Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Skip to main content
Springer Nature Link
Log in

Leverage Data Security Policies Complexity for Users: An End-to-End Storage Service Management in the Cloud Based on ABAC Attributes

  • Conference paper
  • First Online:
Machine Learning for Networking (MLN 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14525))

Included in the following conference series:

  • 170 Accesses

Abstract

This position paper presents a method to ease the management of data security from the user point of view. Nowadays, users have many ways to access the same data: direct connection to the host, shared filesystem or web drive-like solutions. This leads to complex data access control policies. At the same time, users have more and more liberty in resource instantiation. They can benefit from various self service storage facilities from many Cloud operators in an on-premise or remote way. Moreover, interfaces with these providers are designed in a way that real locations of data are hidden to give an illusion of infinite resources availability. Obviously, Cloud providers have many ways to fine tune resource allocation but users may not be aware of it. With this growth of resource distribution, access control also evolved. Formerly, a simple access control scheme based on identity was sufficient for data security (IBAC). With the complexity increase of access control, new schemes emerged based on roles (RBAC) or attributes (ABAC). We will investigate the last one because attributes rules access control but it also gives information on a user’s profile that may be used to ease the creation and configuration of data services on distributed resources such as Cloud providers.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 59.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 64.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    https://cri-o.io/.

  2. 2.

    https://opencontainers.org/.

  3. 3.

    https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster.

  4. 4.

    https://aws.github.io/aws-eks-best-practices/security/docs.

  5. 5.

    https://learn.microsoft.com/en-us/azure/aks/operator-best-practices-cluster-security?tabs=azure-cli.

  6. 6.

    https://cerbos.dev/.

  7. 7.

    https://casdoor.org.

References

  1. National Security Agency. Kubernetes hardening guidance v 1.2. Technical report National Security Agency, Cybersecurity and Infrastructure Security Agency (2022). https://media.defense.gov/2022/Aug/29/2003066362/-%201/-%201/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF

  2. Badger, L., et al.: Practical domain and type enforcement for UNIX. In: Proceedings 1995 IEEE Symposium on Security and Privacy, pp. 66–77. IEEE (1995)

    Google Scholar 

  3. Bell, D.E.,: Secure computer systems: mathematical foundations and model. In: Technical Report ESD-TR-73-278-1 (1973)

    Google Scholar 

  4. Biba, K.: Integrity considerations for secure computing systems. In: Mitre Report MTR-3153, Mitre Corporation, Bedford, MA (1975)

    Google Scholar 

  5. Boebert, W.E.: A practical alternative to hierarchical integrity policies. In: Proceedings of the 8th National Computer Security Conference, 1985 (1985)

    Google Scholar 

  6. Bousquet, A., et al.: Enforcing security and assurance properties in cloud environment. In: 2015 IEEE/ACM 8th International Conference on Utility and Cloud Computing (UCC), pp. 271–280. IEEE (2015)

    Google Scholar 

  7. Brand, S.L.: DoD 5200.28-STD department of defense trusted computer system evaluation criteria (orange book). Nat. Comput. Secur. Center, 1–94 (1985)

    Google Scholar 

  8. Briffaut, J., Lalande, J.-F., Toinard, C.: Formalization of security properties: enforcement for mac operating systems and verification of dynamic mac policies. Int. J. Adv. Secur. 2(4), 325–343 (2009)

    Google Scholar 

  9. Briffaut, J., Lalande, J.-F., Toinard, C.: Security and results of a large-scale high-interaction honeypot. J. Comput. 4(5), 395–404 (2009)

    Article  Google Scholar 

  10. Briffaut, J., et al.: Enforcement of security properties for dynamic MAC policies. In: 2009 Third International Conference on Emerging Security Information, Systems and Technologies, pp. 114–120. IEEE (2009)

    Google Scholar 

  11. Chung et al.: Guide to Attribute Based Access Control (ABAC) Definition and Considerations (2019). https://doi.org/10.6028/NIST.SP.800-162

