Three Layer Access Control Integrated with Policy Enforcement Point - Coursework Example

?Three Layer Access Control Integrated with Policy Enforcement Point — The organizations are adopting Cloud, as a cloud computing services are high on demand. The cloud customers may experience less control on the data and its associated procedures that are embedded into cloud based service practices. Therefore, in order to regain maximum data management and access management in cloud services, the end users must use three layer access control Integrated with Policy Enforcement Point framework. This framework can be utilized for addressing security, mapping cloud based procedures and cloud data management. We have seen that organizations are struggling to gain control for some of the features of cloud computing such as, continuous access control, interoperability and multi-tenancy. Likewise, for this reason, cloud computing vendors are compensating data management features in the usage control model for the end users. They are attribute mutability and continuous access control that can be stand alone or can be integrated with the organizational security requirements. In this article we discuss about the three layer access control that is based on the usage control for the cloud services and distributed policy enforcement mechanism (Almutairi et al. 36-44). The paper will discuss techniques associated with access control decision systems. A comprehensive research is discussed in the context of distributed deployment for access control decision systems. Moreover, spaces saving techniques are also discussed, as these techniques incorporate bloom filters that are operational in storage services. Moreover, the method proposed by the Bell-LaPadula that allows estimating former decisions that are based on the request and responses is also discussed. Lastly, secondary and approximate authorization model (SAAM) is discussed that is effective for resolving frequent queries. Index Terms – PEP, SAAM. SDP, RBAC I. Introduction The Policy Enforcement Point (PEP) in the cloud delineates as the architecture that pushes forward each and every request to the Policy Decision Point (PDP) (Jaeger, Lin, and Grimes 269-283). Furthermore, the PDP then investigates the request that is made within the application (Molloy et al. 157). The contemporary access control system depends upon the PEP and PDP. The PDP is generally implemented as a fanatical server that is authorized; in fact, it is located on a different node as compared to the PEP nodes (Molloy et al. 157). In order to implement the policy for all aspects of the system, the cloud computing architecture of the PEP must provide enough capability to connect with the PDP to inquiry decisions otherwise it has to suffer from a single point failure. (Casola et al. 387-401) The significant features that can accelerate the performance of PEP are (Molloy et al. 157): Latency of the communication with the PDP. Consistency and survivability of the connection Collective cost impacts on communication. For instance, cost related to the mobile applications is high priced. II. Related work A. RBAC Access Control Decisions For access control, a detailed research regarding the distributed deployment has been completed. In fact, earlier work is been measured as the PEP caching as mentioned by Wei, Even, and other researchers through caching are supported by a personal access request (Tripunitara and Carbunar 155). The PDP proactively moves on the complete section of the state in the current case that enables to pertain a session at SDP. In parallel, there are other caching techniques that can be utilized, as they were not used before (Tripunitara and Carbunar 155). However, Wei et al believes that such distribution access control enforcement is only proposed for RBAC. Likewise, RBAC also support role based encryption as well (Zhou, Varadharajan, and Hitchens 1675-1687). Wei et al concludes the concept of authentication recycling and resting but no priority is given to the performance aspect. Likewise, the deployment of access management is dependent on high performance, as there is no enslavement on ‘cache warmer’ (Tripunitara and Carbunar 155). B. Bloom Filters The bloom filters are “the space-efficient randomized data structure for representing a set in order to support membership queries” (Lopez-Ortiz and Hamel 77). In addition, they provide space saving techniques by allowing bogus positives that enable to reduce the chances of errors (Talib et al. 120-124). The bloom filters were introduced by Burton Bloom in 1970’s. Since then, it is a world renowned concept, specifically in the data storage market. Moreover, in network literature Bloom Filters are getting wide attention nowadays, as one of the reasons can be its space efficient structure that can be integrated in distributed cloud applications (Moreira et al. 2219-2230). The most visible and prominent factor associated with the increase in size of bloom filters and the reduction on the same time as well. This increase can be related with the aspiration for quick coverage from the false positive rate (Tripunitara and Carbunar 155). The difference between the Cascade Bloom Filters and the Bloomier