CLOUD-HOSTED PROXY BASED COLLABORATION IN MULTI- CLOUD COMPUTING ENVIRONMENTS WITH ABAC METHODS

Transcription

1 CLOUD-HOSTED PROXY BASED COLLABORATION IN MULTI- CLOUD COMPUTING ENVIRONMENTS WITH ABAC METHODS Shilpa G S 1, Maria Navin J R 2 1 PG Student, Dept. of Computer Science and Engineering, SVCE Bangalore, 2 Asst.Professor, Dept. of Computer Science and Engineering, SVCE Bangalore. ABSTRACT Many organizations are gradually shifting towards the use of Cloud computing. Cloud computing on deploying with proxies and service providers reduces cost and increases the accessibility of data. A set of possible solutions can be seen in the recent research related to single and multi-cloud security. Multi-cloud environment includes the distributed clouds integration in a large open system to handle all the issues regarding aggregation and integration of the Clouds entirely detached from vendors and providers. So, there is a need to address the privacy, policy and trust issues. Access Control Methods ensure that authorized user s access to the data and the system. It leads to the design of attribute based access control mechanism for cloud computing INTRODUCTION A proposed proxy based multi-cloud computing allows resource sharing among cloud providers with dynamic colla-boration. Client centric approaches encourages inter-operability without pre-established business agreements among cloud providers but initiated by cloud customers or trusted third party s to address the challenges such as privacy policy and trust[1]. Cloud-hosted proxy deploys the cloud service provider host proxies within its infrastructure administer and manage the proxies. It will handle the service request from the client who wants to access these proxies. Cloud service providers (CSPs) deploy proxies as an autonomou s cloud system and offer it as a service to clients. Proxy Service Providers (PSPs) are deployed as an autonomous cloud that offers collaborative services to clients and CSPs. Policy conflicts results in security breaches when proxies dynamically use different security policies to provide collaborative services among multiple CSPs. Proxies are selected to service the request simultaneously based on latency. Proxies must use certain mechanisms to monitor for and defend against the resulting security breaches. Data as a service (DaaS) is an emerging cloud service in which organizations can seamlessly store data in the cloud and retrieve it based on access control policies that cover legal requirements and organizational policies. An expressive access control model can specify access control policies on protected objects in terms of a subject s properties, called identity attributes[1]. They can incorporate a subject s id, age, organizational role, and access location. Such an attribute based access control (ABAC) model Provides fine-grained data access and expresses policies closer to organizational policies. 2. ARCHITECTURE 2.1 Cloud Hosted Proxy Cloud computing can be decided as a new paradigm for the dynamic provisioning of computing services. Cloud service provider[2] swarm proxies within its infrastructure administer and manage the proxies and will handle the service request from the client who wants to access these proxies. In Fig. 2.1, Initially client interacts with CSPs and initiates a service request to C1. If request is not satisfied then the proxies within C1 discovers the need for a service from C2 and C3.

2 Fig 2.1: cloud hosted proxy This infrastructure offers some solutions to the problems such as portability and interoperability for management of both SaaS and PaaS[8]. The disparate layers of a cloud environ-ment (Saas, IaaS, and PaaS) provide dedicated services. However their granularity and difficulty vary, so we converted that a principled description of these services is needed to promote the interoperability among multiple clouds dynamically. 3. RELATED WORK Access control is defined as policy or procedure in order to allow, deny or restrict access to a system. It helps in monitoring and recording of all actions involved to access a system. Access Control identify users attempting to access in an unauthorized way to enhance security. A Mandatory access Control (MAC) which is been used in the Secure Military application whereas the Discretionary Access Controls (DAC) is used in the Security processing of industrial and the Civilian of Government[2]. DAC is not found and it is inappropriate access for many commercial and civilian Government Organisation. The non -discretionary access control and the role-based access control (RBAC)[3] are more central to the secure processing of nonmilitary systems than DAC. Once proxies identify policy conflicts, certain conflict resolution strategies are introduced to resolve them. However, current conflict resolution mechanisms have certain limitations to overcome the problems with dynamic heterogenous environment. For example, current conflict resolution mechanisms such as Extensible Access Control Markup Language (XACML) policies exacerbates the issues because the identified policy conflicts are resolved with selection of one resolution algorithm. Role based Access Control (RBAC) defines job role to deter-mine authorized user access to the system. The role of a user is associated with privileges[4]. So legal agreement should be reached when privileges changes with the role. Access methods supports authorization based on user identity, group affiliations, and the nature of a specific activity. It offers general support for flexible delegation of rights including capability -based access control for slices and other global objects. It enables flexible declarative authorization policies and delegated policy evaluation combining policy rules from multiple entities in thefederated system. The trust structure is more addressed on deploying the proxies for collaboration. Key aspects of trust in federated systems reduce to choices about whose assertions to believe, whose commands to accept, or what sensitive information to reveal and to whom. Trust logic offers a powerful formalism for participating servers to represent these choices with the help of proxies. Our approach factors these choices out of the control framework software: the federation structure emerges from the combination of local policies, and may be changed without modifying the control software. 4. ATTRIBUTE BASED ACCESS CONTROL METHOD An expressive access control model, attributes can specify access control policies on protected objects on basis of subject s properties called identity attributes. Subject s address, organizational role, age, and location of access are used to define identity. Such an attribute-based access control (ABAC)[4] model provides finegrained data access and expresses policies closer to organizational policies. A secured resources and da ta is accessed in controlled manner within the system. However, controlling which users (subjects) can access which computing and network resources is through access control. It also manages users, files and other resources. It

