Extensible Access Control Framework for Cloud Applications

KTH-SEECS

Applied Information Security Lab SEECS NUST

Implementation Perspective

Agenda• Motivation • Background

– XACML– Access control models

• Our Contribution– Research Perspective– Implementation Perspective

• Work in Progress– Implementation Demo

• Q & A Session

Motivation

SECaaS

Email Security aaS

Access control aaS

Cloud Service Consumers

Identity aaS

Network Security aaS

Encryption aaS Data protection aaS

Extensible Access Control Framework for Cloud Applications

Framework: Essential

supporting structure of a

systemAccess Control:

Restrict the illegal access

from resources under

consideration

Extensible: Ability to extend

the system through addition

of new functionality

What we are providing ??

Access

Control

Framework

Extensible

Access Control Models

Holistic solution for deployment of these models??

Any Standard set for

implementation ??

What we need ??

XACML

XACML stands for eXtensible Access Control Markup

Language

Standard which is ratified by standards organization

Existing Solutions

Enhancements in XACML 3.0

ABAC Implementation (Proprietary)

Picket-Link XACML Implementation(Open-source)

XACML PEP in JAVA

XACML Implementation (Open-source)

Extensible Access Control Framework for

Cloud Applications

Our Solution

Why we need 3 ACMs ??

Identities Roles Resources

RBAC Issues

Challenges appears when extended across the domain

Doesn’t consider environment attributes

Not well suited for a highly distributed

environment

Adding, deleting the duties of a role involved updating too many policy stores.

Attribute based Access Control (ABAC)

ProfessorSoftware Teaches (CSP 401)Office (238)Head (SEC lab)

Fine Grained Access Control (FGAC)

Usage based Access Control (UCON)

PreUsage Decisions

PostUsage Decisions

On-Going Usage Decisions

Research Contribution

XACML Profile

• The standard set of OASIS eXtensible Access Control Markup Language (XACML) specifications for implementation of an [xyz] access control is known as the XACML profile for xyz access control.

Development Perspective

Architecture & Workflow

PDPaaS

Policy Repository

PEPaaS

Resources

3rd Party Resources

Application User

1. Authentication 2a. Access Application

Resource

2b. Redirect to PEPaaS

3. Forward XACML Request

6. Return XACML Request to PEPaaS

5.Evaluate

4a. Find Policy4b. Applicable Policy

6. Access Granted

Register User

Exchange Meta-data

Resources

System Administrator

b) After authenticationredirect browser to PAPaaS

a) Authenticate Admin

Attribute Repository

PAPaaS

c) Store d) Retrieve

Policy Repository

e) Store XACML

Policies

System Administrator

Register User

Exchange Meta-data

b) After authen

Redirect browser to PAPaaSa)Authenticate Admin

PDPaaS

Policy Repository

PEPaaS

Resources

3rd Party Resources

Application User

1. Authentication

2a. Access Application Resource

2b. Redirect to PEPaaS

3. Forward XACML Request

6. Return XACML Request to

5.

Evaluate

4a. Find Policy4b. Applicable Policy

Attribute Repository

PAPaaS

c) Store d) Retrieve

6. Access Granted

Workflow

PAP Components1. Subject2. Resource3. Action4. Environment

1. XACML Policy Generation2. XACML PolicySet Generation

1. Condition2. Target3. Rule4. Obligation5. Policy6. Policy Set

Technologies

MVC based Architecture

Implementation Demo

Conclusion

• Deliverables for this Quarter– Version 1.0* will be uploaded on sourcefourge.net.– Report 3: “Unit Testing of ABAC model”.– Initialization of Cloud Instances in AIS lab.

Q & A