Ruoyu Wu,Xinwen Zhang,Gail-Joon Ahn,Hadi Sharifi,Haiyong Xie

DOI: https://doi.org/10.1109/SocialCom.2013.66

2013-01-01

Abstract:Organizations and enterprises have been outsourcing their computation, storage, and workflows to Infrastructure-as-a-Service (IaaS) based cloud platforms. The heterogeneity and high diversity of IaaS cloud environment demand a comprehensive and fine-grained access control mechanism, in order to meet dynamic, extensible, and highly configurable security requirements of these cloud consumers. However, existing security mechanisms provided by IaaS cloud providers do not satisfy these requirements. To address such an emergent demand, we propose a new cloud service called access control as a service (ACaaS), a service-oriented architecture in cloud to support multiple access control models, with the spirit of plug gable access control modules in modern operating systems. As a proof-of-concept reference prototype, we design and implement ACaaS_RBAC to provide role-based access control (RBAC) for Amazon Web Services (AWS), where cloud customers can easily integrate the service into enterprise applications in order to extend RBAC policy enforcement in AWS.

bo li,jianxin li,lu liu,chao zhou

DOI: https://doi.org/10.1002/sec.1216

IF: 1.968

2015-01-01

Security and Communication Networks

Abstract:Cloud computing, as an emerging computing paradigm, greatly facilitates resource sharing and enables providing computing power as services over the Internet. However, it also brings new challenges for security and access control, especially in infrastructure as a service clouds. The introduction of virtualization layer increases new security risks, which should be restricted and confined by more stringent access control techniques. In this paper, we propose a flexible and fine-grained access control framework, named IaaS-oriented Hybrid Access Control (iHAC), which combines the advantages of both the role-based access control and type enforcement model. We consider access control issues from the perspective of virtual machines. A permission transition model is designed to dynamically assign permissions to virtual machines. A Virtual Machine Monitor (VMM)-based access control mechanism is presented to confine the virtual machine's behaviors in a fine-grained manner. A VMM-enabled network access control approach is proposed to regulate the communication among virtual machines. iHAC is successfully implemented in the Internet based Virtual Computing Infrastructure (iVIC) platform, and several experiments are conducted to evaluate its effectiveness and efficiency. The results show that iHAC can make correct access control decisions with low performance overhead. Copyright (c) 2015John Wiley & Sons, Ltd.

MA Qiang,AI Zhong-Liang

DOI: https://doi.org/10.3969/j.issn.1000-7024.2012.12.014

2012-01-01

Abstract:In order to solve the security problems of operation and management in IaaS(Infrastructure as a Service),a access control mechanism is designed based on the traditional access control model and the features of IaaS.Firstly,the secure features of cloud computing and the inadequacies of existing programs are analyzed,It is pointed out the security of IaaS is the basis for the security of cloud computing.Then,according to four design principles,the CIRBAC model and the CITE model are designed,which can be used in the infrastructure layer of cloud computing based on the RBAC model and the TE model,and the modules of the models is designed in detail.Finally,the models are achieved at the openstack environment with Xen-based virtualization layer.The model enhances the security of IaaS.

Chao Zhou,Bo Li

DOI: https://doi.org/10.1109/UCC.2014.139

2014-01-01

Abstract:Cloud computing, as an emerging computing paradigm, greatly facilitates resource sharing and enables providing computing power as services over the Internet. However, it also brings new challenges for security and access control, especially in IaaS clouds. The introduction of virtualization layer increases new security risks which should be restricted and confined by more stringent access control techniques. In this paper, we propose a hybrid access control framework, named iHAC, which combines the advantages of both Role-based Access Control (RBAC) and Type Enforcement (TE) model to enable unified access control and authorization for IaaS clouds. A permission transition model is provided to dynamically assign permission to virtual machines. A VMM-based access control mechanism is designed to confine the VM's behaviors in a fine-grained manner. Ihac is implemented and evaluated in iVIC platform. The experimental results show that our proposed framework is effective and efficient.

