
Adopting Provenance-Based Access Control in OpenStack Cloud IaaS

  • Conference paper
Network and System Security (NSS 2015)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 8792)

Abstract

Provenance-based Access Control (PBAC) has recently emerged as an effective access control approach that uses the readily available history information of an underlying system to enhance various aspects of access control in a computing environment. Adding PBAC capabilities to the authorization engine of a multi-tenant cloud Infrastructure-as-a-Service (IaaS) such as OpenStack can strengthen the access control capabilities of cloud systems. To this end, we introduce tenant-awareness to the PBAC_C [14] model by capturing the tenant as contextual information in the attribute provenance data. Built on this model, we present a cloud service architecture that provides a PBAC authorization service and its management. We discuss in depth the variations of PBAC authorization deployment architecture within the OpenStack platform and implement a proof-of-concept prototype. We analyze the initial experimental results and discuss approaches for potential improvements.
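To make the abstract's two ideas concrete, the following is an added illustration (not the paper's prototype and not OpenStack or rdflib code) of how a PBAC engine evaluates a request against tenant-tagged provenance. It builds a small OPM-style graph (object wasGeneratedBy action, action used object, action wasControlledBy actor) from a constructed log, evaluates a dependency path pattern in the style of [12] to collect every action in an object's derivation history, and applies two assumed policies: a tenant-aware rule that denies access to any object whose history includes an action from another tenant, and a history-based dynamic separation of duties rule in the spirit of [14] that stops a user from approving an object they helped produce. All names, tenants, edge labels and policy rules are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample provenance log (illustration, not data from the paper).
# One record per action: who did it, the tenant the action ran in, what it used
# and what it generated. "tenant" is the contextual attribute the paper adds.
PROV_LOG = [
    {"actor": "alice", "tenant": "tenantA", "action": "upload",   "used": [],       "generated": "img1"},
    {"actor": "bob",   "tenant": "tenantA", "action": "snapshot", "used": ["img1"], "generated": "snap1"},
    {"actor": "carol", "tenant": "tenantB", "action": "upload",   "used": [],       "generated": "img2"},
    {"actor": "dave",  "tenant": "tenantB", "action": "snapshot", "used": ["img1"], "generated": "snap2"},
]


class ProvenanceGraph:
    """OPM-style graph: object -gby-> action, action -used-> object, action -cby-> actor."""

    def __init__(self):
        self.edges = defaultdict(list)   # (node, label) -> [successor nodes]
        self.action_attrs = {}           # action node -> {"tenant": ..., "action": ...}

    def add_record(self, idx, rec):
        act = f"act{idx}"
        self.edges[(rec["generated"], "gby")].append(act)
        for obj in rec["used"]:
            self.edges[(act, "used")].append(obj)
        self.edges[(act, "cby")].append(rec["actor"])
        self.action_attrs[act] = {"tenant": rec["tenant"], "action": rec["action"]}

    def follow(self, nodes, pattern):
        """Evaluate a dependency path pattern from a set of start nodes.

        A pattern is a list whose items are edge labels (follow one edge) or
        nested lists (Kleene star: the sub-pattern repeated zero or more times).
        Returns the set of nodes reached after the whole pattern.
        """
        frontier = set(nodes)
        for step in pattern:
            if isinstance(step, list):
                seen, work = set(frontier), set(frontier)
                while work:
                    work = self.follow(work, step) - seen
                    seen |= work
                frontier = seen
            else:
                frontier = {m for n in frontier for m in self.edges.get((n, step), [])}
        return frontier


def build_graph(log):
    g = ProvenanceGraph()
    for idx, rec in enumerate(log):
        g.add_record(idx, rec)
    return g


# Pattern: walk the object's whole derivation chain (gby used)*, then gby to
# every action that produced the object or any of its ancestors.
ANCESTRY_ACTIONS = [["gby", "used"], "gby"]


def authorize(graph, user, user_tenant, op, obj):
    """Return (decision, reason) for `user` in `user_tenant` doing `op` on `obj`."""
    acts = graph.follow({obj}, ANCESTRY_ACTIONS)
    if not acts:
        return False, "no provenance for object"
    origin_tenants = {graph.action_attrs[a]["tenant"] for a in acts}
    contributors = {u for a in acts for u in graph.edges.get((a, "cby"), [])}

    # Tenant-aware rule (assumed policy): deny if any action in the object's
    # history ran in a tenant other than the requester's.
    foreign = origin_tenants - {user_tenant}
    if foreign:
        return False, f"cross-tenant provenance: {sorted(foreign)}"
    # History-based dynamic separation of duties (assumed policy): whoever
    # contributed to the object's history may not approve it.
    if op == "approve" and user in contributors:
        return False, "DSoD: requester appears in object's provenance"
    return True, "permit"


if __name__ == "__main__":
    g = build_graph(PROV_LOG)
    for req in [("alice", "tenantA", "approve", "snap1"),   # denied: alice uploaded img1
                ("erin",  "tenantA", "approve", "snap1"),   # permitted: not in history
                ("alice", "tenantA", "read",    "img2"),    # denied: img2 is tenantB's
                ("bob",   "tenantA", "read",    "snap2")]:  # denied: snapshot taken in tenantB
        print(req, "->", authorize(g, *req))
```

The point of the pattern walk is that tenant and actor are read from the actions in the object's history, not from a label on the object itself, so a snapshot taken in one tenant from another tenant's image carries both tenants in its provenance and is refused to both under the strict rule shown here.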


References

  1. rdflib. https://code.google.com/p/rdflib/

  2. OASIS: Extensible access control markup language (XACML), v2.0 (2005)

  3. Bates, A., Mood, B., Valafar, M., Butler, K.: Towards secure provenance-based access control in cloud environments. In: Proceedings of the Third ACM Conference on Data and Application Security and Privacy, CODASPY 2013, pp. 277–284. ACM, New York (2013)

  4. Braun, U., Shinnar, A., Seltzer, M.: Securing provenance. In: The 3rd USENIX Workshop on Hot Topics in Security, USENIX HotSec, pp. 1–5. USENIX Association, Berkeley (2008)

  5. Creeger, M.: Cloud computing: An overview

  6. Hasan, R., Sion, R., Winslett, M.: Introducing secure provenance: problems and challenges. In: Proceedings of the 2007 ACM Workshop on Storage Security and Survivability, StorageSS 2007, pp. 13–18. ACM, New York (2007)

  7. Hasan, R., Sion, R., Winslett, M.: Preventing history forgery with secure provenance. ACM Trans. Storage 5(4), 12:1–12:43 (2009)

  8. Jin, X., Krishnan, R., Sandhu, R.: A unified attribute-based access control model covering DAC, MAC and RBAC. In: Cuppens-Boulahia, N., Cuppens, F., Garcia-Alfaro, J. (eds.) DBSec 2012. LNCS, vol. 7371, pp. 41–55. Springer, Heidelberg (2012)

  9. Klyne, G., Carroll, J.J.: Resource description framework (RDF): Concepts and abstract syntax. World Wide Web Consortium, Recommendation REC-rdf-concepts-20040210 (February 2004)

  10. Mell, P., Grance, T.: The NIST definition of cloud computing. NIST Special Publication 800-145 (2011)

  11. Moreau, L., Clifford, B., Freire, J., Futrelle, J., Gil, Y., Groth, P., Kwasnikowska, N., Miles, S., Missier, P., Myers, J., Plale, B., Simmhan, Y., Stephan, E., Van den Bussche, J.: The open provenance model core specification (v1.1), vol. 27, pp. 743–756 (2011)

  12. Nguyen, D., Park, J., Sandhu, R.: Dependency path patterns as the foundation of access control in provenance-aware systems. In: 4th USENIX Workshop on the Theory and Practice of Provenance, TaPP 2012. USENIX Association (June 2012)

  13. Nguyen, D., Park, J., Sandhu, R.: Integrated provenance data for access control in group-centric collaboration. In: 2012 IEEE 13th International Conference on Information Reuse and Integration (IRI), pp. 255–262 (2012)

  14. Nguyen, D., Park, J., Sandhu, R.: A provenance-based access control model for dynamic separation of duties. In: 11th Annual Conference on Privacy, Security and Trust, PST 2013. IEEE (July 2013)

  15. Park, J., Nguyen, D., Sandhu, R.: A provenance-based access control model. In: 10th Annual Conference on Privacy, Security and Trust, PST 2012. IEEE (July 2012)

  16. Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. IEEE Computer 29(2), 38–47 (1996)

  17. Sun, L., Park, J., Sandhu, R.: Engineering access control policies for provenance-aware systems. In: Proceedings of the Third ACM Conference on Data and Application Security and Privacy, CODASPY 2013, pp. 285–292. ACM, New York (2013)

  18. Tan, V., Groth, P.T., Miles, S., Jiang, S., Munroe, S., Tsasakou, S., Moreau, L.: Security issues in a SOA-based provenance system. In: Moreau, L., Foster, I. (eds.) IPAW 2006. LNCS, vol. 4145, pp. 203–211. Springer, Heidelberg (2006)


Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Nguyen, D., Park, J., Sandhu, R. (2014). Adopting Provenance-Based Access Control in OpenStack Cloud IaaS. In: Au, M.H., Carminati, B., Kuo, CC.J. (eds) Network and System Security. NSS 2015. Lecture Notes in Computer Science, vol 8792. Springer, Cham. https://doi.org/10.1007/978-3-319-11698-3_2


  • DOI: https://doi.org/10.1007/978-3-319-11698-3_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-11697-6

  • Online ISBN: 978-3-319-11698-3
