Skip to main content
SpringerLink
Log in

Trust-Based Access Control for Secure Cloud Computing

  • Chapter
  • First Online:
High Performance Cloud Auditing and Applications

Abstract

Multi-tenancy, elasticity and dynamicity pose several novel challenges for access control in a cloud environment. Accessing subjects may dynamically change, resources requiring protection may be created or modified, and subject access requirements to resources may change during the course of the application execution. Users may need to acquire different permissions from different administrative domains based on the services in cloud computing environment. Traditional identity-based access control models such as attribute-based access control (ABAC), role-based access control (RBAC), discretionary access control (DAC), or mandatory access control (MAC) cannot be applied directly in clouds. In this chapter, we explore challenges of cloud access control, identify desirable properties of access control models, and introduce the novel graph-theoretic semantics of access control model. We specify how authorization occurs in the proposed model, and present how to incorporate features such as separation of duty (SoD).

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 129.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 169.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 169.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Abadi, M., Fournet, C.: Access control based on execution history. In: Proceedings of the 10th Annual Network and Distributed System Security Symposium, NDSS’03, San Diego. The Internet Society (2003)

    Google Scholar 

  2. Bauer, L., Schneider, M.A., Felten, E.W.: A general and flexible access-control system for the web. In: Proceedings of the 11th USENIX Security Symposium, San Francisco, pp. 93–108. USENIX Association, Berkeley (2002)

    Google Scholar 

  3. Bertino, E., Bonatti, P.A., Ferrari, E.: TRBAC: a temporal role-based access control model. ACM Trans. Inf. Syst. Secur. 4(3), 191–233 (2001). doi:10.1145/501978.501979

    Article  Google Scholar 

  4. Bhatti, R., Joshi, J., Bertino, E., Ghafoor, A.: Access control in dynamic XM-based web-services with X-RBAC. In: Proceedings of the 1st International Conference on Web Services, San Diego, pp. 243–249. CSREA Press (2003)

    Google Scholar 

  5. Bhatti, R., Bertino, E., Ghafoor, A.: A trust-based context-aware access control model for Web-services. Distrib. Parallel Databases 18(1), 83–105 (2005). doi:10.1007/s10619-005-1075-7

    Article  Google Scholar 

  6. Blaze, M., Feigenbaum, J., Lacy, J.: Decentralized trust management. In: Proceedings of the 17th IEEE Symposium on Security and Privacy, SP’96, Oakland, pp. 164–173. IEEE Computer Society, Washington, DC (1996)

    Google Scholar 

  7. Blaze, M., Feigenbaum, J., Ioannidis, J., Keromytis, A.: ietf.org, the KeyNote trust management system (version 2). http://goo.gl/Bpfn0 (1999)

  8. Bobba, R., Fatemieh, O., Khan, F., Gunter, C.A., Khurana, H.: Using attribute-based access control to enable attribute-based messaging. In: Proceedings of the 22nd Annual Computer Security Applications Conference, ACSAC’06, Miami Beach, pp. 403–413. IEEE Computer Society, Washington, DC (2006). doi:10.1109/ACSAC.2006.53

    Google Scholar 

  9. Bonatti, P.A., Samarati, P.: A uniform framework for regulating service access and information release on the web. J. Comput. Secur. 10(3), 241–271 (2002)

    Google Scholar 

  10. Braynov, S., Sandholm, T.: Trust revelation in multiagent interaction. In: CHI 2002 Workshop on the Philosophy and Design of Socially Adept Technologies, Minneapolis, pp. 57–60 (2002)

    Google Scholar 

  11. Brucker, A.D., Petritsch, H.: Extending access control models with break-glass. In: Proceedings of the 14th ACM Symposium on Access Control Models and Technologies, SACMAT’09, Stresa, pp. 197–206. ACM, New York (2009). doi:10.1145/1542207.1542239

    Google Scholar 

  12. Chadwick, D.W., Otenko, A., Ball, E.: Role-based access control with X.509 attribute certificates. IEEE Internet Comput. 7(2), 62–69 (2003). doi:10.1109/MIC.2003.1189190

    Google Scholar 

  13. Chakraborty, S., Ray, I.: TrustBAC: integrating trust relationships into the RBAC model for access control in open systems. In: Proceedings of the 11th ACM Symposium on Access Control Models and Technologies, SACMAT’06, Lake Tahoe, pp. 49–58. ACM, New York (2006). doi:10. 1145/1133058.1133067

    Google Scholar 

  14. Chandran, S.M., Joshi, J.B.D.: LoT-RBAC: a location and time-based RBAC model. In: Proceedings of the 6th International Conference on Web Information Systems Engineering, WISE’05, New York, pp. 361–375. Springer, Berlin/Heidelberg (2005). doi:10.1007/11581062_ 27

