Tang Bo,Li Qi,Sandhu Ravi

DOI: https://doi.org/10.1109/PST.2013.6596058

2013-01-01

Abstract:Most cloud services are built with multi-tenancy which enables data and configuration segregation upon shared infrastructures. In this setting, a tenant temporarily uses a piece of virtually dedicated software, platform, or infrastructure. To fully benefit from the cloud, tenants are seeking to build controlled and secure collaboration with each other. In this paper, we propose a Multi-Tenant Role-Based Access Control (MT-RBAC) model family which aims to provide fine-grained authorization in collaborative cloud environments by building trust relations among tenants. With an established trust relation in MT-RBAC, the trustee can precisely authorize cross-tenant accesses to the truster's resources consistent with constraints over the trust relation and other components designated by the truster. The users in the trustee may restrictively inherit permissions from the truster so that multi-tenant collaboration is securely enabled. Using SUN's XACML library, we prototype MT-RBAC models on a novel Authorization as a Service (AaaS) platform with the Joyent commercial cloud system. The performance and scalability metrics are evaluated with respect to an open source cloud storage system. The results show that our prototype incurs only 0.016 second authorization delay for end users on average and is scalable in cloud environments.

Wenjuan Li,Lingdi Ping,Xuezeng Pan

DOI: https://doi.org/10.1109/iceie.2010.5559829

2010-01-01

Abstract:Security and interoperability is the biggest challenge to promote cloud computing currently. Trust has proved to be one of the most important and effective alternative means to construct security in distributed systems. In order to efficiently and safely construct entities' trust relationship in cloud and cross-clouds environment, this paper proposed a novel cloud trust model and a new cloud security framework. The propose trust model is domain-based. It divides one cloud provider's resource nodes into the same trust domain. It designs different trust strategies for different roles. Trust recommendation is treated as one type of cloud services just like computation or storage. Based on the proposed trust model, it introduced a novel cloud security framework with an independent trust management module. Using the proposed security model, it introduced some trust-based security mechanisms. Results of simulation experiments show that the proposed security model can achieve high transaction success rate with high trust accuracy.

Bo Tang,Ravi Sandhu,Qi Li

DOI: https://doi.org/10.1002/cpe.3446

2013-01-01

Abstract:The cloud service model intrinsically caters to multiple tenants, most obviously in public clouds but also in private clouds for large organizations. Currently most cloud service providers (CSPs) isolate user activities and data within a single tenant boundary with no or minimum cross-tenant interaction. It is anticipated that this situation will evolve soon to foster cross-tenant collaboration supported by Authorization as a Service (AaaS). At present there is no widely accepted model for cross-tenant authorization. Recently, Calero et al [12] informally presented a multi-tenancy authorization system (MTAS) which extends the well-known role-based access control (RBAC) model by building trust relations among collaborating tenants. In this paper we formalize this MTAS model and propose extensions for finer-grained cross-tenant trust. We also develop an administration model for MTAS (AMTAS). We demonstrate the utility and practical feasibility of MTAS by means of an example policy specification in XACML. We anticipate researchers will develop additional multi-tenant authorization models before eventual consolidation and unification.

SHEN Qing-ni,YANG Ya-hui,YU Xi,ZHANG Li-zhe,CHEN Zhong

2011-01-01

Abstract:Cloud Storage is a multi-tenancy shared environment,so achieving data separation between different users effectively in the platform has become one of issues most concerned by users.In this paper,we provide business users a flexible access control policy,which is built on top of RBAC(Role-based Access Control),combined with organization label and a variety of security attributes with logical combinations.First of all,it provides strict inter-enterprise data isolation on cloud storage,ensuring that business users could not access data which doesn't belong to their organization.Moreover,it provides proper separation of organization internal data.Business users could customize the policy flexibly according to their own security requirements,isolating data from different sectors or geographical area.Finally,the policy provides a mechanism for corporations to share data on cloud storage by introducing the concept of "virtual organization",and guarantee companies with the same conflict set of interest could not be allowed to share data through traditional Chinese Wall Policy.This paper presents the design and implementation of a prototype based Hadoop distributed file system(HDFS),including security label,security policy,security decision module,enforcement procedure of security decision and user command interface.Then it analyzes the effectiveness and performance of the security mechanisms with experiments.The result shows that the policy meets the security requirement well and loss of system run-time performance is within an acceptable range.

