Chapter 2 Taxonomy and Classification of Access Control Models for Cloud Environments

Transcription

1 Chapter 2 Taxonomy and Classification of Access Control Models for Cloud Environments Abhishek Majumder, Suyel Namasudra and Samir Nath Abstract Cloud computing is an emerging and highly attractive technology due to its inherent efficiency, cost-effectiveness, flexibility, scalability and pay-per-use characteristics. But alongside these advantages, many new problems have also surfaced and some of these issues have become a cause of grave concern. One of the existing problems that have become critical in the cloud environment is the issue of access control and security. Access control refers to a policy that authenticates a user and permits the authorized user to access data and other resources of cloud-based systems. In access control, there are several restrictions and rules that need to be followed by the users before they can access any kind of data or resource from the cloud-based servers. In this context, there are many access control models suggested by researchers that currently exist. In this chapter, a brief discussion of the various access control models has been presented. Moreover, the taxonomy of access control schemes has also been introduced. Finally, based on the analysis of the mechanisms adapted therein, the access control models are classified into different classes of the proposed taxonomy. Keywords Access control models Taxonomy Classification Cloud environment Identity-based Non identity-based Centralized Collaborative 2.1 Introduction Cloud computing is an emerging computing paradigm that relies on sharing of resources rather than having local servers or personal devices to handle applications and data. Cloud computing is a synonym for distributed computing over a network. A. Majumder ( ) S. Namasudra S. Nath Department of Computer Science & Engineering, Tripura University, Suryamaninagar, Tripura West, Tripura, India [email protected] S. Namasudra [email protected] S. Nath [email protected] Z. Mahmood (ed.), Continued Rise of the Cloud, Computer Communications and Networks, DOI / _2, Springer-Verlag London

2 24 A. Majumder et al. The term cloud in cloud computing can be defined as a combination of hardware, networks, storage, services and interfaces to deliver aspects of computing resources.a cloud-based service includes the delivery of software, infrastructure and storage over the Internet, based on user requirements and demands. These services are provided on demand, as and when consumers require. Cloud computing is a rapidly developing area in information technology (IT). In fact, it has revolutionized the software industry. Because of the current growth of IT and database (db) system, there is an increased need for confidentiality and privacy protection. Access control has been considered as a major issue in the information security community. Through access control, the system restricts unauthorized users to access resources and guarantees confidentiality and integrity of its resources and valid consumers. But traditional access control models (ACMs) primarily consider static authorization decisions based on the subject s permissions on target objects. The goal of cloud computing is to realize the network as a high-performance computer. It allows the users to have all their data in the cloud and get all kinds of services from the cloud using their Internet terminal equipment. In this way, all users become capable of running processes and storing data in the cloud. There are three requirements for cloud services: Cloud service provider (CSP) must be able to specify access control policies for users to access data and other resources. An organization must be able to enforce more access control policies on its user requests for resources of the organization. When an organization wants to use a cloud service, it must map its policies on access control policies of the CSP. This mapping of policies may be violated. Therefore, an organization can prevent violation of its policies by enforcing more policies on access requests. Data owner (DO) must be able to offer cloud services to consumer. Cloud services are accessed using some kind of network, e.g. Internet. But the Internet has many security issues because of its vulnerabilities to hackers and other threats. Therefore, cloud services will face a larger number of security issues. Many security policies and technologies for web services are already available. These techniques can have significant impact on resolving security issues of cloud service. Of all the security issues, access control is an important issue. Traditional ACMs cannot be applied directly in cloud environment because of their static nature. A large amount of resource, huge number of dynamic users, dynamic and flexible constructions are some important characteristics of cloud services which should be considered in ACMsaccess control models for cloud computing. Each autonomous domain in a cloud system has its own security policy. So it is important that the access control be flexible enough to have these multiple policies in multiple domains. Many access control scheme for cloud computing have already been proposed. In this chapter, a detailed discussion on various access control schemes has been presented. Moreover, the taxonomy of these ACMs has been proposed. The organization of the chapter is as follows. Section 2.2 provides an overview of the concept of access control and the necessity of access control models ACMs. Section 2.3 provides an in-depth analysis of the various existing ACMs. In Sect. 2.4,

