Hierarchical Role-Based Access Control with Homomorphic Encryption for Database as a Service

Database as a service provides services for accessing and managing customers data which provides ease of access, and the cost is less for these services. There is a possibility that the DBaaS service provider may not be trusted, and data may be stored on untrusted server. The access control mechanism can restrict users from unauthorized access, but in cloud environment access control policies are more flexible. However, an attacker can gather sensitive information for a malicious purpose by abusing the privileges as another user and so database security is compromised. The other problems associated with the DBaaS are to manage role hierarchy and secure session management for query transaction in the database. In this paper, a role-based access control for the multitenant database with role hierarchy is proposed. The query is granted with least access privileges, and a session key is used for session management. The proposed work protects data from privilege escalation and SQL injection. It uses the partial homomorphic encryption (Paillier Encryption) for the encrypting the sensitive data. If a query is to perform any operation on sensitive data, then extra permissions are required for accessing sensitive data. Data confidentiality and integrity are achieved using the role-based access control with partial homomorphic encryption.Comment: 11 Pages,4 figures, Proceedings of International Conference on ICT for Sustainable Developmen

Identity and Access Management System: a Web-Based Approach for an Enterprise

Managing digital identities and access control for enterprise users and applications remains one of the greatest challenges facing computing today. An attempt to address this issue led to the proposed security paradigm called Identity and Access Management (IAM) service based on IAM standards. Current approaches such as Lightweight Directory Access Protocol (LDAP), Central Authentication Service (CAS) and Security Assertion Markup Language (SAML) lack comprehensive analysis from conception to physical implementation to incorporate these solutions thereby resulting in impractical and fractured solutions. In this paper, we have implemented Identity and Access Management System (IAMSys) using the Lightweight Directory Access Protocol (LDAP) which focuses on authentication, authorization, administration of identities and audit reporting. Its primary concern is verification of the identity of the entity and granting correct level of access for resources which are protected in either the cloud environment or on-premise systems. A phased approach methodology was used in the research where it requires any enterprise or organization willing to adopt this must carry out a careful planning and demonstrated a good understanding of the technologies involved. The results of the experimental evaluation indicated that the average rating score is 72.0 % for the participants involved in this study. This implies that the idea of IAMSys is a way to mitigating security challenges associated with authentication, authorization, data protection and accountability if properly deployed

Secure data sharing and processing in heterogeneous clouds

The extensive cloud adoption among the European Public Sector Players empowered them to own and operate a range of cloud infrastructures. These deployments vary both in the size and capabilities, as well as in the range of employed technologies and processes. The public sector, however, lacks the necessary technology to enable effective, interoperable and secure integration of a multitude of its computing clouds and services. In this work we focus on the federation of private clouds and the approaches that enable secure data sharing and processing among the collaborating infrastructures and services of public entities. We investigate the aspects of access control, data and security policy languages, as well as cryptographic approaches that enable fine-grained security and data processing in semi-trusted environments. We identify the main challenges and frame the future work that serve as an enabler of interoperability among heterogeneous infrastructures and services. Our goal is to enable both security and legal conformance as well as to facilitate transparency, privacy and effectivity of private cloud federations for the public sector needs. © 2015 The Authors

Exploring Predicate Based Access Control for Cloud Workflow Systems

Authentication and authorization are the two crucial functions of any modern security and access control mechanisms. Authorization for controlling access to resources is a dynamic characteristic of a workflow system which is based on true business dynamics and access policies. Allowing or denying a user to gain access to a resource is the cornerstone for successful implementation of security and controlling paradigms. Role based and attribute based access control are the existing mechanisms widely used. As per these schemes, any user with given role or attribute respectively is granted applicable privileges to access a resource. There is third approach known as predicate based access control which is less explored. We intend to throw light on this as it provides more fine-grained control over resources besides being able to complement with existing approaches. In this paper we proposed a predicate-based access control mechanism that caters to the needs of cloud-based workflow systems

Network isolation for Kubernetes hard multi-tenancy

Over the past decade, containerization is increasingly popular due to its advantages in performance compared to virtualization. The rise in the use of containers leads to the emergence of container orchestration tools. Kubernetes is one of the top widely used tools serving this purpose. One critical point in the design of this tool is that one cluster can only serve one tenant. As the number of Kubernetes users is continuously increasing, this model generates considerate management overheads and resource fragmentation to the cluster. As a result, multi-tenancy was introduced as an alternative model. However, the major problem of this approach is the isolation between tenants. This thesis aims to tackle this isolation issue. While many cluster resources need to be isolated, we concentrate on handling one crucial feature in Kubernetes hard multi-tenancy: Network isolation. Our solution for this problem is intended to work regardless of the implementation flexibility of the Kubernetes network. The solution can also pass most of our security tests. The remaining issues are not significant, and one of them is solvable. Besides, our performance experiments recorded that this solution generated delays in cluster activities. However, in most cases, this delay is noticeable but nevertheless acceptable. The proposed method can potentially be a part of real Kubernetes multi-tenant systems where network isolation is one of the essential requirements