Front. Comput. Sci., 2015, 9(2): 297–321
DOI 10.1007/s11704-014-3160-4
Cloud authorization: exploring techniques and approach towards effective access control framework
Rahat MASOOD, Muhammad Awais SHIBLI, Yumna GHAZI, Ayesha KANWAL, Arshad ALI
School of Electrical Engineering and Computer Science (SEECS), National University of Sciences and Technology (NUST),
Islamabad - 44000, Pakistan
© Higher Education Press and Springer-Verlag Berlin Heidelberg 2014
Abstract Despite the various attractive features that Cloud has to offer, the rate of Cloud migration is rather slow, primarily due to the serious security and privacy issues that exist in the paradigm. One of the main problems in this regard is that of authorization in the Cloud environment, which is the focus of our research. In this paper, we present a systematic analysis of the existing authorization solutions in Cloud and evaluate their effectiveness against well-established industrial standards that conform to the unique access control requirements in the domain. Our analysis can benefit organizations by helping them decide the best authorization technique for deployment in Cloud; a case study along with simulation results is also presented to illustrate the procedure of using our qualitative analysis for the selection of an appropriate technique, as per Cloud consumer requirements. From the results of this evaluation, we derive the general shortcomings of the extant access control techniques that are keeping them from providing successful authorization and, therefore, from being widely adopted by the Cloud community. To that end, we enumerate the features an ideal access control mechanism for the Cloud should have, and combine them to suggest the ultimate solution to this major security challenge: access control as a service (ACaaS) for the software as a service (SaaS) layer. We conclude that meticulous research is needed to incorporate the identified authorization features into a generic ACaaS framework that should be adequate for providing a high level of extensibility and security by integrating multiple access control models.
Received May 9, 2013; accepted July 1, 2014
E-mail: [email protected]
Keywords authorization, access control, software as a service, extensible access control markup language, identity & access management, cloud security
1 Introduction
Even with the advancement in technology, efficient storage and manipulation of large volumes of data on servers has become a major challenge for the industry. Adding more servers can decrease and distribute the load on individual servers; however, it increases the complexity of managing the servers and the data. Mismanagement of massive amounts of data can also produce inaccurate results that might cause server failures, unavailability, security breaches, integrity loss and other undesirable outcomes [1]. A lot of these issues have been alleviated by the emergence of the Cloud paradigm, which supports the processing of voluminous data using clusters of commodity hardware [2]. It allows organizations to leverage their IT services with enhanced agility, availability, scalability and storage capacity, not to mention the opportunity to reduce overall cost in achieving high throughput and tackling large-scale computation problems. However, since Cloud is still considered a nascent technology, it has many holes that need to be patched. Security in Cloud is one such critical problem, and it is the main reason why organizations hesitate to host their applications and store their data on the Cloud.
Unlike traditional computing environments, where data owners and consumers are in the same domain, providing security in the distributed and heterogeneous Cloud paradigm is a daunting challenge. The Cloud offers services to various organizations under the same umbrella, which raises security concerns, including secure data management, risk from malicious insiders, data segregation, misuse of data stored on third-party premises, and the confidentiality, integrity and availability of personal and business-critical information stored on Cloud [3, 4]. Even if Cloud service providers (CSPs) offer security controls on consumer data, there are still significant chances of misguided risk management that may cause Cloud service consumers (CSCs) to face unfavourable consequences. These challenges arise because the consumers lack control over the Cloud's security policies and therefore cannot verify the effectiveness of the security controls applied to their data or resources. Hence, security is a hot topic in the Cloud community, which requires further investigation and mitigation of prevailing security challenges to help ensure mass adoption of the paradigm [5, 6].
Of all the major concerns, we focus on risks and threats pertaining to access control management on the Software as a Service (SaaS) layer of Cloud computing, since it is a substantial obstacle for CSPs and CSCs [2, 3]. Cloud applications are accessed via the Internet, which dictates the need for strong security controls, particularly reliable and robust processes to grant access only to authorized users. In this regard, access control is considered one of the best options to mediate users' access to sensitive data [7]. Access control is an essential security feature that restricts unauthorized users' access to confidential data and resources. Figure 1 presents a high-level view of access control mechanisms in Cloud.
Fig. 1 Access control in Cloud environment
The origins of access control date back to 1969 [8], when the concept of subjects and objects was introduced. Lattice-based access control (LBAC) was initially introduced to control access by subjects to objects based on security levels assigned to every subject and object. However, LBAC models were not scalable and were restricted to specific scenarios. To overcome such limitations, traditional access control models were proposed, which are broadly classified into discretionary and mandatory access control models. In the discretionary access control (DAC) model, access restrictions are defined by the data owner, while in the mandatory access control (MAC) model, access rules are specified by the system [9, 10]. Sandhu et al. [11] proposed the notion of role-based access control (RBAC) for controlling access to enterprise resources. Since then, a number of access control models, such as attribute-based access control (ABAC) and task-based access control (TBAC), have been developed and enhanced for the protection of information systems, and each of these models defines access restrictions through different criteria. Despite the development of a variety of access control models, there remains room for further research and development in the area.
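To make the DAC/MAC distinction above concrete, here is an added example in Python (not code from the paper or from any of the surveyed systems): a lattice-based mandatory check in the Bell-LaPadula style, where the system fixes the rules from security levels and compartments, beside a discretionary per-object ACL that only the owner can change. The level ordering, compartment names, users and objects are constructed for the example.

```python
"""Added example (not from the paper): lattice-based MAC beside a DAC ACL.
The labels, users and objects below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set

# Assumed ordering of security levels; compartments form the other lattice dimension.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level at least as high AND compartments a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def mac_permits(clearance: Label, obj_label: Label, op: str) -> bool:
    """Mandatory rules fixed by the system (Bell-LaPadula style):
    read needs the subject's clearance to dominate the object ("no read up"),
    write needs the object's label to dominate the clearance ("no write down")."""
    if op == "read":
        return clearance.dominates(obj_label)
    if op == "write":
        return obj_label.dominates(clearance)
    return False


@dataclass
class DacObject:
    """Discretionary control: the owner decides who gets which operations."""
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)

    def grant(self, by: str, user: str, op: str) -> bool:
        if by != self.owner:          # only the owner may change the ACL
            return False
        self.acl.setdefault(user, set()).add(op)
        return True

    def permits(self, user: str, op: str) -> bool:
        return user == self.owner or op in self.acl.get(user, set())


def combined_permits(user: str, clearance: Label, obj_label: Label,
                     dac_obj: DacObject, op: str) -> bool:
    """When both models apply, the owner's ACL can never override the MAC rule."""
    return mac_permits(clearance, obj_label, op) and dac_obj.permits(user, op)


if __name__ == "__main__":
    secret_nuc = Label("secret", frozenset({"nuclear"}))
    conf = Label("confidential")
    report = DacObject(owner="alice")
    report.grant("alice", "bob", "read")
    print(mac_permits(secret_nuc, conf, "read"))    # True: reading down is allowed
    print(mac_permits(secret_nuc, conf, "write"))   # False: no write down
    print(combined_permits("bob", secret_nuc, conf, report, "read"))  # True
```

The point of `combined_permits` is the order of precedence: a discretionary grant by the owner is necessary but never sufficient, because the mandatory lattice check is evaluated first and cannot be relaxed by anyone below the system.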
Access control in Cloud is becoming a necessity, given the recent upsurge in the number of Cloud consumers. The traditional access control techniques can be implemented in the Cloud environment, since their working mechanisms are generic in nature and could be integrated as an intermediate entity with any type of enterprise application. Yet one of the major obstacles lies in the interpretation of the often complex and sometimes ambiguous Cloud environment security policies and their translation into well-defined and unambiguous rules enforceable by a CSP or CSC. Access control techniques must capture all the potential scenarios that might arise in order to ensure optimal protection of sensitive data. When users move their applications to Cloud, traditional access control mechanisms are no longer sufficient because the applications reside on untrusted networks (de-perimeterization). As Cloud offers services to numerous users that may be from within organizations or outside them, access levels must be segregated so as to ensure authorized access. The sensitivity level of applications also varies depending upon their operation and data usage; thus, Cloud customers must have the capability to incorporate the required access control mechanisms in their applications. Various access control systems have been developed so far; however, most of them are well suited only for static and centralized computing environments, where the set of service consumers and services is known beforehand [12]. These traditional access models have their limitations in highly distributed and dynamic computing environments, since they neither evaluate the privileges during the usage of a resource nor consider the essential environment attributes [13]. The access rights need to be pre-defined and assigned to subjects before executing any access control request [14, 15]. For a Cloud environment, it is essential to keep track of "who is using what and how much"; therefore, service delivery models should be extensible enough to incorporate the specific policies put forward by the organization. When access control solutions are implemented outside the local boundary of an organization, the management and applicability of these mechanisms become more complex and challenging. Employing existing enterprise directory services, such as the Lightweight Directory Access Protocol (LDAP), in Cloud typically fails to provide adequate access control, since they offer no support for the management of access control from Cloud service consumer endpoints. In addition, some organizations rely on manual provisioning and de-provisioning of users and applications in the Cloud, which adds to the administrative burden of IT staff.
Our research motivation and contribution focus on solving the aforementioned problems and holistically determining the authorization requirements of the Cloud environment, specifically the SaaS model. Abstractly, the issues to be covered include access management of resources by data owners, extensibility to formulate policies and rules for each user level, support for delegation of rights, dynamic specification of the entities involved in data sharing, etc. In this regard, the focal point of our research work is securely mediating CSCs' access to sensitive data. We have covered the holistic authorization requirements of the Cloud environment, especially for the SaaS model, and we qualitatively evaluate the extant relevant solutions based on certain NIST-defined factors. A case study of an electronic health record (EHR) system along with simulation results in NetLogo is presented to illustrate the step-by-step procedure of how organizations may use our qualitative analysis and NIST-defined parameters to select an appropriate authorization technique, as per their requirements. Based on our extensive analysis of authorization requirements and Cloud access control mechanisms, we provide a comprehensive access control management strategy for the SaaS layer of Cloud. Our proposed strategy is a leap towards the development of access control as a service (ACaaS), which stems from its significantly more popular parent, security as a service (SECaaS). Firstly, we have identified the key problems that are hindering the secure management of resources in Cloud. This identification further assists us in finding the corresponding key features that can mitigate the problems for the effective realization of an ACaaS strategy at the SaaS layer of Cloud computing. After thorough research, we come to the conclusion that a holistic ACaaS mechanism needs to be devised, which encompasses all the requisite security and managerial features, provides efficient and reliable access control to Cloud consumers, and complies with international standards. Furthermore, our review will assist the Cloud community in understanding the various challenges associated with providing authorization services in Cloud, which may be technical, such as privilege escalation and separation of duties, or managerial, like the steep requirement of time and uniformity.
The rest of the paper is organized as follows: Section 2 presents the Cloud challenges that need thorough research and effective solutions. Section 3 discusses the in-depth analysis of existing Cloud access control techniques, followed by a real-world case study in its subsection. Section 4 enumerates the main issues impeding the development of an effective access control mechanism and identifies the features needed to overcome these issues. Section 5 presents our future research directions to successfully execute these features in the form of a framework, and Section 6 concludes the paper.
2 Cloud security challenges
Although Cloud has gained a considerable amount of traction in the industry, it has many inherent issues that are yet to be solved satisfactorily, and IT experts are proactively working to that effect [16]. As data in Cloud is processed outside the influence of the enterprise, its security is a black hole for the CSCs [17]. To accelerate the trend of Cloud migration, CSCs need unequivocal answers to the following questions: "Is the physical and software infrastructure of CSPs secured? What happens to my data in Cloud? Can all my genuine users get seamless and secure accessibility? Are CSPs compliant with the organization's regulations? How are organizational requirements, like security, governance and regulatory compliance, addressed in the Cloud environment?" Therefore, Cloud services require controls for privileged user access, regulatory compliance, data location, data safety, encryption and segregation, storage, backup and recovery of data [18, 19]. Figure 2 abstractly presents the security concerns on Cloud. Broadly, we can divide Cloud security issues into four categories:
1) Cloud Infrastructure Platform: these involve security problems associated with the networking, storage and security vulnerabilities of the physical data centres of Cloud.
2) Data Management: issues ranging from data confidentiality, data integrity and data locality to tracing of data origin and its representation. When organizations shift to the Cloud, their data comes under the control of a third party, which poses many threats to the privacy and security of the data. Users are provided with a high level of abstraction for most of the services; therefore, they have a low level of control over the shared resources [20].
3) Access Management: access management entails security problems of AAA (authentication, authorization, and auditing), managing access control policies and encrypted communication of confidential Cloud data. There can be ambiguities in accessing users' data in a shared infrastructure. We will further discuss access management in the next section.
4) Compliance: this category includes the regulatory issues of Cloud-based activities like auditing, tracing of different operations and their compliance concerns. It caters to major governance problems that need review and participation from IT managers for a robust, well-defined compliance validation. Regrettably, Cloud services are fraught with supposedly "resolved" compliance issues such as Sarbanes-Oxley [21], HIPAA [22] and European privacy laws about allowing data regarding employees to be stored in other systems [23].
Fig. 2 Security challenges in cloud
The Cloud Security Alliance (CSA)1) states that the security of a CSP is characterized by the maturity, effectiveness and completeness of risk-adjusted security controls. These controls need to be implemented on Cloud, ranging from facilities (physical security), to the network infrastructure (network security), to the IT systems (system security), and all the way to the information and applications (application security) [7], as illustrated in Fig. 3. However, the deployment of these security controls manifests rigidity for CSCs, as most security controls are on the provider's side and consumers can only negotiate the contract for security services (particularly for the SaaS deployment model). For CSCs (enterprises), it is very necessary to evaluate the potential risks of the Cloud; for example, to map out how data is transferred between organizations, Cloud services and any customers. Other than the abovementioned issues, advanced security challenges of Cloud computing, like abstraction, lack of execution controls, third-party control of data and multi-party processing of data, also need great attention. These challenges need to be properly addressed before deploying applications on the Cloud.
Fig. 3 Security controls needed in Cloud environment
3 Assessment of access control techniques for Cloud environment
Authorization in the Cloud environment demands an effective access control mechanism that can protect Cloud resources and restrict unauthorized access to sensitive data. However, designing and implementing effective Cloud-based access control techniques is trickier and more challenging because they need to cater to a variety of customers belonging to different domains [24]. Various access control techniques have been introduced for assuring access management of data and applications on Cloud. In order to highlight the key challenges that Cloud consumers can face in adequately protecting their data, there is a need to perform a comprehensive analysis of access control techniques.
In this section, we perform a detailed and in-depth critical analysis of existing access control techniques according to the steep demands of Cloud's various service models. The following subsection explains the criteria we have used to carry out the aforementioned analysis.
1) Cloud Security Alliance, https://Cloudsecurityalliance.org/ (30 March 2013)
3.1 Assessment methodology
The security features of any system are not always quantifiable, so absolute values cannot always be assigned to them. NIST presents a report [25] on qualitatively evaluating the security aspects of a system through information security metrics. According to the report, there are a number of security properties that are difficult to measure quantitatively, and their analysis needs to be performed in a subjective manner. NIST also provides well-established security guidelines and procedures for enterprises to securely execute their processes and operations. Among such guidelines, NIST has formulated assessment criteria for evaluating access control mechanisms [26]. According to this report, the operational impacts of access control techniques are significant because they not only affect the administrative aspects and user productivity, but also impinge on an organization's ability to successfully execute its operations. Therefore, access control systems are required to be evaluated on the basis of these metrics before making them functional and operational in practical scenarios. Incorrect configuration of a single policy could undermine the organization's security posture.
We employ a "qualitative" approach for our research that will assist us in finding, out of the existing techniques, a reliable access control technique that best fits the authorization requirements of applications hosted on the SaaS layer of Cloud. To execute our analysis, we have thoroughly appraised all the access control quality metrics defined by NIST in [26], and we have filtered the parameters most relevant to the goal of our research. Mainly these features include separation of duty, (ease of) privilege assignment, least privilege, policy conflicts, configuration flexibility, policy repository and retrieval, policy distribution and horizontal scope. In addition to that, we also base our analysis on the specific properties offered explicitly by any access control technique. We finally evaluate the techniques on whether or not they possess certain features, and mark them High or Low accordingly. A High level indicates that the system offers complete support for a feature and fulfils all the requirements stated against that particular feature. A Low level indicates that the system under consideration lacks support for the feature in question.
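As an added illustration (not part of the paper), the following Python evaluator shows what three of the criteria listed above mean in practice for an RBAC policy: least privilege as deny-by-default, static separation of duty as mutually exclusive roles checked at assignment time, and policy conflicts as a permit and a deny rule matching the same request through a user's roles, resolved here with deny-overrides. The roles, users and rules are a constructed sample and belong to none of the surveyed techniques.

```python
"""Added example (not from the paper): a minimal RBAC evaluator illustrating
least privilege, static separation of duty and policy-conflict detection.
All roles, users and rules are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass
class Rule:
    role: str
    resource: str
    action: str
    effect: str  # "permit" or "deny"


@dataclass
class RbacPolicy:
    rules: List[Rule] = field(default_factory=list)
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)
    # Static separation of duty: role pairs no single user may hold together.
    exclusive_roles: Set[FrozenSet[str]] = field(default_factory=set)

    def assign_role(self, user: str, role: str) -> None:
        held = self.user_roles.setdefault(user, set())
        for existing in held:
            if frozenset({existing, role}) in self.exclusive_roles:
                raise ValueError(f"SoD violation: {user} may not hold both "
                                 f"{existing} and {role}")
        held.add(role)

    def _matching(self, user: str, resource: str, action: str) -> List[Rule]:
        roles = self.user_roles.get(user, set())
        return [r for r in self.rules
                if r.role in roles and r.resource == resource and r.action == action]

    def decide(self, user: str, resource: str, action: str) -> str:
        """Deny-overrides combining. No matching rule means deny, which is the
        least-privilege default: nothing is reachable without an explicit permit."""
        matched = self._matching(user, resource, action)
        if not matched or any(r.effect == "deny" for r in matched):
            return "deny"
        return "permit"

    def find_conflicts(self) -> List[Tuple[str, Tuple[str, str]]]:
        """Static policy-conflict check: for each user, a (resource, action)
        target that one of their roles permits and another denies."""
        conflicts = []
        for user, roles in self.user_roles.items():
            effects: Dict[Tuple[str, str], Set[str]] = {}
            for r in self.rules:
                if r.role in roles:
                    effects.setdefault((r.resource, r.action), set()).add(r.effect)
            for target, seen in effects.items():
                if seen == {"permit", "deny"}:
                    conflicts.append((user, target))
        return conflicts


def build_sample_policy() -> RbacPolicy:
    """Constructed sample: clerks write the ledger, auditors review it, and the
    two roles are mutually exclusive. 'manager' and 'compliance' disagree on
    ledger writes, so a user holding both creates a detectable conflict."""
    policy = RbacPolicy(
        rules=[
            Rule("clerk", "ledger", "write", "permit"),
            Rule("auditor", "ledger", "read", "permit"),
            Rule("auditor", "ledger", "write", "deny"),
            Rule("manager", "ledger", "write", "permit"),
            Rule("compliance", "ledger", "write", "deny"),
        ],
        exclusive_roles={frozenset({"clerk", "auditor"})},
    )
    policy.assign_role("alice", "clerk")
    policy.assign_role("bob", "auditor")
    policy.assign_role("carol", "manager")
    policy.assign_role("carol", "compliance")
    return policy


if __name__ == "__main__":
    p = build_sample_policy()
    print(p.decide("alice", "ledger", "write"))   # permit
    print(p.decide("bob", "ledger", "write"))     # deny
    print(p.decide("eve", "ledger", "read"))      # deny: no role, hence no rule
    print(p.find_conflicts())                     # [('carol', ('ledger', 'write'))]
```

Running `find_conflicts()` before deployment is the kind of check the "policy conflicts" criterion asks for: the conflict for carol is detectable statically, whereas `decide()` only hides it at request time by letting the deny win.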
3.2 Analysis of extant access control techniques
In this section, we perform an analysis of the existing access control techniques, based on the above-mentioned parameters, in order to find out which of them would be better suited for the Cloud environment. We have mentioned only 14 of all the Cloud access control techniques, but the analysis is applicable to any technique that provides authorization for Cloud environments. The details of each technique are discussed in Appendix A2); reading the appendix will help the reader to better understand the techniques. Table 1 lists all the access control mechanisms that we have analysed, along with their main technical features.
• Secure data access in Cloud computing [27]
Sanka et al. discuss the open challenges together with a capability-based access control technique that ensures that only valid users will access the outsourced data. This technique supports least privilege by assigning access rights at the level of the basic unit, the data file. Duties are clearly defined for Cloud consumers through the specification of access rights in the capability access list. Users can only perform the functions specified by data owners in their corresponding list, following the separation of duty principle. Policy conflicts are not managed in the proposed system. The capability list contains static entries of users and their corresponding allowable objects, which is not well suited for dynamic environments like Cloud. It does not consider the various factors necessary for formulating an accurate access decision, which is a major requirement for distributed environments, and this limits its configuration flexibility. Double encryption is used in the proposed technique to provide strong cryptographic strength, through which key management, configuration and distribution to a large number of consumers become a large performance overhead. This makes the system inflexible to adopt in different computing platforms and environments, thus limiting its scope. The access control policies for private Cloud are stored in the local databases of data providers along with the users' logs, whereas privacy preference specifications are managed at the data owner's end, therefore offering a local as well as federated policy repository and retrieval feature. The system specifies policy by defining permissions in the capability list with user id and file id, which somewhat simplifies the policy creation process, therefore introducing the ease of privilege assignment feature.
• Secure access mechanism for Cloud storage [28]
Harnik et al. [28] also propose a capability-based access control mechanism to address the access control requirements for Cloud storage. This technique propagates user access rights by incorporating a chain of services mechanism. The chain of services mechanism ensures the least privilege
2) Due to space limitations, we could not cover these techniques in this section of the paper. Please refer to Appendix A for a detailed discussion of these techniques.
Table 1 Access control techniques and their technical features

Secure data access in Cloud computing [27]
• Capability lists determine who uses what
• Modified Diffie-Hellman exchange protocol to share asymmetric keys between CSPs and CSCs
• Capability-based access control
• Uses encryption and MD5 hash to secure data files

Secure access mechanism for Cloud storage [28]
• Capability-based access control
• Extensive delegation mechanism that appends the original capability with a reduced delegated capability
• User ID in the capability reduces authentication overhead
• User-to-user access delegation, availability, revocation, interoperability, and per-resource auditability

OpenPMF SCaaS: authorization as a service for Cloud & SOA applications [29]
• Compliance and automation of security policies
• Automation of policy generation, configuration, enforcement and incident reporting
• Compliance as a service
• Asynchronous policy updates

Distributed access control architecture for Cloud computing software [30]
• Role-based access control (RBAC)
• Targets the distributed architecture of Cloud
• Secure SSL channel used to transfer the data to Cloud
• Encryption/decryption of data performed at the client side, resulting in extra processing
• User revocation is also provided

API access control in Cloud using the role-based access control model [31]
• Role-based access control model
• Roles are defined in a static manner and cannot be modified dynamically
• Two-stage authorization: user attributes for authentication, then role validation
• Maintains a database of permissions corresponding to different roles

Access control as a service for public Cloud storage [32]
• Attribute-full proxy re-encryption (AF-PRE)
• Simple key management
• Capacity to compose the attributes along with the anticipated combination of authorization and encryption with appropriate separation
• Efficient in executing queries on encrypted data

A privacy enhancement system on academic-based private Cloud system using Eucalyptus open source Cloud infrastructure [33]
• Combines the best features of the RBAC and ARBAC models
• Core objective is to restrict unauthorized access to personal identification information (PII)
• User and data classification levels are defined, according to which privacy preferences and access policies are formulated
• Access requests include Subject, Resource and Environment attributes

Provenance-based access control in Cloud environments [32]
• Provenance-based access control
• Distribution of provenance in a dynamic Cloud environment and assessment of remote data objects
• Access control is provided at scope level
• Access constraints include provenance in addition to objects, subjects and rights
• Additional provenance database and policy database modules beyond the core policy enforcement point (PEP) and policy decision point (PDP)

Fine-grained data access control systems with user accountability in Cloud computing [34]
• Fine-grained access control through attribute-based encryption (ABE)
• Access policies are given using either the private key or the ciphertext: the former specifies the files that a user is able to access, and in the latter each file and user key has different attributes
• Resolves two main issues, i.e., user accountability and efficient user revocation
• Broadcast encryption is performed by the data owner on the user group

Usage control in Cloud systems [35]
• Usage control (UCON) model using the OASIS XACML standard
• Handles ongoing usage of previously assigned resources and supports access revocation
• Implemented and integrated with the OpenNebula toolkit (ONE), which provides access control lists (ACLs) and usage quotas

Achieving secure, scalable, and fine-grained data access control in Cloud computing [36]
• Hierarchical attribute-based encryption (combining hierarchical identity-based encryption (HIBE) and ciphertext-policy attribute-based encryption (CP-ABE))
• A hierarchical structure with a root master (RM) and domain masters (DMs), where the RM corresponds to the private key generator and DMs handle delegation of keys
• A unique identifier is assigned to each DM and attribute; an ID and attributes are assigned to users
• Each user's position is defined by his own ID and the public key of the DM administering him

Multi-tenancy based access control in Cloud [37]
• Mandatory access control and discretionary access control models
• Security rules are based on user identities rather than IP addresses
• Five security modules: OpenSSL, identity and authentication module, audit module, access control and management module
• Classifies the subjects and objects of traditional access control mechanisms into two granule levels: the tenant granule level, managed by the CSP to compartmentalize tenants, and the application granule level, controlled by tenants to control access to their applications

CloudPolice: taking access control out of the network [38]
• Targets infrastructure as a service (IaaS)
• Several security policies, such as tenant isolation, inter-tenant communication, fair sharing among tenants, etc., are identified; based on these policies a policy model is defined that uses predicate logic (if-then)
• Transfer of control messages and notification of policy updates for a large number of VMs may result in network performance degradation
• Each VM requires security group declaration and management

SaaS access control research based on UCON [39]
• UCON post-obligation model
• Attribute mutability and continuity of attributes
• Authorization and Obligations are the major components of the model
• Types of authorization mainly include PreA, OnA, PreB and OnB
principle by assigning the end-client access token only to the required users, according to their capabilities. Once a user is authenticated, the client is directed towards the authorization component, which generates a token carrying the capability of the user, thus ensuring the separation of duty principle in the technique. However, the technique does not incorporate any mechanism for resolving policy conflicts. The access control manager of the proposed design is flexible enough to implement a diverse range of access control models, including capability-based, attribute-based or role-based, allowing compatibility with any of the underlying platforms and environments and thus broadening the horizontal scope. The data centres in the proposed technique are highly coupled with the storage layer and replication manager; therefore, adding any new module or deploying the existing solution in a new scenario introduces complex interoperability issues, making the configuration flexibility low. The Identity Manager and Access Manager use separate databases for the storage of policies and users' capability data, thus offering local policy repository and retrieval. The Replica Manager updates all users' capability information across the distributed data centres; however, the large number of replicas makes the update process complex and privilege assignment more difficult.
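Both capability-based designs discussed above (the capability lists of Sanka et al. and the delegated capability tokens of Harnik et al.) can be illustrated with one added Python example, which is not the code of either paper: a root capability (user, file, rights) is issued under an issuer HMAC key; a holder appends a delegation link carrying a strictly reduced set of rights without needing the issuer's key, because each link's MAC is keyed with the parent MAC (a macaroon-style chaining, assumed here rather than taken from [28]); verification recomputes the whole chain, rejects any link that widens rights or is not signed by the current holder, and honours revocation of the root capability. The issuer key, user names and file ids are constructed for the example.

```python
"""Added example (not from the paper): capability tokens with reduced-rights
delegation and chained MACs. Keys, users and file ids are constructed data."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Set, Tuple

# Assumption: the authorization component holds this long-term key; it is
# never given to token holders.
ISSUER_KEY = b"constructed-issuer-secret-for-the-example"


def _canon(obj) -> bytes:
    """Canonical JSON so issuer and holder MAC identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def issue(user: str, file_id: str, rights: Set[str]) -> Dict:
    """Issuer creates the root capability: (subject, object, rights) + MAC."""
    root = {"id": secrets.token_hex(8), "sub": user, "obj": file_id,
            "rights": sorted(rights)}
    return {"root": root, "links": [], "mac": _mac(ISSUER_KEY, _canon(root)).hex()}


def _walk_unverified(token: Dict) -> Tuple[str, Set[str]]:
    """Current holder and rights implied by the chain (no key needed)."""
    holder, rights = token["root"]["sub"], set(token["root"]["rights"])
    for link in token["links"]:
        holder, rights = link["to"], set(link["rights"])
    return holder, rights


def delegate(token: Dict, to_user: str, rights: Set[str]) -> Dict:
    """Holder appends a link granting a subset of its own rights to another user.
    The new MAC is keyed with the parent MAC, so no issuer key is needed and
    the issuer can still recompute the entire chain from its root key."""
    holder, held = _walk_unverified(token)
    if not set(rights) <= held:
        raise ValueError("delegated rights must be a subset of the holder's rights")
    link = {"from": holder, "to": to_user, "rights": sorted(rights)}
    new_mac = _mac(bytes.fromhex(token["mac"]), _canon(link))
    return {"root": token["root"], "links": token["links"] + [link],
            "mac": new_mac.hex()}


def verify(token: Dict, revoked: Set[str] = frozenset()) -> Optional[Dict]:
    """Issuer-side check: recompute the chained MAC, require that every link is
    made by the current holder and only narrows rights, and reject revoked roots."""
    root = token["root"]
    if root["id"] in revoked:
        return None
    mac = _mac(ISSUER_KEY, _canon(root))
    holder, rights = root["sub"], set(root["rights"])
    for link in token["links"]:
        if link["from"] != holder or not set(link["rights"]) <= rights:
            return None
        mac = _mac(mac, _canon(link))
        holder, rights = link["to"], set(link["rights"])
    if not hmac.compare_digest(mac, bytes.fromhex(token["mac"])):
        return None
    return {"holder": holder, "obj": root["obj"], "rights": rights}


def authorize(token: Dict, user: str, file_id: str, op: str,
              revoked: Set[str] = frozenset()) -> bool:
    """Policy enforcement: the presenter must be the chain's final holder."""
    ctx = verify(token, revoked)
    return (ctx is not None and ctx["holder"] == user
            and ctx["obj"] == file_id and op in ctx["rights"])


if __name__ == "__main__":
    t = issue("alice", "file-42", {"read", "write"})
    d = delegate(t, "bob", {"read"})
    print(authorize(d, "bob", "file-42", "read"))    # True
    print(authorize(d, "bob", "file-42", "write"))   # False: delegation narrowed rights
    print(authorize(d, "bob", "file-42", "read", revoked={t["root"]["id"]}))  # False
```

Two properties of the surveyed designs are visible here: revocation is coarse (revoking the root invalidates every delegation beneath it, which is what the replica-update problem noted above is about), and a tampered link cannot widen rights because the issuer recomputes the MAC chain from its own key rather than trusting the holder's copy.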
• OpenPMF SCaaS: authorization as a service for Cloud & SOA applications [29]
Lang et al. [29] present the concept of portable security and compliance policy automation for Cloud applications. The paper also discusses a reference implementation called OpenPMF security & compliance as a service (SCaaS), which is based on ObjectSecurity OpenPMF, Intalio BPMS, and Promia Raven. SCaaS enforces security policies to ensure that only authorized users may invoke secure Cloud services and applications, following the least privilege principle. The SCaaS policy feed services are used by multiple Cloud tenants; to avoid the policy conflicts that may arise from the generation of multiple conflicting technical policy rules for shared resources, the proposed scheme makes use of model-driven security (MDS) concepts. The process of policy update is asynchronous and is performed at application start-up or whenever security rules change (without the need to restart the protected end-system). This greatly enhances performance and robustness and ensures the configuration flexibility principle. Policies are either generated within Cloud using hosted MDS and PaaS development tools, or are uploaded from local MDS and development tools, thus offering a local repository for policy storage and retrieval. Furthermore, the separation of duty principle is ensured through the policy modeling module, which divides the tasks among various modules to guarantee the security and compliance requirements. SCaaS is developed to support diverse Cloud environments, where MDS is installed across multiple development tools (e.g., Eclipse, Intalio BPMS) and aims to protect the applications on various runtime application platforms (e.g., various web application servers, JavaEE, DDS, CORBA/CCM), and hence supports horizontal scope. In OpenPMF, the OpenPMF runtime policy repository is responsible for the distribution of policy to the various OpenPMF policy decision/enforcement points (PDP/PEPs) on each protected application runtime platform. However, the presented SCaaS does not specify any mechanism for ensuring the ease of privilege assignment feature.
• Distributed access control architecture for Cloud computing software [30]
Almutairi et al. [30] present a technique for data storage and distributed access control in the Cloud paradigm. The proposed architecture uses the RBAC model, where the least privilege principle is ensured by limiting user access privileges according to the assigned roles. Considering the collaborative nature of the Cloud, the authors offer a specification for semantic and contextual constraints to ensure adequate protection of services and resources, thus adhering to the configuration flexibility principle as well. The technique clearly separates the specification of semantic constraints (such as separation of duty) from that of contextual constraints (such as temporal or environmental constraints included in an access request), to ensure the security of Cloud services and resources, especially for mobile services. The design of the proposed architecture is generic enough to support other access control policies (such as DAC and MAC), increasing the horizontal scope of the system. The distributed access control architecture supports both federated and loosely coupled collaboration models, which enhances the policy storage and retrieval capabilities of the system. The access control module (ACM) is composed of a PDP, a PEP and a policy repository, and deals with policy distribution at the various layers. Verification models and tools are required to avoid and resolve policy conflicts in the Cloud; however, the authors leave these as future work. Likewise, the authors do not specify any mechanism for ensuring the ease of privilege assignment feature.
• API access control in Cloud using the role based access control model [31]
Sirisha et al. [31] propose a secure access control API for the Cloud using the RBAC model. Assigning and revoking roles and permissions is simple, thus providing the ease of privilege assignment feature. The role-based and attribute-based access control mechanisms are implemented at the API level, where the management of attributes (e.g., subjects, roles and resources) requires little modification to deploy in different scenarios, which increases the configuration flexibility. The attribute-validation and role-validation modules use an underlying local database, hence supporting the policy distribution and policy repository and retrieval features. The proposed API offers no support for the policy conflict and least privilege features. The role- and attribute-based access control models are implemented at the application layer, through which Cloud consumers access the Cloud services. This API-level access control is platform independent and can be incorporated in any environment, which increases the horizontal scope. The assignment, revocation and management of roles are performed by the "role validation mechanism" module, while the assignment and revocation of objects and their attributes are performed by the "attribute validation mechanism" module; this division of responsibilities is the basis on which the proposed technique supports separation of duty.
• Access control as a service for public Cloud storage [32]
Zhang et al. [32] present an access control service for public Cloud storage in which authorization decisions depend on the data owner's decision or on a policy decision point (PDP) module. To implement the service, an attribute-full proxy re-encryption (AF-PRE) scheme is offered as the core component of the solution: access control expressions are generated from attributes, which are then combined into a privilege value. This value is sent to the PDP delegation module to assist the decision-making process and to ensure the least privilege principle. The AF-PRE scheme ensures the confidentiality of data contents and provides mechanisms to prevent policy conflicts. The proposed scheme offers a clear separation of policy and mechanism (such as attribute-based encryption for outsourced settings), thus supporting configuration flexibility. The access control service for public Cloud storage remains under the control of the data owner, and the PDP and policy enforcement point (PEP) can be securely delegated, thus offering both local and federated policy repository and retrieval. In addition, the authors highlight separation of duty as the most significant feature of their scheme, which supports a separation methodology in Cloud scenarios. Horizontal scope is another feature the scheme offers through its attribute-full proxy re-encryption mode: access control policies are published as re-encryption keys and privilege values, and are generated independently of the encryption operation. Authorization update is a dedicated module that handles changes in privileges and ensures the ease of privilege assignment. Policy distribution is offered through the policy translator module, which computes a new privilege value, updates its PriV-table and sends it to the PDP delegation module, which performs the replacement.
• A privacy enhancement system on academic based private Cloud system using Eucalyptus open source Cloud infrastructure [33]
ARBAC [33] combines the best features of the attribute based access control (ABAC) and role based access control (RBAC) models. Since ARBAC is the composition of RBAC and ABAC, least privilege is supported by granting permissions according to the attributes and role parameters specified in the policy. Management of attributes (subject, resource and environment) in different scenarios requires detailed configuration changes, resulting in low configuration flexibility. Access control policies are stored in and retrieved from a local repository, and prior to enforcement they are evaluated against the attributes defined for subject, resource, environment and user roles, which improves the reliability of the system. Separation of duty is achieved by associating each subject and resource with particular attributes, on the basis of which job functions and access rights are defined. User and data classification levels are defined, according to which privacy preferences, access policies and privileges are formulated; hence the system supports the ease of privilege assignment principle. The inclusion of an additional parameter such as environment attributes (which can capture system-related properties and characteristics) helps increase the horizontal scope of the system across different platforms and applications. However, the paper does not specify any mechanism for the distribution of the generated policies. Similarly, no procedure is mentioned for avoiding the policy conflicts that may occur when multiple policies yield different access decisions.
• Provenance-based access control in Cloud environments [40]
Bates et al. [40] propose an access control model based on provenance, which records all the actions and processes applied to a specific piece of data. The proposed mechanism supports least privilege, as consumers are permitted to use only those data objects that are required to perform certain actions in accordance with the data provenance policies. However, no specific procedure is defined for assuring the separation of duty principle, which is necessary to limit the access of subjects and thereby alleviate security breaches. If conflicts appear between two or more policies, the provenance records in the provenance database are used to immediately revoke the subject's privileges on that data object, hence providing support for the policy conflict feature. The access control policies are not integrated into the operating system; even at the API level, however, moving from one policy to another is not an easy task because of the large number of provenance records associated with each data object, so the configuration flexibility of this provenance-based model is low. The provenance database stores the provenance information and the policy database stores the security policies, thus incorporating the policy repository and retrieval feature locally. The core components of the Cloud provenance authority, mainly the PEP, PDP, provenance database and policy database, can easily be deployed in any environment independent of the underlying infrastructure, therefore supporting high horizontal scope. However, the presented provenance-based system does not specify any mechanism for ensuring the ease of privilege assignment feature.
• Fine-grained data access control systems with user accountability in Cloud computing [34]
To provide fine-grained access control in the Cloud, the attribute based encryption (ABE) scheme of [34] addresses two main issues, user accountability and efficient user revocation. The proposed scheme protects against external attackers (revoked users, Cloud servers and users whose attributes do not match the policy) and against internal attackers, since they cannot change the IDs embedded in the attributes of their private keys. In this system, the least privilege principle is followed by defining an access structure for each user; if the user's access structure matches the attributes of the requested file, access is granted to the data hosted in the Cloud. Separation of duty is followed by defining jobs for all the system entities: data owner, Cloud provider, consumer and third party auditor. The Cloud provider keeps the encrypted data files, and a user can access these files if their access structure matches the file attributes specified by the data owner. Access control policies are generated and stored in a local policy repository for quick retrieval; furthermore, each policy is associated with a user rather than with each file to be accessed. The policy specification module requires an access structure to be defined for each user, which may introduce a large overhead in terms of mathematical operations and algorithms and thus does not provide ease of privilege assignment. Policy conflicts, which may occur when two or more access control policies yield different decisions, are not managed by this system. In addition, such systems require a great deal of time to execute their mathematical operations and algorithms and offer minimal support for different execution environments, therefore failing to deliver horizontal scope. The system is also not flexible, because the complex operations it requires decrease its applicability in different environments, resulting in low configuration flexibility. Similarly, the proposed system does not include mechanisms for policy distribution.
• Usage control in Cloud systems [35]
Lazouski et al. [35] present an advanced authorization framework based on the usage control (UCON) model [41] and the OASIS XACML standard to control the usage of Cloud resources. It addresses the issue of unauthorized ongoing accesses by interrupting accesses that are in progress when the corresponding access rights no longer hold. In addition, the designed access control service (ACS) continuously checks policy enforcement, therefore guaranteeing the least privilege principle. If there is a conflict between policies, or if the decision process recognizes a policy violation, resources are immediately released and access rights are revoked, offering support for the policy conflict feature. A prototype of the authorization system has been developed and its API integrated with OpenNebula, thus ensuring configuration flexibility. The scheme provides a graphical user interface and the ACS for retrieving the user attributes required by the UCON authorization system. The policy information point (PIP) contacts attribute managers (AMs) to acquire the required attributes, which are stored in its local repository. The system offers horizontal scope through its AS module, which may execute on machines other than the one enforcing the access control decision. The AM module is responsible for handling policy distribution among the various components of the access control service. However, this framework does not specify any mechanism to ensure separation of duty. Similarly, ease of privilege assignment is not incorporated in the design and architecture of the presented framework.
• Achieving secure, scalable, and fine-grained data access control in Cloud computing [36]
Hierarchical attribute based encryption, which combines hierarchical identity based encryption (HIBE) with ciphertext-policy attribute based encryption (CP-ABE), has also been proposed for access control in the Cloud [36]. The system follows the least privilege principle with the help of an access structure assigned to users; this access structure defines the set of access rights corresponding to each data file. Separation of duty is satisfied by assigning job functions to each system entity, and the system does not allow an entity to execute tasks that are not permitted for it. The complexity and overhead of policy specification increase with the number of attributes and the number of steps required to execute the mathematical operations. Including a new feature in the system requires tedious work that introduces performance overhead and significantly decreases the ease of privilege assignment. The scope of the proposed system is limited to specific application environments because of the operational complexity of its mathematical functions, so it offers no support for horizontal scope. For efficient user revocation, a two-step algorithm is proposed to update the keys of the remaining users. However, adding any other property for access control introduces a large number of processes and operations with complex interoperability issues, making the overall configuration flexibility of the system low. There is no mechanism in the system to handle policy conflicts between the access decisions of two or more policies. In addition, the access control components used for policy distribution, such as the policy administration point (PAP), PDP and PEP, are not specified in the design and architecture.
• Multi-tenancy based access control in Cloud [37]
Because of multi-tenancy in Cloud computing, the separation of duty between the CSP and the tenant is a main concern. The solution proposed in [37] is a multi-tenancy based access control model (MTACM) for application security in the public Cloud. In MTACM, separation of duty between the CSP and the consumers is supported by classifying subjects and objects into two granularity levels, as described in Table 1. The five core modules (the OpenSSL module, the identification and authentication module, the audit module, the access control module and the management module) are all implemented as Nginx modules and are therefore platform dependent, which limits the scope of MTACM. The overhead of adding, creating and removing object rules, subject rules and security policies is distributed between the Cloud providers and the Cloud consumers, thus providing the ease of privilege assignment feature and improving the performance of the MTACM system. However, the MTACM system does not mention any procedure for avoiding the policy conflicts that may arise from the access decisions of multiple rules. The discretionary access control and mandatory access control mechanisms are implemented at the API level; however, the dependency of the access control module on Nginx requires complex modifications for different environments, therefore reducing the configuration flexibility.
• CloudPolice: taking access control out of the network [38]
Popa et al. [38] propose a hypervisor-based access control technique named "CloudPolice" for the Cloud paradigm. The technique provides flexibility, scalability and network independence, since it operates at the infrastructure level. However, implementing security policies at the infrastructure level makes practical adoption of the scheme difficult. Hypervisors manage several VMs at a time, and sending and receiving control messages is an extra overhead on the hypervisor's workload. Furthermore, transferring control messages and policy update notifications for a large number of VMs degrades network performance. The proposed hypervisor-based access control technique offers configuration flexibility in supporting policies in multi-tenant environments, network independence by decoupling access control from the network, and scalability to handle hundreds of thousands of servers and users. In the proposed distributed solution, policy repository and retrieval is handled in a distributed way: hypervisors need only be aware of the policies of their own hosted VMs, not of the policies of any other group or of the group membership. The technique does not require a policy management service from the Cloud provider, but it does require an additional API in both the hypervisor and the VMs. The use of an API ensures the horizontal scope of the proposed system. In CloudPolice, the Cloud provider is responsible for distributing the group policy to the hypervisor at VM initialization and for updating it at all the group members when the policy changes. The authors do not explicitly describe any system module that would resolve potential policy conflicts. Moreover, the framework does not specify any mechanism to ensure separation of duty. Similarly, ease of privilege assignment is not incorporated in the design and architecture of CloudPolice. The principle of least privilege is also of great importance, but is not included in the proposed technique.
• SaaS Access Control Research Based on UCON [39]
Zhu et al. [39] present a unified access control model designed to protect Cloud users' critical data from unauthorized and illegitimate access, using the UCON post-obligation model. In the proposed UCON model the PreA, PreB, PostB and OnB components are managed and maintained separately by distributed modules and policy enforcement points, through which the model provides the separation of duty feature. The UCON PreA, PreB, PostB and OnB model checks the user's privileges and makes an authorization decision both before and during the usage of a specific resource. During the use of that resource, the model continuously checks the required obligations as well as the policies governing the user's privileges, thus supporting the least privilege feature. The proposed access control model is platform independent and can be implemented for a wide range of SaaS applications in the Cloud, therefore supporting the horizontal scope. In order to alter a user's defined privileges, all the associated PreA, PreB, PostB and OnB policies need to be modified, which affects the speed and performance of the access control model and makes the process of privilege assignment more difficult. The model does not support any mechanism for policy distribution or for policy repository and retrieval. Similarly, there is no procedure for making an authorization decision when two or more rules conflict, so the model lacks a solution for policy conflicts. The model can be implemented for any SaaS layer application and supports configuration flexibility.
3.3 Analysis discussion
All the aforementioned Cloud based access control techniques have been evaluated against the selected NIST-defined metrics, and the summary of our qualitative analysis is presented in Table 2. Our analysis reveals that none of the access control techniques covers all the essential features; moreover, most lack compliance with international standards, hence raising interoperability issues. In addition, the existing mechanisms are applicable only to a small number of applications and are static, in that the authorization system cannot update itself according to changes in the application's security requirements; rigorous manual configuration is required to define and maintain access control policies. To sum up, the existing access control mechanisms, while promising, fall short on certain requirements and still need improvement before they can provide complete access control in an environment as dynamic as the Cloud. The findings of this analysis serve as groundwork for the effective implementation and deployment of a comprehensive access control management strategy, ACaaS, for the applications hosted on the SaaS layer of the Cloud.
The study carried out in this paper will also help Cloud consumers (organizations) in selecting a suitable authorization technique that fulfills their security requirements. As mentioned earlier, we have investigated each technique to reveal its pros and cons based on the NIST-defined factors. However, our assessment is not an absolute ranking, because the suitability of any technique depends on the environment, circumstances and security requirements of the Cloud consumer. For example, if "policy conflict avoiding algorithm" and "configuration flexibility" are crucial parameters for a consumer, then the technique "OpenPMF SCaaS: Authz aaS for Cloud & SOA App [29]" is more appropriate. Similarly, if "ease of privilege assignment" and "policy conflict avoiding algorithm" are not important parameters, then techniques such as "Secure data access in Cloud computing [27]" and "Usage control in Cloud systems [35]" are more suitable. Therefore, we cannot give an absolute ranking to any of these techniques. The next subsection presents a real-world case study illustrating the step-by-step procedure for selecting a Cloud authorization technique for organizations interested in solving the prevalent problem of secure access to their applications and resources hosted in the Cloud.

Table 2 Analysis of Cloud based access control systems (SoD = separation of duty, HS = horizontal scope, EoPA = ease of privilege assignments, PD = policy distribution, LP = least privilege, PC = policy conflict, CF = configuration flexibility, PRR = policy repository & retrieval)

Cloud authorization systems                                                                SoD   HS    EoPA  PD    LP    PC    CF    PRR
Secure data access in Cloud computing [27]                                                 High  High  High  Low   High  Low   High  High
Secure access mechanism for Cloud storage [28]                                             High  High  Low   High  High  Low   Low   High
OpenPMF SCaaS: authorization as a service for Cloud & SOA applications [29]                High  High  Low   High  High  High  High  High
Distributed access control architecture for Cloud computing software [30]                  High  High  Low   High  High  Low   High  High
API access control in Cloud using the role based access control model [31]                 High  High  High  High  Low   Low   High  High
Access control as a service for public Cloud storage [32]                                  High  Low   High  High  Low   High  High  High
A privacy enhancement system on academic based private Cloud system [33]                   High  Low   High  High  High  Low   Low   High
Provenance-based access control in Cloud environments [40]                                 Low   High  Low   High  High  High  Low   High
Fine-grained data access control systems with user accountability in Cloud computing [34]  High  Low   Low   Low   High  Low   Low   High
Usage control in Cloud systems [35]                                                        Low   High  High  High  High  High  High  High
Achieving secure, scalable, and fine-grained data access control in Cloud computing [36]   High  Low   High  Low   High  Low   Low   Low
Multi-tenancy based access control in Cloud [37]                                           High  Low   High  High  High  Low   Low   High
CloudPolice: taking access control out of the network [38]                                 High  Low   High  High  High  Low   Low   High
SaaS access control research based on UCON [39]                                            High  High  Low   High  Low   Low   High  High
3.4 Realization in a real Cloud computing environment: case study
The preceding section explains our analysis of Cloud authorization techniques according to the NIST access control metrics. For the effective realization of our work, this section presents a case study of an electronic health record (EHR) system deployed at the SaaS layer of the Cloud by a hospital administration (the Cloud consumer). The case study helps Cloud consumers select the most appropriate technique for their authorization requirements by demonstrating how our assessment works in a real world scenario.
We assume that a hospital wants to deploy an EHR system on the Cloud with authorization requirements alongside other security functionality. A Cloud based EHR system stores and processes patient data electronically and is designed to cover a wide range of hospital administration and management processes. The system involves various modules, including personal health record, e-prescription, report generation, clinical charting, medication management, financial and inventory billing, appointments and calendar modules. All these modules demand security and privacy of their data and resources (authentication, authorization and confidentiality) for reliable execution in the Cloud and to improve the overall quality of the complete system. The system essentially requires access control to ensure the privacy of patients' information and the security of sensitive healthcare information, where access to each resource must be evaluated by an authorization technique. Therefore, in the presented case study, we focus on the authorization of an EHR system and on how a hospital selects a suitable authorization technique for its secure deployment in the Cloud. Hospital administrators are required to select the authorization technique that best suits the following authorization requirements:
• Least privilege (High)
An EHR system must provide fine-grained (granular) access control based on the identity and other unique credentials of the user. Access must be provided on a "need to know" basis.
• Separation of duty (High)
Segregation of duties must be enforced both statically and dynamically: a single user may hold more than one role, but only one role may be active at any given time. For example, a nurse can only make an inventory request as long as she is an active administration staff member on duty and is not associated with any patient. All such rules need to be defined within the technique before deployment on the Cloud.
• Policy conflict algorithms (High)
There should be no conflicts between the hospital's access control policies. To provide accurate access control decisions for each request and to maintain the integrity of hospital data, a policy conflict avoiding algorithm needs to be incorporated within the authorization technique so that conflicts between policies can be avoided. Administrators must also create policies very carefully and should be well aware of how to handle conflicts.
• Configuration flexibility (High)
An authorization technique for an EHR system must be able to accommodate newly introduced health care features and modules, such as MRI and scanning, scheduling and appointments, insurance and sponsors, and equipment inventory. Moreover, for long term viability, the technique must be adaptable to the latest Cloud deployment technologies as well.
• Horizontal scope (High)
An authorization technique should be interoperable with a number of Cloud platforms and operating systems such as Linux, Windows or Mac. The operational coverage of a technique should be capable of handling multiple environments through the generic and customizable design of its mechanism. The environments might be: the EHR application running on a Linux server in Amazon EC2 or CloudStack, a single module of the EHR application running in various web browsers (Firefox, Google Chrome, IE8) on client systems, or an administrator managing policies through web interfaces. Additionally, the technique should be capable of developing and evaluating access control policies for the latest health care modules.
• Ease of privilege assignment (Low)
A technique should provide a "policy administration point as a service (PAPaaS)" in the Cloud to create and manage access control policies for each user and resource of the EHR system with acceptable ease. However, it is not essential to minimize the number of steps for assigning privileges to users, i.e., assigning, revoking and altering subjects, resources or rights, because the hospital administrators will be trained to make fewer mistakes in assigning privileges.
• Policy distribution (Low)
It is not necessary for the technique to store and distribute policies globally at multiple hosting domains, e.g., across multiple Cloud environments.
• Policy storage and retrieval (Low)
It is not necessary for the technique to connect to multiple medical repositories simultaneously. The hospital only needs to deploy a single policy retrieval point (PRP) in the Cloud for its access. Currently, it is not important to have multiple policy stores. We summarize the above requirements in Table 3.
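The separation of duty and least privilege requirements above can be made concrete in code. The following Python is an added example written for this page, not code from the paper or from any of the surveyed systems: it enforces static separation of duty (a user may never be assigned two mutually exclusive roles), dynamic separation of duty (a user may hold several roles but only one is active at a time) and the two contextual rules stated above, the inventory request rule for administration staff and need-to-know access to patient charts. The role names, their permissions, the physician/pharmacist exclusion and the patient-assignment bookkeeping are constructed assumptions for illustration.

```python
"""Static and dynamic separation of duty for the EHR case study.

Added example, not code from the paper: a small in-memory policy engine that
encodes the separation of duty and least privilege requirements of the case
study. Role names, permissions and the patient-assignment rule are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set


class SoDViolation(Exception):
    """Raised when a role assignment would break a static SoD constraint."""


# Hypothetical EHR roles and the permissions each one grants.
PERMISSIONS: Dict[str, Set[str]] = {
    "nurse": {"read_chart", "record_vitals"},
    "admin_staff": {"request_inventory", "schedule_appointment"},
    "physician": {"read_chart", "write_prescription"},
    "pharmacist": {"read_prescription", "dispense"},
}

# Static SoD: role pairs that no single user may hold together
# (constructed example: the prescriber must never also be the dispenser).
STATIC_EXCLUSIVE: Set[FrozenSet[str]] = {frozenset({"physician", "pharmacist"})}


@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)       # roles the user holds
    active_role: Optional[str] = None                  # dynamic SoD: at most one
    patients: Set[str] = field(default_factory=set)    # patients currently assigned


def assign_role(user: User, role: str) -> None:
    """Static SoD check: refuse a role that is mutually exclusive with one held."""
    if role not in PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    for pair in STATIC_EXCLUSIVE:
        if role in pair and (pair - {role}) & user.roles:
            raise SoDViolation(f"{user.name} cannot hold both of {sorted(pair)}")
    user.roles.add(role)


def can_assign(user: User, role: str) -> bool:
    """Convenience wrapper: True if assign_role succeeds, False on an SoD violation."""
    try:
        assign_role(user, role)
    except SoDViolation:
        return False
    return True


def activate_role(user: User, role: str) -> None:
    """Dynamic SoD: activating a role deactivates whichever role was active."""
    if role not in user.roles:
        raise PermissionError(f"{user.name} does not hold role {role!r}")
    user.active_role = role


def assign_patient(user: User, patient_id: str) -> None:
    user.patients.add(patient_id)


def release_patient(user: User, patient_id: str) -> None:
    user.patients.discard(patient_id)


def is_permitted(user: User, action: str, resource: Optional[str] = None) -> bool:
    """Authorization decision for one request.

    Only the single active role contributes permissions (dynamic SoD). Two
    contextual rules from the case study are applied on top of the role check:
    inventory requests are allowed only while the user is not associated with
    any patient, and chart access is limited to the user's own patients
    (need-to-know).
    """
    if user.active_role is None or action not in PERMISSIONS[user.active_role]:
        return False
    if action == "request_inventory" and user.patients:
        return False
    if action == "read_chart" and resource not in user.patients:
        return False
    return True


if __name__ == "__main__":
    nurse = User("alice")
    assign_role(nurse, "nurse")
    assign_role(nurse, "admin_staff")
    assign_patient(nurse, "patient-001")
    activate_role(nurse, "nurse")
    print("nurse reads own chart:", is_permitted(nurse, "read_chart", "patient-001"))
    activate_role(nurse, "admin_staff")
    print("inventory while assigned to a patient:", is_permitted(nurse, "request_inventory"))
    release_patient(nurse, "patient-001")
    print("inventory when unassigned:", is_permitted(nurse, "request_inventory"))
```

Static SoD is checked at assignment time, so a violating combination can never exist in the system, while dynamic SoD and the contextual rules are checked at request time, because they depend on the session state (which role is active, which patients are assigned) rather than on the role set alone.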
3.4.1 Theoretical analysis
Based on the aforementioned access control requirements, we have analyzed the Cloud authorization techniques discussed in subsection 3.2 to identify the most appropriate one for the security of an EHR system. Table 2 shows the level to which these techniques support the access control metrics. The techniques that most closely support the requirements are "OpenPMF SCaaS: AuthzaaS for Cloud & SOA App [29]", "Secure data access in Cloud computing [27]" and "Usage control in Cloud systems [35]". Table 4 presents the supported (✓) and unsupported (×) authorization features of the three techniques.
Table 4 clearly depicts that OpenPMF [29] is closely re-
lated to the authorization requirements of an EHR system and
therefore, hospital administrators can choose this technique
for ensuring authorized access to their resources on Cloud. If
“policy conflict avoiding algorithm” is an essential parame-
ter for an EHR system and it is possible for the hospital to
compromise on the “ease of privilege assignment” feature,
then OpenPMF [29] presents an ideal situation. However, if
“policy conflict avoiding algorithm” and “ease of privilege
assignment” are not imperative constraints to be fulfilled and
can somehow be avoided, then [27] and [35] also give an
ultimate solution. In summary, assessment of Cloud autho-
rization techniques, based on NIST defined parameters, helps
organizations in the appropriate selection of a technique, de-
pending on the security priorities of the system (EHR system
in this case).
Table 3 Access metric requirements for an EMR system
Separation of duty ............... High
Horizontal scope ................. High
Ease of privilege assignments .... Low
Policy distribution .............. Low
Least privilege .................. High
Policy conflict .................. High
Configuration flexibility ........ High
Policy repository & retrieval .... Low
Table 4 Access metric requirements for an EMR system
(Columns: SoD = separation of duty, HS = horizontal scope, EPA = ease of
privilege assignments, PD = policy distribution, LP = least privilege,
PC = policy conflict, CF = configuration flexibility, PRR = policy
repository & retrieval; ✓ = supported, × = unsupported.)
Cloud authorization systems | SoD | HS | EPA | PD | LP | PC | CF | PRR
Secure data access in Cloud computing [27] | ✓ | ✓ | ✓ | × | ✓ | × | ✓ | ✓
OpenPMF SCaaS: authorization as a service for Cloud & SOA applications [29] | ✓ | ✓ | × | ✓ | ✓ | ✓ | ✓ | ✓
Usage control in Cloud systems [35] | × | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓
Table 5 Calculated values of Cloud authorization techniques
Cloud authorization techniques | Set W | Set ACtech | Cumvalue computation | Cumvalue
Secure data access in Cloud computing [27] | {1,1,1,1,1,0,0,0} | {1,1,0,1,1,1,0,1} | ((1×1)+(1×1)+(1×0)+(1×1)+(1×1)+(0×1)+(0×0)+(0×1))/8 | 0.5
OpenPMF SCaaS: authorization as a service for Cloud & SOA applications [29] | {1,1,1,1,1,0,0,0} | {1,1,1,1,1,0,1,1} | ((1×1)+(1×1)+(1×1)+(1×1)+(1×1)+(0×0)+(0×1)+(0×1))/8 | 0.625
Usage control in Cloud systems [35] | {1,1,1,1,1,0,0,0} | {1,0,1,1,1,1,1,1} | ((1×1)+(1×0)+(1×1)+(1×1)+(1×1)+(0×1)+(0×1)+(0×1))/8 | 0.5
3.4.2 Evaluation using NetLogo
After the theoretical analysis, preliminary experimental re-
sults for the selection of appropriate techniques are also ex-
amined through simulation in the NetLogo platform3). In real-
world scenarios, there can be many possible cases for the
selection of a Cloud authorization technique depending upon
the combinations (High & Low levels) of access control met-
rics. For instance, if a Cloud consumer requires the “least priv-
ilege”, “dynamic SoD”, “policy distribution” and “configu-
ration flexibility” features, then [30] is more appropriate.
Similarly, we have run different test cases, particularly for
the selection of an appropriate technique for the EHR sys-
tem. The two main graphical user interfaces for this simu-
lation are the “requirement setup” and “cloud authorization
techniques features” interfaces.
• Requirement setup interface Figure 4 shows the in-
terface for requirements setup, where a Cloud consumer
can input the required levels (Low & High) for the access
control metrics using a drop-down menu on the GUI. The
drop-down menu lists two levels, i.e., “High”
and “Low”. The user can select either option
against each access control metric, according to the
preferred requirements.
We have assigned the numeric weights 1 and 0 to the High
and Low levels respectively: the “High” level corresponds to the
value “1” while the “Low” level is assigned the value “0”. If an orga-
nization needs an access control metric, the “High”
level is selected and the value “1” is assigned
to that metric; similarly, the “Low” level can be selected
and its corresponding value is assigned to the access con-
trol metric at the backend. In the case of the EHR system,
the access control metrics are assigned the values given in Eqs.
(1) and (2), as per hospital requirements.
$W = \{\mathit{LeastPrivileges},\ \mathit{SeparationOfDuties},\ \mathit{PolicyConflictAvoidingAlgorithm},\ \mathit{ConfigurationFlexibility},\ \mathit{HorizontalScope},\ \mathit{EaseOfPrivilegeAssignment},\ \mathit{PolicyDistribution},\ \mathit{PolicyRepository\&Retrieval}\}.$ (1)
$W = \{1, 1, 1, 1, 1, 0, 0, 0\}.$ (2)
Subsequently, the cumulative value is calculated for
all the techniques using Eq. (3), where n is the num-
ber of access control metrics (here n = 8) and i = 1, 2, . . . , n.
$\mathit{Cum}_{value} = \frac{\sum_{i=1}^{n} W_i \ast \mathit{AC}_{tech_i}}{\|\mathit{AC}_{tech}\|}.$ (3)
• Selection of Cloud authorization technique After
providing the access control requirements at the “Require-
ments Setup” phase, we evaluated each Cloud autho-
rization technique against the given requirements. Ac-
cess control metrics supported by a specific technique
are represented by the set ACtech given in Eq. (4). For
instance, the set for OpenPMF [29] is represented by
ACPMF = {1, 1, 1, 1, 1, 0, 1, 1}, in which the val-
ues 1 and 0 represent whether or not the technique
supports the specific feature.
$\mathit{AC}_{tech} = \{ac_1, ac_2, ac_3, ac_4, ac_5, ac_6, ac_7, ac_8\}.$ (4)
3) NetLogo is a multi-agent programmable modeling environment for simulating different scenarios. It is particularly well-suited for modeling complex systems developing over time. http://ccl.northwestern.edu/netlogo/ (14-January-2014)
Fig. 4 NetLogo requirement setup interface
Fig. 5 Simulation results of Cloud authorization techniques
The Cumvalue for [29], [35] and [27], as calculated in Table 5,
are 0.625, 0.5 and 0.5 respectively, so [29] scores highest. Figure 5 presents the sim-
ulation results after performing the calculations on the authorization
techniques according to the requirements of an EHR system.
The results show that OpenPMF [29] is more appropriate,
based on the access control features required by an EHR sys-
tem, than the other techniques, which cannot fulfill all the
requirements and therefore score lower. More precisely, the OpenPMF
technique is more suitable since its Cumvalue exceeds those of [27]
and [35] and it closely fits the EHR requirements. It should also
be noted that the results of the NetLogo simulation
and of the theoretical analysis are the same, i.e., OpenPMF is the more suit-
able technique. The theoretical analysis uses manual assessment
while NetLogo uses mathematical formulation to select the
suitable technique.
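As an added worked example (not code from the paper or its NetLogo model), the requirement-setup and selection procedure above in Python: Table 3 becomes the W vector of Eq. (2), Table 4 the ACtech vectors of Eq. (4), every technique is scored with Eq. (3) and ranked, and, one step beyond the paper's score, the required metrics each technique fails to support are listed. The technique labels in the code are shortened here and are not identifiers from the paper.

```python
from typing import Dict, List, Tuple

# Metric order of Eq. (1); every W and ACtech vector is indexed this way.
METRICS: Tuple[str, ...] = (
    "LeastPrivileges",
    "SeparationOfDuties",
    "PolicyConflictAvoidingAlgorithm",
    "ConfigurationFlexibility",
    "HorizontalScope",
    "EaseOfPrivilegeAssignment",
    "PolicyDistribution",
    "PolicyRepositoryAndRetrieval",
)

# Table 3, the requirement setup for the EHR system: "High" means required.
EHR_REQUIREMENTS: Dict[str, str] = {
    "SeparationOfDuties": "High", "HorizontalScope": "High",
    "EaseOfPrivilegeAssignment": "Low", "PolicyDistribution": "Low",
    "LeastPrivileges": "High", "PolicyConflictAvoidingAlgorithm": "High",
    "ConfigurationFlexibility": "High", "PolicyRepositoryAndRetrieval": "Low",
}

# Table 4 transcribed: the metrics each technique supports. Keying by metric
# name means the column order of Table 4 need not match Eq. (1). The labels
# are shortened here (added example); they are not identifiers from the paper.
TECHNIQUES: Dict[str, Dict[str, bool]] = {
    "Secure data access in Cloud computing [27]": {
        "SeparationOfDuties": True, "HorizontalScope": True,
        "EaseOfPrivilegeAssignment": True, "PolicyDistribution": False,
        "LeastPrivileges": True, "PolicyConflictAvoidingAlgorithm": False,
        "ConfigurationFlexibility": True, "PolicyRepositoryAndRetrieval": True,
    },
    "OpenPMF SCaaS [29]": {
        "SeparationOfDuties": True, "HorizontalScope": True,
        "EaseOfPrivilegeAssignment": False, "PolicyDistribution": True,
        "LeastPrivileges": True, "PolicyConflictAvoidingAlgorithm": True,
        "ConfigurationFlexibility": True, "PolicyRepositoryAndRetrieval": True,
    },
    "Usage control in Cloud systems [35]": {
        "SeparationOfDuties": False, "HorizontalScope": True,
        "EaseOfPrivilegeAssignment": True, "PolicyDistribution": True,
        "LeastPrivileges": True, "PolicyConflictAvoidingAlgorithm": True,
        "ConfigurationFlexibility": True, "PolicyRepositoryAndRetrieval": True,
    },
}


def requirement_weights(levels: Dict[str, str]) -> List[int]:
    """Requirement setup: map {metric: "High"|"Low"} to the W vector of Eq. (2).
    Every metric needs a level; anything other than High/Low is rejected
    instead of being silently treated as "not required"."""
    missing = [m for m in METRICS if m not in levels]
    if missing:
        raise ValueError(f"no level given for {missing}")
    weights = []
    for metric in METRICS:
        level = levels[metric]
        if level not in ("High", "Low"):
            raise ValueError(f"{metric}: level must be High or Low, got {level!r}")
        weights.append(1 if level == "High" else 0)
    return weights


def actech_vector(features: Dict[str, bool]) -> List[int]:
    """Eq. (4): the technique's support set, in the metric order of Eq. (1)."""
    return [1 if features[m] else 0 for m in METRICS]


def cum_value(w: List[int], ac: List[int]) -> float:
    """Eq. (3): sum of W_i * ac_i divided by ||ACtech||, the vector length (8)."""
    if len(w) != len(ac):
        raise ValueError("W and ACtech must have the same length")
    return sum(wi * ai for wi, ai in zip(w, ac)) / len(ac)


def unmet_requirements(levels: Dict[str, str], features: Dict[str, bool]) -> List[str]:
    """Required ("High") metrics the technique does not support: the detail
    behind the score that a decision maker needs before accepting a ranking."""
    return [m for m in METRICS if levels[m] == "High" and not features[m]]


def rank_techniques(levels: Dict[str, str],
                    techniques: Dict[str, Dict[str, bool]] = TECHNIQUES
                    ) -> List[Tuple[str, float]]:
    """Score every technique with Eq. (3); best first, ties broken by name."""
    w = requirement_weights(levels)
    scored = [(name, cum_value(w, actech_vector(f))) for name, f in techniques.items()]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for name, score in rank_techniques(EHR_REQUIREMENTS):
        gaps = unmet_requirements(EHR_REQUIREMENTS, TECHNIQUES[name])
        print(f"{score:.3f}  {name}  unmet requirements: {gaps or 'none'}")
```

Because Eq. (3) divides by the full vector length rather than by the number of required metrics, a requirement set with few "High" entries caps the attainable score well below 1; the unmet-requirements list is the more direct check of fit.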
In summary, the presented case study illustrates the use of
techniques assessment in real life scenarios where one Cloud
consumer (organization) needs to select a technique accord-
ing to authorization requirements. Our assessment followed
by this case study will help Cloud consumers in the selection
of authorization technique satisfying their requirements.
4 Identified problems and proposed ACaaS strategy
Access control should be a mandatory component of Cloud
to make accurate and disclosure-free access decisions based
on multiple factors for minimizing the illegal usage of re-
sources and services. Since confidentiality level of data varies
in different applications, there is a need for an effective access
control mechanism. While giving access to data on a Cloud,
security issues must be handled in a way to provide trusted
and secure environment [42]. Although CSPs have the op-
tion of integrating the various extant authorization mecha-
nisms within their services to protect data and resources of
their customers, our analysis in the previous section depicts
that extant access control models have a lot of room for im-
provement. Therefore, we dedicate this section to discussing
the general weaknesses in authorization systems and how to
overcome them.
4.1 Weaknesses in extant access control techniques
The access control techniques discussed in the previous sec-
tion are far from perfect; we have narrowed their shortcomings
down to the following generic problems:
1) Management of user profile and access control policies
In a Cloud computing environment, maintaining and creat-
ing user profiles and access control policies is more challeng-
ing because the information may come from different sources
– using different processes, naming conventions, and tech-
nologies – and may need to be transmitted securely between
organizations over a hostile Internet. Moreover, there are typ-
ically too many technical rules to manage and these rules do
not match the understanding of human administrators. Fur-
thermore, these technical rules need to be updated frequently
to remain correct each time systems change, and it is
hard to establish that the level of confidence/assurance of the
technical policy enforcement matches the intent of the human
administrator. As a consequence, it is critical to carefully plan
the tools and processes that make the access policy updating
process manageable through automation.
2) Inflexibility of traditional mechanisms
Different types of access control mechanisms are proposed
and deployed so far for traditional enterprise applications that
mainly include role-based [11], task-based [43,44], attribute-
based access [45,46], DAC, MAC, digital rights management
(DRM) [47], trust management (TM) [48], claim-based and
authorization-based access control. Enterprises can leverage
these authorization mechanisms to seamlessly protect Cloud
applications as well. However, these access control mecha-
nisms have some specific parameters and are suitable only
for particular scenarios to provide restricted access of data.
To make authorized access to resources on Cloud, access con-
trol policies must be formulated in a way that they can han-
dle the dynamic nature of the Cloud environment. Some
Cloud services do not call for strict authorization rules and
are accessed after confirmation of a few user attributes. Other
services require the verification of several factors, considering
additional constraints, before permitting access to Cloud
based data. Inflexibility of techniques often also leads to com-
pliance and interoperability issues. Therefore, an access con-
trol mechanism with strictly-defined features is not suitable
for all types of applications and services hosted on Cloud.
3) CSP-Driven access control
CSA specifies some challenges in selecting or reviewing
the adequacy of access control solutions for Cloud services
[7,49]. According to them, it is very difficult to determine the
suitability of the access control technique for different types
of services and applications hosted on Cloud. The authorization
feature provided by Cloud providers uses one or more ac-
cess control models and is not extensible to add new mod-
els according to customer requirements. As a result, CSCs
are forced to reshape the security requirements of their ap-
plications. Almost all the security features like confidential-
ity, integrity and availability are provided by CSPs. It means
encryption, authorization and authentication are in the hands of
providers. Also, the organizations do not find a suitable for-
mat for the specification of policies and user information. These
problems need to be catered for by providing the liberty to select
any technique that suits the security requirement of an orga-
nization. There should be a framework for protecting data of
Cloud consumers that can be customized by consumers ac-
cording to their own security needs along with the basic se-
curity features provided by Cloud providers. Customization
must be provided to Cloud service consumer organization for
controlling access to their hosted applications, as required.
4) Particularity of solutions
To reduce the load and management tasks of organiza-
tions regarding secure authorization to resources on Cloud,
there is a vital need for a generic framework that encompasses
multiple models and has the ability to add any access con-
trol model within the framework based on the security requirements
of the consumer. Moreover, data residing on Cloud belongs to a
wide variety of customers having different sensitivity levels
for data; this necessitates the enforcement of a comprehensive
access control framework for the Cloud environment. For exam-
ple, RBAC is useful for restricting access to data of com-
mercial organizations while the UCON model is suitable for con-
trolling usage of confidential information in health care sys-
tems. Therefore, the authorization framework should be generic
enough to provide the access control policies and access management
functionality for all these Cloud services.
We regard these factors as hindrances in securing the data
of CSCs against illegal accesses. In order to circumvent the
potential issues that might arise due to weak access control
mechanisms, we are proposing the features that an effective
access control management strategy must incorporate to cater
to the dynamism of Cloud environment. It means that the
abovementioned issues can be resolved by mapping problems
into solutions which will eventually lead towards a reliable
access control solution for the SaaS layer of Cloud comput-
ing.
4.2 Essential features for effective Cloud authorization
mechanism
Analysis and findings reveal that there is a need to address the
challenges of developing a holistic and reliable access con-
trol management strategy for the SaaS model of Cloud. To over-
come the aforementioned weaknesses, we propose potential
features that an authorization management strategy must pro-
vide for Cloud hosted applications. Incorporation of these
features will not only resolve these issues but may also pos-
sibly pave the way for a single consolidated comprehensive au-
thorization framework. Eventually, this access control frame-
work would be extensible and generic enough to satisfy the
dynamic requirements of Cloud. These features will not only
protect the resources (data and application) of Cloud consumers
but will also allow them to customize the framework accord-
ing to their security needs and demands.
1) Using common access control policy format
In order to adapt to the flexible requirements of Cloud and
to avoid interoperability and compatibility issues between
policies specified by CSPs and CSCs, commonly used pol-
icy specification format should be developed. The common
specification of access control policies will enable Cloud consumers
to make different access control policies and user profiles
according to their own requirements. An appropriate in-
dustry standard for policy specification such as extensible ac-
cess control markup language (XACML) can be used to fa-
cilitate Cloud consumers by offering authorization services to
their applications. This will also reduce the issues of creating
and managing access control policies and user profiles be-
cause XACML is a powerful access control policy language
that specifies how to evaluate policies and how to interpret
those policies. This language is suitable for a variety of ap-
plication environments. The core language is insulated from
the application environment by the XACML context, which
is why we can use it for Cloud environment where variety
of applications, each with its own characteristics and secu-
rity requirements, are hosted to entertain their users. Accord-
ing to OASIS XACML4) , managing the policy configuration
at each point of policy enforcement is quite expensive and
unreliable5). Therefore, creating and managing access con-
trol policies manually does not demonstrate best practice in
the protection of the information assets of the enterprise and
its consumers on Cloud. XACML gives detailed general ac-
cess control requirements, and has standard extension points
for defining new functions, data types, combining logic, etc.
Keeping in view these standard extension points, a common
policy format must be used that can holistically cover differ-
ent Cloud applications.
2) Common access layer for Cloud applications
For the accumulation of all well-known access control
models, a product in the form of authorization application
needs to be developed which can allow secure authorization
of resources for a variety of Cloud hosted applications. More
specifically, a common access control layer is required that
can act independently of applications hosted on the Cloud.
Thus, any enterprise planning to leverage their application on
Cloud will be able to integrate with this authorization applica-
tion for effective access control. Successful execution of this
application will provide the ability to decouple the business
logic of applications from the security aspect of the applica-
tion. This way, security will not have to be embedded within
the application. Rather, a separate access control layer will be
provided for authorized access of application resources.
3) Customization and extensibility for Cloud hosted applica-
tions
As discussed above, development of an authorization ap-
plication for SaaS-hosted Cloud environment will provide
secure access to its resources. To allow easy customization
for Cloud consumers, an extensibility feature needs to be in-
troduced so that new access control models could also be
incorporated into the authorization application. This feature
will provide autonomy to the users so that they can add new
access control models according to their own authorization
requirements. Depending on authorization requirements, ap-
plications will either select existing access control models
from policy repository or create policies of new access con-
trol model. Additionally, the policy creation process based on
application requirements will be transparent to the user; ap-
plication owners will only need to select an appropriate access
control model and provide attributes based on the appli-
cation domain. The extensibility feature will also make it possible
to deter new threats and attacks launched on Cloud-based ap-
plications.
4) Development and support for third party plug-ins
A lot of efforts are now being centred on the develop-
ment of open and proprietary APIs and plug-ins which seek
to enable features such as security, management and inter-
operability for Cloud. These APIs and plug-ins play a key
role in enhancing the Cloud services to make them more ef-
ficient and reliable. Plug-ins should be another feature of an
effective access management mechanism so that they can be
integrated with Cloud hosted applications.
Table 6 illustrates the mapping of Cloud authorization is-
sues (weaknesses) into essential features for effective Cloud
authorization.
4.3 Amalgamation of features into access control framework – ACaaS
So far, we have discussed the weaknesses in the existing ac-
cess control techniques and have come up with must-have
features for an effective authorization mechanism. Further-
more, we have established that Cloud requires a flexible
access control mechanism applicable to various kinds of en-
vironments. An effective access control mechanism can only
be developed if we can incorporate all the above mentioned
features into one comprehensive framework. Therefore, fault-
less implementation of these access control features can be
the output in the form of an extensible and comprehensive
ACaaS. ACaaS is a Cloud-based approach which aims to
ensure ease in authentication and authorization of Cloud ser-
vice consumers while they access various Cloud services and
resources6). In ACaaS, the management and evaluation of
access control decisions is externalized and handled by some
trusted third-party service provider. ACaaS operates at the ap-
plication layer and provides an authorization store that is
managed and accessed either through code or a manage-
rial gateway. After one-time configuration, CSCs access the
applications via ACaaS by using an authentication token
bundled with authorization claims. Instead of implement-
ing application-specific access control mechanisms, one can
choose ACaaS to authenticate and authorize their service con-
sumers. ACaaS not only facilitates fast and easy application
development, it also allows its customers to access and ac-
quire multiple services and resources with reduced (e.g., sin-
gle sign-on) authentications.
4) OASIS, Extensible Access Control Markup Language (XACML), https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
5) OASIS, Extensible Access Control Markup Language (XACML) v3.0, http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf, July 2008.
6) Microsoft, ACS Overview, http://msdn.microsoft.com/en-us/library/gg429788.aspx, 2011.
Table 6 Mapping of authorization issues into effective access management strategy
(Each row: weakness in extant access control techniques → mapping → essential feature for an effective Cloud authorization mechanism.)
1) Management of user profiles & access control policies (information from different sources; too many technical rules; rules need to be updated frequently)
   → Common policy language format →
   Using common access control policy format (use of an appropriate industry standard policy language; reduces the issues of creating & managing user profiles)
2) Inflexibility of traditional mechanisms (do not have strict authorization rules; compliance & interoperability issues)
   → Comprehensive authorization application →
   Common access layer for Cloud application (authorization application that can act independently; decouples the business logic of the app. from security)
3) CSP driven access control (uses only specific predefined parameters; suitable only for few scenarios; cannot handle dynamic nature of Cloud; perform user verification before and after access)
   → Customization & extensibility →
   Extensibility for Cloud hosted application (extensibility that can add a new access control model on-the-fly; provides autonomy to user applications; transparent policy creation)
4) Particularity of solutions (do not reduce the load & management tasks; do not provide a generic framework; do not have the ability to add new access control models; do not have a customization feature)
   → Third party plugins →
   Development & support for third party plugins (play a key role in enhancing the Cloud services; provide efficient & reliable Cloud services; support for third-party plugins & APIs)
ACaaS needs to be developed in a way that it offers com-
patibility with well-known programming languages and run-
time environments along with the support for international
standards such as OpenID, OAuth, WS-Trust [7] etc. In ad-
dition, ACaaS must be compatible with most of the modern
web platforms such as Python, Java, .NET, Ruby and PHP.
Some real-time implementations of ACaaS are also available
in the market; Azure Platform AppFabric Access Control
Service7) and Junos Pulse Access Control Service Ver. 4.4 [50],
just to name a few. An ACaaS layer comprises PDP, PEP,
PAP and PIP [32] components. Each of these components can
be developed and managed either by the service consumer
or they may use the ones provided by the ACaaS provider
(trusted third party). To be precise, the access control ser-
vice provider ensures the segregation and confidentiality of
the data contents, even though it interacts with both Cloud service
consumers and Cloud service providers.
The effective utilization of the access control framework
(or ACaaS) will assure that IT operations of any enterprise
can achieve reliable access control management for their ap-
plications hosted on SaaS layer. This framework will have
the property of extensibility, genericity, consumer-driven au-
thorization functions and common policy language format.
Extensibility will be used to incorporate existing and newly
proposed access control models. It means that based on secu-
rity requirements of applications, organizations can select any
model from the framework to provide secure access to their
application resources. In addition, this authorization frame-
work will also be available as a plug-in that can be used by
Cloud consumer organizations to securely manage their ap-
plication on Cloud. Thus, gathering features into framework
will help Cloud application owners to provide authorized ac-
cess to resources (data) on Cloud and will also eliminate the
need to write security code in their application.
5 Future research directions
ACaaS is a rather recent concept of offering authorization ser-
vices in Cloud, which is steadily gaining attention in the mar-
ket. Ideally, access control services should incorporate all the
managerial and technical aspects to provide the best possi-
ble solution. Even though research in this domain is moving
towards increasingly mature solutions, there are still a large
number of critical issues that have gone unattended. One glar-
ing issue that needs to be addressed is the lack of a common
policy format that would alleviate the inherent interoperabil-
ity issues in the Cloud environment. To this end, utilization
of the standard policy creation language XACML is highly rec-
ommended. Typically, the ACaaS layer is implemented over
the SaaS layer and the more advanced solutions focus on this
service model. Although the same rules apply for ACaaS for
PaaS and IaaS, there is a lot of room for improvement in pro-
viding the service on top of those deployment models, since
they still provide only the very basic authorization mechanisms.
For instance, adequate partitioning of policy domains and se-
cure delegated administration is required for PaaS. IaaS, on
the other hand, is less likely to be web-based and so the ac-
cess management service will have to be customized accord-
ingly. For this, access management will have to be on a per-
customer basis, so that the passwords and privileges given to
one customer do not enable them to access other customers’
environments8).
7) Microsoft, Introduction to the Appfabric Access Control Service 2.0, http://msdn.microsoft.com/en-us/identitytrainingcourse_introtoacslabsv2.aspx, 2013.
In order to cater to the authorization issues of SaaS hosted
applications, an effective identity and access management
strategy is required for Cloud environment that allows data
owners to manage access to their resources and is extensi-
ble enough to formulate certain policies and rules to define
the access level for each user. A future direction could be
the verification and implementation of features proposed for
the holistic realization of access control management strat-
egy. For the realization of framework, well-known access
control models could be implemented using XACML. So far,
many of the widely-used access control models do not have
comprehensively designed, open source implementations in
XACML 3.0. Therefore, investigating such aspects of these
access control models with respect to XACML opens up new
avenues for research in the area of SaaS Cloud security.
Other issues include privacy of data owners and com-
pliance of the access control system with country- and
organization-specific privacy laws; extensibility to formulate
policies and rules for each level of user, support for delega-
tion rights in cross-Cloud domain, dynamic specification of
entities involved in data sharing, etc. Therefore, a reliable and
extensible authorization framework is highly encouraged to
satisfy the user requirements and dynamic nature of Cloud as
well.
6 Conclusions
The hype that Cloud technology has attracted is not unwar-
ranted; the academia and industry find the paradigm ripe with
opportunities and potential. However, despite the promising
features Cloud has to offer, consumers are still reticent to de-
ploy their applications on it, mainly due to the security and
privacy concerns that exist in the domain. For adequate data
and application security, Cloud computing demands extensi-
ble and reliable access control mechanisms that ensure effec-
tive authorization strategy for the resources hosted on Cloud.
This paper specifically focuses on authorization issues in
Cloud environment and addresses its concerns and potential
solutions. We have performed an in-depth analysis of various
state-of-the-art access control techniques based on the fea-
tures listed in a NIST report [26]; then we narrowed down
these features based on the authorization requirements of
Cloud. A case study is also presented that validates our anal-
ysis by selecting the most appropriate of the existing autho-
rization techniques based on the access control requirements
of Cloud consumer. Moreover, after conducting a thorough
study on access control mechanisms in Cloud and the related
work that exists within the domain, we come to the conclu-
sion that extant access control solutions are not generic and
do not cover all the required features holistically. Therefore,
there is a need for a meticulous research in order to develop
and design an effective ACaaS, which is an important pillar
of SECaaS model, which allows CSCs and CSPs to securely
manage access to their resources. In this regard, we first iden-
tify the main problems that render the existing models inad-
equate to be used in Cloud. From these challenges, we deter-
mine the features that are imperative for an access control as
a service layer.
ACaaS framework is the generic solution to all the au-
thorization problems in Cloud that have been identified in
Section 4.1 and incorporates all the features that an ideal
Cloud-based access control mechanism should have, that
have been listed in Section 4.2. This framework would be
comprehensive and reliable enough for managing and con-
trolling access to SaaS hosted Cloud applications and their
resources. Since it will be non-specific and will use well-
known standards like XACML, it will eradicate the com-
pliance and interoperability issues, hence, allowing it to be
used by different Cloud-based applications to make their data
accessible only to authorized users. Successful execution of
the proposed ACaaS framework will greatly alleviate access
control issues in Cloud and help assure Cloud consumers
(small to large enterprises) that their information on Cloud is
managed securely.
8) Axiomatics, Axiomatics Cloud scenarios, https://www.axiomatics.com/cloud-scenarios.html
Acknowledgements We are incredibly grateful for the financial assistance provided by National ICT R&D Fund, Ministry of Information and Technology, Pakistan that made this research work possible. Our special thanks are extended to National University of Science & Technology (NUST) and KTH-Applied Information Security (AIS) Lab for their unstinting support of our work and for helping us in publishing this article.
Appendixes
Appendix A: Cloud access control techniques
1) Secure data access in Cloud computing [27]: Sanka et
al. [27] discuss the Cloud authorization challenges together
with a capability based access control technique that ensures
authorized access to outsourced data. The work proposed
in this paper modifies the Diffie-Hellman key exchange protocol
so that it can be used by the Cloud service provider and consumers
for secretly sharing a symmetric key. In addition, a capability
based access control system along with cryptographic tech-
niques has also been proposed for the Cloud platform. The tech-
nique mainly involves three actors: data owner (DO), cloud
service provider (CSP) and user, where CSP is mainly respon-
sible for offering services. A capability list is used to specify
the access rights of users and it consists of user ID (UID), file
ID (FID) and corresponding access policies. Values for access
rights are assigned as: 0 for read, 1 for write, 2 for both read
and write. DO computes the MD5 hash of the data files and encrypts
it with its private key and the public key of CSP. CSP stores
these encrypted data files and capability lists for users but the
contents of the data files are not revealed to it. The Diffie-Hellman
algorithm is used to generate the symmetric keys which are
shared between CSP and user for the purpose of secure com-
munication. A new user first performs registration with DO by
sending UID, FID, nonce, timestamp and the required access
rights. DO sends the capability list, intended encrypted con-
tent and corresponding decryption keys to CSP after the user
verification. CSP updates the capability list accordingly and
also sends a registration confirmation to the newly added user. Af-
ter that, the user directly requests data access from CSP and gets an
encrypted response which is then decrypted to get the session
key and hash value.
2) Secure access mechanism for Cloud Storage [28]: Harnik et al. [28] proposed a capability based access control mechanism to address the access control requirements for Cloud storage. The proposed model offers an efficient delegation mechanism by appending the original capability with a reduced
delegated capability. Identity field is introduced in the ca-
pability that performs user authentication and eliminates the
identification overhead at enforcement point. The proposed
mechanism also offers features like scalability, chains of ser-
vices, user to user access delegation, improved performance,
availability, revocation, interoperability, and pre-resource au-
dit ability.
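The following is an added example, not code from [27] or [28], that models the access-decision part of the two capability schemes above: the rights encoding of [27] (0 = read, 1 = write, 2 = both) checked against the identity field and file ID, and the delegation of [28] in which a reduced capability is appended to the original so that a delegate can never hold more than the delegator. The class and function names are assumptions of this example, and the cryptographic protection of the capabilities (hashing, encryption, Diffie-Hellman) is assumed to happen elsewhere.

```python
"""Capability-list authorization with rights-reducing delegation (added example)."""
from dataclasses import dataclass
from typing import Optional

READ, WRITE, READ_WRITE = 0, 1, 2          # rights encoding used in [27]

# Operations each encoded right permits; READ_WRITE is the union of the two.
_ALLOWED = {READ: {"read"}, WRITE: {"write"}, READ_WRITE: {"read", "write"}}


@dataclass(frozen=True)
class Capability:
    uid: str                                 # identity field: who may present it
    fid: str                                 # file the capability refers to
    rights: int                              # 0, 1 or 2 as in [27]
    parent: Optional["Capability"] = None    # original capability when delegated

    def operations(self) -> set[str]:
        return _ALLOWED[self.rights]


def delegate(cap: Capability, delegate_uid: str, rights: int) -> Capability:
    """Append a reduced capability for `delegate_uid` to `cap` (as in [28]).

    The delegate may receive at most what the delegator holds, so the new
    rights must be a subset of the parent's rights; otherwise refuse.
    """
    if not _ALLOWED[rights] <= cap.operations():
        raise PermissionError("delegated rights exceed delegator's rights")
    return Capability(delegate_uid, cap.fid, rights, parent=cap)


def effective_operations(cap: Capability) -> set[str]:
    """Walk the delegation chain; every link may only narrow the rights."""
    ops = set(cap.operations())
    link = cap.parent
    while link is not None:
        ops &= link.operations()
        link = link.parent
    return ops


def authorize(cap: Capability, presenter_uid: str, fid: str, op: str) -> bool:
    """CSP-side check: identity field and file must match, operation allowed."""
    if cap.uid != presenter_uid or cap.fid != fid:
        return False
    return op in effective_operations(cap)


# Constructed sample: the data owner grants alice read+write on file F1,
# and alice delegates a read-only capability to bob (chain: bob -> alice).
alice_cap = Capability("alice", "F1", READ_WRITE)
bob_cap = delegate(alice_cap, "bob", READ)

if __name__ == "__main__":
    print(authorize(alice_cap, "alice", "F1", "write"))   # True
    print(authorize(bob_cap, "bob", "F1", "read"))        # True
    print(authorize(bob_cap, "bob", "F1", "write"))       # False: reduced rights
    print(authorize(bob_cap, "carol", "F1", "read"))      # False: identity mismatch
```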
3) OpenPMF SCaaS: authorization as a service for Cloud & SOA applications [29]: Lang et al. [29] present the concept of portable security and compliance policy automation for Cloud applications. The proposed system aims to protect Cloud applications and mashups in a seamless manner and, further, to improve and simplify the secure software development lifecycle for Cloud applications. The OpenPMF system comprises two main components: policy automation and technical policy generation. The policy automation aspect includes policy configuration, technical policy generation, application authorization management, and incident reporting. Policy configuration is offered as a pay-per-use Cloud service to various application development tools, while the technical policy generation, enforcement and monitoring module is implanted into Cloud application development and runtime platforms. The paper also discusses a reference implementation called OpenPMF security & compliance as a service (SCaaS), which is based on ObjectSecurity OpenPMF, Intalio BPMS, and Promia Raven.
4) Distributed access control architecture for Cloud computing software [30]: Almutairi et al. [30] have presented a technique for data storage and distributed access control in the Cloud paradigm. It uses an attribute based encryption scheme and a key distribution center that assigns keys to users on the basis of attribute groups. An access policy is assigned to each data owner; it contains the list of attributes and the public keys used to encrypt data against those attributes. A secure SSL channel is used to transfer the data to the Cloud. The Cloud provider delivers encrypted data to users, who decrypt it for their use. Access policies take the form of trees, wherein attributes act as leaf nodes and Boolean functions act as internal nodes. The scheme also provides a user revocation feature, whereby a revoked user is no longer able to use or see the providers' data.
5) API access control in Cloud using the role based access control model [31]: Sirisha et al. [31] proposed secure access control APIs for the Cloud. The technique uses a role based access control model involving two stages: user attribute authentication and then role validation. It assumes that the user has already been authenticated by some reliable authentication mechanism such as a token, smart card or password, and that all of the user's attributes and roles are managed in a database. Once the user is authenticated, his attributes are verified against the database and a specific role is assigned according to those attributes; therefore, the user can only access those services that are allowed for the assigned role. The second stage of access control works the same way: there is a database of permissions corresponding to the different roles. After the roles are identified, the permissions are checked in the database and access is granted or denied accordingly.
6) Access control as a service for public Cloud storage [32]: Yang et al. [32] presented an access control service for public cloud storage, where the authorization decision is subject to the data owner's decision or to PDP and PEP modules. The paper aims to address the problem of flexible access control in service and data outsourcing scenarios in order to protect the sensitive data of owners. To implement the designed service, an attribute-full proxy re-encryption (AF-PRE) scheme is offered as the core component of the proposed solution. The key features of the presented solution include simple key management, the capacity to compose attributes, and the anticipated combination of authorization and encryption with appropriate separation between the two. As a proof of concept, the authors have performed a security analysis of their system. They further claim that their scheme for executing queries on encrypted data can be efficiently integrated with the presented solution.
7) A privacy enhancement system on academic based private Cloud system using Eucalyptus open source Cloud infrastructure [33]: Mon et al. [33] proposed a privacy-aware access control system (ARBAC) that amalgamates features from two main models, i.e., role based access control (RBAC) and attribute based access control (ABAC). The main purpose of the system is to provide secure access to personally identifiable information (PII) in the cloud environment. The system consists of four main actors: data owners, data users, cloud providers and privacy managers. Data owners use virtual machine instances to host their data according to organizational permissions and specify the privacy preferences of the data. Users access the cloud based services and data according to the defined access rights and policies. Cloud providers perform different operations and management tasks on servers according to the rules specified by the data owners. The privacy manager is the essential component of the system, responsible for the specification of privacy policies based on user and data classification levels. In the proposed ARBAC system, a user requests access to data and provides the corresponding subject, resource and environment attributes required for the service. The cloud service provider verifies the given attributes against the defined privacy policy and returns a response of either permit or deny.
8) Provenance-based access control in Cloud environments [40]: Bates et al. [40] state granular access control to be the most challenging and promising security issue for data storage in Cloud computing. Policies governing the migration of data across boundaries and the scattered policies of organizations are identified as the major reasons for this issue. The paper introduces an access control model based on provenance and its use in critical applications. Provenance provides all the information about the different actions and processes applied to specific data and is used to mitigate these access control challenges in the Cloud. The system achieves three main goals: distribution of provenance in a dynamic Cloud environment, assessment of remote data objects, and a provenance based access control model in which provenance is a significant component alongside the basic objects, subjects and rights of access control. The system also includes a provenance database and a policy database in addition to the core PEP and PDP.
9) Fine-grained data access control systems with user accountability in Cloud computing [34]: attribute based encryption (ABE) is proposed in [34] to ensure fine-grained access control and to resolve the issues of user accountability and real-time revocation. There are two kinds of ABE: key policy ABE (KP-ABE) and ciphertext policy ABE (CP-ABE). In KP-ABE, the access policy is bound to the user's private key, which determines the files the user is authorized to access. In CP-ABE, on the other hand, the access policy is defined within the ciphertext; each file and user key carries a different set of attributes, and the relationship is between the user key and the user's attributes. In the proposed model, the data owner performs broadcast encryption on the user group by selecting a random number, and the encrypted data is then uploaded to the Cloud.
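As an added example serving both the access-tree policies of [30] and the KP-ABE/CP-ABE distinction of [34] (this is not code from either paper), the block below evaluates an ABE access structure: leaves are attributes and internal nodes are Boolean gates (a k-of-n threshold gate, of which AND and OR are special cases). It models only the access structure, not the pairing-based key generation and encryption of a real ABE scheme; `can_decrypt` answers whether the attribute set satisfies the policy, which is the condition under which ABE decryption succeeds. The class names, the sample policy and the attribute names are constructed for this example.

```python
"""ABE access-tree evaluation, KP-ABE vs CP-ABE placement of the policy (added example)."""
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class Leaf:
    attribute: str                        # leaf node: a single attribute


@dataclass(frozen=True)
class Gate:
    threshold: int                        # children that must be satisfied (k of n)
    children: tuple["Node", ...]


Node = Union[Leaf, Gate]


def AND(*children: Node) -> Gate:         # all children required
    return Gate(len(children), tuple(children))


def OR(*children: Node) -> Gate:          # any one child suffices
    return Gate(1, tuple(children))


def satisfies(node: Node, attrs: frozenset[str]) -> bool:
    """Evaluate the tree bottom-up against a set of attributes."""
    if isinstance(node, Leaf):
        return node.attribute in attrs
    met = sum(satisfies(child, attrs) for child in node.children)
    return met >= node.threshold


# KP-ABE: the policy lives in the user's private key, attributes label the ciphertext.
@dataclass(frozen=True)
class KPKey:
    policy: Node


@dataclass(frozen=True)
class KPCiphertext:
    attributes: frozenset[str]


# CP-ABE: the policy lives in the ciphertext, attributes label the user's key.
@dataclass(frozen=True)
class CPKey:
    attributes: frozenset[str]


@dataclass(frozen=True)
class CPCiphertext:
    policy: Node


def can_decrypt(key, ciphertext) -> bool:
    """Decryption succeeds exactly when the attribute set satisfies the policy."""
    if isinstance(key, KPKey) and isinstance(ciphertext, KPCiphertext):
        return satisfies(key.policy, ciphertext.attributes)
    if isinstance(key, CPKey) and isinstance(ciphertext, CPCiphertext):
        return satisfies(ciphertext.policy, key.attributes)
    raise TypeError("key and ciphertext belong to different ABE variants")


# Constructed sample policy: (doctor AND cardiology) OR 2-of-{auditor, hospital_A, year_2014}
POLICY = OR(AND(Leaf("doctor"), Leaf("cardiology")),
            Gate(2, (Leaf("auditor"), Leaf("hospital_A"), Leaf("year_2014"))))

if __name__ == "__main__":
    # CP-ABE: ciphertext carries POLICY, users hold attribute keys
    print(can_decrypt(CPKey(frozenset({"doctor", "cardiology"})), CPCiphertext(POLICY)))  # True
    print(can_decrypt(CPKey(frozenset({"doctor"})), CPCiphertext(POLICY)))                # False
    # KP-ABE: the user's key carries POLICY, ciphertexts carry attribute labels
    print(can_decrypt(KPKey(POLICY), KPCiphertext(frozenset({"auditor", "year_2014"}))))  # True
```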
10) Usage control in Cloud systems [35]: Aliaksandr et al. [35] present an advanced authorization framework based on the usage control (UCON) model and the OASIS XACML standard to control the usage of Cloud resources. The framework handles the issue of long lasting accesses by interrupting the ongoing usage of previously assigned resources when the object's access rights are revoked by the owner. A prototype of the framework is implemented and integrated with the OpenNebula toolkit (ONE), which provides access control lists (ACLs) and usage quotas. System performance tests are also carried out on the prototype to validate the effectiveness of the proposed system. The ONE frontend and the authorization service (AS) are hosted in a virtual machine with Ubuntu 10.04 and Java 1.6 support. However, the prototype requires improvements in terms of security and in the management of various other long lasting Cloud resources and services.
11) Achieving secure, scalable, and fine-grained data access control in Cloud computing [36]: hierarchical attribute based encryption, combining hierarchical identity based encryption (HIBE) and ciphertext policy attribute based encryption (CP-ABE), has also been proposed for access control on the Cloud [36]. A hierarchical structure is described with a root master (RM) and domain masters (DM). The RM corresponds to the private key generator, which generates and distributes keys and other important parameters. A DM is like the attribute authority in CP-ABE and HIBE; it handles the delegation of keys to DMs and their distribution to users at the next level. First, a unique identifier is assigned to each DM, and then IDs and attributes are assigned to users. Each user's position is defined by his own ID and the public key of the DM administrating him.
12) Multi-tenancy based access control in cloud [37]: due to multi-tenancy in Cloud computing, separation of duties between CSP and tenant is a main concern. The solution proposed in [37] is a multi-tenancy based access control model (MTACM) for application security in the public Cloud. The main idea of MTACM is to classify the subjects and objects of traditional access control mechanisms into two granule levels: the tenant granule level and the application granule level. The first level is managed or controlled by the CSP to implement the compartmentalization of different tenants, while the second is controlled by tenants to allow authorized access to their applications. The subjects in MTACM access control lists are user based, whereas in most access control mechanisms access control lists are IP based. One benefit of MTACM is its independent behavior, since its deployment does not require modifications to existing applications; all security rules are based on user identifications rather than IP addresses. The prototype suggested for MTACM has four main modules: OpenSSL, identity and authentication, audit, and access control and management. The prototype shows that MTACM is the best solution to provide high performance and compatibility for the application layer of the Cloud.
13) CloudPolice: taking access control out of the network [38]: Lucian et al. [38] proposed a hypervisor-based access control technique, named "CloudPolice", for the Cloud paradigm. Several security policies, such as tenant isolation, inter-tenant communication, fair sharing among tenants, rate limiting tenants and locally initiated connections for intra-Cloud based environments, are identified. Based on these policies, a policy model is defined that uses predicate logic, wherein several rules in the form of "if-then" action conditions separated by comparison operators are used.
14) SaaS access control research based on UCON [39]:
Junli Zhu et al. [39] have highlighted the access control problem faced by Cloud consumers, which is mandatory for protecting users' sensitive information in the SaaS model. Traditional access control models like attribute based, role based or fine-grained access models are not sufficient for protecting the private data of users in the Cloud. The system presents a unified access control model designed to prevent unauthorized and illegitimate access to users' critical data. Trust management and digital rights management are also identified as important security problems faced by today's business world and IT organizations. In this system, the UCON model has been implemented with its two main properties of attribute mutability and continuity, along with its three main components, i.e., authorization, obligations and conditions. A post-obligation model has also been implemented that can guarantee fine-grained and secure access control on customers' private data. The types of authorization mainly include PreA, where authorization is performed before granting any access, and OnA, where authorization is executed during the usage. Similarly, PreB are mandatory requirements that must be satisfied before granting access, and OnB are those requirements that must be satisfied during the execution of the access.
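The following added example (not code from [35] or [39]) models the UCON session logic that both papers rely on: PreA and PreB are checked before access starts, while OnA and OnB are re-evaluated during the usage, so that a change to a mutable attribute, such as the owner revoking the subject's rights or a usage quota being exceeded, interrupts a long lasting access. The policy predicates, attribute names and the session API are assumptions of this example.

```python
"""UCON session with pre/ongoing authorization and obligations (added example)."""
from dataclasses import dataclass, field
from typing import Callable

# A predicate over (subject attributes, object attributes, environment attributes).
Predicate = Callable[[dict, dict, dict], bool]


@dataclass
class UconPolicy:
    pre_auth: list[Predicate] = field(default_factory=list)        # PreA
    pre_obligation: list[Predicate] = field(default_factory=list)  # PreB
    on_auth: list[Predicate] = field(default_factory=list)         # OnA
    on_obligation: list[Predicate] = field(default_factory=list)   # OnB


@dataclass
class UsageSession:
    policy: UconPolicy
    subject: dict
    obj: dict
    env: dict
    active: bool = False
    end_reason: str = ""

    def try_start(self) -> bool:
        """Pre-decision: every PreA and PreB predicate must hold before access."""
        checks = self.policy.pre_auth + self.policy.pre_obligation
        self.active = all(p(self.subject, self.obj, self.env) for p in checks)
        if not self.active:
            self.end_reason = "pre-decision denied"
        return self.active

    def reevaluate(self) -> bool:
        """Continuity of decision: re-run OnA/OnB after an attribute changes
        (attribute mutability); revoke the ongoing usage if any predicate fails."""
        if not self.active:
            return False
        for label, preds in (("OnA", self.policy.on_auth),
                             ("OnB", self.policy.on_obligation)):
            if not all(p(self.subject, self.obj, self.env) for p in preds):
                self.active = False
                self.end_reason = f"{label} violated"
                return False
        return True


# Constructed policy for a Cloud resource with an owner-maintained user list and a quota.
POLICY = UconPolicy(
    pre_auth=[lambda s, o, e: s["id"] in o["allowed_users"]],
    pre_obligation=[lambda s, o, e: s["accepted_terms"]],
    on_auth=[lambda s, o, e: s["id"] in o["allowed_users"]],          # re-checked while active
    on_obligation=[lambda s, o, e: s["cpu_hours_used"] <= s["quota"]],  # usage quota
)


def _new_session() -> UsageSession:
    subject = {"id": "alice", "accepted_terms": True, "cpu_hours_used": 1, "quota": 10}
    obj = {"allowed_users": {"alice", "bob"}}
    return UsageSession(POLICY, subject, obj, {})


def revocation_scenario() -> tuple[bool, bool, str]:
    """Owner revokes alice's right mid-usage: OnA fails and the session ends."""
    session = _new_session()
    started = session.try_start()
    still_ok = session.reevaluate()
    session.obj["allowed_users"].discard("alice")   # mutable object attribute changes
    session.reevaluate()
    return started, still_ok, session.end_reason


def quota_scenario() -> tuple[bool, str]:
    """Usage exceeds the quota mid-session: OnB fails and the session ends."""
    session = _new_session()
    session.try_start()
    session.subject["cpu_hours_used"] = 11           # mutable subject attribute changes
    return session.reevaluate(), session.end_reason


if __name__ == "__main__":
    print(revocation_scenario())   # (True, True, 'OnA violated')
    print(quota_scenario())        # (False, 'OnB violated')
```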
References
1. Abadi D J. Data management in the cloud: limitations and opportunities. IEEE Data Engineering Bulletin, 2009, 32(1): 3–12
2. Rimal B, Choi E, Lumb I. A taxonomy and survey of cloud computing systems. In: Proceedings of the 5th International Joint Conference on INC, IMS and IDC. 2009, 44–51
3. Subashini S, Kavitha V. A survey on security issues in service delivery models of cloud computing. Journal of Network and Computer Applications, 2011, 34(1): 1–11
4. Bisong A, Rahman M. An overview of the security concerns in enterprise cloud computing. International Journal of Network Security & Its Application, 2011, 3(1): 30–45
5. Popovic K, Hocenski Z. Cloud computing security issues and challenges. In: Proceedings of the 33rd International Convention on MIPRO. 2010, 344–349
6. Arasu A, Eguro K, Kaushik R, Ramamurthy R. Querying encrypted data. In: Proceedings of the IEEE 29th International Conference on Data Engineering (ICDE). 2013, 1262–1263
7. Simmonds P, Yeomans A, Dobson I, Arnold J, Secombe A, Johnson P, Tully S, Ramamorthy B, Kumaraswamy S, Mishra R, Lang U, Laundrup J, Wilson Y. Security Guidance for Critical Area of Focus in Cloud Computing v3.0. Cloud Security Alliance (CSA), 2011
8. Lampson B. Dynamic protection structures. In: Proceedings of the AFIPS Conference. 1969, 27–38
9. Elisa Bertino R. Database security-concepts, approaches, and challenges. IEEE Transactions on Dependable and Secure Computing, 2005, 2(1): 1–11
10. M. G. Piattini M, Fernandez-Medina E. Secure databases: state of the art. In: Proceedings of the IEEE 34th Annual International Carnahan Conference on Security Technology. 2000
11. Sandhu R, Coyne J, Feinstein L, Youman E. Role based access control models. Computer Journals and Magazines, 1996, 29(2): 38–47
12. Khan A R. Access control in cloud computing environment. ARPN Journal of Engineering and Applied Science, 2012, 7(5): 613–615
13. Han W, Lei C. A survey on policy languages in network and security management. Computer Networks, 2012, 56(1): 477–489
14. Baskerville R. Information systems security design methods: implications for information systems development. ACM Computing Surveys (CSUR), 1993, 25(4): 375–414
15. McCollum C J, Messing J R, Notargiacomo L. Beyond the pale of MAC and DAC-defining new forms of access control. In: Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy. 1990, 190–200
16. Lovell R. Introduction to Cloud Computing. Think Grid, Business On-demand, 2011
17. Zissis D, Dimitrios L. Addressing cloud computing security issues. Future Generation Computer Systems, 2012, 28(3): 583–593
18. Borras J, Sabo J. Report on International Cloud Symposium. Technical report. 2011
19. Halpert B. Auditing Cloud Computing: A Security and Privacy Guide. John Wiley & Sons, Inc., 1–13
20. IBM. Strategies for Assessing Cloud Security. Technical report. Global Technology Services. 2010
21. The Sarbanes-Oxley Act of 2002: and Current Proposals by Nyse, Amex and Nasdaq. Price Water House Coopers, 2003
22. Centers for Disease Control and Prevention. HIPAA privacy rule and public health. Guidance from CDC and the US Department of Health and Human Services. MMWR: Morbidity and Mortality Weekly Report, 2003, 52 (Suppl. 1): 1–17
23. Pucciarelli C. IT Cloud Decision Economic: 10 Best Practices for Public IT Cloud Decision Economic. Technical report. 2012
24. Masood R, Shibli M A. Comparative analysis of access control systems on cloud. In: Proceedings of the 13th ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel & Distributed Computing (SNPD). 2012, 41–46
25. Jansen W. Directions in Security Metrics Research. DIANE Publishing, 2010
26. Hu V C, Ferraiolo D, Kuhn D R. Assessment of Access Control Systems. US Department of Commerce, National Institute of Standards and Technology, 2006
27. Sanka S, Hota C, Rajarajan M. Secure data access in cloud computing. In: Proceedings of the IEEE 4th International Conference on Internet Multimedia Services Architecture and Application (IMSAA). 2010, 44–51
28. Harnik D, Kolodne E, Ronen S, Satran J, Shulman A, Tal S. Secure access mechanism for cloud storage. Scientific International Journal for Parallel and Distributed Computing, 2011, 12(3): 317–336
29. Lang U. OpenPMF SCaaS: authorization as a service for cloud & SOA applications. In: Proceedings of the IEEE 2nd International Conference on Cloud Computing Technology and Science (CloudCom). 2010, 634–643
30. Almutairi A, Sarfraz M, Basalamah S, Aref W, Ghafoor A. A distributed access control architecture for cloud computing software. IEEE Software Journal, 2012, 29(2): 36–44
31. Sirisha A, Kumari G. API access control in cloud using the role based access control model. In: Proceedings of the Trendz in Information Sciences & Computing (TISC). 2010, 135–137
32. Zhang Y, Chen J L. Access control as a service for public cloud storage. In: Proceedings of the 32nd International Conference on Distributed Computing Systems Workshops (ICDCSW). 2012, 526–536
33. Mon E, Naing T. The privacy-aware access control system using ARBAC in private cloud. In: Proceedings of the 45th Hawaii International Conference on System Sciences. 2011, 44–51
34. Li H, Zhao G, Chen X, Rong D, Li W, Tang L, Tang Y. Fine-grained data access control systems with user accountability in cloud computing. In: Proceedings of the IEEE International Conference on Cloud Computing Technology and Science (CloudCom). 2010, 89–96
35. Lazouski A, Mancini G, Martinelli F, Mori P. Usage control in cloud systems. In: Proceedings of the International Conference on Internet Technology And Secured Transactions. 2012, 202–207
36. Yu S, Wang C, KuiRen WL. Achieving secure, scalable, and fine-grained data access control in cloud computing. In: Proceedings of the IEEE International Conference on Computer Communications. 2010, 1–9
37. Li X, Shi Y, Guo Y, Ma W. Multi-tenancy based access control in cloud. In: Proceedings of the International Conference on Computational Intelligence and Software Engineering (CiSE). 2010, 1–4
38. Popa L, Yu M, Y. Ko S, Ratnasamy S, Stoica I. CloudPolice: taking access control out of the network. In: Proceedings of the 9th ACM SIGCOMM Workshop on Hot Topics in Networks (Hotnets ’10). 2010
39. Zhu J, Wen Q. SaaS access control research based on UCON. In: Proceedings of the 4th International Conference on Digital Home (ICDH). 2012, 331–334
40. Bates A, Mood B, Valafar M, Butler K. Towards secure provenance-based access control in cloud environments. In: Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy. 2013, 277–284
41. Masood R, Shibli M A, Bilal M, et al. Usage control model specification in XACML policy language. In: Proceedings of the Computer Information Systems and Industrial Management. 2012, 68–79
42. Jansen W, Grance T. Guidelines on security and privacy in public cloud computing. NIST Special Publication, 2011, 800: 144
43. Thomas R, Sandhu R. Towards a task-based paradigm for flexible and adaptable access control in distributed applications. In: Proceedings of the 2nd New Security Paradigms Workshop. 1993, 138–142
44. Thomas R, Sandhu R. Conceptual foundations for a model of task based authorizations. In: Proceedings of the IEEE Computer Security Foundations Workshop. 1994, 66–79
45. Priebe T, Dobmeier W, Kamprath N. Supporting attribute based access control with ontologies. In: Proceedings of the 1st International Conference on Availability, Reliability and Security (ARES). 2006, 8
46. Yuan E, Tong J. Attribute based access control, a new access control approach for service oriented architectures (SOA). In: International Conference on Computer Science & Service System (CSSS). 2012, 1405–1408
47. Cooper A, Martin A. Towards an open, trusted digital rights management platform. In: Proceedings of the ACM Workshop on Digital Rights Management. 2006, 79–88
48. Chakraborty S, Ray I. TrustBAC: integrating trust relationships into the RBAC model for access control in open systems. In: Proceedings of the 11th ACM Symposium on Access Control Models and Technologies (SACMAT). 2006, 49–58
49. Kumaraswamy S, Lakshminarayanan S, Stein M R J, Wilson Y. Domain 12: Guidance for Identity & Access Management v2.1. Cloud Security Alliance (CSA). 2010, 10
50. Junos Pulse Access Control Service 4.4 r1 Supported Platforms Document. Technical Report, Juniper Networks. 2013
Rahat Masood completed her MS in computer & communication security from the School of Electrical Engineering and Computer Science, National University of Sciences and Technology (NUST-SEECS), Pakistan. As a research fellow at the KTH-Applied Information Security Lab, she has conducted research in different domains of information security, particularly including the security of unstructured databases and Cloud computing environments. Her research emphasized designing and developing solutions through state of the art technologies to protect data and resources that are outsourced to third party premises. Cloud computing technologies are currently her area of interest, in which she is exploring various security issues at the software and infrastructure layer services. She previously completed her BS with honours in software engineering at the University of Engineering and Technology, Pakistan.
Muhammad Awais Shibli has been an assistant professor at the School of Electrical Engineering and Computer Sciences, National University of Sciences and Technology (NUST-SEECS), Pakistan since 2011. He is presently the director of the KTH-SEECS Applied Information Security Lab, where he oversees research and development that includes solving major information security issues in Cloud environments, databases and mobile agent systems. Dr. Shibli received his MS and PhD degrees in Information Security from Kungliga Tekniska Högskolan, Sweden. He has several publications in international journals and conferences and has acquired large funds for numerous research projects. He also serves on a number of committees and panels, including IEEE, ACM, Springer, ICT and HEC.
Yumna Ghazi graduated from the School of Electrical Engineering and Computer Sciences, National University of Sciences and Technology (NUST-SEECS), Pakistan in 2013 with a BS degree in information and communication systems engineering. For her final project in her senior year, she developed an identity control and access management solution for cloud-based applications. As a student, Yumna has always been open to exploring new ideas, and being a research associate at the KTH-SEECS Applied Information Security Lab gives her the latitude to do so. Her fields of interest include the various domains under the umbrella of cyber security and cloud computing.
Ayesha Kanwal has completed her MS degree in the area of computer and communication security from the School of Electrical Engineering and Computer Sciences, National University of Sciences and Technology (NUST-SEECS), Pakistan. She also holds a BE degree in software engineering. She is currently working as a research assistant in the KTH-SEECS Applied Information Security Lab, in an ICT R&D funded project for Cloud based applications. During her research work, she has published several research articles in prestigious conferences along with impact factor journal papers. Her current research interests include Cloud computing security, design and development of trust evaluation models, cryptography, digital forensics, Cloud virtualization and trust management in Cloud federation.
Arshad Ali is currently working as the principal of the School of Electrical Engineering and Computer Sciences, National University of Sciences and Technology, Pakistan, where he is responsible for managing administrative, academic and research affairs. He received his PhD degree from the University of Pittsburgh, USA in 1992. His research and development concentrate on the fields of grid computing, distributed computing, mobile agents and distributed database systems. Among the various grants that he has received over the years, US-AID, the Nokia Research Center of China and the Korean Research Development Program are a few to mention. In addition, Arshad Ali has published 112 journal and conference papers, has been granted five US and Korean patents and has served as a member of different technical program committees.