Shucheng Yu,Cong Wang,Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1109/INFCOM.2010.5462174

2010-01-01

Abstract:Cloud computing is an emerging computing paradigm in which resources of the computing infrastructure are provided as services over the Internet. As promising as it is, this paradigm also brings forth many new challenges for data security and access control when users outsource sensitive data for sharing on cloud servers, which are not within the same trusted domain as data owners. To keep sensitive user data confidential against untrusted servers, existing solutions usually apply cryptographic methods by disclosing data decryption keys only to authorized users. However, in doing so, these solutions inevitably introduce a heavy computation overhead on the data owner for key distribution and data management when fine-grained data access control is desired, and thus do not scale well. The problem of simultaneously achieving fine-grainedness, scalability, and data confidentiality of access control actually still remains unresolved. This paper addresses this challenging open issue by, on one hand, defining and enforcing access policies based on data attributes, and, on the other hand, allowing the data owner to delegate most of the computation tasks involved in fine-grained data access control to untrusted cloud servers without disclosing the underlying data contents. We achieve this goal by exploiting and uniquely combining techniques of attribute-based encryption (ABE), proxy re-encryption, and lazy re-encryption. Our proposed scheme also has salient properties of user access privilege confidentiality and user secret key accountability. Extensive analysis shows that our proposed scheme is highly efficient and provably secure under existing security models.

Guangyu Chen,Jian Liu,Ming Xian

DOI: https://doi.org/10.1088/1742-6596/1314/1/012190

2019-01-01

Journal of Physics Conference Series

Abstract:With the increase of data volume, the service of data publication and subscription is an efficient method to share massive data. It is impossible to capture and manage data with traditional database tools. Therefore, the cloud platform becomes the most suitable platform for data publication and subscription due to its huge storage, strong computing power and good economical utility. In the process of data publishing and subscription, cloud server as a third party is semi-honest, which will bring serious privacy problems. In this paper, a secure data publishing and subscription scheme based on cloud platform is proposed, which can protect the privacy of data and subscriber interest, and achieve efficient and accurate data publishing and subscription. It can realize that only data subscribers who meet the requirements of access rights can obtain and decrypt the data, and the matching of data subscriber interest and data label can be realized at the same time. In addition, this scheme also supports user cancellation, it can cancel dishonest users in the system.

Tien Tuan Anh Dinh,Anwitaman Datta

DOI: https://doi.org/10.48550/arXiv.1305.6146

2013-05-28

Abstract:As tremendous amount of data being generated everyday from human activity and from devices equipped with sensing capabilities, cloud computing emerges as a scalable and cost-effective platform to store and manage the data. While benefits of cloud computing are numerous, security concerns arising when data and computation are outsourced to a third party still hinder the complete movement to the cloud. In this paper, we focus on the problem of data privacy on the cloud, particularly on access controls over stream data. The nature of stream data and the complexity of sharing data make access control a more challenging issue than in traditional archival databases. We present Streamforce - a system allowing data owners to securely outsource their data to the cloud. The owner specifies fine-grained policies which are enforced by the cloud. The latter performs most of the heavy computations, while learning nothing about the data. To this end, we employ a number of encryption schemes, including deterministic encryption, proxy-based attribute based encryption and sliding-window encryption. In Streamforce, access control policies are modeled as secure continuous queries, which entails minimal changes to existing stream processing engines, and allows for easy expression of a wide-range of policies. In particular, Streamforce comes with a number of secure query operators including Map, Filter, Join and Aggregate. Finally, we implement Streamforce over an open source stream processing engine (Esper) and evaluate its performance on a cloud platform. The results demonstrate practical performance for many real-world applications, and although the security overhead is visible, Streamforce is highly scalable.

Databases,Cryptography and Security

Xin Liu,Hao Wang,Bo Zhang,Bin Zhang

DOI: https://doi.org/10.1016/j.ins.2021.10.038

IF: 8.1

2022-01-01

Information Sciences

Abstract:In a data access control system oriented toward the cloud storage environment, a data owner defines attribute-based access control policies for data files to realize fine-grained data sharing. However, the existing schemes have defects in user execution efficiency and user privacy protection, and they do not consider the problems of user revocation and attribute updates. To this end, we propose a ciphertext policy attribute-based encryption method with verifiable outsourced decryption; this requires a user to complete decryption with the help of a server, but the results of the outsourced decryption can be verified independently. With this new encryption scheme and the technique of k-times anonymous authentication, a new fine-grained data access control system was constructed; this system allows a server to provide users with outsourced decryption services, and users’ computation cost is independent of the size of the underlying access control policy. Moreover, the number of outsourced decryption requests is limited. In addition, the new system supports user revocation and attribute updates and it is provably secure under formal proofs. An efficiency analysis shows that it can be compared with other similar systems in terms of performance, despite the addition of several practical properties.

