Short paper. DOI: 10.1145/2435349.2435389

Towards secure provenance-based access control in cloud environments

Published: 18 February 2013

Abstract

As organizations become increasingly reliant on cloud computing for servicing their data storage requirements, the need to govern access control at finer granularities becomes particularly important. This challenge is increased by the lack of policy supporting data migration across geographic boundaries and through organizations with divergent regulatory policies. In this paper, we present an architecture for secure and distributed management of provenance, enabling its use in security-critical applications. Provenance, a metadata history detailing the derivation of an object, contains information that allows for expressive, policy-independent access control decisions. We consider how to manage and validate the metadata of a provenance-aware cloud system, and introduce protocols that allow for secure transfer of provenance metadata between end hosts and cloud authorities. Using these protocols, we develop a provenance-based access control mechanism for Cumulus cloud storage, capable of processing thousands of operations per second on a single deployment. Through the introduction of replicated components, we achieve overhead costs of just 14%, demonstrating that provenance-based access control is a practical and scalable solution for the cloud.


Published In

CODASPY '13: Proceedings of the third ACM conference on Data and application security and privacy
February 2013
400 pages
ISBN: 9781450318907
DOI: 10.1145/2435349
General Chairs: Elisa Bertino, Ravi Sandhu
Program Chair: Lujo Bauer
Publications Chair: Jaehong Park

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. access control
2. provenance
3. secure storage

Qualifiers

• Short-paper

Conference

CODASPY'13

Acceptance Rates

CODASPY '13 Paper Acceptance Rate: 24 of 107 submissions, 22%
Overall Acceptance Rate: 149 of 789 submissions, 19%


Cited By

• (2024) An Intelligent Lightweight Signing Signature and Secured Jellyfish Data Aggregation (LS3JDA) Based Privacy Preserving Model in Cloud. New Generation Computing 42:5 (911-946). DOI: 10.1007/s00354-024-00263-4. Online publication date: 14-Jun-2024
• (2023) Automatic Core-Developer Identification on GitHub: A Validation Study. ACM Transactions on Software Engineering and Methodology 32:6 (1-29). DOI: 10.1145/3593803. Online publication date: 30-Sep-2023
• (2023) Data Provenance in Security and Privacy. ACM Computing Surveys 55:14s (1-35). DOI: 10.1145/3593294. Online publication date: 22-Apr-2023
• (2023) SoK: History is a Vast Early Warning System: Auditing the Provenance of System Intrusions. 2023 IEEE Symposium on Security and Privacy (SP) (2620-2638). DOI: 10.1109/SP46215.2023.10179405. Online publication date: May-2023
• (2022) Towards Lightweight Authorisation of IoT-Oriented Smart-Farms using a Self-Healing Consensus Mechanism. 2022 31st Conference of Open Innovations Association (FRUCT) (265-276). DOI: 10.23919/FRUCT54823.2022.9770892. Online publication date: 27-Apr-2022
• (2022) Towards Strengthening the Security of Healthcare Devices using Secure Configuration Provenance. 2022 IEEE International Conference on Digital Health (ICDH) (228-233). DOI: 10.1109/ICDH55609.2022.00043. Online publication date: Jul-2022
• (2022) Data provenance for cloud forensic investigations, security, challenges, solutions and future perspectives: A survey. Journal of King Saud University - Computer and Information Sciences 34:10 (10217-10245). DOI: 10.1016/j.jksuci.2022.10.018. Online publication date: Nov-2022
• (2022) VinciDecoder: Automatically Interpreting Provenance Graphs into Textual Forensic Reports with Application to OpenStack. Secure IT Systems (346-367). DOI: 10.1007/978-3-031-22295-5_19. Online publication date: 30-Nov-2022
• (2021) Ensuring Purpose Limitation in Large-Scale Infrastructures with Provenance-Enabled Access Control. Sensors 21:9 (3041). DOI: 10.3390/s21093041. Online publication date: 26-Apr-2021
• (2021) Managing Consent for Data Access in Shared Databases. 2021 IEEE 37th International Conference on Data Engineering (ICDE) (1949-1954). DOI: 10.1109/ICDE51399.2021.00182. Online publication date: Apr-2021
