
Publication


Featured research published by Maarten Decat.


Journal of Internet Services and Applications | 2014

Middleware for efficient and confidentiality-aware federation of access control policies

Maarten Decat; Bert Lagaisse; Wouter Joosen

Software-as-a-Service (SaaS) is a type of cloud computing in which a tenant rents access to a shared, typically web-based application hosted by a provider. Access control for SaaS should enable the tenant to control access to data that are located at the provider side, based on tenant-specific access control policies. Moreover, with the growing adoption of SaaS by large enterprises, access control for SaaS has to integrate with on-premise applications, inherently leading to a federated set-up. However, in the state of the art, the provider completely evaluates all policies, including the tenant policies. This (i) forces the tenant to disclose sensitive access control data and (ii) limits policy evaluation performance by having to fetch this policy-specific data. To address these challenges, we propose to decompose the tenant policies and evaluate the resulting parts near the data they require as much as possible while keeping sensitive tenant data local to the tenant environment. We call this concept policy federation. In this paper, we motivate the need for policy federation using an in-depth case study analysis in the domain of e-health and present a policy federation algorithm based on a widely-applicable attribute-based policy model. Furthermore, we show the impact of policy federation on policy evaluation time using the policies from the case study and a prototype implementation of supporting middleware. As shown, policy federation effectively succeeds in keeping the sensitive tenant data confidential and at the same time improves policy evaluation time in most cases.


Nordic Conference on Secure IT Systems | 2010

Security of web mashups: a survey

Philippe De Ryck; Maarten Decat; Lieven Desmet; Frank Piessens; Wouter Joosen

Web mashups, a new web application development paradigm, combine content and services from multiple origins into a new service. Web mashups heavily depend on interaction between content from multiple origins and communication with different origins. Contradictorily, mashup security relies on separation for protecting code and data. Traditional HTML techniques fail to address both the interaction/communication needs and the separation needs. This paper proposes concrete requirements for building secure mashups, divided into four categories: separation, interaction, communication and advanced behavior control. For the first three categories, all currently available techniques are discussed in light of the proposed requirements. For the last category, we present three relevant academic research results with high potential. We conclude the paper by highlighting the most applicable techniques for building secure mashups, because of functionality and standardization. We also discuss opportunities for future improvements and developments.


Next Generation Internet | 2012

Toward efficient and confidentiality-aware federation of access control policies

Maarten Decat; Bert Lagaisse; Wouter Joosen

This paper presents our work in progress on efficient and confidentiality-aware access control for Software-as-a-Service applications. In SaaS, a tenant organization rents access to a shared, typically web-based application. Access control for these applications requires large amounts of fine-grained data, also from the remaining on-premise applications, often including sensitive application data. With current SaaS applications the provider evaluates both provider and tenant policies. This forces the tenant to disclose its sensitive access control data and limits policy evaluation performance by having to fetch this data. To address these challenges, we propose to decompose the tenant policies and deploy them across tenant and provider in order to evaluate parts of the policies near the data they require as much as possible, while taking into account the tenant confidentiality constraints. We present a policy decomposition algorithm based on a general attribute-based policy model and describe a supporting middleware system. In the future, we plan to refine this work and evaluate the impact on performance using real-life policies from research projects.


Network Operations and Management Symposium | 2014

Characterizing the performance of tenant data management in multi-tenant cloud authorization systems

Pieter-Jan Maenhaut; Hendrik Moens; Maarten Decat; Jasper Bogaerts; Bert Lagaisse; Wouter Joosen; Veerle Ongenae; Filip De Turck

Multi-tenancy leads to improved efficiency, improved scalability, and lower costs. With the recent evolution of Cloud Computing and Software-as-a-Service (SaaS) in particular, a flexible and scalable multi-tenant architecture is becoming highly important. In multi-tenant applications, each tenant has its own users and administrators and tenants even tend to be divided into multiple subtenants. As the number of tenants grows, the number of users and amount of data grows, thus a scalable architecture for the access control system is needed. The question arises how to distribute the users and data over multiple database instances. In this paper we present a hierarchical data management approach, taking performance metrics into account, for structuring the storage of tenant data in large multi-tenant environments. We introduce a logical representation of the tenants, the tenant tree, and make a mapping to the physical storage by introducing three models for load-balancing. Next, we focus on how to efficiently locate the required data and introduce multiple search approaches. We characterize the impact on the performance both theoretically and experimentally. Experiments confirm that the theoretical analysis is in line with the experimental results. When the amount of data increases significantly, dividing the data over multiple datastores in an efficient way will eliminate the overhead and lead to a performance gain, especially if most of the data is located at the leaf nodes of the tenant tree.


Annual Computer Security Applications Conference | 2015

Entity-Based Access Control: supporting more expressive access control policies

Jasper Bogaerts; Maarten Decat; Bert Lagaisse; Wouter Joosen

Access control is an important part of security that restricts the actions that users can perform on resources. Policy models specify how these restrictions are formulated in policies. Over the last decades, we have seen several such models, including role-based access control and more recently, attribute-based access control. However, these models do not take into account the relationships between users, resources and entities and their corresponding properties. This limits the expressiveness of these models. In this work, we present Entity-Based Access Control (EBAC). EBAC introduces entities as a primary concept and takes into account both attributes and relationships to evaluate policies. In addition, we present Auctoritas. Auctoritas is an authorization system that provides a practical policy language and evaluation engine for EBAC. We find that EBAC increases the expressiveness of policies and fits the application domain well. Moreover, our evaluation shows that entity-based policies described in Auctoritas can be enforced with a low policy evaluation latency.


