Access Control Framework of Personal Cloud based on XACML




1 Jun-Young Park, 2 Young-Rok Shin, 3 Kyoung-Hun Kim, 4 Eui-Nam Huh
1 First Author, 2 Kyung Hee University, {parkhans, shinyr}@khu.ac.kr
3 Gangdong College, iioii.net@gmail.com
*4 Corresponding Author, Kyung Hee University, johnhuh@khu.ac.kr

International Journal of Advancements in Computing Technology (IJACT), Volume 5, Number 13, September 2013

Abstract

Collaboration services have been receiving a great deal of attention from personal users in cloud computing. However, collaboration services have many problems in terms of privacy and security. When a user accesses a cloud computing service, the cloud service provider can easily obtain and collect personal information without permission from the user. To solve this problem, we define the requirements of personal cloud Access Control (AC) and propose an AC framework based on the personal cloud service reference model.

Keywords: Personal Cloud Security, Cloud Access Control

1. Introduction

Currently, many personal cloud services are provided by global IT companies, and cloud computing services have garnered a great deal of attention from personal users. Personal users have been increasingly utilizing cloud services, and problems related to user privacy have increased accordingly. Cloud service providers offer convenient services to individual users; however, they can also easily obtain and collect personal information without permission from users. Therefore, cloud computing services and their security frameworks need privacy protection that conceals user information from cloud service providers.

The personal cloud is a popular concept these days. It describes a user-centric service model of cloud computing with which a user is able to access their personal contents and services anytime, anywhere and with any device [1, 2 and 5]. The Personal Cloud can be divided into three categories: Online Storage, WebTop, and Web-based Applications [1]. Each of these frees up resources, either in terms of processing power, as in the case of Web-based applications, or in the case of an Internet-based desktop (known as WebTop), where any computer with an Internet connection can become our personal computer via a Web browser.

• Online Storage gives users a reliable and secure place to store user data such as documents, MP3s, or movies. The user is able to access their personal storage wherever there is an Internet connection, using whatever device the user has.
• Web-Based Applications such as Google Docs are another very recent advance in personal cloud computing. Hosted software applications do not have to be downloaded and installed on the user's computer or mobile devices.
• WebTop service is slightly different from the two mentioned above, as its goal is to recreate the highly personalized setting of the user's own desktop with an online version that can be accessed anywhere with an Internet connection. For example, when the user is away from her desk, WebTop allows access to the information that was formerly found only on the desktop of the user's own computer, such as contacts, e-mail, and files, through a personalized and familiar desktop with synchronization tools.

The Personal Cloud must provide integrated storage and management services, because the Personalized Content Service is distributed and managed through each device and web service. The personalized content service provides an environment for the storage, operation and management of downloaded public contents (e.g. movies, music, dramas, etc.), together with management tools and personalized retrieval. The Privacy Service needs to protect personal information that is shared in order to provide services based on individual personal information. It is possible to protect personal information and user personal data (videos, pictures, files, etc.) among users, service providers, and a data auditor through double encryption, even if data leakage and loss occur [2].

In this paper, Section 2 gives an overview of the related existing AC methods. Section 3 defines the requirements and proposes a personal cloud AC framework and use-case. Section 4 analyzes the proposed framework through a comparison with distributed access control. Section 5 concludes the paper.

2. Related Access Control Methods

Several researchers have previously addressed the access control issues of cloud computing [9-10]. Personal Cloud AC employs XACML and RBAC based on the Personal Cloud reference model. We also need to look into the Distributed Access Control Architecture (DACA) for a performance evaluation.

2.1 XACML

The eXtensible Access Control Markup Language (XACML) defines the syntax for a policy language and the semantics for processing those policies. There is also a request and response format to query the policy system, and semantics for determining the applicability of the policies to requests [4].

2.2 Role-Based Access Control (RBAC) [3]

The authors of [3] presented Role-Based Access Control (RBAC), in which roles are created by the system administrator to represent specific task competencies that determine the resource types and what each role can access. Individual users are assigned to certain roles according to their job functions. Each role is associated with a set of permissions. A many-to-many mapping exists between users and roles and between roles and permissions.

2.3 A Distributed Access Control Architecture (DACA) for Cloud Computing

The distributed access control architecture for multitenant and virtualized environments is based on principles from security management and software engineering. As shown in Figure 2, this architecture consists of an Access Control Module (ACM, Figure 1), a Virtual Resource Manager (VRM), and a Service-Level Agreement (SLA, Figure 1) [6]. They adopted an XML-based specification due to its compatibility with the emerging standards for cloud systems and security protocols, with the ultimate goal being that the proposed architecture should be interoperable with complementary security protocols for cloud systems [7].

Figure 1. AC Module and SLA Module

Figure 2. DAC Architecture

3. Personal Cloud Access Control

3.1 Requirements of Personal Cloud AC

We define the following requirements for Personal Cloud access control, which a generic AC model for collaborative environments should support:

• Compatibility with Previous Security Policy: Access control of personal cloud services must be compatible with the security policies of existing services, web services, or cloud services, rather than creating individual service-based security policies.
• Establish an Individual Security Policy: Personal cloud service is managed independently by Cloud Service Providers (CSPs). In this sense, each CSP should establish an individual security policy to manage them.
• Cloud Service Collaboration and Inter-Cloud: A user and service should be certified automatically in corresponding services for cloud service collaboration and inter-cloud by the AC model.
• User Privacy Guarantee: The access control model should be able to protect against any violations of privacy in the personal cloud. A CSP manager can violate user privacy, so the model should support user privacy protection from the CSP by using a temporary ID.
• 3rd-Party Auditor: The access control model needs a trusted 3rd-party auditor for verification and compliance regarding the collaboration service.
• Access Control based SLA: All of the service providers should ensure an SLA for the QoS based on established access control policies.

3.2 Personal Cloud AC Framework

This framework employs a well-known access control scheme such as RBAC, XACML, etc. In this sense, our proposed framework can be adopted by the other existing access control systems. Figure 3 shows the Personal Cloud AC framework, and the descriptions are as follows:

Figure 3. Personal Cloud AC Framework

• The User (Client) requests service access to the CoSP using their own device with personal information.
• The Collaboration Service Provider (CoSP) provides user authentication by the 3rd-party SP.
  - Policy Enforcement Point (PEP): With the service access request, the PEP verifies credentials from the 3rd-party SP regarding user authentication in accordance with the user's service information. Once the credentials are verified, it issues an access token based on the service information and authority.
• The Cloud Service Provider (CSP) is composed of PDP, PIP, and PAP, which are described as follows, and it is able to generate, determine, store and delete the security policy.
  - Policy Decision Point (PDP) requests the access policy and user role information in order to verify authority. The permission check module compares the access control list, user role and access policy, and then decides permission.
  - Policy Information Point (PIP) stores the security-policy-related cloud service information and the user permissions for each service.
  - Policy Administration Point (PAP) manages the security policy and policy list.
• The 3rd-Party Service Provider (SP) is in charge of user authentication and audit concerns for all service providers.

3.3 Use-case of the Personal Cloud AC Framework

The proposed Personal Cloud AC Framework supports not only a single cloud provider but also multiple cloud providers. This framework is also designed to focus on the collaboration contents service, so we need to examine cases of the Personal Cloud AC Framework in multiple cloud provider environments.

Figure 4. Use-cases of the Personal Cloud AC Framework

Figure 4 depicts two scenarios in which a user requests access to the service. Scenario (A) shows one access token including two authorizations for collaboration services. It must delegate the authorization and services. In scenario (B), the user requests access to both services at once. This scenario needs to merge both services in the CoSP.

4. Performance Analysis

Table 1. Access Control System Parameters and Costs

Notation    Meaning                                              Cost
N           # of CSP                                             -
U_Req       Packet cost of user request for service              0.001
PEP_Proc    Processing cost for processing user request in PEP   0.003
ED_Trans    Transmit cost between PEP and PDP                    0.001
PDP_Proc    Processing cost for processing user request in PDP   0.003
DE_Trans    Transmit cost between PDP and PEP                    0.001
DD_Trans    Transmit cost between PDP1 and PDP2                  0.001
C_T         Total cost                                           -
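The PEP/PDP split of Section 3.2 and the single-token flow of scenario (A) in Section 3.3, as an added example that is not code from the paper. The HMAC-protected token format, the key shared between the PEP and the PDPs, and every ID, role and policy entry are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Assumption: the PEP and the CSPs' PDPs share one MAC key (not in the paper).
PEP_KEY = secrets.token_bytes(32)

# PAP: policy list per CSP service, role -> permitted actions (constructed).
PAP = {"storage": {"editor": {"read", "write"}, "viewer": {"read"}},
       "docs": {"editor": {"read", "write"}}}
# PIP: role of each temporary ID per service; the CSP never sees a real identity.
PIP = {"storage": {"tmp-7f3a": "viewer"}, "docs": {"tmp-7f3a": "editor"}}
# 3rd-party SP: authenticated credentials mapped to temporary IDs (constructed).
SP_SESSIONS = {"cred-alice": "tmp-7f3a"}


def _mac(payload: bytes) -> str:
    return hmac.new(PEP_KEY, payload, hashlib.sha256).hexdigest()


def pep_issue_token(credential: str, requests: dict) -> Optional[dict]:
    """PEP (in the CoSP): check the credential with the 3rd-party SP, then
    issue one token carrying every requested authorization (scenario A)."""
    temp_id = SP_SESSIONS.get(credential)
    if temp_id is None:
        return None  # authentication failed, so no token is issued
    body = json.dumps({"sub": temp_id, "authz": requests}, sort_keys=True)
    return {"body": body, "mac": _mac(body.encode())}


def pdp_decide(service: str, token: dict) -> str:
    """PDP (in one CSP): verify the token, fetch the role from the PIP and
    the policy from the PAP, then decide. Anything unknown is denied."""
    if not hmac.compare_digest(_mac(token["body"].encode()), token["mac"]):
        return "Deny"  # token was altered after the PEP issued it
    claims = json.loads(token["body"])
    action = claims["authz"].get(service)
    role = PIP.get(service, {}).get(claims["sub"])
    allowed = PAP.get(service, {}).get(role, set())
    return "Permit" if action in allowed else "Deny"


def authorize_chain(token: Optional[dict], services: list) -> dict:
    """Scenario (A): the same token is passed from one CSP's PDP to the next."""
    if token is None:
        return {s: "Deny" for s in services}
    return {s: pdp_decide(s, token) for s in services}


if __name__ == "__main__":
    tok = pep_issue_token("cred-alice", {"storage": "read", "docs": "write"})
    print(authorize_chain(tok, ["storage", "docs"]))
```

Each PDP decides only from the temporary ID and its own PIP/PAP data, which is the separation the User Privacy Guarantee requirement in Section 3.1 asks for.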

We compared the performance of the DACA and the Personal cloud Access Control Framework (PACF) with scenarios A and B. As shown in Table 1, we defined the access control system parameters and the benchmark costs of the PEP and PDP processing [8]. In practice, the DACA is not designed for the authentication process. Therefore, the performance analysis is focused on a comparison of the policy process costs. We also assume that all of the transmit costs and U_Req are 0.001, and we exclude the SLA module and the authentication process.

4.1. DACA workflow

The DACA has a PEP and a PDP in a Cloud Service Provider (CSP). The DACA sequence diagram is shown in Figure 5, based on the Access Control Module (ACM).

Figure 5. Sequence Diagram of DACA

As shown in Figure 5, if the user requests authorization to access N CSPs, the DACA needs authorization from each CSP. Therefore, the total cost, C_T_DACA, is calculated as follows:

_ = + + + + + + + + + + (1)

So,

_ = + ( + + + ) (2)

4.2. Workflow of PACF (A)

The PACF consists of a PEP in the CoSP, an outsourced 3rd party, and a PDP in the CSP. The PEP is operated in the CoSP and is independent from a CSP. If an authorization is requested for multiple services, the PEP generates the access token for accessing multiple services and then transfers the access token to the first PDP in CSP1. The first PDP checks permission and then transfers it to the second PDP. In this case (A), the PEP generates one access token and provides successive authorization as follows:

Figure 6. Sequence Diagram of (A)

The total cost of (A) of the PACF, C_T_PACF_A, is calculated as follows:

_ _ = + + + + + + + (3)

So,

_ _ = + + + ( + )+ (4)

4.3. Workflow of PACF (B)

PACF (B) shows the case in which there are authorization requests for multiple services at once, in which case the PEP generates N access tokens and then transmits the access tokens to each PDP in the CSPs. Each PDP checks the permissions individually as follows:

Figure 7. Sequence Diagram of (B)

The total cost of (B) of the PACF, C_T_PACF_B, is calculated as follows:

_ _ = + + + + + (5)

So,

_ _ = + + ( + ) (6)

4.4. Performance Analysis

We compared DACA, PACF_A and PACF_B in Figure 8.

Figure 8. Performance for Cost Analysis

As shown in Figure 8, even though the DACA is similar to the other scenarios in a single cloud environment, its cost increases as the number of CSPs increases. The cost of PACF_A and PACF_B, however, increases less as the number of CSPs increases. This cost analysis shows that PACF is appropriate when providing collaboration services.

5. Conclusion

In this paper, we designed an access control framework based on user requirements, considering a personal cloud environment and cloud collaboration services. Privacy and security for individual users must be considered in the personal cloud. However, many previous studies have not focused on this area, and many questions remain unanswered.

The contributions of this paper are three-fold. First, we propose Personal Cloud Access Control based on XACML. According to this concept, the Personal Cloud Access Control largely supports access control systems based on XACML. The proposed access control is focused on compatibility with the existing access control systems. Second, our proposed model offers independent management of the cloud service provider and flexible expandability through the division between PEP and PDP (including PIP and PAP). Finally, this framework supports user-centric collaboration services using an access token process.

In the future, we will design more detailed authentication and authorization components. We will also make improvements to adapt our framework to more practical cloud environments.

6. Acknowledgements

This work was supported by the IT R&D program of MKE/KEIT [10035321, Terminal Independent Personal Cloud System]. The Corresponding Author is Eui-Nam Huh.

7. References

[1] Jose Rivera, Cloud Computing for Personal Use, The Epoch Times, 2010.02.15.
[2] Eui-Nam Huh, Definition and Requirement Analysis of Personal Cloud Service, TTA Standard of Korea, 2011.12.
[3] Sandhu, R.S., Coyne, E.J., Role-Based Access Control Models, IEEE Computer (IEEE Press), vol. 29, no. 2, pp. 38-47, 1996.
[4] R. Yavatkar, D. Pendarakis, R. Guerin, A Framework for Policy-based Admission Control, IETF Standard, RFC 2753, 2000.01.
[5] Sang-ho Na, Jun-young Park, Eui-nam Huh, Personal Cloud Computing Security Framework, IEEE APSCC 2010, 2010.12, pp. 671-675.
[6] Almutairi, A., Sarfraz, M., A Distributed Access Control Architecture for Cloud Computing, IEEE Software, vol. 29, no. 2, 2012.03, pp. 36-44.
[7] R. Bhatti, E. Bertino, and A. Ghafoor, X-Federate: A Policy Engineering Framework for Federated Access Management, IEEE Trans. Software Eng., vol. 32, no. 5, 2006, pp. 330-346.
[8] Adam Bates, Ben Mood, Towards secure provenance-based access control in cloud environments, ACM CODASPY '13, 2013.02, pp. 277-284.
[9] D. Nurmi, R. Wolski, The Eucalyptus Open-Source Cloud-Computing System, Proc. 9th IEEE/ACM Int'l Symp. Cluster Computing and the Grid (CCGRID 09), IEEE CS, 2009, pp. 124-131.
[10] S. Berger, D. Pendarakis, Security for the Cloud Infrastructure: Trusted Virtual Data Center Implementation, IBM J. Research and Development, vol. 53, no. 4, 2009, pp. 560-571.