filters is that the main purpose is to symbolize and test for membership in randomized function while, on the other hand; the aim is to check for the binary access (Kanizo, Hay, and Keslassy 373-385). As a result, with complete functions related to the formation as, well as the insertion of the Cascade Bloom filters is observed. The practical algorithms regarding the general Bloomier filters are still unlearned (Guo et al. 120-133). C. CPOL The high-performance policy assessment remarkably supports RBAC as compared to the Trust Management Systems (Tripunitara and Carbunar 155). The mapping of the Trust Management Scheme to RBAC can be non-trivial as mentioned by the Li and Tripunitara. The reduction in the evaluation time related to the access control queries can be achieved via utilization of caching mechanism and by implementing the policy evaluation framework. Although, the caching advanced only valid if the cache is convinced to return to the central PDP (Tripunitara and Carbunar 155). Furthermore, the cache techniques guarantee proper reliable cache. The concept of access control risks defines the fuzziness of distinction via restricting an access and as a replacement; every access is in relation to the potential impairment and utility. The concept is re utilized for evaluating the potential impact for every access (Tripunitara and Carbunar 155). In disseminated system every node constructs its own cache in association with the other nodes in order to achieve precise cache. Moreover, the cache methodology revisit to a confined decision on a request (Molloy et al. 157). The method proposed by the Bell-LaPadula that allows estimating former decisions that are based on the request and responses presented previously (Molloy et al. 157). The interference techniques demand knowledge associated with the access control model, as they are most effective and intelligent for hierarchical access models and structured access models (Molloy et al. 157). Likewise, the proposed solution incorporates the relationship of objects and subjects in a typical database. However, there is still a requirement for learning the subject and object space. The utilization of machines for making decisions pertaining to access control is also presented, in which the researchers of the proposed solution make note of the behavior of a classifier that reverts a decision after making a conflict at the centralized PDP (Molloy et al. 157). D. SAAM The SDP enforces the theoretical framework SAAM to utilize responses from authorized requests. In addition, if the PDP is unavailable the heuristics supplies a substitute for the conservative authorization responses (Crampton, Leung and Beznosov 111). The SAAM supposes that the caches related to the PDP responses are utilized to deduce accurate replies. Moreover, collecting the comebacks is not an innovative impression within the access control domain. These are utilized for the improvement of systems competency and compatibility. As a result, additional advances only figure out accurate mechanism for authorization that has an effectiveness for resolving frequent queries (Crampton, Leung and Beznosov 111). New queries can be determined by the SAAM with the help of space extensions in order to support the estimated responses. Alternatively SAAM provides a more affluent source for authorization responses as compared to the previous approaches. It offers a methodological approach in order to authorize recycling via generic model of authorization queries and responses (Crampton, Leung and Beznosov 111). Moreover, SAAM also provides responses arrangements and policies. (Crampton, Leung and Beznosov 111) SAAM is basically a domain-specific approach thus providing fault tolerance and performance enhancement for the access control mechanism. Following are the three basic classification of the fault tolerance solution (Crampton, Leung and Beznosov 111) Failure masking via information redundancy for instance correction of errors and checksums. Time redundancy for example repetitive invocations. Physical redundancy such as data replication. The implementation of the physical redundancy is conducted by SAAM when the PDP is not available (Wu et al. 1431-1440). In addition, the fault is covered with the SDP through the demanded decisions for controlling access. The primary physical redundancy methods for the distributed systems are away from the small number of systems. Moreover, if the scale reaches thousand, it became technically and economically less feasible (Crampton, Leung and Beznosov 111). By utilizing SAAM, the authorized responses are cached while the active authorized information is simulated, and linear scalability is allowed for the number of PDPS’s and PEP’s. Now the latest concepts, methods and strategy algorithms are produced that are associated with the new decisions of access. The secondary and approximate authorization model (SAAM) delineates the philosophy of primary vs. secondary and accurate vs. approximate authorizations (Crampton, Leung and Beznosov 111). In fact, the approximate authorization responses are concentrated from the cached initial responses and then offer the other source related to the access control decisions for the servers