ACM Symposium on Applied Computing | 2015

Amusa: middleware for efficient access control management of multi-tenant SaaS applications

Maarten Decat; Jasper Bogaerts; Bert Lagaisse; Wouter Joosen

Software-as-a-service (SaaS) has been a growing trend in cloud computing for several years. Moreover, SaaS providers are evolving to application-level multi-tenancy, in which all tenants share the application instances, platform and data store with the aim of maximizing resource sharing. For multi-tenant SaaS applications, access control often is the only application-level security mechanism. However, such access control is inherently complex because both the provider and all tenants should be able to specify their access rules for the application. Moreover, these rules must all be securely combined and correctly enforced in the shared multi-tenant application. To address this challenge, we present the Amusa access control middleware. Amusa enables both the provider and all its tenants to efficiently declare their access rules on the SaaS application. To achieve this, Amusa provides incremental three-layered management based on attribute-based tree-structured policies. Afterwards, Amusa securely combines the access rules of all parties and enforces them at run-time with low performance overhead.


Biomedical Engineering Systems and Technologies | 2015

On the Need for Federated Authorization in Cross-organizational e-Health Platforms

Maarten Decat; Dimitri Van Landuyt; Bert Lagaisse; Wouter Joosen

Health care is currently witnessing increased specialization as well as a need for integrated care delivery. As a result, care organizations should collaborate and in order to facilitate this, e-health collaboration platforms are being created. Access control is a primary concern for such cross-organizational platforms and efficient access control management is crucial to their adoption. Federated access control is a potential technique to achieve this and our experience in multiple research projects shows that federated authorization is an essential building block for future collaboration platforms. However, this technology still faces open research challenges. This paper wants to spark research on these challenges by motivating the need for federated authorization in the context of a real-world collaborative care platform. Based on this case study, we also discuss the state of the art and present a set of key requirements to realize wide-scale adoption of federated authorization in practice.


Annual Computer Security Applications Conference | 2015

Scalable and Secure Concurrent Evaluation of History-based Access Control Policies

Maarten Decat; Bert Lagaisse; Wouter Joosen

Many of today's applications are deployed on large-scale distributed infrastructures to handle large amounts of users concurrently. When applying access control to such applications, the access control policies must be evaluated concurrently as well. However, for certain classes of policies such as history-based policies, one access decision depends on the previous ones. As a result, concurrency can be exploited to achieve incorrect access decisions and privilege escalation. Moreover, general techniques for concurrency control are not able to scale to the size of current applications and at the same time provide the full consistency required for security. Therefore, we present an efficient concurrency control scheme specifically for access control. By leveraging the specific structure of a policy evaluation, this scheme is able to prevent incorrect decisions due to concurrency and at the same time scale to a large number of machines while incurring only a limited and bounded latency overhead. As such, this work facilitates the adoption of policy-based access control in realistic and large-scale applications.


Engineering Secure Future Internet Services and Systems | 2014

Privacy and Access Control in Federated Social Networks

Animesh Pathak; George Rosca; Valérie Issarny; Maarten Decat; Bert Lagaisse

Online social networks (OSNs) are increasingly turning mobile and further calling for decentralized social data management. This trend is only going to increase in the near future, based on the increased activity, both by established players like Facebook and new players in the domain such as Google, Instagram, and Pinterest. The increasing adoption of social networks in the workplace has further led to the development of corporate social networks such as those provided by Yammer, which was recently acquired by Microsoft. As individuals from different companies will need to interact as part of joint teams in these federated social networks, questions of privacy and access control arise. This chapter identifies the challenges concerning the above aspects, surveys the state of the art, and identifies directions of future research.


Next Generation Internet | 2013

Introducing concurrency in policy-based access control

Maarten Decat; Bert Lagaisse; Wouter Joosen; Bruno Crispo

Policy-based access control aims to decouple access control rules from the application they constrain by expressing these rules in declarative access control policies. Performance of policy-based access control is of growing importance, but concurrent and distributed policy evaluation has received little research attention and current policy evaluation engines are still single-machine and fully sequential to the best of our knowledge. We believe that concurrent policy evaluation is necessary to meet the performance and scalability requirements of next-generation internet applications and aid the maturation of policy-based access control. Therefore, this paper presents an initial exploration of concurrent policy evaluation. We illustrate the performance of current policy evaluation engines, model the performance of policy evaluation in terms of the characteristics of a policy, list opportunities for concurrency, describe the need for concurrency control and specifically show how concurrency can be used to improve throughput based on our prototype.

Collaboration


Dive into Maarten Decat's collaborations.

Top Co-Authors

Bert Lagaisse, Katholieke Universiteit Leuven

Jasper Bogaerts, Katholieke Universiteit Leuven

Frank Piessens, Katholieke Universiteit Leuven

Lieven Desmet, Katholieke Universiteit Leuven

Philippe De Ryck, Katholieke Universiteit Leuven

Dimitri Van Landuyt, Katholieke Universiteit Leuven

Jasper Moeys, Katholieke Universiteit Leuven