Quratulain Alam,Saif U. R. Malik,Adnan Akhunzada,Kim-Kwang Raymond Choo,Saher Tabbasum,Masoom Alam

DOI: https://doi.org/10.1109/tifs.2016.2646639

IF: 7.231

2017-06-01

IEEE Transactions on Information Forensics and Security

Abstract:Sharing of resources on the cloud can be achieved on a large scale, since it is cost effective and location independent. Despite the hype surrounding cloud computing, organizations are still reluctant to deploy their businesses in the cloud computing environment due to concerns in secure resource sharing. In this paper, we propose a cloud resource mediation service offered by cloud service providers, which plays the role of trusted third party among its different tenants. This paper formally specifies the resource sharing mechanism between two different tenants in the presence of our proposed cloud resource mediation service. The correctness of permission activation and delegation mechanism among different tenants using four distinct algorithms (activation, delegation, forward revocation, and backward revocation) is also demonstrated using formal verification. The performance analysis suggests that the sharing of resources can be performed securely and efficiently across different tenants of the cloud.

Chao-sheng FENG,Zhi-guang QIN,Ding YUAN,Yu QING

DOI: https://doi.org/10.3969/j.issn.0372-2112.2015.02.017

2015-01-01

Abstract:The loss of on-board domain and appearance of multi-tenant context bring some new problems and challenges to access control .In this paper ,these problems are listed and the reasons are analyzed first .And then ,aiming at these problems ,the corresponding solutions and techniques are introduced in terms of identity provision ,authentication ,authorization ,identity federation and single sign-on .Next ,latest works about access control of cloud computing are reviewed in terms of access control models ,at-tribute based access control of cipher text ,and access control of outsourcing data .At last ,the trend of study on access control of cloud computing is analyzed and predicted .

Guo-yuan LIN,Shan HE,Hao HUANG,Ji-yi WU,Wei CHEN

2012-01-01

Abstract:In view of the current popular cloud computing technology,some security problems were analyzed.Based on BLP(Bell-LaPadula) model and Biba model,using the access control technology based on behavior to dynamic adjusting scope of subject's visit,it put forward the CCACSM ( cloud omputing access control security model).The model not only guarantees the cloud computing environment information privacy and integrity,and makes cloud computing environment with considerable flexibility and practical.At last,it gives the model's part,safety justice and realization process.

Pengfei Sun,Qingni Shen,Liang Gu,Yangwei Li

DOI: https://doi.org/10.1109/anthology.2013.6784967

2013-01-01

Abstract:Virtualization technologies enable multi-tenancy cloud business models by providing a scalable, shared resource platform for all tenants. Computing capacity, storage, and network are shared between multi-tenants. However, placing different customers' workloads on the same virtualization platform may lead to security vulnerabilities, which include the failure of mechanisms separating storage, memory, routing, and even reputation between different tenants of the shared infrastructure. The co-location of many customers inevitably causes conflict for the cloud provider as customers' communication security requirements are likely to be divergent from each other. In this paper, we introduce Multi-lateral Security concept to multi-tenancy cloud platform. It is difficult to analyze policies defined by consumers in the same virtualization platform in order to guarantee configuration stability given that policies may have conflicts leading to unpredictable effects. We present the Multilateral Security Architecture for Virtualization platform (VPMS) which enables the multilateral security for consumers.

Yu-Ding WANG,Jia-Hai YANG,Cong XU,Xiao LING,Yang YANG

DOI: https://doi.org/10.13328/j.cnki.jos.004820

2015-01-01

Abstract:With the intensive and large scale development of cloud computing, security becomes one of the most important problems. As an important part of security domain, access control technique is used to limit users' capability and scope to access data and ensure the information resources not to be used and accessed illegally. This paper focuses on the state-of-the-art research of access control technology in cloud computing environment. First, it briefly introduces access control theory, and discusses the access control framework in cloud computing environment. Then, it thoroughly surveys the access control problems in cloud computing environment from three aspects including cloud access control model, cloud access control based on ABE (attribute-based encryption) cryptosystem, and multi-tenant and virtualization access control in cloud. In addition, it probes the best current practices of access control technologies within the major cloud service providers and open source cloud platforms. Finally, it summarizes the problems in the current research and prospects the development of future research.

Mang Su,Anmin Fu,Yan Yu,Guozhen Shi

DOI: https://doi.org/10.1109/trustcom.2016.0299

2016-01-01

Abstract:More and more people prefer to obtain information from cloud. Different users tend to access different resources they interested at anytime across different networks by a variety of equipments. As same as the traditional management of file, the lifecycle theory is still suitable the electronic data in cloud computing. Firstly, we analyze the motivation of access control in cloud, and summarize the security requirements for the data management in the whole lifecycle. Second, we propose a resource-centric dynamic adaptive access control model (RCDA), which is extended from the action-based access control (ABAC). RCDA is able to describe other access control models through the way of customization. Furthermore, we give the scheme for implementation of RCDA. Finally, we make the comparisons between the RCDA and other existing models, and the results indicate that RCDA is able to satisfy the security requirements for the whole lifecycle of data by adaptively adjusting the access control policies.

