Xiao-Yong Li,Yong Shi,Yu Guo,Wei Ma

DOI: https://doi.org/10.1109/cise.2010.5677061

2010-01-01

Abstract:Though cloud computing has many advantages, it still faces a big challenge of security and privacy problem. This problem is also an obstacle to cloud computing since no one is willing to run his businesses in facilities he has no control over it. Moreover, since cloud computing is a multi-tenancy IT service mode, there should be a capability to compartmentalize different customers in cloud facilities; therefore, security duty separation between CSP and customers must be supported in cloud. However, this security duty separation is not common in traditional security mechanisms. Multi-tenancy based access control model (MTACM) was designed to embed the security duty separation principle in cloud; it was a two granule level access control mechanism, one was tenant granule for CSP to compartmentalize different customers, the other was application granule for customers to control the access to their own applications. MTACM was technically and practically feasible. A prototype introduced in this paper showed that MTACM has a good performance.

Xin Pei,Huiqun Yu,Guisheng Fan

DOI: https://doi.org/10.18293/seke2015-37

2015-01-01

Abstract:One primary challenge of applying access control methods in cloud computing is to ensure data security while supporting access efficiency, particularly when adopting multiple access control policies.Many existing works attempt to propose suitable frameworks and schemes to solve the problems, however, these proposals only satisfy specified use cases.In this paper, we take XACML as the policy language and build up a logical model.Based on this, we introduce the fine-grained data fragment algorithm to optimize the policies, whose resource property represents physical meaningful data blocks.Data are organized in a tree structure, where each leaf node represents a minimal physical meaningful data block, and internal nodes are combined data types.This method can eliminate conflicts and redundancies among rules and policies, thus to refine the policy set and achieve fine-grained access control.Our approach can also be applied to processing multi-types of data, and experiments are carried out to show the improvements of efficiencies.

Xin Pei,Huiqun Yu,Guisheng Fan

DOI: https://doi.org/10.1142/s0218194015710047

IF: 1.007

2015-01-01

International Journal of Software Engineering and Knowledge Engineering

Abstract:One primary challenge of enforcing access control in cloud computing is how to ensure access with high efficiency while preserving data security. This paper proposes a fine-grained access control method for cloud resources. The basic idea is to use XACML as access control language and to optimize policies by data fragmentation and policy refinement algorithms. Through data fragmentation, the accessible resources are divided into disjoint data blocks, and each of them will be combined with a set of policy rules. This helps to refine the policy and to avoid data leakage caused by rule conflicting on the resource intersections. Finally, the disjoint data blocks and the optimized policy are distributed in the three-layered cloud, and the decision to a request is made by rule matching on a specific resource rather than traversing the whole policy rules. Experiments show that our proposal enjoys higher efficiency in cloud-based access control.

Sara Alayda,Najad.A. Almowaysher,Mamoona Humayun,NZ Jhanjhi

DOI: https://doi.org/10.37624/ijert/13.11.2020.3404-3414

2020-01-01

International Journal of Engineering Research and Technology

Abstract:Access control is essential to protect data and system resources by preventing unauthorized access.Cloud computing ensures that users get benefit from such resources by following their requests.Hence, users can access applications, programs, and storage.Data security is a significant concern to be dealt with in the cloud computing area.The dispersion of data across multiple storage devices in cloud computing and abundant access from heterogeneous devices pose serious security threats.Therefore, the protection of data and resources using proper access control mechanisms is a critical task for cloud service providers.Various access control approaches and models for cloud computing have been suggested in existing research , however; security breaches in these approaches cause great threats for cloud service providers.Based on the analysis of existing works, we proposed that the combination of multiple approaches is the best solution to ensure access control according to users' requirements and to the network conditions.Hence, concerning the analysis conducted on related works, we propose a hybrid approach based on the Attribute-based-Access-control and Role-Based-Access-Control models.Our approach combines the best features of these models and ensures both security and flexibility.Compared to the conventional models, the proposed approach defines different security levels via the assignment of a different number of attributes for each role by guaranteeing the least privilege concept.

