Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Standard view
Full view
of .
Save to My Library
Look up keyword
Like this
0 of .
Results for:
No results containing your search query
P. 1
08 Paper 31121147 IJCSIS Camera Ready Paper Pp. 48-52

08 Paper 31121147 IJCSIS Camera Ready Paper Pp. 48-52

Ratings: (0)|Views: 8 |Likes:
Published by ijcsis

More info:

Published by: ijcsis on Feb 19, 2012
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less





A Three-Layer Access Control Architecture Basedon UCON for Enhancing Cloud Computing Security
Niloofar RahnamaeeDepartment of ComputerEngineeringTehran North Branch, Islamic AzadUniversityTehran, Iranniloofar_rahnamaee@gmail.comAhmad KhademzadehScientific and InternationalCooperation DepartmentIran Telecommunication ResearchCenterTehran, IranAmmar DaraDepartment of ComputerEngineeringScience and Research Branch,Islamic Azad UniversityTehran,Iranammar.dara@gmail.com 
By emerging cloud computing, organizations utilizethis new technology by consuming cloud services based on-demand. However, they must put their data and processes on acloud, therefore; they do not have enough control on their dataand they must map their access control policies on access controlpolicies of a cloud service. Also, some aspects of this technologylike interoperability, multi-tenancy, continuous access control arenot supported by traditional approaches. The usage controlmodel with two important specifications like continuous accesscontrol and attribute mutability are more compatible withsecurity requirements of cloud computing. In this paper, a threelayer access control based on the usage control for could serviceshas been proposed, in which separation of duties can support themulti-tenancy and the least privilege principle.
 Keywords-Clould Computing; Access Control; Usage Control (UCON); Multi-tenancy; Separation of Duties
Cloud computing, as an innovational improvement in ITtechnology, is a revolution in the software industry [1]. Themain goal of cloud technology is to realize “network as a highperformance computer” [2] in a way that all users, are capableto running processes and storing data on this infrastructure.Instead of traditional approaches, on-demand services willdeliver with a lower cost for organizations [2]. To achieve this,all data and processes should move onto cloud, whichnormally results in less security controls of the organization onits own data and processes. However, organizations prefer toaccess to their own data and processes with their ownpolicies[1]. According to openness, distribution and non-heterogeneity [1][2][3] nature of cloud, data integrity,confidentiality, privacy[3] and authorization[4] may be indanger. Access control as a security mechanism guaranteesthat a specific resource just and only is accessed by anauthorized user [5].Many different access control schemes has been offeredfor distributed systems, but the attribute-based models look more appropriate [1][2][3][5][6][9].There are three requirements for cloud services asfollows:1) Cloud service must be able to specify access controlpolicies of end users to service objects, which is based on itsbusiness logic.2) A cloud service consumer must be able to enforce moreaccess control policies on its user requests to the objects of theorganization. When an organization wants to use a cloudservice, it must map its policies on access control policies of the cloud service. This mapping of policies may violate theleast privilege principle. Therefore, organization can preventviolating their policies by enforcing more policies on accessrequests.3) Cloud service vendor must be able to offer cloudservices to consumer in all applicable levels. For example,tenants may rent only necessary functions with a lower costinstead of all the services.According these three requirements, the usage controlmodel is the best option among various access control policies.In this paper, a three level architecture based on the usagecontrol model is presented, which not only uses separation of duties but also supports multi-tenancy and cross-domaincommunication.In the second section of this paper, previous works andresearches on this subject are considered. Then, proposedapproach based on a three-layer access control is explained inthe third section. Section 4 describes the architecture of athree-layer access control model based on usage control alongwith four components. Then the proposed architecture hasbeen analyzed. We will give a conclusion description finally insection 5.II.
 According to the nature of cloud computing which isextensible, heterogeneous and multi-tenant, it is necessary toconsider these specifications in access control policies.Xiao and associates use access control list (ACL) tosupport multi tenancy [1]. In this research, access control isdivided into different levels: cloud service provider and tenant.The service provider creates a record per each tenant so thatinclude an managerial <s,o,a> tuple which tenants can managetheir users, objects and ACL by means of it. Jose M. Carlo andassociates offered an especial authorization model for cloudcomputing which customized the access control on a federatedenvironment for organization cooperation [4]. In this model
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 10, No. 1, January 201248http://sites.google.com/site/ijcsis/ISSN 1947-5500