3 2 Taxonomy and Classification of Access Control Models for Cloud Environments 25 the importance of taxonomy of ACMs has been discussed and Sect. 2.5 introduces the taxonomy of ACMs. Finally, the chapter concludes with Sect Access Control Access control [19] is generally a mechanism or procedure that allows, denies or restricts user access to a system. It is the process of deciding who can use specific system, resources and applications. An ACM is defined as a set of criteria a system administrator utilizes to define the system user s right. This ensures that only authorized users can access the data, and it also monitors and records all attempts made to access a system. It is a very important component of cloud security. Nowadays, a large number of distributed open systems are being developed. These systems are like virtual organizations. The relationship between users and resources is dynamic. In these systems, users and DOs are not in the same security domain. Users are normally identified by their attributes or characteristics and not by their predefined identities. In such cases, the traditional ACMs are not very much suitable and therefore many access control schemes have been developed. All ACMs rely on authentication of the user by the site at the time of request. Sometimes they are labelled as authentication-based access control. ACM provides security to the resources or data by controlling access to the resources and the system itself. However, access control is more than just controlling which users can access a computing or a network resource. In addition, access control manages users, files and other resources. It controls user s privileges to files or resources or data. In ACM, various steps like identification, authentication, authorization and accountability are performed before a user actually accesses the resources or the original objects Issues and Challenges Access control is a useful mechanism, but it has a number of issues that need to be addressed: DO must always be online for providing access right (AR) and authorization certificate. When a user makes a request for accessing data, the CSP must check the whole system for providing data, therefore the searching cost gradually increases. Because of searching the whole system for providing data, accessing time becomes higher. When a user wants to access data from an outside server, the user faces a lot of problems because he/she must be registered outside his/her domain. Data loss is a very serious problem in cloud computing while accessing data. If the vendor closes due to financial or legal problems, there will be a loss of data for the customers. The customers would not be able to access those data.

4 26 A. Majumder et al. Granularity (fine grained) is one of the most important issues in cloud computing while accessing data. When data are on a cloud, anyone can access it from any location. Access control algorithms should differentiate between a sensitive data and a common data, otherwise anyone can access sensitive data. There is a high possibility that the data can be stolen by a malicious user. The customer does not know where the data are located in cloud server. The vendor does not reveal where all the data are stored. Data may be located anywhere in the world, which may create legal problems over the access of the data. 2.3 Access Control Models This section presents a detailed discussion and analysis of different ACMs Mandatory Access Control Model Mandatory access control (MAC) model [2] can be defined as a means of restricting access to objects based on the sensitivity of the information contained in it and the authorization of subjects. Whenever a subject attempts to access an object, an authorization rule enforced by the administrator examines the security attributes and decides whether the access to the object can be given. MAC is the most important ACM amongst the available ACMs. It takes a hierarchical procedure to control access of resources or data. MAC focuses on controlling disclosure of information by assigning security levels to objects and subjects, limiting access across security levels and consolidating all classification and access controls into the system. It is relatively straightforward and is considered as a good model for commercial systems that operate in hostile environments where the risk of attack is very high. In MAC, the policy set-up and management are performed in a secured network and are limited to system administrators. It is a type of access control where the central administrator controls all the tasks. The administrator defines the usage and access policy, which cannot be modified by the user. The policy defines who can have access to which data or resources. MAC can be used in the military security [8] for preserving information confidentiality. The main advantage of MAC is its simplicity. It also provides higher security because only a system administrator can access or alter controls. Moreover, MAC facilitates the use of multilevel security [8]. The disadvantage of MAC is that the central administrator is the single point of failure. It does not ensure fine-grained least privilege, dynamic separation of duty and validation of trusted components. Moreover, in MAC, users need permission from the central administrator for each and every activity. MAC model is difficult and expensive to implement due to its reliance on trusted components and the necessity for applications.

