ABAC (P-ABAC) scheme to defend against privacy leakage risks of users' attributes. In the P-ABAC approach, the necessary sensitive attributes are securely handled on the service requester side by using the homomorphic encryption method for privacy protection. And meanwhile, the service provider is still able to make accurate access decisions according to the received attribute ciphertext and pre-set policies with the help of the homomorphic encryption-based secure multi-party computation techniques, while learning no privacy information. The theoretical analysis proves that our model contributes to making an efficient and effective ABAC model with the enhanced privacy-protection feature.

Yang Xu,Wuqiang Gao,Quanrun Zeng,Guojun Wang,Ju Ren,Yaoxue Zhang

DOI: https://doi.org/10.1007/978-3-319-72389-1_27

2017-01-01

Abstract:Attribute-Based Access Control (ABAC) is a promising approach for addressing intricate management requirements in dynamic and distributed environments. Nevertheless, because of lacking flexible access exception handling mechanism, rigid rules in ABAC influence the resource availability and ultimately the working efficiency. In this paper, we propose a novel fuzzy ABAC model (FABAC) that extends the ABAC with better usability. We introduce the fuzzy mechanism into decision-making process. Based on the membership grades of requests to rules and the spare credits of respective subjects, our framework permits additional requests failing in rule matching, thus enhancing the information flows in business processes. Furthermore, we develop the credit system with history-based recovery mechanism, wherein the subject’s credits and corresponding recovery rate are impacted by the past authorizations on substandard requests, for maintaining the risk of abuse under control. The analysis reveals that our model contributes to attaining better tradeoff between security and usability.

Guowei Wu,Dongze Lu,Feng Xia,Lin Yao

DOI: https://doi.org/10.48550/arXiv.1201.0205

2011-12-31

Abstract:Access control is an issue of paramount importance in cyber-physical systems (CPS). In this paper, an access control scheme, namely FEAC, is presented for CPS. FEAC can not only provide the ability to control access to data in normal situations, but also adaptively assign emergency-role and permissions to specific subjects and inform subjects without explicit access requests to handle emergency situations in a proactive manner. In FEAC, emergency-group and emergency-dependency are introduced. Emergencies are processed in sequence within the group and in parallel among groups. A priority and dependency model called PD-AGM is used to select optimal response-action execution path aiming to eliminate all emergencies that occurred within the system. Fault-tolerant access control polices are used to address failure in emergency management. A case study of the hospital medical care application shows the effectiveness of FEAC.

Networking and Internet Architecture,Distributed, Parallel, and Cluster Computing

ZHANG Jian-jun,ZHANG Qun,ZHANG Li

DOI: https://doi.org/10.3969/j.issn.1003-5060.2006.07.028

2006-01-01

Abstract:How to build an effective access control is very important to the security and reliability of the enterprise information management system(EIMS).In this paper,a kind of flexible object-oriented access control(FOOAC) model is presented based on the analysis of requirements of real access control and access control models of related information management systems,especially the role-based access control model.An access controller based on the FOOAC model is given to demonstrate the application of the model.

Yang Luo,Wu Luo,Tian Puyang,Qingni Shen,Anbang Ruan,Zhonghai Wu

DOI: https://doi.org/10.1109/cloud.2016.0017

2016-01-01

Abstract:The access control mechanisms of existing cloud systems, mainly OpenStack, fail to provide two key factors: i) centralized access mediation and ii) flexible policy customization. This situation prevents cloud administrators and end customers from enhancing their security. Furthermore, a variety of clouds have implemented their access control systems and policies in separated ways. This might confuse the customers whose businesses are built on multiple clouds, as they have to take efforts to accommodate their policies for different platforms. The OpenStack Security Modules (OSM) project has developed a least-invasive access control framework for OpenStack to enable different access control models to be implemented as loadable modules. This framework can be a good replacement of the existing permission checks in OpenStack and other platforms. We also propose an integration mechanism for multiple policies to form a single decision. This paper presents the design and implementation of OSM, including a new service called patron and an attachment module called access endpoint middleware (AEM). Experiments on the tempest benchmark indicate that OSM has improved the flexibility and security of policy management without affecting other services. Meantime, the average performance overhead remains as low as 7.3%, which is acceptable for practical use.

