research-article

CloudPolice: taking access control out of the network

Authors:
Lucian Popa

U.C. Berkeley / ICSI

U.C. Berkeley / ICSI
View Profile

,
Minlan Yu

Princeton Univ.

Princeton Univ.
View Profile

,
Steven Y. Ko

Princeton Univ.

Princeton Univ.
View Profile

,
Sylvia Ratnasamy

Intel Labs Berkeley

Intel Labs Berkeley
View Profile

,
Ion Stoica

U.C. Berkeley

U.C. Berkeley
View Profile

Hotnets-IX: Proceedings of the 9th ACM SIGCOMM Workshop on Hot Topics in NetworksOctober 2010Article No.: 7Pages 1–6https://doi.org/10.1145/1868447.1868454

Published:20 October 2010Publication History

Hotnets-IX: Proceedings of the 9th ACM SIGCOMM Workshop on Hot Topics in Networks

Pages 1–6

ABSTRACT

Cloud computing environments impose new challenges on access control techniques due to multi-tenancy, the growing scale and dynamicity of hosts within the cloud infrastructure, and the increasing diversity of cloud network architectures. The majority of existing access control techniques were originally designed for enterprise environments that do not share these challenges and, as such, are poorly suited for cloud environments. In this paper, we argue that it is both sufficient and advantageous to implement access control only within the hypervisors at the end-hosts. We thus propose Cloud-Police, a system that implements a hypervisor-based access control mechanism. We argue that, not only can CloudPolice support more sophisticated access control policies, it can do so in a manner that is simpler, more scalable and more robust than existing network-based techniques.

References

Amazon security white paper. http://awsmedia.s3.amazonaws.com/pdf/AWS_Security_Whitepaper.pdf.Google Scholar
Amazon virtual desktop services. http://desktop-client-for-amazon-s3.qarchive.org.Google Scholar
Amazon web services. http://aws.amazon.com.Google Scholar
Appnexus real-time ad platform. http://www.appnexus.com.Google Scholar
Instant Ads Set the Pace on the Web. The New York Times. http://www.nytimes.com/2010/03/12/business/media/12adco.html?emc=etal.Google Scholar
Microsoft Azure. http://www.microsoft.com/windowsazure.Google Scholar
The OpenFlow Switch Consortium: www.openflowswitch.org.Google Scholar
M. Al-Fares, A. Loukissas, and A. Vahdat. A scalable, commodity data center network architecture. In SIGCOMM. ACM, 2008. Google ScholarDigital Library
D. G. Andersen, H. Balakrishnan, N. Feamster, T. Koponen, D. Moon, and S. Shenker. Accountable Internet Protocol (AIP). In ACM SIGCOMM, 2008. Google ScholarDigital Library
K. Argyraki and D. R. Cheriton. Active Internet traffic filtering: Real-time response to Denial-of-Service attacks. In USENIX Annual Tech. Conf., 2005. Google ScholarDigital Library
M. Casado, M. J. Freedman, J. Pettit, J. Luo, N. McKeown, and S. Shenker. Ethane: Taking control of the enterprise. In ACM SIGCOMM, 2007. Google ScholarDigital Library
M. Dobrescu, N. Egi, K. Argyraki, B.-g. Chun, K. Fall, G. Iannaccone, A. Knies, M. Manesh, and S. Ratnasamy. RouteBricks: Exploiting Parallelism to Scale Software Routers. In ACM SOSP, 2009. Google ScholarDigital Library
P. Garimella, Y.-W. E. Sung, N. Zhang, and S. Rao. Characterizing VLAN usage in an operational network. Workshop on Internet Network Management, 2007. Google ScholarDigital Library
A. Greenberg, J. Hamilton, D. A. Maltz, and P. Patel. The Cost of a Cloud: Research Problems in Data Center Networks. Comput. Commun. Rev., 2009. Google ScholarDigital Library
A. Greenberg, J. R. Hamilton, N. Jain, S. Kandula, C. Kim, P. Lahiri, D. A. Maltz, P. Patel, and S. Sengupta. VL2: A Scalable and Flexible Data Center Network. ACM SIGCOMM, August 17--21 2009. Google ScholarDigital Library
C. Guo, G. Lu, D. Li, H. Wu, X. Zhang, Y. Shi, C. Tian, Y. Zhang, and S. Lu. BCube: A High Performance, Server-centric Network Architecture for Modular Data Centers. ACM SIGCOMM, 2009. Google ScholarDigital Library
C. Guo, H. Wu, K. Tan, L. Shi, Y. Zhang, and S. Lu. Dcell: A Scalable and Fault-tolerant Network Structure for Data Centers. In SIGCOMM, 2008. Google ScholarDigital Library
S. Han, K. Jang, K. Park, and S. Moon. PacketShader: a GPU-Accelerated Software Router. In ACM SIGCOMM, 2010. Google ScholarDigital Library
J. Ioannidis and S. M. Bellovin. Implementing Pushback: Router-Based Defense Against DDoS Attacks. In NDDS, 2002.Google Scholar
S. Kandula, J. Padhye, and P. Bahl. Flyways To De-Congest Data Center Networks. In HotNets, 2009.Google Scholar
B. Pfaff, J. Pettit, K. Amidon, M. Casado, T. Koponen, and S. Shenker. Extending Networking into the Virtualization Layer. In HotNets, 2009.Google Scholar
B. Raghavan and A. C. Snoeren. A System for Authenticated Policy-Compliant Routing. In ACM SIGCOMM, 2004. Google ScholarDigital Library
A. Shieh, S. Kandula, A. Greenberg, and C. Kim. Seawall: Performance Isolation for Cloud Datacenter Networks. HotCloud, 2010. Google ScholarDigital Library
Srikanth K and Sudipta Sengupta and Albert Greenberg and Parveen Patel and Ronnie Chaiken. The Nature of Datacenter Traffic: Measurements & Analysis. In Internet Measurement Conference. ACM, November 2009. Google ScholarDigital Library
Y.-W. E. Sung, S. Rao, G. Xie, and D. Maltz. Towards Systematic Design of Enterprise Networks. In ACM CoNEXT, 2008. Google ScholarDigital Library
A. Yaar, A. Perrig, and D. Song. SIFF: A stateless Internet flow filter to mitigate DDoS flooding attacks. In IEEE Symp. on Security and Priv., 2004.Google ScholarCross Ref
X. Yang, D. J. Wetherall, and T. Anderson. A DoS-limiting Network Architecture. In ACM SIGCOMM, 2005. Google ScholarDigital Library
M. Yu, X. Sun, N. Feamster, S. Rao, and J. Rexford. Virtual LAN Usage and Challenges in Campus Networks. Princeton University Technical Report 2010 http://www.cs.princeton.edu/~jrex/papers/vlan10.pdf.Google Scholar

