DOI: 10.1145/2695664.2695708
research-article

Amusa: middleware for efficient access control management of multi-tenant SaaS applications

Published: 13 April 2015

Abstract

Software-as-a-service (SaaS) has been a growing trend in cloud computing for several years. Moreover, SaaS providers are evolving to application-level multi-tenancy, in which all tenants share the application instances, platform and data store with the aim of maximizing resource sharing. For multi-tenant SaaS applications, access control often is the only application-level security mechanism. However, such access control is inherently complex because both the provider and all tenants should be able to specify their access rules for the application. Moreover, these rules must all be securely combined and correctly enforced in the shared multi-tenant application. To address this challenge, we present the Amusa access control middleware. Amusa enables both the provider and all its tenants to efficiently declare their access rules on the SaaS application. To achieve this, Amusa provides incremental three-layered management based on attribute-based tree-structured policies. Afterwards, Amusa securely combines the access rules of all parties and enforces them at run-time with low performance overhead.

Published In

SAC '15: Proceedings of the 30th Annual ACM Symposium on Applied Computing
April 2015
2418 pages
ISBN: 9781450331968
DOI: 10.1145/2695664

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. access control
  2. multi-tenancy
  3. performance
  4. security middleware
  5. software as a service

Qualifiers

  • Research-article

Conference

SAC 2015
SAC 2015: Symposium on Applied Computing
April 13 - 17, 2015
Salamanca, Spain

Acceptance Rates

SAC '15 Paper Acceptance Rate 291 of 1,211 submissions, 24%;
Overall Acceptance Rate 1,650 of 6,669 submissions, 25%

Article Metrics

  • Downloads (Last 12 months): 8
  • Downloads (Last 6 weeks): 2
Reflects downloads up to 02 Oct 2024

Cited By

  • (2021) The Astounding Relationship: Middleware, Frameworks, and API. 2021 9th International Conference on Reliability, Infocom Technologies and Optimization (Trends and Future Directions) (ICRITO), pp. 1-4. DOI: 10.1109/ICRITO51393.2021.9596088. Online publication date: 3-Sep-2021
  • (2019) Approaching Actor-Level Resource Control for Akka. Job Scheduling Strategies for Parallel Processing, pp. 127-146. DOI: 10.1007/978-3-030-10632-4_7. Online publication date: 13-Jan-2019
  • (2018) Transparent IO access control for application-level tenant isolation. Proceedings of the 33rd Annual ACM Symposium on Applied Computing, pp. 143-150. DOI: 10.1145/3167132.3167146. Online publication date: 9-Apr-2018
  • (2016) Idea. Proceedings of the 8th International Symposium on Engineering Secure Software and Systems - Volume 9639, pp. 251-259. DOI: 10.1007/978-3-319-30806-7_16. Online publication date: 6-Apr-2016
  • (2015) Scalable and Secure Concurrent Evaluation of History-based Access Control Policies. Proceedings of the 31st Annual Computer Security Applications Conference, pp. 281-290. DOI: 10.1145/2818000.2818008. Online publication date: 7-Dec-2015