Mounira Msahli,Xiuzhen Chen,Ahmed Serhrouchni

DOI: https://doi.org/10.1109/ICEBE.2014.56

2014-01-01

Abstract:The centerpiece of an efficient Cloud security architecture is a well-defined access control policy. In literature we can find several access control models such as the Mandatory Access Control (MAC), Discretionary Access Control (DAC), Role-Based Access Control (RBAC) and the latest one Usage Control Authorization, oBligation and Condition (UCONABC). The UCONABC is very suitable for the context of distributed systems like cloud computing but it doesn't give any implementation method. In this paper we define the profile centric model using graph formalism and its implementation using matrix. We define the profile as the combination of all possible authorization, obligation, condition, role, etc... and other access parameters like attributes that we can found in Cloud system. We discuss its application using three matrixes (profile definition, profile inheritance and user assignment). Profile centric modeling is an optimum paradigm to define access control policy in complex distributed and elastic system like cloud computing. The proposed solution is validated and implemented over Hadoop distributed file system in the context of Safe Box as a service.

JIN Shi-jian,CAI Hong-ming,JIANG Li-hong

DOI: https://doi.org/10.3969/j.issn.1001-3695.2013.07.054

2013-01-01

Abstract:In order to control accessing to system resources in isolation and to manage requests from different group of users uniformly,this paper proposed the multi-tenant service oriented access control(MSOAC) model.It firstly analyzed the relationship among elements of business model,and identified the organization model,and related resource models.After that it transformed business model into MSOAC model,and then built the access control module to configure and run the model.Lastly,it examined the feasibility and correctness of the model using transportation and logistics information platform.The result shows that the MSOAC model can properly be used to provide a simple and flexible access control solution in multi-tenant environment.

Ruoyu Wu,Xinwen Zhang,Gail‐Joon Ahn,Hadi Sharifi,Haiyong Xie

IF: 56.9

2013-01-01

Science

Abstract:Organizations and enterprises have been outsourcing their computation, storage, and workflows to Infrastructure-as-a-Service (IaaS) based cloud platforms. The heterogeneity and high diversity of IaaS cloud environment demand a comprehensive and finegrained access control mechanism, in order to meet dynamic, extensible, and highly configurable security requirements of these cloud consumers. However, existing security mechanisms provided by IaaS cloud providers do not satisfy these requirements. To address such an emergent demand, we propose a new cloud service called access control as a service (ACaaS), a service-oriented architecture in cloud to support multiple access control models, with the spirit of pluggable access control modules in modern operating systems. As a proof-of-concept reference prototype, we design and implement ACaaSRBAC to provide role-based access control (RBAC) for Amazon Web Services (AWS), where cloud customers can easily integrate the service into enterprise applications in order to extend RBAC policy enforcement in AWS. We describe challenges and lessons in implementing ACaaSRBAC, demonstrate how this service can be seamlessly integrated with enterprise cloud applications, and discuss evaluation results.

Mang SU,Guozhen SHI,Anmin FU,Yan YU,Wei JIN

2018-01-01

Abstract:Cloud computing is one of the space-ground integration information network applications.Users can access data and retrieve service easily and quickly in cloud.The confidentiality and integrity of the data cloud have a direct correspondence to data security of the space-ground integration information network.Thus the data in cloud is transferred with encrypted form to protect the information.As an important technology of cloud security,access control should take account of multi-factor and cipher text to satisfy the complex requirement for cloud data protection.Based on this,a proxy re-encryption based multi-factor access control (PRE-MFAC) scheme was proposed.Firstly,the aims and assumptions of PRE-MFAC were given.Secondly,the system model and algorithm was defined.Finally,the security and properties of PRE-MFAC were analyzed.The proposed scheme has combined the PRE and multi-factor access control together and realized the multi-factor permission management of cipher text in cloud.Meanwhile,it can make the best possible use of cloud in computing and storing,then reduce the difficulty of personal user in cryptographic computing and key managing.

Ruoyu Wu,Xinwen Zhang,Gail-Joon Ahn,Hadi Sharifi,Haiyong Xie

DOI: https://doi.org/10.1109/SocialCom.2013.66

2013-01-01

Abstract:Organizations and enterprises have been outsourcing their computation, storage, and workflows to Infrastructure-as-a-Service (IaaS) based cloud platforms. The heterogeneity and high diversity of IaaS cloud environment demand a comprehensive and fine-grained access control mechanism, in order to meet dynamic, extensible, and highly configurable security requirements of these cloud consumers. However, existing security mechanisms provided by IaaS cloud providers do not satisfy these requirements. To address such an emergent demand, we propose a new cloud service called access control as a service (ACaaS), a service-oriented architecture in cloud to support multiple access control models, with the spirit of plug gable access control modules in modern operating systems. As a proof-of-concept reference prototype, we design and implement ACaaS_RBAC to provide role-based access control (RBAC) for Amazon Web Services (AWS), where cloud customers can easily integrate the service into enterprise applications in order to extend RBAC policy enforcement in AWS.

