Nothing Special   »   [go: up one dir, main page]
Skip to main content
Springer Nature Link
Log in

EACF: extensible access control framework for cloud environments

  • Published:
Annals of Telecommunications Aims and scope Submit manuscript

Abstract

The dynamic authorization and continuous monitoring of resource usage in cloud environments is a challenge. Moreover, the extant access control techniques are not well-suited for all types of the cloud-hosted applications predominantly for two reasons. Firstly, these techniques lack in providing features such as generality, extensibility, and flexibility. Secondly, they are static in nature, such that once the user is authorized, they do not evaluate the access request during and after the resource usage. Every application hosted in the cloud has its own requirement of evaluating access request; some applications require request evaluation before assigning resources, while some require continuous monitoring of resource usage along with a dynamic update of attribute values. To address these diverse requirements, we present an Extensible Access Control Framework (EACF) for cloud-based applications, which provides high-level extensibility by incorporating different access control models about the needs of the Cloud service consumers (organizations). A number of access control models are combined in the EACF, which provides reliable authorization service for managing and controlling access to the software as a service-hosted cloud applications.It also helps cloud consumers to provide authorized access to resources (data), as well as contributes to eliminate the need to write customized security code for individual applications. As a case study, three access control models are incorporated into the framework and tested on SaaS-hosted application DSpace to ascertain that the proposed features are functional and working fine.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11

Similar content being viewed by others

Notes

  1. SaaS is a service delivery model which is meant to provide softwares and related functionalities using web based service remotely over the network. Due to this model, users are now free from installing applications and services on their local systems; instead, all the services are provided and managed over the internet and software and hardware management is no more concern for the application users.

  2. OASIS XACML 3.0 has been used as a base line in our proposed framework. PDP, PEP and PAP are only the XACML components which serve the purpose of authorization request/response processing. The objective to use XACML in our framework is to offer an underlying common policy language format. XACML is a specification language and is used to develop the base of our framework.

  3. An exemplary XACML profile of RBAC has been provided by OASIS. We took the RBAC profile as a sample and used its basic constructs to develop profiles of UCON, ABAC, and FGAC. The very first step in developing a generic framework is to construct its XACML profile, convert it into code, and plug-in with framework. If EACF needs to incorporate a new access control model, then first, we need to develop its profile, and then incorporate it in framework using Balana or any suitable implementation.

References

  1. Gouglidis A (2011) Towards new access control models for cloud computing systems. Kaspersky

  2. Tang Z, Wei J, Sallam A, Li K, Li R (2012) A new RBAC based access control model for cloud computing. In: Advances in Grid and Pervasive Computing. Springer, pp 279–288

  3. Ghazia U, Masood R, Awais Shibli M (2012) Comparative analysis of access control systems on the cloud. In: 2012 13th ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel & Distributed Computing (SNPD). IEEE, pp 41–46

  4. Majumder A, Namasudra S, Nath S (2014) Taxonomy and classification of access control models for cloud environments. In: Continued Rise of the Cloud. Springer, pp 23–53

  5. Ferraiolo D, Cugini J, Kuhn DR (1995) Role-based access control (RBAC): Features and motivations. In: Proceedings of 11th Annual Computer Security Application Conference, pp 241–48

  6. Park J, Sandhu R (2002) Towards usage control models: beyond traditional access control. In: Proceedings of the 7th ACM Symposium on Access Control Models and Technologies. ACM, pp 57–64

  7. Park J, Sandhu R (2002) Towards usage control models: beyond traditional access control, ACM

  8. Yuan E, Jin T (2005) Attributed based access control (abac) for web services. In: Proceedings of the IEEE International Conference on Web Services (ICWS). IEEE

  9. Li J, Zhao G, Chen X, Xie D, Rong C, Li W, Tang L, Tang Y (2010) Fine-grained data access control systems with user accountability in cloud computing. In: 2010 IEEE Second International Conference on Cloud Computing Technology and Science (CloudCom). IEEE, pp 89–96

  10. Shi J, Zhu H (2010) A fine-grained access control model for relational databases. J Zhejiang Univ Sci C 11 (8):575–586

    Article  Google Scholar 

  11. Godik Simon, Anderson Anne, Parducci B, et al. (2002) Oasis extensible access control markup language (XACML) 3. Technical report, Technical Representative. OASIS

