Cluster Computing

, Volume 22, Supplement 3, pp 6111–6122 | Cite as

Survey of access control models and technologies for cloud computing

  • Fangbo CaiEmail author
  • Nafei Zhu
  • Jingsha He
  • Pengyu Mu
  • Wenxin Li
  • Yi Yu


Access control is an important measure for the protection of information and system resources to prevent illegitimate users from getting access to protected objects and legitimate users from attempting to access the objects in ways that exceed what they are allowed. The restriction placed on access from a subject to an object is determined by the access policy. With the rapid development of cloud computing, cloud security has increasingly become a common concern and should be dealt with seriously. In this paper, we survey access control models and policies in different application scenarios, especially for cloud computing, by following the development of the internet as the main line and by examining different network environments and user requirements. Our focus in the survey is on the relationships among different models and technologies along with the application scenarios as well as the pros and cons of each model. Special attention will be placed on access control for cloud computing, which is reflected in the summaries of the access control models and methods. We also identify some emerging issues of access control and point out some future research directions for cloud computing.


Access control Cloud security Access control strategy Access control model 



The work in this paper has been supported by National Natural Science Foundation of China (61602456) and National High Technology Research and Development Program of China (863 Program) (2015AA017204).


  1. 1.
    Li, F.H., Xiong, J.B.: Access control technology for complex network environment. The people’s mail and telecommunications press (2015)Google Scholar
  2. 2.
    Bell, D.E., LaPadula, L.J.: Secure computer system: unified exposition and multics interpretation. DTIC Document, Mitre Corp Bedford MA, USA (1976)Google Scholar
  3. 3.
    Sandhu, R., Coyne, E.J., Feinstein, H.L., et al.: Role-based access control models. Computer 29(2), 38–47 (1996)Google Scholar
  4. 4.
    Sandhu, R., Bhamidipati, V., Munawer, Q.: The ARBAC97 mode for role-based administration of roles. ACM Trans. Inf. Syst. Secur. (TISSEC) 2(1), 105–135 (1999)Google Scholar
  5. 5.
    Sandhu, R., Munawer, Q.: The ARBAC99 model for administration of roles. In: Proceedings of 15th Annual Computer Security Applications Conference, pp. 229–238. IEEE, New York, NY, USA (1999)Google Scholar
  6. 6.
    Oh, S., Sandhu, R., Zhang, X.: An effective role administration model using organization structure. ACM Trans. Inf. Syst. Secur. (TISSEC) 9(2), 113–137 (2006)Google Scholar
  7. 7.
    Ferraiolo, D.F., Sandhu, R., Gavrila, S., et al.: Proposed NIST standard for role-based access control. ACM Trans. Inf. Syst. Secur. (TISSEC) 4(3), 224–274 (2001)Google Scholar
  8. 8.
    Thomas, R.K., Sandhu, R.: Task-based authorization controls (TBAC): a family of models for active and enterprise-oriented authorization management. In: Proceedings of the IFIP TC11 WG11.3 Eleventh International Conference on Database Security XI: Status and Prospects, pp. 166–181. Chapman & Hall, Ltd., London, UK (1998)Google Scholar
  9. 9.
    Oh, S., Park, S.: Task-role-based access control model. Inf. Syst. 28(6), 533–562 (2003)zbMATHGoogle Scholar
  10. 10.
    Zhu, J.: Research on Group Perception and Access Control Technology in Role Coordination. College of computer science, Zhongshan University, Guangzhou (2009)Google Scholar
  11. 11.
    Bertino, E., Ferrari, E., Atluri, V.: The specification and enforcement of authorization constraints in workflow management systems. ACM Trans. Inf. Syst. Secur. 2(1), 65–104 (1999)Google Scholar
  12. 12.
    Knorr, K.: Dynamic access control through Petri net workflows. In: 16th Annual Conference on Computer Security Applications, pp. 159–167 (2000)Google Scholar
