FP-International Journal of Computer Science Research (IJCSR)
Volume 2, Issue 1, Pages 32-36, March 2015
Review on the Models of Access Control for Cloud Computing

Gagandeep Kaur
Department of Computer Science
Chandigarh University, Gharuan, Punjab, India
Geetkhangura10@gmail.com

Arvinder Kaur
Department of Computer Science
Chandigarh University, Gharuan, Punjab, India
Arvindercse.cgc@gmail.com
ABSTRACT
Cloud computing is a dominant paradigm that provides a range of resources and cost-effective software services to clients on demand, such as Software as a Service, Platform as a Service and Infrastructure as a Service. These services offer many benefits to their clients, but the data still has to be protected against unauthorized access. Security can be enhanced by using an access control mechanism that admits only authorized access, so access control is an important aspect of cloud computing. This paper focuses on the various access control mechanisms used in cloud computing environments and gives an insight into how access control models enhance data security. With this aim, the paper presents a review of the background of access control for security.

General Terms
Cloud Computing, Access Control Models.

Keywords
Cloud Computing, Access Control, Discretionary Access Control, Mandatory Access Control, Other Access Control Models.

1. INTRODUCTION
In the modern era cloud computing is an important paradigm in industry and academia; it provides ubiquitous computing and offers on-demand access. The definition of cloud computing provided by NIST [1] is: cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Cloud computing has become an exciting prospect which not only brings opportunities but also creates challenges for securing data. Access control is the process that prevents illegal access to data by granting permissions on the data stored in the cloud. System security relies on access control.

There are five essential characteristics according to the Cloud Security Alliance [2]: on-demand self-service, resource pooling, broad network access, rapid elasticity and measured service. The service and deployment models provided by a cloud computing environment are shown in Fig 1.

In SaaS (Software as a Service) the cloud provider provides applications over the network which can be used by the cloud users. In PaaS (Platform as a Service) the cloud provider provides the environment in which users create and deploy their applications. IaaS (Infrastructure as a Service) provides storage and network capacity to customers on demand.

Fig 1. Cloud Computing Model [3].

Deployment models can be categorized as follows. A public cloud provides a cloud environment that is publicly accessible and is referred to as an off-premise cloud. A private cloud is referred to as an on-premise cloud; it is owned and maintained by a single organization. A community cloud is shared by several organizations with a common set of concerns and serves that target set of users. In a hybrid cloud two or more clouds (private, public, and community) are combined.

The rest of the paper is organized as follows. Section 2 discusses the access control mechanism, Section 3 discusses the related work, and Section 4 concludes the paper.
2. ACCESS CONTROL MECHANISM

Access control is any mechanism or policy that grants or denies access to a system and identifies illegal access attempted by unauthorized users [4]. Identity-based access control models are the most widely used access control models [4].

Access control originated in the 1960s to manage access to shared information. It is an important aspect of data security, to which the primary properties of confidentiality, integrity and availability are directly tied. From the perspective of access control, the cloud provider provides the following: i) control of access to services based on the applicable policies and the service level purchased by the customer; ii) control of access to a user's data by other users; iii) control of access to both administrative functions, based on privilege, and consumer functions; iv) updating and maintenance of the access control policies. Access control thus ensures legitimate access to data resources by limiting the privileges a user has to access a data item or file.

Cloud storage access control has become a challenging research subject and many scholars have carried out research on access control methods.

3. RELATED WORK

Traditional access control methods can be categorized as DAC (discretionary access control) [5], MAC (mandatory access control) [6] and RBAC (role-based access control) [7]. These models are based on a centralized control model and are applied in static single-domain environments.

In DAC (discretionary access control) the object owner decides and sets the permissions that allow other users to access the data. DAC grants access to data based on the identity of the user and on authorizations that define the permissions (read/write/execute) for members of the same group and for members of other groups. The user has total control over their own programs. DAC consists of access attributes and access rules: access attributes provide the distinct authorization levels and access rules describe the methods used to prevent unauthorized access to sensitive data. DAC deals with i) system auditing events, ii) permission inheritance, iii) user-based authorization and iv) administrative privileges.

MAC (mandatory access control) is used in multi-level security systems, where the administrator, and no other subject, decides the access permissions of the system. The MAC model is based on the security levels of the subjects accessing objects and of the objects themselves. The traditional MAC security properties are [8]: read down (a subject may read an object only if the subject's current security level dominates the object's level, i.e. no read up) and write up (a subject may write an object only if the object's level dominates the subject's current level, i.e. no write down). MAC follows a hierarchical approach to controlling access to cloud data that depends on security levels, and is widely used in government and military applications.

A. Role Based Access Control Model
The role-based access control (RBAC) model was developed in the 1990s and later became an American national standard (ANSI INCITS 359-2004). RBAC introduces the concept of a role and removes the management defect that arises in the standard access matrix model from assigning permissions directly to users [9]. Roles in RBAC act as a bridge between permissions and users [10], logically separating the two; access control then consists of two mappings, permissions to roles and roles to users. R. Sandhu et al. (George Mason University) proposed the RBAC96 family of models in 1996 [11], giving a systematic introduction. After that, ARBAC97 (administrative RBAC) [12] was proposed by Sandhu et al.; it describes the concepts of administrative roles and rights and moves away from centralized management of role assignment and role definition.

M. B. Zhao et al. [13] proposed the CCRBAC (cloud computing RBAC) model, which adds three kinds of constraint: environment, time and limitation. To make the access control mechanism more flexible, the attributes of subjects and objects were modified and a subject role was added; subject and object security levels and attributes were also imported into the model.

Bertino et al. [14] proposed the temporal RBAC (TRBAC) model, which enables and disables roles at run time according to user requests. In [15] the authors observed that sometimes roles need to be enabled all the time and presented the generalized TRBAC (GTRBAC) model, which supports role activation in addition to role enabling. When a user assumes a role, this is known as role activation. GTRBAC adds constraints on the duration of an activation assigned to a user and on the maximum number of activations of a role by a single user within a given interval of time.

L. L. Wei [16] proposed a risk-based dynamic multi-domain access control model that introduces the concept of risk into access control. The risk level and the length of an access (visit) are linked together, and thereby fine-grained access control is realized.

Q. N. Shen et al. [17] presented a flexible access control mechanism for cloud storage. The mechanism is based on the RBAC model and combines organization labels with logical groupings of many security attributes. It ensures strong isolation of data between different enterprises.
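The three traditional models reviewed above, together with the two GTRBAC temporal constraints (role enabling windows and per-user activation cardinality), as an added worked example written for this review; it is not code from the paper or from any of the cited schemes. The users, roles, security levels, compartments, objects and time values in it are all constructed assumptions, and time is a plain integer (hour of day) for simplicity.

```python
"""Added worked example (written for this review; not code from the paper or
from any cited scheme).  The three traditional models discussed above as
small policy-decision functions, plus the two GTRBAC temporal constraints
(role enabling windows and per-user activation cardinality).  All users,
roles, levels, objects and time values are constructed for the example;
time is a plain integer (e.g. hour of day) for simplicity."""
from dataclasses import dataclass, field


# ---------- DAC: the object owner manages the ACL at their discretion ----------
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)      # user -> set of permissions

    def grant(self, actor, user, perms):
        """Only the owner may change the ACL; returns False otherwise."""
        if actor != self.owner:
            return False
        self.acl.setdefault(user, set()).update(perms)
        return True

    def allowed(self, user, perm):
        return user == self.owner or perm in self.acl.get(user, set())


# ---------- MAC: Bell-LaPadula checks on a (level, compartments) lattice ----------
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def dominates(a, b):
    """Label a dominates label b if its level is >= and its compartment set
    is a superset.  Labels are (level_name, frozenset_of_compartments)."""
    return LEVELS[a[0]] >= LEVELS[b[0]] and a[1] >= b[1]


def mac_allowed(subject, obj, op):
    """read  -> simple security property: subject dominates object (no read up)
    write -> *-property: object dominates subject (no write down)
    The administrator fixes the labels; no subject can change them here."""
    if op == "read":
        return dominates(subject, obj)
    if op == "write":
        return dominates(obj, subject)
    raise ValueError(f"unknown operation {op!r}")


# ---------- RBAC with GTRBAC-style temporal constraints ----------
@dataclass
class TemporalRbac:
    role_perms: dict          # role -> set of permissions (PA)
    user_roles: dict          # user -> set of roles       (UA)
    enabled: dict             # role -> (start, end): enabled for start <= t < end
    max_activations: dict     # role -> (limit, window): per-user cardinality
    activations: list = field(default_factory=list)   # (user, role, time)

    def is_enabled(self, role, now):
        start, end = self.enabled.get(role, (0, float("inf")))
        return start <= now < end

    def activate(self, user, role, now):
        """A user may activate a role only if it is assigned to them, is
        currently enabled, and the per-user activation limit in the sliding
        window has not been reached."""
        if role not in self.user_roles.get(user, set()):
            return False
        if not self.is_enabled(role, now):
            return False
        limit, window = self.max_activations.get(role, (None, None))
        if limit is not None:
            recent = [t for (u, r, t) in self.activations
                      if u == user and r == role and now - window < t <= now]
            if len(recent) >= limit:
                return False
        self.activations.append((user, role, now))
        return True

    def allowed(self, user, role, perm, now):
        """Permissions flow only through a role the user has activated and
        that is still enabled at decision time.  Sessions are never expired
        here; a real system would close them."""
        active = any(u == user and r == role for (u, r, _) in self.activations)
        return (active and self.is_enabled(role, now)
                and perm in self.role_perms.get(role, set()))
```

The point worth noticing is where the decision authority sits in each block: the DAC object owner can widen access at will, the MAC labels are fixed by the administrator and the subject cannot bypass them, and in RBAC a permission is never checked against the user directly but only through a currently enabled, activated role.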
Shen et al. [17] also provide proper isolation for the internal data of an enterprise, realize data sharing between enterprises by introducing the concept of a virtual organization, and restrict data sharing between competing enterprises by introducing the concept of conflict of interest.

Y. P. Zhu and J. Zhang [18] proposed an extension of RBAC for SaaS (Software as a Service) in a multi-tenant environment that takes the particularity of roles into account; the model contains a tenant role. Another variant of access control for cloud computing based on RBAC is the attribute-role-based access control model (ARBAC) [19], in which certain attributes and values are assigned to data objects; a user holding a particular role must submit appropriate values for those attributes, and the service provider grants access to the objects after proper validation.

T. Ristenpart et al. [20] presented a fine-grained key-based ARBAC mechanism in which symmetric or private keys are assigned to users to encrypt or decrypt the attribute values defined for data objects whose privacy needs to be protected.

A distributed RBAC model for dynamic coalition environments, dRBAC (Distributed Role-based Access Control for Dynamic Coalition Environments), was proposed by Freudenthal et al. [21]. The model has three features that distinguish it from RBAC: valued (numeric) attributes, third-party delegation and credential subscription. dRBAC merges the advantages of trust management systems and RBAC. Users of this model have to manage identity information because data and services are stored in clouds of the same type, which makes cross-domain identity authentication requests complex.

In [22] the author proposed the cloud-RBAC model, which runs on a cloud computing platform. The model inherits the features of RBAC and dRBAC and contains one administrator role. Each user has a distinct cloud-RBAC identity, and resources can be supplied without the identity information a certificate would carry. Each role carries domain information, and each domain has a specific administrator role for managing its internal RBAC. Cloud-RBAC reduces the data redundancy caused by superabundant identity information management and improves the performance of the access control system.

B. Trust Based Access Control Model
Z. J. Tan [23] proposed the TBDAC (Trust Based Dynamic Access Control) model, which combines RBAC and trust management. The model provides a lightweight certificate with which a user certifies the validity of their identity and their access rights via the role and trust-rank information carried in the certificate. The trust model is based on a vector mechanism [24]; the literature represents the trust rank of an entity in two ways, recommended trust and direct trust, and the strategies given by this model resist attacks on both recommended and direct trust.

In [25] the idea of trust rank is introduced into the access control model. The authors analyzed the features of cloud computing security and proposed a trust-based multi-domain access control model built on trust management and the RBAC model. The model builds the relation between a user and the cloud computing platform by analyzing the user's actions.

C. Access Control Model Based on Attribute-Based Encryption
Mohamed Nabeel and Elisa Bertino [26] proposed a fine-grained attribute-based access control system for groups of users, each identified by a set of attributes. Attribute-based systems are needed by collaborative applications for the distribution and management of group keys. The system supports monotonic access control policies over the attribute set and reduces the need to establish private communication channels, which is expensive.

J. Bethencourt et al. [27] proposed CP-ABE (ciphertext-policy attribute-based encryption), and AB-ACCS (Attribute-Based Access Control for Cloud Storage) [28] is a ciphertext access control method built on it. A user is associated with a set of attributes and the data is associated with a condition over attributes; the data can be decrypted only if the user's attributes satisfy that condition. By controlling the attributes in the ciphertext, the data owner manages access authority directly, and the model thereby reduces the cost of managing access authority.

C. Hong et al. [29] presented a ciphertext access control method based on a secret sharing scheme. The method avoids the secret key re-encryption [30] that a change of access control policy would otherwise cause, thereby reducing the re-encryption cost borne by the data owner and the complexity of authority management.

Jingxin K. Wang et al. [31] presented a model for data security and authentication in a hybrid cloud. They discussed different techniques for protecting users' data from illegal access; the security model comprises an authentication interface, multi-level virtualization and single encryption. The main focus of the idea is authentication, which is based on a CA and the PKI model.

In [32] the author proposed a distributed attribute-based access control model that uses the characteristics of KP-ABE (key-policy attribute-based encryption) [33] and CP-ABE. The author's analysis shows that the model can satisfy users' requirement of composing multiple access control policies.
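The access-structure mechanics shared by CP-ABE and AB-ACCS [27, 28] and by the secret-sharing method of [29], as an added worked example written for this review; it is not code from the paper or from any of those schemes. The root secret that protects the data is Shamir-shared down a threshold policy tree and a user reconstructs it only if their attribute set satisfies the tree. Two assumptions replace the cryptography the paper does not detail: the pairing-based blinding of a real CP-ABE ciphertext is reduced to the rule that a user can read exactly the leaf shares for the attributes they hold, and the symmetric layer is a SHA-256 keystream stand-in rather than a production cipher. The attribute names, policies and message are constructed.

```python
"""Added worked example (written for this review; not code from the paper,
from CP-ABE/AB-ACCS [27, 28] or from the secret-sharing method of [29]).
Models the access-structure half of those schemes: the root secret that
protects the data key is Shamir-shared down a threshold policy tree, and a
user reconstructs it only if their attribute set satisfies the tree.
Assumptions: the pairing-based blinding of a real CP-ABE ciphertext is
replaced by the rule that a user can read exactly the leaf shares for the
attributes they hold; the symmetric layer is a SHA-256 keystream stand-in,
not a production cipher.  Attribute names, policies and the message are
constructed for the example."""
import hashlib
import secrets

P = (1 << 127) - 1   # prime field for Shamir sharing (a constructed choice)


def _lagrange_at_zero(points):
    """Interpolate f(0) from k points (x, f(x)) over GF(P)."""
    total = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def share(secret, policy):
    """Policy: an attribute string (leaf) or (k, [sub-policies]) meaning
    'at least k of' (AND is k = n, OR is k = 1).  Returns the share tree:
    child i of a gate receives f(i) for a random degree k-1 polynomial f
    with f(0) = secret, exactly as CP-ABE pushes shares down the tree."""
    if isinstance(policy, str):
        return ("leaf", policy, secret)
    k, children = policy
    assert 1 <= k <= len(children), "threshold must be within 1..n"
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]

    def f(x):
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

    return ("gate", k, [(i, share(f(i), child))
                        for i, child in enumerate(children, start=1)])


def recover(node, attrs):
    """DecryptNode analogue: returns the node's secret, or None if the
    attribute set does not satisfy the subtree."""
    if node[0] == "leaf":
        _, attr, value = node
        # Assumption: a user only obtains the shares of attributes they hold.
        return value if attr in attrs else None
    _, k, children = node
    points = []
    for x, child in children:
        v = recover(child, attrs)
        if v is not None:
            points.append((x, v))
            if len(points) == k:
                return _lagrange_at_zero(points)
    return None


def _keystream(secret, n):
    """Toy keystream derived from the root secret (stand-in for a real AEAD)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(secret.to_bytes(16, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(message, policy):
    """Returns (ciphertext, root_secret); the data owner keeps root_secret."""
    s = secrets.randbelow(P)
    body = bytes(a ^ b for a, b in zip(message, _keystream(s, len(message))))
    return {"shares": share(s, policy), "body": body}, s


def decrypt(ciphertext, attrs):
    s = recover(ciphertext["shares"], attrs)
    if s is None:
        return None
    body = ciphertext["body"]
    return bytes(a ^ b for a, b in zip(body, _keystream(s, len(body))))


def reshare(ciphertext, root_secret, new_policy):
    """Policy change without re-encrypting the body, as in [29]: the owner
    re-shares the unchanged root secret under the new tree.  Caveat: a user
    who already reconstructed root_secret keeps it, so this does not revoke
    them; revocation still needs re-keying, which is what the PRE/LRE
    combination in [34] addresses."""
    return {"shares": share(root_secret, new_policy), "body": ciphertext["body"]}
```

The policy tree is the data owner's access authority in the sense the paper describes: changing who may decrypt is a change to the share tree, not to the user list, and with `reshare` it is not a change to the encrypted body either. The caveat in `reshare` is the one a practitioner has to keep in mind when reading the re-encryption cost claims of [29] and [34]: lowering the cost of a policy change is not the same as revoking a user who has already recovered the key.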
The model in [32] adopts a unified authorization authority architecture and certifies users' identities with a PKI (public key infrastructure), which issues public and private key certificates to roles.

S. Yu et al. [34] presented access control strategies on the theoretical basis of KP-ABE, PRE (proxy re-encryption) and LRE (lazy re-encryption) [35, 36]. The method uses KP-ABE to manage the secret key information exchanged between the data owner and the data users, and LRE is used to reduce the computational load on the cloud.

4. CONCLUSION

In cloud computing, access control is a major area of research for enhancing the security of user data stored in the cloud computing environment. Various access control methods that have been widely used in the past and present were discussed. DAC, MAC and RBAC are the traditional access control methods for ensuring the security of user data, and several related access control models were also discussed. The main focus of this paper is to understand the different access control methods in cloud computing. In access control models there is always a conflict between resource consumption and security; achieving higher security in access control with lower computation, communication and storage cost will remain the main focus of ongoing research.

5. REFERENCES

[1] P. Mell and T. Grance, "Draft NIST working definition of cloud computing," vol. 15, Aug. 2009.
[2] Cloud Security Alliance. (2009, Apr. 1). Security Guidance for Critical Areas of Focus in Cloud Computing. http://www.cloudsecurityalliance.org/guidance/csaguide.v1.0.pdf
[3] W. Jansen and T. Grance. (2011). Guidelines on security and privacy in public cloud computing. NIST Special Publication 800-144.
[4] Yingjie Xia, Li Kuang and Mingzhe Zhu, "A Hierarchical Access Control Scheme in Cloud using HHECC," Information Technology Journal, 9(8), pp. 1598-1606, 2010.
[5] R. Sandhu and Q. Munawer. (1998). How to do Discretionary Access Control Using Roles. In: Proceedings of the 3rd ACM Workshop on Role-Based Access Control, Fairfax, VA. New York: ACM, pp. 47-54.
[6] J. H. Saltzer and M. D. Schroeder. (1975). "The Protection of Information in Computer Systems." Proceedings of the IEEE, 63(9), pp. 1278-1308.
[7] M. Z. Chen. (2007). "Research on The Application of Role-based Access Control Model." Journal of Engineering in Tianjin Normal University, 17(2), pp. 35-37.
[8] Ravi S. Sandhu and Pierangela Samarati, "Access Control: Principles and Practice," IEEE Communications Magazine, September 1994.
[9] W. P. Zhou and S. N. Lu. (2007). Research on RBAC Access Control. Computer Security, 2, pp. 11-16.
[10] J. B. D. Joshi, E. Bertino, U. Latif, et al. (2005). A Generalized Temporal Role-Based Access Control Model. IEEE Transactions on Knowledge and Data Engineering, 17(1), pp. 4-23.
[11] R. S. Sandhu, E. J. Coyne, H. L. Feinstein, et al. (1996). Role-Based Access Control Models. IEEE Computer, 29(2), pp. 38-47.
[12] R. S. Sandhu, V. Bhamidipati and Q. Munawer. (1999). The ARBAC97 model for role-based administration of roles. ACM Transactions on Information and System Security, 2(1), pp. 105-135.
[13] M. B. Zhao and Z. Q. Yao. (2011). RBAC-based Access Control Model in Cloud Computing. Computer Application, 32(S2), pp. 267-270.
[14] D. Nurmi, R. Wolski, C. Grzegorczyk, S. Soman, L. Youseff and D. Zagorodnov, "The Eucalyptus Open-Source Cloud-Computing System," Proceedings of the International Symposium on Cluster Computing and the Grid, pp. 124-131, 2009.
[15] B. Shafiq, J. B. D. Joshi, E. Bertino and A. Ghafoor, "Secure Interoperation in a Multi-domain Environment Employing RBAC Policies," IEEE Transactions on Knowledge and Data Engineering, vol. 17, no. 11, pp. 1557-1577, Nov. 2005.
[16] L. L. Wei and J. B. Yuan. (2012). Research on the Risks in cross-domain RBAC model under cloud computing environment. Mini-Micro Computer Systems, 33(12), pp. 2721-2723.
[17] Q. N. Shen, Y. H. Yang, X. Yu, et al. (2011). A multi-tenant cloud storage oriented Access Control Strategy. Mini-Micro Computer Systems, 32(11), pp. 2223-2229.
[18] Y. P. Zhu and J. Zhang. (2011). Research on Access Control in SaaS. Computer Engineering and Application, 47(24), pp. 12-26.
[19] K. Yang and X. Jia, "Attribute-based Access Control for Multi-Authority Systems in Cloud Storage," Proceedings of the 32nd IEEE International Conference on Distributed Computing Systems, pp. 536-545, 2012.
[20] T. Ristenpart, E. Tromer, H. Shacham and S. Savage, "Hey, You, Get off my Cloud: Exploring Information Leakage in Third-Party Compute Clouds," Proceedings of the 16th ACM Conference on Computer and Communications Security, pp. 199-212, 2009.
[21] Eric Freudenthal, Tracy Pesin, Lawrence Port, et al. (2002, July). dRBAC: distributed role-based access control for dynamic coalition environments. In: Proceedings of the 22nd International Conference on Distributed Computing Systems (ICDCS'02), pp. 411-434.
[22] W. L. Deng. (2012). The Application of Access Control System in the Cloud Computing Platform. Bulletin of Science and Technology, 28(12), pp. 214-216.
[23] Z. J. Tan, "Research on Trust-based Access Control Model in the Cloud Computing Environment," Ph.D. dissertation, Hunan University, 2011.
[24] H. Jameel, L. X. Hung, U. Kalim, et al. (2005). A Trust Model for Ubiquitous Systems based on Vectors of Trust Values. In: Proceedings of the 7th IEEE International Symposium on Multimedia. Washington: IEEE Computer Society Press, pp. 674-679.
[25] Y. Y. Bie and G. Y. Lin. (2012). Trust-based Multi-domain Access Control Strategy in Cloud Computing. Information Security and Technology, 3(10), pp. 39-52.
[26] M. Nabeel and E. Bertino, "Towards attribute based group key management," in Proceedings of the 18th ACM Conference on Computer and Communications Security, Chicago, Illinois, USA, 2011.
[27] J. Bethencourt, A. Sahai and B. Waters. (2007). Ciphertext-policy attribute-based encryption. In: Proceedings of the 2007 IEEE Symposium on Security and Privacy. Piscataway, NJ: IEEE, pp. 321-334.
[28] C. Hong, M. Zhang and D. G. Feng. (2010). AB-ACCS: A Ciphertext Access Control Method for Cloud Storage. Computer Research and Development, 47(Suppl.), pp. 259-265.
[29] C. Hong, M. Zhang and D. G. Feng. (2011). A Cloud Storage Oriented Efficient Dynamic Ciphertext Access Control Method. Journal on Communications, 32(7), pp. 125-132.
[30] M. Blaze, G. Bleumer and M. Strauss. (1998). Divertible Protocols and Atomic Proxy Cryptography. Advances in Cryptology. Springer-Verlag, pp. 127-144.
[31] Jingxin K. Wang and Xinpei Jia, "Data Security and Authentication in Hybrid Cloud Computing Model," IEEE, 2012, pp. 117-120.
[32] Z. L. Zhang and C. F. Wang. (2012). Attribute-based Distributed Access Control Scheme in the Cloud. Computer Engineering, 38(11), pp. 1-4.
[33] V. Goyal, O. Pandey, A. Sahai, et al. (2006). Attribute-based encryption for fine-grained access control of encrypted data. In: Proceedings of the 13th ACM Conference on Computer and Communications Security. New York, USA.
[34] S. Yu, C. Wang, K. Ren, et al. (2010). Achieving secure, scalable, and fine-grained data access control in cloud computing. In: Proceedings of IEEE INFOCOM, pp. 534-542.
[35] M. Kallahalla, E. Riedel, et al. (2003). Plutus: Scalable secure file sharing on untrusted storage. In: Proceedings of the 2nd USENIX Conference on File and Storage Technologies. Berkeley: USENIX Association, pp. 29-42.
[36] K. Fu. Group sharing and random access in cryptographic storage file systems. Master's thesis, MIT, 1999.