  12. GitHub wso2 (2016) WSO2 Balana Implementation

  13. Masood R, Shibli MA, et al. (2015) Cloud authorization: exploring techniques and approach towards effective access control framework. Frontiers of Computer Science 9(2):297–321

    Article  MathSciNet  Google Scholar 

  14. Younis YA, Kifayat K, Merabti M (2014) An access control model for cloud computing. Journal of Information Security and Applications 19(1):45–60

    Article  Google Scholar 

  15. Lang U (2010) Openpmf scaas: Authorization as a service for cloud & soa applications. In: 2010 IEEE Second International Conference on Cloud Computing Technology and Science (CloudCom). IEEE, pp 634–643

  16. Almutairi A, Sarfraz M, Basalamah S, Aref W, Ghafoor A (2011) A distributed access control architecture for cloud computing. IEEE

  17. Sirisha A, Kumari GG (2010) API access control in cloud using the role based access control model. In: Trendz in Information Sciences & Computing (TISC), 2010. IEEE, pp 135–137

  18. Zhang Y, Chen JL (2012) Access control as a service for public cloud storage. In: 32nd International Conference on Distributed Computing Systems Workshops (ICDCSW). IEEE, pp 526– 536

  19. Mon EE, Naing TT (2011) The privacy-aware access control system using attribute-and role-based access control in private cloud. In: 4th International Conference on Broadband Network and Multimedia Technology (IC-BNMT). IEEE, pp 447– 451

  20. Bates A, Mood B, Valafar M, Butler K (2013) Towards secure provenance-based access control in cloud environments. In: Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy. ACM, pp 277–284

  21. Lazouski A, Mancini G, Martinelli F, Mori P (2012) Usage control in cloud systems. In: 2012 International Conference for Internet Technology And Secured Transactions. IEEE, pp 202–207

  22. Masood R, Awais Shibli M, Bilal M, et al. (2012) Usage control model specification in XACML policy language. In: Computer Information Systems and Industrial Management. Springer, pp 68–79

  23. Yu S, Wang C, Ren K, Lou W (2010) Achieving secure, scalable, and fine-grained data access control in cloud computing. In: 2010 Proceedings of INFOCOM. IEEE, pp 1–9

  24. Li XY, Shi Y, Guo Y, Ma W (2010) Multi-tenancy based access control in cloud. In: International Conference on Computational Intelligence and Software Engineering (CiSE). IEEE , pp 1–4

  25. Popa L, Minlan Y, Ko SY, Ratnasamy S, Stoica I (2010) Cloudpolice: taking access control out of the network. In: Proceedings of the 9th ACM SIGCOMM Workshop on Hot Topics in Networks. ACM, p 7

  26. Zhu J, Wen Q (2012) Saas access control research based on ucon. In: 2012 Fourth International Conference on Digital Home (ICDH). IEEE, pp 331–334

  27. Huang J, Nicol D, Bobba R, Huh JH (2012) A framework integrating attribute-based policies into role-based access control. In: Proceedings of the 17th ACM symposium on Access Control Models and Technologies. ACM, pp 187–196

  28. Khamadja S, Adi K, Logrippo L (2013) An access control framework for hybrid policies. In: Proceedings of the 6th International Conference on Security of Information and Networks. ACM, pp 282–286

  29. Upadhyaya S (2011) Mandatory access control. In: Encyclopedia of Cryptography and Security. Springer, pp 756–758

  30. Khamadja S, Adi K, Logrippo L (2013) Designing flexible access control models for the cloud. In: Proceedings of the 6th International Conference on Security of Information and Networks, pages 225–232 ACM

  31. Yang K, Jia X, Ren K (2013) Attribute-based fine-grained access control with efficient revocation in cloud storage systems. In: Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security. ACM, pp 523– 528

  32. Rashwand S, Mišić J (2010) A novel access control framework for secure pervasive computing. In: Proceedings of the 6th International Wireless Communications and Mobile Computing Conference. ACM, pp 829–833

  33. Hansmann U (2003) Pervasive computing: The mobile world. Springer

  34. Ullah S, Xuefeng Z, Feng Z (2013) Tcloud: A dynamic framework and policies for access control across multiple domains in cloud computing. Int J Comput Appl 62(2):01–07

    Google Scholar 

  35. Mchumo S, Chi H (2010) A framework for access control model in enterprise healthcare via saml. In: Proceedings of the 48th Annual Southeast Regional Conference. ACM, p 113

