Abstract
Sharing data from various sources and of diverse kinds, and fusing them together for sophisticated analytics and mash-up applications, are emerging trends and are prerequisites for realizing grand visions such as that of cyber-physical systems enabled smart cities. Cloud infrastructure can enable such data sharing, both because it can scale easily to an arbitrary volume of data and computation needs on demand and because of the natural collocation of such diverse data sets within the infrastructure. However, in order to convince data owners that their data are well protected while being shared among cloud users, the cloud platform needs to provide flexible mechanisms for the users to express the constraints (access rules) subject to which the data should be shared, and likewise to enforce them effectively. We study a comprehensive set of practical scenarios where data sharing needs to be enforced by methods such as aggregation, windowed frames, value constraints, etc., and observe that existing basic access control mechanisms do not provide adequate flexibility to support effective data sharing in a secure and controlled manner. In this paper, we thus propose a framework for the cloud that significantly extends the popular XACML model by integrating flexible access control decisions and data access in a seamless fashion. We have prototyped the framework and deployed it on a commercial cloud environment for experimental runs to test the efficacy of our approach and evaluate the performance of the implemented prototype.
Cite this article
Dinh, T.T.A., Wenqiang, W. & Datta, A. City on the Sky: Extending XACML for Flexible, Secure Data Sharing on the Cloud. J Grid Computing 10, 151–172 (2012). https://doi.org/10.1007/s10723-012-9212-9