computer science, information systems

Kaiping Xue,Weikeng Chen,Wei Li,Jianan Hong,Peilin Hong

DOI: https://doi.org/10.1109/tifs.2018.2809679

IF: 7.231

2018-01-01

IEEE Transactions on Information Forensics and Security

Abstract:People endorse the great power of cloud computing, but cannot fully trust the cloud providers to host privacy-sensitive data, due to the absence of user-to-cloud controllability. To ensure confidentiality, data owners outsource encrypted data instead of plaintexts. To share the encrypted files with other users, ciphertext-policy attribute-based encryption (CP-ABE) can be utilized to conduct fine-grained and owner-centric access control. But this does not sufficiently become secure against other attacks. Many previous schemes did not grant the cloud provider the capability to verify whether a downloader can decrypt. Therefore, these files should be available to everyone accessible to the cloud storage. A malicious attacker can download thousands of files to launch economic denial of sustainability (EDoS) attacks, which will largely consume the cloud resource. The payer of the cloud service bears the expense. Besides, the cloud provider serves both as the accountant and the payee of resource consumption fee, lacking the transparency to data owners. These concerns should be resolved in real-world public cloud storage. In this paper, we propose a solution to secure encrypted cloud storages from EDoS attacks and provide resource consumption accountability. It uses CP-ABE schemes in a black-box manner and complies with arbitrary access policy of the CP-ABE. We present two protocols for different settings, followed by performance and security analysis.

Yu Zhang,Jing Chen,Ruiying Du,Lan Deng,Yang Xiang,Qing Zhou

DOI: https://doi.org/10.1109/TrustCom.2014.42

2014-01-01

Abstract:In the past few years, cloud computing has emerged as one of the most influential paradigms in the IT industry. As promising as it is, this paradigm brings forth many new challenges for data security because users have to outsource sensitive data on untrusted cloud servers for sharing. In this paper, to guarantee the confidentiality and security of data sharing in cloud environment, we propose a Flexible and Efficient Access Control Scheme (FEACS) based on Attribute-Based Encryption, which is suitable for fine-grained access control. Compared with existing state-of-the-art schemes, FEACS is more practical by following functions. First of all, considering the factor that the user membership may change frequently in cloud environment, FEACS has the capability of coping with dynamic membership efficiently. Secondly, full logic expression is supported to make the access policy described accurately and efficiently. Besides, we prove in the standard model that FEACS is secure based on the Decisional Bilinear Diffie-Hellman assumption. To evaluate the practicality of FEACS, we provide a detailed theoretical performance analysis and a simulation comparison with existing schemes. Both the theoretical analysis and the experimental results prove that our scheme is efficient and effective for cloud environment.

Caiqun Shi,Qinlong Huang,Rui Jian,Genghui Chi

DOI: https://doi.org/10.1109/tifs.2024.3482724

IF: 7.231

2024-10-30

IEEE Transactions on Information Forensics and Security

Abstract:The quality of medical services is improved by sharing electronic medical records (EMRs) across multiple medical institutions via cloud edge. However, EMRs contain private information about patients, and cloud servers are untrustworthy, thus they cannot be shared arbitrarily among senders and receivers. Access control encryption (ACE) is a preferred technique that produces encrypted EMRs and then restricts the capabilities of both senders and receivers to enforce the EMR flow via sanitizers. However, existing cross-domain ACE schemes employ a single sender authority to issue encryption keys for senders, which suffers from single point of failure and encryption key escrow that the sender authority can public EMRs arbitrarily. Moreover, they only support coarse-grained access structures such as AND gates, which is not suitable for flexible EMR sharing among medical institutions. To this end, we propose a cross-domain inner-product ACE (CD-IPACE) scheme that features decentralized encryption key generation and fine-grained access structures. Specifically, we construct CD-IPACE from inner-product encryption, threshold structure-preserving signature instantiated with a distributed key generation protocol, and non-interactive zero-knowledge proof, which prevents individual sender authorities from sending ciphertexts, and also protects both data and receiver privacy. Then, we design a secure EMR flow system in cloud edge named ESFlow based on CD-IPACE, which employs edge nodes as sanitizers to check encrypted EMRs and discard illegal ones. Finally, we demonstrate the security and practicality of ESFlow via formal security analysis and extensive experiments.

