A framework and risk assessment approaches for risk-based access control in the cloud

Cloud computing is advantageous for customers and service providers. However, it has specific security requirements that are not captured by traditional access control models, e.g., secure information sharing in dynamic and collaborative environments. Risk-based access control models try to overcome these limitations, but while there are well-known enforcement mechanisms for traditional access control, this is not the case for risk-based policies. In this paper, we motivate the use of risk-based access control in the cloud and present a framework for enforcing risk-based policies that is based on an extension of XACML. We also instantiate this framework using a new ontology-based risk assessment approach, as well as other models from related work, and present experimental results of the implementation of our work.
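The contrast the abstract draws, between a conventional role check and a decision that also weighs contextual risk, as an added example that is not the paper's own code and does not reproduce its XACML extension or ontology-based assessment: the role table, the per-attribute risk values, the factor weights, the per-action thresholds and the obligations are all assumed for illustration.

```python
"""Toy risk-based policy decision point (PDP).

Constructed illustration, not the paper's framework: a request is first
checked against a static role table (what a conventional PDP would do),
then scored on contextual risk factors, and the score is compared with
per-action thresholds to yield Permit, Deny, or Permit with obligations
that the enforcement point must carry out (e.g. step-up authentication).
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    PERMIT = "Permit"
    PERMIT_WITH_OBLIGATIONS = "Permit+Obligations"
    DENY = "Deny"


@dataclass(frozen=True)
class Request:
    role: str          # subject attribute
    action: str        # "read" or "export"
    sensitivity: str   # resource attribute: public | internal | confidential
    device: str        # context: managed | byod | unknown
    network: str       # context: corporate | vpn | public


# Static part: which roles may perform which actions (assumed table).
ROLE_PERMISSIONS = {"doctor": {"read", "export"}, "nurse": {"read"}}

# Risk contributed by each attribute value, in [0, 1] (assumed values).
FACTOR_RISK = {
    "sensitivity": {"public": 0.0, "internal": 0.3, "confidential": 0.8},
    "device": {"managed": 0.0, "byod": 0.4, "unknown": 0.9},
    "network": {"corporate": 0.0, "vpn": 0.2, "public": 0.7},
}
# Relative importance of each factor; weights sum to 1 so the score stays in [0, 1].
WEIGHTS = {"sensitivity": 0.4, "device": 0.35, "network": 0.25}


@dataclass(frozen=True)
class RiskPolicy:
    permit_below: float    # risk < permit_below -> Permit
    obligate_below: float  # permit_below <= risk < obligate_below -> Permit with obligations
    obligations: tuple     # what the enforcement point must do in the middle band


# Per-action thresholds (assumed): exporting data tolerates less risk than reading it.
ACTION_POLICY = {
    "read": RiskPolicy(0.35, 0.6, ("audit_log",)),
    "export": RiskPolicy(0.2, 0.4, ("step_up_auth", "audit_log")),
}


@dataclass(frozen=True)
class Result:
    decision: Decision
    risk: float
    obligations: tuple = ()


def risk_score(req: Request) -> float:
    """Weighted sum of per-factor risks; unknown attribute values count as maximal risk."""
    total = 0.0
    for factor, weight in WEIGHTS.items():
        value = getattr(req, factor)
        total += weight * FACTOR_RISK[factor].get(value, 1.0)
    return round(total, 4)


def static_decision(req: Request) -> Decision:
    """Conventional role check: the request context is ignored entirely."""
    if req.action in ROLE_PERMISSIONS.get(req.role, set()):
        return Decision.PERMIT
    return Decision.DENY


def risk_based_decision(req: Request) -> Result:
    """Role check first; then the risk score selects Permit / obligations / Deny."""
    score = risk_score(req)
    if static_decision(req) is Decision.DENY:
        return Result(Decision.DENY, score)
    policy = ACTION_POLICY.get(req.action)
    if policy is None:  # no risk policy defined for this action: fail closed
        return Result(Decision.DENY, score)
    if score < policy.permit_below:
        return Result(Decision.PERMIT, score)
    if score < policy.obligate_below:
        return Result(Decision.PERMIT_WITH_OBLIGATIONS, score, policy.obligations)
    return Result(Decision.DENY, score)


if __name__ == "__main__":
    # Constructed sample requests: same subject and resource, different context.
    on_site = Request("doctor", "read", "confidential", "managed", "corporate")
    remote = Request("doctor", "read", "confidential", "byod", "vpn")
    cafe = Request("doctor", "read", "confidential", "unknown", "public")
    for req in (on_site, remote, cafe):
        print(f"{req.device:8}/{req.network:9} static={static_decision(req).value:7} "
              f"risk-based={risk_based_decision(req)}")
```

The three sample requests carry the same subject and resource, so a role-only check permits all of them; the risk-based decision permits the on-site one, permits the VPN-from-BYOD one only with an audit obligation, and denies the one from an unknown device on a public network. Actions with no defined risk policy are denied rather than falling back to the static answer, which is the fail-closed default a practitioner would want.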
