Extensible Access Control Framework for Cloud Applications
KTH-SEECS
Applied Information Security Lab SEECS NUST
Implementation Perspective
Agenda
• Motivation
• Background
– XACML
– Access control models
• Our Contribution
– Research Perspective
– Implementation Perspective
• Work in Progress
– Implementation Demo
• Q & A Session
Motivation
Security as a Service (SECaaS) offerings to Cloud Service Consumers: Email Security aaS, Identity aaS, Access control aaS, Network Security aaS, Encryption aaS, Data protection aaS
Extensible Access Control Framework for Cloud Applications
Framework: the essential supporting structure of a system
Access Control: restricting illegal access to the resources under consideration
Extensible: the ability to extend the system through the addition of new functionality
What are we providing?
An extensible access control framework
Access control models: is there a holistic solution for deploying these models?
Is there any standard set for implementation?
What do we need?
XACML
XACML stands for eXtensible Access Control Markup Language
A standard ratified by a standards organization (OASIS)
Existing Solutions
• Enhancements in XACML 3.0
• ABAC Implementation (proprietary)
• PicketLink XACML Implementation (open source)
• XACML PEP in Java
• XACML Implementation (open source)
Our Solution
Why do we need three access control models (ACMs)?
Identities, Roles, Resources
RBAC Issues
• Challenges appear when it is extended across domains
• Does not consider environment attributes
• Not well suited to a highly distributed environment
• Adding or deleting the duties of a role involves updating too many policy stores
Attribute-based Access Control (ABAC)
Example subject attributes: Professor, Software, Teaches (CSP 401), Office (238), Head (SEC lab)
Fine Grained Access Control (FGAC)
Usage-based Access Control (UCON)
Pre-Usage Decisions
On-Going Usage Decisions
Post-Usage Decisions
Research Contribution
XACML Profile
• The standard set of OASIS eXtensible Access Control Markup Language (XACML) specifications for implementing a given access control model [xyz] is known as the XACML profile for [xyz] access control.
Development Perspective
Architecture & Workflow
Components: Application User, PEPaaS (Policy Enforcement Point as a Service), PDPaaS (Policy Decision Point as a Service), Policy Repository, Resources, 3rd Party Resources
1. Authentication
2a. Access Application Resource
2b. Redirect to PEPaaS
3. Forward XACML Request (PEPaaS to PDPaaS)
4a. Find Policy / 4b. Applicable Policy (PDPaaS and Policy Repository)
5. Evaluate
6. Return XACML Response to PEPaaS; Access Granted
Administration flow: System Administrator, PAPaaS (Policy Administration Point as a Service), Attribute Repository, Policy Repository
Register User
Exchange Meta-data
a) Authenticate Admin
b) After authentication, redirect browser to PAPaaS
c) Store / d) Retrieve (Attribute Repository)
e) Store XACML Policies (Policy Repository)
Workflow
PAP Components: 1. Subject 2. Resource 3. Action 4. Environment
Generation: 1. XACML Policy Generation 2. XACML PolicySet Generation
Policy elements: 1. Condition 2. Target 3. Rule 4. Obligation 5. Policy 6. Policy Set
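The PEPaaS to PDPaaS exchange in the workflow above (steps 3 to 6) and the policy elements the PAP generates (Target, Rule, Condition, Obligation, Policy, PolicySet), shown as an added Python example that is not part of the framework or of this deck: a constructed XACML 3.0 PolicySet is evaluated by a minimal PDP against a request context, and a deny-biased PEP turns the decision into allow/deny plus the obligations it must fulfil. The attribute ids resource-type, course-id, teaches and network-zone, the policy and rule ids, and the obligation id are assumptions; the request is a Python dict standing in for the XACML Request document, keyed by attribute category.

```python
# Constructed example (not the framework's code): a minimal XACML 3.0 PDP plus a deny-biased PEP.
import xml.etree.ElementTree as ET
NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:"
RESOURCE, ACTION, ENV = CAT + "resource", CAT + "action", CAT + "environment"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STRING = "http://www.w3.org/2001/XMLSchema#string"
FN = "urn:oasis:names:tc:xacml:1.0:function:"
# Constructed policy (attribute ids are assumptions): read the grades of a course you teach, never from off campus.
POLICY_XML = f"""<PolicySet xmlns="{NS}" PolicySetId="grades-set" Version="1.0"
 PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides"><Target/>
 <Policy PolicyId="grades-policy" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target><AnyOf><AllOf>
   <Match MatchId="{FN}string-equal"><AttributeValue DataType="{STRING}">grades</AttributeValue>
    <AttributeDesignator Category="{RESOURCE}" AttributeId="resource-type" DataType="{STRING}" MustBePresent="false"/></Match>
   <Match MatchId="{FN}string-equal"><AttributeValue DataType="{STRING}">read</AttributeValue>
    <AttributeDesignator Category="{ACTION}" AttributeId="{ACTION_ID}" DataType="{STRING}" MustBePresent="false"/></Match>
  </AllOf></AnyOf></Target>
  <Rule RuleId="teacher-reads-own-course" Effect="Permit">
   <Condition><Apply FunctionId="{FN}string-at-least-one-member-of">
    <AttributeDesignator Category="{RESOURCE}" AttributeId="course-id" DataType="{STRING}" MustBePresent="true"/>
    <AttributeDesignator Category="{SUBJECT}" AttributeId="teaches" DataType="{STRING}" MustBePresent="false"/>
   </Apply></Condition>
   <ObligationExpressions><ObligationExpression ObligationId="log-grade-access" FulfillOn="Permit"/></ObligationExpressions>
  </Rule>
  <Rule RuleId="deny-off-campus" Effect="Deny">
   <Condition><Apply FunctionId="{FN}not"><Apply FunctionId="{FN}string-is-in">
    <AttributeValue DataType="{STRING}">campus</AttributeValue>
    <AttributeDesignator Category="{ENV}" AttributeId="network-zone" DataType="{STRING}" MustBePresent="false"/>
   </Apply></Apply></Condition>
  </Rule>
 </Policy>
</PolicySet>"""

def call(fn, args):  # the XACML functions this example supports; bags are Python lists
    if fn == FN + "string-equal":
        return args[0] == args[1]
    if fn == FN + "string-is-in":
        return args[0] in args[1]
    if fn == FN + "string-at-least-one-member-of":
        return any(v in args[1] for v in args[0])
    if fn == FN + "not":
        return not args[0]
    raise NotImplementedError(fn)

def expr(el, req):  # evaluate an AttributeValue, AttributeDesignator or Apply against the request
    if el.tag == "AttributeValue":
        return el.text
    if el.tag == "AttributeDesignator":
        bag = req.get(el.get("Category"), {}).get(el.get("AttributeId"), [])
        if not bag and el.get("MustBePresent") == "true":
            raise LookupError(el.get("AttributeId"))  # surfaces as Indeterminate
        return list(bag)
    return call(el.get("FunctionId"), [expr(c, req) for c in el])

def target_matches(node, req):
    """Target = AND over AnyOf, OR over AllOf, AND over Match; a Match holds if the
    function is true for at least one value of the designated attribute bag."""
    target = node.find("Target")
    if target is None or len(target) == 0:
        return True  # an empty Target applies to every request
    return all(any(all(any(call(m.get("MatchId"), [expr(m[0], req), v]) for v in expr(m[1], req))
                       for m in all_of.findall("Match"))
                   for all_of in any_of.findall("AllOf"))
               for any_of in target.findall("AnyOf"))

def deny_overrides(decisions):  # simplified: Deny wins, then Indeterminate, then Permit
    return next((d for d in ("Deny", "Indeterminate", "Permit") if d in decisions), "NotApplicable")

def evaluate(node, req):
    """Evaluate a Rule, Policy or PolicySet; returns (decision, obligation ids the PEP must fulfil)."""
    try:
        if not target_matches(node, req):
            return "NotApplicable", []
        if node.tag == "Rule":
            cond = node.find("Condition")
            decision = node.get("Effect") if cond is None or expr(cond[0], req) else "NotApplicable"
            obligations = []
        else:  # Policy or PolicySet; only deny-overrides combining is implemented here
            results = [evaluate(c, req) for c in node if c.tag in ("Rule", "Policy", "PolicySet")]
            decision = deny_overrides([d for d, _ in results])
            obligations = [o for d, obs in results if d == decision for o in obs]
    except LookupError:
        return "Indeterminate", []
    obligations += [o.get("ObligationId") for o in node.findall("ObligationExpressions/ObligationExpression")
                    if o.get("FulfillOn") == decision]  # this element's own obligations
    return decision, obligations

def make_request(teaches, course, zone, action="read"):  # constructed request: category -> id -> bag
    return {SUBJECT: {"teaches": teaches}, RESOURCE: {"resource-type": ["grades"], "course-id": [course]},
            ACTION: {ACTION_ID: [action]}, ENV: {"network-zone": [zone]}}

def pep_enforce(req):  # deny-biased PEP: only an explicit Permit releases the resource
    root = ET.fromstring(POLICY_XML)
    for el in root.iter():  # drop the namespace so tags can be compared by local name
        el.tag = el.tag.split("}")[-1]
    decision, obligations = evaluate(root, req)
    return decision == "Permit", decision, obligations
```

A deny-biased PEP treats NotApplicable and Indeterminate as denials, which is what a request missing a MustBePresent attribute produces here, and it must fulfil the returned obligation (log-grade-access) before releasing the resource. The deny-overrides combining is simplified relative to the full XACML 3.0 algorithm (any Deny wins, then Indeterminate, then Permit), and the environment attribute network-zone is the kind of context that RBAC alone cannot express.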
Technologies
MVC-based architecture
Implementation Demo
Conclusion
• Deliverables for this quarter:
– Version 1.0* will be uploaded to sourceforge.net.
– Report 3: "Unit Testing of ABAC model".
– Initialization of cloud instances in the AIS lab.
Q & A