Presentation is loading. Please wait.

Presentation is loading. Please wait.

Institute for Cyber Security A Multi-Tenant RBAC Model for Collaborative Cloud Services Bo Tang, Qi Li and Ravi Sandhu Presented by Bo Tang at The 11 th.

Published byDwayne Neal Modified over 9 years ago

Similar presentations

Presentation on theme: "Institute for Cyber Security A Multi-Tenant RBAC Model for Collaborative Cloud Services Bo Tang, Qi Li and Ravi Sandhu Presented by Bo Tang at The 11 th."— Presentation transcript:

1 Institute for Cyber Security A Multi-Tenant RBAC Model for Collaborative Cloud Services Bo Tang, Qi Li and Ravi Sandhu Presented by Bo Tang at The 11 th International Conference on Privacy, Security and Trust (PST) July 12, 2013 Tarragona, Spain © ICS at UTSA World-Leading Research with Real-World Impact! 1

2 OUTLINE  Introduction and Background  A Family of Multi-Tenant RBAC (MT-RBAC) Models  MT-RBAC 0,1,2  Administrative MT-RBAC (AMT-RBAC) model  Constraints  Prototype Implementation and Evaluation  Related Work  Conclusion and Future Work © ICS at UTSA World-Leading Research with Real-World Impact! 2

3 OUTLINE  Introduction  A Family of Multi-Tenant RBAC (MT-RBAC) Models  MT-RBAC 0,1,2  Administrative MT-RBAC (AMT-RBAC) model  Constraints  Prototype Implementation and Evaluation  Related Work  Conclusion and Future Work © ICS at UTSA World-Leading Research with Real-World Impact! 3

4 Cloud Computing  Shared infrastructure  [$$$] -----> [$|$|$]  Multi-Tenancy  Virtually dedicated resources  Drawbacks:  Data Locked-in o Collaborations can only be achieved through desktop. o E.g.: create/edit Word documents in Dropbox.  How to collaborate in the cloud? © ICS at UTSA World-Leading Research with Real-World Impact! 4 Source:http://blog.box.com/2011/06/box-and-google-docs-accelerating-the-cloud-workforce/

5 Motivation © ICS at UTSA World-Leading Research with Real-World Impact! 5  C1. Charlie as a developer in OS has to access the source code stored in Dev.E to perform his out-sourcing job;  C2. Alice as an auditor in AF requires read-only access to financial reports stored in Acc.E; and  C3. Alice needs read-only accesses to Dev.E and Dev.OS in order to audit the out-sourcing project.

6 Industry Solutions  Microsoft and IBM: Fine-grained data sharing in SaaS using DB schema  Only feasible in DB  NASA: RBAC + OpenStack (Nebula)  Lacks ability to support multi-org collaborations  Salesforce (Force.com): Single Sign-On + SAML  Focus on authentication and simple authorization  Heavy management of certificates © ICS at UTSA World-Leading Research with Real-World Impact! 6 Source:http://msdn.microsoft.com/en-us/library/aa479086.aspx http://nebula.nasa.gov/blog/2010/06/03/nebulas-implementation-role-based-access-control-rbac/ http://wiki.developerforce.com/page/Single_Sign-On_with_SAML_on_Force.com

7 OUTLINE  Introduction  A Family of Multi-Tenant RBAC (MT-RBAC) Models  MT-RBAC 0,1,2  Administrative MT-RBAC (AMT-RBAC) model  Constraints  Prototype Implementation and Evaluation  Related Work  Conclusion and Future Work © ICS at UTSA World-Leading Research with Real-World Impact! 7

8 MT-RBAC World-Leading Research with Real-World Impact! 8 © ICS at UTSA

9 Trust Model World-Leading Research with Real-World Impact! 9 AuthStmts Resources Tenant ATenant B AuthStmts Resources AuthStmts Resources AuthStmts Resources  If B (resource owner) trusts A then A can assign  B’s permissions to A’s roles; and  B’s roles as junior roles to A’s roles.  CanUse(r B ) = {A, B, …} User If No trust If B trust A © ICS at UTSA

10 MT-RBAC 0,1,2 World-Leading Research with Real-World Impact! 10 © ICS at UTSA

11 AMT-RBAC © Bo Tang World-Leading Research with Real-World Impact! 11

12 AMT-RBAC (Contd.) © Bo Tang World-Leading Research with Real-World Impact! 12

13 Constraints  Cyclic Role Hierarchy: lead to implicit role upgrades in the role hierarchy  SoD: conflict of duties  Tenant-level o E.g.: SOX compliance companies may not hire the same company for both consulting and auditing.  Role-level o across tenants  Chinese Wall: conflict of interests among tenants o E.g.: do not share infrastructure with competitors. © ICS at UTSA World-Leading Research with Real-World Impact! 13 Tenant 2 M1M2 Tenant 1 E1E2

