
Research on Access Control Security in Cloud Computing Environment


Academic year: 2020



2017 2nd International Conference on Computer Science and Technology (CST 2017) ISBN: 978-1-60595-461-5

Research on Access Control Security in

Cloud Computing Environment

You-yan DUAN 1 and Ke HAN 1,a*

1 School of Electrical Engineering, Kunming Metallurgy College, Kunming, China, 650300

a [email protected]

* Corresponding author

Keywords: Cloud computing, Cloud security, Access control, Access control policy, Access control model.

Abstract. With the popularization and development of cloud computing, security problems have attracted more and more attention from researchers, and access control security is particularly important. In this paper, we give a review of access control technology in the cloud computing environment. In the first section, the basic theory of access control is introduced. Then, section 2 expounds the main access control models of the Amazon cloud platform, Windows Azure, Google Cloud and BaiduCloud; section 3 analyzes the mainstream open source cloud platforms and the access control of their different components; section 4 mainly studies the cloud computing environment; section 5 proposes a system that implements a hypervisor-based access control mechanism. Finally, the advantages and disadvantages of this research are analyzed, and perspectives for further study are suggested.

Introduction

With the development of cloud computing, cloud security has become an increasingly critical problem. In the cloud computing environment, the user cannot determine whether the data and computation are under control, whether the data is protected, or whether the computing task is properly executed, so corresponding security mechanisms and architectures are needed to protect the confidentiality, integrity and availability of user data [1,2-5]. This paper analyzes the framework of access control technology in the cloud computing environment. The access control problem is reviewed starting from cloud computing access control models, and the access control mechanisms of cloud service providers are researched. Finally, the future research trend is forecast.

Cloud Access Control Model


assigning the corresponding security credentials to the user and managing their permissions. 2) ACL (account-level access control policy). Access rights are based on resource permissions, centered on the object and the bucket, which define which Amazon account may access the object and bucket. 3) Bucket Policy. Combining user-level and account-level control strategies, a bucket policy can control not only which users access the bucket but also access from specific source IP addresses. In addition, the Bucket Policy allows other accounts to upload to the bucket, implementing cross-account access control. Figure 1 shows the difference between IAM Policy and Bucket Policy. 4) Query string authentication. This mechanism uses a URL to share data objects with other users: the shared data is accessed by attaching a signature and an expiration date to the URL.

Windows Azure, the Microsoft cloud, defines three kinds of data storage: Blob, Table and Queue. Among them, Blob is used to store large data (such as pictures, video, etc.), Table provides structured storage for maintaining service state, and Queue provides asynchronous distribution of task data. Windows Azure has two main aspects of access control management: 1) Shared access signature. Within a specific time interval, the three kinds of data storage access shared data through a URL with its attached signature and validity period. 2) Blob policy. A Blob container-level access policy provides an additional level of control over shared access signatures from the server side. Container-level access policies group shared access signatures and further restrict the signatures constrained by the policy. The user can use the container-level access policy to change the start time, expiration time or permissions of a signature, or revoke the signature after it has been issued.

On the other hand, Microsoft is also committed to the development of access control products [14]. Together with VMware, it put forward NVGRE (network virtualization GRE) and VXLAN (virtual extensible LAN) to solve cross-data-center problems such as large-scale VLAN communication and virtual machine migration. The former uses L2oUDP encapsulation and supports 16M tenant IDs; the latter uses L2oGRE encapsulation and supports 16M tenant IDs.

The main feature of these two technologies is that the tunnel begins and ends on the virtual switch rather than on a physical switch, in order to achieve rapid deployment and the flexibility to create a virtualized network. Both proposals address the same problem: a VLAN supports a maximum of 4,094 segments and cannot support multiple cloud tenants and applications. The difference lies in where the destination address is stored.


account, the mechanism is similar to Amazon's query string authentication, which also accesses shared data by attaching a signature and expiration date to the URL.

The BaiduCloud Storage (BCS) service currently supports two ways to access storage resources: 1) URL signature: the identity of the visitor is established by signing the URL, enabling user authentication [12]. The developer signs the request with the Access Key and Secure Key, and BCS determines the identity of the user who initiated the request from the signature. 2) ACL: the access control authority of buckets and objects is managed by an ACL, which sets the bucket and object policy. Cloud storage users can grant control permissions to other users by setting the policy [13].
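The signed-URL scheme that the Amazon, Windows Azure, Google Cloud and BaiduCloud passages above all describe, as an added example that is not from the paper or from any of those providers: an HMAC over the method, path, expiry and key id, verified on the storage side with an expiry check and a constant-time comparison. The key id, secret, query parameter names and canonical string are constructed assumptions, not any provider's actual format.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed key id and secret for this example only; not real credentials.
ACCESS_KEY = "EXAMPLEKEY"
SECRET_KEY = b"example-secret-key"


def canonical_string(method, path, expires, access_key):
    """What is signed: method, object path, expiry and key id, newline-joined."""
    return "\n".join([method, path, str(expires), access_key])


def sign_url(base, method, path, ttl_seconds, now=None):
    """Issuer side: attach an expiry and an HMAC-SHA256 signature to the URL."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    msg = canonical_string(method, path, expires, ACCESS_KEY).encode()
    sig = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    query = urlencode({"AccessKey": ACCESS_KEY, "Expires": expires, "Signature": sig})
    return f"{base}{path}?{query}"


def verify_url(url, method, now=None):
    """Storage side: accept only an unexpired URL whose signature matches the
    request actually being made (method and path), compared in constant time."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    try:
        key, expires, sig = q["AccessKey"][0], int(q["Expires"][0]), q["Signature"][0]
    except (KeyError, ValueError):
        return False, "missing or malformed parameters"
    if key != ACCESS_KEY:
        return False, "unknown access key"
    if now >= expires:
        return False, "expired"
    msg = canonical_string(method, parsed.path, expires, key).encode()
    expected = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"
```

Because the method and path are part of the signed string, a URL issued for one object cannot be re-pointed at another object or reused with a different verb.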

Access Control Technologies and Open Source Cloud Platforms

At present, the mainstream open source cloud platforms are mainly OpenStack, CloudStack and Eucalyptus [6-9]. Of the three products, the most popular is OpenStack. In access control performance this open source cloud platform is a very attractive choice for market customers seeking flexibility and customization of the cloud environment. All three have very high security and can ensure an effective distinction between different user levels and permissions, so that virtual machines can be accessed only under a strict control policy. The three build a group of security rules (ACLs or iptables); administrators and authorized users control the access flow of virtual machines through these security rules to achieve the effect of access control.


There are many differences in access control components, user-level distinction, and virtual machine and network access. The Keystone component of OpenStack uses a unified token authentication method: from authentication to applying for virtual machines, images and network services, the various modules confirm the user by the token. OpenStack can allocate the corresponding identity authorization to users through confirmation of the token. Figure 1 shows the access control flow of Keystone in OpenStack.

Figure 1. Access control flow of Keystone in OpenStack.

The Hypervisor Implement Virtual Machine Access Control


The UCON model can also be used to model access control management in cloud computing. It manages evidence exchange, authorization and other issues to ensure that cloud virtual machine access control is achieved by the hypervisor through the UCON model.

We propose a multi-tenant access control mechanism based on the hypervisor. This approach to cloud access control has better scalability and robustness. The hypervisor can dynamically change the virtual machine access control strategy according to the communication situation between the source and destination virtual machines. The access control policies include tenant isolation, tenant services, fair sharing, rate limiting, and so on. The concrete implementation plan in Figure 2 is CloudAccessPolice. Its main idea is: when a data flow arrives, the source hypervisor sends the destination hypervisor a control packet carrying the policy before sending the data stream. The destination hypervisor checks the packet: the data flow is accepted if the policy is appropriate; otherwise the data flow is reduced and feedback is given to the source hypervisor.


When a new data flow from a VM is controlled, the source hypervisor sends a control packet specifying the security group of the target VM, i.e. the access control policy for the packets to be sent. When the destination hypervisor receives such a control packet, it checks the policy for the target VM. If the policy allows the flow, the target hypervisor creates flow state, and subsequent packets of the flow are forwarded to the destination VM using this entry. If the traffic is not allowed, or should be rate-limited, the target hypervisor sends the packet back to the source hypervisor, which blocks or rate-limits the flow at the source virtual machine. By default, traffic from a virtual machine is blocked if the policy does not include a rule for it.

Figure 2. Workflow of CloudAccessPolice.

Policy conditions are not only based on the current traffic, which would be stateless; they can also be based on state recorded from past traffic. Any record can serve as state; for our example, we put forward a basic set of four kinds of state: incoming flows (the number, arrival rate and arrival time of flows from a given source host/group); input bytes (the number of bytes received from a given source host/group); output flows (flows started locally); and rejected flows (usually the number of locally refused TCP connections, as in a port scan).
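The control-packet check, default-deny flow state and four kinds of per-source state described above, as an added example that is not the paper's CloudAccessPolice code: a simulated destination hypervisor applying tenant isolation and a byte-budget rate limit. The class and method names, the tenant table and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed simulation of the destination hypervisor's policy check; the
# tenant table, thresholds and names are assumptions for this example only.
class DestinationHypervisor:
    def __init__(self, tenant_of_vm, rate_limit_bytes):
        self.tenant_of_vm = tenant_of_vm          # vm -> tenant (constructed table)
        self.rate_limit_bytes = rate_limit_bytes  # per-source byte budget
        self.allowed_flows = set()                # flow state created on 'accept'
        # The four kinds of state from the text, keyed by source VM.
        self.incoming_flows = defaultdict(int)    # flows admitted from a source
        self.input_bytes = defaultdict(int)       # bytes received from a source
        self.output_flows = defaultdict(int)      # flows started by local VMs
        self.rejected_flows = defaultdict(int)    # locally refused connections

    def control_packet(self, src_vm, dst_vm, dst_port):
        """Check the policy carried by the source hypervisor's control packet.
        Returns 'accept', 'limit' or 'block' as feedback to the source side."""
        src_t, dst_t = self.tenant_of_vm.get(src_vm), self.tenant_of_vm.get(dst_vm)
        # Tenant isolation: unknown VMs and cross-tenant flows are blocked.
        if src_t is None or src_t != dst_t:
            self.rejected_flows[src_vm] += 1
            return "block"
        # Fair sharing: a source over its byte budget is slowed, not cut off.
        if self.input_bytes[src_vm] >= self.rate_limit_bytes:
            return "limit"
        self.incoming_flows[src_vm] += 1
        self.allowed_flows.add((src_vm, dst_vm, dst_port))
        return "accept"

    def data_packet(self, src_vm, dst_vm, dst_port, nbytes):
        """Forward a data packet only if flow state exists (default deny)."""
        if (src_vm, dst_vm, dst_port) not in self.allowed_flows:
            self.rejected_flows[src_vm] += 1
            return False
        self.input_bytes[src_vm] += nbytes
        return True

    def local_flow_started(self, local_vm):
        """Record a flow that a local VM initiated (the 'output flow' state)."""
        self.output_flows[local_vm] += 1

    def port_scan_suspect(self, src_vm, threshold=10):
        """Many locally refused connections from one source look like a port scan."""
        return self.rejected_flows[src_vm] >= threshold
```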


operating system realizes mandatory access control. The results show that the multi-tenant structure based on the operating system costs less.

Conclusion

The current industry has achieved some basic access control technologies in its cloud platforms [10,11], but there are many common problems. First, cloud platform service providers offering cloud storage services use traditional access control technology to ensure the security of access to stored data. Second, most cloud platform service providers achieve access control of data in the cloud based on RBAC, but do not take into account the challenges that the new features of cloud computing pose to traditional access control technology, and there is a lack of theoretical access control models for the cloud environment. Third, many vendors provide some IaaS-oriented access control services, but without combining access control services with SaaS, so access control technology in industry needs continued exploration and research. The proposed mechanism is designed to meet the need for access control in the era of cloud computing by providing flexibility to support policies in multi-tenant environments, network independence that decouples access control from the network, and scalability to handle hundreds of thousands of servers and users.

Our work is likely the first step toward a public API and access control mechanism that can be used across multiple cloud providers. We believe it is sufficient and advantageous to realize access control only at the end host, in the hypervisor. We propose CloudAccessPolice, a new access control mechanism in the hypervisor that provides the above attributes. Because the virtual machine monitor is fully software-programmable, CloudAccessPolice can provide a wide range of classes of multi-tenant access control policy. In addition, by embedding access control in the virtual machine monitor, our solution is independent of the network architecture, and we avoid the unnecessary development of access-control-specific protocols and network equipment.

Acknowledgment

This research was supported by the Natural Science Fund of the Yunnan Provincial Department of Education of China (No. 2016ZZX241) and the Natural Science Fund of Kunming Metallurgy College, Yunnan (No. 2015XJZD003; No. 2015XJQN004).

References

[1] Erik, R. Axiomatics AB. OASIS eXtensible Access Control Markup Language (XACML) Versions 3.0. OASIS Open, 2013.


[4] Yang, K., Jia, X. H., Ren, K., Zhang, B. DAC-MACS: Effective data access control for multi-authority cloud storage systems. In: Proc.of the 2013 IEEE INFOCOM. 2013. [doi: 10.1109/INFCOM.2013.6567100]

[5] Liu, X. J., Xia, Y. J., Jiang, S., Xia, F. B., Wang, Y. B. Hierarchical attribute-based access control with authentication for outsourced data in cloud computing. In: Proc. of the 2013 12th IEEE Int'l Conf. on Trust, Security and Privacy in Computing and Communications. 2013. [doi: 10.1109/TrustCom.2013.60]

[6] S. Han, K. Jang, K. Park, and S. Moon. PacketShader: a GPU-Accelerated Software Router. In ACM SIGCOMM, 2010.

[7] Y.-W. E. Sung, S. Rao, G. Xie, and D. Maltz. Towards Systematic Design of Enterprise Networks. In ACM CoNEXT, 2008.

[8] M. Dobrescu, N. Egi, K. Argyraki, B.-g. Chun, K. Fall, G. Iannaccone, A. Knies, M. Manesh, and S. Ratnasamy. RouteBricks: Exploiting Parallelism to Scale Software Routers. In ACM SOSP, 2009.

[9] P. Garimella, Y.-W. E. Sung, N. Zhang, and S. Rao. Characterizing VLAN usage in an operational network. Workshop on Internet Network Management, 2007.

[10] A. Greenberg, J. Hamilton, D. A. Maltz, and P. Patel. The Cost of a Cloud: Research Problems in Data Center Networks. Comput. Commun. Rev., 2009.

[11] A. Greenberg, J. R. Hamilton, N. Jain, S. Kandula, C. Kim, P. Lahiri, D. A. Maltz, P. Patel, and S. Sengupta. VL2: A Scalable an

[12] A. Shieh, S. Kandula, A. Greenberg, and C. Kim. Seawall: Performance Isolation for Cloud Datacenter Networks. HotCloud, 2010

[13] Srikanth K and Sudipta Sengupta and Albert Greenberg and Parveen Patel and Ronnie Chaiken. The Nature of Datacenter Traffic: Measurements & Analysis. In Internet Measurement Conference. ACM, November 2009.

[14] Y.-W. E. Sung, S. Rao, G. Xie, and D. Maltz. Towards Systematic Design of Enterprise Networks. In ACM CoNEXT, 2008.
