Toward Group-Based User-Attribute Policies in Azure-Like Access Control Systems

Cloud resources are increasingly pooled for collaboration among users from different administrative units. In these settings, separation of duty between resource management and identity management is strongly encouraged, as it streamlines the organization of resource access in the cloud. Yet this separation may hinder the availability and accessibility of resources, denying access to authorized and entitled subjects. In this paper, we present an in-depth analysis of group reachability in user-attribute-based access control. Starting from a concrete instance of the access control supported by the Azure platform, we adopt formal verification methods to show how access-availability issues, which may arise as groups defined by per-attribute criteria are deployed, can be mitigated.
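The availability question the abstract raises can be made concrete with a small reachability check. The following is an added illustration, not code from the paper or from Azure: it assumes a toy model in which each group is a predicate over a user's attributes (in the spirit of attribute-criteria groups), each administrative action may set one attribute only when a precondition on the current attributes holds, and a breadth-first search over the finite attribute-state space asks whether a user can ever satisfy a group's criteria. The group names, attribute names and administrative rules are constructed for the example. A group for which no sequence of administrative actions leads to membership is exactly the kind of availability problem the paper is concerned with, and the search returns the action sequence as a witness when one exists.

```python
"""Group-reachability check over attribute-criteria groups (illustrative model)."""
from collections import deque
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Attrs = Dict[str, str]                   # a user's current attribute assignment
State = FrozenSet[Tuple[str, str]]       # hashable form of Attrs for the search
Predicate = Callable[[Attrs], bool]
Rule = Tuple[str, Predicate, str, str]   # (action name, precondition, attribute, new value)


def freeze(attrs: Attrs) -> State:
    return frozenset(attrs.items())


def thaw(state: State) -> Attrs:
    return dict(state)


# Constructed groups: membership is decided purely by attribute criteria.
GROUPS: Dict[str, Predicate] = {
    "finance-readers": lambda a: a.get("department") == "finance",
    "prod-operators": lambda a: a.get("department") == "ops"
    and a.get("clearance") == "high",
}

# Constructed administrative rules (hypothetical): an identity administrator may
# apply an action only if its precondition holds on the user's current attributes.
# Note that no rule can ever assign department=finance.
RULES: List[Rule] = [
    ("assign-ops", lambda a: True, "department", "ops"),
    ("grant-clearance", lambda a: a.get("department") == "ops", "clearance", "high"),
    ("revoke-clearance", lambda a: a.get("clearance") == "high", "clearance", "low"),
]


def witness_path(start: Attrs, group: str,
                 rules: List[Rule] = RULES,
                 groups: Dict[str, Predicate] = GROUPS) -> Optional[List[str]]:
    """Breadth-first search over attribute states.

    Returns the list of action names that takes `start` into `group`,
    [] if `start` already satisfies the group's criteria, or None if no
    sequence of administrative actions can ever make the user a member.
    """
    target = groups[group]
    origin = freeze(start)
    # parent[state] = (previous state, action that produced this state)
    parent: Dict[State, Optional[Tuple[State, str]]] = {origin: None}
    queue = deque([origin])
    while queue:
        current = queue.popleft()
        attrs = thaw(current)
        if target(attrs):
            # Reconstruct the action sequence by walking parent pointers back.
            path: List[str] = []
            node = current
            while parent[node] is not None:
                previous, action = parent[node]
                path.append(action)
                node = previous
            return path[::-1]
        for action, precondition, attr, value in rules:
            if precondition(attrs) and attrs.get(attr) != value:
                successor = dict(attrs)
                successor[attr] = value
                key = freeze(successor)
                if key not in parent:
                    parent[key] = (current, action)
                    queue.append(key)
    return None


def unreachable_groups(start: Attrs,
                       rules: List[Rule] = RULES,
                       groups: Dict[str, Predicate] = GROUPS) -> List[str]:
    """Groups that `start` can never join under `rules`: the availability gaps."""
    return sorted(g for g in groups if witness_path(start, g, rules, groups) is None)


if __name__ == "__main__":
    user = {"department": "hr", "clearance": "low"}
    for g in GROUPS:
        print(g, "->", witness_path(user, g))
    print("unreachable:", unreachable_groups(user))
```

Because every rule sets an attribute to a fixed value, the state space is finite and the search terminates; with real attribute vocabularies one would bound the values considered, which is where the model-checking techniques the paper adopts come in. The result for the constructed `hr` user shows both outcomes: `prod-operators` is reachable via `assign-ops` then `grant-clearance`, while `finance-readers` is unreachable because no administrative action can set the department to `finance`, so the group's criteria can never be met for that user.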