Wenfang Zhao,Fei Gao

DOI: https://doi.org/10.1109/ccis.2012.6664411

2012-01-01

Abstract:Cloud Environment is a platform shared by multi-tenants from different credible domains, thus achieving data sharing safely and effectively has been a great concern to legitimate users. In this paper, we provide a flexible access control strategy which is based on the RBAC (Role-based Access Control) model, and is integrated with a series of security attributes and organization labels for enterprise applications. This strategy subdivides the roles and their corresponding permissions into smaller fractions so as to realize the dynamic performance and fine-grained assignment of an application on the assumption of the reliance of the Third Party. Finally, an analysis combined with one actual implementation is provided to show its effectiveness and practicality in the process of access control while applied in the enterprise-like corporation systems.

Dancheng Li,Cheng Liu,Qiang Wei,Zhiliang Liu,BinSheng Liu

DOI: https://doi.org/10.1109/ICIECS.2010.5678213

2010-01-01

Abstract:SaaS (Software as a Service) deliver software as a service over the Internet, eliminating the need to install and run the application on the customers' own computers and simplifying maintenance and support. Access control is an important information security mechanism, according to user identity and the attribution of a predefined group of users to restrict access to certain information items, and limit the use of certain functions. In view of the features of multi-tenant, if we apply existing access control methods to SaaS systems directly, the following problems will appear: (1) role name conflicts (2) cross-level management (3) the isomerism of tenants' access control. This paper propose the S-RBAC model which can be applied to SaaS systems, this model extends from the RBAC model and ARBAC97 model, it uses layered structures to achieve system-level and tenant-level access control, solves the SaaS system access control problems. And we put forward a way to implement the access control module for SaaS systems based on S-RBAC model.

Zhuo Tang,Juan Wei,Ahmed Sallam,Kenli Li,Ruixuan Li

DOI: https://doi.org/10.1007/978-3-642-30767-6_24

2012-01-01

Abstract:Access Control is an important component of Cloud Computing; specially, User access control management; however, Access Control in Cloud environment is different from traditional access environment and using general access control model can't cover all entities within Cloud Computing, noting that Cloud environment includes different entities such as data owner, end user, and service provider. In this paper, we propose a new access control based on Role-based access control (RBAC) model. This model includes two kind of roles, user role (UR) and owner role (OR); such that, Users get credential from owners to communicate with service provider and to get access permissions of resources. We also discuss the aspects of user access control management, such as authentication, privilege management, and deprovisioning. Moreover, we use administrative scope to update hierarchy when there is a role added or revoked to simplify the user access control management. By applying the model in Cloud environment the results shows that it can reduce the security problems to two classes in the RT [←,∩] role-based trust-management language with a test-paper system.

Yang Zhang,Jun-Liang Chen

DOI: https://doi.org/10.1109/ICDCSW.2012.65

2012-01-01

Abstract:With the rapid application of service-oriented technologies, service and data outsourcing has become a practical and useful computing paradigm. Combined use of access control and cryptography was proposed by many researchers to protect sensitive information in this outsourcing scenario. However, the rigid combination in existing approaches has difficulty in satisfying the flexibility requirement of access control for diverse applications. In this paper, we propose an access control service for public cloud storage, where authorization is controlled by the data owner, and the PDP (Policy Decision Point) and PEP (Policy Enforcement Point) can be securely delegated. In order to implement the service, an attribute-full proxy re-encryption scheme is presented as its corner stone. The other features of our service are as follows: simple key management without the need of key derivation for users to decrypt cipher texts, composing attributes for accessing resources with subject attributes' having inner structures, and authorization relatively separating from encryption. We also give some proofs and analysis of our implementation.

