A Usage Control Based Architecture for Cloud Environments

Today, modern computing systems leverage distributed models such as cloud and grid computing. One obstacle to the wide adoption of these distributed computing models is their security challenges, which include the access control problem. Because these models provide features such as on-demand self-service, ubiquitous network access, rapid elasticity and scalability, dynamic infrastructure and measured service, they need powerful and continuous control over access and usage sessions. The usage control (UCON) model emerged to cover some drawbacks of traditional access control models, with features such as attribute mutability and continuity of control. Several recent works have applied UCON to distributed computing environments, but none of them covers all aspects of the model. In this paper we propose an architecture for applying the UCON model in cloud environments. We also present a new architecture for obligation handling, and we introduce a new approach to handling attribute mutability. For the implementation we extended the XACML syntax and semantics as the policy language and leveraged Sun's OASIS XACML implementation.
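As an added illustration (not code from the paper or its implementation), the Python sketch below shows the two UCON features the abstract names: the authorization decision is re-evaluated while the session is open (continuity of control) against attributes that the session itself updates (attribute mutability), with a pre-obligation checked before use. The attribute names, the credit-metering rule and the session end states are assumptions made for the example.

```python
# Minimal UCON-style usage session evaluator (illustrative, constructed example).
# Subject attributes are a plain dict so the session can mutate them in place.

def authorization(subject, obj):
    """Authorization predicate, evaluated before and during usage."""
    return (subject["role"] in obj["allowed_roles"]
            and subject["credit"] >= obj["cost_per_tick"])


def pre_obligation(subject):
    """Pre-obligation: the subject must have accepted the terms of use."""
    return subject.get("accepted_terms", False)


def run_session(subject, obj, ticks):
    """Simulate a usage session of `ticks` metered units.

    Returns (ticks_completed, end_state) where end_state is one of
    'denied' (pre-decision failed), 'revoked' (ongoing check failed)
    or 'completed'. The subject's attributes are updated as a side effect.
    """
    # Pre-decision: obligation fulfilled and authorization holds?
    if not pre_obligation(subject) or not authorization(subject, obj):
        return 0, "denied"
    completed = 0
    for _ in range(ticks):
        # Ongoing decision: re-evaluate with the current, mutated attributes.
        if not authorization(subject, obj):
            return completed, "revoked"
        # Ongoing attribute update: meter usage by charging credit.
        subject["credit"] -= obj["cost_per_tick"]
        completed += 1
    # Post-update: record that a session finished normally.
    subject["sessions"] = subject.get("sessions", 0) + 1
    return completed, "completed"


def demo():
    # Constructed sample data: a tenant with 5 credits using a resource
    # costing 2 credits per tick. Usage is revoked mid-session once the
    # mutated credit attribute no longer satisfies the policy.
    tenant = {"role": "tenant", "credit": 5, "accepted_terms": True}
    vm = {"allowed_roles": {"tenant", "admin"}, "cost_per_tick": 2}
    return run_session(tenant, vm, ticks=5), tenant["credit"]


if __name__ == "__main__":
    print(demo())  # ((2, 'revoked'), 1)
```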
