A Policy-Based Management Framework For Cloud Computing Security

ACKNOWLEDGEMENTS
TABLE OF CONTENTS
LIST OF FIGURES
LIST OF TABLES
LIST OF ACRONYMS

CHAPTER 1: INTRODUCTION
  1.1 RESEARCH MOTIVATION
  1.2 PROBLEM STATEMENT
  1.3 RESEARCH OBJECTIVE
  1.4 RESEARCH METHODOLOGY
    1.4.1 Design Science Research Model
    1.4.2 Research Model
    1.4.3 Research Design Strategy
    1.4.4 Data Collection Procedures
  1.5 MEASUREMENT CRITERIA
  1.6 VALIDATION STRATEGY
  1.7 RESEARCH CONTRIBUTIONS
  1.8 THESIS ORGANIZATION

CHAPTER 2: ENTERPRISE INFORMATION SYSTEMS SECURITY
  2.1 REQUIREMENTS FOR EIS SECURITY
  2.2 EIS SECURITY RISKS
  2.3 EIS SECURITY SOLUTIONS
  2.4 POLICY-BASED MANAGEMENT FOR EIS SECURITY
    2.4.1 PBM Architecture
    2.4.2 PBM Challenges
    2.4.3 PBM Benefits
  2.5 CONCLUDING REMARK

CHAPTER 3: CLOUD COMPUTING SECURITY
  3.1 CLOUD COMPUTING OVERVIEW
    3.1.1 Characteristics of Cloud Computing
    3.1.2 Types of Cloud Models
  3.2 SECURITY CONSIDERATIONS FOR THE CLOUD
  3.3 SECURITY ARCHITECTURE FOR CLOUD COMPUTING
  3.4 SECURITY BENEFITS OF CLOUD COMPUTING
  3.5 SECURITY CHALLENGES OF CLOUD COMPUTING
    3.5.1 New Security Problems for the Cloud
  3.6 CLOUD COMPUTING SECURITY SOLUTIONS
  3.7 ACCESS CONTROL FOR CLOUD COMPUTING SECURITY
    3.7.1 Access Control Basics
    3.7.2 Access Control Models for Cloud Computing Security
  3.8 CONCLUDING REMARK