  12. Cuppens, F., Cuppens-Boulahia, N.: Modeling contextual security policies. Int. J. Inf. Secur. 7(4), 285–305 (2008)

    Article  Google Scholar 

  13. Denning, P.J.: Fault tolerant operating systems. ACM Comput. Surv. (CSUR) 8(4), 359–389 (1976)

    Article  Google Scholar 

  14. Downs, D.D., et al.: Issues in discretionary access control. In: 1985 IEEE Symposium on Security and Privacy, pp. 208–208. IEEE (1985)

    Google Scholar 

  15. Ennahbaoui, M., Elhajji, S.: Study of access control models. In: Proceedings of the World Congress on Engineering, Vol. 2, pp. 3–5 (2013)

    Google Scholar 

  16. Ferraiolo, D., Cugini, J., Kuhn, D.R., et al.: Role-based access control (RBAC): features and motivations. In: Proceedings of 11th Annual Computer Security Application Conference, pp. 241–48 (1995)

    Google Scholar 

  17. Ferraiolo, D.F., Barkley, J.F., Kuhn, D.R.: A role-based access control model and reference implementation within a corporate intranet. ACM Trans. Inf. Syst. Secur. (TISSEC) 2(1), 34–64 (1999)

    Article  Google Scholar 

  18. Ferrario, D.: Role-based access control. In: Proceedings of 15th National Computer Security Conference, 1992 (1992)

    Google Scholar 

  19. Gros, D., et al.: PIGA-cluster: a distributed architecture integrating a shared and resilient reference monitor to enforce mandatory access control in the HPC environment. In: 2013 International Conference on High Performance Computing & Simulation (HPCS), pp. 273–280. IEEE (2013)

    Google Scholar 

  20. Gupta, E., et al.: Attribute-based access control for NoSQL databases. In: Proceedings of the Eleventh ACM Conference on Data and Application Security and Privacy, pp. 317–319 (2021)

    Google Scholar 

  21. Harrison, M.A., Ruzzo, W.L., Ullman, J.D.: Protection in operating systems. Commun. ACM 19(8), 461–471 (1976)

    Article  Google Scholar 

  22. ITSEC. Information Technology Security Evaluation Criteria (1991)

    Google Scholar 

  23. Jahid, S., et al.: MyABDAC: compiling XACML policies for attribute based database access control. In: Proceedings of the First ACM Conference on Data and Application Security and Privacy, pp. 97–108 (2011)

    Google Scholar 

  24. Kubernetes – see. https://kubernetes.io/.k8s

  25. Lampson, B.W.: Protection. ACM SIGOPS Oper. Syst. Rev. 8(1), 18–24 (1974)

    Article  Google Scholar 

  26. Li, N., Mao, Z.: Administration in role-based access control. In: Proceedings of the 2nd ACM symposium on Information, Computer and Communications Security, pp. 127–138 (2007)

    Google Scholar 

  27. Loscocco, P.A., et al.: The inevitability of failure: the flawed assumption of security in modern computing environments. In: Proceedings of the 21st National Information Systems Security Conference (1998)

    Google Scholar 

  28. Mahmoud, A.A., et al.: A new graph-based reinforcement learning environment for targeted molecular generation and optimization. In: 2023 12th International Conference on Software and Information Engineering (2023)

    Google Scholar 

  29. Mayfield, T., et al.: Integrity in automated information systems. Nat. Secur. Agency, Tech. Rep. 79 (1991)

    Google Scholar 

  30. Osborn, S., Sandhu, R., Munawer, Q.: Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM Trans. Inf. Syst. Secur. (TISSEC) 3(2), 85–106 (2000)

    Article  Google Scholar 

  31. Rahman, M.U.: Scalable role-based access control using the EOS blockchain. arXiv preprint: arXiv:2007.02163 (2020)

  32. Sandhu, R., et al.: The NIST model for role-based access control: towards a unified standard. In: ACM Workshop on Role-Based Access Control, vol. 10, no. 344287.344301 (2000)

    Google Scholar 

  33. Sandhu, R., Munawer, Q.: How to do discretionary access control using roles. In: Proceedings of the Third ACM Workshop on Role-Based Access Control, pp. 47–54 (1998)

