Introducing concurrency in policy-based access control

Decat, Maarten; Lagaisse, Bert; Joosen, Wouter; Crispo, Bruno

doi:10.1145/2541608.2541611

Cited by 1 publication

(2 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For attribute-based policies, this evaluation duration is mainly determined by the latency of fetching the required attributes [17]. The latency of a remote attribute fetch between tenant and provider will be an order of magnitude larger than a local database call, taking into account the complex data flows in federated applications and the geographical distance between tenant and provider.…”

Section: Overviewmentioning

confidence: 99%

“…Attribute updates can be used to model historybased policies [19], e.g., a separation-of-duty policy that states that a member of the help desk cannot view both insurance and financial documents of a single organization or a policy that limits the number of views of a document. Both attribute updates and history-based policies introduce extra complexity in policy federation because (1) attribute updates require concurrency control in case of distributed policy evaluation [17] and (2) history-based policies are known to have a large impact on performance [19]. Both are therefore interesting tracks for future research.…”

Section: Obligations and Attribute Updatesmentioning

confidence: 99%

See 1 more Smart Citation

Middleware for efficient and confidentiality-aware federation of access control policies

Decat

Lagaisse

Joosen

2014

J Internet Serv Appl

Self Cite

View full text Add to dashboard Cite

Software-as-a-Service (SaaS) is a type of cloud computing in which a tenant rents access to a shared, typically web-based application hosted by a provider. Access control for SaaS should enable the tenant to control access to data that are located at the provider side, based on tenant-specific access control policies. Moreover, with the growing adoption of SaaS by large enterprises, access control for SaaS has to integrate with on-premise applications, inherently leading to a federated set-up. However, in the state of the art, the provider completely evaluates all policies, including the tenant policies. This (i) forces the tenant to disclose sensitive access control data and (ii) limits policy evaluation performance by having to fetch this policy-specific data. To address these challenges, we propose to decompose the tenant policies and evaluate the resulting parts near the data they require as much as possible while keeping sensitive tenant data local to the tenant environment. We call this concept policy federation. In this paper, we motivate the need for policy federation using an in-depth case study analysis in the domain of e-health and present a policy federation algorithm based on a widely-applicable attribute-based policy model. Furthermore, we show the impact of policy federation on policy evaluation time using the policies from the case study and a prototype implementation of supporting middleware. As shown, policy federation effectively succeeds in keeping the sensitive tenant data confidential and at the same time improves policy evaluation time in most cases.

show abstract

Section: Overviewmentioning

confidence: 99%