Assisted Authoring, Analysis and Enforcement of Access Control Policies in the Cloud

The heterogeneity of cloud computing platforms hinders the effective use of cloud technologies: it prevents interoperability, promotes vendor lock-in, and makes it difficult to take advantage of the well-engineered security mechanisms that cloud providers offer. In this paper, we introduce a technique that helps developers specify and enforce access control policies in cloud applications. The idea is twofold. First, use a high-level specification language with a formal semantics, so that access requests can be answered independently of the access control mechanism offered by any particular cloud platform. Second, use an automated translation to compute (equivalent) policies that can be enforced in two of the most widely used cloud platforms, AWS and OpenStack. We illustrate the technique on a running example and report our experience with a prototype implementation.
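The two-step idea in the abstract, a platform-independent policy with its own semantics plus a translation to a platform-specific policy that must give the same answers, is illustrated below with an added example. It is not the paper's language or prototype: the `Rule` model, the attribute names, the translation to an AWS IAM-style policy document (using `aws:PrincipalTag/...` condition keys and a simplified model of IAM's deny-overrides evaluation), and the sample policy and requests are all assumptions constructed for this illustration. The point it shows is the equivalence check: every request is evaluated under the high-level semantics and under the translated policy, and the decisions must agree.

```python
import json
from dataclasses import dataclass

# Hypothetical high-level policy model (an assumption, not the paper's language):
# a policy is a list of rules; a rule permits or denies a set of actions on
# resources whose identifier starts with resource_prefix, for subjects whose
# attributes all match the rule's subject constraints.
@dataclass
class Rule:
    effect: str            # "permit" or "deny"
    actions: frozenset     # action names, e.g. {"s3:GetObject"}
    subject: dict          # required subject attributes (all must match)
    resource_prefix: str   # rule covers every resource id starting with this


def _rule_applies(rule, request):
    return (request["action"] in rule.actions
            and request["resource"].startswith(rule.resource_prefix)
            and all(request["subject"].get(k) == v for k, v in rule.subject.items()))


def evaluate(policy, request):
    """Reference semantics: an explicit deny overrides any permit; with no
    applicable rule the answer is deny (default deny)."""
    decision = "deny"
    for rule in policy:
        if not _rule_applies(rule, request):
            continue
        if rule.effect == "deny":
            return "deny"
        decision = "permit"
    return decision


def to_iam(policy):
    """Translate to an AWS IAM-style policy document. Subject attributes become
    StringEquals conditions on aws:PrincipalTag/<attr> (illustrative mapping)."""
    statements = []
    for rule in policy:
        stmt = {
            "Effect": "Allow" if rule.effect == "permit" else "Deny",
            "Action": sorted(rule.actions),
            "Resource": rule.resource_prefix + "*",
        }
        if rule.subject:
            stmt["Condition"] = {"StringEquals": {
                "aws:PrincipalTag/" + k: v for k, v in sorted(rule.subject.items())}}
        statements.append(stmt)
    return {"Version": "2012-10-17", "Statement": statements}


def _match_resource(pattern, resource):
    # Only the trailing-wildcard form produced by to_iam is modelled.
    return resource.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == resource


def iam_evaluate(doc, request):
    """Simplified model of IAM evaluation for a single identity policy: an explicit
    Deny wins, otherwise some Allow must match, otherwise implicit deny."""
    allowed = False
    tags = {"aws:PrincipalTag/" + k: v for k, v in request["subject"].items()}
    for stmt in doc["Statement"]:
        if request["action"] not in stmt["Action"]:
            continue
        if not _match_resource(stmt["Resource"], request["resource"]):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if any(tags.get(key) != val for key, val in cond.items()):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        allowed = True
    return "permit" if allowed else "deny"


def decisions_agree(policy, requests):
    """Equivalence check: the translated policy must answer every request exactly
    as the high-level semantics does."""
    doc = to_iam(policy)
    return all(evaluate(policy, r) == iam_evaluate(doc, r) for r in requests)


# Constructed sample policy and requests (not from the paper).
PAYROLL = "arn:aws:s3:::payroll/"
POLICY = [
    Rule("permit", frozenset({"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}),
         {"dept": "finance"}, PAYROLL),
    Rule("deny", frozenset({"s3:DeleteObject"}), {"employment": "contractor"}, PAYROLL),
]
REQUESTS = [
    {"subject": {"dept": "finance", "employment": "staff"},
     "action": "s3:GetObject", "resource": PAYROLL + "2024/q1.csv"},      # permit
    {"subject": {"dept": "finance", "employment": "contractor"},
     "action": "s3:DeleteObject", "resource": PAYROLL + "2024/q1.csv"},   # deny overrides
    {"subject": {"dept": "hr", "employment": "staff"},
     "action": "s3:GetObject", "resource": PAYROLL + "2024/q1.csv"},      # default deny
    {"subject": {"dept": "finance", "employment": "staff"},
     "action": "s3:GetObject", "resource": "arn:aws:s3:::public/readme"},  # out of scope
]

if __name__ == "__main__":
    print(json.dumps(to_iam(POLICY), indent=2))
    for r in REQUESTS:
        print(r["action"], r["resource"], "->", evaluate(POLICY, r))
    print("translation preserves decisions:", decisions_agree(POLICY, REQUESTS))
```

Two properties worth keeping in mind when doing this for real: the translated document is only as good as the fragment of the target platform's evaluation model you have faithfully modelled (here only `StringEquals` on principal tags and trailing-wildcard resources), and the equivalence check is over a finite set of requests, so it is evidence rather than the proof that a formal semantics makes possible.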
