Assisted Authoring, Analysis and Enforcement of Access Control Policies in the Cloud

Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 502)


The heterogeneity of cloud computing platforms hinders the proper exploitation of cloud technologies: it prevents interoperability, promotes vendor lock-in and makes it very difficult to exploit the well-engineered security mechanisms made available by cloud providers. In this paper, we introduce a technique to help developers specify and enforce access control policies in cloud applications. The main idea is twofold. First, use a high-level specification language with a formal semantics, so that access requests can be answered independently of the access control mechanism available in a particular cloud platform. Second, exploit an automated translation mechanism to compute (equivalent) policies that can be enforced in two of the most widely used cloud platforms: AWS and OpenStack. We illustrate the technique on a running example and report our experience with a prototype implementation.
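The two-step idea in the abstract (decide requests against an abstract, formally defined policy; then emit a platform policy and check that it decides the same way) can be made concrete with a small example. The following is an added illustration, not the paper's prototype or policy language: it assumes a toy attribute-based policy with deny-overrides combining, an assumed mapping of abstract actions to the IAM actions ec2:StartInstances and ec2:StopInstances, subject attributes carried as aws:PrincipalTag keys and resource attributes as aws:ResourceTag keys, and a deliberately simplified IAM evaluator (explicit Deny wins, otherwise an Allow is needed). The attribute domain is constructed data. The OpenStack side is not shown. The equivalence check is exhaustive over the finite domain, which is what makes a dropped deny rule (a typical mistake when the target mechanism is allow-only) observable as a concrete counterexample.

```python
"""Added example, not code from the paper: a toy ABAC policy with a
deny-overrides semantics, an assumed translation into an AWS IAM policy
document, and an exhaustive check that both sides decide every request
in a finite attribute domain the same way."""
import itertools
import json

# High-level policy. Each rule: (effect, action, subject_conditions,
# resource_conditions). A request is permitted iff at least one permit rule
# matches and no deny rule matches (deny-overrides; an assumption made here,
# not something taken from the paper).
ABAC_POLICY = [
    ("permit", "start", {"dept": "finance"}, {"class": "internal"}),
    ("permit", "stop",  {"dept": "finance", "role": "manager"}, {}),
    ("deny",   "stop",  {}, {"class": "archived"}),
]

# Finite attribute domain for the equivalence check (constructed data).
DOMAIN = {
    "dept":  ["finance", "hr"],
    "role":  ["manager", "analyst"],
    "class": ["internal", "archived", "public"],
}
ACTIONS = ["start", "stop"]

# Assumed mapping from abstract actions to IAM actions. EC2 is used because it
# supports both aws:PrincipalTag and aws:ResourceTag condition keys.
ACTION_MAP = {"start": "ec2:StartInstances", "stop": "ec2:StopInstances"}
RESOURCE_ARN = "arn:aws:ec2:*:*:instance/*"


def abac_decide(policy, action, subject, resource):
    """Decision under the abstract semantics (deny-overrides)."""
    def matches(rule):
        _, act, s_cond, r_cond = rule
        return (act == action
                and all(subject.get(k) == v for k, v in s_cond.items())
                and all(resource.get(k) == v for k, v in r_cond.items()))
    hits = [r for r in policy if matches(r)]
    if any(r[0] == "deny" for r in hits):
        return False
    return any(r[0] == "permit" for r in hits)


def to_iam(policy, keep_deny=True):
    """Translate rules into an IAM policy document: subject attributes become
    principal-tag conditions, resource attributes become resource-tag
    conditions, and deny rules become explicit Deny statements. With
    keep_deny=False the deny rules are silently dropped, which is the kind of
    lossy translation the equivalence check below is meant to catch."""
    statements = []
    for eff, act, s_cond, r_cond in policy:
        if eff == "deny" and not keep_deny:
            continue
        cond = {f"aws:PrincipalTag/{k}": v for k, v in s_cond.items()}
        cond.update({f"aws:ResourceTag/{k}": v for k, v in r_cond.items()})
        stmt = {"Effect": "Allow" if eff == "permit" else "Deny",
                "Action": ACTION_MAP[act], "Resource": RESOURCE_ARN}
        if cond:
            stmt["Condition"] = {"StringEquals": cond}
        statements.append(stmt)
    return {"Version": "2012-10-17", "Statement": statements}


def iam_decide(doc, action, principal_tags, resource_tags):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise an Allow is
    required, otherwise the request is implicitly denied. A StringEquals
    condition on a key absent from the request context is not satisfied."""
    keys = {f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()}
    keys.update({f"aws:ResourceTag/{k}": v for k, v in resource_tags.items()})
    allowed = False
    for st in doc["Statement"]:
        if st["Action"] != action:
            continue
        cond = st.get("Condition", {}).get("StringEquals", {})
        if all(keys.get(k) == v for k, v in cond.items()):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def counterexamples(policy, doc):
    """All requests in the finite domain on which the abstract policy and the
    translated IAM document disagree; an empty list means equivalence."""
    subj_keys, res_keys = ["dept", "role"], ["class"]
    bad = []
    for act in ACTIONS:
        for sv in itertools.product(*(DOMAIN[k] for k in subj_keys)):
            for rv in itertools.product(*(DOMAIN[k] for k in res_keys)):
                subject, resource = dict(zip(subj_keys, sv)), dict(zip(res_keys, rv))
                a = abac_decide(policy, act, subject, resource)
                b = iam_decide(doc, ACTION_MAP[act], subject, resource)
                if a != b:
                    bad.append((act, subject, resource, a, b))
    return bad


if __name__ == "__main__":
    doc = to_iam(ABAC_POLICY)
    print(json.dumps(doc, indent=2))
    print("disagreements (full translation):", counterexamples(ABAC_POLICY, doc))
    print("disagreements (deny rules dropped):",
          counterexamples(ABAC_POLICY, to_iam(ABAC_POLICY, keep_deny=False)))
```

Running the script prints the generated IAM document and two lists: the faithful translation has no disagreements, while the allow-only translation disagrees on exactly one request (a finance manager stopping an archived instance, which the abstract policy denies but the lossy IAM document allows). The check only has meaning because the evaluator encodes the semantics of the target mechanism; for a real deployment the same role is played by the platform's own policy simulator rather than by a hand-written evaluator.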


Keywords: Policy translation and validation; Attribute-based Access Control; Amazon AWS; OpenStack



Copyright information

© IFIP International Federation for Information Processing 2017

Authors and Affiliations

Fondazione Bruno Kessler, Trento, Italy
