Abstract
Cloud storage services have become increasingly popular in recent years. Users are often registered to multiple cloud storage services that suit different needs. However, the ad-hoc manner in which data sharing between users is implemented leads to issues for these users. For instance, users are required to define different access control policies for each cloud service they use and are responsible for synchronizing their policies across different cloud providers. Users do not have access to a uniform and expressive method to deal with authorization. Current authorization solutions cannot be applied as-is, since they cannot cope with challenges specific to cloud environments. In this paper, we analyze the challenges of data sharing in multi-cloud environments and propose SAFAX, an XACML based authorization service designed to address these challenges. SAFAX's architecture allows users to deploy their access control policies in a standard format, in a single location, and augment policy evaluation with information from user selectable external trust services. We describe the architecture of SAFAX, a prototype implementation based on this architecture, illustrate the extensibility through external trust services and discuss the benefits of using SAFAX from both the user's and cloud provider's perspectives.
Highlights
Recent years have seen an increased adoption of cloud services, mainly driven by the explosive growth of mobile devices that often rely on cloud services (Gartner Inc, 2014)
We describe the message flow by following a concrete scenario that takes place in the context presented in Section 2: Charlie wants to view the health records that Alice stored on a specific domain (AD2) of the domains controller Domains Controller II (DCII)
The Domain Owner (DO) trusts the Domains Controller (DC) for the secure storage of their access control policies, for the correct evaluation of access requests from data consumers and for the enforcement of their policies. This trust model is suitable for very sensitive domains such as military clouds where the storage and evaluation of access control policies cannot be outsourced to an external entity
Summary
Recent years have seen an increased adoption of cloud services, mainly driven by the explosive growth of mobile devices that often rely on cloud services (Gartner Inc, 2014). Current authorization mechanisms implemented by cloud providers are quite primitive, in that users do not have a means of specifying fine-grained access control policies over their data. Each cloud provider uses a custom, often ad hoc, solution for access control This requires end-users to redefine their policies for each cloud storage service, which causes difficulty in synchronizing them across multiple cloud providers. The successful application of federated identity services in cloud environments (Hühnlein et al, 2010), where services allow their users to log-in based on credentials provided by third-party identity providers such as Google and Facebook, indicates that similar approaches in the context of authorization may be able to resolve the issue of data sharing in a multiple clouds setting. We analyze the challenges of sharing data securely in cloud environments and propose SAFAX, a novel XACMLbased architectural framework tailored to the development of extensible authorization services for clouds.
Sign-in/Register to view highlights & summary 
Published Version (
Free)
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call