Access Controls for Cloud Security

Access Controls for Cloud Security
Author’s Name
Institutional Affiliation
Course Code and Name
Professor’s Name
Date

Access Controls for Cloud Security
Abstract
Cloud computing allows individuals over the Internet to share computing power and storage resources to achieve more efficient computer system resource allocation. Currently, a vast majority of organizations around the world have adopted this technology to improve the effectiveness and efficiency of their operations. With the widespread cloud computing adoption, the security of this environment becomes more and more crucial. Cloud service is facing numerous different kinds of security issues. This paper focuses on one of the significant security concerns: the access control of the cloud service. In cloud security, access control refers to a system that a company can implement to monitor and regulate data access on its computer network. Indeed, it has become a valuable asset since it prevents unauthorized personnel from accessing the company’s data and facilitates the smooth running of daily operations. This paper discusses multiple solutions today and can be used to prevent unauthorized attackers outside the organization from accessing cloud-based resources and examining the advantages and disadvantages of each model.
Section 1: Introduction
In the 21st century, cloud service security problems or cyber-attacks are inevitable and are frequently happening. Organizations need to implement appropriate policies to prevent cyber breaches. For example, some behaviors that facilitate cloud service security problems include a user copied proprietary data after work hours and uses it after his exit, or a user forgets to log out from a business account in a public environment. Cloud computing is an emerging computing paradigm, and cloud service is becoming increasingly relevant. As such, the biggest concern in this paper is the access control of the cloud service. Access control is one of the most significant security protections in cloud computing. Attribute-based access control allows the data owner to share encrypted data with users who have access to the system. The three primary reasons why access control is used as a service include saving the integrator’s time and money, making the user happy, and creating new business opportunities. In this paper, we will talk about four solutions to access control, namely the secure cloud architecture, CloudPolice, UCON model, and the Nego-UCON model, the work process of each solution, and their merits and demerits.
Section 2
Solution 1
Computing models provide features, such as dynamic infrastructure, on-demand self-service, rapid scalability and elasticity, and ubiquitous network access, which is why they require powerful and continuous control over usage session and control (Tavizi, Shajari, & Dodangeh, 2012). In that light, usage control (UCON) is an effective model that controls access to cloud services and addresses some of the drawbacks of traditional access control models. In particular, leveraging good access control is crucial to protect cloud resources from policy violations and unauthorized access. The diagram below shows a UCON architecture for cloud environments, which can be used to control the access of cloud resources.
Figure 1: A UCON Architecture Model for Cloud Environments.


The UCON model perceives access control as applying an appropriate system to monitor and evaluate all requests against existing policies and security protocols before making the decision to permit or deny user access. The UCON model's primary benefit, which is not present in the secure cloud architecture, is the control of users' usage sessions after they are granted access to the system (Tavizi, Shajari, & Dodangeh, 2012). One of the main features of the UCON model is the attributes' mutability, which means that it can handle the updates of attributes that occur as a side effect. The second feature is the continuity of control that means access decisions are continually evaluated during usage (Tavizi, Shajari, & Dodangeh, 2012). Besides, the UCON model is also known as an attribute-based model. Indeed, it means that the access permissions on cloud resources are based on the subject's predicates or environment attributes, which are defined through obligation policies and authorization (Tavizi, Shajari, & Dodangeh, 2012).
One of the most significant merits of the UCON model is that it evaluates the user's behaviors even after granting him or her access. In that case, if the user is engaging in activities that pose great security risks to the entire system, the network can deny him or her access. Second, the UCON cloud architecture has a decision point, which is the component that evaluates security policies and delivers the authorization decision. The decision point monitors and evaluates all incoming requests from the enforcement point against existing policies in the Policy Manager's database (Tavizi, Shajari, & Dodangeh, 2012). Another advantage of the UCON model is that it has an event handler that receives users' requests and refers them to the appropriate component. Notably, different system users have distinctive preferences, which facilitates the security of cloud resources. For example, the system administrator has more preferences than a supervisor. Event handlers are the ones that ensure every user can access their system preferences and deny them access to cloud services that are not associated with their job positions. Overall, the primary benefit of the UCON model is its ability to monitor users' actions to determine whether access should be allowed or revoked. In contrast, the most significant disadvantage of the UCON model is the lack of a comprehensive system architecture that covers all the components to satisfy novel features (Tavizi, Shajari, & Dodangeh, 2012). In other words, the implementation of this model can be challenging for organizations. As discussed earlier, the two primary features of the UCON model are the continuity of control and attribute mutability. However, the implementation of these components is challenging. Due to the dynamic nature of technology, the attribute manager requires regular updates, which is another demerit of the UCON model. For instance, security protocols must be updated to address current system vulnerabilities, which arise due to system updates and technological advancement.
Solution 2
Specifically, cloud computing refers to a large-scale distributed computing system that is driven by dynamically scalable computing power, platforms, storage, and a pool of abstracted and virtualized services to serve external clients on the web. As such, it is based on Internet services. The Internet's openness leads to numerous probability of threats and attacks, hence a broad range of security problems (Danwei, Xiuli, & Xunyi, 2009). Access control is a crucial security mechanism in the cloud service since it restricts unauthorized access to cloud resources. In that light, the negotiation usage control (Nego-UCON) model is an effective access control mechanism that can be used to safeguard cloud resources. The following diagram shows how the Nego-UCON model can be implemented.
Figure 2: Nego-UCON Cloud Architectural Model.


As shown in figure 2 above, the Nego-UCON model has three primary components: cloud service, cloud user, and the Security Assertion Markup Language (SAML) server. The cloud user initiates the service request. The SAML server has three modules: sensitive attributes protection, negotiation, and the SAML assertion modules. The SAML assertion issues responses and assertions to incoming requests (Danwei, Xiuli, & Xunyi, 2009). Sensitive attributes protection safeguards users’ data based on privacy policies. Additionally, the negotiation module uses the attributes, conditions, and obligations. The cloud service has seven modules. First, the policy enforcement point (PEP) accepts requests from users and executes them based on the decision by the policy decision point (PDP). Second, the PDP authorizes decisions based on security policies. Third, the policy database stores the set security policies. Fourth, the policy information point (PIP) gets entity conditions and attributes and passes them to the PDP for decision making. Fifth, the policy administration point (PAP) creates and manages security policies. Sixth, the eXtensible Access Control Markup Language (XACML) policy expresses policies in a control markup language (Danwei, Xiuli, & Xunyi, 2009). Finally, the negotiation model is used by the cloud user for service negotiations.
The first advantage of the Nego-UCON model is that it is better than traditional access control models, such as role-based access control (RBAC), mandatory access control (MAC), and discretionary access control (DAC). This access control model overcomes the drawbacks of the traditional access control models. Another advantage of the Nego-UCON model is that it allows clou...