ABSTRACT
Cloud computing environments impose new challenges on access control techniques due to multi-tenancy, the growing scale and dynamicity of hosts within the cloud infrastructure, and the increasing diversity of cloud network architectures. The majority of existing access control techniques were originally designed for enterprise environments that do not share these challenges and, as such, are poorly suited for cloud environments. In this paper, we argue that it is both sufficient and advantageous to implement access control only within the hypervisors at the end-hosts. We thus propose CloudPolice, a system that implements a hypervisor-based access control mechanism. We argue that not only can CloudPolice support more sophisticated access control policies, it can do so in a manner that is simpler, more scalable and more robust than existing network-based techniques.
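The following is an added illustration of the end-host enforcement model the abstract argues for; it is not code from the CloudPolice paper and does not reproduce its design. The model, the `Hypervisor`, `TenantPolicy`, `Rule` and `Packet` names, and the assumed mechanics (the sending hypervisor stamps each packet with the tenant that owns the source VM, the receiving hypervisor evaluates the destination tenant's policy before delivering to the VM) are assumptions made for this example. It shows why no network element needs per-tenant state: the only place a policy lives is on the host that runs the tenant's VMs, so a VM migration simply moves the policy with the VM.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALL_PORTS = range(0, 65536)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    # Filled in by the sending hypervisor (an assumption of this example);
    # anything a guest VM writes here is discarded on egress.
    src_tenant: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    src_tenant: str   # tenant whose VMs this rule applies to
    ports: range      # destination ports the rule covers
    action: str       # "allow" or "deny"


@dataclass
class TenantPolicy:
    """Inbound policy written by one tenant; first matching rule wins."""
    rules: List[Rule]
    default: str = "deny"

    def decide(self, src_tenant: str, dst_port: int) -> str:
        for r in self.rules:
            if r.src_tenant == src_tenant and dst_port in r.ports:
                return r.action
        return self.default


class Hypervisor:
    """Hypothetical end-host enforcement point (not CloudPolice's design)."""

    def __init__(self, host: str) -> None:
        self.host = host
        self.local_vms: Dict[str, str] = {}          # VM IP -> owning tenant
        self.policies: Dict[str, TenantPolicy] = {}  # only tenants hosted here

    def attach_vm(self, ip: str, tenant: str, policy: TenantPolicy) -> None:
        self.local_vms[ip] = tenant
        self.policies[tenant] = policy

    def detach_vm(self, ip: str) -> Tuple[str, TenantPolicy]:
        tenant = self.local_vms.pop(ip)
        policy = self.policies[tenant]
        if tenant not in self.local_vms.values():
            del self.policies[tenant]          # no more VMs of that tenant here
        return tenant, policy

    def egress(self, pkt: Packet) -> Optional[Packet]:
        """Stamp the packet with the source VM's real tenant; drop spoofed sources."""
        tenant = self.local_vms.get(pkt.src_ip)
        if tenant is None:
            return None
        return Packet(pkt.src_ip, pkt.dst_ip, pkt.dst_port, src_tenant=tenant)

    def ingress(self, pkt: Packet) -> bool:
        """Evaluate the destination tenant's own policy before delivery to the VM."""
        tenant = self.local_vms.get(pkt.dst_ip)
        if tenant is None or pkt.src_tenant is None:
            return False
        return self.policies[tenant].decide(pkt.src_tenant, pkt.dst_port) == "allow"


def deliver(sender: Hypervisor, receiver: Hypervisor, pkt: Packet) -> bool:
    """Constructed end-to-end path: sender stamps, network forwards, receiver decides."""
    stamped = sender.egress(pkt)
    return stamped is not None and receiver.ingress(stamped)


def migrate_vm(ip: str, src: Hypervisor, dst: Hypervisor) -> None:
    """Moving a VM moves its tenant's policy; nothing in the network changes."""
    tenant, policy = src.detach_vm(ip)
    dst.attach_vm(ip, tenant, policy)


def build_demo() -> Tuple[Hypervisor, Hypervisor]:
    # Constructed sample deployment: two hosts, two tenants A and B.
    policy_a = TenantPolicy([Rule("A", ALL_PORTS, "allow"),   # own VMs: everything
                             Rule("B", range(443, 444), "allow")])  # B: HTTPS only
    policy_b = TenantPolicy([Rule("B", ALL_PORTS, "allow")])  # everyone else: deny
    hv1, hv2 = Hypervisor("host1"), Hypervisor("host2")
    hv1.attach_vm("10.0.1.1", "A", policy_a)
    hv1.attach_vm("10.0.1.2", "B", policy_b)
    hv2.attach_vm("10.0.2.1", "A", policy_a)
    hv2.attach_vm("10.0.2.2", "B", policy_b)
    return hv1, hv2
```

In this model the guest's own claim about its tenant is irrelevant: a B-owned VM that writes `src_tenant="A"` into a packet still has it overwritten by its hypervisor, so tenant A's policy sees the true source. The same property is what lets policies stay compact (one entry per peer tenant rather than per IP) and follow VMs across hosts without touching switch or VLAN configuration.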