14 OUTLINE  Introduction  A Family of Multi-Tenant RBAC (MT-RBAC) Models  MT-RBAC 0,1,2  Administrative MT-RBAC (AMT-RBAC) model  Constraints  Prototype Implementation and Evaluation  Related Work  Conclusion and Future Work © ICS at UTSA World-Leading Research with Real-World Impact! 14

15 Policy Specification of MT-RBAC 2 © ICS at UTSA World-Leading Research with Real-World Impact! 15 user = “Charlie”; permission = “(read, /root/)%Dev.E” tr = “Dev.E”; te = “Dev.OS”

16 MTAaaS Platform Prototype  Experiment Settings  CloudStorage: an open source web based cloud storage and sharing system.  Joyent, FlexCloud  Authorization Service  Centralized PDP  Distributed PEP © Bo Tang World-Leading Research with Real-World Impact! 16

17 Evaluation: Performance  MT-RBAC vs RBAC  More policy references incur more decision time  MT-RBAC 2 introduces 16 ms overhead on average. World-Leading Research with Real-World Impact! 17 PDP PerformanceClient-End Performance © ICS at UTSA

18 Evaluation: Scalability  Scalable by changing either  PDP capability; or  Number of PEPs. World-Leading Research with Real-World Impact! 18 PDP Scalability PEP Scalability © ICS at UTSA

19 OUTLINE  Introduction  A Family of Multi-Tenant RBAC (MT-RBAC) Models  MT-RBAC 0,1,2  Administrative MT-RBAC (AMT-RBAC) model  Constraints  Prototype Implementation and Evaluation  Related Work  Conclusion and Future Work © ICS at UTSA World-Leading Research with Real-World Impact! 19

20 Characteristics of Cloud  Agility  Collaboration and collaborators are temporary  Centralized Facility  No need to use cryptographic certificates  Homogeneity  Same access control model in each tenant  Out-Sourcing Trust  Collaboration spirit © ICS at UTSA World-Leading Research with Real-World Impact! 20

21 Literature in Multi-org/dom  RBAC  CBAC, GB-RBAC, ROBAC (e.g.: player transfer in NBA)  Require central authority managing collaborations  Delegation Models  dRBAC and PBDM (e.g.: allowing subleasing)  Lacks agility (which the cloud requires)  Grids  CAS, VOMS, PERMIS  Absence of centralized facility and homogeneous architecture (which the cloud has) © ICS at UTSA World-Leading Research with Real-World Impact! 21

22 Literature (Contd.)  Role-based Trust  RT, Traust, RMTN AND RAMARS_TM  Calero et al: towards a multi-tenant authorization system for cloud services o Implementation level PoC o Coarse-grained trust model  MTAS  Suits the cloud (out-sourcing trust) © ICS at UTSA World-Leading Research with Real-World Impact! 22 Critical: trust model

23 Role-Based Trust Model Comp. World-Leading Research with Real-World Impact! 23 © ICS at UTSA

24 OUTLINE  Introduction  A Family of Multi-Tenant RBAC (MT-RBAC) Models  MT-RBAC 0,1,2  Administrative MT-RBAC (AMT-RBAC) model  Constraints  Prototype Implementation and Evaluation  Related Work  Conclusion and Future Work © ICS at UTSA World-Leading Research with Real-World Impact! 24

25 Conclusion  Collaboration needs among cloud services  MT-RBAC model family  Formalization  Administration  Constraints  MTAaaS architecture viable in the cloud  Overhead ≈ 16ms and scalable in the cloud  Comparison of role-based trust models © ICS at UTSA World-Leading Research with Real-World Impact! 25

26 Future Work  Cross-tenant trust models in cloud computing  Other multi-tenant access control models  MT-ABAC  MT-RT  MT-PBAC and more.  Implementation MT-RBAC in OpenStack API. © ICS at UTSA World-Leading Research with Real-World Impact! 26

27 Institute for Cyber Security © ICS at UTSA World-Leading Research with Real-World Impact! 27

28 Institute for Cyber Security © ICS at UTSA World-Leading Research with Real-World Impact! 28

29 Multi-Tenant Authorization as a Service (MTAaaS) © ICS at UTSA World-Leading Research with Real-World Impact! 29 MTAaaS Multi-Tenant Access Control Cross-Tenant Access User IDs Resource Catalogs Authz Policies

Download ppt "Institute for Cyber Security A Multi-Tenant RBAC Model for Collaborative Cloud Services Bo Tang, Qi Li and Ravi Sandhu Presented by Bo Tang at The 11 th."

