SAFAX – An Extensible Authorization Service for Cloud Environments

Cloud storage services have become increasingly popular in recent years. Users are often registered with multiple cloud storage services that suit different needs. However, the ad-hoc manner in which data sharing between users is implemented creates problems for these users. For instance, users must define separate access control policies for each cloud service they use and are themselves responsible for keeping those policies synchronized across providers. Users have no uniform and expressive way to handle authorization. Existing authorization solutions cannot be applied as-is, since they cannot cope with the challenges specific to cloud environments. In this paper, we analyze the challenges of data sharing in multi-cloud environments and propose SAFAX, an XACML-based authorization service designed to address them. SAFAX's architecture allows users to deploy their access control policies in a standard format, in a single location, and to augment policy evaluation with information from user-selectable external trust services. We describe the architecture of SAFAX and a prototype implementation based on it, illustrate its extensibility through external trust services, and discuss the benefits of using SAFAX from both the user's and the cloud provider's perspectives.
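The central policy store plus pluggable trust services described above, as an added example that is not the SAFAX prototype's code: a minimal XACML-style policy decision point in Python that evaluates a constructed XACML 3.0 policy and resolves any attribute missing from the request through a registered external resolver, here a constructed reputation table standing in for a user-selected trust service. The policy, the attribute identifier `urn:example:reputation`, the reputation scores and the 70-point threshold are assumptions for illustration; the XACML subset handled (Conditions built from `Apply`, two functions, deny-overrides, attribute bags collapsed to single values) is deliberately small.

```python
"""Minimal XACML-style policy decision point (PDP) whose attribute lookup can
be delegated to an external trust service.  Added example, not SAFAX's own
code; the policy, identifiers and reputation data below are constructed."""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
REPUTATION_ID = "urn:example:reputation"  # assumed attribute id, not a standard one
XS = "http://www.w3.org/2001/XMLSchema#"

# The two XACML functions this toy evaluator understands.
FUNCS = {
    "urn:oasis:names:tc:xacml:1.0:function:string-equal": lambda a, b: a == b,
    "urn:oasis:names:tc:xacml:2.0:function:integer-greater-than-or-equal":
        lambda a, b: int(a) >= int(b),
}

# Constructed policy: the owner's single policy for one shared file.  Rule 1 is
# decidable from the request alone; rule 2 needs a reputation score that only
# an external trust service can supply.
POLICY = f"""<Policy xmlns="{XACML}" PolicyId="shared-report"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="no-delete" Effect="Deny">
    <Condition><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeDesignator Category="{ACTION}" AttributeId="{ACTION_ID}"
        DataType="{XS}string" MustBePresent="true"/>
      <AttributeValue DataType="{XS}string">delete</AttributeValue>
    </Apply></Condition>
  </Rule>
  <Rule RuleId="trusted-users" Effect="Permit">
    <Condition><Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:integer-greater-than-or-equal">
      <AttributeDesignator Category="{SUBJECT}" AttributeId="{REPUTATION_ID}"
        DataType="{XS}integer" MustBePresent="true"/>
      <AttributeValue DataType="{XS}integer">70</AttributeValue>
    </Apply></Condition>
  </Rule>
</Policy>"""


class Indeterminate(Exception):
    """An attribute the policy needs could not be obtained from anywhere."""


class PDP:
    def __init__(self, policy_xml, resolvers):
        self.policy = ET.fromstring(policy_xml)
        # (category, attribute_id) -> callable(request) returning a value or None
        self.resolvers = resolvers

    def attribute(self, request, category, attr_id):
        """Look in the request first, then ask the registered external service."""
        value = request.get((category, attr_id))
        if value is None and (category, attr_id) in self.resolvers:
            value = self.resolvers[(category, attr_id)](request)
        if value is None:
            raise Indeterminate(attr_id)  # fail closed, never default to Permit
        return value

    def expr(self, node, request):
        tag = node.tag.rsplit("}", 1)[-1]
        if tag == "AttributeValue":
            return node.text
        if tag == "AttributeDesignator":
            return self.attribute(request, node.get("Category"), node.get("AttributeId"))
        if tag == "Apply":
            args = [self.expr(child, request) for child in node]
            return FUNCS[node.get("FunctionId")](*args)
        raise ValueError(f"unsupported expression element {tag}")

    def rule(self, rule, request):
        cond = rule.find("x:Condition", NS)
        try:
            matched = True if cond is None else self.expr(cond[0], request)
        except Indeterminate:
            return "Indeterminate"
        return rule.get("Effect") if matched else "NotApplicable"

    def decide(self, request):
        """Deny-overrides: any Deny wins, then Indeterminate, then Permit."""
        results = [self.rule(r, request) for r in self.policy.findall("x:Rule", NS)]
        for outcome in ("Deny", "Indeterminate", "Permit"):
            if outcome in results:
                return outcome
        return "NotApplicable"


# Constructed stand-in for a user-selected external trust service, e.g. a
# reputation system returning a score per subject.  Unknown subject -> None.
REPUTATION = {"alice": 92, "mallory": 35}


def reputation_service(request):
    return REPUTATION.get(request.get((SUBJECT, SUBJECT_ID)))


def decide(subject, action):
    pdp = PDP(POLICY, {(SUBJECT, REPUTATION_ID): reputation_service})
    request = {(SUBJECT, SUBJECT_ID): subject, (ACTION, ACTION_ID): action}
    return pdp.decide(request)


if __name__ == "__main__":
    for who, what in [("alice", "read"), ("mallory", "read"),
                      ("alice", "delete"), ("eve", "read")]:
        print(who, what, "->", decide(who, what))
```

Two points the abstract leaves implicit are visible here. First, an attribute the trust service cannot supply (the unknown subject `eve`) yields Indeterminate rather than a quiet Permit, and the enforcement point must treat both Indeterminate and NotApplicable as deny. Second, because the trust service's answer directly decides access, a deployed PDP has to authenticate that service and the integrity of its responses (for instance mutually authenticated TLS or signed assertions); a resolver that can be spoofed is equivalent to letting the attacker write the policy.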