computer science, theory & methods,engineering, electrical & electronic

Tien Tuan Anh Dinh,Anwitaman Datta

DOI: https://doi.org/10.48550/arXiv.1210.0660

2012-10-02

Cryptography and Security

Abstract:There is an increasing trend for businesses to migrate their systems towards the cloud. Security concerns that arise when outsourcing data and computation to the cloud include data confidentiality and privacy. Given that a tremendous amount of data is being generated everyday from plethora of devices equipped with sensing capabilities, we focus on the problem of access controls over live streams of data based on triggers or sliding windows, which is a distinct and more challenging problem than access control over archival data. Specifically, we investigate secure mechanisms for outsourcing access control enforcement for stream data to the cloud. We devise a system that allows data owners to specify fine-grained policies associated with their data streams, then to encrypt the streams and relay them to the cloud for live processing and storage for future use. The access control policies are enforced by the cloud, without the latter learning about the data, while ensuring that unauthorized access is not feasible. To realize these ends, we employ a novel cryptographic primitive, namely proxy-based attribute-based encryption, which not only provides security but also allows the cloud to perform expensive computations on behalf of the users. Our approach is holistic, in that these controls are integrated with an XML based framework (XACML) for high-level management of policies. Experiments with our prototype demonstrate the feasibility of such mechanisms, and early evaluations suggest graceful scalability with increasing numbers of policies, data streams and users.

Kaifa Zheng,Caiyang Ding,Jinchen Wang

DOI: https://doi.org/10.3390/electronics12122737

IF: 2.9

2023-06-20

Electronics

Abstract:The node–edge–cloud collaborative computation paradigm has introduced new security challenges to data sharing. Existing data-sharing schemes suffer from limitations such as low efficiency and inflexibility and are not easily integrated with the node–edge–cloud environment. Additionally, they do not provide hierarchical access control or dynamic changes to access policies for data privacy preservation, leading to a poor user experience and lower security. To address these issues, we propose a data-sharing scheme using attribute-based encryption (ABE) that supports node–edge–cloud collaborative computation (DS-ABE-CC). Our scheme incorporates access policies into ciphertext, achieving fine-grained access control and data privacy preservation. Firstly, considering node–edge–cloud collaborative computation, it outsources the significant computational overhead of data sharing from the owner and user to the edge nodes and the cloud. Secondly, integrating deeply with the "node–edge–cloud" scenario, the key distribution and agreement between all entities embedded in the encryption and decryption process, with a data privacy-preserving mechanism, improve the efficiency and security. Finally, our scheme supports flexible and dynamic access control policies and realizes hierarchical access control, thereby enhancing the user experience of data sharing. The theoretical analysis confirmed the security of our scheme, while the comparison experiments with other schemes demonstrated the practical feasibility and efficiency of our approach in node–edge–cloud collaborative computation.

engineering, electrical & electronic,computer science, information systems,physics, applied

Kan Yang,Xiaohua Jia,Kui Ren

DOI: https://doi.org/10.1145/2484313.2484383

2013-01-01

Abstract:A cloud storage service allows data owner to outsource their data to the cloud and through which provide the data access to the users. Because the cloud server and the data owner are not in the same trust domain, the semi-trusted cloud server cannot be relied to enforce the access policy. To address this challenge, traditional methods usually require the data owner to encrypt the data and deliver decryption keys to authorized users. These methods, however, normally involve complicated key management and high overhead on data owner. In this paper, we design an access control framework for cloud storage systems that achieves fine-grained access control based on an adapted Ciphertext-Policy Attribute-based Encryption (CP-ABE) approach. In the proposed scheme, an efficient attribute revocation method is proposed to cope with the dynamic changes of users' access privileges in large-scale systems. The analysis shows that the proposed access control scheme is provably secure in the random oracle model and efficient to be applied into practice.