3 controls user s privileges to files or resources (objects). Identification, authentication, autho-rization and accountability are the steps taken in access control systems before actually accessing the resources or the object in general. In early stages of computing and information technology, researchers and technologists realized the importance of preventing users from interfering each other on shared systems. Various access control models were developed. User s identity was the main index to allow users to use the system or its resources. This approach was called Identification Based Access Control (IBAC)[5]. However, with the growth of the networks and the number of users, defending capabity of IBAC for controlling policy conflicts is less. To enhance the dynamism, access control were introduced with advanced concepts which included owner/ group/ public IBAC model doesn t solve the challenges posed in distributed systems. Managing access to the system and resources became hard and vulnerable to errors. A new method known as Role Based Access Control (RBAC) determines user s access to the system based on the Job role. The job role is to be satisfied with the least amount of permissions or functionalities for privilege concept. As a role changes, with privileges, permissions can be added or deleted. However, problems became apparent when RBAC was extended across administrative domains. And it proved difficult to reach an agreement on what privileges to associate with a role. Accordingly, a policy based access control known as Attribute Based Access Control (ABAC) came into existence [ 6]. In ABAC, access is granted on attributes that the user could prove to have such as date of birth or national number. However, reaching to an agreement on a set of attributes is very hard, especially across multiple agencies or domains and organizations. All access control methods rely on authentication of the user at the site, as well as, time taken to request the service. Sometimes authenticated access control may be maintained. Tight cou pling among multiple heterogenous domains becomes a major issue. This is done to merge identities or define the attributes or roles. Furthermore, subsets decision of privileges of an administrator is a challenging approach. ABAC defines certain principles to solve certain policy conflicts that cannot be solved with expressive access control model such as XACML. they are as follows It includes licensing restrictions for dynamic integration into a proprietary system. It involves access control and can fully encompass access control policy of a modern architecture. ABAC policy can be combined with mechanism to provide fine grain control over large data sets. Method(1) is demonstrated for existing working architecture. Method(2) is demonstrated by a working policy defined and (3) is demonstrated by evaluating use case models. Attribute Based Access Control is composed four entities. A Requestor(Req): makes requests to the cloud and undergoes a series of actions on the service. A Service (Serv): software and hardware with a network based interface and pre-defined operations A Resource (Res): one or more cloud services involve in this action with a specific set of state data in XML document. An environment (Env): contains information regarding the decision on access of data with respect to date and time. It may not be related with any entity. ABAC Characterizes hierarchical policy structure based on the concept of abstraction and encapsulation. The attributes of identities is defined in [6] as follows: Attr(Req) { ReqAttr p[1, P ]} p = [ 1, P ]}