  13. 13.
    Botha, R.A., Eloff, J.H.P.: Designing role hierarchies for access control in workflow systems. In: Proceedings of the 25th International Computer Software and Applications Conference, pp. 117–122. IEEE Computer Society, Washington, DC, USA (2001)Google Scholar
  14. 14.
    Curry, S., Darbyshire, J., Fisher, D.W., Hartman, B., Herrod, S., Kumar, V., Martins, F. et al.: Infrastructure security: getting to the bottom of compliance in the cloud. The Security Division of EMC (2010)Google Scholar
  15. 15.
    Kaur, P.J., Kaushal, S.: Security concerns in cloud computing. In: Proceedings of the HPAGC 2011. CCIS, vol. 169, pp. 103–112(2011)Google Scholar
  16. 16.
    Shen, H.B., Hong, F.: Review of access control model. Appl. Res. Comput. 22(6), 9–11 (2005)Google Scholar
  17. 17.
    Han, D.J., Gao, J., Zhai, H.L., et al.: Research progress of access control model. Comput. Sci. 37(11), 29–33 (2010)Google Scholar
  18. 18.
    Lampson, B.W.: A scheduling philosophy for multiprocessing systems. Commun. ACM 11(5), 347–360 (1968)zbMATHGoogle Scholar
  19. 19.
    Luo, Y., Wu, Z.H.: A new method of access control policy descriptive language and its authorization. J. Comput. 1-18 (2017)Google Scholar
  20. 20.
    Cantor, S., Moreh, J., Philpott, R., Maler, E.: Metadata for the OASIS security assertion markup language (SAML) V2.0. OASIS Open, (2005)Google Scholar
  21. 21.
    Gary, C., Sun, M.: OASIS service provisioning markup language (SPML) versions 2.0. OASIS Open (2006)Google Scholar
  22. 22.
    Erik, R., Axiomatics, B.: OASIS extensible access control markup language (XACML) versions 3.0. OASIS Open (2013)Google Scholar
  23. 23.
    Lv, S., Liu, L., Shi, L., et al.: Intelligent planning method based on automatic reasoning technology. J. Softw. 20(5), 1226–1240 (2009)MathSciNetGoogle Scholar
  24. 24.
    Li, N., Tripunitaram, V.: Security analysis in role based access control. ACM Trans. Inf. Syst. Secur. 9(4), 391–420 (2006)Google Scholar
  25. 25.
    Lin, B.G.: Analysis of extended information system security domain model. J. Commun. 9–14 (2009)Google Scholar
  26. 26.
    Ye, Y., Lu, T., et al.: Triple helix model and its quantitative analysis methods. China Soft Sci. 11, 131–139 (2014)Google Scholar
  27. 27.
    Liu, Q.: Role-based access control techniques, South China University of technology press, pp. 55–60 (2010)Google Scholar
  28. 28.
    He, Z., Tian, J., Zhang, Y.: Style refinement and detection improvement of policy conflict. J. Jilin Univ. 25(3), 287–293 (2005). (in Chinese)Google Scholar
  29. 29.
    Yao, J., Mao, B., Xie, L.: A DAG-based security policy conflicts detection method. J. Comput. Res. Dev. 42(7), 1108–1114 (2005). (in Chinese)Google Scholar
  30. 30.
    Lupu, E.C., Sloman, M.: Conflicts in policy based distributed systems management. IEEE Trans. Softw. Eng. 25(6), 852–869 (1999)Google Scholar
  31. 31.
    Cholvy, L., Cuppens, F.: Analyzing consistency of security policies. IEEE Symposium on Security & Privacy, IEEE, pp. 103–112 (1997)Google Scholar
  32. 32.
    Li, X., Meng, L., Jiao, L.: Problems in results of policy conflict resolutions and detection and resolution methods in network management systems. J. Comput. Res. Dev. 43(7), 1297–1303 (2006). (in Chinese)Google Scholar
  33. 33.
    Li, R.X., Lu, J.F., Li, T.Y., et al.: A method of inconsistency conflict resolution for access control strategy. J. Comput. 36(06), 1210–1223 (2013)Google Scholar
  34. 34.
    Lu, J.F., Yan, X., Peng, H., Han, J.M.: An optimized strategy for inconsistent conflict resolution. J. Huazhong Univ.Sci.Technol. 42(11), 106–111 (2014)Google Scholar
  35. 35.
    Feng, D.G., Zhang, M., Zhang, Y.: The security research of cloud computing. J. Softw. 22(1), 71–83 (2011)Google Scholar
  36. 36.
    Bertino, E., Ferrari, E., Atluri, V.: The specification and enforcement of authorization constraints in workflow management systems. ACM Trans. Inf. Syst. Secur. 2(1), 65–104 (1999)Google Scholar
