City on the Sky: Extending XACML for Flexible, Secure Data Sharing on the Cloud

Journal of Grid Computing

Abstract

Sharing data from various sources and of diverse kinds, and fusing them together for sophisticated analytics and mash-up applications, are emerging trends and prerequisites for realizing grand visions such as cyber-physical-systems-enabled smart cities. Cloud infrastructure can enable such data sharing both because it scales easily to arbitrary data volumes and computation needs on demand, and because diverse data sets are naturally collocated within the infrastructure. However, to convince data owners that their data are well protected while being shared among cloud users, the cloud platform must provide flexible mechanisms for users to express the constraints (access rules) under which the data should be shared, and must enforce those constraints effectively. We study a comprehensive set of practical scenarios in which data sharing needs to be enforced by methods such as aggregation, windowed frames, value constraints, etc., and observe that existing basic access control mechanisms do not provide adequate flexibility to support effective data sharing in a secure and controlled manner. In this paper, we therefore propose a framework for the cloud that significantly extends the popular XACML model by integrating flexible access control decisions and data access in a seamless fashion. We have prototyped the framework and deployed it on a commercial cloud environment for experimental runs to test the efficacy of our approach and evaluate the performance of the implemented prototype.
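The abstract's central point is that a plain permit/deny decision is not enough when a data owner wants to share a constrained view of the data (an aggregate, a recent window, or only values within a range). The following is an added illustration written for this page, not code from the paper or its prototype: a toy policy evaluator in which each rule carries a sharing mode, so that a "Permit" decision comes back together with the view the requester is allowed to see. The rule/policy structures, the mode names, the roles and the sensor readings are all assumptions constructed for the example; the real framework's XACML extensions are not reproduced here.

```python
"""Toy policy engine: access decisions that return a constrained view of the data.

Added example for illustration; the data model below is an assumption, not the
paper's XACML extension.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Reading = Tuple[int, str, float]  # (timestamp, sensor_id, value)

# Constructed sample stream of readings from a single data owner.
SAMPLE_READINGS: List[Reading] = [
    (1, "s1", 20.0), (2, "s1", 22.0), (3, "s1", 24.0),
    (4, "s1", 26.0), (5, "s1", 40.0), (6, "s1", 30.0),
]


@dataclass
class Rule:
    role: str                    # subject attribute the rule applies to
    mode: str                    # "raw", "aggregate", "window" or "value"
    param: Optional[float] = None  # window size or value threshold


@dataclass
class Policy:
    resource: str
    rules: List[Rule]


def apply_constraint(rule: Rule, resource: str, rows: List[Reading]) -> list:
    """Transform the raw rows into the view permitted by the rule's sharing mode."""
    if rule.mode == "raw":
        return list(rows)
    if rule.mode == "window":
        # Only the most recent N readings by timestamp are released.
        n = int(rule.param)
        return sorted(rows, key=lambda r: r[0])[-n:]
    if rule.mode == "value":
        # Readings above the threshold (e.g. sensitive spikes) are withheld.
        return [r for r in rows if r[2] <= rule.param]
    if rule.mode == "aggregate":
        # Only an average is released, never individual values.
        vals = [r[2] for r in rows]
        return [("avg", resource, sum(vals) / len(vals))]
    raise ValueError(f"unknown sharing mode: {rule.mode}")


def evaluate(policy: Policy, subject_role: str, resource: str,
             rows: List[Reading]) -> Tuple[str, list]:
    """Return (decision, view). No matching rule means Deny and an empty view."""
    if resource != policy.resource:
        return "NotApplicable", []
    for rule in policy.rules:
        if rule.role == subject_role:
            return "Permit", apply_constraint(rule, resource, rows)
    return "Deny", []


# Constructed policy: the owner sees everything, an analyst only an average,
# a partner only values up to 30, and the public only the two latest readings.
SENSOR_POLICY = Policy("sensor/s1", [
    Rule("owner", "raw"),
    Rule("analyst", "aggregate"),
    Rule("partner", "value", 30.0),
    Rule("public", "window", 2),
])

if __name__ == "__main__":
    for role in ("owner", "analyst", "partner", "public", "stranger"):
        print(role, evaluate(SENSOR_POLICY, role, "sensor/s1", SAMPLE_READINGS))
```

The point of the structure is that the constraint is part of the decision: the enforcement point never hands the raw rows to the requester and leaves filtering to them, and a subject without a matching rule falls through to Deny rather than to the raw data.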



Correspondence to Tien Tuan Anh Dinh.


Dinh, T.T.A., Wenqiang, W. & Datta, A. City on the Sky: Extending XACML for Flexible, Secure Data Sharing on the Cloud. J Grid Computing 10, 151–172 (2012). https://doi.org/10.1007/s10723-012-9212-9