5 2 Taxonomy and Classification of Access Control Models for Cloud Environments Discretionary Access Control Model Discretionary access control (DAC) restricts access of objects within the group of users to which they belong. A user or subject, who is given a discretionary access to a resource, is capable of passing the access to another subject. This model adopts the concept of object ownership. Here, the owner of the object is authorized to grant its access permissions to other subjects. In DAC [2], separate rules for each or a group of user are defined. Access to system resource is controlled by the operating system [31]. DAC allows each user or a group of user to access the user s or the group s data. It is a type of access control in which a user has complete control over all the programs the user owns and executes. The user can also give permission to other user to use the user-owned files or program. DAC is a default access control mechanism for almost all operating systems. It is very flexible and widely used in commercial and government sectors. In DAC, an access control list (ACL) is maintained. ACL is a tabular representation of subjects mapped to their individual ARs over the objects. It is effective but not much time efficient, with less number of subjects. In DAC, the system knows who the user of a process is but does not know what rights the user has over the objects of the system. Therefore, for creation and maintenance of ACL, the system either performs a right lookup on each object access or somehow maintains the active ARs of the subject. Because of this right management issue, modification of multi-object rights for individual users becomes difficult. The main advantage of this model is that a user can give their ARs to another user belonging to same group. DAC focuses on fine-grained access control of objects through the access control matrices [21] and object-level permission modes. The main problem is that ACL does not scale well on systems with large numbers of subjects and objects. Maintenance of the system and verification of security principles are extremely difficult in DAC because the users control ARs of their own objects. Lack of constraints on copying of information from one file to another makes it difficult to maintain safety polices Attribute-Based Access Control Model In attribute-based access control (ABAC) [2], the access control decisions are taken based on the attribute of the requestor, the service, the resources and the environment. Here, access is granted on the basis of attributes that the user could prove to have such as date of birth or social security number (SSN). But setting these attributes is very difficult. The ABAC system is composed of three parties, namely DO, data consumers, cloud server and third-party auditor, if necessary. To access the data files, shared by DO, data consumers or users can download the data files of their interest from the cloud server. After downloading, consumers decrypt the file. Neither the DO nor the user will be online all the time. They come online if necessary. The ABAC provides policy for sensitive data. It allows an organization to maintain its autonomy while collaborating efficiently. The ABAC is composed of four entities:

6 28 A. Majumder et al. Fig. 2.1 Health-care scenario Requestor: It sends request to the cloud and invokes action on the service Service: In this section, software and hardware provide services Resource: Resources are shared among the cloud services. When a user sends a request for a particular data or resource which is not present in that cloud service, the resource will be gathered from another service Environment: It contains information that might be useful for taking the access decision such as date and time Each data file can be associated with a set of attributes which are meaningful in the area of interest [19]. The access structure of each user is defined as a unique logical expression of these attributes to reflect the scope of user AR over data files. As the logical expression can represent any desired data file set, fine graininess of data access control is achieved [41]. To enforce this access structure, a public key component for each attribute is defined. Data files are encrypted using a public key component corresponding to their attributes. User secret keys are defined to reflect their access structures so that a user can easily decrypt a cipher text if and only if the data file attributes satisfy the user s access structure. If this mechanism is deployed alone, there will be heavy computational overhead. Specifically, problem will arise when a user wants to revoke from the server, which requires the DO to re-encrypt all the data files accessible to the leaving user. To resolve this problem and make the mechanism suitable for cloud computing, proxy re-encryption is combined with key policy-attribute-based encryption. This enables the DO to delegate most of the computation-intensive operations to cloud servers without disclosing the file contents. Here, data confidentiality is achieved because cloud servers cannot read the plain text of the DO. Figure 2.1 presents a scenario of a health-care centre. For each data file, the DO assigns a set of meaningful attributes. Different data file can have a common set