  37. 37.
    Thomas, R.K., Sandhu, R.: Task-based authorization controls (TBAC): a family of models for active and enterprise oriented authorization management. In: Proceedings of the 11th IFIP WG11.3 Conference on Database Security, pp. 166–181. Lake Tahoe (1997)Google Scholar
  38. 38.
    Li, F.H., Su, M., Shi, G.Z., Ma, J.F.: Research status and development trends of access control model. Chin. J. Electron. 40(4), 805–813 (2012). (in Chinese with English abstract)Google Scholar
  39. 39.
    Botha, R.A., Eloff, J.H.P.: Designing role hierarchies for access control in workflow system. The 25th Annual International Computer Software and Applications Conference Chicago, pp. 117–122 (2001)Google Scholar
  40. 40.
    Wang, X.W., Zhao, Y.M.: A task-role-based access control model for cloud computing. Comput. Eng. 38(24), 9–13 (2012)Google Scholar
  41. 41.
    Deng, J.B., Hong, F.: Task-based access control model. J. Softw. 14(1), 76–96 (2003)zbMATHGoogle Scholar
  42. 42.
    Park, S.: Task role based access control: an improved access control model for enterprise environment. The 11th International Conference in Database and Expert Systems Applications. pp. 264–273. London (2000)Google Scholar
  43. 43.
    Androulaki, E., Soriente, C., Malisa, L. et al.: Enforcing location and time based access control on cloud stored data. The 34th International Conference on Distributed Computing systems. pp. 637–648 (2014)Google Scholar
  44. 44.
    Li, F.H., Wang, W., Ma, J.F., et al.: Action based access control model. Chin. J. Electron. 17(3), 396–401 (2008)Google Scholar
  45. 45.
    Li, F.H., Wang, W., Ma, J.F., et al.: Action based access control model and its behavior management. J. Electron. 36(10), 1881–1890 (2008)Google Scholar
  46. 46.
    Li, F.H., Wang, W., Ma, J.F., et al.: The access control model of cooperative information system and its application. J. Commun. 29(9), 116–123 (2008)Google Scholar
  47. 47.
    Li, F.H., Wang, W., Ma, J.F., et al.: Action based access control for web services. The 5th International Conference on Information Assurance and Security, pp. 637-642. Xi’an, (2009)Google Scholar
  48. 48.
    Lin, G.Y., He, S., Huang, H., Wu, J.Y., Chen, W.: Access control security model based on behavior in cloud computing environment. J. Commun. 33(3), 59–66 (2012)Google Scholar
  49. 49.
    Yuan, E., Tong, J., Zhao, Z.: Attributed based access control (ABAC) for web services. The IEEE International Conference on Web Services, Orlando, Florida. pp. 561–569 (2005)Google Scholar
  50. 50.
    Wang, X.M., Fu, H., Zhang, C.L.: Research progress on properties based access control. J. Electron. 38(07), 1660–1667 (2010)Google Scholar
  51. 51.
    Ei, E.M., Thinn, T.N.: The privacy-aware access control system using attribute-and role-based access control in private cloud. Proceedings of the 2011 4th IEEE IC-BNMT. pp. 447–451 (2011)Google Scholar
  52. 52.
    Parkark, J., Sandhu, R.: Towards usage control models: Beyond traditional access control. Proceedings of the 7th ACM Symposium on Access Control Models and Technologies, pp. 57–64. ACM press, Monterey California (2002)Google Scholar
  53. 53.
    Chu, X.B., Qin, Y.: A distributed control system based on trusted computing. J. Comput. 33(1), 93–102 (2010)Google Scholar
  54. 54.
    Tavizi, T., Shajari, M., Dodangeh, P.: A usage control based architecture for cloud environments. Parallel and Distributed Processing Symposium Workshops & PhD Forum (IPDPSW), 2012 IEEE 26th International. pp. 1534–1539, IEEE (2012)Google Scholar
  55. 55.
    Park, J., Sandhu, R.: The UCON ABC usage control model. ACM Trans. Inf. Syst. Secur. 7(1), 128–174 (2004)Google Scholar
  56. 56.
    Mounira, M., Rached, A., Ahmed, S.: Access control in probative value cloud. In: Proceedings of the 8th International Conference for Internet Technology and Secured Transactions (2013)Google Scholar