Xin Pei,Huiqun Yu,Guisheng Fan

DOI: https://doi.org/10.1142/s0218194015710047

IF: 1.007

2015-01-01

International Journal of Software Engineering and Knowledge Engineering

Abstract:One primary challenge of enforcing access control in cloud computing is how to ensure access with high efficiency while preserving data security. This paper proposes a fine-grained access control method for cloud resources. The basic idea is to use XACML as access control language and to optimize policies by data fragmentation and policy refinement algorithms. Through data fragmentation, the accessible resources are divided into disjoint data blocks, and each of them will be combined with a set of policy rules. This helps to refine the policy and to avoid data leakage caused by rule conflicting on the resource intersections. Finally, the disjoint data blocks and the optimized policy are distributed in the three-layered cloud, and the decision to a request is made by rule matching on a specific resource rather than traversing the whole policy rules. Experiments show that our proposal enjoys higher efficiency in cloud-based access control.

Jianting Ning,Xinyi Huang,Willy Susilo,Kaitai Liang,Ximeng Liu,Yinghui Zhang

DOI: https://doi.org/10.1109/tdsc.2020.3011525

2020-01-01

Abstract:Cloud-based data storage service has drawn increasing interests from both academic and industry in the recent years due to its efficient and low cost management. Since it provides services in an open network, it is urgent for service providers to make use of secure data storage and sharing mechanism to ensure data confidentiality and service user privacy. To protect sensitive data from being compromised, the most widely used method is encryption. However, simply encrypting data (e.g., via AES) cannot fully address the practical need of data management. Besides, an effective access control over download request also needs to be considered so that Economic Denial of Sustainability (EDoS) attacks cannot be launched to hinder users from enjoying service. In this article, we consider the dual access control, in the context of cloud-based storage, in the sense that we design a control mechanism over both data access and download request without loss of security and efficiency. Two dual access control systems are designed in this article, where each of them is for a distinct designed setting. The security and experimental analysis for the systems are also presented.

Xin Pei,Huiqun Yu,Guisheng Fan

DOI: https://doi.org/10.18293/seke2015-37

2015-01-01

Abstract:One primary challenge of applying access control methods in cloud computing is to ensure data security while supporting access efficiency, particularly when adopting multiple access control policies.Many existing works attempt to propose suitable frameworks and schemes to solve the problems, however, these proposals only satisfy specified use cases.In this paper, we take XACML as the policy language and build up a logical model.Based on this, we introduce the fine-grained data fragment algorithm to optimize the policies, whose resource property represents physical meaningful data blocks.Data are organized in a tree structure, where each leaf node represents a minimal physical meaningful data block, and internal nodes are combined data types.This method can eliminate conflicts and redundancies among rules and policies, thus to refine the policy set and achieve fine-grained access control.Our approach can also be applied to processing multi-types of data, and experiments are carried out to show the improvements of efficiencies.

Yuding WANG,Jiahai YANG

DOI: https://doi.org/10.16511/j.cnki.qhdxxb.2017.26.059

2017-01-01

Abstract:The key cloud computing characteristics,such as data openness,elasticity,and sharing,complicate data access control.Traditional access control models cannot provide flexible,dynamic access control to large numbers of users with massive data files.This paper presents a data access control model based on the data's role and attribute for cloud computing.An attribute element is assigned to the data to provide role-based access control so that users can be assigned roles based on their own attributes and the tenant's attributes and current status,and can access data with different attributes.The paper illustrates the design of this model and the work processes and provides a theoretical security analysis.The results show that the model can provide dynamic,safe,fine grained access control for users accessing data in a cloud environment.

Niu Shaozhang,Tu Shanshan,Huang Yongfeng

DOI: https://doi.org/10.1049/cje.2015.07.015

IF: 1.019

2015-01-01

Chinese Journal of Electronics

Abstract:Cloud computing services have got rapid development in the field of the lightweight terminal, especially wireless communications. The comprehensive access control system framework is proposed for the cloud. A kind of access control scheme based on attribute encryption is designed, in which lightweight devices can safely use cloud computing resources to outsource encrypt/decrypt operations, and not worry for exposing terminal sensitive data. The scheme is verified by performance evaluation about the security, computing, storage, to ensure the legitimate interests of users in the cloud.