Zhang Jiawei,Lu Ning,Ma Jianfeng,Wang Ruixiao,Shi Wenbo

DOI: https://doi.org/10.1007/s11036-021-01839-w

2021-01-01

Mobile Networks and Applications

Abstract:Cloud operating system (Cloud OS) is the heart of cloud management platform that takes control of various cloud resources. Therefore, it attracts numerous attacks, especially unauthorized access. Many existing works adopt role-based access control (RBAC) model for Cloud OS access control and token-based approaches as user credentials of sessions or transactions between users and cloud, but they fail to resist privilege abuse caused by RBAC policy rules tampering or token hijacking. To addresses this challenging problem, we propose a secure access control framework suitable for resource-centric Cloud OS. For one thing, we propose a new authorization model with cryptographically protected RBAC policy rules. To solve the policy decision problem caused by encrypted policy rules in this model, an approach is developed to transform it into permission searching problem and we further propose a policy decision scheme based on this. For another thing, we achieve user token unlinkability and token-replay-attack resistance by introducing randomization mechanism and leveraging one-show token technique. A proof of concept implementation has been developed and the proposed scheme is proven secure and efficient by security analysis and the performance evaluation.

Wenfang Zhao,Fei Gao

DOI: https://doi.org/10.1109/ccis.2012.6664411

2012-01-01

Abstract:Cloud Environment is a platform shared by multi-tenants from different credible domains, thus achieving data sharing safely and effectively has been a great concern to legitimate users. In this paper, we provide a flexible access control strategy which is based on the RBAC (Role-based Access Control) model, and is integrated with a series of security attributes and organization labels for enterprise applications. This strategy subdivides the roles and their corresponding permissions into smaller fractions so as to realize the dynamic performance and fine-grained assignment of an application on the assumption of the reliance of the Third Party. Finally, an analysis combined with one actual implementation is provided to show its effectiveness and practicality in the process of access control while applied in the enterprise-like corporation systems.

Zhuo Tang,Juan Wei,Ahmed Sallam,Kenli Li,Ruixuan Li

DOI: https://doi.org/10.1007/978-3-642-30767-6_24

2012-01-01

Abstract:Access Control is an important component of Cloud Computing; specially, User access control management; however, Access Control in Cloud environment is different from traditional access environment and using general access control model can't cover all entities within Cloud Computing, noting that Cloud environment includes different entities such as data owner, end user, and service provider. In this paper, we propose a new access control based on Role-based access control (RBAC) model. This model includes two kind of roles, user role (UR) and owner role (OR); such that, Users get credential from owners to communicate with service provider and to get access permissions of resources. We also discuss the aspects of user access control management, such as authentication, privilege management, and deprovisioning. Moreover, we use administrative scope to update hierarchy when there is a role added or revoked to simplify the user access control management. By applying the model in Cloud environment the results shows that it can reduce the security problems to two classes in the RT [←,∩] role-based trust-management language with a test-paper system.

Wei-Tek Tsai,Qihong Shao

DOI: https://doi.org/10.1109/ISADS.2011.21

2011-01-01

Abstract:In cloud computing, security is an important issue due to the increasing scale of users. Current approaches to access control on clouds do not scale well to multi-tenancy requirements because they are mostly based on individual user IDs at different granularity levels. However, the number of users can be enormous and causes significant overhead in managing security. RBAC (Role-Based Access Control) is attractive because the number of roles is significantly less, and users can be classified according to their roles. This paper proposes a RBAC model using a role ontology for Multi-Tenancy Architecture (MTA) in clouds. The ontology is used to build up the role hierarchy for a specific domain. Ontology transformation operations algorithms are provided to compare the similarity of different ontology. The proposed framework can ease the design of security system in cloud and reduce the complexity of system design and implementation.