Dancheng Li,Cheng Liu,Binsheng Liu

DOI: https://doi.org/10.5815/ijmecs.2011.05.07

2011-01-01

International Journal of Modern Education and Computer Science

Abstract:SaaS is a new way to deploy software as a hosted service and accessed over the Internet which means the customers don't need to maintain the software code and data on their own servers. So it's more important for SaaS systems to take security issues into account. Access control is a security mechanism that enables an authority to access to certain restricted areas and resources according to the permissions assigned to a user. Several access models have been proposed to realize the access control of single instance systems. However, most of the existing models couldn't address the following SaaS system problems: (1) role name conflicts (2) cross-level management (3) the isomerism of tenants' access control (4) temporal delegation constraints. This paper describes a hierarchical RBAC model called H- RBAC solves all the four problems of SaaS systems mentioned above. This model addresses the SaaS system access control in both system level and tenant level. It combines the advantages of RBDM and ARBAC97 model and introduces temporal constraints to SaaS access control model. In addition, a practical approach to implement the access control module for SaaS systems based on H-RBAC model is also proposed in this paper.

Tianyi Zhu,Weidong Liu,Jiaxing Song

DOI: https://doi.org/10.1109/CIT.2011.36

2011-01-01

Abstract:coRBAC is a specifically optimized RBAC system for cloud computing environment. It inherits the existing RBAC's role model and dRBAC's domain model, optimizes and improves the access control system for services which are hosted on the cloud computing platform. coRBAC greatly improves the certification process and user experience by reducing the unnecessary process of establishing secure connection and setting up multi-level cache, reduces the space complexity and time complexity of access control system.

Zhang Jiawei,Lu Ning,Ma Jianfeng,Wang Ruixiao,Shi Wenbo

DOI: https://doi.org/10.1007/s11036-021-01839-w

2021-01-01

Mobile Networks and Applications

Abstract:Cloud operating system (Cloud OS) is the heart of cloud management platform that takes control of various cloud resources. Therefore, it attracts numerous attacks, especially unauthorized access. Many existing works adopt role-based access control (RBAC) model for Cloud OS access control and token-based approaches as user credentials of sessions or transactions between users and cloud, but they fail to resist privilege abuse caused by RBAC policy rules tampering or token hijacking. To addresses this challenging problem, we propose a secure access control framework suitable for resource-centric Cloud OS. For one thing, we propose a new authorization model with cryptographically protected RBAC policy rules. To solve the policy decision problem caused by encrypted policy rules in this model, an approach is developed to transform it into permission searching problem and we further propose a policy decision scheme based on this. For another thing, we achieve user token unlinkability and token-replay-attack resistance by introducing randomization mechanism and leveraging one-show token technique. A proof of concept implementation has been developed and the proposed scheme is proven secure and efficient by security analysis and the performance evaluation.

Mang Su,Anmin Fu,Yan Yu,Guozhen Shi

DOI: https://doi.org/10.1109/trustcom.2016.0299

2016-01-01

Abstract:More and more people prefer to obtain information from cloud. Different users tend to access different resources they interested at anytime across different networks by a variety of equipments. As same as the traditional management of file, the lifecycle theory is still suitable the electronic data in cloud computing. Firstly, we analyze the motivation of access control in cloud, and summarize the security requirements for the data management in the whole lifecycle. Second, we propose a resource-centric dynamic adaptive access control model (RCDA), which is extended from the action-based access control (ABAC). RCDA is able to describe other access control models through the way of customization. Furthermore, we give the scheme for implementation of RCDA. Finally, we make the comparisons between the RCDA and other existing models, and the results indicate that RCDA is able to satisfy the security requirements for the whole lifecycle of data by adaptively adjusting the access control policies.

Yan Danfeng,Yang Fangchun

2011-01-01

China Communications

Abstract:Security is a key problem for the development of Cloud Computing. A common service security architecture is a basic abstract to support security research work. The authorization ability in the service security faces more complex and variable users and environment. Based on the multidimensional views, the service security architecture is described on three dimensions of service security requirement integrating security attributes and service layers. An attribute-based dynamic access control model is presented to detail the relationships among subjects, objects, roles, attributes, context and extra factors further. The model uses dynamic control policies to support the multiple roles and flexible authority. At last, access control and policies execution mechanism were studied as the implementation suggestion.

