Securing Loosely-Coupled Collaboration in Cloud Environment through Dynamic Detection and Removal of Access Conflicts

Online collaboration service has become a popular offering of present day Software-as-a-Service (SaaS) clouds. It facilitates sharing of information among multiple participating domains and accessing them from remote locations. Owing to loosely-coupled nature of such collaborations, access request from a remote user is made in the form of a set of permissions. The cloud vendor maps the requested permissions into appropriate local roles in order to allow resource access. However, coexistence of such multiple simultaneous role activation requests may introduce conflicts which violate the principle of security. In this paper, we propose a distributed secure collaboration framework which enables collaborating domains to detect and remove these conflicts. Two features of our framework are: (i) it requires only local information, and (ii) it detects and removes conflicts on-the-fly. Formal proofs have been provided to establish the correctness of our approach. Experimental results and qualitative comparison with related work demonstrate the efficacy of our approach in terms of response time, thus addressing the scalability requirement of cloud services.

[1]  Marianne Winslett,et al.  Traust: a trust negotiation-based authorization service for open systems , 2006, SACMAT '06.

[2]  Hassan Takabi,et al.  Policy Management as a Service: An Approach to Manage Policy Heterogeneity in Cloud Computing Environment , 2012, 2012 45th Hawaii International Conference on System Sciences.

[3]  Ravi S. Sandhu,et al.  Role activation hierarchies , 1998, RBAC '98.

[4]  Amani S. Ibrahim,et al.  Collaboration-Based Cloud Computing Security Management Framework , 2011, 2011 IEEE 4th International Conference on Cloud Computing.

[5]  Elisa Bertino,et al.  TRBAC , 2001, ACM Trans. Inf. Syst. Secur..

[6]  Elisa Bertino,et al.  A framework for verification and optimal reconfiguration of event-driven role based access control policies , 2012, SACMAT '12.

[7]  Elisa Bertino,et al.  Secure Collaboration in a Mediator-Free Distributed Environment , 2008, IEEE Transactions on Parallel and Distributed Systems.

[8]  Nora Cuppens-Boulahia,et al.  High Level Conflict Management Strategies in Advanced Access Control Models , 2007, ICS@SYNASC.

[9]  Ninghui Li,et al.  Design of a role-based trust-management framework , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[10]  Elisa Bertino,et al.  X-GTRBAC admin: a decentralized administration model for enterprise wide access control , 2004, SACMAT '04.

[11]  Ruixuan Li,et al.  Request-driven role mapping framework for secure interoperation in multi-domain environments , 2008, Comput. Syst. Sci. Eng..

[12]  Jose M. Alcaraz Calero,et al.  Toward a Multi-Tenancy Authorization System for Cloud Services , 2010, IEEE Security & Privacy.

[13]  Mukesh Singhal,et al.  Collaboration in multicloud computing environments: Framework and security issues , 2013, Computer.

[14]  Vincent C. Hu,et al.  Security policy verification for multi-domains in cloud systems , 2014, International Journal of Information Security.

[15]  Baochun Li,et al.  Oruta: Privacy-Preserving Public Auditingfor Shared Data in the Cloud , 2014, IEEE Trans. Cloud Comput..

[16]  Emil C. Lupu,et al.  Conflicts in Policy-Based Distributed Systems Management , 1999, IEEE Trans. Software Eng..

[17]  Jerome H. Saltzer,et al.  The protection of information in computer systems , 1975, Proc. IEEE.

[18]  Ravi S. Sandhu,et al.  The NIST model for role-based access control: towards a unified standard , 2000, RBAC '00.

[19]  Walid G. Aref,et al.  A Distributed Access Control Architecture for Cloud Computing , 2012, IEEE Software.

[20]  Li Gong,et al.  Computational Issues in Secure Interoperation , 1996, IEEE Trans. Software Eng..

[21]  Fang Liu,et al.  NIST Cloud Computing Reference Architecture , 2011, 2011 IEEE World Congress on Services.

[22]  Pierangela Samarati,et al.  Providing Security and Interoperation of Heterogeneous Systems , 2004, Distributed and Parallel Databases.

[23]  Hui Li,et al.  Oruta: Privacy-Preserving Public Auditing for Shared Data in the Cloud , 2012, 2012 IEEE Fifth International Conference on Cloud Computing.

[24]  James W. Gray,et al.  Toward a mathematical foundation for information flow security , 1991, Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy.

[25]  Elisa Bertino,et al.  Access-control language for multidomain environments , 2004, IEEE Internet Computing.

[26]  Peter Sewell,et al.  Cassandra: distributed access control policies with tunable expressiveness , 2004, Proceedings. Fifth IEEE International Workshop on Policies for Distributed Systems and Networks, 2004. POLICY 2004..

[27]  Ruixuan Li,et al.  Resolution for conflicts of inter-operation in multi-domain environment , 2007, Wuhan University Journal of Natural Sciences.

[28]  Elisa Bertino,et al.  Secure interoperation in a multidomain environment employing RBAC policies , 2005, IEEE Transactions on Knowledge and Data Engineering.

[29]  David Banks,et al.  Toward Cloud-based Collaboration Services , 2009, HotCloud.

[30]  Dorothy E. Denning,et al.  A lattice model of secure information flow , 1976, CACM.

[31]  Jorge Lobo,et al.  Conflict Resolution Using Logic Programming , 2003, IEEE Trans. Knowl. Data Eng..

[32]  Gail-Joon Ahn,et al.  Role-based authorization constraints specification , 2000, TSEC.

[33]  James B. D. Joshi,et al.  Supporting authorization query and inter-domain role mapping in presence of hybrid role hierarchy , 2006, SACMAT '06.

[34]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[35]  Sabrina De Capitani di Vimercati,et al.  An algebra for composing access control policies , 2002, TSEC.

[36]  Joan Feigenbaum,et al.  Decentralized trust management , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[37]  Emil C. Lupu,et al.  The uses of role hierarchies in access control , 1999, RBAC '99.

[38]  Elisa Bertino,et al.  Temporal hierarchies and inheritance semantics for GTRBAC , 2002, SACMAT '02.

[39]  Ninghui Li,et al.  RT: a Role-based Trust-management framework , 2003, Proceedings DARPA Information Survivability Conference and Exposition.

[40]  Ramaswamy Chandramouli,et al.  The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms , 2001, ACM Trans. Inf. Syst. Secur..

[41]  Sajal K. Das,et al.  SelCSP: A Framework to Facilitate Selection of Cloud Service Providers , 2015, IEEE Transactions on Cloud Computing.