  57. 57.
    Park, J., Zhang, X.W., Sandhu, R.: Attribute mutability in usage control. In: Proceedings of the Annual IFIP WG Working Conference on Data and Applications Security, pp. 15-29 (2004)Google Scholar
  58. 58.
    Zhang, X.W., Nakae, M., Covington, M.J., et al.: Toward a usage-based security framework for collaborative computing systems. ACM Trans. Inf. Syst. Secur. 11(1), 1–36 (2008)Google Scholar
  59. 59.
    Park, J.: Usage Control: A Unified Framework for Next Generation Access Control. George Mason University, Virginia (2003)Google Scholar
  60. 60.
    Zhang, X.W., Parisi-Presicce, F., Sandhu, R., et al.: Formal model and policy specification of usage control. ACM Trans. Inf. Syst. Secur. 8(4), 35–87 (2005)Google Scholar
  61. 61.
    Dong, Q.X., Guan, Z., Chen, Z.: An overview of computational cryptography on cryptographic data. Appl. Res. Comput. 33(09), 2561–2572 (2016)Google Scholar
  62. 62.
    Vipul, G., Amit, S., Omkant, P., Brent, W.: Attribute-based encryption for fine-grained access control of encrypted data. In: Proceedings of the ACM Conference on Computer and Communications Security. pp. 89-98 (2006)Google Scholar
  63. 63.
    Ostrovsky, R., Sahai, A., Waters, B.: Attribute-Based encryption with non-monotonic access structures. In: Proceedings of the 14th ACM Conference on Computer and Communications Security. pp. 1–17. ACM Press, New York (2007)Google Scholar
  64. 64.
    Attrapadung, N., Imai, H.: Conjunctive broadcast and attribute-based encryption. In: Shacham, H., Waters, B. (eds.) Pairing-Based Cryptography-Pairing 2009, pp. 248–265. Springer-Verlag, Berlin (2009)zbMATHGoogle Scholar
  65. 65.
    Shu, J.S., Cao, D., Wang, X.F.: Attribute based encryption mechanism. J. Softw. 22(6), 1299–1315 (2011)MathSciNetzbMATHGoogle Scholar
  66. 66.
    Xiong, J.B., Yao, Z.Q., Ma, J.F., et al.: A portfolio document model and access control scheme in a cloud computing environment. J. Xi’an Jiao Tong Univ. 48(2), 25–31 (2014)Google Scholar
  67. 67.
    Liu, X., Zhang, Y., Wang, B.: Mona: secure multi-owner data sharing for dynamic groups in the cloud. IEEE Trans. Parallel Distrib. Syst. 24(6), 1182–1192 (2013)Google Scholar
  68. 68.
    Chen, S.H., Chen, R.J.: Dealer less multi server timed release encryption scheme with privacy preserving encoding. The Second International Conference on Information Security and Digital Forensics, p. 1 (2005)Google Scholar
  69. 69.
    Unruh, D.: Revocable quantum timed release encryption. The 33th Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 129–146. Springer Verlag, Copenhagen, Heidelberg (2014)Google Scholar
  70. 70.
    Zhou, L., Varadharajan, V., Hitchens, M.: Enforcing role based access control for secure data storage in the cloud. Comput. J. 54(10), 1675–1687 (2011)Google Scholar
  71. 71.
    Zhu, Y., Hu, H.X., et al.: Provably secure role based encryption with revocation mechanism. J. Comput. Sci. Technol. 26(4), 697–710 (2011)MathSciNetzbMATHGoogle Scholar
  72. 72.
    Shamir, A.: Identity Based Crypto Systems and Signature Schemes. CRYPTO 84 on Advances in Cryptology. Springer Verlag, New York (1985)Google Scholar
  73. 73.
    Sahai, A., Waters, B.: Fuzzy identity based encryption. The 24th Annual International Conference on Theory and Applications of Cryptographic Techniques, pp. 457–473. Springer Verlag, Berlin Heidelberg (2005)Google Scholar
  74. 74.
    Wang, Y.D., Yang, J.H., Xu, C., et al.: Survey on access control technologies for cloud computing. J. Softw. 26(5), 1129–1150 (2015)MathSciNetGoogle Scholar

Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2018

Authors and Affiliations

  • Fangbo Cai
    • 1
    Email author
  • Nafei Zhu
    • 1
  • Jingsha He
    • 1
  • Pengyu Mu
    • 1
  • Wenxin Li
    • 1
  • Yi Yu
    • 1
  1. 1.Faculty of Information TechnologyBeijing University of TechnologyBeijingChina

Personalised recommendations