On dynamic access control in Web 2.0 and beyond: Trends and technologies

Abstract

The Web in the Internet today—especially when it comes to the Internet of Things and cloud computing—is the Web of resources. A photo album, an appointment calendar, a telephone bill, a health record are all resource examples, listed here in the increasing order of expected privacy protection. A few properties of these resources define the roles of three major actors: The resources belong to their owner, they are hosted by the service provider, and they increasingly need to be shared (say, to support mash-up) with consumers. Owners authorize consumers' access to their resources, which providers then grant to the consumers upon authenticating them and checking for proper authorization. In the past, this was achieved by maintaining an access control list for each resource at the service provider. Typically, such a list specifies all consumers along with their privileges. Emerging trends in social networking and cloud computing require elasticity, or, in other words, the ability to grant resource access to new consumers on the fly. Naturally, this comes with ever-increasing requirements for privacy, which dictate strong authentication of all actors involved as well as cryptographic protection of the involved communication sessions. We share the industry expectation that the technology that solves the above problem will be a major enabler for applications based on technologies that range from social networking, to video-on-demand, to health care, to smart metering, and—especially—to cloud computing. This paper reviews the state-of-the-art technologies, including the emerging Open Authorization Protocol (OAuth) 2.0, and presents our own solution in this space, which removes an intermediary and gives the owner of a resource immediate control over defining access to that resource.