An insider threat aware access control for cloud relational databases

Published in: Cluster Computing

Abstract

Access control in cloud computing commonly follows a request-response paradigm built from policy decision points (PDPs) and policy enforcement points (PEPs). The model uses PEP-side caching of authorization decisions to increase availability and reduce the processing overhead on the PDP. This paper shows that PEP-side caching can be exploited by insiders to bypass cloud access control mechanisms, which increases the insider threat in cloud computing. To overcome this problem, the paper proposes a manageable model that detects and prevents insider threat at the PEP side with minimum overhead on the performance of the PEP and the PDP. The model has been extensively tested, and the results show its effectiveness in mitigating insider threat. Moreover, the experiments demonstrate that the overhead the model imposes on the PEP and the PDP is low. Lemmas, theorems and an algorithm are provided to show the correctness and the applicability of the proposed approach.
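As an added illustration (not the paper's model or code), the following toy PDP/PEP pair shows the generic risk that comes with caching authorization decisions at the PEP: a cached permit can outlive a revocation at the PDP, so a user whose privileges were withdrawn keeps acting for the rest of the cache window. It pairs that with one assumed mitigation, a policy version stamp that the PEP checks before trusting a cached decision; all names, the scenario and the mechanism are assumptions for this example.

```python
import time


class PDP:
    """Policy decision point: holds (subject, resource, action) grants."""
    def __init__(self):
        self.grants = set()
        self.version = 0  # bumped on every policy change (assumed mechanism)

    def grant(self, subject, resource, action):
        self.grants.add((subject, resource, action))
        self.version += 1

    def revoke(self, subject, resource, action):
        self.grants.discard((subject, resource, action))
        self.version += 1

    def decide(self, subject, resource, action):
        return (subject, resource, action) in self.grants


class PEP:
    """Enforcement point that caches PDP decisions for `ttl` seconds."""
    def __init__(self, pdp, ttl=300.0, check_version=False):
        self.pdp, self.ttl, self.check_version = pdp, ttl, check_version
        self.cache = {}  # key -> (decision, expiry, pdp_version_at_decision)

    def authorize(self, subject, resource, action, now=None):
        now = time.time() if now is None else now
        key = (subject, resource, action)
        hit = self.cache.get(key)
        if hit is not None:
            decision, expiry, ver = hit
            # With check_version, any policy change at the PDP invalidates
            # the entry; without it, the entry is trusted until the TTL ends.
            if now < expiry and (not self.check_version or ver == self.pdp.version):
                return decision
        decision = self.pdp.decide(*key)
        self.cache[key] = (decision, now + self.ttl, self.pdp.version)
        return decision


def revoked_privilege_still_honoured(check_version):
    """Constructed scenario: is a cached permit still honoured after revocation?"""
    pdp = PDP()
    pdp.grant("alice", "payroll", "SELECT")
    pep = PEP(pdp, ttl=300.0, check_version=check_version)
    pep.authorize("alice", "payroll", "SELECT", now=0.0)  # permit gets cached
    pdp.revoke("alice", "payroll", "SELECT")  # the PDP no longer allows it
    return pep.authorize("alice", "payroll", "SELECT", now=10.0)
```

The version check is deliberately coarse (any policy change evicts every cached decision at the PEP), trading cache hit rate for freshness; a finer scheme would invalidate only the entries a change affects.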




Corresponding author

Correspondence to Qussai Yaseen.

About this article

Cite this article

Yaseen, Q., Jararweh, Y., Panda, B. et al. An insider threat aware access control for cloud relational databases. Cluster Comput 20, 2669–2685 (2017). https://doi.org/10.1007/s10586-017-0810-y
