ABSTRACT
Cloud computing offers most of its services in multi-tenant environments. To satisfy security requirements among collaborating tenants, each tenant may define a set of access control policies that secure access to shared data. Several cloud solutions use XACML to specify such policies. However, existing XACML implementations perform a brute-force search, comparing a request against every rule in a policy, which degrades decision (i.e., policy evaluation) performance, especially for policies with a large number of rules. In this paper, we propose an automata-based approach to efficient XACML policy evaluation and implement it in a cloud policy engine called X2Automata. The engine first converts both the XACML policy and the access request into automata; second, it combines the two automata by a synchronous product; third, it applies an evaluation procedure to the resulting automaton to decide whether the access request is granted. To highlight the efficiency of X2Automata, we compare its performance, in the OpenStack cloud environment, with that of the XACML implementation Balana.
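As an added illustration of the three-step scheme sketched in the abstract (example code written for this page, not X2Automata's or Balana's implementation), the following Python compiles a small set of XACML-style rules into a trie-shaped automaton whose edges carry (attribute, value) symbols, turns a request into a word over the same alphabet, walks the synchronous product, and applies a rule-combining algorithm to the effects of the accepting states it reaches. The attribute order, the sample rules, the requests and the three combining algorithms are constructed assumptions; a brute-force evaluator over the same rules is included so that both decision procedures can be compared on every request.

```python
"""Automaton-based evaluation of XACML-style rules.

Added example written for this page; it is not X2Automata's or Balana's code.
A policy is compiled into a trie-shaped automaton whose edges carry
(attribute, value) symbols, a request is a word over the same alphabet, and
the decision is read off the synchronous product walk.  The attribute order,
sample rules and combining algorithms below are assumptions for the example.
"""
from collections import defaultdict
from itertools import count

ANY = "*"                                        # wildcard edge label
ATTRIBUTES = ("subject", "resource", "action")   # assumed attribute order
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


def combine(matched, algorithm):
    """Apply a rule-combining algorithm to (rule_index, effect) pairs."""
    if not matched:
        return NOT_APPLICABLE
    effects = {effect for _, effect in matched}
    if algorithm == "deny-overrides":
        return DENY if DENY in effects else PERMIT
    if algorithm == "permit-overrides":
        return PERMIT if PERMIT in effects else DENY
    if algorithm == "first-applicable":
        return min(matched)[1]                   # lowest rule index wins
    raise ValueError(f"unknown combining algorithm: {algorithm}")


class PolicyAutomaton:
    """One layer of edges per attribute; accepting states carry rule effects."""

    def __init__(self):
        self.start = 0
        self._ids = count(1)
        self.edges = defaultdict(dict)   # state -> {(attr, value): next state}
        self.accept = defaultdict(list)  # state -> [(rule_index, effect)]
        self.rules = []                  # kept only for the brute-force comparison

    def add_rule(self, effect, **match):
        """match maps attribute -> set of accepted values; an absent attribute is ANY."""
        index = len(self.rules)
        self.rules.append((effect, match))
        frontier = {self.start}
        for attr in ATTRIBUTES:
            nxt = set()
            for state in frontier:
                for value in match.get(attr, {ANY}):
                    # Rules with equal constraints on the leading attributes
                    # reuse the same edge, so their prefixes are shared.
                    label = (attr, value)
                    if label not in self.edges[state]:
                        self.edges[state][label] = next(self._ids)
                    nxt.add(self.edges[state][label])
            frontier = nxt
        for state in frontier:
            self.accept[state].append((index, effect))

    def evaluate(self, request, algorithm="deny-overrides"):
        """Synchronous product of the policy automaton and the request word."""
        states = {self.start}
        for attr in ATTRIBUTES:
            value = request.get(attr)
            # A missing request attribute can only follow wildcard edges.
            labels = ((attr, ANY),) if value is None else ((attr, value), (attr, ANY))
            states = {self.edges.get(s, {})[label]
                      for s in states for label in labels
                      if label in self.edges.get(s, {})}
            if not states:                       # product died: no rule applies
                return NOT_APPLICABLE
        matched = [m for s in states for m in self.accept.get(s, [])]
        return combine(matched, algorithm)


def brute_force(rules, request, algorithm="deny-overrides"):
    """Reference evaluation: compare the request with every rule."""
    matched = [(i, effect) for i, (effect, match) in enumerate(rules)
               if all(request.get(attr) in values for attr, values in match.items())]
    return combine(matched, algorithm)


def build_sample_policy():
    """Constructed sample policy (assumption for the example, not from the paper)."""
    policy = PolicyAutomaton()
    policy.add_rule(PERMIT, subject={"alice", "bob"}, resource={"report"}, action={"read"})
    policy.add_rule(DENY, subject={"bob"}, action={"write"})
    policy.add_rule(PERMIT, subject={"admin"})
    policy.add_rule(DENY, resource={"audit-log"}, action={"write"})
    return policy


if __name__ == "__main__":
    policy = build_sample_policy()
    requests = [
        {"subject": "alice", "resource": "report", "action": "read"},
        {"subject": "bob", "resource": "report", "action": "write"},
        {"subject": "admin", "resource": "audit-log", "action": "write"},
        {"subject": "carol", "resource": "report", "action": "read"},
        {"subject": "admin", "resource": "report"},      # action attribute missing
    ]
    for req in requests:
        for algorithm in ("deny-overrides", "permit-overrides", "first-applicable"):
            decision = policy.evaluate(req, algorithm)
            assert decision == brute_force(policy.rules, req, algorithm)
            print(f"{algorithm:18} {req} -> {decision}")
```

The product walk touches at most one layer of edges per request attribute, so its cost grows with the number of distinct symbols on the current frontier rather than with the total rule count, which is the effect the abstract attributes to the automaton approach; the brute-force evaluator, by contrast, visits every rule for every request. The admin/audit-log/write request reaches two accepting states with conflicting effects, which is why the combining algorithm has to be part of the evaluation step and not of the automaton construction.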
Towards an Efficient Policy Evaluation Process in Multi-Tenancy Cloud Environments