    Google Scholar 

  15. Chen, L., Crampton, J.: On spatio-temporal constraints and inheritance in role-based access control. In: Proceedings of the 2008 ACM Symposium on Information, Computer and Communications Security, ASIACCS’08, Tokyo, pp. 205–216. ACM, New York (2008). doi:10.1145/1368310. 1368341

    Google Scholar 

  16. Cheng, P.C., Rohatgi, P., Keser, C., Karger, P.A., Wagner, G.M., Reninger, A.S.: Fuzzy multi-level security: an experiment on quantified risk-adaptive access control. In: Proceedings of the 2007 IEEE Symposium on Security and Privacy, SP’07, Oakland, pp. 222–230. IEEE Computer Society, Washington, DC (2007). doi:10.1109/SP.2007.21

    Google Scholar 

  17. Cohen, E., Thomas, R.K., Winsborough, W., Shands, D.: Models for coalition-based access control (CBAC). In: Proceedings of the 7th ACM Symposium on Access Control Models and Technologies, SACMAT’02, Monterey, pp. 97–106. ACM, New York (2002). doi:10.1145/507711. 507727

    Google Scholar 

  18. Covington, M.J., Long, W., Srinivasan, S., Dev, A.K., Ahamad, M., Abowd, G.D.: Securing context-aware applications using environment roles. In: Proceedings of the 6th ACM Symposium on Access Control Models and Technologies, SACMAT’01, Chantilly, pp. 10–20. ACM, New York (2001). doi:10.1145/373256.373258

    Google Scholar 

  19. Covington, M.J., Fogla, P., Zhan, Z., Ahamad, M.: A context-aware security architecture for emerging applications. In: Proceedings of the 18th Annual Computer Security Applications Conference, ACSAC’02, Las Vegas. IEEE Computer Society, Washington, DC (2002)

    Google Scholar 

  20. Coyne, E.J.: Role engineering. In: Proceedings of the 1st ACM Workshop on Role-Based Access Control, RBAC’95, Gaithersburg. ACM, New York (1996). doi:10.1145/270152.270159

    Google Scholar 

  21. Damiani, M.L., Bertino, E., Catania, B., Perlasca, P.: GEO-RBAC: a spatially aware RBAC. ACM Trans. Inf. Syst. Secur. 10(1) (2007). doi:10.1145/1210263.1210265

    Google Scholar 

  22. Edjlali, G., Acharya, A., Chaudhary, V.: History-based access control for mobile code. In: Proceedings of the 5th ACM Conference on Computer and Communications Security, CCS’98, San Francisco, pp. 38–48. ACM, New York (1998). doi:10.1145/288090.288102

    Google Scholar 

  23. fas.org: DOD 5200-28-STD: trusted computer system evaluation criteria. http://goo.gl/L0fUw (1985)

  24. Ferraiolo, D., Kuhn, R.: Role-based access controls. In: Proceedings of the 15th NIST-NCSC National Computer Security Conference, Baltimore, pp. 554–563 (1992)

    Google Scholar 

  25. Ferraiolo, D.F., Sandhu, R., Gavrila, S., Kuhn, D.R., Chandramouli, R.: Proposed NIST standard for role-based access control. ACM Trans. Inf. Syst. Secur. 4(3), 224–274 (2001). doi:10.1145/501978.501980

    Article  Google Scholar 

  26. Franco, L., Sahama, T., Croll, P.: Security enhanced Linux to enforce mandatory access control in health information systems. In: Proceedings of the 2nd Australasian Workshop on Health Data and Knowledge Management, HDKM’08, Wollongong, pp. 27–33. Australian Computer Society, Inc., Darlinghurst (2008)

    Google Scholar 

  27. Frank, M., Basin, D., Buhmann, J.M.: A class of probabilistic models for role engineering. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS’08, Alexandria, pp. 299–310. ACM, New York (2008). doi:10.1145/1455770.1455809

    Google Scholar 

  28. Georgiadis, C.K., Mavridis, I., Pangalos, G., Thomas, R.K.: Flexible team-based access control using contexts. In: Proceedings of the 6th ACM Symposium on Access Control Models and Technologies, SACMAT’01, Chantilly, pp. 21–27. ACM, New York (2001). doi:10.1145/373256. 373259

    Google Scholar 

  29. Harrington, A., Jensen, C.: Cryptographic access control in a distributed file system. In: Proceedings of the 8th ACM Symposium on Access Control Models and Technologies, SACMAT’03, Como, pp. 158–165. ACM, New York (2003). doi:10.1145/775412.775432

    Google Scholar 

  30. Hu, V., Ferraiolo, D.F., Kuhn, D.R.: Assessment of access control systems. Interagency report 7316, National Institute of Standards and Technology (NIST) (2006)

