Toward role-based provisioning and access control for infrastructure as a service (IaaS)

Cloud computing has drawn much attention in recent years. One of its service models, called infrastructure as a service (IaaS), provides users with infrastructure services such as computation and data storage, heavily dependent upon virtualization techniques. Most of the current IaaS providers take the user-resource direct mapping approach for their business, where individual users are the only type of service consumer who can request and use virtualized resources as long as they pay for the usage. Therefore, in this approach, the users and virtual resources are centrally managed at the IaaS providers. However, this also results in the lack of support for scalable authorization management of users and resources, organization-level policy support, and flexible pricing for business users. Considering the increasing popularity and growing user base of cloud computing, there is a strong need for a more flexible IaaS model with a finer grained access control mechanism than the aforementioned all-or-nothing approach. In this paper we propose a domain-based, decentralized framework for provisioning and managing users and virtualized resources in IaaS. Specifically, an additional layer called domain is introduced to the user-resource direct mapping scheme, whereby de-centralization of user and resource management is facilitated. Our framework also allows the IaaS service provider to delegate its administrative routines to domains so that each domain is able to manage its users and virtualized resources allocated by the IaaS provider. Our domain-based approach offers benefits such as scalable user/resource management, domain-based security and governance policy support, and flexible pricing.

[1]  Gail-Joon Ahn,et al.  A rule-based framework for role based delegation , 2001, SACMAT '01.

[2]  Gail-Joon Ahn,et al.  The RSL99 language for role-based separation of duty constraints , 1999, RBAC '99.

[3]  Russ Housley,et al.  An Internet Attribute Certificate Profile for Authorization , 2002, RFC.

[4]  Jeffrey D. Ullman,et al.  Protection in operating systems , 1976, CACM.

[5]  Jason Crampton,et al.  On permissions, inheritance and role hierarchies , 2003, CCS '03.

[6]  Butler W. Lampson,et al.  SPKI Certificate Theory , 1999, RFC.

[7]  David M. Eyers,et al.  Using trust and risk in role-based access control policies , 2004, SACMAT '04.

[8]  Sangrae Cho,et al.  ROLE-BASED EAM USING X.509 ATTRIBUTE CERTIFICATE∗ , 2003 .

[9]  John McLean,et al.  A Comment on the 'Basic Security Theorem' of Bell and LaPadula , 1985, Inf. Process. Lett..

[10]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[11]  William E. Johnston,et al.  Certificate-based Access Control for Widely Distributed Resources , 1999, USENIX Security Symposium.

[12]  Ramaswamy Chandramouli,et al.  The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms , 2001, ACM Trans. Inf. Syst. Secur..

[13]  Seunghun Jin,et al.  On modeling system-centric information for role engineering , 2003, SACMAT '03.

[14]  Ronald L. Rivest,et al.  SDSI - A Simple Distributed Security Infrastructure , 1996 .

[15]  Ravi S. Sandhu,et al.  Configuring role-based access control to enforce mandatory and discretionary access control policies , 2000, TSEC.

[16]  Ravi S. Sandhu,et al.  Framework for role-based delegation models , 2000, Proceedings 16th Annual Computer Security Applications Conference (ACSAC'00).

[17]  Ravi S. Sandhu,et al.  The RRA97 model for role-based administration of role hierarchies , 1998, Proceedings 14th Annual Computer Security Applications Conference (Cat. No.98EX217).

[18]  Fabrizio Valpreda Open Software Foundation , 2012 .