An insider threat aware access control for cloud relational databases

Access control in cloud computing commonly follows a request-response paradigm in which policy enforcement points (PEPs) forward authorization requests to policy decision points (PDPs). To increase availability and reduce the processing load on the PDP, PEPs cache the PDP's decisions. This paper shows that PEP-side caching can be exploited by insiders to bypass cloud access control mechanisms, which increases the insider threat in cloud computing. To address this problem, the paper proposes a manageable model that detects and prevents insider threat at the PEP side with minimal overhead on the performance of both the PEP and the PDP. The model has been extensively tested, and the results show its effectiveness in mitigating insider threat; the experiments also demonstrate that the overhead the model imposes on the PEP and PDP is low. Lemmas, theorems and an algorithm are provided to show the correctness and applicability of the proposed approach.
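The abstract does not spell out how a cached decision turns into a bypass, so the following is an added illustration, not the paper's model or code: it assumes the usual failure mode of decision caching, namely that a PEP keeps serving a cached "allow" after the PDP has revoked the underlying grant, so an insider whose privilege was withdrawn keeps reaching the data until the cache entry expires. The `PDP`, `CachingPEP` and `run_scenario` names, the policy-version stamp used to detect stale entries, and the `alice`/`salaries` grant are all hypothetical; the hardened PEP shown here is one cheap mitigation, not the detection model the paper proposes.

```python
from dataclasses import dataclass, field


@dataclass
class PDP:
    """Hypothetical policy decision point: authoritative grants plus a
    version counter that changes on every policy update."""
    grants: set = field(default_factory=set)   # entries: (subject, table, action)
    version: int = 0

    def grant(self, subject, table, action):
        self.grants.add((subject, table, action))
        self.version += 1

    def revoke(self, subject, table, action):
        self.grants.discard((subject, table, action))
        self.version += 1

    def decide(self, subject, table, action):
        return (subject, table, action) in self.grants


class CachingPEP:
    """Policy enforcement point with a decision cache.

    validate_version=False reproduces plain PEP-side caching: a cached
    decision is reused until evicted, whatever the PDP decided since.
    validate_version=True stamps each entry with the PDP policy version it
    was produced under and treats a mismatch as a cache miss (assumed
    mitigation, not the paper's).
    """

    def __init__(self, pdp, validate_version):
        self.pdp = pdp
        self.validate_version = validate_version
        self.cache = {}       # (subject, table, action) -> (allowed, pdp_version)
        self.pdp_calls = 0    # how often the PDP was actually consulted

    def authorize(self, subject, table, action):
        key = (subject, table, action)
        hit = self.cache.get(key)
        if hit is not None:
            allowed, cached_version = hit
            if not self.validate_version or cached_version == self.pdp.version:
                return allowed  # served from cache, PDP not contacted
        # Cache miss (or stale entry): ask the PDP and refresh the entry.
        self.pdp_calls += 1
        allowed = self.pdp.decide(subject, table, action)
        self.cache[key] = (allowed, self.pdp.version)
        return allowed


def run_scenario(validate_version):
    """Constructed scenario: an insider is granted SELECT on a table, the
    grant is cached at the PEP, then revoked at the PDP.

    Returns (decision before revocation, decision after revocation,
    number of PDP round trips) so both PEP variants can be compared."""
    pdp = PDP()
    pep = CachingPEP(pdp, validate_version)
    pdp.grant("alice", "salaries", "SELECT")

    first = pep.authorize("alice", "salaries", "SELECT")   # PDP consulted, cached
    pep.authorize("alice", "salaries", "SELECT")           # cache hit in both variants

    pdp.revoke("alice", "salaries", "SELECT")              # privilege withdrawn
    after_revoke = pep.authorize("alice", "salaries", "SELECT")
    return first, after_revoke, pep.pdp_calls


if __name__ == "__main__":
    print("plain caching PEP   :", run_scenario(validate_version=False))
    print("version-checked PEP :", run_scenario(validate_version=True))
```

With plain caching the third call still returns `True` after revocation with only one PDP round trip, which is the stale-decision window an insider can exploit; the version-checked PEP still serves the unchanged second request from cache but goes back to the PDP once the policy version moves, returning `False`. Reading a version counter is far cheaper than re-evaluating every decision, but it still requires one lightweight check against the PDP per cache hit (or a push-based invalidation), which is exactly the PEP/PDP overhead trade-off the paper evaluates.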