the authorization 3-tuple <Subject, Privilege, Object>expanded to 5-tuple < Issuer, [User|Role], privilege, interface,ObjectPath > which are explained as follows: Issuer definesthat the User | Role has sufficient privilege on ObjectPath viainterface.Also for assigning the membership of user to a role andsupporting hRBAC, the tripe <Issuer,[User|Role], roleName>has been defined which explained as: Issuer defines that theUser | Role is responsible for the role/sub-role with role name.Therefore, the organizations define their access controlpolicies to their own resources on cloud, by these 5 and 3tuples [4].Chen Danwei and associates offered access controlarchitecture according to usage control model (UCON) forcloud computing. The majority of this paper is a negotiationmodule in authorization architecture to improve the flexibilityof access control on cloud services. When the requested accesshas not sufficient attributes, a second access choice via anegotiation module will provide, rather than of refusing accessdirectly [2].The general scenario of access control UCON modeldefined by three specifications in Fig.2. This scenario, dividesthe usage control in three phases: before usage, ongoing usage,and after usage. Decision-making control components(Authorization, Obligations and Conditions) can check andenforce in first two phases [7][8][9][10]. Obligations will notconsider on after usage phase in Core UCON Model, but inpapers [11][12] post-obligation are extended for Core UCONModel. In this paper we use the extended model of UCON.UCON is a session based access control model, because itcontrols not only access request, but also the ongoing access.Mutability means that the attributes of objects or subjects canbe updated as a result of an access. There are three types of updates: pre-update, on-update and post-update. Updating theattribute of an object or subject may result in to allow orrevoke current access or another access, according to theauthorizations of the access [13].
Figure 1. UCON scenario [13]
There are three main actors in cloud environment: user,vendor and original cloud provider which will consider astenant, service vendor and service creator, respectively. Tenantis an organization that rent the cloud from cloud servicevendors and it can have users.The cloud vendor is an organization that offers the cloudservices to the cloud user with guaranteed quality of experience (QoE) and quality of service (QoS) within theframework of a service level agreement (SLA). Service creatoris a developer service organization which provides access fortenants’ users to its services via service vendors.III.
 In the cloud environment, service creators usually defineaccess control policies of end users to a cloud service.However, tenants usually tend to have the most possiblecontrol on their data and be able to enforce more policies thanby the service creators on their access request of their endusers. In addition, vendors tend to offer their services toconsumers in all desired levels. Therefore, cloud accesscontrol mechanism must be able to support these threerequirements. As a result, in this paper; a three-layerarchitecture is proposed for decision and enforcement of access control policies. the layers are as follow:
Service layer 
: as an enforcer of service access controlpolicies.
Provider layer 
: as an enforcer of vendor accesscontrol policies.
Tenant layer 
: as an enforcer of service consumeraccess control policies.
Figure 2. The enforcement of three layers access control on user’s objects
In the service layer, it has been guaranteed that serviceobjects will be available for end users, according to creatoraccess policies. The service creator specifies these policiesbased on a business logic, which is related to that service. Forexample, in a healthcare service, the service creator willdetermine rights of the
role. In this layer, creatorsassign the first limits of the access rights of a cloud service.Therefore, these policies specify the maximum rights of otherlayers.In the provider layer, a service vendor can offer its serviceto its tenants in various levels. Some of service usage contractsare enforced by access control policies in this layer. Vendorsdefine access rights of their tenants. For example, hospital Acan rent a healthcare service only for its laboratory, whilehospital B not only want to rent the laboratory, but also forprescription and diagnosis sections. Therefore, further thancreator layer policy limitations, more policy enforcement ispossible. Hence, more limitations are enforced than servicelayer.In the tenant layer, organizations can enforce morepolicies to the previous layers. Then the least privilegeprinciple can be applied for all their users and objects in a
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 10, No. 1, January 201249http://sites.google.com/site/ijcsis/ISSN 1947-5500
cloud. Usually, organizations using a cloud service have theirown interior access control policies. Therefore, they must maptheir policies on cloud service policies. This mapping mayviolate the least privilege principle for some users. It maypermit an unauthorized access according tenant policies;although it is permitted cloud service policies. Hence, tenantscan enforce more policies than policies by a cloud servicecreator and vendor. For example, service creator of ahealthcare service permits billing right for
, howeverhospital A does not want their nurses have this right.Therefore, Hospital A must map the nurse role to the nurserole of the service with billing right, which violates theorganization polices and the minimum privilege principle.Hence, hospital A tends to have a nurse role without billingrights. Hospital A can revoke nurses' billing rights in thetenant layer. In the tenant layer, more limits can be enforcedother than two previous layers.As shown in Fig. 2, preliminary access rights are definedin the first layer. Then, vendor layer can restrict the servicelayer of access rights, and finally tenant layer can limit accessrights of the two previous layers.IV.
 In this paper, a three-layer access control architecture basedon the usage control is proposed, which is “platform as aservice” and guaranties access control for SaaS services.In the Fig. 3, four components of the proposed accesscontrol architecture are shown, which are as follow:
Access control service
Service provider
Cloud provider
Identity provider.
Figure 3.The architecture of proposed three-layer usage control in cloud
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 10, No. 1, January 201250http://sites.google.com/site/ijcsis/ISSN 1947-5500

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->