Mang Su,Anmin Fu,Yan Yu,Guozhen Shi

DOI: https://doi.org/10.1109/trustcom.2016.0299

2016-01-01

Abstract:More and more people prefer to obtain information from cloud. Different users tend to access different resources they interested at anytime across different networks by a variety of equipments. As same as the traditional management of file, the lifecycle theory is still suitable the electronic data in cloud computing. Firstly, we analyze the motivation of access control in cloud, and summarize the security requirements for the data management in the whole lifecycle. Second, we propose a resource-centric dynamic adaptive access control model (RCDA), which is extended from the action-based access control (ABAC). RCDA is able to describe other access control models through the way of customization. Furthermore, we give the scheme for implementation of RCDA. Finally, we make the comparisons between the RCDA and other existing models, and the results indicate that RCDA is able to satisfy the security requirements for the whole lifecycle of data by adaptively adjusting the access control policies.

Xinfeng Ye,Bakh Khoussainov

DOI: https://doi.org/10.1504/IJGUC.2013.056252

2013-01-01

Abstract:Fine-grained access control schemes are commonly used in cloud computing. In this type of schemes, each data item is given its own access control policy. The entity that wants to access the data item needs to provide its credentials to a policy enforcer. In a cloud environment, normally, the policy enforcer is not the owner of the data. The access control policies and the credentials might reveal some information that the policy enforcer is not entitled to know. This paper proposes a fine-grained access control scheme. It prevents the policy enforcers from comprehending the access control policies and the entities' credentials by using cryptographic techniques. Compared with the existing schemes, the proposed scheme provides higher level privacy.

Xiao-guang HAN,Xuan-xia YAO,Wu QU,Yan-feng SUO

DOI: https://doi.org/10.3969/j.issn.1671-1815.2014.29.044

2014-01-01

Abstract:In the cloud computing environment,access control is on-demand and it requires users under control when accessing different resources. Based on the theory of role-based access control( RBAC),OURBAC is presented according to the characteristic. It is a new access control model based on role access of users and objects. Access permission rules of authority judgment for specific user are also designed. The algorithm used in OURBAC model made the cloud resource access control be further refined,and significantly reduced the number of roles in the system to improving the operation system efficiency and safety effectively. Based on the actual implementation of application,the implementation process of OURBAC model is designed and the security of the algorithm is analyzed.

Fangbo Cai,Nafei Zhu,Jingsha He,Pengyu Mu,Wenxin Li,Yi Yu

DOI: https://doi.org/10.1007/s10586-018-1850-7

2018-01-01

Cluster Computing

Abstract:Access control is an important measure for the protection of information and system resources to prevent illegitimate users from getting access to protected objects and legitimate users from attempting to access the objects in ways that exceed what they are allowed. The restriction placed on access from a subject to an object is determined by the access policy. With the rapid development of cloud computing, cloud security has increasingly become a common concern and should be dealt with seriously. In this paper, we survey access control models and policies in different application scenarios, especially for cloud computing, by following the development of the internet as the main line and by examining different network environments and user requirements. Our focus in the survey is on the relationships among different models and technologies along with the application scenarios as well as the pros and cons of each model. Special attention will be placed on access control for cloud computing, which is reflected in the summaries of the access control models and methods. We also identify some emerging issues of access control and point out some future research directions for cloud computing.

Hanene Boussi Rahmouni,Kamran Munir,Mohammed Odeh,Richard McClatchey

DOI: https://doi.org/10.48550/arXiv.1202.5482

2012-11-13

Abstract:There is widespread agreement that cloud computing have proven cost cutting and agility benefits. However, security and regulatory compliance issues are continuing to challenge the wide acceptance of such technology both from social and commercial stakeholders. An important facture behind this is the fact that clouds and in particular public clouds are usually deployed and used within broad geographical or even international domains. This implies that the exchange of private and other protected data within the cloud environment would be governed by multiple jurisdictions. These jurisdictions have a great degree of harmonisation; however, they present possible conflicts that are hard to negotiate at run time. So far, important efforts were played in order to deal with regulatory compliance management for large distributed systems. However, measurable solutions are required for the context of cloud. In this position paper, we are suggesting an approach that starts with a conceptual model of explicit regulatory requirements for exchanging private data on a multijurisdictional environment and build on it in order to define metrics for non-compliance or, in other terms, risks to compliance. These metrics will be integrated within usual data access-control policies and will be checked at policy analysis time before a decision to allow/deny the data access is made.