R. SheshadriK.,J. Lakshmi

DOI: https://doi.org/10.1109/CCGrid51090.2021.00099

2021-05-01

Abstract:Function as a Service (FaaS), a form of serverless computing, is one of the recent cloud computing service offerings, which abstracts and automates the management and provisioning of resources, and deployment of applications. It provides powerful abstractions to compose applications as stateless functions and triggers their executions through events. The platform offers autonomous scaling for applications and pay-as-you-go sub-second billing model. However, contemporary FaaS platforms provide limited features in stating resource requirements. They often lack specifications to express application specificities and resource requirements associated with Quality of Service (QoS). Such specifications can effectively guide the resource provisioning and function deployment at the resource provider, leading to efficient resource utilization and cost savings. This research exploration motivates the need for a QoS specification framework for FaaS and proposes ideas for realizing an initial QoS aware FaaS platform. Experimental results based on real-world workload trace show the cost savings and efficient resource utilization that QoS can bring in FaaS platforms.

Engineering,Computer Science

XIE Hao-hui,GAO Ji

DOI: https://doi.org/10.3969/j.issn.1001-3695.2011.05.070

2011-01-01

Abstract:Cloud computing is a computing paradigm that it assigns the computing and storing task to the cloud which is composed by a large number of computers.Cloud computing provides three types of services:infrastructure as a service,platform as a service and software as a service.While PaaS in cloud system plays a key role,there is now PaaS platform for low service coordination,lack of resources,unfriendly user interface and other issues.This paper designed and implemented PaaS platforms based on norm-governed and policy-driven autonomic model of service cooperation,which was using autonomic computing elements to achieve a collaborative self-service and was an exploratory study trying to solve the problems of existing platform to support PaaS,aiming to provide more efficient and economic development environment for the users.

Hong Mei,Jin Shao,Qianxiang Wang

DOI: https://doi.org/10.4018/ijcac.2012010101

2012-01-01

International Journal of Cloud Applications and Computing

Abstract:Platform as a Service PaaS is a typical cloud service paradigm that allows PaaS consumers to deploy and manage applications usually services to SaaS consumers. To ensure the quality of services to both PaaS consumers and SaaS consumers, PaaS must be equipped with enough monitoring and controlling ability to make runtime adjustment actions. Although most of the components in PaaS have provided their own management interface, it is hard to perform adjustment actions based on raw runtime data collected from these low level management interfaces due to the diversity and dynamics of components in PaaS. This paper proposes a model based monitoring and controlling approach for PaaS. The proposed approach masks the underlying heterogeneity of components in PaaS and presents a high level model for monitoring and controlling. The model is instantiated automatically based on pre-defined meta-model, which effectively reduces the development efforts. A monitoring and controlling framework based on this approach is designed and implemented in a practical PaaS, which shows the feasibility of the proposed approach.

Feng-Lin Li,Chi-Hung Chi

DOI: https://doi.org/10.48550/arXiv.1604.05389

2016-05-31

Abstract:With the prevalence of X-as-a-Service (e.g., software as a service, platform as a service, infrastructure as a service, etc.) and users' growing demand on good services, QoS (Quality of Service) assurance is becoming increasingly important to service delivery. Traditional service delivery mainly focuses on function or information provisioning, and does not give high priority to quality assurance. In this paper, we tackle the QoS assurance problem in a systematic way, from model to system. We first decompose traditional services into three components - namely software application, data and resource, then define models for these three kinds of basic services, and propose a set of operations for service publishing and composition. To illustrate our approach, we present a prototype system, the Platform as a Service (PaaS) system, which is developed in support of our framework and shows how QoS can be ensured through real-time monitoring and dynamic scaling (up or down).