Zishuai Song,Hui Ma,Rui Zhang,Wenhan Xu,Jianhao Li

DOI: https://doi.org/10.1109/tifs.2023.3266164

IF: 7.231

2023-04-21

IEEE Transactions on Information Forensics and Security

Abstract:Cloud-edge computing is a new paradigm for data sharing. Many computation tasks are assigned to multiple edge nodes to mitigate the computing burden of the cloud and data is also outsourced to them to provide real-time services for IoT devices. However, two major issues remain, namely data privacy and real-world deployment. According to the data privacy rights and principles that stated by General Data Protection Regulation (GDPR), data access control, restriction of data processing and finding inaccuracy data are critical issues that should be tackled in cloud-edge computing. Besides, since there are various types of devices and many of them are resource-constrained, how to efficiently apply deployment in cloud-edge computing is challenging for practice. In this work, we propose a new cryptographic primitive Controllable Outsourced Attribute-Based Proxy Re-Encryption (COAB-PRE) and a universal WebAssembly-based implementation framework for cross-platform deployment. In particular, COAB-PRE achieves bilateral and distributed access control whereby data producers and data consumers can both specify policies the other party must satisfy without a centralized access control server. The property, that we called controllable delegation, restricts the data processing on the edge nodes. COAB-PRE also supports comprehensive verifiability to find out a wrong result produced by the edge nodes and locate the misbehaved one. Moreover, we further discussed the potential property of COAB-PRE and put forward an improved scheme with high efficiency on devices. We also implemented our scheme using the approach and deployed it on different devices for experiment. All theoretical and experimental results indicate that our solution is secure and practical, and our implementation is suitable for cloud-edge computing.

computer science, theory & methods,engineering, electrical & electronic

Jinlu Liu,Jing Qin,Wenchao Wang,Lin Mei,Huaxiong Wang

DOI: https://doi.org/10.1016/j.csi.2023.103800

IF: 3.721

2023-10-18

Computer Standards & Interfaces

Abstract:Cloud computing has become the priority for users to store and share data due to its numerous tempting advantages. The "encryption-before-outsourcing" mechanism is necessary to protect data privacy against the semi-trusted cloud server. Key-Aggregate Cryptosystem (KAC) is a novel encryption paradigm for cloud data sharing. It enables users to decrypt multiple data encrypted with different keys using a constant size aggregate key. When selectively sharing data, the KAC effectively addresses the challenges of expensive key management in symmetric encryption (SE) and eliminates the need for multiple copies of ciphertexts in public key encryption (PKE). However, previous KAC schemes can only control what data users are allowed to receive by distributing aggregate keys, but not what data users can send. This limitation could potentially allow a malicious data owner to leak sensitive information by distributing aggregate keys to unauthorized users. Therefore, this paper aims to design the key-aggregate cryptosystem with bidirectional access control, which can control both what the user can receive and what the data owner can send. Inspired by access control encryption (ACE), we first propose a key-aggregate based access control encryption with user level (KA-ACE-UL) system that can control whether a sender can share his data with a receiver. Then, we investigate a finer-grained access control policy and propose a key-aggregate based access control encryption with user-data level (KA-ACE-UDL) system that can control the data classes a sender can share with a receiver. We instantiate the KA-ACE-UL and KA-ACE-UDL schemes based on Chu et al.'s KAC scheme. We prove our proposed schemes can achieve both secure data storage and controlled data sharing, ensuring security against unauthorized receivers and malicious senders. Finally, theoretical performance analysis and practical experiments show the efficiency of our proposed schemes.

computer science, software engineering, hardware & architecture

Jialu Hao,Cheng Huang,Jian Liu,Ming Xian,Xuemin (Sherman) Shen

DOI: https://doi.org/10.1109/glocom.2018.8647659

2018-01-01

Abstract:Data owners have benefited significantly from cloud computing for managing the numerous data produced by massive devices in various Internet of Things (IoT) applications, such as smart home and electronic healthcare. On the other hand, fine-grained access control on outsourced data is a big concern for data owners, after they lose physical control over their data. Key-policy attribute-based encryption (KP-ABE), which provides data confidentiality and fine-grained data access control simultaneously, can be naturally introduced in this cloud-based IoT paradigm. However, the primitive KP-ABE cannot achieve efficient data access control with flexible user revocation. In this paper, we propose an efficient and fine-grained data access control scheme based on the proxy re-encryption and key blinding techniques for cloud-based IoT. With the scheme, the decryption capability of misbehaving users can be efficiently revoked to prevent data disclosure. In addition, most of the costly update operations over ciphertexts and keys due to user revocation, are delegated to the cloud. Extensive experiment results demonstrate that our scheme is more efficient than existing solutions in terms of computation and communication overheads.

