Achieving Efficient Access Control via XACML Policy in Cloud Computing

One primary challenge in applying access control methods to cloud computing is to ensure data security while supporting efficient access, particularly when multiple access control policies are adopted. Many existing works propose frameworks and schemes to address these problems; however, these proposals only satisfy specific use cases. In this paper, we take XACML as the policy language and build a logical model on top of it. Based on this model, we introduce a fine-grained data fragment algorithm to optimize the policies, in which the resource property of a rule refers to physically meaningful data blocks. Data are organized in a tree structure, where each leaf node represents a minimal physically meaningful data block and each internal node is a combined data type. This method eliminates conflicts and redundancies among rules and policies, thereby refining the policy set and achieving fine-grained access control. Our approach can also be applied to processing multiple types of data, and experiments are carried out to show the resulting efficiency improvements.

Keywords: Access control; Policy optimization; Data fragment; XACML; cloud computing
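As an added illustration of the data fragment idea (this is not the paper's algorithm, only a simplified model of it): resources form a tree, each rule's resource target is expanded to the leaf blocks it covers, and rules for the same subject and action are compared on those leaf sets to flag redundant and conflicting rules. The resource tree, the `Rule` fields and the sample rules are constructed for this example.

```python
from dataclasses import dataclass
from itertools import combinations

# Constructed resource tree: internal nodes are combined data types,
# leaves are the minimal physically meaningful data blocks.
RESOURCE_TREE = {
    "record": ["identity", "clinical"],
    "identity": ["name", "ssn"],
    "clinical": ["diagnosis", "medication"],
}

@dataclass(frozen=True)
class Rule:
    rule_id: str
    subject: str
    action: str
    resource: str   # any node of RESOURCE_TREE (leaf or internal)
    effect: str     # "Permit" or "Deny"

def leaves(node):
    """Fragment a tree node into the set of leaf data blocks it covers."""
    children = RESOURCE_TREE.get(node)
    if not children:
        return {node}
    return set().union(*(leaves(c) for c in children))

def analyse(rules):
    """Compare rules pairwise on their leaf sets.

    Returns (redundant, conflicts): redundant holds (subsumed_id, covering_id)
    pairs with the same subject, action and effect; conflicts holds
    (id_a, id_b, overlapping_leaves) pairs whose effects differ."""
    redundant, conflicts = [], []
    for a, b in combinations(rules, 2):
        if a.subject != b.subject or a.action != b.action:
            continue
        la, lb = leaves(a.resource), leaves(b.resource)
        overlap = la & lb
        if not overlap:
            continue  # rules touch disjoint data blocks: no interaction
        if a.effect != b.effect:
            conflicts.append((a.rule_id, b.rule_id, frozenset(overlap)))
        elif lb <= la:
            redundant.append((b.rule_id, a.rule_id))  # b is subsumed by a
        elif la <= lb:
            redundant.append((a.rule_id, b.rule_id))  # a is subsumed by b
    return redundant, conflicts

# Constructed sample rule set: r2 is redundant given r1, r3 conflicts with
# r1 on the "ssn" block, r4 is unrelated (different subject).
RULES = [
    Rule("r1", "doctor", "read", "record", "Permit"),
    Rule("r2", "doctor", "read", "clinical", "Permit"),
    Rule("r3", "doctor", "read", "ssn", "Deny"),
    Rule("r4", "nurse", "read", "medication", "Permit"),
]
```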