Distributed, Parallel, and Cluster Computing

Shucheng Yu,Cong Wang,Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1109/INFCOM.2010.5462174

2010-01-01

Abstract:Cloud computing is an emerging computing paradigm in which resources of the computing infrastructure are provided as services over the Internet. As promising as it is, this paradigm also brings forth many new challenges for data security and access control when users outsource sensitive data for sharing on cloud servers, which are not within the same trusted domain as data owners. To keep sensitive user data confidential against untrusted servers, existing solutions usually apply cryptographic methods by disclosing data decryption keys only to authorized users. However, in doing so, these solutions inevitably introduce a heavy computation overhead on the data owner for key distribution and data management when fine-grained data access control is desired, and thus do not scale well. The problem of simultaneously achieving fine-grainedness, scalability, and data confidentiality of access control actually still remains unresolved. This paper addresses this challenging open issue by, on one hand, defining and enforcing access policies based on data attributes, and, on the other hand, allowing the data owner to delegate most of the computation tasks involved in fine-grained data access control to untrusted cloud servers without disclosing the underlying data contents. We achieve this goal by exploiting and uniquely combining techniques of attribute-based encryption (ABE), proxy re-encryption, and lazy re-encryption. Our proposed scheme also has salient properties of user access privilege confidentiality and user secret key accountability. Extensive analysis shows that our proposed scheme is highly efficient and provably secure under existing security models.

Yan Danfeng,Yang Fangchun

2011-01-01

China Communications

Abstract:Security is a key problem for the development of Cloud Computing. A common service security architecture is a basic abstract to support security research work. The authorization ability in the service security faces more complex and variable users and environment. Based on the multidimensional views, the service security architecture is described on three dimensions of service security requirement integrating security attributes and service layers. An attribute-based dynamic access control model is presented to detail the relationships among subjects, objects, roles, attributes, context and extra factors further. The model uses dynamic control policies to support the multiple roles and flexible authority. At last, access control and policies execution mechanism were studied as the implementation suggestion.

Tang Bo,Li Qi,Sandhu Ravi

DOI: https://doi.org/10.1109/PST.2013.6596058

2013-01-01

Abstract:Most cloud services are built with multi-tenancy which enables data and configuration segregation upon shared infrastructures. In this setting, a tenant temporarily uses a piece of virtually dedicated software, platform, or infrastructure. To fully benefit from the cloud, tenants are seeking to build controlled and secure collaboration with each other. In this paper, we propose a Multi-Tenant Role-Based Access Control (MT-RBAC) model family which aims to provide fine-grained authorization in collaborative cloud environments by building trust relations among tenants. With an established trust relation in MT-RBAC, the trustee can precisely authorize cross-tenant accesses to the truster's resources consistent with constraints over the trust relation and other components designated by the truster. The users in the trustee may restrictively inherit permissions from the truster so that multi-tenant collaboration is securely enabled. Using SUN's XACML library, we prototype MT-RBAC models on a novel Authorization as a Service (AaaS) platform with the Joyent commercial cloud system. The performance and scalability metrics are evaluated with respect to an open source cloud storage system. The results show that our prototype incurs only 0.016 second authorization delay for end users on average and is scalable in cloud environments.

Hong Sun,Xueqin Zhang,Chunhua Gu

DOI: https://doi.org/10.14257/ijgdc.2014.7.3.01

2014-01-01

International Journal of Grid and Distributed Computing

Abstract:With the development of cloud computing, and as the basis of data services, security problems of cloud storage are growing more attention. Based on distributed storage, multidomain and multi-tenant characteristics, combined with access control technologies, this paper sets up the Role-based Access Control using Ontology and domians in Cloud Storage (DOnto_RBAC), which could provide a concise and effective strategy for service providers (isps). According to the characteristics of access control in cloud storage, based on the standards (called CDMI), this paper adds Domains and Time constraints of roles into RBAC. With ontology technologies and the OWL language, this paper establishes ontology model including entities' descriptions and strategies to realize reasoning of multi-domain access control permissions. We realized our system through Python and established Restful APIs. Experiments in campus-level cloud storage called Swift showed that, using requests with Restful format commands, DOnto_RBAC was proved to be effective to manage distributed and multi-domain data in cloud storage.

