Journal of Grid Computing, Volume 10, Issue 1, pp 151–172

City on the Sky: Extending XACML for Flexible, Secure Data Sharing on the Cloud

  • Tien Tuan Anh Dinh
  • Wang Wenqiang
  • Anwitaman Datta


Sharing data from various sources and of diverse kinds, and fusing them together for sophisticated analytics and mash-up applications are emerging trends, and are prerequisites for realizing grand visions such as that of cyber-physical systems enabled smart cities. Cloud infrastructure can enable such data sharing both because it can scale easily to an arbitrary volume of data and computation needs on demand, and because of the natural collocation of such diverse data sets within the infrastructure. However, in order to convince data owners that their data are well protected while being shared among cloud users, the cloud platform needs to provide flexible mechanisms for the users to express the constraints (access rules) subject to which the data should be shared, and likewise, enforce them effectively. We study a comprehensive set of practical scenarios where data sharing needs to be enforced by methods such as aggregation, windowed frame, value constraints, etc., and observe that existing basic access control mechanisms do not provide adequate flexibility to support effective data sharing in a secure and controlled manner. In this paper, we thus propose a framework for the cloud that extends the popular XACML model significantly by integrating flexible access control decisions and data access in a seamless fashion. We have prototyped the framework and deployed it on a commercial cloud environment for experimental runs to test the efficacy of our approach and evaluate the performance of the implemented prototype.


Cloud computing, Access control, Flexible sharing, Fine-grained policies, XACML





Copyright information

© Springer Science+Business Media B.V. 2012

Authors and Affiliations

  • Tien Tuan Anh Dinh (1)
  • Wang Wenqiang (1)
  • Anwitaman Datta (1)
  1. Nanyang Technological University, Singapore, Singapore
