Abstract
Provenance-based Access Control (PBAC) has recently emerged as an effective access control approach that uses the readily available history information of underlying systems to enhance various aspects of access control in a computing environment. Adding PBAC capabilities to the authorization engine of a multi-tenant cloud Infrastructure-as-a-Service (IaaS) such as OpenStack can enhance the access control capabilities of cloud systems. Toward this purpose, we introduce tenant-awareness to the PBAC_C [14] model by capturing the tenant as contextual information in the attribute provenance data. Built on this model, we present a cloud service architecture that provides PBAC authorization service and management. We discuss in depth the variations of PBAC authorization deployment architecture within the OpenStack platform and implement a proof-of-concept prototype. We analyze the initial experimental results and discuss approaches for potential improvements.
References
OASIS, Extensible access control markup language (XACML), v2.0 (2005)
Bates, A., Mood, B., Valafar, M., Butler, K.: Towards secure provenance-based access control in cloud environments. In: Proceedings of the Third ACM Conference on Data and Application Security and Privacy, CODASPY 2013, pp. 277–284. ACM, New York (2013)
Braun, U., Shinnar, A., Seltzer, M.: Securing provenance. In: The 3rd USENIX Workshop on Hot Topics in Security, USENIX HotSec, pp. 1–5. USENIX Association, Berkeley (2008)
Creeger, M.: Cloud computing: An overview
Hasan, R., Sion, R., Winslett, M.: Introducing secure provenance: problems and challenges. In: Proceedings of the 2007 ACM Workshop on Storage Security and Survivability, StorageSS 2007, pp. 13–18. ACM, New York (2007)
Hasan, R., Sion, R., Winslett, M.: Preventing history forgery with secure provenance. Trans. Storage 5(4), 12:1–12:43 (2009)
Jin, X., Krishnan, R., Sandhu, R.: A unified attribute-based access control model covering DAC, MAC and RBAC. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds.) DBSec 2012. LNCS, vol. 7371, pp. 41–55. Springer, Heidelberg (2012)
Klyne, G., Carroll, J.J.: Resource description framework (RDF): Concepts and abstract syntax. World Wide Web Consortium, Recommendation REC-rdf-concepts-20040210 (February 2004)
Mell, P., Grance, T.: The NIST definition of cloud computing. Special Publication, 800–145 (2011)
Moreau, L., Clifford, B., Freire, J., Futrelle, J., Gil, Y., Groth, P., Kwasnikowska, N., Miles, S., Missier, P., Myers, J., Plale, B., Simmhan, Y., Stephan, E., den Bussche, J.V.: The open provenance model core specification (v1.1), vol. 27, pp. 743–756 (2011)
Nguyen, D., Park, J., Sandhu, R.: Dependency path patterns as the foundation of access control in provenance-aware systems. In: 4th USENIX Workshop on the Theory and Practice of Provenance, TaPP 2012. USENIX Association (June 2012)
Nguyen, D., Park, J., Sandhu, R.: Integrated provenance data for access control in group-centric collaboration. In: 2012 IEEE 13th International Conference on Information Reuse and Integration (IRI), pp. 255–262 (2012)
Nguyen, D., Park, J., Sandhu, R.: A provenance-based access control model for dynamic separation of duties. In: 11th Annual Conference on Privacy, Security and Trust, PST 2013. IEEE (July 2013)
Park, J., Nguyen, D., Sandhu, R.: A provenance-based access control model. In: 10th Annual Conference on Privacy, Security and Trust, PST 2012. IEEE (July 2012)
Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. IEEE Computer 29(2), 38–47 (1996)
Sun, L., Park, J., Sandhu, R.: Engineering access control policies for provenance-aware systems. In: Proceedings of the Third ACM Conference on Data and Application Security and Privacy, CODASPY 2013, pp. 285–292. ACM, New York (2013)
Tan, V., Groth, P.T., Miles, S., Jiang, S., Munroe, S., Tsasakou, S., Moreau, L.: Security issues in a SOA-based provenance system. In: Moreau, L., Foster, I. (eds.) IPAW 2006. LNCS, vol. 4145, pp. 203–211. Springer, Heidelberg (2006)
© 2014 Springer International Publishing Switzerland
Nguyen, D., Park, J., Sandhu, R. (2014). Adopting Provenance-Based Access Control in OpenStack Cloud IaaS. In: Au, M.H., Carminati, B., Kuo, CC.J. (eds) Network and System Security. NSS 2015. Lecture Notes in Computer Science, vol 8792. Springer, Cham. https://doi.org/10.1007/978-3-319-11698-3_2
DOI: https://doi.org/10.1007/978-3-319-11698-3_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-11697-6
Online ISBN: 978-3-319-11698-3
eBook Packages: Computer Science (R0)