Software Engineering

Yang Xu,Wuqiang Gao,Quanrun Zeng,Guojun Wang,Ju Ren,Yaoxue Zhang

DOI: https://doi.org/10.1155/2018/6476315

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:Attribute-based access control (ABAC) is a maturing authorization technique with outstanding expressiveness and scalability, which shows its overwhelmingly competitive advantage, especially in complicated dynamic environments. Unfortunately, the absence of a flexible exceptional approval mechanism in ABAC impairs the resource usability and business time efficiency in current practice, which could limit its growth. In this paper, we propose a feasible fuzzy-extended ABAC (FBAC) technique to improve the flexibility in urgent exceptional authorizations and thereby improving the resource usability and business timeliness. We use the fuzzy assessment mechanism to evaluate the policy-matching degrees of the requests that do not comply with policies, so that the system can make special approval decisions accordingly to achieve unattended exceptional authorizations. We also designed an auxiliary credit mechanism accompanied by periodic credit adjustment auditing to regulate expediential authorizations for mitigating risks. Theoretical analyses and experimental evaluations show that the FBAC approach enhances resource immediacy and usability with controllable risk.

Xin Pei,Huiqun Yu,Guisheng Fan

DOI: https://doi.org/10.1142/s0218194015710047

IF: 1.007

2015-01-01

International Journal of Software Engineering and Knowledge Engineering

Abstract:One primary challenge of enforcing access control in cloud computing is how to ensure access with high efficiency while preserving data security. This paper proposes a fine-grained access control method for cloud resources. The basic idea is to use XACML as access control language and to optimize policies by data fragmentation and policy refinement algorithms. Through data fragmentation, the accessible resources are divided into disjoint data blocks, and each of them will be combined with a set of policy rules. This helps to refine the policy and to avoid data leakage caused by rule conflicting on the resource intersections. Finally, the disjoint data blocks and the optimized policy are distributed in the three-layered cloud, and the decision to a request is made by rule matching on a specific resource rather than traversing the whole policy rules. Experiments show that our proposal enjoys higher efficiency in cloud-based access control.

Andrea Margheri,Massimiliano Masi,Rosario Pugliese,Francesco Tiezzi

DOI: https://doi.org/10.48550/arXiv.1612.09339

2016-12-30

Abstract:Access control systems are widely used means for the protection of computing systems. They are defined in terms of access control policies regulating the accesses to system resources. In this paper, we introduce a formally-defined, fully-implemented framework for specification, analysis and enforcement of attribute-based access control policies. The framework rests on FACPL, a language with a compact, yet expressive, syntax for specification of real-world access control policies and with a rigorously defined denotational semantics. The framework enables the automatic verification of properties regarding both the authorisations enforced by single policies and the relationships among multiple policies. Effectiveness and performance of the analysis rely on a semantic-preserving representation of FACPL policies in terms of SMT formulae and on the use of efficient SMT solvers. Our analysis approach explicitly addresses some crucial aspects of policy evaluation, as e.g. missing attributes, erroneous values and obligations, which are instead overlooked in other proposals. The framework is supported by Java-based tools, among which an Eclipse- based IDE offering a tailored development and analysis environment for FACPL policies and a Java library for policy enforcement. We illustrate the framework and its formal ingredients by means of an e-Health case study, while its effectiveness is assessed by means of performance stress tests and experiments on a well-established benchmark.

Software Engineering

Pau-Chen Cheng,Pankaj Rohatgi,Claudia Keser,Paul A. Karger,Grant M. Wagner,Angela Schuett Reninger

DOI: https://doi.org/10.1109/sp.2007.21

2007-05-01

Abstract:This paper presents a new model for, or rather a new way of thinking about adaptive, risk—based access control. Our basic premise is that there is always inherent uncertainty and risk in access control decisions that is best addressed in an explicit way. We illustrate this concept by showing how the rationale of the well—known, Bell—Lapadula model based, Multi-Level Security (MLS) access control model could be used to develop a risk-adaptive access control model. This new model is more like a Fuzzy Logic control system [9] than a traditional access control system and hence the name “Fuzzy MLS”. The long version of this paper is published as an IBM Research Report [3].