    Google Scholar 

  34. Sandhu, R.S.: The typed access matrix model. In: IEEE Symposium on Security and Privacy, pp. 122–136. Citeseer (1992)

    Google Scholar 

  35. Sandhu, R.S.: The schematic protection model: its definition and analysis for acyclic attenuating schemes. J. ACM (JACM) 35(2), 404–432 (1988)

    Article  Google Scholar 

  36. Sultan, S., Ahmad, I., Dimitriou, T.: Container security: issues, challenges, and the road ahead. IEEE Access 7, 52976–52996 (2019)

    Article  Google Scholar 

  37. Wang, X., Du, J., Liu, H.: Performance and isolation analysis of RunC, gVisor and Kata containers runtimes. Cluster Comput. 25(2), 1497–1513 (2022)

    Article  Google Scholar 

  38. Zhang, Z., Zhang, X., Sandhu, R.: ROBAC: scalable role and organization based access control models. In: 2006 International Conference on Collaborative Computing: Networking, Applications and Worksharing, pp. 1–9. IEEE (2006)

    Google Scholar 

Download references

Acknowledgment

We extend our heartfelt gratitude to the National Institute of Informatics (NII) and the Centre National de la Recherche Scientifique (CNRS) for their invaluable collaboration through the signed MOU, which has paved the way for this impactful joint research.

Funding

This work is funded by the French Ministry of Higher Education and Research in the context of DATACENTER 2023. This is a governmental call for projects to provide a secure deployment of storage services in the Cloud. We would like to thank you the National Institute of Informatics (Japan) for its support for this research.

Author information

Authors and Affiliations

  1. University of Sorbonne Paris North, LIPN - UMR 7030, 99 Avenue JB Clément, 93430, Villetaneuse, France

    Nicolas Greneche

  2. Digital Content and Media Sciences Research Division, National Institute of Informatics, 2-1-2 Hitotsubashi, Chiyoda-ku, Tokyo, 101-8430, Japan

    Frederic Andres

  3. Division of Risk Assessment, Center for Biological Safety and Research, National Institute of Health Sciences, 3-25-26 Tonomachi, Kawasaki-ku, Kawasaki, 210-9501, Japan

    Shihori Tanabe

  4. Faculty of Informatics and Computer Science, AI Group, The British University in Egypt, Suez Desert Road, Cairo, P.O. Box 43, El Sherouk City, 11837, Egypt

    Andreas Pester

  5. College of Information Science and Technology, University of Nebraska at Omaha, Omaha, NE, 68182-0116, USA

    Hesham H. Ali

  6. Faculty of Informatics and Computer Science, Artificial Intelligence Department, The British University in Egypt, Suez Desert Road, El Sherouk City, 11837, Cairo, Egypt

    Amgad A. Mahmoud

  7. University of Sorbonne Paris North, DSI - UNIF, 99 Avenue JB Clément, 93430, Villetaneuse, France

    Dominique Bascle

Authors
  1. Nicolas Greneche
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Frederic Andres
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Shihori Tanabe
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Andreas Pester
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Hesham H. Ali
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Amgad A. Mahmoud
    View author publications

    You can also search for this author in PubMed Google Scholar

  7. Dominique Bascle
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Nicolas Greneche .

Editor information

Editors and Affiliations

  1. ESIEE Paris and Gustave Eiffel University, Noisy-le-Grand, France

    Éric Renault

  2. Conservatoire National des Arts et Métiers, Paris, France

    Selma Boumerdassi

  3. Inria, Paris, France

    Paul Mühlethaler

Rights and permissions

Reprints and permissions

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Greneche, N. et al. (2024). Leverage Data Security Policies Complexity for Users: An End-to-End Storage Service Management in the Cloud Based on ABAC Attributes. In: Renault, É., Boumerdassi, S., Mühlethaler, P. (eds) Machine Learning for Networking. MLN 2023. Lecture Notes in Computer Science, vol 14525. Springer, Cham. https://doi.org/10.1007/978-3-031-59933-0_14

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-59933-0_14

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-59932-3

  • Online ISBN: 978-3-031-59933-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation