A User-Centric Access Control Framework for Cloud Computing

A huge amount of data is generated due to the growth of advanced information technology, online availability and easy access to cloud computing. In cloud computing, user can easily store and share their information across the cloud. With the rapid growth of cloud computing, user’s security and privacy has become a serious concern. Despite various existing security mechanisms, enterprises are still afraid of losing their outsourced data and unauthorized access. In most cases, access control mechanism and authorization rule follow a web application. This makes it limited, tightly bound to web application functionality and also doesn’t complete the security requirements for the individual user that results in poor protection against unauthorized access. To overcome the issue of privacy and protection, a suggestion is given in this study to empower the owner of any piece of data and information to protect their resource according to their own semantics. In this thesis, a new approach is presented that externalize access control policy and empower the user to control access on their data according to their semantics and wishes. The proposed framework provides PKI standard base secure access control mechanism and describes the protocol interface between the different components to enforce user-centric access control policy

A SEMANTIC BASED POLICY MANAGEMENT FRAMEWORK FOR CLOUD COMPUTING ENVIRONMENTS

Cloud computing paradigm has gained tremendous momentum and generated intensive interest. Although security issues are delaying its fast adoption, cloud computing is an unstoppable force and we need to provide security mechanisms to ensure its secure adoption. In this dissertation, we mainly focus on issues related to policy management and access control in the cloud. Currently, users have to use diverse access control mechanisms to protect their data when stored on the cloud service providers (CSPs). Access control policies may be specified in different policy languages and heterogeneity of access policies pose significant problems.An ideal policy management system should be able to work with all data regardless of where they are stored. Semantic Web technologies when used for policy management, can help address the crucial issues of interoperability of heterogeneous CSPs. In this dissertation, we propose a semantic based policy management framework for cloud computing environments which consists of two main components, namely policy management and specification component and policy evolution component. In the policy management and specification component, we first introduce policy management as a service (PMaaS), a cloud based policy management framework that give cloud users a unified control point for specifying authorization policies, regardless of where the data is stored. Then, we present semantic based policy management framework which enables users to specify access control policies using semantic web technologies and helps address heterogeneity issues of cloud computing environments. We also model temporal constraints and restrictions in GTRBAC using OWL and show how ontologies can be used to specify temporal constraints. We present a proof of concept implementation of the proposed framework and provide some performance evaluation. In the policy evolution component, we propose to use role mining techniques to deal with policy evolution issues and present StateMiner, a heuristic algorithm to find an RBAC state as close as possible to both the deployed RBAC state and the optimal state. We also implement the proposed algorithm and perform some experiments to demonstrate its effectiveness

Securing Access to Cloud Computing for Critical Infrastructure

Cloud computing offers cost effective services on-demand which encourage critical infrastructure providers to consider migrating to the cloud. Critical infrastructures are considered as a backbone of modern societies such as power plants and water. Information in cloud computing is likely to be shared among different entities, which could have various degrees of sensitivity. This requires robust isolation and access control mechanisms. Although various access control models and policies have been developed, they cannot fulfil requirements for a cloud based access control system. The reason is that cloud computing has a diverse sets of security requirements and unique security challenges such as multi-tenant and heterogeneity of security policies, rules and domains. This thesis provides a detailed study of cloud computing security challenges and threats, which were used to identify security requirements for various critical infrastructure providers. We found that an access control system is a crucial security requirement for the surveyed critical infrastructure providers. Furthermore, the requirement analysis was used to propose a new criteria to evaluate access control systems for cloud computing. Moreover, this work presents a new cloud based access control model to meet the identified cloud access control requirements. The model does not only ensure the secure sharing of resources among potential untrusted tenants, but also has the capacity to support different access permissions for the same cloud user. Our focused in the proposed model is the lack of data isolation in lower levels (CPU caches), which could lead to bypass access control models to gain some sensitive information by using cache side-channel attacks. Therefore, the thesis investigates various real attack scenarios and the gaps in existing mitigation approaches. It presents a new Prime and Probe cache side-channel attack, which can give detailed information about addresses accessed by a virtual machine with no need for any information about cache sets accessed by the virtual machine. The design, implementation and evaluation of a proposed solution preventing cache side-channel attacks are also presented in the thesis. It is a new lightweight solution, which introduces very low overhead (less than 15,000 CPU cycles). It can be applied in any operating system and prevents cache side-channel attacks in cloud computing. The thesis also presents a new detecting cache side-channel attacks solution. It focuses on the infrastructure used to host cloud computing tenants by counting cache misses caused by a virtual machine. The detection solutions has 0% false negative and 15% false positive

Access control delegation in the clouds

Current market trends need solutions/products to be developed at high speed. To meet those requirements sometimes it requires collaboration between the organizations. Modern workforce is increasingly distributed, mobile and virtual which will incur hurdles for communication and effective collaboration within organizations. One of the greatest benefits of cloud computing has to do with improvements to organizations communication and collaboration, both internally and externally. Because of the efficient services that are being offered by the cloud service providers today, many business organizations started taking advantage of cloud services. Specifically, Cloud computing enables a new form of service in that a service can be realized by components provided by different enterprises or entities in a collaborative manner. Participating parties are usually loosely connected and they are responsible for managing and protecting resources/data entrusted to them. Such scenario demands advanced and innovative mechanisms for better security and privacy protection of data shared among multiple participating parties. In this thesis, we propose an access control delegation approach that achieves federated security services and preserves autonomy and privacy sharing preferences of involved parties. An important feature of our mechanism is that each party will not need to reveal its own sensitive information when making a global decision with other collaborators, which will encourage a wide range of collaboration and create more business opportunities. --Abstract, page iii

Healthcare 5.0 Security Framework: Applications, Issues and Future Research Directions

Healthcare 5.0 is a system that can be deployed to provide various healthcare services. It does these services by utilising a new generation of information technologies, such as Internet of Things (IoT), Artificial Intelligence (AI), Big data analytics, blockchain and cloud computing. Due to the introduction of healthcare 5.0, the paradigm has been now changed. It is disease-centered to patient-centered care where it provides healthcare services and supports to the people. However, there are several security issues and challenges in healthcare 5.0 which may cause the leakage or alteration of sensitive healthcare data. This demands that we need a robust framework in order to secure the data of healthcare 5.0, which can facilitate different security related procedures like authentication, access control, key management and intrusion detection. Therefore, in this review article, we propose the design of a secure generalized healthcare 5.0 framework. The details of various applications of healthcare 5.0 along with the security requirements and threat model of healthcare 5.0 are provided. Next, we discuss about the existing security mechanisms in healthcare 5.0 along with their performance comparison. Some future research directions are finally discussed for the researchers working in healthcare 5.0 domain

Confidential Data with Safeguard Access Control in distributed Cloud Computing

Cloud computing is a safeguard technology which means that privileging permissions for the users   and stowing of data on world wide web. Mainly cloud computing focus on Protection and mystery represent major concerns in the acceptance of cloud technologies for data insertions . A major issue  is how to safe access control policies such that 2 layer encryption can be achieved internally. Solve  these problem by using this proposed in the decentralization process in two layer broadcast encryption schema, by eliminate the group manager preliminary unit of the set, with an advantage of the addition of supporting members to the coordination, does not want any central authorization. Our model is represent AES method for secrecy data management purpose and it will provide accuracy data for authorised person only .That person get main key for access the data this key will be produced by key generation algorithm. In this we are having like search engine. This engine defends on cloud previous engines not provide accurate info and also previous technologies provides inaccurate info and secure data retrieved unauthorised also.    Our coordination assures the confidentiality of the data and preserves the privacy of users from the cloud although delegating most of the access power enforcement to the cloud. Existing market inclination need Products to be developed at elevated swiftness. To meet those requirements sometimes it requires collaboration between the organizations. Since of the proficient services that are being obtainable by the cloud service providers today, lots of business organizations started compelling advantage of cloud services. Specifically, Cloud computing enables a new form of service in that a service can be realized by components provided by different enterprises or entities in a collaborative manner. Contributing parties are commonly loosely connected and they are responsible for managing and protecting resources/data consign to them. Such situation demands advanced and modern mechanisms for better security and privacy protection of data shared among multiple participating parties. In this, we are presented access control policy. This policy is included priveligation function and accurate info function. Our contribution is mainly focus on assures the confidentiality of the data and preserves the privacy of users

Searchable Encryption for Cloud and Distributed Systems

The vast development in information and communication technologies has spawned many new computing and storage architectures in the last two decades. Famous for its powerful computation ability and massive storage capacity, cloud services, including storage and computing, replace personal computers and software systems in many industrial applications. Another famous and influential computing and storage architecture is the distributed system, which refers to an array of machines or components geographically dispersed but jointly contributes to a common task, bringing premium scalability, reliability, and efficiency. Recently, the distributed cloud concept has also been proposed to benefit both cloud and distributed computing. Despite the benefits of these new technologies, data security and privacy are among the main concerns that hinder the wide adoption of these attractive architectures since data and computation are not under the control of the end-users in such systems. The traditional security mechanisms, e.g., encryption, cannot fit these new architectures since they would disable the fast access and retrieval of remote storage servers. Thus, an urgent question turns to be how to enable refined and efficient data retrieval on encrypted data among numerous records (i.e., searchable encryption) in the cloud and distributed systems, which forms the topic of this thesis. Searchable encryption technologies can be divided into Searchable Symmetric Encryption (SSE) and Public-key Encryption with Keyword Search (PEKS). The intrinsical symmetric key hinders data sharing since it is problematic and insecure to reveal one’s key to others. However, SSE outperforms PEKS due to its premium efficiency and is thus is prefered in a number of keyword search applications. Then multi-user SSE with rigorous and fine access control undoubtedly renders a satisfactory solution of both efficiency and security, which is the first problem worthy of our much attention. Second, functions and versatility play an essential role in a cloud storage application but it is still tricky to realize keyword search and deduplication in the cloud simultaneously. Large-scale data usually renders significant data redundancy and saving cloud storage resources turns to be inevitable. Existing schemes only facilitate data retrieval due to keywords but rarely consider other demands like deduplication. To be noted, trivially and hastily affiliating a separate deduplication scheme to the searchable encryption leads to disordered system architecture and security threats. Therefore, attention should be paid to versatile solutions supporting both keyword search and deduplication in the cloud. The third problem to be addressed is implementing multi-reader access for PEKS. As we know, PEKS was born to support multi-writers but enabling multi-readers in PEKS is challenging. Repeatedly encrypting the same keyword with different readers’ keys is not an elegant solution. In addition to keyword privacy, user anonymity coming with a multi-reader setting should also be formulated and preserved. Last but not least, existing schemes targeting centralized storage have not taken full advantage of distributed computation, which is considerable efficiency and fast response. Specifically, all testing tasks between searchable ciphertexts and trapdoor/token are fully undertaken by the only centralized cloud server, resulting in a busy system and slow response. With the help of distributed techniques, we may now look forward to a new turnaround, i.e., multiple servers jointly work to perform the testing with better efficiency and scalability. Then the intractable multi-writer/multi-reader mode supporting multi-keyword queries may also come true as a by-product. This thesis investigates searchable encryption technologies in cloud storage and distributed systems and spares effort to address the problems mentioned above. Our first work can be classified into SSE. We formulate the Multi-user Verifiable Searchable Symmetric Encryption (MVSSE) and propose a concrete scheme for multi-user access. It not only offers multi-user access and verifiability but also supports extension on updates as well as a non-single keyword index. Moreover, revocable access control is obtained that the search authority is validated each time a query is launched, different from existing mechanisms that once the search authority is granted, users can search forever. We give simulation-based proof, demonstrating our proposal possesses Universally Composable (UC)-security. Second, we come up with a redundancy elimination solution on top of searchable encryption. Following the keyword comparison approach of SSE, we formulate a hybrid primitive called Message-Locked Searchable Encryption (MLSE) derived in the way of SSE’s keyword search supporting keyword search and deduplication and present a concrete construction that enables multi-keyword query and negative keyword query as well as deduplication at a considerable small cost, i.e., the tokens are used for both search and deduplication. And it can further support Proof of Storage (PoS), testifying the content integrity in cloud storage. The semantic security is proved in Random Oracle Model using the game-based methodology. Third, as the branch of PEKS, the Broadcast Authenticated Encryption with Keyword Search (BAEKS) is proposed to bridge the gap of multi-reader access for PEKS, followed by a scheme. It not only resists Keyword Guessing Attacks (KGA) but also fills in the blank of anonymity. The scheme is proved secure under Decisional Bilinear Diffie-Hellman (DBDH) assumption in the Random Oracle Model. For distributed systems, we present a Searchable Encryption based on Efficient Privacy-preserving Outsourced calculation framework with Multiple keys (SE-EPOM) enjoying desirable features, which can be classified into PEKS. Instead of merely deploying a single server, multiple servers are employed to execute the test algorithm in our scheme jointly. The refined search, i.e., multi-keyword query, data confidentiality, and search pattern hiding, are realized. Besides, the multi-writer/multi-reader mode comes true. It is shown that under the distributed circumstance, much efficiency can be substantially achieved by our construction. With simulation-based proof, the security of our scheme is elaborated. All constructions proposed in this thesis are formally proven according to their corresponding security definitions and requirements. In addition, for each cryptographic primitive designed in this thesis, concrete schemes are initiated to demonstrate the availability and practicality of our proposal

TACRM: trust access control and resource management mechanism in fog computing

https://hcis-journal.springeropen.com/articles/10.1186/s13673-019-0188-3#Abs1Fog computing network is designed as an extension of the cloud due to the need for a supporting platform capable of ensuring the requirements of Internet of Thing (IoT). The growth of fog based fifth generation mobile communication (5G) system is challenged by the need for data sharing security. In fact, without properly securing access to Fog node resources in IoT network, services providers may not be able to achieve the desired performance. Indeed, fog computing obviously confront numerous security and privacy risks, due to its features, such as huge scale geolocation, heterogeneity and mobility. Thus, we propose a security model that is based on cooperation between IoT and fog. This model integrates an efficient access control process associated with a monitoring scheme to ensure secure cooperation between diverse resources and different operational parts. Indeed, a comprehensive scheduling process and resource allocation mechanism using our security model is proposed to improve the intended performance of the system. In fact, our main contribution is to introduce a distributed access control based on security resource management framework for fog-IoT networks, and proactive security scheme under ultra-trustworthiness and low-latency constraints. After evaluation based on iFogSim, we have proved that our scheme not only provides low latency with high security and privacy, but also reduces the complexity of administration and management of security and resources mechanisms