Xiao-Yong Li,Yong Shi,Yu Guo,Wei Ma

DOI: https://doi.org/10.1109/cise.2010.5677061

2010-01-01

Abstract:Though cloud computing has many advantages, it still faces a big challenge of security and privacy problem. This problem is also an obstacle to cloud computing since no one is willing to run his businesses in facilities he has no control over it. Moreover, since cloud computing is a multi-tenancy IT service mode, there should be a capability to compartmentalize different customers in cloud facilities; therefore, security duty separation between CSP and customers must be supported in cloud. However, this security duty separation is not common in traditional security mechanisms. Multi-tenancy based access control model (MTACM) was designed to embed the security duty separation principle in cloud; it was a two granule level access control mechanism, one was tenant granule for CSP to compartmentalize different customers, the other was application granule for customers to control the access to their own applications. MTACM was technically and practically feasible. A prototype introduced in this paper showed that MTACM has a good performance.

Jing Xu,Tang Jinglei,He Dongjian,Zan Linsen

DOI: https://doi.org/10.1109/icime.2010.5477832

2010-01-01

Abstract:In the paper, we analyze the features of access control of management-type SaaS. Based on the traditional RBAC, we put forward the access control model based on both tenant and role, in which the tenant is as the minimum unit of administrative domain. To be sure user identity with physical security, we put forward the hierarchical authentication and management of user in the management-type SaaS. In order to ensure the access control model of management-type SaaS in line with the reality, we abolish the inheritance right of role in the traditional RBAC. Based on the timing diagram of UML, analyzing the access control model of the cattle public administration platform based on the SaaS, we present its dynamic modeling of access control. Test and analysis is shown that the access control model based on both tenant and role can ensure the accessibility, security and privacy to access cross-domain in the management-type SaaS, and promote the popularization and application of the management-type SaaS.

Tang Bo,Li Qi,Sandhu Ravi

DOI: https://doi.org/10.1109/PST.2013.6596058

2013-01-01

Abstract:Most cloud services are built with multi-tenancy which enables data and configuration segregation upon shared infrastructures. In this setting, a tenant temporarily uses a piece of virtually dedicated software, platform, or infrastructure. To fully benefit from the cloud, tenants are seeking to build controlled and secure collaboration with each other. In this paper, we propose a Multi-Tenant Role-Based Access Control (MT-RBAC) model family which aims to provide fine-grained authorization in collaborative cloud environments by building trust relations among tenants. With an established trust relation in MT-RBAC, the trustee can precisely authorize cross-tenant accesses to the truster's resources consistent with constraints over the trust relation and other components designated by the truster. The users in the trustee may restrictively inherit permissions from the truster so that multi-tenant collaboration is securely enabled. Using SUN's XACML library, we prototype MT-RBAC models on a novel Authorization as a Service (AaaS) platform with the Joyent commercial cloud system. The performance and scalability metrics are evaluated with respect to an open source cloud storage system. The results show that our prototype incurs only 0.016 second authorization delay for end users on average and is scalable in cloud environments.

Weizhong Qiang,Deqing Zou,Shenglan Wang,Laurence Tianruo Yang,Hai Jin,Lei Shi

DOI: https://doi.org/10.1049/iet-ifs.2012.0094

2013-01-01

IET Information Security

Abstract:The security issue has been a challenging concern for cloud computing because of the multitenant usage model. In cloud, each application normally runs on a dynamic coalition that is composed by multiple virtual machines (VMs) running on different virtualised service nodes, which the authors called logic virtual domain (LVD). Moreover, the owners of cloud applications, who are also the tenants of cloud, would specify some security policies to control the access to those resources that they have paid for. Therefore the owners of cloud infrastructures have to provide the tenants with the mechanism to correctly configure and enforce the access control policies on resources that are from multiple service nodes, to meet the security requirements from cloud applications. To address the above challenge, this study presents the design and implementation about a multilayer access control architecture for LVD, named CloudAC, aiming to provide isolation control, information flow control and resource-sharing control among multiple VMs on Xen virtualisation platforms in cloud computing environment. The theory and technology this research formed will provide reliable security guarantee for resource configuration and application deployment on LVDs.