that are unavailable or slow (Crampton, Leung and Beznosov 111). However, the efficiency to calculate authorizations enhances the consistency and presentation of the access control sub-systems and the application systems (Crampton, Leung and Beznosov 111). System operations incorporating SAAM are dependent on the type of access control policy that it deploys. A research was conducted that proposed a solution for calculating secondary authorizations with compliance of policies mentioned in Bell-LaPadula model. Likewise, a dominance graph is defined along with its formation and usability for developing secondary response to an authorized request (Crampton, Leung and Beznosov 111). (Crampton, Leung and Beznosov 111) Initially, the calculated results regarding the SAAMBLP algorithms reveals that about 30% of the queries related to the authorization are increased and can be hand out to the access control policies without any consultation (Pervez et al. 915-938). III. THE PROPOSED THREE-LAYER ACCESS CONTROL integrated with PEP The cloud computing infrastructure incorporates a service creator that demonstrates access control an policies for the end users associated with the cloud service. Though, the end users of cloud applications have maximum control for managing data and for enforcing the related policies. Likewise, cloud computing service providers provide services to their customer in every anticipated level. Moreover, the access control mechanism for cloud computing must be compatible with all these three requirements. Consequently, the paper defines the three layer architecture that is a proposed solution for cloud computing access control and revocation. Figure 1.1 As shown in fig 1.1, the service layer of the cloud is acting as enforcement for implementing access control policies. The provider layer is also acting as enforcement for access control policies from the vendor side, and tenant layer is also acting as enforcement for end user access control policies. E. THREE-LAYER ARCHITECTURE ("LOOK OUT! the Cloud is Getting Saas-y!" 29) The three layer architecture is considered as the "platform as a service" and securities access control for the services related to SaaS (Guptill and McNee 37-44). As illustrated in Fig. 1.2, the following four elements regarding the suggested access control architecture are mentioned below: Access control service Service provider Cloud provider Identity provider Figure 1.2 F. Identity Provider This component is associated with the end users of the cloud. Likewise, the element identifying the identity for the end users provides the ACS usage. At the initial level, the request for granting access to cloud services is sent to the element. Secondly, the authentication process is triggered and after completion, the security token service generates a token and routes it to the ACS via the end user’s PEP. This concludes that the end user is accountable for the deployment of policies via PEP. G. Cloud Provider Now the next element in this architecture is considered to, be a cloud provider itself. (SecureKey ) In the cloud provider the Transform Security Token Service (T-STS) is the core element of the cloud provider. The main features of T-STS are to translate inter organizations' tokens. When the two elements i.e. token and service providers incorporate together than an interoperability has been found. This can be done via mapping of attribute transformation. However, the T-STS include a set of token that helps to translation policies. These translated policies can further accomplish this mapping process. H. Service Provide The component indicating as a service provider is liable for enforcement via ACS for service creator policies. Consequently, this specific component is not affianced with tenant and vendor policies. Only PEP is utilized for policy enforcement on access request. IV. Study of the proposed method The analysis proposed method is divided into three steps. This architecture that is involving three steps possess some benefits that are mentioned below: Initially, the vendor can mould its services into cloud based services at any point easily without any threats. In fact, for different layers the translation of the attributes has no issues with this method. Similarly, the vendors are allowed to use their way of services to add in cloud computing without keeping in mind the risks for interoperability of the application. The second benefit of cloud computing is that a renter is allowed to implement its own policies for the clients other than the policies that are present in cloud computing. Thus, for the less honoured customer, the vendors are allowed to impose strict policies on the cloud services. This provides more control for the cloud computing end users using these services. Moreover, the renters are less worried about mapping their access control policies. In order to translate the attributes the renters has no difficulty for cloud services. According to the vendors choice, the policies can be imposed other than the cloud service policies. Moreover, in different levels of cloud computing, the renter may implement security policies, as well. The translation of attributes does not harm the scalability and the extendibility