Similar presentations

ROWLBAC – Representing Role Based Access Control in OWL

ROWLBAC – Representing Role Based Access Control in OWL
Institute for Cyber Security ASCAA Principles for Next- Generation Role-Based Access Control Ravi Sandhu Executive Director & Endowed Professor Institute.

Institute for Cyber Security ASCAA Principles for Next- Generation Role-Based Access Control Ravi Sandhu Executive Director & Endowed Professor Institute.
A Usage-based Authorization Framework for Collaborative Computing Systems Xinwen Zhang George Mason University Masayuki Nakae NEC Corporation Michael J.

A Usage-based Authorization Framework for Collaborative Computing Systems Xinwen Zhang George Mason University Masayuki Nakae NEC Corporation Michael J.
Trust Management of Services in Cloud Environments:

Trust Management of Services in Cloud Environments:
1 Cloud Computing Prof. Ravi Sandhu Executive Director and Endowed Chair April 12, 2013 © Ravi Sandhu World-Leading.

1 Cloud Computing Prof. Ravi Sandhu Executive Director and Endowed Chair April 12, © Ravi Sandhu World-Leading.
Institute for Cyber Security Multi-Tenant Access Control for Cloud Services World-Leading Research with Real-World Impact! 1 PhD Dissertation Defense Bo.

Institute for Cyber Security Multi-Tenant Access Control for Cloud Services World-Leading Research with Real-World Impact! 1 PhD Dissertation Defense Bo.
Security, Privacy and the Cloud Connecticut Community Providers’ Association June 20, 2014 Steven R Bulmer, VP of Professional Services.

Security, Privacy and the Cloud Connecticut Community Providers’ Association June 20, 2014 Steven R Bulmer, VP of Professional Services.
Secure Cyber Incident Information Sharing UTSA Team Leads Dr. Ram Krishnan, Assistant Professor, ECE Dr. Ravi Sandhu, Executive Director, ICS April 30,

Secure Cyber Incident Information Sharing UTSA Team Leads Dr. Ram Krishnan, Assistant Professor, ECE Dr. Ravi Sandhu, Executive Director, ICS April 30,
Institute for Cyber Security Extending OpenStack Access Control with Domain Trust World-Leading Research with Real-World Impact! 1 Bo Tang and Ravi Sandhu.

Institute for Cyber Security Extending OpenStack Access Control with Domain Trust World-Leading Research with Real-World Impact! 1 Bo Tang and Ravi Sandhu.
11 World-Leading Research with Real-World Impact! Constraints Specification for Virtual Resource Orchestration in Cloud IaaS Constraints Specification.

11 World-Leading Research with Real-World Impact! Constraints Specification for Virtual Resource Orchestration in Cloud IaaS Constraints Specification.
CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.

CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.
Role Based Access Control Venkata Marella. Access Control System Access control is the ability to permit or deny the use of a particular resource by a.

Role Based Access Control Venkata Marella. Access Control System Access control is the ability to permit or deny the use of a particular resource by a.
11 World-Leading Research with Real-World Impact! RT-Based Administrative Models for Community Cyber Security Information Sharing Ravi Sandhu, Khalid Zaman.

11 World-Leading Research with Real-World Impact! RT-Based Administrative Models for Community Cyber Security Information Sharing Ravi Sandhu, Khalid Zaman.
CoLaB 22nd December 2005 Secure Access to Service-based Collaborative Workflow for DAME Duncan Russell Informatics Institute University of Leeds, UK.

CoLaB 22nd December 2005 Secure Access to Service-based Collaborative Workflow for DAME Duncan Russell Informatics Institute University of Leeds, UK.
Dynasis Secure Group Information Sharing System ADVISOR: DR. AWAIS SHIBLI CO-ADVISOR: DR. ABDUL GHAFOOR GROUP MEMBERS: MANSOOR AHMED SAIF ULLAH YASIR.

Dynasis Secure Group Information Sharing System ADVISOR: DR. AWAIS SHIBLI CO-ADVISOR: DR. ABDUL GHAFOOR GROUP MEMBERS: MANSOOR AHMED SAIF ULLAH YASIR.
1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth.

1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth.
Distributed Computer Security 8.2 Discretionary Access Control Models - Sai Phalgun Tatavarthy.

Distributed Computer Security 8.2 Discretionary Access Control Models - Sai Phalgun Tatavarthy.
SaaS, PaaS & TaaS By: Raza Usmani

SaaS, PaaS & TaaS By: Raza Usmani
11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.

11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.
Secure Information and Resource Sharing in CloudSecure Information and Resource Sharing in Cloud References OSAC-SID Model [1]K. Harrison and G. White.

Secure Information and Resource Sharing in CloudSecure Information and Resource Sharing in Cloud References OSAC-SID Model [1]K. Harrison and G. White.

Similar presentations

Ads by Google