SAFAX: an extensible authorization service for cloud environments

Cloud storage services have become increasingly popular in recent years. Users are often registered to multiple cloud storage services that suit different needs. However, the ad hoc manner in which data sharing between users is implemented lead to issues for these users. For instance, users are required to define different access control policies for each cloud service that they use and are responsible for synchronizing their policies across different cloud providers. Users do not have access to a uniform and expressive method to deal with authorization. Current authorization solutions cannot be applied as-is, since they cannot cope with challenges specific to cloud environments. In this paper, we analyze the challenges of data sharing in multi-cloud environments and propose SAFAX, an XACML-based authorization service designed to address these challenges. SAFAX’s architecture allows users to deploy their access control policies in a standard format, in a single location, and augment policy evaluation with information from user selectable external trust services. We describe the architecture of SAFAX, a prototype implementation based on this architecture, illustrate the extensibility through external trust services and discuss the benefits of using SAFAX from both the user’s and cloud provider’s perspectives

A certification-aware service-oriented architecture

The widespread development of Service-Oriented Architecture (SOA) and web services is changing the traditional view of information technology. Today, software applications are increasingly distributed and consumed as a service, and business processes are implemented by selecting and composing services provided by different suppliers at run-time and with a minimal human intervention. In this scenario, where services are usually selected on the basis of clients\u2019 functional preferences, the risk of providing powerful but insecure applications raises, and the problem of guaranteeing and preserving the security of services and business processes becomes stringent. To this aim, we put forward the idea that security certification techniques can be adopted to provide the evidence that a service system has some security properties and behaves as expected. However, existing security certification techniques are not well-suited to the service scenario, since they are designed for static and monolithic software and then cannot support the intrinsic SOA dynamics. In this chapter, we discuss recent developments in the area of extending security certifications to web services. In particular, we first review current certification approaches, and highlight requirements and challenges for applying them to the service ecosystem. We then present an advanced methodology for security certification based on testing, as a crucial part of a novel approach for security certification developed in the context of the FP7 EU project Advanced Security Service cERTificate for SOA (Assert4Soa)

A quantitative analysis of common criteria certification practice

The Common Criteria (CC) certification framework defines a widely recognized, multi-domain certification scheme that aims to provide security assurances about IT products to consumers. However, the CC scheme does not prescribe a monitoring scheme for the CC practice, raising concerns about the quality of the security assurance provided by the certification and questions on its usefulness. In this paper, we present a critical analysis of the CC practice that concretely exposes the limitations of current approaches. We also provide directions to improve the CC practice

Towards a linked data vocabulary for the certification of software properties

In order to cater for a growing user base that requires varied functionalities and owns multiple devices, software providers are using cloud solutions as the preferred technical means. In fact, all major operating systems come with a tight integration to cloud services. Software solutions that have such integration with cloud services should disclose (transparency) this to the consumer. Furthermore, with mounting concerns over the security of software, consumers are demanding assurance over the software being used. Software certification can address both issues: security and transparency of software; thereby providing comprehensive assurance to consumers. However current software certifications are tailored for human consumption and represented in natural language, a major issue that hinders automated reasoning to be performed on them. Focused research efforts in the past few years have resulted in a Digital Certification concept, a machine processable representation of certifications, that can cater to different software provisioning models. We extend the notion of a Digital Certification by using the Linked Data vocabulary to express general characteristics of software systems that benefits from existing and future knowledge from the Linked Data community. This greatly increases the usability of such Digital Certifications and has a wider impact on the Software certification landscape