of the domains in cloud computing. Thus, providing superior interoperability for the cloud computing users. For the access control policy, the ACS is mainly based on two components i.e. built-in and usage control model. Therefore, the specific access control along with mutability is forever present in this model. However, if the policies are not followed significantly during the access the vendor is allowed to terminate the access from the client. V. Conclusion For the cloud services, three layered model related to access control is used in this article. This model is suggested for providing superior cloud services to the clients. In this article, data control model, procedures regarding renters and cross domain operations in cloud computing are discussed. Moreover, for a particular service related to cloud computing the vendors can provide their services at any level to the clients by integration of PEP. This report also illustrates a unique learning and risk based approach for architecture of distributed policy enforcement under ambiguity. Likewise, the tradeoffs along with value of decisions decide the integration of centralized query for PDP or to take them locally. Moreover, three approaches are also discussed i.e. Expected Utility, Risk Adjusted Utility and Independent Risk Constraints, as each of them illustrates dissimilar approach for risk mitigation. Furthermore, the issue associated with time and space efficient access enforcement for the Role based Access Control protection state in cloud computing, as the proposed solution incorporated utilization of novel data structure i.e. cascade Bloom filter. Algorithms are also illustrated for modifying cascade bloom filters along with their declared and completeness characteristics. The RBAC configurations are extracted as a result from empirically validated approach that highlighted the performance of devices with low capability up to thousand access hits every second. In addition, the development of a simulation test bed for evaluating the utility associated with SAAMBLP and utilizes it for developing a random test containing set of authorization requests. Lastly, the measurement of proportions is solved by a traditional PEP that is capable of recycling only specific responses along with the SDP. References Almutairi, Abdulrahman, et al. "A Distributed Access Control Architecture for Cloud Computing." IEEE Software 29.2 (2012): 36-44. Print Casola, Valentina, et al. "The CloudGrid Approach: Security Analysis and Performance Evaluation." Future Generation Computer Systems 29.1 (2013): 387-401. Print. Crampton, J., W. Leung, and K. Beznosov. "The Secondary and Approximate Authorization Model and its Application to Bell-LaPadula Policies}, Booktitle = {Proceedings of the Eleventh ACM Symposium on Access Control Models and Technologies." (2006): 111. Print. Guo, Deke, et al. "The Dynamic Bloom Filters." IEEE Transactions on Knowledge & Data Engineering 22.1 (2010): 120-33. Print. Guptill, Bruce, and William S. McNee. "SaaS SETS THE STAGE FOR 'Cloud Computing' (Cover Story)." Financial Executive 24.5 (2008): 37-44. Print. Jaeger, Paul T., Jimmy Lin, and Justin M. Grimes. "Cloud Computing and Information Policy: Computing in a Policy Cloud?" Journal of Information Technology & Politics 5.3 (2008): 269-83. Print. Lopez-Ortiz, Alejandro, and Angele Hamel. Combinatorial and Algorithmic Aspects of Networking: First Workshop on Combinatorial and Algorithmic Aspects of Networking, CAAN 2004, Banff, Alberta, ... Networks and Telecommunications) . 77. SpringerPrint. "LOOK OUT! the Cloud is Getting Saas-y!" Baseline.112 (2011): 29. Print. Molloy, Ian, et al. "Proceedings of the Second ACM Conference on Data and Application Security and Privacy - CODASKY '12; Risk-Based Security Decisions Under Uncertainty ".2012. 157. Print. Moreira, Marcelo Duffles Donato, et al. "Capacity and Robustness Tradeoffs in Bloom Filters for Distributed Applications." IEEE Transactions on Parallel & Distributed Systems 23.12 (2012): 2219-30. Print. Pervez, Zeeshan, et al. "Oblivious Access Control Policies for Cloud Based Data Sharing Systems." Computing 94.12 (2012): 915-38. Print. SecureKey. "SecureKey Divests Hardware Security Token Group." Business Wire (English) (2013)Print. Tripunitara, Mahesh V., and Bogdan Carbunar. "Proceedings of the 14th ACM Symposium on Access Control Models and Technologies - SACMAT '09; Efficient Access Enforcement in Distributed Role-Based Access Control (RBAC) Deployments ".2009. 155. Print. Talib, Amir Mohamed, et al. "Formulating a Security Layer of Cloud Data Storage Framework Based on Multi Agent System Architecture." International Journal on Computing 1.1 (2010): 120-4. Print. Zhou, Lan, Vijay Varadharajan, and Michael Hitchens. "Enforcing Role-Based Access Control for Secure Data Storage in the Cloud." Computer journal 54.10 (2011): 1675-87. Print. Kanizo, Yossi, David Hay, and Isaac Keslassy. "Access-Efficient Balanced Bloom Filters." Computer Communications 36.4 (2013): 373-85. Print. Wu, Tao, et al. "A Distributed Collaborative Product Design Environment Based on Semantic Norm Model and Role-Based Access Control." Journal of Network & Computer Applications 36.6 (2013): 1431-40. Print. Read More