
A Formal Approach for the Identification of Authorization Policy Conflicts within Multi-Cloud Environments

Published in: Journal of Grid Computing

Abstract

The use of Cloud computing has been constantly on the rise. The flexible billing model, coupled with elastic resource provisioning, makes the Cloud appealing to consumers. However, there are still many challenges associated with the Cloud that limit its adoption, such as vendor lock-in and security concerns. One way to address some of these challenges is to use services from more than one Cloud provider. This may help in avoiding vendor lock-in and also allows the use of resources available at multiple Clouds. Multi-cloud environments can also assist in Cloud bursting, where a workload in a private cloud bursts into a public cloud when the need arises. However, the security concerns in such an environment are amplified when compared to a single Cloud. In this paper we address the specification and consistency management of authorization policies in Multi-Cloud environments. The problem being addressed is significant, as an erroneous authorization policy can have severe consequences for the security of the system being protected. In a Multi-Cloud environment, it is difficult to ensure consistency when different Clouds have different authorization models, different implementations of the same authorization model, and different access control policies. To this end, we have proposed a formal Event-Calculus based model of the aggregated authorization policies from multiple Cloud providers. The translated Event-Calculus models are then reasoned upon to identify policy conflicts. We have applied our approach to authorization policies from AWS, GCP and Microsoft Azure. Further, we have provided tool support to automate the complete verification process and detailed performance evaluation results that justify the practicality and scalability of the proposed approach.


Availability of data and materials

The datasets generated during and/or analyzed during the current study are available from the corresponding author on reasonable request.


Acknowledgments

We would like to thank AWS educate for providing AWS Credits for carrying out this research.


Corresponding author

Correspondence to Ehtesham Zahoor.

Ethics declarations


Competing interests

The authors declare that they have no competing interests.


Cite this article

Zahoor, E., Ikram, A., Akhtar, S. et al. A Formal Approach for the Identification of Authorization Policy Conflicts within Multi-Cloud Environments. J Grid Computing 20, 18 (2022). https://doi.org/10.1007/s10723-022-09606-1
