TY - GEN
T1 - Towards secure provenance-based access control in cloud environments
AU - Bates, Adam
AU - Mood, Ben
AU - Valafar, Masoud
AU - Butler, Kevin
N1 - Copyright:
Copyright 2013 Elsevier B.V., All rights reserved.
PY - 2013
Y1 - 2013
N2 - As organizations become increasingly reliant on cloud computing for servicing their data storage requirements, the need to govern access control at finer granularities becomes particularly important. This challenge is increased by the lack of policy supporting data migration across geographic boundaries and through organizations with divergent regulatory policies. In this paper, we present an architecture for secure and distributed management of provenance, enabling its use in security-critical applications. Provenance, a metadata history detailing the derivation of an object, contains information that allows for expressive, policy-independent access control decisions. We consider how to manage and validate the metadata of a provenance-aware cloud system, and introduce protocols that allow for secure transfer of provenance metadata between end hosts and cloud authorities. Using these protocols, we develop a provenance-based access control mechanism for Cumulus cloud storage, capable of processing thousands of operations per second on a single deployment. Through the introduction of replicated components, we achieve overhead costs of just 14%, demonstrating that provenance-based access control is a practical and scalable solution for the cloud.
AB - As organizations become increasingly reliant on cloud computing for servicing their data storage requirements, the need to govern access control at finer granularities becomes particularly important. This challenge is increased by the lack of policy supporting data migration across geographic boundaries and through organizations with divergent regulatory policies. In this paper, we present an architecture for secure and distributed management of provenance, enabling its use in security-critical applications. Provenance, a metadata history detailing the derivation of an object, contains information that allows for expressive, policy-independent access control decisions. We consider how to manage and validate the metadata of a provenance-aware cloud system, and introduce protocols that allow for secure transfer of provenance metadata between end hosts and cloud authorities. Using these protocols, we develop a provenance-based access control mechanism for Cumulus cloud storage, capable of processing thousands of operations per second on a single deployment. Through the introduction of replicated components, we achieve overhead costs of just 14%, demonstrating that provenance-based access control is a practical and scalable solution for the cloud.
KW - Access control
KW - Provenance
KW - Secure storage
UR - http://www.scopus.com/inward/record.url?scp=84874905603&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84874905603&partnerID=8YFLogxK
U2 - 10.1145/2435349.2435389
DO - 10.1145/2435349.2435389
M3 - Conference contribution
AN - SCOPUS:84874905603
SN - 9781450318907
T3 - CODASPY 2013 - Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy
SP - 277
EP - 284
BT - CODASPY 2013 - Proceedings of the 3rd ACM Conference on Data and Application Security and Privacy
T2 - 3rd ACM Conference on Data and Application Security and Privacy, CODASPY 2013
Y2 - 18 February 2013 through 20 February 2013
ER -