Access Control As a Service in Cloud: Challenges, Impact and Strategies

  • Muhammad Awais Shibli (email author)
  • Rahat Masood
  • Umme Habiba
  • Ayesha Kanwal
  • Yumna Ghazi
  • Rafia Mumtaz
Part of the Computer Communications and Networks book series (CCN)


The evolution of service-oriented architecture has given birth to the promising cloud technology, which enables the outsourcing of existing hardware and software information technology (IT) infrastructure via the Internet. Since the cloud offers services to a variety of organizations under the same umbrella, it raises security issues including unauthorized access to resources and misuse of data stored on a third-party platform. The fact that the cloud supports multiple tenants is the biggest concern among organizations: how to prevent malicious users from accessing and manipulating data they have no right to access. In this regard, various access control techniques have been proposed, which concentrate on certain authorization issues such as the ease of privilege assignment or the resolution of policy conflicts, while ignoring other important weaknesses such as the lack of interoperability and the management issues that arise in the dynamic cloud environment. To cover all these challenges, access control as a service (ACaaS), which stems from its significantly more popular parent, security as a service (SECaaS), is considered a viable solution for mediating cloud service consumers’ access to sensitive data. In this chapter, we assist the cloud community in understanding the various issues associated with providing authorization services in the cloud, which may be technical, such as privilege escalation and separation of duties, or managerial, such as the steep requirement of time and money for this purpose. ACaaS is the comprehensive solution to some of the issues highlighted previously. We also discuss the significance and impact of ACaaS, along with the strategies reported in the literature for providing secure access to the applications hosted on the cloud.
We then holistically cover the authorization requirements of the cloud environment, specifically for the software as a service (SaaS) model, evaluating the extant relevant solutions based on certain defined factors from the National Institute of Standards and Technology (NIST). The outcome of our research is that an ideal ACaaS should be extensive and holistic, encompassing all the requisite security and managerial features and providing an efficient and reliable access control mechanism to cloud consumers that complies with international standards.
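The abstract names tenant isolation, separation of duties and privilege escalation as the technical authorization problems an ACaaS has to mediate. The following added example (not code from the chapter or its authors; all tenant, user, role and permission names are constructed) sketches a minimal shared policy decision point that several tenants register their own RBAC policy with. It refuses cross-tenant requests outright, treats role assignment as an operation that is itself authorized, blocks a grantor from handing out permissions it does not hold (one simple anti-escalation rule, an assumption rather than a standard model), and enforces static separation-of-duties constraints between roles.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

Decision = Tuple[str, str]  # ("Permit" | "Deny", reason)


@dataclass(frozen=True)
class Principal:
    """A caller as seen by the shared authorization service."""
    user: str
    tenant: str


@dataclass
class TenantPolicy:
    """Per-tenant RBAC policy: role -> permissions ("action:resource_type"),
    plus unordered role pairs that no single user may hold at once (static SoD)."""
    role_permissions: Dict[str, Set[str]]
    sod_conflicts: Set[FrozenSet[str]] = field(default_factory=set)


class AccessControlService:
    """Toy ACaaS policy decision point serving several tenants (constructed example)."""

    def __init__(self) -> None:
        self.policies: Dict[str, TenantPolicy] = {}
        self.assignments: Dict[Tuple[str, str], Set[str]] = {}  # (tenant, user) -> roles

    def register_tenant(self, tenant: str, policy: TenantPolicy) -> None:
        self.policies[tenant] = policy

    def bootstrap(self, tenant: str, user: str, role: str) -> None:
        """Trusted provisioning step: seed a tenant's first administrator."""
        self.assignments.setdefault((tenant, user), set()).add(role)

    def permissions_of(self, p: Principal) -> Set[str]:
        policy = self.policies.get(p.tenant)
        perms: Set[str] = set()
        if policy is not None:
            for role in self.assignments.get((p.tenant, p.user), set()):
                perms |= policy.role_permissions.get(role, set())
        return perms

    def assign_role(self, grantor: Principal, tenant: str, user: str, role: str) -> Decision:
        """Administrative operation, itself subject to the same checks as data access."""
        if grantor.tenant != tenant:
            return ("Deny", "cross-tenant administration")
        policy = self.policies.get(tenant)
        if policy is None or role not in policy.role_permissions:
            return ("Deny", "unknown tenant or role")
        grantor_perms = self.permissions_of(grantor)
        if "assign:role" not in grantor_perms:
            return ("Deny", "grantor lacks assign:role")
        # Anti-escalation (assumed rule): a grantor may not hand out a role whose
        # permissions exceed the grantor's own effective permissions.
        if not policy.role_permissions[role] <= grantor_perms:
            return ("Deny", "role exceeds grantor's own permissions")
        held = self.assignments.setdefault((tenant, user), set())
        for existing in held:
            if frozenset({existing, role}) in policy.sod_conflicts:
                return ("Deny", f"separation of duties: {existing} conflicts with {role}")
        held.add(role)
        return ("Permit", "role assigned")

    def decide(self, p: Principal, action: str, resource_tenant: str, resource_type: str) -> Decision:
        """Data-access decision: tenant isolation first, then role permissions."""
        if p.tenant != resource_tenant:
            return ("Deny", "tenant isolation")
        needed = f"{action}:{resource_type}"
        if needed in self.permissions_of(p):
            return ("Permit", needed)
        return ("Deny", f"missing {needed}")


def run_demo() -> Dict[str, Decision]:
    """Constructed scenario with two tenants sharing one ACaaS instance."""
    acs = AccessControlService()
    full = {"assign:role", "read:record", "write:record", "submit:payment", "approve:payment"}
    acs.register_tenant("acme", TenantPolicy(
        {"admin": set(full), "clerk": {"submit:payment"}, "approver": {"approve:payment"}},
        sod_conflicts={frozenset({"clerk", "approver"})}))
    acs.register_tenant("globex", TenantPolicy(
        {"admin": set(full), "auditor": {"read:record"}}))
    acs.bootstrap("acme", "alice", "admin")
    acs.bootstrap("globex", "bob", "admin")
    alice, bob = Principal("alice", "acme"), Principal("bob", "globex")
    carol, erin = Principal("carol", "acme"), Principal("erin", "globex")
    return {
        "assign_clerk": acs.assign_role(alice, "acme", "carol", "clerk"),
        "assign_conflicting": acs.assign_role(alice, "acme", "carol", "approver"),
        "cross_tenant_admin": acs.assign_role(alice, "globex", "erin", "auditor"),
        "assign_auditor": acs.assign_role(bob, "globex", "erin", "auditor"),
        "auditor_escalates": acs.assign_role(erin, "globex", "erin", "admin"),
        "clerk_submits": acs.decide(carol, "submit", "acme", "payment"),
        "clerk_approves": acs.decide(carol, "approve", "acme", "payment"),
        "clerk_reads_other_tenant": acs.decide(carol, "read", "globex", "record"),
    }


if __name__ == "__main__":
    for name, (effect, reason) in run_demo().items():
        print(f"{name:26s} {effect:6s} {reason}")
```

The ordering in `decide` is deliberate: the tenant check runs before any policy lookup, so a request against another tenant's resources is denied even when the caller happens to hold a role of the same name there. A production ACaaS would express the policy in a standard language such as XACML and log every denial for the tenant's auditors, but the decision logic stays the same shape.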


Keywords: Access control as a service; Authorization; Cloud security; Security as a service; Software as a service



Copyright information

© Springer-Verlag London 2014

Authors and Affiliations

  • Muhammad Awais Shibli (1), email author
  • Rahat Masood (1)
  • Umme Habiba (1)
  • Ayesha Kanwal (1)
  • Yumna Ghazi (1)
  • Rafia Mumtaz (1)
  1. School of Electrical Engineering and Computer Science (SEECS), National University of Sciences and Technology (NUST), Islamabad, Pakistan
