Peer Reviewed Online International Journal Volume 1, Issue 1, May 2014 149
Secured Approach towards
Role-Based Access Control on Cloud Computing
Shruthi S Dept of Computer Science and Engineering YD Institute of Technology Bangalore, India shruthis145@gmail.com
Alopama Vishnupriya Dept of Computer Science and Engineering YD Institute of Technology Bangalore, India alopamavishnupriya29@gmail.com
Ravikumara V Dept of Computer Science and Engineering YD Institute of Technology Bangalore, India ravikumaravrv2@gmail.com
Sadiya Parveen Dept of Computer Science and Engineering YD Institute of Technology Bangalore, India sadiyaparveen17@gmail.com
Abstract
Cloud computing is an emerging technology that is receiving significant attention from both the research community and industry. The cloud environment is a large, open, distributed system. Cloud computing security is an important issue because of the increasing scale of users. It is important to preserve the data as well as the privacy of users. Access control methods ensure that authorized users access the data and the system. Therefore, a series of security concepts need to be revised, such as Role-Based Access Control (RBAC), proposed by the National Institute of Standards and Technology (NIST), which promises to become a more prominent security model today. The aim of this article is to describe access control, the RBAC model and its drawbacks, and to identify proposed research work to reduce security risk.
Keywords
Security, Access Control, DAC, MAC and RBAC.
Introduction
The term cloud is analogous to the internet. The term cloud computing is based on the cloud drawing used in the past to represent telephone networks and later to depict the internet. Cloud computing is internet-based computing in which virtual shared servers provide software, infrastructure, platform, devices and other resources and hosting to customers on a pay-as-you-use basis. All information that a digitized system has to offer is provided as a service in the cloud computing model. Users can access these services on the internet cloud without any previous know-how in managing the resources involved. Thus, users can concentrate more on their core business processes rather than spending time gaining knowledge of the resources needed to manage them. Fig 1 shows applications of Cloud Computing.
Earlier, in the developing stage, applications and data storage were created on local servers. If the local server or local system crashed, the entire system, its applications and related data crashed with it. This was becoming a huge problem all over the world. To overcome this problem, the concept of cloud computing was brought into action. But with the increasing scale of users, many security-related problems arose, and security issues became a common interest of researchers. Security models such as Mandatory Access Control and Discretionary Access Control have been the means by which information was secured and access was regulated. But due to the inflexibility of these models, the rather new security concept of Role-Based Access Control (RBAC) was proposed by the National Institute of Standards and Technology (NIST), which promises to become a more prominent security model. But due to the increasing scale of users, providing significant security has become a bottleneck [1].
International Journal of Innovatory Research in Science and Management IJIRSM www.ijirusa.webs.com
Fig 1. Cloud Computing Applications
The term cloud computing probably comes (at least partly) from the use of a cloud image to represent the Internet or some large networked environment. We don't care much what's in the cloud or what goes on there, except that we depend on reliably sending data to it and receiving data from it. Cloud computing is now associated with a higher-level abstraction of the cloud. Instead of data pipes, routers and servers, there are now services. The underlying hardware and software of networking is of course still there, but there are now higher-level service capabilities available for building applications. Behind the services are data and compute resources. A user of the service doesn't necessarily care about how it is implemented, what technologies are used or how it's managed, only that there is access to it and that it has the level of reliability necessary to meet the application requirements. Cloud computing really is accessing the resources and services needed to perform functions with dynamically changing needs. An application or service developer requests access from the cloud rather than from a specific endpoint or named resource. What goes on in the cloud manages multiple infrastructures across multiple organizations and consists of one or more frameworks overlaid on top of the infrastructures, tying them together. Frameworks provide mechanisms for:
1. self-healing
2. self-monitoring
3. resource registration and discovery
4. service level agreement definitions
This paper describes access control and the concept of the RBAC (Role-Based Access Control) model and its drawbacks, and concludes by describing proposed research work to reduce security risk.
Literature Survey
The literature survey is the most important step in the software development process. Before developing the tool it is necessary to determine the time factor, economy and company strength. Once these things are satisfied, the next step is to determine which operating system and language can be used for developing the tool. Once the programmers start building the tool, they need a lot of external support. This support can be obtained from senior programmers, from books or from websites. Before building the system, the above considerations are taken into account for developing the proposed system. Depending on the nature of the customers, a cloud can be deployed as a:
1. Private Cloud
2. Community Cloud
3. Public Cloud
4. Hybrid Cloud
Cloud computing is essentially a centralized (from the user's perspective) computing facility built on a large-scale service model. It has been argued, especially in academia, that cloud computing is nothing new compared with its predecessors such as autonomic computing, the client-server model, grid/cluster computing, mainframe computers, utility computing, service-oriented computing, Web 2.0, platform virtualization, Service Oriented Architecture (SOA), and peer-to-peer networks, although the resources can be provided on a much larger scale than in previous applications [3].
Cloud computing has been quickly promoted by the industry during the past five years. Aside from the huge marketing efforts, cloud security has been criticized for its unknown privacy and security protection. There could be benefits from a security perspective, since most customers using the cloud may not have the expertise to safeguard their information assets using traditional IT approaches, and using cloud services could mitigate this problem.
On the other side, companies hosting cloud services generally have full control over the services they provide. They could control and monitor data essentially as they choose. There could also be other security issues such as access control, data protection, and management of cloud resources. It has been noted by the research community that confidentiality and auditability are among the top 10 obstacles to the growth of cloud computing [16].
Security risks in cloud computing environments involve traditional paradigms in information security such as confidentiality, integrity, and availability. However, they have contextual characteristics in cloud computing. For example, for most service models, security is largely the responsibility of the cloud providers. It is then essential to identify the risk issues faced by the virtualized systems. These issues include the following [3]:
1. Complexity of configuration: Due to more complex usage of networks and systems, the possibility of improper configuration may increase. Consumers may not be aware of such information until a security incident happens.
2. Privilege escalation: An attacker may take advantage of the different levels of access controls of Virtual Machines (VM) and escalate its access privileges through the use of the hypervisor, a virtual machine monitor/controller that facilitates hardware virtualization and mediates all hardware access [3].
3. Inactive virtual machines: Data stored in inactive virtual machines may contain sensitive information and has the potential to be accessed by unauthorized users.
4. Segregation of duties: Since a VM provides access to different components using different mechanisms, properly identifying access roles and segregating their duties could be difficult.
5. Poor access controls: A hypervisor is basically a single point of access. It has the risk of exposing trusted network resources through poorly defined access control systems.
In addition to these issues, there are also risks related to data encryption, the use of traditional security network protocols, browser security, middleware security, and denial of service attacks, among others [4]. It appears that policy and management issues are more evident and play a bigger role in cloud security. These issues include disaster recovery and business continuity, regulatory compliance, and secure design and test processes, among others.
The concept of RBAC has been used with multi-user computer systems and multi-application online systems since the late 1960s and early 1970s. However, RBAC rapidly emerged in the 1990s as a promising technology for managing and enforcing security in large-scale enterprise-wide systems, largely because of the lack of enhancement in the traditional Mandatory Access Control (MAC) and Discretionary Access Control (DAC) used in many computer systems and networks. Thus, RBAC is an alternative to traditional MAC and DAC policies that is currently attracting increasing attention, particularly for commercial applications [2].
RBAC [4] is a family of reference models in which permissions are associated with roles, and users are assigned to appropriate roles. This greatly simplifies the management of permissions. Roles are created for the various job functions in an organization, and users are assigned roles based on their responsibilities and qualifications. Users can be easily reassigned from one role to another. Roles can be granted new permissions as new applications and systems are incorporated. Besides that, permissions can be revoked from roles if necessary. A role hierarchy defines roles that have unique attributes and may contain other roles; that is, one role may implicitly include the operations, constraints, and objects that are associated with another role. Role hierarchies are a natural way of organizing roles to reflect authority, responsibility and competency [3].
Constraints are an important aspect of RBAC and can apply to the preceding components, which include users, roles, permissions, and sessions. A common example is mutually disjoint roles, such as purchasing manager and accounts payable manager: the same user is not permitted to be a member of both roles, because this creates a possibility for committing fraud.
Administration RBAC (ARBAC) involves control over components such as roles, users, and permissions. This includes creation and deletion of roles, creation and deletion of permissions, assignment of permissions to roles and their removal, creation and deletion of users, and assignment of users to roles and their removal. Moreover, it includes definition and maintenance of the role hierarchy and definition and maintenance of constraints; all of these in turn are for administrative roles and permissions. It has three components or sub-models:
The Imaging Science and Information System (ISIS) system, Department of Radiology, the Clinical Economics Research Unit (CERU) and the Division of Nephrology in the Department of Medicine at Georgetown University Medical Centre, Washington DC, have joined together to implement the kidney dialysis system project, named Phoenix [9]. The objectives of this project are to provide Tele-Medicine services for kidney dialysis patients, including creating, managing, transferring, and using electronic health data to provide decision support and information services for caregivers.
System Architecture
RBAC models are more flexible than their discretionary and mandatory counterparts because users can be assigned several roles and a role can be associated with several users. The aim is to create an architecture that gives the users of this system an access control mechanism through which they can access the content of the system. The administrator of the system can provide access control to the users of the facility, and then the RBAC system is implemented. Our objective and motive is to create an advanced RBAC to enhance the security of the entire application. Our objective may also include reducing the burden on the administrator of the system. Fig 2 shows the basic block design for the new advanced RBAC: after the RBAC architecture is designed, roles are created and then restrictions are applied to them. These restrictions are on the number of users and the number of transactions, and a new backup feature is also added.
Fig 2. Block Design of RBAC
This system can be divided into three levels: 1) Admin 2) User 3) Hacker
Admin: In an organization, the admin creates the architecture for the system, then generates the roles for all users according to their privileges and also sets a restriction on the number of users per role. The admin also generates users role-wise, where restrictions can be placed on the number of transactions per day/user/hour. This helps to increase the security level.
User: A new user creates a new account, but because of the restriction on the number of users per role only a limited number of users can create an account, and because of this malicious attacks will be fewer. Already existing users can log in and get access only if they are valid users.
Hacker: Malicious users do not get access to the system because the number of users is restricted to a limit. But if in any case an invalid user or hacker does get access to the system and tries to fetch data, then because of the restrictions in the new RBAC architecture only a limited number of transactions can be performed by him. So this results in minimum loss.
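The two restrictions described above (a cap on users per role and a cap on transactions per user in a time window) can be enforced as in the following added example, which is not code from the paper. The class and method names, the role name "teller" and the limit values are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque


class LimitExceeded(Exception):
    """Raised when registering a user would exceed the role's user cap."""


class RestrictedRoles:
    """Roles with a cap on members and a per-user transaction quota per window."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                  # injectable so the window can be tested
        self._limits = {}                    # role -> (max_users, max_tx, window_seconds)
        self._members = defaultdict(set)     # role -> users holding it
        self._history = defaultdict(deque)   # (user, role) -> times of allowed transactions

    def create_role(self, role, max_users, max_tx, window_seconds):
        self._limits[role] = (max_users, max_tx, window_seconds)

    def register(self, user, role):
        """Add a user to a role; refuse once the role is full."""
        max_users, _, _ = self._limits[role]
        if user in self._members[role]:
            return
        if len(self._members[role]) >= max_users:
            raise LimitExceeded(f"role {role!r} already has {max_users} users")
        self._members[role].add(user)

    def transact(self, user, role):
        """True and recorded if allowed; False for non-members or a spent quota."""
        if user not in self._members[role]:
            return False
        _, max_tx, window = self._limits[role]
        now = self._clock()
        seen = self._history[(user, role)]
        while seen and now - seen[0] >= window:   # forget transactions outside the window
            seen.popleft()
        if len(seen) >= max_tx:
            return False
        seen.append(now)
        return True


def demo():
    """Constructed scenario: 2 users per role, 3 transactions per user per hour."""
    t = [0.0]
    rbac = RestrictedRoles(clock=lambda: t[0])
    rbac.create_role("teller", max_users=2, max_tx=3, window_seconds=3600)
    rbac.register("alice", "teller")
    rbac.register("bob", "teller")
    try:
        rbac.register("mallory", "teller")        # third account for a full role
        third_registered = True
    except LimitExceeded:
        third_registered = False
    first_hour = [rbac.transact("alice", "teller") for _ in range(5)]
    t[0] = 3600.0                                 # one hour later the quota is restored
    after_window = rbac.transact("alice", "teller")
    return third_registered, first_hour, after_window
```

Even if a valid account is taken over, the quota bounds how many transactions it can perform per window, which is the "minimum loss" property the section describes.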
Methodology
Due to the need for better security, the National Institute of Standards and Technology (NIST) began a project simply titled the RBAC Project. Role-Based Access Control is an architecture that provides the authority to restrict a user who is not allowed to access particular content. It is effective in many ways. This architecture protects data from unauthorized access. The admin panel has all the rights to restrict a user's access to data and to edit the access rights of the user.
An RBAC system has two phases in assigning a privilege to a user. In the first phase, the user is assigned to one or more roles, and a role can have many users; here a role represents a specific job function within the organization, with the responsibilities associated with it. In the second phase, the roles are checked against the requested operation [1]. In RBAC, permissions are assigned to roles rather than to users; here a permission is an approval of a particular mode of access/operation to one or more objects in the system [5].
The family of RBAC models, as shown in figure 4, is defined in [5] as follows: RBAC0 is the base model with the minimum requirements; RBAC1 and RBAC2 include RBAC0 and add their own independent features. RBAC1 includes the concept of role hierarchies and RBAC2 includes constraints. RBAC3 includes RBAC1 and RBAC2 and, by transitivity, RBAC0.
A. Users: Users are both employees and network mechanisms and entities that require access to a specific resource object.
B. Permission: A permission is an approval of a particular mode of access/operation to one or more objects in the system.
C. Role hierarchy (RH): A role hierarchy is a natural way of organizing roles to reflect the organization's lines of authority and responsibility. By convention, junior roles appear at the bottom of hierarchic role diagrams and senior roles at the top, so hierarchic diagrams are partial orders (that is, reflexive, transitive and anti-symmetric) [5].
D. User assignment (UA): This is a many-to-many relation between users and roles, meaning that a user can be a member of many roles and a role can have many users.
E. Permission assignment (PA): This is also a many-to-many relation, between roles and permissions, meaning that a role can have many permissions and the same permission can be assigned to many roles.
F. Session: A session is a mapping of one user to possibly many roles. Each session is associated with a single user, and the permissions available to the user are the union of the permissions from all roles activated in that session.
G. Constraints: Constraints are predicates which, applied to these relations and functions, return a value of acceptable or not acceptable. For example, in most organizations the same individual will not be permitted to be a member of both of a pair of mutually disjoint roles, so constraints are used here to prevent the possibility of committing fraud.
RBAC supports three well-known security principles: least privilege, separation of duty (static and dynamic), and data abstraction. Least privilege is also known as least authority. In RBAC, least privilege is the assignment of the minimum set of privileges to a user associated with a role, according to their job necessities. Separation of duties is required for a particular set of transactions where no single individual may be allowed to execute all transactions within the set.
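The components A to G fit together as in the following added example, which is not code from the paper or from [5]: it combines UA, PA, a role hierarchy, sessions, and static and dynamic separation-of-duty constraints. The user, role and permission names are constructed, and applying the static constraint to inherited roles as well as directly assigned ones is an assumption of this sketch.

```python
class RBAC:
    """Users, roles, permissions, UA, PA, RH, sessions and constraints in one model."""

    def __init__(self):
        self.ua = set()      # user assignment: (user, role) pairs, many-to-many
        self.pa = set()      # permission assignment: (role, permission) pairs
        self.juniors = {}    # role hierarchy: senior role -> directly junior roles
        self.ssd = []        # static SoD: role sets one user may not hold together
        self.dsd = []        # dynamic SoD: role sets one session may not activate together

    def closure(self, role):
        """The role itself plus every junior below it (reflexive, transitive)."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors.get(r, ()))
        return seen

    def authorized_roles(self, user):
        return set().union(*(self.closure(r) for u, r in self.ua if u == user))

    def assign(self, user, role):
        """Add to UA unless the user's authorized roles would hit a static SoD set."""
        held = self.authorized_roles(user) | self.closure(role)
        for conflict in self.ssd:
            if len(conflict & held) > 1:
                raise ValueError(f"static SoD violation: {sorted(conflict & held)}")
        self.ua.add((user, role))

    def open_session(self, user, roles):
        """Activate a subset of the user's roles; returns (user, active_roles)."""
        active = frozenset(roles)
        if not active <= self.authorized_roles(user):
            raise PermissionError("user is not authorized for a requested role")
        for conflict in self.dsd:
            if len(conflict & active) > 1:
                raise PermissionError(f"dynamic SoD violation: {sorted(conflict & active)}")
        return user, active

    def permissions(self, session):
        """Union of permissions over the active roles and the juniors they inherit."""
        effective = set().union(*(self.closure(r) for r in session[1]))
        return {p for r, p in self.pa if r in effective}


def demo():
    """Constructed data: the purchasing / accounts payable conflict from the text."""
    m = RBAC()
    m.juniors = {"purchasing_manager": {"purchasing_clerk"}}
    m.pa = {("purchasing_clerk", "po:create"), ("purchasing_manager", "po:approve"),
            ("accounts_payable_manager", "invoice:pay"), ("auditor", "ledger:read")}
    m.ssd = [{"purchasing_manager", "accounts_payable_manager"}]
    m.dsd = [{"purchasing_manager", "auditor"}]
    m.assign("dana", "purchasing_manager")
    m.assign("dana", "auditor")
    try:
        m.assign("dana", "accounts_payable_manager")   # mutually disjoint roles
        ssd_blocked = False
    except ValueError:
        ssd_blocked = True
    session = m.open_session("dana", {"purchasing_manager"})
    try:
        m.open_session("dana", {"purchasing_manager", "auditor"})
        dsd_blocked = False
    except PermissionError:
        dsd_blocked = True
    return ssd_blocked, sorted(m.permissions(session)), dsd_blocked
```

The session holds only the activated role, so dana's auditor permission is absent from it even though the role is assigned, which is least privilege applied at session level.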
Conclusion
Role-Based Access Control is a model that provides an architecture in which the system administrator has the privilege to assign/grant, revoke and edit the roles of users. RBAC is offered as an alternative to traditional Discretionary Access Control (DAC) and Mandatory Access Control (MAC) policies and provides an improved security mechanism, but for all its benefits RBAC has some limitations: there is no constraint over the role/user relationship to set a maximum or minimum number of users per role, and there is no constraint on the number of transactions per user. It is therefore understood that attending to these limitations will restrict unauthorized access. This in turn will increase the scalability and efficiency of the system.
References
1. Wei-Tek Tsai, Qihong Shao, Role-Based Access-Control Using Reference Ontology in Clouds, in Proc. Tenth International Symposium on Autonomous Decentralized Systems (ISADS), 2011, p. 121-128.
2. Gouglidis Antonios, Towards new access control models for Cloud Computing Systems, in Proc. Kaspersky IT Security for the Next Generation European Cup, 2011.
3. David F. Ferraiolo and D. Richard Kuhn, Role-Based Access Controls, in Proc. 15th National Computer Security Conference, 1992, p. 554-563.
4. Michael P. Gallaher, Alan C. O'Connor, Brian Kropp, The Economic Impact of Role-Based Access Control, National Institute of Standards & Technology, Gaithersburg, RTI project No 07007.012, March 2002.
5. Ravi S. Sandhu, Edward J. Coyne, Hal L. Feinstein and Charles E. Youman, Role-Based Access Control Models, IEEE Computer, vol. 29, no 2, pp. 38-47, Feb 1996.
6. R. Chandramouli, R. Sandhu, Role-Based Access-Control Features in Commercial Database Management Systems, in Proc. 21st National Information Systems Security Conference, Crystal City, Virginia, Oct 1998.
7. Dong Xu, Cloud Computing an Emerging Technology, in Proc. International Conference on Computer Design and Application, Qinhuangdao, June 2010.
8. D. Richard Kuhn, Mutual Exclusion of Roles as a Means of Implementing Separation of Duty in Role-Based Access Control Systems, in Proc. Symposium on Access Control Models and Technologies, ACM New York, USA, 1997, p. 23-30.
9. Ravi Sandhu, David Ferraiolo, Richard Kuhn, The NIST Model for Role-Based Access Control: Towards a Unified Standard, in Proc. Symposium on Access Control Models and Technologies, ACM New York, USA, 2000, p. 47-63.