Abstract
The request-response paradigm, consisting of policy decision points (PDPs) and policy enforcement points (PEPs), is used for access control in cloud computing. The model relies on PEP-side caching to increase availability and to reduce the processing overhead on the PDP. This paper shows that PEP-side caching can be exploited by insiders to bypass cloud access control mechanisms, which increases the insider threat in cloud computing. To overcome this problem, the paper proposes a manageable model that detects and prevents insider threat at the PEP side with minimal overhead on the performance of the PEP and the PDP. The model has been extensively tested, and the results show its effectiveness in mitigating insider threat. Moreover, the experiments demonstrate that the overhead the model places on the PEP and the PDP is low. Lemmas, theorems and an algorithm are provided to show the correctness and applicability of the proposed approach.
Cite this article
Yaseen, Q., Jararweh, Y., Panda, B. et al. An insider threat aware access control for cloud relational databases. Cluster Comput 20, 2669–2685 (2017). https://doi.org/10.1007/s10586-017-0810-y