  36. Costabello L, Villata S, Delaforge N, Gandon F (2012) Shi3ld: an access control framework for the mobile web of data. In: Proceedings of the 23rd ACM Conference on Hypertext and Social Media. ACM, pp 311–312

  37. Ferraiolo D, Atluri V, Gavrila S (2011) The policy machine: a novel architecture and framework for access control policy specification and enforcement. J Syst Archit 57(4):412–424

    Article  Google Scholar 

  38. Baker PH (2001) Security Assertions Markup Language. May 14:1–24

    Google Scholar 

  39. Rissanen E eXtensible Access Control Markup Language (XACML) version 3.0 (committe specification 01). In Technical report, OASIS, http://docs.oasisopen.org/xacml/3.0/xacml-3.0-core-spec-cd-03-en.pdf

  40. Gamma E, Beck K (2006) Junit

  41. Smith M, Barton M, Bass M, Branschofsky M, McClellan G, Stuve D, Tansley R, Walker JH (2003) Dspace: An open source dynamic digital repository. Corporation for National Research Initiatives

  42. Mao Y, Junqueira FP, Marzullo K (2008) Mencius: Building efficient replicated state machines for wans. In: Proceedings of the 8th USENIX Conference on Operating Systems Design and Implementation OSDI’08,. USENIX Association, Berkeley, CA, pp 369–384

  43. Amir Y, Coan B, Kirsch J, Lane J (2007) Customizable fault tolerance forwide-area replication. In: Proceedings of the 26th IEEE International Symposium on Reliable Distributed Systems, SRDS ’07. IEEE Computer Society, Washington, DC, pp 65–82

Download references

Acknowledgments

We are incredibly grateful for the financial assistance provided by National ICT R&D Funds, Ministry of Information Technology, Pakistan that made this research work possible. We are also thankful for the unconditional support provided by National University of Sciences and Technology and KTH-Applied Information Security Lab, Pakistan, to execute this research project.

Author information

Authors and Affiliations

  1. School of Electrical Engineering and Computer Science (SEECS), National University of Sciences and Technology (NUST), Islamabad, Pakistan

    Faria Mehak

  2. School of Electrical Engineering and Telecommunications (EE&T), University of New South Wales (UNSW), NSW, Australia

    Rahat Masood

  3. VisionIT, 38345 W 10 Mile Rd 340, Farmington Hills, MI, 48335, USA

    Muhammad Awais Shibli

  4. Middle East Technical University (METU), Northern Cyprus Campus, Mersin 10, Guzelyurt, Turkey

    Islam Elgedway

Authors
  1. Faria Mehak
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Rahat Masood
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Muhammad Awais Shibli
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Islam Elgedway
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Rahat Masood.

Electronic supplementary material

Below is the link to the electronic supplementary material.

(PDF 0.99 MB)

Appendix A: Formal notations used in framework

Appendix A: Formal notations used in framework

Following are the notations which have been specified for the workflow of messages involved in the authorization phase.

1.1 Entities

C= Client

PEPaaS = Policy Enforcement Point as a Service

PDPaaS = Policy Decision Point as a Service

1.2 Time Stamps & Validity

TS1 = Time at which the authorization request is sent to PEPaaS

TS2 = Time at which the authorization request is sent to PDPaaS

TS3 = Time at which the authorization response is sent to PEPaaS to send further to Client

TimeInterval = Time Duration only during which the ticket is valid

1.3 Cryptography Computations

Issue-ID = Ticket Unique Identifier

Issuerc = Name of Client Issuer

PUpep = Public Key of PEPaaS PUpdp = Public Key of PDPaaS

SignatureAlgo = Digital Signature Algorithm

HashAlgo = Hash Algorithm SHA-1, SHA-2, MD5

Hashvalue = Hash value of the assertion

SignatureValue = Signed value of the assertion

Issuerpdp = Name of PDP Issuer

1.4 XACML Attributes

Subject = Requester ID/Name

Resource= Data on which access is required

Action = Action required on data

Environment= Date/Time at which request is made

1.5 XACML Parameters Option

Status = {Ok, Fail}

Decision = {Permit, Deny, Indeterminate, Not-Applicable}

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Mehak, F., Masood, R., Shibli, M.A. et al. EACF: extensible access control framework for cloud environments. Ann. Telecommun. 72, 307–323 (2017). https://doi.org/10.1007/s12243-016-0548-1

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s12243-016-0548-1

Keywords

Search

Navigation