7 2 Taxonomy and Classification of Access Control Models for Cloud Environments 29 of attributes. Cloud servers keep an attributes history list (AHL) which keeps the version evolution history of each attribute. There are proxy re-encryption [1] keys. In the ABAC, there is a dummy attribute (Att D ). The main duty of the Att D is key management. The Att D is required in every data file s attribute set and will never be updated in future. The access structure of each user is implemented by an access tree. For key management, the root node must be an AND gate, and one child of that root node is a leaf node which is associated with the Att D. The Att D is not attached to any other node. The ABAC allows fine grandness of data access without disclosing the data contents in a cloud server. But the ABAC does not provide data confidentiality and scalability simultaneously Role-Based Access Control Model The role-based access control (RBAC) [14] determines the user access to the system by the job role. The role of a user is assigned based on the latest privileges concept. It is defined by the minimum amount of permissions and functionalities that are necessary for the job to be done. Permissions can be added or deleted if the role changes. Access control decisions are often determined by the individual roles users play as part of an organization. This includes the specification of duties, responsibilities and qualifications. For example, the roles in a bank include user, loan officer and accountant. Roles can also be applied to military system. Analyst, situation analyst and traffic analyst are common roles in a tactical system. The RBAC is based on access control decisions which allow user to access data within the organization. ARs are grouped by role name and access to resources is restricted to users who have been authorized to assume the associated role. The users cannot pass access permissions to the other users. For example, if an RBAC system is used in a hospital, each person who is allowed to access the hospital s network has a predefined role (doctors, nurse, lab technician, etc). RBAC is used in many applications [3, 13, 22] such as mobile application and naming and grouping of a large db. All roles are group of transactions. A transaction can be thought of as a transformation procedure [10] plus a set of associated data items. Each role has an associated set of individual members. The RBAC provides a many-to-many relationships between individual users and ARs. Figure 2.2 shows the relationship between individual users, roles/groups or transformation procedures and system objects. The RBAC can be described in terms of sets and relations. These sets and relationships are as follows: For each subject an active role is assigned which is currently used by the subject. It is denoted as: AR (s = subject) = [the active role for subject s]. Each subject may be authorized to perform one or more roles. It is denoted as RA (s = subject) = [authorized roles for subject s].

8 30 A. Majumder et al. Fig. 2.2 How to assign a role for a particular user Each role may be authorized to perform one or more transactions. TA (r = role) = [transaction authorized for one role]. Subjects may execute transactions. The execution operation will be performed if a subject can execute transaction at the current time otherwise execution operation will not be performed. exec (s = subject, t = tran) = [true if and only if subject s can execute transaction t]. In RBAC, for accessing the data or communicating with the cloud server, the users should give their identity and then must satisfy the following three basic rules: Role assignment: A subject can execute a transaction only if the subject has selected or been assigned a role, i.e. s = subject, t = tran, (exec (s, t) AR(s) = Null). Role authorization: A subject s role must be authorized for the subject, i.e. s: subject (AR (s) RA (s)). With the previous rule, this rule ensures that users can take one role for which they are authorized. Transaction authorization: A subject can execute a transaction only if the transaction is authorized for the subject s active role, i.e. s = subject, t = tran, (exec (s, t) t TA(AR (s))). With the rule of role assignment and role authorization, transaction authorization ensures that the users can execute only a transaction for which they are authorized. Because the condition is only if, the transaction authorization rule allows additional restriction on a transaction [14]. That is, the rule does not guarantee a transaction to be executed just because it is in TA (AR (s)). This would require a fourth rule to enforce control over the modes. Fourth rule is: s: subject, t: tran, o: object, (exec(s, t) access(ar(s), t, o, x)), where x is a mode of operation like read, write, append, etc. RBAC is a non-dac mechanism which allows and promotes central administration of an organizational-specific security policy [28]. That means administrative task consists of granting and revoking membership to the set of specified roles within the

