The Cloud technology takes Service Oriented Architecture to the next level, where applications and infrastructure can be outsourced over the internet. It affords flexibility to businesses in terms of the on-demand scalability of services as well as the corresponding payment model. However, these advantages do not make up for the inherent security weaknesses in the Cloud. Among various concerns, Cloud providers struggle to provide adequate authorization mechanisms that would protect customer's critical data. In this regard, Usage Control (UCON) is considered to be the next generation model for digital rights management for all the service models of Cloud. Limited literature work exists on the UCON model; however, new tracks need to be laid out to make this model comply with international standards and policy languages. This chapter provides standardized UCON policy specifications, which will help in the effective development of access control for the Cloud environment.
TopIntroduction
Recently, the adoption of Cloud technology has experienced a substantial boom, and many small and medium business organizations have moved to Cloud in order to gain faster access to applications and boost their underlying infrastructure resources at very economical rates. Gartner has predicted that in the next three years Cloud adoption will continue to grow to the point that it will contribute as one of the largest portions of IT expenditure (Heiser & Nicolett, 2008). NIST (Mell & Grance, 2011) has listed five major features of Cloud computing which contribute towards the popularity of the paradigm within the IT industry: on-demand self-service, broad network access, resource pooling, rapid elasticity and measured services. Furthermore, according to NIST, Cloud providers facilitate the delivery of various services through Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) or Infrastructure-as-a-Service (IaaS) delivery models. The SaaS model allows consumers to access the provider’s applications over the internet, for instance Google Apps (Google Apps for Work, n.d.) and Dropbox (Dropbox, n.d.), Microsoft Azure (Azure, n.d.) and Google App Engine (Google App Engine, n.d.) are popular examples of PaaS that enable consumers to deploy their own applications on the Cloud infrastructure. IaaS, on the other hand, allows Cloud providers to lend computing resources and some of the important vendors are RackSpace (RackSpace, n.d.) and IBM SmartCloud (IBM SmartCloud, n.d.), both of which use OpenStack (OpenStack, n.d.) for the Cloud infrastructure.
While the Cloud technology offers numerous advantages, it also comes with a minefield of security issues which require significant exploration and research, thus ensuring its rapid adoption. Some of the most prevalent security issues that need to be addressed include unsecure data management, risks from malicious insiders, attacks on identity management systems, privacy, leakage of confidential data and authorized access to user’s data stored at Cloud. Among the aforementioned concerns, continuous monitoring and authorization of Cloud resources is a very essential security requirement for the Cloud paradigm, and is also one of the most challenging issues. According to a survey conducted in (Masaharu, 2010), 37% of the consumers have declared access control as the major concern in Cloud security. Likewise, another survey has been conducted by Intel among the top IT professionals of four different countries. According to this, 63% of IT experts consider access control as the most challenging and critical issue in the Cloud that needs adequate solutions for protecting the Cloud resources (Intel IT Center, 2012).
In order to properly address this issue, various researchers and professionals have come up with new authorization techniques for the Cloud. Numerous Cloud based access control models have been proposed that specify selective restrictions of access and user’s permissions to Cloud resources in a static way. Each of these access control models has certain limitations and different criteria to define access restrictions (Mon & Naing, 2011). One of the well-known access control models is the Privacy aware access control system (ARBAC) for Cloud which is a combination of two traditional models i.e. role based access control (RBAC) (Sandhu, 1998) and attribute based access control (ABAC) (Lang, Foster, Siebenlist, Ananthakrishnan, & Freeman, 2006). However, ARBAC targets different aspects of Cloud authorization, mainly focusing on providing authorization for particular Cloud scenarios prior to allowing access to the requested resource. Furthermore, models like ARBAC do not facilitate the revocation of privileges during the usage of Cloud resources. In these access control models, the access rights need to be pre-defined and assigned to subjects, before executing any access control request. Likewise, they do not consider the essential environment attributes and consumable rights for access control decisions. In distributed and multi-tenant Cloud environment, there is need for more flexible and dynamic access control models that can meet all the authorization requirements of Cloud resources during the complete usage session.