    Google Scholar 

  31. Jin, S., Ahn, J., Cha, S., Huh, J.: Architectural support for secure virtualization under a vulnerable hypervisor. In: Proceedings of the 44th Annual IEEE/ACM International Symposium on Microarchitecture, MICRO’11, Porto Alegre, pp. 272–283. ACM, New York (2011). doi:10. 1145/2155620.2155652

    Google Scholar 

  32. Joshi, J.B.D., Shafiq, B., Ghafoor, A., Bertino, E.: Dependencies and separation of duty constraints in GTRBAC. In: Proceedings of the Eighth ACM Symposium on Access Control Models and Technologies, SACMAT’03, Como, pp. 51–64. ACM, New York (2003). doi:10.1145/ 775412.775420

    Google Scholar 

  33. Joshi, J.B.D., Bertino, E., Latif, U., Ghafoor, A.: A generalized temporal role-based access control model. IEEE Trans. Knowl. Data Eng. 17(1), 4–23 (2005). doi:10.1109/TKDE.2005.1

    Article  Google Scholar 

  34. Kandala, S., Sandhu, R., Bhamidipati, V.: An attribute based framework for risk-adaptive access control models. In: Proceedings of the 6th International Conference on Availability, Reliability and Security, ARES’11, Vienna, pp. 236–241. IEEE Computer Society, Washington, DC (2011). doi:10.1109/ARES.2011.41

    Google Scholar 

  35. Kumaraswamy, S., Lakshminarayanan, S., Reiter, M., Stein, J., Wilson, Y.: cloudsecurityalliance.org, domain 12: guidance for identity & access management v2.1. http://goo.gl/Nnjg1 (2010)

  36. Li, N., Mitchell, J.C.: DATALOG with constraints: a foundation for trust management languages. In: Proceedings of the 5th International Symposium on Practical Aspects of Declarative Languages, PADL’03, New Orleans, pp. 58–73. Springer, London (2003)

    Google Scholar 

  37. Li, N., Mitchell, J.C.: RT: a role-based trust management framework. In: Proceedings of the 3rd DARPA Information Survivability Conference and Exposition, Washington DC, vol. 1, pp. 201–212 (2003)

    Google Scholar 

  38. Li, N., Mitchell, J.C., Winsborough, W.H.: Design of a role-based trust-management framework. In: Abadi, M., Bellovin, S. (eds.) Proceedings of the 23rd IEEE Symposium on Security and Privacy, SP’02, Oakland, pp. 114–130. IEEE Computer Society, Washington, DC (2002)

    Google Scholar 

  39. Marinovic, S., Craven, R., Ma, J., Dulay, N.: Rumpole: a flexible break-glass access control model. In: Proceedings of the 16th ACM Symposium on Access Control Models and Technologies, SACMAT’11, Innsbruck, pp. 73–82. ACM, New York (2011). doi:10.1145/1998441. 1998453

    Google Scholar 

  40. McGraw, R.W.: Risk-adaptable access control. In: Proceedings of the 1st NIST Privilege Management Workshop, Gaithersburg (2009)

    Google Scholar 

  41. Mell, P., Grance, T.: nist.gov, NIST special publication 800-145: the NIST definition of cloud computing. http://goo.gl/eBGBk (2011)

  42. oasis-open.org: XACML language proposal, version 0.8. http://goo.gl/CXnLq (2002)

  43. Ray, I., Toahchoodee, M.: A spatio-temporal role-based access control model. In: The 21st Annual IFIP TC-11 WG 11.3 Working Conference on Data and Applications Security, Redondo Beach, pp. 211–226. Springer, Berlin/Heidelberg (2007)

    Google Scholar 

  44. Ray, I., Toahchoodee, M.: A spatio-temporal access control model supporting delegation for pervasive computing applications. In: Proceedings of the 5th International Conference on Trust, Privacy and Security in Digital Business, TrustBus’08, Turin, pp. 48–58. Springer, Berlin/Heidelberg (2008). doi:10.1007/978-3-540-85735-8_6

  45. Ray, I., Kumar, M., Yu, L.: LRBAC: a location-aware role-based access control model. In: Proceedings of the 2nd International Conference on Information Systems Security, ICISS’06, Kolkata, pp. 147–161. Springer, Berlin/Heidelberg (2006). doi:10.1007/11961635_10

  46. Ristenpart, T., Tromer, E., Shacham, H., Savage, S.: Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS’09, Chicago, pp. 199–212. ACM, New York (2009). doi:10.1145/1653662.1653687

