Abstract
A major barrier to the adoption of cloud Infrastructure-as-a-Service (IaaS) is collaboration, where multiple tenants engage in collaborative tasks requiring resources to be shared across tenant boundaries. Currently, cloud IaaS providers focus on multi-tenant isolation, and offer limited or no cross-tenant access capabilities in their IaaS APIs. In this paper, we present a novel attribute-based access control (ABAC) model to enable collaboration between tenants in a cloud IaaS, as well as more generally. Our approach allows cross-tenant attribute assignment to provide access to shared resources across tenants. In particular, our tenant-trust relation authorizes a trustee tenant to assign its attributes to users from a trustor tenant, enabling those users to access the trustee tenant's resources. We designate our multi-tenant attribute-based access control model as MT-ABAC. Previously, a multi-tenant role-based access control (MT-RBAC) model has been defined in the literature wherein a trustee tenant can assign its roles to users from a trustor tenant. We demonstrate that MT-ABAC can be configured to enforce MT-RBAC, thus subsuming it as a special case.
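The cross-tenant attribute assignment gated by tenant trust that the abstract describes, as an added illustration rather than the paper's own code or formal model: tenant names, the policy format and the trust-check rule are this example's assumptions. It also shows why attribute provenance matters (only attributes issued by the resource-owning tenant are evaluated) and how a single "role" attribute reduces the model to MT-RBAC.

```python
from dataclasses import dataclass, field
# Added illustration of the abstract's tenant-trust idea; names, policy format and
# trust-check rule are this example's assumptions, not the paper's formal model.
@dataclass
class User:
    name: str
    tenant: str                                 # home (trustor) tenant
    attrs: dict = field(default_factory=dict)   # (issuing tenant, attr) -> value

@dataclass
class Resource:
    name: str
    tenant: str    # owning tenant
    needed: dict   # attr -> value required by the owner's policy

class MTABAC:
    def __init__(self):
        self.trust = set()   # (trustor, trustee): trustee may label trustor's users

    def add_trust(self, trustor, trustee):
        self.trust.add((trustor, trustee))

    def assign(self, issuer, user, attr, value):
        # A tenant assigns one of ITS OWN attributes; cross-tenant assignment
        # requires that the user's home tenant (trustor) trusts the issuer (trustee).
        if user.tenant != issuer and (user.tenant, issuer) not in self.trust:
            return False
        user.attrs[(issuer, attr)] = value
        return True

    def authorize(self, user, res):
        # Only attributes issued by the resource's owning tenant are evaluated,
        # so a tenant cannot self-label its users into another tenant's resources.
        return all(user.attrs.get((res.tenant, a)) == v for a, v in res.needed.items())

def demo():
    ac, out = MTABAC(), {}
    alice = User("alice", "tenantA")
    vm = Resource("vm-42", "tenantB", {"project": "shared-analytics"})
    ac.assign("tenantA", alice, "project", "shared-analytics")   # A labels its own user
    out["self_label_grants"] = ac.authorize(alice, vm)           # False: not B's attribute
    out["untrusted_assign"] = ac.assign("tenantB", alice, "project", "shared-analytics")
    ac.add_trust("tenantA", "tenantB")                           # A (trustor) trusts B (trustee)
    out["trusted_assign"] = ac.assign("tenantB", alice, "project", "shared-analytics")
    out["vm_access"] = ac.authorize(alice, vm)
    # MT-RBAC as a special case: a single "role" attribute stands for tenant B's roles.
    db = Resource("db-7", "tenantB", {"role": "dba"})
    ac.assign("tenantB", alice, "role", "dba")
    out["db_access"] = ac.authorize(alice, db)
    return out
```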
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Pustchi, N., Sandhu, R. (2015). MT-ABAC: A Multi-Tenant Attribute-Based Access Control Model with Tenant Trust. In: Qiu, M., Xu, S., Yung, M., Zhang, H. (eds) Network and System Security. NSS 2015. Lecture Notes in Computer Science, vol 9408. Springer, Cham. https://doi.org/10.1007/978-3-319-25645-0_14
DOI: https://doi.org/10.1007/978-3-319-25645-0_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-25644-3
Online ISBN: 978-3-319-25645-0
eBook Packages: Computer Science (R0)