Advanced authorization model for service and resource protection in distributed systems and cloud computing

Resum

Motivation and Goals Cloud computing is an emerging paradigm where flexible and dynamic services and infrastructures are able to scale and be delivered on demand. However, many potential businesses are still reluctant to adopt this technology due to security and privacy concerns. When data resides in the Cloud, they reside outside the organizational bounds, making users to feel a lost of control over their data. Thus, the access control system becomes a critical aspect, whereas current authorization solutions for Cloud computing usually lack of enough expressiveness to describe advanced authorization and federation rules that enable a secure access control over resources. Moreover, moving data to the Cloud usually implies relying on the Cloud Service Provider (CSP), which also raises security concerns and questions. Is the CSP accessing the data for its own benefit? Is it legitimately applying the authorization rules defined by the user? Although this is usually managed based on Service Level Agreements (SLA), the CSP could potentially access the data or even provide it to third parties. This situation leads to rethink about security and to start considering novel data-centric approaches where data are self-protected with cryptographic security mechanisms wherever they reside. This PhD thesis targets access control in distributed environments with special focus on its application to Cloud computing, trying to provide an advanced policy-based access control model that enables a secure and trustworthy management of security. Thus, this PhD thesis targets the following: " Design an authorization model for distributed systems, with high expressiveness and following a Role-based Access Control scheme (RBAC). " Provide an access control solution that takes into consideration the particularities of Cloud computing environments such as multi-tenancy. " Analyse the application of semantic Web technologies for security policy management and their capability for semantics representation and reasoning. " Develop a data-centric approach that enable to upload data to the Cloud in a secure and reliable manner, where data is cryptographically protected and its access is controlled by means of authorization policies. Methodology During the research work carried out within this PhD thesis, the followed approach started by providing an initial proposal of the authorization model for distributed environments that has been later refined, formalized and contextualized for Cloud environments. Then, it has been cryptographically protected, resulting in a self-protected model for Cloud resource security. Thus, a first work provides an initial approach to the application of semantic Web technologies to manage security policies in distributed systems with multi-tenancy features such as Grid environments. It provides an initial architecture and an initial authorization model with advanced reasoning capabilities that enable performing added value tasks such as policy conflict detection and resolution. In second step, the authorization model is refined and formalized, endowing it with enhanced expressiveness features based on the RBAC scheme. The architecture is particularized and the model adapted to the specific characteristics of the Cloud, including a trust model to support possible federations between tenants. Finally, the authorization model has been mathematically formalized and cryptographically protected to achieve a data-centric approach in which data are self-protected and can be securely managed by any CSP, being it unable to access data or to release it to unauthorized parties. Each one of these three stages correspond to a complete research work in which a proof of concept implementation is also included, together with a set of test results and performance statistics in order to analyse the viability of the proposal in each stage. Results As main result of this PhD thesis, a highly expressive, reliable and secure access control approach suitable for Cloud computing is provided. It has been designed taking into account special characteristics of these environments and enables the management of security by providing advanced authorization features. An advanced and sophisticated access control model is defined to allow the specification of high-level policies, providing high expressiveness and taking into account the domain heterogeneity of Cloud environments. A security architecture is also provided and multi-tenancy is supported, including federation capabilities to support situations in which different users share Cloud resources. The model is based on the RBAC scheme and supports the following expressiveness features: hierarchy of roles (hRBAC), context conditions (cRBAC) and hierarchy of objects (HO). Semantic Web technologies have been applied, achieving a high expressiveness for policy definitions. The logic formalism provided by ontologies endows the authorization model with reasoning capabilities, enabling advanced policy management techniques such as semantic conflict detection that are domain dependent and usually complex to detect. A data-centric approach is also provided, using novel identity-based and proxy re-encryption techniques are used to protect both the data and the authorization model itself. This proposal enables a rule-based approach for authorization in Cloud systems where rules are under control of the data owner and access control computation is delegated to the CSP, but making it unable to grant access to unauthorized parties. During the realization of this PhD thesis, the research results have been published in several scientific publications, including international journal papers classified in the top four quarters of JCR, international conferences and book chapters. It is remarkable that the main research works that conform the core of this PhD thesis directly correspond to papers that have been published or are being reviewed in JCR Q1 international journals.