Lingshuang Liu,Cheng Huang,Dan Zhu,Dongxiao Liu,Jianbing Ni,Xuemin (Sherman) Shen

DOI: https://doi.org/10.1109/globecom48099.2022.10000715

2022-01-01

Abstract:Pervasive edge computing (PEC) integrates the resources of peer devices at the network edge to serve users' latency-sensitive computation needs. Due to the high dynamics of the PEC environment, it is very challenging to achieve efficient service access control of edge servers and users without an "always-online" centralized server. In this paper, we propose a secure, efficient, and distributed service access control framework (SE-DAC) in the PEC environment. Specifically, SE-DAC extends the key-aggregate cryptosystem to achieve batch service authorization, where the service provider aggregates the access keys of different services to produce a constant-size aggregate key for the edge servers. Meanwhile, user authentication tasks are delegated to the edge servers by integrating secret sharing. The mutual authentication between the edge servers and the users is based on zero-round trip communication, such that the communication bandwidth cost is low. In addition, the service provider can efficiently revoke the authorization of the dropout or compromised edge servers in response to the dynamics of the PEC environment. Finally, we conduct numerical analysis and experiments to demonstrate that SE-DAC is highly computational efficient on service authorization, authentication, and revocation.

Yingjie Xue,Kaiping Xue,Na Gai,Jianan Hong,David S. L. Wei,Peilin Hong

DOI: https://doi.org/10.1109/tifs.2019.2911166

IF: 7.231

2019-01-01

IEEE Transactions on Information Forensics and Security

Abstract:In public cloud storage services, data are outsourced to semi-trusted cloud servers which are outside of data owners' trusted domain. To prevent untrustworthy service providers from accessing data owners' sensitive data, outsourced data are often encrypted. In this scenario, conducting access control over these data becomes a challenging issue. Attribute-based encryption (ABE) has been proved to be a powerful cryptographic tool to express access policies over attributes, which can provide a fine-grained, flexible, and secure access control over outsourced data. However, the existing ABE-based access control schemes do not support users to gain access permission by collaboration. In this paper, we explore a special attribute-based access control scenario where multiple users having different attribute sets can collaborate to gain access permission if the data owner allows their collaboration in the access policy. Meanwhile, the collaboration that is not designated in the access policy should be regarded as a collusion and the access request will be denied. We propose an attribute-based controlled collaborative access control scheme through designating translation nodes in the access structure. Security analysis shows that our proposed scheme can guarantee data confidentiality and has many other critical security properties. Extensive performance analysis shows that our proposed scheme is efficient in terms of storage and computation overhead.

Lingshuang Liu,Cheng Huang,Dan Zhu,Dongxiao Liu,Jianbing Ni,Xuemin Shen

DOI: https://doi.org/10.1109/tmc.2024.3395388

IF: 6.075

2024-01-01

IEEE Transactions on Mobile Computing

Abstract:In this paper, we propose an efficient and distributed service access control framework (E-DAC) in the pervasive edge computing (PEC) environment, where the resources of peer devices at the network edge are integrated to provide latencysensitive computing services to the nearby devices on behalf of edge servers. E-DAC addresses the challenge of efficient and distributed service access control, comprising edge service authorization, service access authorization, and mutual authentication between edge servers and edge devices. In dong so, E-DAC first extends a key-aggregate cryptosystem to enable batch service authorization, in which a service provider can aggregate the authorization keys of different services to produce a constant-size aggregate key for an edge server. Second, E-DAC enables users to acquire authorization from the service provider for service access on edge servers by using efficient secret sharing. Third, edge servers and users can authenticate with each other without interacting with a centralized server, while enabling secure zero-round trip communication, so that the service data is protected and the communication bandwidth cost is low. In addition, the service provider is capable of efficiently revoking the authorization of the dropout or compromised edge servers or users in response to the dynamics of the PEC environment. Finally, we prove the security of service access control in E-DAC, including unforgeability of service authorization and confidentiality of service data, and conduct extensive analysis and experiments to demonstrate that E-DAC is highly computational and communication-efficient on service authorization, authentication, and revocation.