4 Attr(Serv) { ServAttr q[1, Q ]} q = [ 1, Q ]} Attr(Res) { ResAttr r[1,r]} r = [ 1, R ]} Attr(Env) {EnvAttr s[1, S]} s = [ 1, S ]} Where P, Q, R and S are the integers and represent the maximum number of attributes for each entity. The ABAC policy design is actually the abstraction of policy components as a super set. Policy = {P m [ I,M ],P m is a policy} Policy evaluation and Policy decision are the two mechanisms used to solve the policy conflicts and avoid security breaches. P n _df() is the policy evaluation function of policy Pn and is defined as: P n _df( Attr(req), Attr(Serv), Attr(Res), Attr(Env) ) = n permit or deny. ABAC[4] allows 4 entities to define attributes in cloud system. It is as follows: ReqAttr1 = Attribute (GID= admin = ####### ) ServAttr1 = Attribute (Special Type = PaaS, Service Name = plateform Creation ) ResAttr1 = Attribute (Computing = Node1 and Node2, networking = switch1 ) EnvAttr1 = Attribute (Service Time = time, domain = Cloud1 and Cloud2 ) Policy decision is made by passing the attributes of the entities to the decision function df () aft er evaluation of policies. Decision_ABAC = df(requestor, Service, Resource, Environment) = P 1 _df(requestor), P 2 _df(service), P 3 _df(source), P 4 _df(environ- ment). 5. RESULTS Initially, the client must register with database required for access is described in Fig In this paper, the proposed frame work must allocate the storage area for the clouds service Provider and must display the available clouds that are in the multi cloud computing environments.

5 Fig 4.1: Database registration The Fig. 4.2 illustrates that client interacts among multiple clouds with authentication. M any resources available in clouds can be accessed through client login. Now, the user can send the request to the CSP to access the resources present in registered clouds and uploaded files. Thus, availability and scalability be advantageous factors in this multi-cloud computing environment with secured access. The interaction among client and cloud or multiple clouds doesn t require prior pre-established agreements and addresses trust, privacy and policies. Fig 4.1: Authentication of client Actually, files are uploaded into the database in Fig. 4.3 before the CSP s receive the request. These files are associated with unique ID to preserve privacy. Fig 4.3: Upload the files. The Fig. 4.4 displays the files uploaded into the clouds.when the user request for the service, if the requested service is not available in that cloud then it route the request among multiple clouds. The files are secured with keys generated using secret sharing algorithm.

6 6. CONCLUSION Fig 4.4: Secured files in clouds Attribute Based Access Control (ABAC) can subsume all access control requirements of the architectures. In this paper, ABAC resolves the problem with one resolution algorithm. This model provides fine -grained data access and expresses policies closer to organizational policies. Proxies used in this framework addresses trust, privacy and policies without using pre-established agreements and collects intermediate results on routing among multiple clouds. Policy set is composed of various policies that need to be supported and have their own decisions and decision making algorithms using identity attributes. It effectively supports multiple policies and provides more flexibility and scalability[8]. REFERENCES [1]Mukesh Singhal and Santosh Chandrasekhar, University of California, Mercedv Tingjian Ge, University of Massachusetts Lowell Elisa Bertino, Purdue University Collaboration in Multi-cloud Computing Environments: Framework and Security Issues IEEE paper year [2]Sushmita Ruj, Milos Stojmenovic, And Amiya Nayak,, " Decentralized Access Control With Anonymousauthentication Of Data Stored In Clouds", Ieee Transactions On Parallel And Distributed Systems, Vol. 25, No. 2, February 2014sushmita Ruj, Milos Stojmenovic, And Amiya Nayak,, " Decentralized Access Control With Anonymous authentication Of Data Stored In Clouds", IEEE Transactions On Parallel And Distributed Systems, Vol. 25, No. 2, February [3]Ferraiolo DF and Kuhun DR Role Based Access Control. Proceeding of 15 th National Computer Security Conference, Baltimore MD. pp [4]D.R. Kuhn, E.J. Coyne, and T.R. Weil, Adding Attributes to Role- Based Access Control, IEEE Computer, vol. 43, no. 6, pp , June [5]T. Barton et al Identity Federation and Attribute Based Authorization through the Globus Toolkit, Shibboleth, Gridshib and My Proxy. [6] Access Control In Cloud Computing Environment by Abdul Raouf Khanon may 2012 ARPN Journal of Engineering and Applied Sciences. [7] Attribute-Based Access Control for Distributed Systems by David J. B. Cheperdak B.Sc., University of Victoria, [8]An Intelligent Technique for Framework and Security Issues Association in Multi Cloud Environment J Manjuvani 1, Bhaludra Raveendranadh Singh 2, K Laxmi 3, Moligi Sangeetha International Journal of Computer Trends and Technology (IJCTT) volume 16 number 5 Oct 2014