ISSN: 2005-4238 IJAST 9 Copyright ⓒ 2019 SERSC
An Access Control-based Distributed Cloud Big Data File using an XACML Framework
A. A. Abd El-Aziz (1,2) and Ayman Mohamed Mostafa (1,3)
(1) Jouf University, College of Computer and Information Sciences, KSA
(2) Cairo University, Faculty of Graduate Studies for Statistical Researches, Egypt
(3) Zagazig University, Faculty of Computers and Informatics, Egypt
E-mail: [email protected], [email protected], [email protected]
Abstract
A cloud is an IT environment designed for remotely provisioning scalable and metered IT resources. Big data describes data sets that cannot be handled with traditional tools: their volume starts at dozens of terabytes and reaches petabytes, so they can neither be kept in local storage nor analyzed with traditional tools. Cloud storage is a promising solution for storing big data files.
However, keeping a big data file in a single cloud storage exposes it to threats. In this paper, an access control approach based on the XACML framework is proposed to guarantee data security and privacy. Access to the big data file is controlled using the XACML framework and a proof of ownership (POW) methodology. In the proposed approach, the big data file is stripped into parts, which are encrypted and distributed over multiple cloud storage devices. A metadata file records the locations of the stripped parts, their access paths and the secret key of each part. The metadata file is itself encrypted and stored in a different cloud storage. To maintain the availability and performance of the stripped parts, a mirror copy of each part is generated and distributed across several cloud disks.
Moreover, access to the metadata file is controlled through the XACML framework, which generates a security token for sending responses and receiving user requests to decrypt data, based on the attributes previously stored in the XACML policy. The security mechanism is strengthened by adding a fingerprint biometric authentication factor. Therefore, the metadata can be accessed only by authorized users through the XACML framework.
Finally, if a cloud storage holding one part of the file is breached, the intruder obtains only that part and cannot reconstruct the whole file. The proposed approach therefore ensures the security of a big data file across cloud storage devices.
Keywords: Big data, cloud storage, XACML framework, access control, stripped files
1. Introduction
XML is a common format for exchanging data over the web and is increasingly adopted in communication networks. XML documents carry essential information, such as scientific and financial data, so a controlled approach to the contents of XML documents is needed to protect this critical data: only customers accredited to access parts of an XML document should be granted access to that data. "Access control for XML documents should ideally provide expressiveness, modularity, interoperability, and efficiency. The expressiveness assures that a good variety of security policy specifications may be written. Modularity concerns policies composition while interoperability concerns the ability of policies to interact. Finally, efficiency assures the ability to determine whether the access to an element is granted or denied by the security policy" [1]. XML documents can be stored in native XML, relational or hybrid relational-XML databases, and many approaches have been proposed to protect native XML databases and to control access to XML documents stored in relational databases. XACML (eXtensible Access Control Markup Language) is the result of an OASIS (Organization for the Advancement of Structured Information Standards) standardization effort that proposes an XML-based language to express and exchange access control policies [18]. The standard defines a declarative access control policy language implemented in XML. The policy language follows the Attribute Based Access Control (ABAC) model and is used to build expressions that formulate access control policies, which specify who can do what and when.
In recent years, cloud computing has become a prominent part of the IT industry; companies such as Microsoft, Amazon, IBM and Google supply cloud services to their users [12]. Because of its benefits, more people are moving towards cloud adoption. Cloud Service Providers (CSPs) allow customers to store their applications and data in the cloud [2]. Cloud computing is a set of IT resources and services offered over the web to customers on demand [6]. Cloud storage is a technology in which customers store their data on shared computing and storage resources reached over the Internet.
Cloud storage gives people quick access to all of their vital and personal data [19]. Although cloud computing is a new technology for corporations and users, it also brings new data security risks. The main risk of storing data in cloud storage is trust. Cloud providers promise data security by deploying security technologies, and they encrypt the data held on their storage devices with a key that only they use. This stops data theft by external intruders, but it does not defend against theft of the encryption key or against insider threats. When there are malicious activities inside the storage provider, consumer data can easily be harmed.
Therefore, a consumer must trust the assurances of the provider [24]. Moreover, the lack of trustworthiness in cloud storage leads to a privacy issue: how can the owner of the data guarantee that the data is accessed only by authorized users? When data is stored remotely on a cloud storage device, the owner cannot observe or detect accesses to the data from inside the storage provider [24].
In modern information technology, big data is a hot topic and its security is becoming one of the major concerns [15]. Big data is generated by electronic sensors and consists of text, images, sound and video. Its size is gigantic, at the level of terabytes or petabytes, and storing, processing and analyzing it is hard because of that enormous size. One way to store big data is to place it on a cloud storage device [24].
Big data and cloud computing go together: big data uses distributed cloud storage technology built on cloud computing rather than local storage [15]. Hence the key problem of cloud storage is the security of big data. To avoid this problem, the big data file should be encrypted and its access should be controlled, i.e., an unauthorized user or the cloud provider should be prevented from accessing the encrypted data [21]. However, encrypting a big data file as a whole is impractical because of its size. Symmetric encryption can be used to encrypt a big data file, since it handles large amounts of data and performs encryption and decryption faster than public-key encryption [5], but decrypting the whole file back to its original form still takes a long time [24]. Symmetric key distribution is another difficult problem, because the sender must deliver the symmetric key together with the ciphertext for the receiver to decrypt it [25]. In this paper, we propose a solution to the data security and privacy problem over cloud storage by dividing the big data file into segments and distributing them, encrypted, over various cloud storage devices. In addition, the metadata is encrypted, stored in a different cloud storage and secured by the XACML framework. The metadata file includes the location of the segments, their access paths and the secret key of each part file. Encrypting the metadata file is easy because it is far smaller than the original big data file. Hence the metadata is accessed only by authorized users, and even if a cloud storage containing a part file is breached, the intruder gets only a part of the big data file and cannot rebuild the original. The proposed approach controls access to the metadata file by generating a security token and using a fingerprint for consumer authentication, so the metadata file is protected from access by unauthorized users or cloud providers and remains confidential even if a cloud storage is breached. In the proposed approach, the XACML access control policy language enhances the integrity and confidentiality of data over the cloud [8]. The remainder of this paper is organized as follows. Related work is introduced in Section 2. Section 3 gives a brief introduction to the XACML framework. The proposed technique is described in Section 4. A comparative study is presented in Section 5. Section 6 shows the experimental results. Section 7 concludes the paper.
2. Related Work
HAIL was introduced in [7]. HAIL is a high-integrity and high-availability layer based on RAID principles. HAIL does not address data privacy: it is a distributed system in which a group of servers lets a client verify that his stored file is intact and retrievable. The proposed approach, in contrast, provides the privacy and security of a big data file by applying the XACML framework.
SCMCS, proposed in [22], is a distribution system in which the consumer splits and distributes his data among the cloud providers available in the market. SCMCS lets the consumer choose providers so that the quality of service for accessing the data is ensured at the place of retrieval. However, the choice made by SCMCS does not ensure that these providers are not breached and does not ensure the privacy of the data.
[4] proposed DepSky, which presents an object-store interface built on passive storage clouds. DepSky provides data integrity through cryptographic hashes. DepSky has three parties: cloud providers, readers and writers. Because there is no active server component, the system cannot rely on a server to police malicious writers; many simultaneous writers are coordinated through client-side locks. Confidentiality is optionally supported through secret-sharing techniques.
[14] proposed SeDiCo, a method based on the principle of vertically distributed databases. SeDiCo partitions the essential database tables vertically and uploads the partitions to various cloud providers. Reconstructing the data after distribution relies on an in-memory database approach.
[20] proposed the TrustyDrive model, a storage model spanning several cloud providers that gives consumers data privacy and trustworthy storage. Data privacy in this model rests on two rules: user anonymity and document anonymity. Document anonymity ensures that cloud storage providers do not know which documents are stored on them. User anonymity protects consumers by hiding the link between consumers and their stored documents. To achieve this anonymity, consumers split their documents among multiple cloud providers, so no provider holds a whole document; the division of the documents is performed at the user level.
In [3], the data is divided and distributed over different public clouds: the data is encrypted with AES using a 256-bit key, and the encrypted data is then sliced into pieces. The metadata is stored securely in a private cloud and contains passwords, the secret key of each file and encrypted access paths. In this approach, hackers and intruders cannot retrieve the data. In [16], data is classified as sensitive or normal. Normal data is uploaded to a single cloud server, while the sensitive part is divided into two parts that are uploaded to two cloud servers. In [12], a Dynamic Data Encryption Strategy model is proposed that encrypts data to preserve privacy in mobile cloud computing.
[24] proposed distributing a big data file over multiple cloud storage devices. The data owner divides the file into equal segments and spreads them over several cloud storage devices. The system requires little complexity to ensure security. The metadata is stored locally and protected by the data owner; because it is kept on the owner's machine, it may be breached. In the proposed technique, by contrast, the metadata is encrypted and its access is controlled by the XACML framework and proof of ownership (POW) methodologies, so the metadata remains secure even if a cloud storage is threatened.
3. Extensible Access Control Markup Language (XACML)
XACML [18] is an XML-based language for expressing access control policies. It combines two languages: an access control policy language and a request/response language. The policy language follows the ABAC model for building the policies that drive the security mechanisms; it defines the constraints and conditions under which a subject may access a resource and perform an action in a particular environment. The policy language is extensible, efficient and expressive enough to control access to resources. The request and response language describes the subjects' requests to access resources and carries the authorization decisions, whether access is granted or denied. The main benefit of XACML is that it controls access not only to XML documents but to many kinds of resources. Moreover, XACML has standard data types, functions and combining algorithms. The XACML framework contains four main components, explained as follows.
1. Policy Enforcement Point (PEP) receives the view or write request from the user, turns it into an authorization request, and enforces the decision that comes back.
2. Policy Decision Point (PDP) evaluates the applicable policies and decides whether the request is permitted or denied.
3. Policy Administration Point (PAP) performs policy management: creating, storing and maintaining the policies that the PDP evaluates.
4. Policy Information Point (PIP) retrieves the additional attribute values (about the subject, the resource or the environment) that the PDP needs in order to evaluate a policy.
Figure 1. An XACML Framework
The XACML framework is shown in Figure 1 and works as follows:
1. The user sends a request to the PEP to view or write data.
2. The PEP performs two operations:
a. converts the received request into an XACML authorization request;
b. sends the authorization request to the PDP.
3. The PDP retrieves the applicable policies from the PAP, where policy management is performed.
4. The PDP obtains any missing attribute values from the PIP, evaluates the policies, and returns the final decision, whether the user request is granted or denied, to the PEP.
<PolicySet>, <Policy> and <Rule> are the primary elements of an XACML policy. Every XACML policy document starts with a root element that is a <PolicySet>, a <Policy> or a <Rule>. A <Policy> holds one or more <Rule> elements, and the core logic of a policy lives in its rules. The <Condition> of a rule carries the decision logic: a Boolean expression that refines the rule's applicability. If the <Condition> evaluates to true, the rule yields its Effect (Permit or Deny); if it evaluates to false, the rule is NotApplicable, and when no rule or policy applies to a request the PDP returns NotApplicable to the PEP. When a <PolicySet> contains several <Policy> elements, the PDP must reconcile the effects returned by all of them, so a policy-combining algorithm is declared in the <PolicySet> and the PDP derives the final authorization decision from it. Likewise, when a <Policy> contains several <Rule> elements, the PDP reconciles the decisions of all the rules through the rule-combining algorithm declared in the <Policy>. In addition, XACML provides a <Target> element holding a set of attribute values for the subject, resource, action and environment. The attributes of a request must match the <Target> of a <PolicySet>, <Policy> or <Rule> for that element to apply to the request; only a <PolicySet>, <Policy> or <Rule> whose <Target> matches takes part in deciding the request [13].
4. The Proposed XACML Framework for Distributed Big Data File
If a big data file is stored in a single cloud storage, it may be accessed by illegal users once that cloud storage is compromised; moreover, searching the entire file performs poorly. This paper proposes an access control technique for big data files based on the XACML framework that provides data security, privacy and performance by stripping the big data file into a set of part files and storing them as encrypted parts over many cloud storage devices. After dividing the file, a metadata file is created [24] that holds the parts' locations, their access paths and the secret key of each part. We encrypt the metadata file and store it on a separate cloud storage device. Access to the metadata file is controlled by the XACML framework together with a proof of ownership (POW) approach.
Therefore, only legal users can reach the metadata of the big data file, and only through the XACML framework. A symmetric cipher such as AES is used to encrypt both the metadata and the parts of the big data file. The proposed access control approach based on the XACML framework is depicted in Figure 2:
Figure 2.The Proposed Access Control Approach
As depicted in Figure 2, an enhanced access control technique over encrypted data is proposed based on the XACML framework and the Proof of Ownership (POW) methodology. The approach is explained layer by layer as follows.
4.1 Encryption Layer
In the encryption layer, the big data file is prepared through the following steps:
1. The data owner divides the big data file into stripped part files and builds the metadata file that records the location, access path and secret key of each part.
2. The data owner encrypts the stripped part files and the metadata file using AES.
3. The data owner creates an XACML policy whose <Target> names, in its <Subject> attributes, the users authorized to access the metadata file, and stores the policy in the PAP's database in a cloud.
4. The data owner distributes the parts of the big data file and the metadata file over several cloud storage devices.
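The encryption layer above (stripping the file, encrypting each part under its own key, recording keys and locations only in an encrypted metadata file, and mirroring parts across clouds), as an added runnable model that is not the paper's code. It assumes in-memory dictionaries in place of cloud storage devices, a fixed rotation for placing mirror copies, and a metadata key that the data owner keeps outside the clouds; all of these are assumptions. The paper specifies AES; to stay on the Python standard library this block substitutes an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, which should be replaced by AES-GCM in a real deployment.

```python
"""Encryption layer of Section 4.1 as a runnable model (added example).
Stores are dicts standing in for cloud storage devices; the cipher is an
HMAC-SHA256 counter-mode stand-in for AES, with an encrypt-then-MAC tag."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Tuple

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate keystream and MAC keys from one 256-bit part key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR).
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before using the ciphertext; tampered parts are rejected."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def stripe_and_distribute(data: bytes, part_size: int, clouds: List[str],
                          mirrors: int = 2) -> Tuple[dict, Dict[str, Dict[str, bytes]]]:
    """Split data into parts, encrypt each under a fresh key, and place every
    part on `mirrors` different clouds. Returns (plaintext metadata, stores)."""
    stores: Dict[str, Dict[str, bytes]] = {c: {} for c in clouds}
    parts_meta = []
    parts = [data[i:i + part_size] for i in range(0, len(data), part_size)]
    for idx, part in enumerate(parts):
        key = secrets.token_bytes(32)          # one secret key per part
        blob = encrypt(key, part)
        locations = []
        for m in range(mirrors):
            cloud = clouds[(idx + m) % len(clouds)]   # rotate: no cloud holds everything
            path = f"/parts/{idx:04d}.bin"
            stores[cloud][path] = blob
            locations.append({"cloud": cloud, "path": path})
        parts_meta.append({"index": idx, "key": key.hex(),
                           "sha256": hashlib.sha256(part).hexdigest(),
                           "locations": locations})
    return {"size": len(data), "parts": parts_meta}, stores


def protect_metadata(metadata: dict, metadata_key: bytes) -> bytes:
    """The metadata file is the only place the part keys live; store it encrypted."""
    return encrypt(metadata_key, json.dumps(metadata).encode())


def reassemble(metadata_blob: bytes, metadata_key: bytes,
               stores: Dict[str, Dict[str, bytes]], unavailable=()) -> bytes:
    """Decrypt the metadata, then fetch each part from the first mirror that is
    reachable and passes both the MAC and the recorded SHA-256."""
    metadata = json.loads(decrypt(metadata_key, metadata_blob))
    out = []
    for p in metadata["parts"]:
        key = bytes.fromhex(p["key"])
        for loc in p["locations"]:
            blob = stores.get(loc["cloud"], {}).get(loc["path"])
            if loc["cloud"] in unavailable or blob is None:
                continue
            try:
                part = decrypt(key, blob)
            except ValueError:
                continue  # tampered copy: fall through to the next mirror
            if hashlib.sha256(part).hexdigest() == p["sha256"]:
                out.append(part)
                break
        else:
            raise RuntimeError(f"part {p['index']} unavailable on all mirrors")
    return b"".join(out)
```

A store that is breached yields only encrypted blobs: without the metadata file the intruder has no part key, and a blob decrypted under a wrong key fails the tag check rather than producing garbage.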
4.2 Authorization Layer
In the authorization layer, the user creates a username, a password and a public key ($PU_U$), and the security system generates a user identification number (UID). These parameters are stored in the PIP; the user's private key is created later by the PIP.
4.3 Authentication Layer
In this layer, authentication processes are executed as follows:
1. The user provides his credentials: username, password and user identification number (UID), together with a biometric fingerprint.
2. The fingerprint is stored in the PIP for future authentication.
3. The Advanced Encryption Standard (AES) is used to encrypt the concatenation of the UID and the fingerprint.
4. The AES output and the user's private key are stored in the PAP.
5. The PAP encrypts the AES output again with its own public key ($PU_{PAP}$) to create the Security Token.
6. The Security Token is generated according to formula (1):
$E(\text{Token}) = E\big(PU_{PAP},\ \text{AES}[UID \,\|\, \text{Finger}]\big)$ (1)
7. The PAP uses its private key ($PR_{PAP}$) to decrypt the Security Token, as in formula (2):
$\text{Token} = D\big(PR_{PAP},\ E(\text{Token})\big) = \text{AES}[UID \,\|\, \text{Finger}]$ (2)
8. The decrypted Security Token is stored in an isolated schema on a database server.
9. Private key request: the user sends a private key request to the PIP, which acts as a certificate authority that creates the user's private key ($PR_U$). Note that a certificate authority normally certifies a public key the user generated locally; a PIP that generates and keeps $PR_U$ can itself produce requests that verify under $PU_U$, so it must be trusted as much as the user.
10. The user's request is formed according to formula (3):
$\text{Request} = [T_U \,\|\, UID]$ (3)
where $T_U$ is the timestamp of the user's request and $UID$ is the user's identification number.
11. The PIP answers the request with the user's private key ($PR_U$). The user now holds a public key ($PU_U$) and a private key ($PR_U$).
12. Using these keys, the user sends an access request to the PEP as in formula (4):
$E(\text{Request}) = E\big(PR_U,\ [\text{Finger},\ \text{User Request}]\big)$ (4)
The user request and the biometric fingerprint are encrypted with the user's private key ($PR_U$) to prove the identity of the sender. Encryption under a private key is a digital signature: it proves possession of $PR_U$ but gives no confidentiality, since anyone holding $PU_U$ can recover the fingerprint and the request, so the channel itself must protect the fingerprint in transit.
13. The PEP forwards the user's request to the PDP. The PDP asks the PIP for the attributes of the requesting user, which the PIP stored in steps 1 and 3. The PDP also fetches the access control policy and the Security Token from the PAP.
14. The PIP returns the user's attributes (UID, fingerprint and public key) to the PDP.
15. The PDP verifies the user's request with the user's public key, as in formula (5):
$\text{Request} = D\big(PU_U,\ E(\text{Request})\big) = [\text{Finger},\ \text{User Request}]$ (5)
Applying the user's public key ($PU_U$) recovers the biometric fingerprint and the user request and confirms that they were produced with $PR_U$.
16. The decrypted request is passed to the PAP, which stores the decrypted parameters in the database server.
4.4 Proof of Ownership Layer
In this layer, the PDP performs the POW mechanism over the distributed files by matching the user's fingerprint to verify whether the user is authorized. The matching process uses two separate encryption and decryption paths, the token path of the PAP and the request path of the user, to ensure the confidentiality and integrity of the data.
1. If the user is legal, the PDP matches the attributes of the user's request against the policy <Target> obtained from the PAP to decide whether access to the stored encrypted metadata file is permitted or denied.
2. The permit or deny decision travels back along the reverse path from the PDP to the PEP.
3. The PEP responds to the user with the grant or deny decision.
4.5 Violation Log File Response
After a user request is granted or denied, every denied request is recorded in a violation log file. If the same user requests the same resource again, the XACML framework checks the violation log file first, before performing the proof of ownership process, and refuses a request that is already logged. The violation log file thus acts as an early line of defense that spares the XACML framework the cost of re-evaluating repeated unauthorized requests.
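The violation log file described above, as an added runnable model that is not the paper's code. It assumes a time-to-live for logged denials and a policy version counter that the PAP bumps whenever a policy changes (both are assumptions not in the paper), because a cached deny that outlives the policy it came from would keep refusing a user who has since been authorized. It also models the path cost the experiments measure by counting how often the full proof-of-ownership evaluation runs. Since the log is consulted before proof of ownership, the lookup key must be the identity the framework has authenticated, never a client-supplied field.

```python
"""Violation log file of Section 4.5 as a runnable model (added example).
TTL, policy versioning and the authorized-user set are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Key = Tuple[str, str, str]            # (uid, resource, action)


@dataclass
class ViolationLog:
    ttl_seconds: float = 300.0
    policy_version: int = 1
    entries: Dict[Key, Tuple[float, int]] = field(default_factory=dict)

    def record_denial(self, uid: str, resource: str, action: str, now: float) -> None:
        self.entries[(uid, resource, action)] = (now, self.policy_version)

    def is_blocked(self, uid: str, resource: str, action: str, now: float) -> bool:
        """A cached deny counts only while it is fresh and the policy that
        produced it is still current; otherwise the full check runs again."""
        entry = self.entries.get((uid, resource, action))
        if entry is None:
            return False
        denied_at, version = entry
        if version != self.policy_version or now - denied_at > self.ttl_seconds:
            del self.entries[(uid, resource, action)]
            return False
        return True

    def policy_changed(self) -> None:
        """Called when the PAP creates or edits a policy: every earlier deny
        may now be wrong, so none of them is honoured any more."""
        self.policy_version += 1


@dataclass
class MetadataAccessGate:
    """Stand-in for the PEP -> PDP -> PIP/PAP path; counts how often the
    expensive proof-of-ownership evaluation actually runs."""
    authorized: Set[str]
    log: ViolationLog
    full_checks: int = 0

    def proof_of_ownership(self, uid: str, fingerprint_verified: bool) -> bool:
        self.full_checks += 1
        return fingerprint_verified and uid in self.authorized

    def request(self, uid: str, resource: str, action: str,
                fingerprint_verified: bool, now: float) -> Tuple[str, str]:
        """Return (decision, path). `uid` must be the identity the framework
        has already authenticated, or one user could plant denials for another."""
        if self.log.is_blocked(uid, resource, action, now):
            return ("Deny", "violation-log")
        if self.proof_of_ownership(uid, fingerprint_verified):
            return ("Permit", "pow")
        self.log.record_denial(uid, resource, action, now)
        return ("Deny", "pow")
```

Because the log is keyed by (user, resource, action) only, a legitimate owner whose fingerprint check fails once is refused on the cached path until the TTL expires even if the next fingerprint is good; keep the TTL short or clear the entry on a later successful authentication.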
The XACML framework is built on the cloud side using the AT&T XACML 3.0 implementation (https://github.com/att/XACML), or by mapping the policy into a relational database and storing it there [10]. Other open source XACML implementations include Sun's XACML [23], HERAS-AF [9], XEngine [17], enterprise-java-xacml [11] and WSO2 Balana.
The PDP compares the attribute values of the request with the <Target> attribute values of the <PolicySet>. If all the attribute values match, the request is applicable and is checked further against the <Target> of the inner <Policy> and <Rule> elements. If the request's attribute values do not match those in a <Target>, that element is not applicable to the request. If an error occurs during evaluation, such as a missing attribute, a network error while retrieving policies, or a syntax error in the decision request or in the policy, the decision is Indeterminate.
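The evaluation semantics described in Section 3 and in the paragraph above (Target matching at the <PolicySet>, <Policy> and <Rule> levels, the <Condition>, the combining algorithms, and the NotApplicable and Indeterminate decisions), as an added Python model. It is not the paper's code or any of the XACML engines listed above; the attribute identifiers, the constructed policy for one metadata file, and the simplified deny-overrides algorithm are assumptions, and the request context is a plain dictionary rather than the XACML XML or JSON request format.

```python
"""Minimal XACML-style evaluation (added example): PolicySet / Policy / Rule
with Targets, a Rule Condition, combining algorithms, and the four decisions.
Attribute ids and the policy below are constructed for the illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE, MATCH = "NotApplicable", "Indeterminate", "Match"

# Request context: attribute category -> attribute id -> value.
Request = Dict[str, Dict[str, str]]


@dataclass
class Target:
    """All (category, attribute-id, value) matches must hold for the element to
    apply; an attribute that is absent from the request cannot be decided."""
    matches: List[Tuple[str, str, str]] = field(default_factory=list)

    def applies(self, req: Request) -> str:
        for category, attr, expected in self.matches:
            bag = req.get(category, {})
            if attr not in bag:
                return INDETERMINATE
            if bag[attr] != expected:
                return NOT_APPLICABLE
        return MATCH


@dataclass
class Rule:
    target: Target
    effect: str                                       # PERMIT or DENY
    condition: Optional[Callable[[Request], bool]] = None

    def evaluate(self, req: Request) -> str:
        status = self.target.applies(req)
        if status != MATCH:
            return status
        try:
            if self.condition is not None and not self.condition(req):
                return NOT_APPLICABLE               # condition false: rule does not fire
        except KeyError:
            return INDETERMINATE                    # condition needs an absent attribute
        return self.effect


def deny_overrides(decisions: List[str]) -> str:
    """Simplified deny-overrides: any Deny wins, then any error, then Permit."""
    if DENY in decisions:
        return DENY
    if INDETERMINATE in decisions:
        return INDETERMINATE
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE


@dataclass
class Policy:
    target: Target
    rules: List[Rule]
    combine: Callable[[List[str]], str] = deny_overrides

    def evaluate(self, req: Request) -> str:
        status = self.target.applies(req)
        return status if status != MATCH else self.combine([r.evaluate(req) for r in self.rules])


@dataclass
class PolicySet:
    target: Target
    policies: List[Policy]
    combine: Callable[[List[str]], str] = deny_overrides

    def evaluate(self, req: Request) -> str:
        status = self.target.applies(req)
        return status if status != MATCH else self.combine([p.evaluate(req) for p in self.policies])


def metadata_policy(resource_id: str) -> PolicySet:
    """Constructed policy for one encrypted metadata file: the data owner may
    read it once the fingerprint check has passed; writes are always denied."""
    permit_owner_read = Rule(
        target=Target([("subject", "role", "data-owner"), ("action", "action-id", "read")]),
        effect=PERMIT,
        condition=lambda r: r["subject"]["fingerprint-verified"] == "true")
    deny_write = Rule(target=Target([("action", "action-id", "write")]), effect=DENY)
    policy = Policy(target=Target(), rules=[permit_owner_read, deny_write])
    return PolicySet(target=Target([("resource", "resource-id", resource_id)]),
                     policies=[policy])


def make_request(role: str, action: str, resource: str,
                 fingerprint_verified: Optional[str] = None) -> Request:
    subject = {"role": role}
    if fingerprint_verified is not None:
        subject["fingerprint-verified"] = fingerprint_verified
    return {"subject": subject, "action": {"action-id": action},
            "resource": {"resource-id": resource}}


def decide(req: Request, resource_id: str = "metadata/bigdata-001.meta") -> str:
    return metadata_policy(resource_id).evaluate(req)
```

A PEP should treat both NotApplicable and Indeterminate as a refusal (deny-biased enforcement), since neither is a Permit; the model returns them unchanged so the caller can tell a policy gap from a missing attribute.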
5. Comparative Study
There are many techniques for securing a big data file. Table 1 compares the proposed technique with the previous techniques for storing a big data file securely over clouds.
Table 1: A Comparison between the Proposed Technique and Previous Techniques
Technique          | Privacy | Confidentiality | Integrity | Availability
-------------------|---------|-----------------|-----------|-------------
[24]               | Yes     | No              | Yes       | Yes
[7]                | No      | No              | Yes       | Yes
[22]               | No      | Yes             | No        | Yes
[4]                | No      | No              | Yes       | No
[14]               | No      | No              | No        | No
[20]               | Yes     | No              | No        | No
[3]                | Yes     | No              | Yes       | Yes
[16]               | No      | No              | No        | No
[12]               | Yes     | No              | No        | No
Proposed technique | Yes     | Yes             | Yes       | Yes
Privacy, confidentiality, integrity and availability are all achieved in our technique, owing to the expressiveness of the XACML policy language, the encrypted and mirrored distribution of the parts, and the use of the fingerprint.
[26] proposed evaluation criteria for cloud-based access control and a list of factors for evaluating access control systems in cloud computing. We use these factors to evaluate the proposed technique. Table 2 compares the different access control models, including the proposed model, against the criteria of [26]:
Table 2: A Comparison between the Different Access Control Models
Criterion                                        | DAC | MAC | RBAC | ABAC | R-BAC | Proposed technique
-------------------------------------------------|-----|-----|------|------|-------|-------------------
Least privilege principle                        | N   | N   | Y    | Y    | Y     | Y
Separation of duties                             | N   | N   | Y    | Y    | N/A   | Y
Auditing                                         | Y   | Y   | Y    | Y    | Y     | Y
Syntactic and semantic support                   | N   | N   | N    | N    | N     | Y
Policy management                                | N   | N   | N    | N    | Y     | Y
Flexibility of configuration                     | N   | N   | Y    | N    | N     | N
Operational and situational awareness            | N   | N   | N    | N    | Y     | N
Response time                                    | N/A | N/A | N/A  | N/A  | N/A   | N
Integrated with authentication function          | N   | N   | N    | N    | N     | Y
OS compatibility                                 | Y   | N   | Y    | N    | N     | Y
Testing and verifying the AC functions           | N/A | N/A | N/A  | N/A  | N/A   | Y
Supporting passive and active workflows          | N   | N   | N    | N    | N     | N
Supporting vertical and horizontal scope         | N/A | N/A | N/A  | N/A  | N/A   | N
Delegation of capabilities                       | Y   | N   | N    | N    | N     | N
Dealing with heterogeneity                       | N   | N   | N    | N    | Y     | N/A
Transfer a customer's credentials across layers  | N   | N   | N    | N    | N     | Y
Scalability                                      | N   | N   | Y    | N/A  | N/A   | Y
Flexibility in attribute management              | N/A | N/A | N/A  | Y    | N/A   | Y
Computation complexity                           | N/A | N/A | N/A  | N/A  | N/A   | Y
Where DAC means Discretionary Access Control, MAC means Mandatory Access Control, RBAC means Role-Based Access Control, ABAC means Attribute-Based Access Control and R-BAC means Risk-Based Access Control; Y = supported, N = not supported, N/A = not applicable.
6. Experimental Results
The experiments were conducted on an Intel Core i5 CPU at 1.8 GHz with 8 GB of RAM running Microsoft Windows 10. As presented in Figure 3, the response time for users whose requests are denied by the XACML framework was measured on two paths: the full proof of ownership process and the violation log file lookup. The violation log file achieved a lower response time than the main proof of ownership process, which performs the complete XACML checking mechanism. For 5 users, the average response time was 28.96 ms for POW and 8.65 ms for the violation log file; for 10 users it was 33.92 ms and 11.582 ms respectively.
Figure 3. Average Response Time for POW and Violation File Response (time in milliseconds)
Number of users (N)       | 5     | 6     | 7     | 8     | 9      | 10
--------------------------|-------|-------|-------|-------|--------|-------
Proof of Ownership (ms)   | 28.96 | 29.59 | 30.86 | 31.47 | 32.87  | 33.92
Violation Log File (ms)   | 8.65  | 8.89  | 9.15  | 9.754 | 10.359 | 11.582
7. Conclusions
In this paper, we proposed an access control approach, based on the XACML framework and proof of ownership, that controls access to the metadata file of a big data file distributed over cloud storage devices. The XACML framework is built on the cloud side to protect the encrypted metadata file from unauthorized users and cloud providers. The approach controls access to the encrypted metadata file by generating a security token and using a fingerprint for user authentication. Users who want to decrypt the ciphers send a request; after the user is verified through the security token and his fingerprint, the request's attributes must satisfy the attributes specified in the XACML access control policy. In our approach, the XACML access control policy language enhances the security of the encrypted metadata file over the cloud.
References
[1] R. Abassi, F. Jacquemard, M. Rusinowitch, and S. G. El Fatmi. XML access control: from XACML to annotated schemas. In Proceedings of the 2nd International Conference on Communications and Networking (ComNet), pages 1–8, 2010.
[2] A. Arora, A. Khanna, A. Rastogi, and A. Agarwal. Cloud security ecosystem for data security and privacy. In Proceedings of the 2017 7th International Conference on Cloud Computing, Data Science and Engineering (Confluence), pages 288–292, Jan. 2017.
[3] V. R. Balasaraswathi and S. Manikandan. Enhanced security for multicloud storage using cryptographic data splitting with dynamic approach. In Proceedings of the 2014 IEEE International Conference on Advanced Communication, Control and Computing Technologies (ICACCCT 2014), pages 1190–1194, 2014.
[4] A. Bessani, M. Correia, B. Quaresma, F. André, and P. Sousa. DepSky: dependable and secure storage in a cloud-of-clouds. ACM Transactions on Storage, 9(4), 2013.
[5] A. Bhardwaj, G. Subrahmanyam, V. Avasthi, and H. Sastry. Security algorithms for cloud computing. In Proceedings of the International Conference on Computational Modeling and Security (CMS 2016), Procedia Computer Science, 85:535–542, 2016.
[6] M. D. Boomija and S. V. Kasmir Raja. Secure data sharing through additive similarity based ElGamal like encryption. In Proceedings of the 2nd International Conference on Advances in Electrical, Electronics, Information, Communication and Bio-Informatics (AEEICB), pages 652–655, Feb. 2016.
[7] K. D. Bowers, A. Juels, and A. Oprea. HAIL: a high-availability and integrity layer for cloud storage. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS '09), page 187, 2009.
[8] E. Damiani, S. De Capitani di Vimercati, S. Foresti, et al. An experimental evaluation of multi-key strategies for data outsourcing. In Proceedings of the IFIP International Information Security Conference (SEC 2007), Springer, pages 385–396, May 2007.
[9] S. Dolski, F. Huonder, and S. Oberholzer. HERAS-AF: XACML 2.0 implementation. Technical report, University of Applied Sciences Rapperswil, 2007.
[10] A. A. Abd El-Aziz and A. Kannan. XML access control: mapping XACML policies to relational database tables. The International Arab Journal of Information Technology (IAJIT), 11(6), November 2014.
[11] Enterprise-Java-XACML. http://code.google.com/p/enterprise-javaxacml
[12] K. Gai, M. Qiu, and H. Zhao. Privacy-preserving data encryption strategy for big data in mobile cloud computing. IEEE Transactions, 2017.
[13] G. Hsieh, R. Meeks, and L. Marvel. Supporting secure embedded access control policy with XACML+XML Security. In Proceedings of the 5th International Conference on Future Information Technology (FutureTech), pages 1–6, 21–23 May 2010.
[14] J. Kohler and T. Specht. Analysis of the join-problem in vertically distributed databases. International Journal of Adaptive, Resilient and Autonomic Systems, 6(2):65–87, 2015.
[15] K. Kumari and M. Mrunalini. A survey on big data security: issues, challenges and techniques. International Journal of System and Software Engineering, 6(6):23–36, Dec. 2018.
[16] Y. Li, K. Gai, L. Qiu, M. Qiu, and H. Zhao. Intelligent cryptography approach for secure distributed big data storage in cloud computing. Information Sciences, 387:103–115, 2017.
[17] A. Liu, F. Chen, J. Hwang, and T. Xie. Designing fast and scalable XACML policy evaluation engines. IEEE Transactions on Computers.
[18] B. Parducci and H. Lockhart. eXtensible Access Control Markup Language (XACML) Version 3.0. OASIS Standard, 22 Jan. 2013. http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf
[19] N. Patel and K. B. Kansara. UBMUVM approach for preventing insider data theft from cloud storage. In Proceedings of the 2018 5th International Symposium on Emerging Trends and Technologies in Libraries and Information Services (ETTLIS), pages 36–40, Feb. 2018.
[20] R. Pottier and J. M. Menaud. TrustyDrive, a multi-cloud storage service that protects your privacy. In Proceedings of the IEEE International Conference on Cloud Computing (CLOUD), pages 937–940, 2017.
[21] F. Shahzada. State-of-the-art survey on cloud computing security challenges, approaches and solutions. In Proceedings of the 6th International Symposium on Applications of Ad hoc and Sensor Networks (AASNET'14), Procedia Computer Science, 37:357–362, 2014.
[22] Y. Singh, F. Kandah, and W. Zhang. A secured cost-effective multi-cloud storage in cloud computing. In Proceedings of the 2011 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS 2011), pages 619–624, 2011.
[23] Sun's XACML implementation. http://sunxacml.sourceforge.net/
[24] P. Suwansrikham and K. She. Asymmetric secure storage scheme for big data on multiple cloud providers. In Proceedings of the 2018 IEEE 4th International Conference on Big Data Security on Cloud (BigDataSecurity), pages 121–125, May 2018.
[25] Y. Wang, Q. Sun, Y. Ma, J. Zhang, Z. Liu, and J. Xue. Security enhanced cloud storage access control system based on attribute based encryption. In Proceedings of the 2018 International Conference on Big Data and Artificial Intelligence, 2018.
[26] Y. A. Younis, K. Kifayat, and M. Merabti. A novel evaluation criteria to cloud based access control models. In Proceedings of the 2015 11th International Conference on Innovations in Information Technology (IIT), pages 68–73, Nov. 2015.