Jialu Hao,Cheng Huang,Jianbing Ni,Hong Rong,Ming Xian,Xuemin (Sherman) Shen

DOI: https://doi.org/10.1016/j.comnet.2019.02.008

IF: 5.493

2019-01-01

Computer Networks

Abstract:Ciphertext-policy attribute-based encryption (CP-ABE) is a promising approach to achieve fine-grained access control over the outsourced data in Internet of Things (IoT). However, in the existing CP-ABE schemes, the access policy is either appended to the ciphertext explicitly or only partially hidden against public visibility, which results in privacy leakage of the underlying ciphertext and potential recipients. In this paper, we propose a fine-grained data access control scheme supporting expressive access policy with fully attribute hidden for cloud-based IoT. Specifically, the attribute information is fully hidden in access policy by using randomizable technique, and a fuzzy attribute positioning mechanism based on garbled Bloom filter is developed to help the authorized recipients locate their attributes efficiently and decrypt the ciphertext successfully. Security analysis and performance evaluation demonstrate that the proposed scheme achieves effective policy privacy preservation with low storage and computation overhead. As a result, no valuable attribute information in the access policy will be disclosed to the unauthorized recipients.

Xuejiao Liu,Yingjie Xia,Shasha Jiang,Fubiao Xia,Yanbo Wang

DOI: https://doi.org/10.1109/TrustCom.2013.60

2013-01-01

Abstract:Access control is one of the most important security mechanisms in cloud computing. Attributed based encryption provides an approach that allows data owners to integrate data access policies within the encrypted data. However, little work has been done to explore flexible authorization in specifying the data user's privileges and enforcing the data owner's policy in cloud based environments. In this paper, we propose a hierarchical attribute based access control scheme by extending ciphertext-policy attribute-based encryption (CP-ABE) with a hierarchical structure of multiauthorities and exploiting attribute-based signature (ABS). The proposed scheme not only achieves scalability due to its hierarchical structure, but also inherits fine-grained access control with authentication in supporting write privilege on outsourced data in cloud computing. In addition, we decouple the task of policy management from security enforcement by using the extensible access control markup language (XACML) framework. Extensive analysis shows that our scheme is both efficient and scalable in dealing with access control for outsourced data in cloud computing.

Kan Yang,Xiaohua Jia,Kui Ren,Bo Zhang

DOI: https://doi.org/10.1109/tifs.2013.2279531

IF: 7.231

2013-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Data access control is an effective way to ensure data security in the cloud. However, due to data outsourcing and untrusted cloud servers, the data access control becomes a challenging issue in cloud storage systems. Existing access control schemes are no longer applicable to cloud storage systems, because they either produce multiple encrypted copies of the same data or require a fully trusted cloud server. Ciphertext-policy attribute-based encryption (CP-ABE) is a promising technique for access control of encrypted data. However, due to the inefficiency of decryption and revocation, existing CP-ABE schemes cannot be directly applied to construct a data access control scheme for multiauthority cloud storage systems, where users may hold attributes from multiple authorities. In this paper, we propose data access control for multiauthority cloud storage (DAC-MACS), an effective and secure data access control scheme with efficient decryption and revocation. Specifically, we construct a new multiauthority CP-ABE scheme with efficient decryption, and also design an efficient attribute revocation method that can achieve both forward security and backward security. We further propose an extensive data access control scheme (EDAC-MACS), which is secure under weaker security assumptions.

Wen Qiang Wang,Dinh Tien Tuan Anh,Hock Beng Lim,Anwitaman Datta

DOI: https://doi.org/10.48550/arXiv.1205.6349

2012-06-01

Abstract:The proliferation of sensing devices create plethora of data-streams, which in turn can be harnessed to carry out sophisticated analytics to support various real-time applications and services as well as long-term planning, e.g., in the context of intelligent cities or smart homes to name a few prominent ones. A mature cloud infrastructure brings such a vision closer to reality than ever before. However, we believe that the ability for data-owners to flexibly and easily to control the granularity at which they share their data with other entities is very important - in making data owners feel comfortable to share to start with, and also to leverage on such fine-grained control to realize different business models or logics. In this paper, we explore some basic operations to flexibly control the access on a data stream and propose a framework eXACML+ that extends OASIS's XACML model to achieve the same. We develop a prototype using the commercial StreamBase engine to demonstrate a seamless combination of stream data processing with (a small but important selected set of) fine-grained access control mechanisms, and study the framework's efficacy based on experiments in cloud like environments.

Cryptography and Security,Distributed, Parallel, and Cluster Computing