SDAC: A New Software-Defined Access Control Paradigm for Cloud-Based Systems

  • Ruan He
  • Montida Pattaranantakul
  • Zonghua Zhang
  • Thomas Duval
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10631)


A cloud-based system usually runs in multiple geographically distributed datacenters, making the deployment of effective access control models extremely challenging. This paper presents a novel software-defined paradigm, called SDAC, to achieve scoped, flexible and dynamic access control. In particular, SDAC enables the tenant-specific generation of an access control model and policy (SMPolicy for short), as well as their dynamic configuration by the cloud-hosting applications. To achieve that, SDAC uses an access control meta-model to initiate and customize different SMPolicies. Also, SDAC is decoupled into a control plane and a policy plane, allowing the global SMPolicy generated at the control plane to be efficiently propagated to the policy plane and enforced locally in different datacenters. As such, the local SMPolicy of a tenant can be synchronized with its global SMPolicy only when necessary, e.g., when a user or a role cannot be identified. To validate the feasibility and effectiveness of SDAC, we implement a prototype in a carrier-grade datacenter. The experimental results demonstrate that SDAC can achieve the desirable properties and maintain throughput at a reasonable level regardless of the varying number of tenants, users, and datacenters, preserving a high degree of scalability and adaptability.



Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Ruan He (1)
  • Montida Pattaranantakul (2, 3)
  • Zonghua Zhang (2, 3)
  • Thomas Duval (1)

  1. Orange labs, Châtillon, France
  2. IMT Lille Douai, Institut Mines-Télécom, Paris, France
  3. CNRS UMR 5157 SAMOVAR, Paris, France