Wenhui Wang,Jing Han,Meina Song,Xiaohui Wang

DOI: https://doi.org/10.1109/icpca.2011.6106526

2011-01-01

Abstract:Today, the problem of trusting cloud computing is a paramount concern for most enterprises. Whether user behavior is trusted and how to evaluate user's behavior trust are important research contents in cloud computing. This paper suggests an adaptive access algorithm by introducing the trust into cloud computing to decide the access control to the resources using an improved RBAC technique to solve more complex and difficult problems in the cloud computing environment. And the proposed model determines dynamically security level and access control for the common resources. Therefore, it is supposed to provide appropriate security services according to the dynamic changes of the common resources. This access control model bases on trust determines whether the user has the right to get access to the resource by dynamically authorizing. And this mechanism can control the user's malicious behavior effectively.

Khaled Riad,Zhu Yan

DOI: https://doi.org/10.1142/s0218843017500034

2017-01-01

International Journal of Cooperative Information Systems

Abstract:Providing a creditable basis for access control decision-making is not an easy task for the resource pooling, dynamic, and multi-tenant cloud environment. The trust notation can provide this creditable basis, based on multiple factors that can accurately compute the user’s trust for the granting access entity. In this paper, the formal trust model has been introduced, which presents a novel method to provide the basis for granting access. It is based on three factors and their semantic relations, which investigate important measures for the cloud environment. Also, a new Trust-Based Access Control (TB-AC) model has been proposed. The proposed model supports dynamically changing the user’s assigned permissions based on its trust level. In addition, TB-AC ensures secure resource sharing among potential untrusted tenants. TB-AC has been deployed on a separated VM in our private cloud environment, which is built using OpenStack. The experimental results indicated that TB-AC can evaluate access requests within reasonable and acceptable processing times, which is based on the final trust level calculation and the communication between TB-AC and some of the intended OpenStack services. By considering very rough conditions and huge traffic overhead, the final trust level can be calculated in an average time of 200[Formula: see text]ms. Furthermore, the communication overhead between TB-AC and each of Keystone, Nova, and Neutron is very light. Finally, TB-AC has been tested under different scenarios and is provable, usable and scalable.

N.N.Thilakarathne,Dilani Wickramaaarachchi

DOI: https://doi.org/10.48550/arXiv.2011.07764

2020-11-16

Abstract:Cloud computing is considered as the one of the most dominant paradigm in field of information technology which offers on demand cost effective services such as Software as a service (SAAS), Infrastructure as a service (IAAS) and Platform as a service (PAAS).Promising all these services as it is, this cloud computing paradigm still associates number of challenges such as data security, abuse of cloud services, malicious insider and cyber-attacks. Among all these security requirements of cloud computing access control is the one of the fundamental requirement in order to avoid unauthorized access to a system and organizational assets. Main purpose of this research is to review the existing methods of cloud access control models and their variants pros and cons and to identify further related research directions for developing an improved access control model for public cloud data storage. We have presented detailed access control requirement analysis for cloud computing and have identified important gaps, which are not fulfilled by conventional access control models. As the outcome of the study we have come up with an improved access control model with hybrid cryptographic schema and hybrid cloud architecture and practical implementation of it. We have tested our model for security implications, performance, functionality and data integrity to prove the validity. We have used AES and RSA cryptographic algorithms to implement the cryptographic schema and used public and private cloud to enforce our access control security and <a class="link-external link-http" href="http://reliability.By" rel="external noopener nofollow">this http URL</a> validating and testing we have proved that our model can withstand against most of the cyber attacks in real cloud environment. Hence it has improved capabilities compared with other previous access control models that we have reviewed through literature.

Cryptography and Security,Distributed, Parallel, and Cluster Computing