Recommendations

PBDM: a flexible delegation model in RBAC
SACMAT '03: Proceedings of the eighth ACM symposium on Access control models and technologies

Role-based access control (RBAC) is recognized as an efficient access control model for large organizations. Most organizations have some business rules related to access control policy. Delegation of authority is among these rules. RBDM0 and RDM2000 ...
Read More
Configuring role-based access control to enforce mandatory and discretionary access control policies

Access control models have traditionally included mandatory access control (or lattice-based access control) and discretionary access control. Subsequently, role-based access control has been introduced, along with claims that its mechanisms are general ...
Read More
A flexible role-based delegation model using characteristics of permissions
DEXA'05: Proceedings of the 16th international conference on Database and Expert Systems Applications

Role-Based Access Control(RBAC) has recently received considerable attention as a promising alternative to traditional discretionary and mandatory access controls.[7] RBAC ensures that only authorized users are given access to protected data or ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
Hotnets-IX: Proceedings of the 9th ACM SIGCOMM Workshop on Hot Topics in Networks
October 2010
136 pages
ISBN:9781450304092
DOI:10.1145/1868447
General Chairs:
Geoffrey Xie
Naval Postgraduate School
,
Robert Beverly
Naval Postgraduate School
,
Program Chairs:
Robert Morris
MIT
,
Bruce Davie
Cisco Systems
Copyright © 2010 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 20 October 2010
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate110of460submissions,24%
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 53
  Total Citations
  View Citations
- 697
  Total Downloads
- Downloads (Last 12 months)11
- Downloads (Last 6 weeks)0
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

CloudPolice: taking access control out of the network

Hotnets-IX: Proceedings of the 9th ACM SIGCOMM Workshop on Hot Topics in Networks

ABSTRACT

References

Cited By

Recommendations

PBDM: a flexible delegation model in RBAC

Configuring role-based access control to enforce mandatory and discretionary access control policies

A flexible role-based delegation model using characteristics of permissions