Data-Centric Access Control for Cloud Computing

The usual approach to security for cloud-hosted applications is strong separation. However, the same data is often used by different applications, particularly given the increase in data-driven ('big data' and IoT) applications. We argue that access control for the cloud should no longer be application-specific but should be data-centric, associated with the data that can flow between applications. Indeed, the data may originate outside cloud services, from diverse sources such as medical monitoring, environmental sensing, etc. Information Flow Control (IFC) potentially offers data-centric, system-wide data access control. It has been shown that IFC can be provided at operating system level as part of a PaaS offering, with an acceptable overhead. In this paper we consider how IFC can be integrated with application-specific access control, transparently to application developers, while building, from simple IFC primitives, access control policies that align with the data management obligations of cloud providers and tenants.