  47. Ruj, S., Stojmenovic, M., Nayak, A.: Privacy preserving access control with authentication for securing data in clouds. In: Proceedings of the 12th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, CCGRID’12, Ottawa, pp. 556–563. IEEE Computer Society, Washington, DC (2012). doi:10.1109/CCGrid.2012.92

    Google Scholar 

  48. Sampemane, G., Naldurg, P., Campbell, R.H.: Access control for active spaces. In: Proceedings of the 18th Annual Computer Security Applications Conference, ACSAC’02, Las Vegas, pp. 343–352. IEEE Computer Society, Washington, DC (2002)

    Google Scholar 

  49. Samuel, A., Ghafoor, A., Bertino, E.: A framework for specification and verification of generalized spatio-temporal role-based access control model. Technical report CERIAS TR 2007–08, Purdue University (2007)

    Google Scholar 

  50. Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. IEEE Comput. 29(2), 38–47 (1996). doi:10.1109/ 2.485845

    Article  Google Scholar 

  51. Tassanaviboon, A., Gong, G.: OAuth and ABE based authorization in semi-trusted cloud computing: aauth. In: Proceedings of the 2nd International Workshop on Data Intensive Computing in the Clouds, DataCloud-SC’11, Seattle, pp. 41–50. ACM, New York (2011). doi:10. 1145/2087522.2087531

    Google Scholar 

  52. Thomas, R.K.: Team-based access control (TMAC): a primitive for applying role-based access controls in collaborative environments. In: Proceedings of the 2nd ACM Workshop on Role-Based Access Control, RBAC’97, Fairfax, pp. 13–19. ACM, New York (1997). doi:10.1145/ 266741.266748

    Google Scholar 

  53. Toahchoodee, M., Ray, I.: On the formal analysis of a spatio-temporal role-based access control model. In: Proceeedings of the 22nd Annual IFIP WG 11.3 Working Conference on Data and Applications Security, London, pp. 17–32. Springer, Berlin/Heidelberg (2008). doi:10.1007/978-3-540-70567-3_2

  54. van den Akker, T., Snell, Q.O., Clement, M.J.: The YGuard access control model: set-based access control. In: Proceedings of the 6th ACM Symposium on Access Control Models and Technologies, SACMAT’01, Chantilly, pp. 75–84. ACM, New York (2001). doi:10.1145/373256. 373268

    Google Scholar 

  55. Wang, Q., Jin, H.: Data leakage mitigation for discretionary access control in collaboration clouds. In: Proceedings of the 16th ACM Symposium on Access Control Models and Technologies, SACMAT’11, Innsbruck, pp. 103–112. ACM, New York (2011). doi:10.1145/1998441. 1998457

    Google Scholar 

  56. Ya-Jun, G., Fan, H., Qing-Guo, Z., Rong, L.: An access control model for ubiquitous computing application. In: Proceedings of the 2nd International Conference on Mobile Technology, Applications and Systems, Guangzhou, pp. 1–6 (2005)

    Google Scholar 

Download references

Acknowledgements

This material is based upon work partially supported by the Air Force Office of Scientific Research (AFOSR)/the Air Force Research Laboratory (AFRL) Visiting Faculty Research Program (VFRP) extension grant LRIR 11RI01COR. The authors would like to thank Mr. John Graniero, AFRL Information Institute Director, for support for this research and the CyberBAT team members for their suggestions and comments. The views and conclusions contained in this document are those of the authors and should not be automatically interpreted as representing official policies, either expressed or implied, of the Air Force Research Laboratory or other federal government agencies.

Author information

Authors and Affiliations

  1. Colorado State University, Fort Collins, CO, USA

    Indrajit Ray & Indrakshi Ray

Authors
  1. Indrajit Ray
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Indrakshi Ray
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Indrajit Ray .

Editor information

Editors and Affiliations

  1. Air Force Research Laboratory, Rome, New York, USA

    Keesook J. Han

  2. School of Computing and Engineering, University of Missouri - Kansas City, Kansas City, Missouri, USA

    Baek-Young Choi

  3. Department of Engineering Technology The Dwight Look College of Engineering, Texas A&M University, College Station, Texas, USA

    Sejun Song

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer Science+Business Media New York

About this chapter

Cite this chapter

Ray, I., Ray, I. (2014). Trust-Based Access Control for Secure Cloud Computing. In: Han, K., Choi, BY., Song, S. (eds) High Performance Cloud Auditing and Applications. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-3296-8_8

Download citation

  • DOI: https://doi.org/10.1007/978-1-4614-3296-8_8

  • Published:

  • Publisher Name: Springer, New York, NY

  • Print ISBN: 978-1-4614-3295-1

  • Online ISBN: 978-1-4614-3296-8

  • eBook Packages: EngineeringEngineering (R0)

Publish with us

Policies and ethics

Search

Navigation