
Front. Comput. Sci., 2015, 9(2): 297–321

DOI 10.1007/s11704-014-3160-4

Cloud authorization: exploring techniques and approach towards effective access control framework

Rahat MASOOD, Muhammad Awais SHIBLI, Yumna GHAZI, Ayesha KANWAL, Arshad ALI

School of Electrical Engineering and Computer Science (SEECS), National University of Sciences and Technology (NUST), Islamabad - 44000, Pakistan

© Higher Education Press and Springer-Verlag Berlin Heidelberg 2014

Abstract Despite the various attractive features that Cloud has to offer, the rate of Cloud migration is rather slow, primarily due to the serious security and privacy issues that exist in the paradigm. One of the main problems in this regard is that of authorization in the Cloud environment, which is the focus of our research. In this paper, we present a systematic analysis of the existing authorization solutions in Cloud and evaluate their effectiveness against well-established industrial standards that conform to the unique access control requirements in the domain. Our analysis can benefit organizations by helping them decide the best authorization technique for deployment in Cloud; a case study along with simulation results is also presented to illustrate the procedure of using our qualitative analysis for the selection of an appropriate technique, as per Cloud consumer requirements. From the results of this evaluation, we derive the general shortcomings of the extant access control techniques that are keeping them from providing successful authorization and, therefore, from being widely adopted by the Cloud community. To that end, we enumerate the features an ideal access control mechanism for the Cloud should have, and combine them to suggest the ultimate solution to this major security challenge – access control as a service (ACaaS) for the software as a service (SaaS) layer. We conclude that meticulous research is needed to incorporate the identified authorization features into a generic ACaaS framework that should be adequate for providing a high level of extensibility and security by integrating multiple access control models.

Keywords authorization, access control, software as a service, extensible access control markup language, identity & access management, cloud security

Received May 9, 2013; accepted July 1, 2014

E-mail: [email protected]

1 Introduction

Even with the advancement in technology, efficient storage and manipulation of large volumes of data on servers has become a major challenge for the industry. Adding more servers can decrease and distribute the load on individual servers; however, it increases the complexity of managing the servers and the data. Management of massive amounts of data also produces inaccurate results that might cause server failures, unavailability, security breaches, integrity loss and other undesirable outcomes [1]. A lot of these issues have been alleviated by the emergence of the Cloud paradigm, which supports the processing of voluminous data using clusters of commodity hardware [2]. It allows organizations to leverage their IT services with enhanced agility, availability, scalability and storage capacity, not to mention the opportunity to reduce overall cost in achieving high throughput and tackling large scale computation problems. However, since Cloud is still considered a nascent technology, it has many holes that need to be patched up. Security in Cloud is one such critical problem, and it is the main reason why organizations hesitate to host their applications and store their data on the Cloud.

Unlike traditional computing environments, where data owners and consumers are in the same domain, providing security in the distributed and heterogeneous Cloud paradigm is a daunting challenge. The Cloud offers services to various organizations under the same umbrella, which raises security concerns, including secure data management, risk from malicious insiders, data segregation, misuse of data stored on the third party premises, confidentiality, integrity and availability of personal and business critical information stored on Cloud [3, 4]. Even if Cloud service providers (CSPs) are offering security controls on the consumer data, there are still significant chances of misguided risk management that may cause Cloud service consumers (CSCs) to face unfavourable consequences. These challenges arise because the consumers lack control over Cloud’s security policies and therefore cannot verify the effectiveness of the security controls applied on their data or resources. Hence, security is a hot topic in the Cloud community, which requires further investigation and mitigation of prevailing security challenges to help ensure mass adoption of the paradigm [5, 6].

Of all the major concerns, we are focusing on risks and threats pertaining to access control management on the Software as a Service (SaaS) layer of Cloud computing, since it is a substantial obstacle for CSPs and CSCs [2, 3]. Cloud applications are accessed via the Internet, which dictates the need for strong security controls, particularly reliable and robust processes to grant access only to authorized users. In this regard, access control is considered one of the best options to mediate the users’ access to sensitive data [7]. Access control is an essential security feature that prevents unauthorized users from accessing confidential data and resources. Figure 1 presents a high-level view of access control mechanisms in Cloud.

Fig. 1 Access control in Cloud environment

The origins of access control date back to 1969 [8], where the concept of subjects and objects was introduced. Lattice based access control (LBAC) was initially introduced to control the access to subjects and objects based on security levels for every subject and object. However, LBAC models were not scalable and were restricted to specific scenarios. To overcome such limitations, traditional access control models were proposed, which are broadly classified into discretionary and mandatory access control models. In the discretionary access control (DAC) model, access restrictions are defined by the data owner, while in the mandatory access control (MAC) model, access rules are specified by the system [9, 10]. Sandhu et al. [11] proposed the notion of role-based access control (RBAC) to access the resources of enterprises. Since then, a number of access control models, such as attribute based access control (ABAC) and task based access control (TBAC), have been developed and enhanced for the protection of information systems, and each of these models has defined access restrictions through different criteria. Despite the development of a variety of access control models, there remains room for further research and development in the area.

Access control in Cloud is becoming quite a necessity, given the recent upsurge in the number of Cloud consumers. The traditional access control techniques can be implemented in Cloud environment, since their working mechanisms are generic in nature and could be integrated as an intermediate entity with any type of enterprise application. Yet, one of the major obstacles is the interpretation of the often complex and sometimes ambiguous Cloud environment security policies and their translation into well-defined and unambiguous rules enforceable by a CSP or CSC. Access control techniques must capture all the potential scenarios that might arise in order to ensure optimal protection of sensitive data. When users move their applications to Cloud, traditional access control mechanisms are no longer sufficient because the applications are residing on untrusted networks (de-perimeterization). As Cloud offers services to numerous users, who may be from within organizations or outside them, access levels must be segregated so as to ensure authorized access. The sensitivity level of applications also varies depending upon their operation and data usage; thus, Cloud customers must have the capability to incorporate required access control mechanisms in their applications. Various access control systems have been developed so far; however, most of them are well-suited only for static and centralized computing environments, where the set of service consumers and services are known beforehand [12]. These traditional access models have their limitations in highly distributed and dynamic computing environments, since they neither evaluate the privileges during the usage of a resource nor consider the essential environment attributes [13]. The access rights need to be pre-defined and assigned to subjects before executing any access control request [14, 15]. For a Cloud environment, it is extremely necessary to keep track of “who is using what and how much”; therefore, service delivery models should be extensible enough to incorporate specific policies put forward by the organization. When access control solutions are implemented outside the local boundary of the organization, the management and applicability of these mechanisms become more complex and challenging. Employing the existing enterprise directory services, such as Lightweight Directory Access Protocol (LDAP), in Cloud typically fails to provide adequate access control, since they offer no support for the management of access control from Cloud service consumer endpoints. In addition, some organizations provide manual provisioning and de-provisioning of users and applications in the Cloud, which adds to the administrative burden of IT staff.

Our research motivation and contribution focus on solving the aforementioned problems and holistically determining the authorization requirements of the Cloud environment, specifically the SaaS model. Abstractly, the issues to be covered include access management of resources by data owners, extensibility to formulate policies and rules for each user level, support for delegation of rights, dynamic specification of entities involved in the data sharing etc. In this regard, the focal point of our research work is securely mediating CSCs’ access to sensitive data. We have covered the holistic authorization requirements of the Cloud environment, especially for the SaaS model, and we qualitatively evaluate the extant relevant solutions based on certain NIST-defined factors. A case study of an electronic health record (EHR) system along with simulation results in NetLogo is presented to illustrate the step-by-step procedure of how organizations may use our qualitative analysis and NIST-defined parameters to select an appropriate authorization technique, as per their requirements. Based on our extensive analysis of authorization requirements and Cloud access control mechanisms, we provide a comprehensive access control management strategy on the SaaS layer of Cloud. Our proposed strategy is a leap towards the development of access control as a service (ACaaS) – which stems from its significantly more popular parent, security as a service (SECaaS). Firstly, we have identified the key problems that are hindering the secure management of resources in Cloud. The identification further assists us in finding the corresponding key features that can mitigate the problems for the effective realization of the ACaaS strategy at the SaaS layer of Cloud computing. After thorough research, we come to the conclusion that a holistic ACaaS mechanism needs to be devised, which encompasses all the requisite security and managerial features, provides an efficient and reliable access control to Cloud consumers and complies with international standards. Furthermore, our review will assist the Cloud community in understanding the various challenges associated with providing authorization services in Cloud that may be technical, such as privilege escalation and separation of duties, or managerial, like the steep requirement of time and uniformity.

The rest of the paper is organized as follows: Section 2 presents Cloud challenges that need thorough research and effective solutions. Section 3 discusses the in-depth analysis of existing Cloud access control techniques, followed by a real-world case study in its subsection. Section 4 enumerates the main issues impeding the development of an effective access control mechanism and identifies features needed to overcome these issues. Section 5 presents our future research directions to successfully execute these features in the form of a framework, and Section 6 concludes the paper.

2 Cloud security challenges

Although Cloud has gained a considerable amount of traction in the industry, it has many inherent issues that are yet to be solved satisfactorily and IT experts are proactively working to that effect [16]. As data in Cloud is processed outside the influence of the enterprise, its security is a black hole for the CSCs [17]. To accelerate the trend of Cloud migration, CSCs need unequivocal answers to the following questions: “Is the physical and software infrastructure of CSPs secured? What happens to my data in Cloud? Can all my genuine users get seamless and secure accessibility? Are CSPs compliant with the organization’s regulations? How are organizational requirements, like security, governance and regulatory compliance, addressed in Cloud environment?” Therefore, Cloud services require controls for privileged user access, regulatory compliances, data location, data safety, encryption and segregation, storage, backup and recovery of data [18, 19]. Figure 2 abstractly presents the security concerns on Cloud. Broadly, we can divide Cloud security issues into four categories:

1) Cloud Infrastructure Platform: these involve security problems associated with the networking, storage and security vulnerabilities of physical data centres of Cloud.

2) Data Management: issues ranging from data confidentiality, data integrity and data locality to tracing of data origin and its representation. When organizations shift to the Cloud, their data comes under the control of a third party, which poses many threats to the privacy and security of the data. Users are provided with a high level of abstraction for most of the services; therefore, they have low level control over the shared resources [20].

Fig. 2 Security challenges in cloud

3) Access Management: access management entails security problems of AAA (authentication, authorization, and auditing), managing access control policies and encrypted communication of confidential Cloud data. There can be ambiguities in accessing user’s data in shared infrastructure. We will further discuss access management in the next section.

4) Compliance: this category includes the regulatory issues of Cloud-based activities like auditing, tracing of different operations and their compliance concerns. It caters to major governance problems that need review and participation from the IT managers for a robust, well-defined compliance validation. Regrettably, Cloud services are fraught with “resolved” compliance issues such as Sarbanes-Oxley [21], HIPAA [22] and European privacy laws about allowing data regarding employees to be stored in other systems [23].

Cloud Security Alliance (CSA)1) states that the security of a CSP is characterized by the maturity, effectiveness and completeness of risk-adjusted security controls. These controls need to be implemented on Cloud, ranging from facilities (physical security), to the network infrastructure (network security), to the IT systems (system security), and all the way to the information and applications (application security) [7], as illustrated in Fig. 3. However, deployment of these security controls manifests rigidity for CSCs, as most security controls are at the provider’s side and consumers can only negotiate the contract for security services (particularly for SaaS deployment model). For CSCs (enterprises), it is very necessary to evaluate the potential risks for the Cloud; for example, to map out how the data is transferred between organizations, Cloud services and any customers. Other than the abovementioned issues, advanced security challenges of Cloud computing, like abstraction, lack of execution controls, third party control of data and multi-party processing of data, also need great attention. These challenges need to be properly addressed before deploying the applications on the Cloud.

Fig. 3 Security controls needed in Cloud environment

3 Assessment of access control techniques for Cloud environment

Authorization in Cloud environment demands an effective access control mechanism that can protect Cloud resources and restrict unauthorized access to sensitive data. However, the design and implementation of effective Cloud-based access control techniques are tricky and challenging because they need to cater to the variety of customers belonging to different domains [24]. Various access control techniques have been introduced for assuring access management of data and applications on Cloud. In order to highlight the key challenges that Cloud consumers can face for adequate protection of their data, there is a need to perform a comprehensive analysis of access control techniques.

In this section, we perform a detailed and in-depth critical analysis of existing access control techniques according to the steep demands of Cloud’s various service models. The following subsection explains the criteria we have used to carry out the aforementioned analysis.

1) Cloud Security Alliance, https://Cloudsecurityalliance.org/ (30-March-2013)

3.1 Assessment methodology

The security features of any system are not always quantifiable so as to assign absolute values to them. NIST presents a report [25] on qualitatively evaluating the security aspects of any system through the information security metrics. According to the report, there are a number of security properties that are difficult to measure quantitatively, and their analysis needs to be performed in a subjective manner. NIST also provides well-established security guidelines and procedures for enterprises to securely execute their processes and operations. Among such guidelines, NIST has formulated an assessment criterion for evaluating access control mechanisms [26]. According to this report, operational impacts of access control techniques are significant because they not only affect the administrative aspects and user productivity, but also impinge on an organization’s ability to successfully execute its operations. Therefore, access control systems are required to be evaluated on the basis of these metrics before making them functional and operational in practical scenarios. Incorrect configuration of a single policy could result in undermining of the organization’s security posture.

We employ a “qualitative” approach for our research that will assist us in finding a reliable access control technique out of the existing techniques that best fits the authorization requirements of applications hosted on the SaaS layer of Cloud. To execute our analysis, we have thoroughly appraised all the access control quality metrics defined by NIST in [26], and we have filtered the parameters most relevant to the goal of our research. Mainly these features include separation of duty, (ease of) privilege assignment, least privilege, policy conflicts, configuration flexibility, policy repository and retrieval, policy distribution and horizontal scope. In addition to that, we also base our analysis on the specific properties offered explicitly by any access control technique. We finally evaluate the techniques on whether or not they possess certain features, and mark them High or Low accordingly. High level indicates that the system offers complete support to a feature and fulfils all the requirements stated against that particular feature. Low level indicates that the system under consideration lacks support to the feature in question.

3.2 Analysis of extant access control techniques

In this section, we perform an analysis of the existing access control techniques, based on the above mentioned parameters, in order to find out which of them would be better suited for the Cloud environment. We have mentioned only 14 of all the Cloud access control techniques, but the analysis is practical for any technique that provides authorization for Cloud environments. The detail of each technique is discussed in the Appendix A2); reading the appendix will help the reader to better understand the techniques. Table 1 lists all the access control mechanisms that we have analysed, along with their main technical features.

• Secure data access in Cloud computing [27]

Sanka et al. discuss the open problem challenges together with the capability based access control technique that ensures that only valid users access the outsourced data. This technique allows least privilege by assigning access rights to the basic unit of data file. Duties are clearly defined for Cloud consumers with the specification of access rights in the capability access list. Users can only perform the functions specified by data owners in their corresponding list, following the separation of duty. Policy conflicts are not managed in this proposed system. The capability list contains the static entities of users and their corresponding allowable objects, which are not well-suited for dynamic environments like Cloud. It does not consider the various factors necessary for formulating an accurate access decision, which is the major requirement for distributed environments, and this limits its configuration flexibility. Double encryption is used in the proposed technique to provide strong cryptographic strength, through which key management, configuration and their distribution to a large number of consumers become a large performance overhead. It will make the system inflexible to be adopted in different computing platforms and environments, thus limiting its scope. The access control policies for private Cloud are stored at the local databases of data providers and the users’ logs, whereas privacy preference specifications are managed at the data owner’s end, therefore offering local as well as federated policy repository and retrieval feature. The system specifies policy by defining permissions in the capability list with user id and file id that will somehow simplify the policy creation process, therefore introducing the ease of privilege assignments feature.
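The capability list described above, modelled as an added Python example (not code from the paper or from Sanka et al.). The class name, the user and file ids, and the deny-on-disagreement rule for duplicate entries are assumptions; it shows per-file least privilege, default deny, a request context that the decision ignores, and a check that surfaces conflicting entries.

```python
from collections import defaultdict


class CapabilityList:
    """Constructed model: each entry pairs a user id and a file id with the
    access rights the data owner granted (names are hypothetical)."""

    def __init__(self):
        # (user_id, file_id, frozenset(rights)) in the order they were issued
        self._entries = []

    def grant(self, user_id, file_id, rights):
        """Data owner records a capability for one user on one file."""
        self._entries.append((user_id, file_id, frozenset(rights)))

    def _rights_for(self, user_id, file_id):
        return [r for u, f, r in self._entries if u == user_id and f == file_id]

    def is_allowed(self, user_id, file_id, right, context=None):
        """Default deny. `context` (time, network, device) is accepted but
        never consulted: the list is static, which is the limitation the
        paragraph points out for dynamic environments."""
        granted = self._rights_for(user_id, file_id)
        if not granted:
            return False
        # Assumption of this example: when several entries exist for the same
        # pair, only rights present in every entry count (deny on disagreement).
        effective = frozenset.intersection(*granted)
        return right in effective

    def conflicts(self):
        """Return the (user, file) pairs that carry more than one distinct
        rights set, so an administrator can resolve them explicitly."""
        seen = defaultdict(set)
        for u, f, r in self._entries:
            seen[(u, f)].add(r)
        return {
            pair: sorted(sorted(r) for r in sets)
            for pair, sets in seen.items()
            if len(sets) > 1
        }


def build_sample():
    """Constructed sample data; ids and file names are made up."""
    acl = CapabilityList()
    acl.grant("u1001", "f-lab-results", {"read"})
    acl.grant("u1002", "f-lab-results", {"read", "write"})
    acl.grant("u1001", "f-billing", {"read", "write"})
    # A second, contradictory entry for the same user and file.
    acl.grant("u1001", "f-billing", {"read"})
    return acl


if __name__ == "__main__":
    acl = build_sample()
    print("u1001 read  f-lab-results:", acl.is_allowed("u1001", "f-lab-results", "read"))
    print("u1001 write f-lab-results:", acl.is_allowed("u1001", "f-lab-results", "write"))
    print("u1003 read  f-lab-results:", acl.is_allowed("u1003", "f-lab-results", "read"))
    print("u1001 write f-billing    :", acl.is_allowed("u1001", "f-billing", "write"))
    print("conflicting entries      :", acl.conflicts())
```

Running the conflict check whenever the list changes gives the owner a review queue for contradictory grants, which the decision function alone cannot provide.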

• Secure access mechanism for Cloud storage [28]

Harnik et al. [28] also propose a capability based access control mechanism to address the access control requirements for Cloud storage. This technique propagates user access rights by incorporating the chain of services mechanism. The chain of services mechanism ensures the least privilege

2) Due to space limitations, we could not cover techniques in this section of paper. Please refer to Appendix A for detailed discussion on these techniques.

Table 1 Access control techniques and their technical features

Cloud access control techniques Salient features

Secure data access in Cloud computing [27] • Capability lists determine who uses what• Modified Diffie-Hellman exchange protocol to share asymmetric keys between CSPs and CSCs.• Capability based access control• Uses encryption and MD5 hash to secure data files

Secure access mechanism for Cloud storage[28]

• Capability based access control• Extensive delegation mechanism that appends original capability with reduced delegated capability• User ID in the capability reduces authentication overhead• User to user access delegation, availability, revocation, interoperability, and pre-resource audit ability

OpenPMF SCaaS: authorization as a servicefor Cloud & SOA applications [29]

• Compliance and automation of security policies• Automation of policy generation, configuration, enforcement and incident reporting• Compliance as a service• Asynchronous policy updates

Distributed access control architecture forCloud computing software [30]

• Role-based access control (RBAC)• Targets the distributed architecture of Cloud• Secure SSL channel was used to transfer the data on Cloud• Encryption/decryption of data to be performed at client side resulting in extra processing• User revocation is also provided

API access control in Cloud using the rolebased access control model [31]

• Role-based access control model• Roles are defined in a static manner and cannot be modified dynamically• Two-staged authorization: user attributes for authentication and then role validation• Maintains database of permissions corresponding to different roles

Access control as a service for public Cloud storage [32]
• Attribute-full proxy re-encryption (AF-PRE)
• Simple key management
• Capacity to compose the attributes along with the anticipated combination of authorization and encryption with appropriate separation.
• Efficient in executing queries on encrypted data

A privacy enhancement system on academic-based private Cloud system using Eucalyptus open source Cloud infrastructure [33]
• Combines the best features of RBAC and ARBAC model
• Core objective is to restrict unauthorized access to the personal identification information (PII)
• User and data classification levels are defined according to which privacy preferences and access policies are formulated
• Access requests include Subject, Resource and Environment attributes

Provenance-based access control in Cloud environments [32]
• Provenance-based access control
• Distribution of provenance in dynamic Cloud environment and assessment of remote data objects
• Access control is provided at scope level
• Access constraints include provenance other than objects, subjects and rights
• Additional provenance database and policy database modules other than the core policy enforcement point (PEP) and policy decision point (PDP)

Fine-grained data access control systems with user accountability in Cloud computing [34]
• Fine-grained access control through attribute based encryption (ABE)
• Access policies are given using either private key or cipher text, where the former specifies files that a user is able to access and in the latter, each file and user key has different attributes.
• Resolved two main issues i.e., user accountability and efficient user revocation
• Broadcast encryption is performed by data owner on user group

Usage control in Cloud systems [35]
• Usage control (UCON) model using the OASIS XACML standard
• Handles ongoing usage of previously assigned resources and supports access revocation
• Implemented and integrated with the OpenNebula toolkit (ONE) that provides access control lists (ACLs) and usage quotas

Achieving secure, scalable, and fine-grained data access control in Cloud computing [36]
• Hierarchical attribute based encryption (combining hierarchical identity based encryption (HIBE) and cipher text policy based attribute based encryption (CP-ABE))
• Hierarchical structure has been given in which there are root master (RM) and domain masters (DM), where RM corresponds to private key generator and DM handles delegation of keys
• Unique identifier has been assigned to each DM and attribute, ID and attributes have been assigned to users
• Each user’s position has been defined by his own ID and public key of DM administrating him


Multi-tenancy based access control in Cloud [37]
• Mandatory access control and discretionary access control models
• Security rules are based on user identifications, rather than IP addresses
• Five security modules: OpenSSL, identity and authentication module, audit module, access control and management module
• Classifies the subjects and objects in traditional access control mechanisms into two granule levels: tenant granule level, managed by CSP to compartmentalize tenants, and application granule level, controlled by tenants to control access to their applications.

CloudPolice: taking access control out of the network [38]
• Targets infrastructure as a service (IaaS)
• Transfer of control messages and notification of policy updates for large number of VMs may result in network performance degradation.
• Several security policies, such as tenant isolation, inter-tenant communication, fair sharing among tenants, etc. are identified. Based on these policies a policy model is defined that uses predicate logic (if-then)
• Furthermore, transfer of control messages and notification of policy updates for large number of VMs result in network performance degradation.
• Each VM requires security group declaration and management

SaaS access control research based on UCON [39]
• UCON post-obligation model
• Attributes mutability and continuity of attributes
• Authorization and Obligations are the major components of the model.
• Types of authorization mainly include PreA, OnA, PreB and OnB.

principle by assigning the end-client access token only to required users, according to their capabilities. Once a user is authenticated, the client is directed towards the authorization component that generates a token having the capability of the user, thus ensuring the separation of duty principle in the technique. However, the technique does not incorporate any mechanism for resolving the policy conflicts. The access control manager of the proposed design is flexible enough to implement a diverse range of access control models that can include capability-based, attribute-based or role-based, allowing compatibility with any of the underlying platforms and environments, thus escalating the horizontal scope. The data centres in the proposed technique are highly coupled with the storage layer and replication manager; therefore, adding any new module or deploying the existing solution in a new scenario introduces complex interoperability issues, making the configuration flexibility low. The Identity Manager and Access Manager use their separate databases for storage of policies and user’s capabilities related data, thus offering local policy repository and retrieval. The Replica Manager updates the entire user’s capabilities information across distributed datacentres; however, the large number of replicas makes the update process complex and the privilege assignment more difficult.

• OpenPMF SCaaS: authorization as a service for Cloud & SOA applications [29]

Lang et al. [29] present the concept of portable security and compliance policy automation for Cloud applications. The paper also discusses a reference implementation called OpenPMF security & compliance as a service (SCaaS) which is based on ObjectSecurity OpenPMF, Intalio BPMS, and Promia Raven. SCaaS enforces the security policies to ensure that only authorized users may invoke secure Cloud services and applications following the least privilege principle. The SCaaS policy feed services are used by multiple Cloud tenants to avoid the policy conflicts that may arise due to the generation of multiple conflicting technical policy rules for shared resources; the proposed scheme makes use of model driven security (MDS) concepts. The process of policy update is asynchronous and is performed at application start-up or whenever security rules change (without the need to restart the protected end-system). This greatly enhances performance and robustness and ensures the configuration flexibility principle. Policies are either generated within Cloud using hosted MDS and PaaS development tools, or are uploaded from local MDS and development tools, thus offering a local repository for policy storage and retrieval. Furthermore, the separation of duty principle is ensured through the policy modeling module that divides the tasks among various modules to guarantee the security and compliance requirements. SCaaS is developed to support the diverse Cloud environment where MDS is installed across multiple development tools (e.g., Eclipse, Intalio BPMS) and aims to protect the applications on various runtime application platforms (e.g., various web application servers, JavaEE, DDS, CORBA/CCM) and hence supports horizontal scope. In OpenPMF, the OpenPMF runtime policy repository is responsible for the distribution of policy to the various OpenPMF policy decision/enforcement points (PDP/PEPs) on each protected application runtime platform. However, the presented SCaaS does not specify any mechanism for ensuring the ease of privilege assignment feature.

• Distributed access control architecture for Cloud computing software [30]

Almutairi et al. present a technique for data storage and distributed access control in the Cloud paradigm [30]. The proposed architecture uses the RBAC model, where the least privilege principle is ensured by limiting user access privileges according to the assigned roles. Considering the collaborative nature of Cloud, the authors offer a specification for semantic and contextual constraints to ensure adequate protection of services and resources, thus providing adherence to the configuration flexibility principle as well. This technique offers clear separation between the specification of semantic constraints (such as separation of duty) and contextual constraints (such as temporal or environmental constraints included in an access request), to ensure the security of Cloud services and resources, especially for mobile services. The design of the proposed architecture is generic enough to support other access control policies (such as DAC and MAC), increasing the horizontal scope of the system. The distributed access control architecture includes support for both federated and loosely coupled collaboration models, which enhances the policy storage and retrieval capabilities of the system. The access control module (ACM) is composed of PDP, PEP and policy repository and deals with the distribution of policy at various layers. In order to avoid and resolve the policy conflicts in Cloud, some verification models and tools are required; however, the authors mention it as their future work. In the same way, the authors do not specify any mechanism for ensuring the ease of privilege assignments feature.

• API access control in Cloud using the role based access control model [31]

Sirisha et al. [31] proposed a secure access control API for Cloud using the RBAC model. The management for assigning and revoking the roles and permissions is simple, thus providing the ease of privilege assignments feature. The role-based and attribute-based access control mechanisms are implemented at API level, where the management of attributes (e.g., subjects, roles and resources) requires little modification to deploy in different scenarios, which escalates the configuration flexibility. The attribute-validation and role-validation modules use an underlying local database, hence supporting the policy distribution and retrieval features. There is no support for the policy conflicts and least privilege features in the proposed API access control in Cloud. The role and attribute based access control models are implemented at the application layer through which the Cloud consumers can access the Cloud services. This API level access control is platform independent and can be incorporated in any environment, which escalates the horizontal scope. The assignment, revocation and management of roles are performed by the “role validation mechanism” module. Similarly, the assignment and revocation of objects and their attributes are performed by the “attribute validation mechanism” module, due to which the proposed technique supports the separation of duty.

• Access control as a service for public Cloud storage [32]

Zhang et al. [32] present an access control service for public Cloud storage, where authorization decisions depend on the data owner’s decision or policy decision point (PDP) module. In order to implement the designed service, an attribute-full proxy re-encryption (AF-PRE) scheme is offered as a core component of the proposed solution, where access control expressions are often generated from attributes that advance to establish a privilege-value. This value is then sent to the PDP delegation module to assist the decision making process and ensures the least privilege principle. The AF-PRE scheme ensures the confidentiality of data contents and provides certain mechanisms to prevent policy conflicts. The proposed scheme offers a clear separation of policy and mechanism such as attribute-based-encryption for outsourced situations, thus offering support to configuration flexibility. The access control service for public Cloud storage is under the control of the data owner, and the PDP and policy enforcement point (PEP) can be securely delegated, thus offering local as well as federated policy repository and retrieval feature. In addition, the authors highlight separation of duty as the most significant feature of their scheme that offers support to separation-methodology in Cloud scenarios. Horizontal scope is another critical feature that this scheme offers via its attribute-full proxy re-encryption mode; access control policies are publicized by re-encryption keys and privilege values, and are generated independently from the encryption operation. Authorization update is the dedicated module that handles the change in privileges and ensures the ease of privilege assignments. Policy distribution is offered through the policy translator module that computes a new privilege value, updates its PriV-table and sends it to the PDP delegation module that performs the replacing operation.

• A privacy enhancement system on academic based private Cloud system using Eucalyptus open source Cloud infrastructure [33]

ARBAC [33] has been proposed that combines the best features of attribute based access control (ABAC) and role based access control (RBAC) models. Since ARBAC is the composition of RBAC and ABAC, least privilege is supported by granting permissions according to specified attributes and role parameters in policy. Management of attributes (subject, resource and environment) in different scenarios requires detailed configuration modifications, resulting in low configuration flexibility. Access control policies are stored and retrieved from a local repository and, prior to enforcement, these policies are evaluated against the attributes defined for subject, resource, environment and user roles, which improves the system reliability. Separation of duty is achieved in a way that each subject and resource is associated with particular attributes based on which job functions and access rights are defined. User and data classification levels are defined according to which privacy preferences, access policies and privileges are formulated. Hence, it offers support to the ease of privilege assignment principle. Incorporation of an additional parameter like environment attributes (that can manage the system related properties and characteristics) helps in increasing the horizontal scope of the system across different platforms and applications. However, the paper does not specify any mechanism for the distribution of generated policies. Similarly, a procedure for avoiding policy conflicts, which may occur due to the difference in access decision of multiple policies, is not mentioned in the proposed ARBAC system.

• Provenance-based access control in Cloud environments [40]

Bates et al. [40] propose an access control model based on provenance, which provides all the information about different actions and processes taken on specific data. The proposed access control mechanism supports least privilege where the consumers are permitted to use only those data objects that are mandatory to perform certain actions in accordance with their data provenance policies. However, there is no specific procedure defined for assuring the separation of duty principle, which is necessary to limit the access of subjects for alleviating security breaches. If some conflicts appear between two or more policies, the provenance records in the provenance database are used to immediately revoke the subject’s privileges on that data object, hence providing support for the policy conflict feature. The access control policies are not integrated into the operating system; however, transferring from one policy to another is not an easy task even at the API level due to the large number of provenance records associated with each single data object. Therefore, the configuration flexibility is lower in this provenance-based access control model. The provenance database is responsible for storage of provenance information and the policy database manages the storage of security policies, thus incorporating the policy repository and retrieval feature locally. The core components of the Cloud provenance authority, which mainly include the PEP, PDP, provenance database, and policy database, can easily be deployed in any environment independent of underlying infrastructure, therefore supporting high horizontal scope. However, the presented provenance based system does not specify any mechanism for ensuring the ease of privilege assignment feature.

• Fine-grained data access control systems with user accountability in Cloud computing [34]

For providing fine-grained access control in Cloud, attribute based encryption (ABE) [34] resolved two main issues, i.e., user accountability and efficient user revocation. The proposed scheme can protect against external attackers (revoked users, Cloud servers and users whose attributes do not match with policy) and internal attackers, as they cannot change their IDs embedded in the private key attribute. In this system, the least privilege principle is followed by defining an access structure for each user. If the user access structure matches with the requested file attributes, then access is granted to data hosted on Cloud. Separation of duty is followed in a way that jobs are defined for all the system entities: data owner, Cloud provider, consumer and third party auditor. The Cloud provider keeps the encrypted data files and users can access these files if their access structure is matched with the file attributes specified by the data owner. Access control policies are generated and stored in a local policy repository for quick retrieval; furthermore, each policy is associated with a user rather than with each file to be accessed. The policy specification module of this system requires defining an access structure for each user, which may introduce large overhead in terms of mathematical operations and algorithms, and thus does not provide ease of privilege assignment. Policy conflicts, which may occur due to differences between decisions of two or more access control policies, are not managed by this system. In addition, these systems require a great amount of time to execute the mathematical operations and algorithms along with minimal support for different execution environments, therefore failing to deliver horizontal scope. The system is not flexible enough because it requires the management of complex operations, which decreases its applicability in different environments and results in low configuration flexibility. Similarly, the proposed system does not include mechanisms for policy distribution.

• Usage control in Cloud systems [35]

Aliaksandr et al. [35] present an advanced authorization framework based on the usage control (UCON) model [41] and the OASIS XACML standard to control the usage of Cloud resources. It addresses the issue of unauthorized ongoing accesses by interrupting the accesses that are in progress when the corresponding access rights do not hold any more. In addition, the designed access control service (ACS) continuously checks for the policy enforcement, therefore guaranteeing the least privilege principle. If there is some conflict between the policies or if the decision process recognizes a policy violation, resources are immediately released and access rights are revoked, offering support to the policy conflict feature. The prototype of the authorization system is developed and the API is then integrated with OpenNebula, thus ensuring configuration flexibility. The proposed scheme provides a graphical user interface and ACS for the retrieval of user attributes required for the UCON authorization system. The policy information point (PIP) contacts attribute managers (AMs) to acquire the required attributes that are stored in its local repository. The system offers horizontal scope through its AS module that may execute on other machines instead of the one that is enforcing the access control decision. The AM module is responsible for the handling of the policy distribution among various components of the access control services. However, this framework does not specify any mechanism to ensure separation of duty. Similarly, ease of privilege assignment is also not incorporated in the design and architecture of the presented framework.

• Achieving secure, scalable, and fine-grained data access control in Cloud computing [36]

Hierarchical attribute based encryption (combining hierarchical identity based encryption (HIBE) and cipher text policy based attribute based encryption (CP-ABE)) on Cloud has also been proposed for access control [36]. The system follows the least privilege principle with the help of the access structure assigned to users. This access structure defines the set of access rights corresponding to each data file. Separation of duty is satisfied in such a way that job functions are assigned for each system entity and the system does not allow them to execute tasks that are not permissible for them. Complexity and overhead for policy specification increase with the number of attributes and steps required to execute mathematical operations. Inclusion of a new feature within the system requires tedious tasks which introduce performance overhead and significantly decrease the ease of privilege assignment. The scope of the proposed system is limited to specific application environments due to the operational complexity of its mathematical functions, thus offering no support to horizontal scope. For efficient user revocation, a two-step algorithm is proposed to update keys for the remaining users. However, addition of any other property for access control introduces a large number of processes and operations which involve complex interoperability issues, making the overall system’s configuration flexibility low. There is no mechanism available in the system to handle policy conflicts for access decision between two or more policies. In addition, the access control components such as policy administrator point (PAP), PDP and PEP for policy distribution are not specified in their design and architecture.

• Multi-tenancy based access control in Cloud [37]

Due to multi-tenancy in Cloud computing, duty separation between CSP and tenant is a main concern. The solution proposed in [37] is a multi-tenancy based access control model (MTACM) for application security in public Cloud. In MTACM, the separation of duty between CSP and consumers is supported by classifying the subjects and objects into two granular levels, as described in Table 1. The five core modules (OpenSSL module, identification and authentication module, audit module, access control module and management module) adhere to the platform dependency as all of these are implemented on the Nginx module, hence limiting the scope of the MTACM. The overhead of adding, creating and removing the object rules, subject rules and security policies is distributed between the Cloud providers and Cloud consumers, thus providing the ease of privilege assignments feature and improving the performance of the MTACM system. However, the MTACM system does not mention any procedure to avoid the policy conflicts that may arise because of the access decisions of multiple rules. The discretionary access control and mandatory access control mechanisms are implemented at the API level; however, the dependency of the access control module on top of Nginx requires complex modifications for different environments, therefore reducing the configuration flexibility.

• CloudPolice: taking access control out of the network [38]

Lucian et al. [38] proposed a hypervisor-based access control technique named “CloudPolice” for the Cloud paradigm. This technique provides flexibility, scalability and network independency since it is proposed at the infrastructure level. However, implementation of security policies at infrastructure level makes practical adaptation of this scheme difficult. Hypervisors are responsible for managing several VMs at a time, and sending/receiving of control messages will be an extra overhead with respect to workload on the hypervisor. Furthermore, transfer of control messages and notification of policy updates for a large number of VMs result in network performance degradation. The proposed hypervisor-based access control technique offers configuration flexibility for supporting policies in multi-tenant environments, network-independence to decouple access control from the network, and scalability to handle hundreds of thousands of servers and users. In the proposed distributed solution, policy repository and retrieval is handled in a distributed way where hypervisors are required to be aware of the policies of their hosted VMs only and not the policies of any other group, or the group membership. This technique does not require a policy management service from the Cloud provider but requires an additional API in both the hypervisor and the VMs. Use of the API ensures the horizontal scope of the proposed system. In CloudPolice, the Cloud provider is responsible for the distribution of the group policy to the hypervisor at the VM initialization and updates it at all the group members when the policy changes. The authors of the proposed technique do not explicitly talk about any system module that would resolve potential policy conflicts. Moreover, this framework does not specify any mechanism to ensure separation of duties. Similarly, ease of privilege assignment is also not incorporated in the design and architecture of CloudPolice. The principle of least privilege is also of great importance; however, it is not included in the proposed technique.

• SaaS Access Control Research Based on UCON [39]

Junli Zhu et al. [39] present a unified access control model which is designed for protecting Cloud users’ critical data from unauthorized and illegitimate access, using the UCON post-obligation model. In the proposed UCON model the PreA, PreB, PostB and OnB are managed and maintained separately by distributed modules and policy enforcement points, due to which the model provides the separation of duty feature. The UCON PreA, PreB, PostB and OnB model checks for the user privileges and makes an authorization decision before and during the usage of a specific resource. During the use of that resource, the model facilitates the continuous checking of required obligations as well as encounter policies for the user privileges, thus supporting the least privilege feature. The proposed access control model is platform independent and can be implemented for a wide range of SaaS applications in Cloud, therefore supporting the horizontal scope. In order to alter the defined privileges of a user, all the associated PreA, PreB, PostB and OnB policies need to be modified, which affects the speed and performance of the access control model, hence making the process of privileges assignment more difficult. However, the model does not support any mechanism for policy distribution or policy repository and retrieval. Similarly, there is no procedure that can make authorization decisions when there is any conflict between two or more rules; thus it lacks a solution for policy conflicts. The model is implemented for any SaaS layer application and supports configuration flexibility.
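The usage control behaviour summarized in this entry and in the “Usage control in Cloud systems [35]” entry (a decision made before access, re-checked while access is in progress, and revoked with the resource released when rights no longer hold) can be shown in a few lines. The following Python is an added example, not code from either paper; the class names, the `vm-1` resource with one usage slot, the `suspended` attribute and the acknowledgement interval are assumptions, and PreA/OnA/OnB are used in the usual UCON sense of pre-authorization, ongoing authorization and ongoing obligation.

```python
"""UCON-style usage monitor: pre-authorization (PreA), ongoing authorization (OnA)
and an ongoing obligation (OnB). All names, attributes and policies are constructed."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

Attrs = Dict[str, Any]
Predicate = Callable[[Attrs, Attrs], bool]   # (subject attrs, resource attrs) -> bool


@dataclass
class Policy:
    pre_auth: List[Predicate]   # PreA: checked once, before access starts
    on_auth: List[Predicate]    # OnA: must keep holding while access is in progress
    ack_interval: int           # OnB: subject must re-acknowledge within this many ticks


@dataclass
class Session:
    subject: str
    resource: str
    state: str = "requested"    # -> accessing | denied | revoked
    last_ack: int = 0
    reason: str = ""


class UsageMonitor:
    """Decision point that keeps evaluating a session after access is granted."""
    def __init__(self, policy: Policy, subjects: Dict[str, Attrs], resources: Dict[str, Attrs]):
        self.policy, self.subjects, self.resources = policy, subjects, resources
        self.clock = 0
        self.sessions: List[Session] = []
        self.audit: List[Tuple[int, str, str, str]] = []   # (tick, subject, event, reason)

    def try_access(self, subject: str, resource: str) -> Session:
        s = Session(subject, resource, last_ack=self.clock)
        subj, res = self.subjects[subject], self.resources[resource]
        if all(p(subj, res) for p in self.policy.pre_auth):
            s.state = "accessing"
            res["active_sessions"] += 1    # attribute mutability: usage updates the resource
            self._log(s, "granted", "pre-authorization passed")
        else:
            s.state, s.reason = "denied", "pre-authorization failed"
            self._log(s, "denied", s.reason)
        self.sessions.append(s)
        return s

    def update_attribute(self, subject: str, name: str, value: Any) -> None:
        self.subjects[subject][name] = value   # attribute changed: re-check live sessions
        self._reevaluate()

    def acknowledge(self, s: Session) -> None:
        s.last_ack = self.clock            # ongoing obligation fulfilled for now

    def tick(self, n: int = 1) -> None:
        self.clock += n
        self._reevaluate()

    def _reevaluate(self) -> None:
        for s in self.sessions:
            if s.state != "accessing":
                continue
            subj, res = self.subjects[s.subject], self.resources[s.resource]
            if not all(p(subj, res) for p in self.policy.on_auth):
                self._revoke(s, "ongoing authorization no longer holds")
            elif self.clock - s.last_ack > self.policy.ack_interval:
                self._revoke(s, "ongoing obligation not fulfilled")

    def _revoke(self, s: Session, reason: str) -> None:
        s.state, s.reason = "revoked", reason
        self.resources[s.resource]["active_sessions"] -= 1   # release the resource
        self._log(s, "revoked", reason)

    def _log(self, s: Session, event: str, reason: str) -> None:
        self.audit.append((self.clock, s.subject, event, reason))


def demo() -> Dict[str, Any]:
    # Constructed sample data: three users and one VM with a single usage slot.
    subjects = {"alice": {"role": "operator", "suspended": False},
                "bob": {"role": "guest", "suspended": False},
                "carol": {"role": "operator", "suspended": False}}
    resources = {"vm-1": {"active_sessions": 0, "max_sessions": 1}}
    entitled: Predicate = lambda s, r: s["role"] == "operator" and not s["suspended"]
    policy = Policy(pre_auth=[entitled, lambda s, r: r["active_sessions"] < r["max_sessions"]],
                    on_auth=[entitled], ack_interval=3)
    m = UsageMonitor(policy, subjects, resources)
    bob = m.try_access("bob", "vm-1")        # denied: wrong role
    alice = m.try_access("alice", "vm-1")    # granted, takes the only slot
    early = m.try_access("carol", "vm-1")    # denied: slot in use
    m.tick(2)
    m.acknowledge(alice)
    m.tick(2)                                # obligation kept, access continues
    mid_state = alice.state
    m.update_attribute("alice", "suspended", True)   # right withdrawn mid-session
    carol = m.try_access("carol", "vm-1")    # slot was released, so granted
    m.tick(4)                                # carol never acknowledges
    return {"bob": bob.state, "early": early.state, "alice_mid": mid_state,
            "alice": (alice.state, alice.reason), "carol": (carol.state, carol.reason),
            "slots_in_use": resources["vm-1"]["active_sessions"], "audit": m.audit}
```

The audit list returned by `demo()` records each grant, denial and revocation with the tick at which it happened, which is the trail a reviewer would check to confirm that a revoked session also released its slot.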

3.3 Analysis discussion

All the aforementioned Cloud based access control techniques have been evaluated against the selected NIST-defined metrics and the summary of our qualitative analysis is presented in Table 2. Our analysis reveals that none of the access control techniques covers all the essential features; moreover, most lack compliance to international standards, hence raising interoperability issues. In addition, existing mechanisms are applicable only to a small number of applications and are static in the sense that authorization systems cannot update themselves according to changes in application security requirements; rigorous manual configurations are required to define and maintain access control policies. To sum up, the existing access control mechanisms, while promising, fall short on certain requirements and still need improvement so as to be able to provide complete access control in an environment as dynamic as Cloud. Our research findings from this analysis serve as groundwork for the effective implementation and deployment of a comprehensive access control management strategy, ACaaS, for the applications hosted on the SaaS layer of Cloud.

The study carried out in this paper will also help Cloud consumers (organizations) in selecting a suitable authorization technique that fulfills their security requirements. As mentioned earlier, we have investigated each technique to reveal its pros and cons based on NIST-defined factors. However, our assessment is not based on absolute ranking because the suitability and appropriateness of any technique depends on the environment, circumstances and the security requirements of the Cloud consumer. For example, if “policy conflict avoiding algorithm” and “configuration flexibility” are crucial parameters for the consumer, then the authorization technique “OpenPMF SCaaS: Authz aaS for Cloud & SOA App [29]” is more appropriate. Similarly, if “Ease of Privilege Assignment” and “policy conflict avoiding algorithm” are not important parameters, then techniques such as “Secure data access in Cloud computing [27]” & “Usage control in Cloud systems [35]” are more suitable. Therefore, we cannot give absolute ranking to any of these techniques. The next subsection presents a real-world case study illustrating a step-by-step procedure for the selection of a Cloud authorization technique for the organizations interested in solving the prevalent problem of secure access to their application and resources hosted on Cloud.

Table 2 Analysis of Cloud based access control systems

| Cloud authorization systems | Separation of duty | Horizontal scope | Ease of privilege assignments | Policy distribution | Least privilege | Policy conflict | Configuration flexibility | Policy repository & retrieval |
|---|---|---|---|---|---|---|---|---|
| Secure data access in Cloud computing [27] | High | High | High | Low | High | Low | High | High |
| Secure access mechanism for Cloud storage [28] | High | High | Low | High | High | Low | Low | High |
| OpenPMF SCaaS: authorization as a service for Cloud & SOA applications [29] | High | High | Low | High | High | High | High | High |
| Distributed access control architecture for Cloud computing software [30] | High | High | Low | High | High | Low | High | High |
| API access control in Cloud using the role based access control model [31] | High | High | High | High | Low | Low | High | High |
| Access control as a service for public Cloud storage [32] | High | Low | High | High | Low | High | High | High |
| A privacy enhancement system on academic based private Cloud system [33] | High | Low | High | High | High | Low | Low | High |
| Provenance-based access control in Cloud environments [40] | Low | High | Low | High | High | High | Low | High |
| Fine-grained data access control systems with user accountability in Cloud computing [34] | High | Low | Low | Low | High | Low | Low | High |
| Usage control in Cloud systems [35] | Low | High | High | High | High | High | High | High |
| Achieving secure, scalable, and fine-grained data access control in Cloud computing [36] | High | Low | High | Low | High | Low | Low | Low |
| Multi-tenancy based access control in Cloud [37] | High | Low | High | High | High | Low | Low | High |
| CloudPolice: taking access control out of the network [38] | High | Low | High | High | High | Low | Low | High |
| SaaS access control research based on UCON [39] | High | High | Low | High | Low | Low | High | High |

3.4 Realization in real Cloud computing environment — case study

The abovementioned section comprehensively explains our analysis of Cloud authorization techniques according to the NIST access control metrics. However, for the effective realization of our work, a case study of an electronic health record (EHR) system is presented in this section that is deployed at the SaaS layer of Cloud by hospital administration (Cloud consumer). This case study will help Cloud consumers in the selection of the most appropriate technique according to their authorization requirements by demonstrating the working of our assessment in a real world scenario.

We assume that a hospital wants to deploy an EHR system on Cloud having authorization requirements along with other security functionalities. A Cloud based EHR system stores and processes the data of patients electronically and is designed to cover a wide range of hospital administration and management processes. The system involves various modules including personal health record, E-prescription, report generation, clinical charting, mediation management, financial & inventory billing, appointments and calendric modules. All these modules demand security and privacy of their data and resources (authentication, authorization and confidentiality) for reliable execution in Cloud and to improve the overall quality of the complete system. The system essentially requires access control in order to ensure the privacy of patients’ information and security of sensitive healthcare information, where access to each resource must be evaluated by an authorization technique. Therefore, for the presented case study, we are focusing on the authorization of an EHR system and how a hospital selects the suitable authorization technique for its secure deployment in Cloud. Hospital administrators are required to select the most appropriate authorization technique which best suits their authorization requirements:

• Least privilege (High)

An EMR system must provide fine-grained (granular) level access control based on the identity and other unique credentials of the user. Access must be provided on a “Need to Know” basis.


• Separation of duty (High)

Segregation of duties must be processed statically as well as dynamically, where a single user can perform more than one role, with the exception that only one role should be activated at a particular time. For example, a nurse can only make an inventory request as long as she is an active administration staff member on duty and is not associated with any patient. All such rules need to be defined within a technique before deployment on Cloud.

• Policy conflict algorithms (High)

There should be no conflicts between the access control policies of the hospital. In order to provide accurate access control decisions for each request and maintain the integrity of hospital data, a policy conflict avoiding algorithm needs to be incorporated within the authorization technique that can, as far as possible, avoid all conflicts between policies. Administrators must also create policies very carefully and should be well aware of how to handle conflicts.

• Configuration flexibility (High)

An authorization technique for an EHR system must have the capacity to be upgraded for newly introduced health care features and modules such as MRI & scanning, scheduling & appointments, insurance & sponsors and the equipment inventory module. Moreover, for long-term viability, the technique must be adaptable to the latest Cloud deployment technologies as well.

• Horizontal scope (High)

An authorization technique should be interoperable with a number of Cloud platforms and operating systems such as Linux, Windows or Mac. The operational coverage of a technique should be capable of handling multiple environments through the generic and customized design of its mechanism. The multiple environments might be: an EHR application running on a Linux server of Amazon EC2 or CloudStack, a single module of the EHR application running on various web browsers (Firefox, Google Chrome, IE8) of client systems, or an administrator managing policies through web interfaces. Additionally, the technique should be capable of developing and evaluating access control policies for the latest health care modules.

• Ease of Privilege Assignment (Low)

A technique should provide “policy administration point as a service (PAPaaS)” in Cloud to create and manage access control policies for each user and resource of the EHR system with acceptable ease. However, it is not essential to have a small number of steps for assigning privileges to users, i.e., assigning, revoking and altering the subject, resource or rights. The hospital administrators will be trained to make fewer mistakes in assigning privileges.

• Policy distribution (Low)

It is not necessary for the technique to store and distribute policies globally at multiple hosting domains, e.g., across multiple Cloud environments.

• Policy storage and retrieval (Low)

It is not necessary for the technique to connect to multiple medical repositories simultaneously. The hospital only needs to deploy a single policy retrieval point (PRP) in Cloud for its access. Currently, it is not important to have multiple policy storages.

We summarize the above stated requirements in Table 3.
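The separation-of-duty and policy-conflict requirements above, sketched as a small decision point for the nurse inventory rule. This is an added example, not code from the paper or from any surveyed technique; the role names, the `Subject` fields, the static exclusive pair and the use of deny-overrides combining with default deny are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Static SoD: role pairs that may never be assigned to the same user.
# Constructed example pair, not taken from the paper.
STATIC_EXCLUSIVE = [frozenset({"billing_clerk", "billing_auditor"})]


@dataclass
class Subject:
    name: str
    assigned_roles: set = field(default_factory=set)
    active_role: Optional[str] = None   # dynamic SoD: one active role at a time
    on_duty: bool = False
    patients: set = field(default_factory=set)  # patients the subject is associated with


def assign_role(subject, role):
    """Static SoD, checked at administration time."""
    for pair in STATIC_EXCLUSIVE:
        if role in pair and (pair - {role}) & subject.assigned_roles:
            raise PermissionError(f"{role} conflicts with a role {subject.name} holds")
    subject.assigned_roles.add(role)


def activate_role(subject, role):
    """Dynamic SoD: activating a role replaces the previously active one."""
    if role not in subject.assigned_roles:
        raise PermissionError(f"{subject.name} is not assigned {role}")
    subject.active_role = role


def rule_staff_inventory(subject, action, resource):
    # Permit inventory requests only for on-duty, active administration staff.
    if ((action, resource) == ("request", "inventory")
            and subject.active_role == "admin_staff" and subject.on_duty):
        return PERMIT
    return NOT_APPLICABLE


def rule_no_inventory_with_patient(subject, action, resource):
    # Deny inventory access while the subject is associated with any patient.
    if resource == "inventory" and subject.patients:
        return DENY
    return NOT_APPLICABLE


RULES = [rule_staff_inventory, rule_no_inventory_with_patient]


def decide(subject, action, resource, rules=RULES):
    """Resolve conflicting rule results: any Deny wins, no match means Deny."""
    results = [rule(subject, action, resource) for rule in rules]
    if DENY in results:
        return DENY
    if PERMIT in results:
        return PERMIT
    return DENY
```

When the nurse is on duty as administration staff but still associated with a patient, both rules fire with opposite results; the combiner is what makes the outcome deterministic.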

3.4.1 Theoretical analysis

Based on the aforementioned access control requirements, we have analyzed the Cloud authorization techniques discussed in subsection 3.2 to identify the most appropriate one for the security of an EHR system. Table 2 shows the level to which these techniques support the access control metrics. The techniques that most closely support the requirements are: “OpenPMF SCaaS: AuthzaaS for Cloud & SOA App [29]”, “secure data access in Cloud computing [27]” and “usage control in Cloud systems [35]”. Table 4 presents the supported (✓) and unsupported (×) authorization features of the three techniques.

Table 4 clearly depicts that OpenPMF [29] is closely related to the authorization requirements of an EHR system and, therefore, hospital administrators can choose this technique for ensuring authorized access to their resources on Cloud. If the “policy conflict avoiding algorithm” is an essential parameter for an EHR system and it is possible for the hospital to compromise on the “ease of privilege assignment” feature, then OpenPMF [29] presents an ideal situation. However, if “policy conflict avoiding algorithm” and “ease of privilege assignment” are not imperative constraints to be fulfilled and can somehow be avoided, then [27] and [35] also give an ultimate solution. In summary, assessment of Cloud authorization techniques, based on NIST defined parameters, helps organizations in the appropriate selection of technique, depending on the security priorities of the system (EHR system in this case).

Table 3 Access metric requirements for an EMR system

| Separation of duty | Horizontal scope | Ease of privilege assignments | Policy distribution | Least privilege | Policy conflict | Configuration flexibility | Policy repository & retrieval |
|---|---|---|---|---|---|---|---|
| High | High | Low | Low | High | High | High | Low |

Table 4 Access metric requirements for an EMR system

| Cloud authorization systems | Separation of duty | Horizontal scope | Ease of privilege assignments | Policy distribution | Least privilege | Policy conflict | Configuration flexibility | Policy repository & retrieval |
|---|---|---|---|---|---|---|---|---|
| Secure data access in Cloud computing [27] | ✓ | ✓ | ✓ | × | ✓ | × | ✓ | ✓ |
| OpenPMF SCaaS: authorization as a service for Cloud & SOA applications [29] | ✓ | ✓ | × | ✓ | ✓ | ✓ | ✓ | ✓ |
| Usage control in Cloud systems [35] | × | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |

Table 5 Calculated values of Cloud authorization techniques

| Cloud authorization techniques | Set $W$ | Set $AC_{tech}$ | $Cum_{value}$ (calculation) | $Cum_{value}$ |
|---|---|---|---|---|
| Secure data access in Cloud computing [27] | {1,1,1,1,1,0,0,0} | {1,1,0,1,1,1,0,1} | ((1×1)+(1×1)+(1×0)+(1×1)+(1×1)+(0×1)+(0×0)+(0×1))/8 | 0.5 |
| OpenPMF SCaaS: authorization as a service for Cloud & SOA applications [29] | {1,1,1,1,1,0,0,0} | {1,1,1,1,1,0,1,1} | ((1×1)+(1×1)+(1×1)+(1×1)+(1×1)+(0×0)+(0×1)+(0×1))/8 | 0.625 |
| Usage control in Cloud systems [35] | {1,1,1,1,1,0,0,0} | {1,0,1,1,1,1,1,1} | ((1×1)+(1×0)+(1×1)+(1×1)+(1×1)+(0×1)+(0×1)+(0×1))/8 | 0.5 |

3.4.2 Evaluation using NetLogo

After the theoretical analysis, the preliminary experimental results for the selection of appropriate techniques are also examined through simulation in the NetLogo platform (footnote 3). In real-world scenarios, there can be many possible cases for the selection of a Cloud authorization technique, depending upon the combinations (High & Low level) of access control metrics. For instance, if a Cloud consumer requires the “least privilege”, “dynamic SoD”, “policy distribution” and “configuration flexibility” features, then [30] is more appropriate. Similarly, we have run different test cases, particularly for the selection of an appropriate technique for the EHR system. The two main graphical user interfaces for this simulation are the “requirement setup” and “cloud authorization techniques features” interfaces.

• Requirement setup interface. Figure 4 shows the interface for requirements setup, where a Cloud consumer can input the required levels (Low & High) for access control metrics, using a drop-down menu on the GUI. The drop-down menu lists two main levels, i.e., “High” and “Low”. The user can select either of the two options for each access control metric, according to the preferred requirements.

We have assigned numeric weights, 0 and 1, to the High & Low levels. The “High” level corresponds to the value “1” while the “Low” level is assigned the value “0”. If an organization needs any access control metric, then the “High” level will be selected and the value “1” will be assigned to that metric. Similarly, the “Low” level can be selected and its corresponding value is assigned to the access control metric at the backend. In the case of an EHR system, access control metrics are assigned the values given in Eqs. (1) and (2), as per hospital requirements.

$$W = \{\text{LeastPrivileges},\ \text{SeparationofDuties},\ \text{PolicyConflictAvoidingAlgorithm},\ \text{ConfigurationFlexibility},\ \text{HorizontalScope},\ \text{EaseofPrivilegeAssignment},\ \text{PolicyDistribution},\ \text{PolicyRepository\&Retrieval}\}. \quad (1)$$

$$W = \{1, 1, 1, 1, 1, 0, 0, 0\}. \quad (2)$$

Subsequently, the cumulative value is calculated for all the techniques using Eq. (3), where “n” is the number of access control metrics, n = 1, 2, . . . , 8.

$$Cum_{value} = \sum_{i=1}^{n} \frac{W_i \ast AC_{tech}}{\|AC_{tech}\|}. \quad (3)$$

• Selection of Cloud authorization technique. After providing the access control requirements at the “Requirements Setup” phase, we evaluated each Cloud authorization technique based on the given requirements. Access control metrics supported by a specific technique are represented by the set $AC_{tech}$ given in Eq. (4). For instance, the set for OpenPMF [29] is represented by $AC_{PMF} = \{1, 1, 1, 1, 1, 0, 1, 1\}$, in which the values 1 and 0 are used to represent whether the technique supports a specific feature or not.

$$AC_{tech} = \{ac_1, ac_2, ac_3, ac_4, ac_5, ac_6, ac_7, ac_8\}. \quad (4)$$

3) NetLogo is a multi-agent programmable modeling environment for simulating different scenarios. It is particularly well-suited for modeling complex systems developing over time. http://ccl.northwestern.edu/netlogo/ (14-January-2014)

Fig. 4 NetLogo requirement setup interface

Fig. 5 Simulation results of Cloud authorization techniques

The $Cum_{value}$ for [29], [35] and [27] have the largest values, 0.625 & 0.5, as formulated in Table 5. Figure 5 presents the simulation results after performing calculations on the authorization techniques according to the requirements of an EHR system. The results show that OpenPMF [29] is more appropriate, based on the access control features required by an EHR system, than the other techniques, which cannot fulfill the requirements and have lower values. More precisely, the OpenPMF technique is more suitable since its $Cum_{value}$ is greater than that of [27] and [35] and it closely fits the EHR requirements. It should also be noted that the results presented through NetLogo simulations and theoretical analysis are the same, i.e., OpenPMF is the more suitable technique. Theoretical analysis uses manual assessment while NetLogo uses mathematical formulations to select the suitable technique.

In summary, the presented case study illustrates the use of the techniques assessment in real-life scenarios where a Cloud consumer (organization) needs to select a technique according to its authorization requirements. Our assessment, followed by this case study, will help Cloud consumers in the selection of an authorization technique satisfying their requirements.
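The selection procedure of Section 3.4.2, carried through with the sets from Eqs. (1), (2) and Table 5. This is an added example written in Python rather than the authors' NetLogo model; the function and variable names are assumptions, and the list of unmet requirements per technique goes beyond the single score the paper reports.

```python
# Metric order follows Eq. (1); identifiers are spelled for Python use.
METRICS = [
    "LeastPrivileges", "SeparationOfDuties", "PolicyConflictAvoidingAlgorithm",
    "ConfigurationFlexibility", "HorizontalScope", "EaseOfPrivilegeAssignment",
    "PolicyDistribution", "PolicyRepositoryAndRetrieval",
]

# Hospital requirements from the case study (High/Low per metric).
REQUIREMENTS = {
    "LeastPrivileges": "High", "SeparationOfDuties": "High",
    "PolicyConflictAvoidingAlgorithm": "High", "ConfigurationFlexibility": "High",
    "HorizontalScope": "High", "EaseOfPrivilegeAssignment": "Low",
    "PolicyDistribution": "Low", "PolicyRepositoryAndRetrieval": "Low",
}

# AC_tech sets exactly as listed in Table 5.
TECHNIQUES = {
    "Secure data access in Cloud computing [27]": [1, 1, 0, 1, 1, 1, 0, 1],
    "OpenPMF SCaaS [29]": [1, 1, 1, 1, 1, 0, 1, 1],
    "Usage control in Cloud systems [35]": [1, 0, 1, 1, 1, 1, 1, 1],
}


def weights(requirements):
    """Map High/Low levels to the 1/0 weight set W, in Eq. (1) order."""
    missing = [m for m in METRICS if m not in requirements]
    if missing:
        raise ValueError(f"no level given for: {missing}")
    levels = {"High": 1, "Low": 0}
    return [levels[requirements[m]] for m in METRICS]


def cum_value(w, ac):
    """Eq. (3): sum of W_i * ac_i over all metrics, divided by the set size."""
    if len(w) != len(ac) or len(ac) != len(METRICS):
        raise ValueError("W and AC_tech must each have one entry per metric")
    if any(v not in (0, 1) for v in list(w) + list(ac)):
        raise ValueError("entries must be 0 or 1")
    return sum(wi * ai for wi, ai in zip(w, ac)) / len(ac)


def unmet_requirements(w, ac):
    """Metrics required by the consumer (W_i = 1) that the technique lacks."""
    return [m for m, wi, ai in zip(METRICS, w, ac) if wi == 1 and ai == 0]


def rank_techniques(requirements, techniques):
    """Return (name, Cum_value, unmet metrics) sorted by descending score."""
    w = weights(requirements)
    rows = [(name, cum_value(w, ac), unmet_requirements(w, ac))
            for name, ac in techniques.items()]
    return sorted(rows, key=lambda row: -row[1])


if __name__ == "__main__":
    for name, score, gaps in rank_techniques(REQUIREMENTS, TECHNIQUES):
        print(f"{score:.3f}  {name}  unmet: {gaps or 'none'}")
```

The two techniques tied at 0.5 miss different required metrics, which the score alone does not show; a metric set to Low contributes nothing to the score whether or not the technique supports it.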

4 Identified problems and proposed ACaaS strategy

Access control should be a mandatory component of Cloud to make accurate and disclosure-free access decisions based on multiple factors for minimizing the illegal usage of resources and services. Since the confidentiality level of data varies in different applications, there is a need for an effective access control mechanism. While giving access to data on a Cloud, security issues must be handled in a way that provides a trusted and secure environment [42]. Although CSPs have the option of integrating the various extant authorization mechanisms within their services to protect the data and resources of their customers, our analysis in the previous section depicts that extant access control models have a lot of room for improvement. Therefore, we dedicate this section to discussing the general weaknesses in authorization systems and how to overcome them.

4.1 Weaknesses in extant access control techniques

The access control techniques discussed in the previous section are far from perfect; we have narrowed their shortcomings down to the following generic problems:

1) Management of user profile and access control policies

In a Cloud computing environment, maintaining and creating user profiles and access control policies is more challenging because the information may come from different sources – using different processes, naming conventions, and technologies – and may need to be transmitted securely between organizations over a hostile Internet. Moreover, there are typically too many technical rules to manage and these rules do not match the understanding of human administrators. Furthermore, these technical rules need to be updated frequently to remain correct each time systems change, and it is hard to establish that the level of confidence/assurance of the technical policy enforcement matches the intent of the human administrator. As a consequence, it is critical to carefully plan the tools and processes to make the access policy updating process manageable through automation.


2) Inflexibility of traditional mechanisms

Different types of access control mechanisms have been proposed and deployed so far for traditional enterprise applications, mainly including role-based [11], task-based [43,44], attribute-based access [45,46], DAC, MAC, digital rights management (DRM) [47], trust management (TM) [48], claim-based and authorization-based access control. Enterprises can leverage these authorization mechanisms to seamlessly protect Cloud applications as well. However, these access control mechanisms have some specific parameters and are suitable only for particular scenarios to provide restricted access to data. To authorize access to resources on Cloud, access control policies must be formulated in a way that they can handle the dynamic nature of the Cloud environment. Some Cloud services do not call for strict authorization rules and are accessed after confirmation of a few user attributes. Other services require the verification of several factors, considering additional constraints, before permitting access to Cloud-based data. Inflexibility of techniques often also leads to compliance and interoperability issues. Therefore, an access control mechanism with strictly defined features is not suitable for all types of applications and services hosted on Cloud.

3) CSP-Driven access control

CSA specifies some challenges in selecting or reviewing the adequacy of access control solutions for Cloud services [7,49]. According to them, it is very difficult to determine the suitability of an access control technique for the different types of services and applications hosted on Cloud. The authorization feature provided by Cloud providers uses one or more access control models and is not extensible to add new models according to customer requirements. As a result, CSCs are forced to reshape the security requirements of their applications. Almost all the security features, like confidentiality, integrity and availability, are provided by CSPs. It means encryption, authorization and authentication are in the hands of providers. Also, organizations do not find a suitable format for the specification of policies and user information. These problems need to be addressed by providing the liberty to select any technique that suits the security requirements of an organization. There should be a framework for protecting the data of Cloud consumers that can be customized by consumers according to their own security needs, along with the basic security features provided by Cloud providers. Customization must be provided to the Cloud service consumer organization for controlling access to its hosted applications, as required.

4) Particularity of solutions

To reduce the load and management tasks of organizations regarding secure authorization to resources on Cloud, there is a vital need for a generic framework that encompasses multiple models and has the ability to add any access control model within the framework based on the security requirements of the consumer. Moreover, data residing on Cloud belongs to a wide variety of customers having different sensitivity levels for data; this necessitates the enforcement of a comprehensive access control framework for the Cloud environment. For example, RBAC is useful for restricting access to the data of commercial organizations, while the UCON model is suitable for controlling usage of confidential information of health care systems. Therefore, the authorization framework should be generic to provide the access control policies and access management functionality for all these Cloud services.

We regard these factors as hindrances in securing the data of CSCs against illegal accesses. In order to circumvent the potential issues that might arise due to weak access control mechanisms, we propose the features that an effective access control management strategy must incorporate to cater to the dynamism of the Cloud environment. It means that the abovementioned issues can be resolved by mapping problems into solutions, which will eventually lead towards a reliable access control solution for the SaaS layer of Cloud computing.

4.2 Essential features for effective Cloud authorization mechanism

Analysis and findings reveal that there is a need to address the challenges of developing a holistic and reliable access control management strategy for the SaaS model of Cloud. To overcome the aforementioned weaknesses, we propose potential features that an authorization management strategy must provide for Cloud hosted applications. Incorporation of these features will not only resolve these issues but may also pave the way for a single consolidated comprehensive authorization framework. Eventually, this access control framework would be extensible and generic enough to satisfy the dynamic requirements of Cloud. These features will not only protect the resources (data and application) of Cloud consumers but will also allow them to customize the framework according to their security needs and demands.

1) Using common access control policy format

In order to adapt to the flexible requirements of Cloud and to avoid interoperability and compatibility issues between policies specified by CSPs and CSCs, a commonly used policy specification format should be developed. The common specification of access control policies will enable Cloud consumers to make different access control policies and user profiles according to their own requirements. An appropriate industry standard for policy specification such as extensible access control markup language (XACML) can be used to facilitate Cloud consumers by offering authorization services to their applications. This will also reduce the issues of creating and managing access control policies and user profiles because XACML is a powerful access control policy language that specifies how to evaluate policies and how to interpret those policies. This language is suitable for a variety of application environments. The core language is insulated from the application environment by the XACML context, which is why we can use it for the Cloud environment, where a variety of applications, each with its own characteristics and security requirements, are hosted to serve their users. According to OASIS XACML (footnote 4), managing the policy configuration at each point of policy enforcement is quite expensive and unreliable (footnote 5). Therefore, creating and managing access control policies manually does not demonstrate best practice in the protection of the information assets of the enterprise and its consumers on Cloud. XACML gives detailed general access control requirements, and has standard extension points for defining new functions, data types, combining logic, etc. Keeping in view these standard extension points, a common policy format must be used that can holistically cover different Cloud applications.

2) Common access layer for Cloud applications

To bring together all well-known access control models, a product in the form of an authorization application needs to be developed which can allow secure authorization of resources for a variety of Cloud hosted applications. More specifically, a common access control layer is required that can act independently of the applications hosted on the Cloud. Thus, any enterprise planning to leverage their application on Cloud will be able to integrate with this authorization application for effective access control. Successful execution of this application will provide the ability to decouple the business logic of applications from the security aspect of the application. This way, security will not have to be embedded within the application. Rather, a separate access control layer will be provided for authorized access to application resources.

3) Customization and extensibility for Cloud hosted applications

As discussed above, development of an authorization application for the SaaS-hosted Cloud environment will provide secure access to its resources. To allow easy customization for Cloud consumers, an extensibility feature needs to be introduced so that new access control models can also be incorporated into the authorization application. This feature will provide autonomy to the users so that they can add new access control models according to their own authorization requirements. Depending on authorization requirements, applications will either select existing access control models from the policy repository or create policies of a new access control model. Additionally, the policy creation process based on application requirements will be transparent to the user; application owners will only need to select the appropriate access control model and provide attributes based on the application domain. The extensibility feature will provide the capability to deter new threats and attacks launched on Cloud-based applications.

4) Development and support for third party plug-ins

A lot of effort is now being centred on the development of open and proprietary APIs and plug-ins which seek to enable features such as security, management and interoperability for Cloud. These APIs and plug-ins play a key role in enhancing Cloud services to make them more efficient and reliable. Plug-ins should be another feature of an effective access management mechanism so that they can be integrated with Cloud hosted applications.

Table 6 illustrates the mapping of Cloud authorization issues (weaknesses) into essential features for effective Cloud authorization.

4.3 Amalgamation of features into access control framework – ACaaS

So far, we have discussed the weaknesses in the existing access control techniques and have come up with must-have features for an effective authorization mechanism. Furthermore, we have established that Cloud requires a flexible access control mechanism applicable to various kinds of environments. An effective access control mechanism can only be developed if we can incorporate all the above mentioned features into one comprehensive framework. Therefore, the output of a faultless implementation of these access control features can take the form of an extensible and comprehensive ACaaS. ACaaS is a Cloud-based approach which aims to ensure ease in authentication and authorization of Cloud service consumers while they access various Cloud services and resources (footnote 6). In ACaaS, the management and evaluation of access control decisions is externalized and handled by some trusted third-party service provider. ACaaS operates on the application layer and provides an authorization store that is managed and accessed either through code or a managerial gateway. After one-time configuration, CSCs access the applications via ACaaS by using an authentication token bundled with authorization claims. Instead of implementing application-specific access control mechanisms, one can choose ACaaS to authenticate and authorize their service consumers. ACaaS not only facilitates fast and easy application development, it also allows its customers to access and acquire multiple services and resources with reduced (e.g., single sign-on) authentications.

Table 6 Mapping of authorization issues into effective access management strategy

| Weaknesses in extant access control techniques | | Essential features for effective Cloud authorization mechanism |
|---|---|---|
| Management of user profiles & access control policies: information from different sources; too many technical rules; rules need to be updated frequently | → Common policy language format → | Using common access control policy format: use of an appropriate industry standard policy language; reduces the issues of creating & managing user profiles |
| Inflexibility of traditional mechanisms: do not have strict authorization rules; compliance & interoperability issues | → Comprehensive authorization application → | Common access layer for Cloud application: authorization application that can act independently; decouple the business logic of app. from security |
| CSP driven access control: uses only specific predefined parameters; suitable only for few scenarios; cannot handle dynamic nature of Cloud; perform user verification before and after access | → Customization & extensibility → | Extensibility for Cloud hosted application: extensibility that can add new access control model on-the-fly; provide autonomy to user applications; transparent policy creation |
| Particularity of solutions: do not reduce the load & management tasks; do not provide generic framework; do not have ability to add new access control models; do not have customization feature | → Third party plugins → | Development & support for third party plugins: play key role in enhancing the Cloud services; provide efficient & reliable Cloud services; support for third-party plugins & APIs |

4) OASIS, Extensible Access Control Markup Language (XACML), https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml

5) OASIS, Extensible Access Control Markup Language (XACML) v3.0, http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf, July 2008.

6) Microsoft, ACS Overview, http://msdn.microsoft.com/en-us/library/gg429788.aspx, 2011.

ACaaS needs to be developed in a way that it offers compatibility with well-known programming languages and runtime environments along with support for international standards such as OpenID, OAuth, WS-Trust [7], etc. In addition, ACaaS must be compatible with most of the modern web platforms such as Python, Java, .NET, Ruby and PHP. Some real-time implementations of ACaaS are also available in the market: Azure Platform AppFabric Access Control Service (footnote 7) and Junos Pulse Access Control Service Ver. 4.4 [50], just to name a few. An ACaaS layer comprises PDP, PEP, PAP and PIP [32] components. Each of these components can be developed and managed by the service consumer, or the consumer may use the ones provided by the ACaaS provider (trusted third party). To be precise, the access control service provider ensures the segregation and confidentiality of the data contents, even if it gets together with Cloud service consumers and Cloud service providers.

The effective utilization of the access control framework (or ACaaS) will assure that IT operations of any enterprise can achieve reliable access control management for their applications hosted on the SaaS layer. This framework will have the properties of extensibility, genericity, consumer-driven authorization functions and a common policy language format. Extensibility will be used to incorporate existing and newly proposed access control models. It means that, based on the security requirements of applications, organizations can select any model from the framework to provide secure access to their application resources. In addition, this authorization framework will also be available as a plug-in that can be used by Cloud consumer organizations to securely manage their application on Cloud. Thus, gathering features into a framework will help Cloud application owners to provide authorized access to resources (data) on Cloud and will also eliminate the need to write security code in their application.

5 Future research directions

ACaaS is a rather recent concept of offering authorization services in Cloud, which is steadily gaining attention in the market. Ideally, access control services should incorporate all the managerial and technical aspects to provide the best possible solution. Even though research in this domain is moving towards increasingly mature solutions, there are still a large number of critical issues that have gone unattended. One glaring issue that needs to be addressed is the lack of a common policy format that would alleviate the inherent interoperability issues in the Cloud environment. To this end, utilization of a standard policy creation language, XACML, is highly recommended. Typically, the ACaaS layer is implemented over the SaaS layer and the more advanced solutions focus on this service model. Although the same rules apply for ACaaS for PaaS and IaaS, there is a lot of room for improvement for providing the service on top of those deployment models since they still provide the very basic authorization mechanisms. For instance, adequate partitioning of policy domains and secure delegated administration is required for PaaS. IaaS, on the other hand, is less likely to be web-based and so the access management service will have to be customized accordingly. For this, access management will have to be on a per-customer basis, so that the passwords and privileges given to one customer do not enable them to access other customer environments (footnote 8).

7) Microsoft, Introduction to the Appfabric Access Control Service 2.0, http://msdn.microsoft.com/en-us/identitytrainingcourse_introtoacslabsv2.aspx, 2013.

In order to cater to the authorization issues of SaaS hosted applications, an effective identity and access management strategy is required for the Cloud environment that allows data owners to manage access to their resources and is extensible enough to formulate certain policies and rules to define the access level for each user. A future direction could be the verification and implementation of the features proposed for the holistic realization of an access control management strategy. For the realization of the framework, well-known access control models could be implemented using XACML. So far, many of the widely-used access control models do not have comprehensively designed, open source implementations in XACML 3.0. Therefore, investigating such aspects of these access control models with respect to XACML opens up new avenues for research in the area of SaaS Cloud security.

Other issues include privacy of data owners and compliance of the access control system with country- and organization-specific privacy laws; extensibility to formulate policies and rules for each level of user; support for delegation rights in cross-Cloud domain; dynamic specification of entities involved in data sharing, etc. Therefore, a reliable and extensible authorization framework is highly encouraged to satisfy the user requirements and the dynamic nature of Cloud as well.

6 Conclusions

The hype that Cloud technology has attracted is not unwarranted; academia and industry find the paradigm ripe with opportunities and potential. However, despite the promising features Cloud has to offer, consumers are still reticent to deploy their applications on it, mainly due to the security and privacy concerns that exist in the domain. For adequate data and application security, Cloud computing demands extensible and reliable access control mechanisms that ensure an effective authorization strategy for the resources hosted on Cloud. This paper specifically focuses on authorization issues in the Cloud environment and addresses its concerns and potential solutions. We have performed an in-depth analysis of various state-of-the-art access control techniques based on the features listed in a NIST report [26]; then we narrowed down these features based on the authorization requirements of Cloud. A case study is also presented that validates our analysis by selecting the most appropriate of the existing authorization techniques based on the access control requirements of the Cloud consumer. Moreover, after conducting a thorough study on access control mechanisms in Cloud and the related work that exists within the domain, we come to the conclusion that extant access control solutions are not generic and do not cover all the required features holistically. Therefore, there is a need for meticulous research in order to develop and design an effective ACaaS, which is an important pillar of the SECaaS model and allows CSCs and CSPs to securely manage access to their resources. In this regard, we first identify the main problems that render the existing models inadequate for use in Cloud. From these challenges, we determine the features that are imperative for an access control as a service layer.

The ACaaS framework is the generic solution to all the authorization problems in Cloud that have been identified in Section 4.1, and it incorporates all the features that an ideal Cloud-based access control mechanism should have, which are listed in Section 4.2. This framework would be comprehensive and reliable enough for managing and controlling access to SaaS hosted Cloud applications and their resources. Since it will be non-specific and will use well-known standards like XACML, it will eradicate the compliance and interoperability issues, hence allowing it to be used by different Cloud-based applications to make their data accessible only to authorized users. Successful execution of the proposed ACaaS framework will greatly improve access control issues in Cloud and help assure Cloud consumers (small to large enterprises) that their information on Cloud is managed securely.

8) Axiomatics, Axiomatics Cloud scenarios, https://www.axiomatics.com/cloud-scenarios.html

Acknowledgements We are incredibly grateful for the financial assistance provided by National ICT R&D Fund, Ministry of Information and Technology, Pakistan that made this research work possible. Our special thanks are extended to National University of Science & Technology (NUST) and KTH-Applied Information Security (AIS) Lab for their unstinting support of our work and for helping us in publishing this article.

Appendixes

Appendix A: Cloud access control techniques

1) Secure data access in Cloud computing [27]: Sanka et al. [27] discuss the Cloud authorization challenges together with a capability based access control technique that ensures authorized access to outsourced data. The work proposed in this paper modifies the Diffie-Hellman key exchange protocol so that it can be used by Cloud service provider and consumers for secretly sharing a symmetric key. In addition, a capability based access control system along with cryptographic techniques has also been proposed for the Cloud platform. The technique mainly involves three actors: data owner (DO), cloud service provider (CSP) and user, where the CSP is mainly responsible for offering services. A capability list is used to specify the access rights of users and it consists of user ID (UID), file ID (FID) and corresponding access policies. Values for access rights are assigned as: 0 for read, 1 for write, 2 for both read and write. The DO computes the MD5 hash of data files and encrypts it with their private key and the public key of the CSP. The CSP stores these encrypted data files and capability lists for users but the contents of data files are not revealed to them. The Diffie-Hellman algorithm is used to generate the symmetric keys which are shared between CSP and user for the purpose of secure communication. A new user first performs the registration with the DO by sending UID, FID, nonce, timestamp and the required access rights. The DO sends the capability list, intended encrypted content and corresponding decryption keys to the CSP after the user verification. The CSP updates the capability list accordingly and also sends a registration confirmation to the newly added user. After that, the user directly requests data access from the CSP and gets an encrypted response which is then decrypted to get the session key and hash value.

2) Secure access mechanism for Cloud Storage [28]: Harnik et al. [28] proposed a capability based access control mechanism to address the access control requirements for Cloud storage. The proposed model offers an efficient delegation mechanism by appending the original capability with a reduced delegated capability. An identity field is introduced in the capability that performs user authentication and eliminates the identification overhead at the enforcement point. The proposed mechanism also offers features like scalability, chains of services, user to user access delegation, improved performance, availability, revocation, interoperability, and pre-resource audit ability.

3) OpenPMF SCaaS: authorization as a service for Cloud

& SOA applications [29]: Lang et al. [31] present the concept of portable security and compliance policy automation

for Cloud applications. Proposed system aims to provide pro-

tection to the Cloud applications and mashups in a seamless

manner. Further, this system intends to improve and simplify

the secure software development lifecycle for Cloud applications. The OpenPMF system comprises two main components: policy automation and technical policy generation.

The policy automation aspect includes policy configuration,

technical policy generation, application authorization man-

agement, and incident reporting. Policy configuration is of-

fered as a pay-per-use Cloud service to various application

development tools. On the other hand, the technical policy

generation, enforcement and monitoring module is implanted

into Cloud application development and runtime platforms.

The paper also discusses a reference implementation called

OpenPMF security & compliance as a service (SCaaS) which

is based on ObjectSecurity OpenPMF, Intalio BPMS, and

Promia Raven.

4) Distributed access control architecture for Cloud computing software [30]: Almutairi et al. [30] have presented a

technique for data storage and distributed access control in

Cloud paradigm. This technique uses attribute based encryp-

tion scheme and key distribution center that assigns keys to

users on the basis of attribute groups. An access policy is as-

signed to each data owner which contains list of attributes and

public keys to encrypt data against those attributes. A secure

SSL channel is also used to transfer the data on Cloud. The

Cloud provider provides encrypted data to users, which is de-

crypted by users for their use. Access policies are in the form

of trees, wherein attributes act as leaf nodes and Boolean

functions act as internal nodes. This scheme also provides

a user revocation feature in which a revoked user will not be able to

use or see the data of providers.
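An added sketch (not code from the paper or from [30]) of how a policy tree of the kind described in item 4) is evaluated, with attributes as leaves and AND/OR gates as internal nodes. It models only the access decision and the revocation check, not the attribute based encryption itself; the attribute names, user IDs and the `witness` and `authorize` helpers are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Set, Tuple, Union


@dataclass(frozen=True)
class Attr:
    """Leaf node: satisfied when the user holds this attribute."""
    name: str


@dataclass(frozen=True)
class Gate:
    """Internal node: a Boolean function (AND / OR) over its children."""
    op: str
    children: Tuple["Node", ...]

    def __post_init__(self):
        if self.op not in ("AND", "OR"):
            raise ValueError(f"unsupported gate: {self.op!r}")
        if not self.children:
            # An AND over zero children is vacuously true, so an empty
            # gate would silently permit everyone. Reject it up front.
            raise ValueError("gate must have at least one child")


Node = Union[Attr, Gate]


def witness(node: Node, attrs: FrozenSet[str]) -> Optional[FrozenSet[str]]:
    """Return a subset of `attrs` that satisfies the tree, or None.

    The subset is what an audit log should record: the attributes that
    actually justified the decision (not guaranteed to be the minimum).
    """
    if isinstance(node, Attr):
        return frozenset({node.name}) if node.name in attrs else None
    found = [witness(child, attrs) for child in node.children]
    if node.op == "AND":
        if any(w is None for w in found):
            return None
        return frozenset().union(*found)
    satisfied = [w for w in found if w is not None]
    return min(satisfied, key=len) if satisfied else None


def authorize(user_id: str, attrs: Iterable[str], policy: Node,
              revoked: Set[str]) -> Tuple[bool, FrozenSet[str]]:
    """Deny revoked users first, then evaluate the policy tree."""
    if user_id in revoked:
        return False, frozenset()
    w = witness(policy, frozenset(attrs))
    return (w is not None), (w if w is not None else frozenset())


# Constructed sample policy: (doctor AND cardiology) OR auditor
POLICY = Gate("OR", (
    Gate("AND", (Attr("role:doctor"), Attr("dept:cardiology"))),
    Attr("role:auditor"),
))

if __name__ == "__main__":
    print(authorize("u1", {"role:doctor", "dept:cardiology"}, POLICY, set()))
    print(authorize("u2", {"role:doctor"}, POLICY, set()))
    print(authorize("u1", {"role:doctor", "dept:cardiology"}, POLICY, {"u1"}))
```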

5) API access control in Cloud using the role based access

control model [31]: Sirisha et al. [31] proposed secure ac-

cess control APIs for Cloud. This technique uses role based

access control model involving two-stages: user attribute au-

thentication and then, role validation. This technique assumes

that user is already authenticated with any reliable authentication mechanism such as token, smart card or password

based and all its attributes and roles are managed in some

database. Once user is authenticated, his attributes are veri-

fied from a database and a specific role is assigned against

his attributes. Therefore, user can only access those services

that are allowed for assigned role. Same is the case in the sec-

ond stage of access control; there is a database of permissions

corresponding to different roles. After identifying roles, per-

missions are checked in database and accordingly, access is

granted or denied.

6) Access control as a service for public Cloud storage

[32]: Yang et al. [32] presented an access control service for

public cloud storage, where authorization decision is subject

to the data owner’s decision or PDP and PEP modules. This

paper aims to address the problem of flexible access control in

service and data outsourcing scenarios to protect the sensitive

data of owners. In order to implement the designed service,

an attribute-full proxy re-encryption (AF-PRE) scheme is of-

fered as a core component of the proposed solution. The key

features of presented solution include realization of simple

key management, capacity to compose the attributes along

with the anticipated combination of authorization and encryp-

tion with appropriate separation. In order to give the proof

of concept, authors have performed security analysis of their

system. They further claim that their scheme for executing

queries on the encrypted data can be efficiently integrated

with the presented solution.

7) A privacy enhancement system on academic based pri-

vate Cloud system using Eucalyptus open source Cloud in-

frastructure [33]: Mon et al. [35] proposed a privacy-aware

access control system (ARBAC) with the amalgamation of

features from two main models i.e., role based access con-

trol (RBAC) and attribute based access control (ABAC). The

main purpose of the system is to provide secure access to

personal identifiable information (PII) in cloud environment.

The system mainly consists of four main actors: data owners,

data users, cloud providers and privacy managers. Data own-

ers use virtual machines instances to host their data according

to organizational permissions and specify the privacy prefer-

ences of data. Users access the cloud based services and data

according to the defined access rights and policies. Cloud

providers perform different operations and management tasks

on servers according to the rules specified by the data owners.

Privacy manager is the essential component of the system,

responsible for the specification of privacy policies based on

user and data classification levels. In proposed ARBAC sys-

tem, user requests to access data and provides corresponding

subject, resource and environment attributes that are required

for the service. Cloud service provider verifies the given at-

tributes according to defined privacy policy in order to return

the response of either permit or deny.

8) Provenance-based access control in Cloud environments

[40]: Bates et al. [40] stated the granular access control to be

the most challenging and promising security issue for data

storage in Cloud computing. Relevant policies for migration

of data across the boundaries and scattered policies of orga-

nizations have been identified as the major reasons for this

issue. In this paper, an access control model has been intro-

duced, which is based on provenance and its use in critical

applications. Provenance provides all the information about

different actions and processes taken on specific data and is

used to mitigate these access control challenges in Cloud. The

system achieves the three main goals which include distribu-

tion of provenance in dynamic Cloud environment, assess-

ment of remote data objects and provenance based access

control model where provenance is also significant compo-

nent along with the basic objects, subjects and rights for ac-

cess control. The system also includes the additional prove-

nance database and policy database modules other than the

core PEP and PDP.

9) Fine-grained data access control systems with user ac-

countability in Cloud computing [34]: attribute based encryp-

tion (ABE) is proposed in [76], which aims to ensure fine-

grained access control and resolves the issues related to user

accountability and real-time revocation. There are two kinds

of ABE: key policy ABE (KP-ABE) and cipher text policy

(CP-ABE). In KP-ABE, access policy and user’s private key

are bounded together which helps to determine the files the

user is authorized to access. On the other hand, in CP-ABE,

access policy is defined within the cipher text where each

file and user key has different attributes; here, the relation-

ship is between the user key and his attributes. In proposed

model, the broadcast encryption has been performed by data

owner on user group by selecting the random number. The

encrypted data is then uploaded on Cloud.

10) Usage control in Cloud systems [35]: Aliaksandr et

al. [35] presents an advanced authorization framework based

on the usage control (UCON) model and the OASIS XACML

standard to control the usage of Cloud resources. Presented

framework is capable of handling the issue of long lasting

accesses by interrupting the ongoing usage of previously

assigned resources when the object’s access rights are re-

voked by the owner. Proposed framework’s prototype is im-

plemented and integrated with the OpenNebula toolkit (ONE)

that provides access control lists (ACLs) and usage quotas.

System performance tests are also carried out on the prototype to validate the effectiveness of the proposed system.

The ONE frontend and the authorization service (AS) are

hosted in the virtual machine with Ubuntu 10.04 and Java

1.6 support. However, the prototype requires improvements

in terms of security and management of various other long

lasting Cloud resources and services.

11) Achieving secure, scalable, and fine-grained data ac-

cess control in Cloud computing [36]: hierarchical attribute

based encryption (combining hierarchical identity based en-

cryption (HIBE) and cipher text policy based attribute based

encryption (CP ABE)) on Cloud has also been proposed for

access control [36]. Hierarchical structure is described in

which there are root master (RM) and domain masters (DM).

RM corresponds to private key generator which is used to

generate and distributes keys and other important parame-

ters. DM is like attribute authority in CP ABE and HIBE,

which handles delegation of keys to DM and their distribu-

tion to users at next level. Firstly, unique identifier is assigned

to each DM and then ID and attributes are assigned to users.

Each user’s position has been defined by his own ID and pub-

lic key of DM administrating him.

12) Multi-tenancy based access control in cloud [37]: due

to multi-tenancy in Cloud computing, duty separation be-

tween CSP and tenant is a main concern. Solution proposed in

[37] is multi-tenancy based access control model (MTACM)

for application security in public Cloud. The main idea of

MTACM is to classify the subjects and objects in traditional

access control mechanisms into two granule levels. One is

tenant granule level and the other is application granule level.

First level is managed or controlled by CSP to implement

the compartmentalization of different tenants, while second

is controlled by tenants to allow authorized access to their

applications. The subjects in MTACM access control lists are

user based, while in most access control mechanisms, access control lists are IP based. One of the benefits of MTACM

is independent behavior since its deployment does not require

modifications to existing applications. All the security rules

are based on user identifications, rather than IP addresses.

The prototype suggested for MTACM has four main mod-

ules: OpenSSL, identity and authentication, audit, access

control and management module. The prototype shows that

MTACM is the best solution to provide high performance and

compatibility for application layer of Cloud.

13) CloudPolice: taking access control out of the net-

work [38]: Lucian et al. [38] proposed a hypervisor-based

access control technique, named “CloudPolice”, for Cloud

paradigm. Several security policies such as tenant isolation,

inter-tenant communication, fair sharing among tenants, rate

limiting tenants and locally initiated connections for intra-

Cloud based environment are identified. Based on these poli-

cies, a policy model is defined that uses predicate logic,

wherein several rules in the form of “if-then” action condition separated by comparison operator are used.

14) SaaS access control research based on UCON [39]:

Junli Zhu et al. [39] have highlighted access control prob-

lem faced by Cloud consumers, which is mandatory for pro-

tecting the user’s sensitive information in SaaS model. Tradi-

tional access control models like attribute based, role based

or fine-grained access models are not sufficient for protecting

the private data of users in Cloud. This system presents a uni-

fied access control model which is designed for preventing

user’s critical data from unauthorized and illegitimate access.

Trust management and digital rights management have also

been identified as the important security problems faced by

today’s business world and IT organizations. In this system,

UCON model has been implemented with its two main prop-

erties of attribute mutability and continuity along with three

main components i.e., authorization, obligations and condi-

tions. Post-obligation model has also been implemented that

can guarantee the fine-grained and secure access control on

customer’s private data. Types of authorization mainly in-

clude PreA, where authorization is performed before granting

any access and OnA, where authorization is executed during

the usage. Similarly, PreB are some mandatory requirements

that should be satisfied before granting access. OnB are those

requirements which needed to be satisfied during the execu-

tion of access control.
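An added sketch, not code from [35] or [39], of the UCON decision continuity described in items 10) and 14): PreA and PreB are checked before access is granted, OnA and OnB are re-checked on every tick while access is in progress, and an owner-side revocation or an exhausted quota ends the session. The subject, object, obligation names and the one-minute tick are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

Attrs = Dict[str, object]
Predicate = Callable[[Attrs, Attrs], bool]  # (subject, object) -> decision


@dataclass
class UsagePolicy:
    pre_a: List[Predicate]                        # PreA: before access
    on_a: List[Predicate]                         # OnA: during usage
    pre_b: Set[str] = field(default_factory=set)  # PreB: obligations before
    on_b: Set[str] = field(default_factory=set)   # OnB: obligations during


class UsageSession:
    """One subject using one object under a UCON-style policy."""

    def __init__(self, subject: Attrs, obj: Attrs, policy: UsagePolicy):
        self.subject, self.obj, self.policy = subject, obj, policy
        self.state = "requested"

    def try_access(self, fulfilled: Set[str]) -> bool:
        """Pre-decision: PreB obligations met and every PreA predicate true."""
        if self.state != "requested":
            return False
        ok = (self.policy.pre_b <= fulfilled and
              all(p(self.subject, self.obj) for p in self.policy.pre_a))
        self.state = "accessing" if ok else "denied"
        if ok:
            self.subject["used_minutes"] = 0      # mutable attribute, pre-update
        return ok

    def tick(self, fulfilled: Set[str]) -> bool:
        """Ongoing decision, called once per (assumed) minute of usage."""
        if self.state != "accessing":
            return False
        ok = (self.policy.on_b <= fulfilled and
              all(p(self.subject, self.obj) for p in self.policy.on_a))
        if not ok:
            self.state = "revoked"                # interrupt ongoing usage
            return False
        self.subject["used_minutes"] += 1         # mutable attribute, on-update
        return True

    def end(self) -> None:
        if self.state == "accessing":
            self.state = "ended"


def owner_allows(subject: Attrs, obj: Attrs) -> bool:
    # The data owner edits obj["allowed"]; removal takes effect at next tick.
    return subject["id"] in obj["allowed"]


def within_quota(subject: Attrs, obj: Attrs) -> bool:
    return subject["used_minutes"] < subject["quota_minutes"]


def build_session(quota_minutes: int) -> UsageSession:
    """Constructed sample data: subject 'alice' using object 'report'."""
    subject = {"id": "alice", "quota_minutes": quota_minutes}
    obj = {"id": "report", "allowed": {"alice", "bob"}}
    policy = UsagePolicy(pre_a=[owner_allows],
                         on_a=[owner_allows, within_quota],
                         pre_b={"accepted_terms"},
                         on_b={"heartbeat"})
    return UsageSession(subject, obj, policy)


if __name__ == "__main__":
    s = build_session(quota_minutes=5)
    print(s.try_access({"accepted_terms"}), s.state)
    print(s.tick({"heartbeat"}), s.state)
    s.obj["allowed"].discard("alice")             # owner revokes mid-session
    print(s.tick({"heartbeat"}), s.state)
```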

References

1. Abadi D J. Data management in the cloud: limitations and opportuni-

ties. IEEE Data Engineering Bulletin, 2009, 32(1): 3–12

2. Rimal B, Choi E, Lumb I. A taxonomy and survey of cloud computing

systems. In: Proceedings of the 5th International Joint Conference on

INC, IMS and IDC. 2009, 44–51

3. Subashini S, Kavitha V. A survey on security issues in service delivery

models of cloud computing. Journal of Network and Computer Appli-

cations, 2011, 34(1): 1–11

4. Bisong A, Rahman M. An overview of the security concerns in enter-

prise cloud computing. International Journal of Network Security & Its

Application, 2011, 3(1): 30–45

5. Popovic K, Hocenski Z. Cloud computing security issues and chal-

lenges. In: Proceedings of the 33rd International Convention on

MIPRO. 2010, 344–349

6. Arasu A, Eguro K, Kaushik R, Ramamurthy R. Querying encrypted

data. In: Proceedings of the IEEE 29th International Conference on

Data Engineering (ICDE). 2013, 1262–1263

7. Simmonds P, Yeomans A, Dobson I, Arnold J, Secombe A, Johnson P,


Tully S, Ramamorthy B, Kumaraswamy S, Mishra R, Lang U, Laun-

drup J, Wilson Y. Security Guidance for Critical Area of Focus in Cloud

Computing v3.0. Cloud Security Alliance (CSA), 2011

8. Lampson B. Dynamic protection structures. In: Proceedings of the

AFIPS Conference. 1969, 27–38

9. Elisa Bertino R. Database security-concepts, approaches, and chal-

lenges. IEEE Transactions on Dependable and Secure Computing,

2005, 2(1): 1–11

10. M. G. Piattini M, Fernandez-Medina E. Secure databases: state of the

art. In: Proceedings of the IEEE 34th Annual International Carnahan

Conference on Security Technology. 2000

11. Sandhu R, Coyne J, Feinstein L, Youman E. Role based access control

models. Computer Journals and Magazines, 1996, 29(2): 38–47

12. Khan A R. Access control in cloud computing environment. ARPN

Journal of Engineering and Applied Science, 2012, 7(5): 613–615

13. Han W, Lei C. A survey on policy languages in network and security

management. Computer Networks, 2012, 56(1): 477–489

14. Baskerville R. Information systems security design methods: implica-

tions for information systems development. ACM Computing Surveys

(CSUR), 1993, 25(4): 375–414

15. McCollum C J, Messing J R, Notargiacomo L. Beyond the pale of

MAC and DAC-defining new forms of access control. In: Proceedings

of the IEEE Computer Society Symposium on Research in Security

and Privacy. 1990, 190–200

16. Lovell R. Introduction to Cloud Computing. Think Grid, Business On-

demand, 2011

17. Zissis D, Dimitrios L. Addressing cloud computing security issues. Fu-

ture Generation Computer Systems, 2012, 28(3): 583–593

18. Borras J, Sabo J. Report on International Cloud Symposium. Technical

report. 2011

19. Halpert B. Auditing Cloud Computing: A Security and Privacy Guide.

John Wiley & Sons, Inc., 1–13

20. IBM. Strategies for Assessing Cloud Security. Technical report. Global

Technology Services. 2010

21. The Sarbanes-oxley Act of 2002: and Current Proposals by Nyse,

Amex and Nasdaq. Price Water House Coopers, 2003

22. Centers Disease Control and Prevention. Hipaa privacy rule and public

health. guidance from CDC and the US department of health and hu-

man services. MMWR: Morbidity and Mortality Weekly Report, 2003,

52 (Suppl. 1): 1–17

23. Pucciarelli C. It Cloud Decision Economic: 10 Best Practices for Pub-

lic It Cloud Decision Economic. Technical report. 2012

24. Masood R, Shibli M A. Comparative analysis of access control systems

on cloud. In: Proceedings of the 13th ACIS International Conference

on Software Engineering, Artificial Intelligence, Networking and Par-

allel & Distributed Computing (SNPD). 2012, 41–46

25. Jansen W. Directions in Security Metrics Research. DIANE Publish-

ing, 2010

26. Hu V C, Ferraiolo D, Kuhn D R. Assessment of Access Control Sys-

tems. US Department of Commerce, National Institute of Standards

and Technology, 2006

27. Sanka S, Hota C, Rajarajan M. Secure data access in cloud computing.

In: Proceedings of the IEEE 4th International Conference on Internet

Multimedia Services Architecture and Application (IMSAA). 2010,

44–51

28. Harnik D, Kolodne E, Ronen S, Satran J, Shulman A, Tal S. Secure ac-

cess mechanism for cloud storage. Scientific International Journal for

Parallel and Distributed Computing, 2011, 12(3): 317–336

29. Lang U. Openpmf scaas: authorization as a service for cloud & soa

applications. In: Proceedings of the IEEE 2nd International Conference on Cloud Computing Technology and Science (CloudCom). 2010,

634–643

30. Almutairi A, Sarfraz M, Basalamah S, Aref W, Ghafoor A. A dis-

tributed access control architecture for cloud computing software.

IEEE Software Journal, 2012, 29(2): 36–44

31. Sirisha A, Kumari G. Api access control in cloud using the role based

access control model. In: Proceedings of the Trendz in Information

Sciences & Computing (TISC). 2010, 135–137

32. Zhang Y, Chen J L. Access control as a service for public cloud storage.

In: Proceedings of the 32nd International Conference on Distributed

Computing Systems Workshops (ICDCSW). 2012, 526–536

33. Mon E, Naing T. The privacy-aware access control system using ar-

bac in private cloud. In: Proceedings of the 45th Hawaii International

Conference on System Sciences. 2011, 44–51

34. Li H, Zhao G, Chen X, Rong D, Li W, Tang L, Tang Y. Fine-grained

data access control systems with user accountability in cloud comput-

ing. In: Proceedings of the IEEE International Conference on Cloud

Computing Technology and Science (CloudCom). 2010, 89–96

35. Lazouski A, Mancini G, Martinelli F, Mori P. Usage control in cloud

systems. In: Proceedings of the International Conference on Internet

Technology And Secured Transactions. 2012, 202–207

36. Yu S, Wang C, KuiRen WL. Achieving secure, scalable, and fine-

grained data access control in cloud computing. In: Proceedings of the

IEEE International Conference on Computer Communications. 2010,

1–9

37. Li X, Shi Y, Guo Y, Ma W. Multi-tenancy based access control in cloud.

In: Proceedings of the International Conference on Computational In-

telligence and Software Engineering (CiSE). 2010, 1–4

38. Popa L, Yu M, Y. Ko S, Ratnasamy S, Stoica I. Cloudpolice: taking

access control out of the network. In: Proceedings of the 9th ACM

SIGCOMM Workshop on Hot Topics in Networks (Hotnets ’10). 2010

39. Zhu J, Wen Q. SaaS access control research based on ucon. In: Pro-

ceedings of the 4th International Conference on Digital Home (ICDH).

2012, 331–334

40. Bates A, Mood B, Valafar M, Butler K. Towards secure provenance-

based access control in cloud environments. In: Proceedings of the 3rd

ACM Conference on Data and Application Security and Privacy. 2013,

277–284

41. Masood R, Shibli M A, Bilal M, others. Usage control model specifi-

cation in XACML policy language. In: Proceedings of the Computer

Information Systems and Industrial Management. 2012, 68–79

42. Jansen W, Grance T. Guidelines on security and privacy in public cloud

computing. NIST Special Publication, 2011, 800: 144

43. Thomas R, Sandhu R. Towards a task-based paradigm for flexible and

adaptable access control in distributed applications. In: Proceedings of

the 2nd New Security Paradigms Workshop. 1993, 138–142

44. Thomas R, Sandhu R. Conceptual foundations for a model of task

based authorizations. In: Proceedings of the IEEE Computer Security

Foundations Workshop. 1994, 66–79

45. Priebe T, Dobmeier W, Kamprath N. Supporting attribute based access

control with ontologies. In: Proceedings of the 1st International Con-

ference on Availability, Reliability and Security (ARES). 2006, 8

46. Yuan E, Tong J. Attribute based access control, a new access control


approach for service oriented architectures (soa). In: International Con-

ference on Computer Science & Service System (CSSS). 2012, 1405–

1408

47. Cooper A, Martin A. Towards an open, trusted digital rights man-

agement platform. In: Proceedings of the ACM Workshop on Digital

Rights Management. 2006, 79–88

48. Chakraborty S, Ray I. Trustbac: integrating trust relationships into the

rbac model for access control in open systems. In: Proceedings of the

11th ACM Symposium on Access Control Models and Technologies

(SACMAT). 2006, 49–58

49. Kumaraswamy S, Lakshminarayanan S, Stein M R J, Wilson Y. Do-

main 12: Guidance for Identity & Access Management v2. 1. Cloud

Security Alliance (CSA). 2010, 10

50. Junos Pulse Access Control Service 4.4 r1 Supported Platforms Docu-

ment. Technical Report, Juniper Networks. 2013

Rahat Masood completed her MS in

computer & communication security

from School of Electrical Engineer-

ing and Computer Science National

University of Sciences and Technol-

ogy (NUST-SEECS), Pakistan. As a

research fellow at KTH-Applied In-

formation Security Lab, she has con-

ducted research in different domains of

information security particularly including security of unstructured

databases and Cloud computing environments. Her research empha-

sized on designing and developing solutions through state of the art

technologies to protect data and resources, which are being outsourced at third party premises. Cloud computing technologies are

currently her area of interest in which she is exploring various se-

curity issues at software and infrastructure layer services. She has

previously done her BS with honours in software engineering from

University of Engineering and Technology, Pakistan.

Muhammad Awais Shibli is an assistant

professor at School of Electrical En-

gineering and Computer Sciences, Na-

tional University of Sciences and Tech-

nology (NUST-SEECS), Pakistan since

2011. He is presently the director of

KTH-SEECS Applied Information Se-

curity Lab, where he oversees research

and development that include solving

major information security issues in Cloud environments, databases

and mobile agent systems. Dr. Shibli received his MS and PhD de-

grees in Information Security from Kungliga Tekniska Högskolan,

Sweden. He has several publications in international journals and

conferences and has acquired large funds for numerous research

projects. He also serves on a number of committees and panels, in-

cluding IEEE, ACM, Springer, ICT and HEC.

Yumna Ghazi graduated from School of Electrical Engineering and Computer Sciences, National University of Sciences and Technology (NUST-SEECS), Pakistan in 2013 with a BS degree in information and communication systems engineering. For her final project in her senior year, she developed an identity control and access management solution for cloud-based applications. As a student, Yumna has always been open to exploring new ideas, and being a research associate at KTH-SEECS Applied Information Security Lab gives her the latitude to do so. Her fields of interest include the various domains under the umbrella of cyber security and cloud computing.

Ayesha Kanwal has completed her MS degree in the area of computer and communication security from School of Electrical Engineering and Computer Sciences, National University of Sciences and Technology (NUST-SEECS), Pakistan. She also holds a BE degree in software engineering. She is currently working as a research assistant in KTH-SEECS Applied Information Security Lab, in an ICT R&D funded project for Cloud based applications. During her research work, she has published several research articles in prestigious conferences along with impact factor journal papers. Her current research interests include Cloud computing security, design and development of trust evaluation models, cryptography, digital forensics, Cloud virtualization and trust management in Cloud federation.

Arshad Ali is currently working as the principal at School of Electrical Engineering and Computer Sciences, National University of Sciences and Technology, Pakistan, where he is responsible for managing administrative, academic and research affairs. He received his PhD degree from University of Pittsburgh, USA in 1992. His research and development concentrates in the field of grid computing, distributed computing, mobile agents and distributed database systems. Among the various grants that he has received over the years, US-AID, Nokia Research Center of China and Koreon Research Development Program are a few to mention. In addition to all these, Arshad Ali has published 112 journal and conference papers, been granted five US and Korean patents and served as a member of different technical program committees.