Yu Zhang,Jing Chen,Ruiying Du,Lan Deng,Yang Xiang,Qing Zhou

DOI: https://doi.org/10.1109/TrustCom.2014.42

2014-01-01

Abstract:In the past few years, cloud computing has emerged as one of the most influential paradigms in the IT industry. As promising as it is, this paradigm brings forth many new challenges for data security because users have to outsource sensitive data on untrusted cloud servers for sharing. In this paper, to guarantee the confidentiality and security of data sharing in cloud environment, we propose a Flexible and Efficient Access Control Scheme (FEACS) based on Attribute-Based Encryption, which is suitable for fine-grained access control. Compared with existing state-of-the-art schemes, FEACS is more practical by following functions. First of all, considering the factor that the user membership may change frequently in cloud environment, FEACS has the capability of coping with dynamic membership efficiently. Secondly, full logic expression is supported to make the access policy described accurately and efficiently. Besides, we prove in the standard model that FEACS is secure based on the Decisional Bilinear Diffie-Hellman assumption. To evaluate the practicality of FEACS, we provide a detailed theoretical performance analysis and a simulation comparison with existing schemes. Both the theoretical analysis and the experimental results prove that our scheme is efficient and effective for cloud environment.

Shuangshuang Xu,Yang Xin,Hongliang Zhu,Shoushan Luo,Yuling Chen

DOI: https://doi.org/10.1109/SSCI44817.2019.9002757

2019-01-01

Abstract:Security of Platform as a Service for multi-tenant becomes a key factor for the sustainable development of the system. This paper analyzes the limitations and shortcomings of traditional identity authentication. Identity authentication is realized through the ticket authentication method. Considering the dynamic and timeliness of resources in cloud computing, this paper proposes a dynamic access control method based on Role-Based Access Control and usage control model from the perspective of business conversation, so as to realize the dynamic access control of tenants to resources in Platform as a Service. The paper elaborates on the security and usability of the key generation, distribution, update, and metadata access control processes. Practice shows that the cloud resource access control model can flexibly realize the control of cloud resources such as authority separation, resource attribute restriction and utilization control, so as to better meet the demand of cloud resource access control with multi-tenant sharing and dynamic characteristics in cloud environment.

Shucheng Yu,Cong Wang,Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1109/INFCOM.2010.5462174

2010-01-01

Abstract:Cloud computing is an emerging computing paradigm in which resources of the computing infrastructure are provided as services over the Internet. As promising as it is, this paradigm also brings forth many new challenges for data security and access control when users outsource sensitive data for sharing on cloud servers, which are not within the same trusted domain as data owners. To keep sensitive user data confidential against untrusted servers, existing solutions usually apply cryptographic methods by disclosing data decryption keys only to authorized users. However, in doing so, these solutions inevitably introduce a heavy computation overhead on the data owner for key distribution and data management when fine-grained data access control is desired, and thus do not scale well. The problem of simultaneously achieving fine-grainedness, scalability, and data confidentiality of access control actually still remains unresolved. This paper addresses this challenging open issue by, on one hand, defining and enforcing access policies based on data attributes, and, on the other hand, allowing the data owner to delegate most of the computation tasks involved in fine-grained data access control to untrusted cloud servers without disclosing the underlying data contents. We achieve this goal by exploiting and uniquely combining techniques of attribute-based encryption (ABE), proxy re-encryption, and lazy re-encryption. Our proposed scheme also has salient properties of user access privilege confidentiality and user secret key accountability. Extensive analysis shows that our proposed scheme is highly efficient and provably secure under existing security models.