9 2 Taxonomy and Classification of Access Control Models for Cloud Environments 31 Fig. 2.3 The VPC gateway connections system. For example, when a new user enters the organization, administration simply grants membership to an existing role. When a user s function changes within the organization, the user membership to the user s existing roles can be easily deleted and new roles can be granted. At last, when the user leaves the organization all memberships to all roles are deleted. The main problems arise on RBAC when it is extended across administrative domain of the organization Gateway-Based Access Control Model The gateway-based access control (GBAC) [38] enables the users in a private cloud to access resources of other collaborative private clouds transparently, dynamically and anonymously. The GBAC is mainly based on a gateway. For each and every organization, there is a gateway which is responsible for converting the user s original data into Security Assertion Markup Language (SAML). Then this SAML goes to the target organization. Here, the gateway plays a vital role for communication of data. It enables a secure connection between the two private clouds. In order to complete a task, several enterprises will form a collaborative cloud so that they can share data. As a collaborative cloud is task oriented, the users involved in that task make a virtual team. The team members are dynamic and anonymous to the peer clouds. They may use a third party to communicate with each other because the peer cloud may not have the same platform for communication. Figure 2.3 shows a gateway connection of a virtual private cloud (VPC). In a VPC [30], a user in one cloud is able to access the resources in a peer cloud. As shown in Fig. 2.3, there are two layers. The first and the second layers are used to implement inter-enterprise and intra-enterprise securities, respectively. In interenterprise layer, there are two units, namely the network security unit (NSU) and the data security unit (DSU). When two organizations want to communicate with

10 32 A. Majumder et al. each other, the NSU deals with security function. The NSU checks for virus in the system. It works as a local gateway. The DSU implements security functions such as authorization, authentication, access control, confidentiality and privacy for any transaction between the two private (or enterprise) clouds. TheVPC will be compliant with the existing private cloud and require little change to the inter-enterprise layer. When a user from a collaborative cloud wants to make use of the resource of a peer cloud, the user should be treated as a user of the target cloud. Thus, the gateway will ensure the security of the cloud. The gateway includes the following components: Traffic collection unit: It collects traffic from network devices such as routers and servers. Traffic processing unit: It classifies the traffic data and records information such as Internet protocol (IP) source and destination addresses along with timestamps inadb. NSU: It comprises firewall, intrusion detection system (IDS) and virus scanner, etc., which handles security function as local legacy gateway. When a threat is identified, it notifies the response unit. DSU: It uses the db in traffic processing unit along with the rules from policy management unit to analyse network traffic. When a threat is identified, it notifies the response unit. Policy management unit: It provides predefined rules for the behaviour of analysis unit to identify the network. Response unit: When threats are detected, it notifies the alarm reporting and security configuration management who in turn will react accordingly. In GBAC, there is a unit called management organization unit (MOU) [39]. MOU may be installed in each computer of the enterprise in order to reduce the burden of the security gateway and to reduce the risk of information leakage. In GBAC, the users can access three types of resources: Access to inter-cloud resources: In an enterprise, any user can be verified using the legacy authentication mechanism. If a gateway is assigned for a special user of the enterprise, the user and the gateway can be authenticated [42] via the enterprise s internal mechanism. As shown in Fig. 2.4, when a user wants to access the resource of a collaborative enterprise, the user sends a request to the local authenticator A1, containing the user s authentication information. The user notifies the local gateway to send its credential to the local authenticator A1. After the local authenticator A1 verifies its authenticity, it sends the request to the gateway G1. The gateway G1 translates the request into an SAML format [32], replaces the requestor with an authorized identity, and signs on the translated request. Then it sends the request to the target gateway G2. The target gateway G2 verifies the request based on the signature of the sending gateway G1 and translates the standard request format into its own request format. G2 sends the request to its own authenticator A2. After A2 authenticates the request, the user can access the resource of service.

11