City on the Sky: Flexible, Secure Data Sharing on the Cloud

TL;DR

This paper proposes a flexible, secure data sharing framework for cloud environments, extending XACML to better enforce access constraints, demonstrated through a prototype in a commercial cloud setting.

Contribution

It introduces an extended XACML-based framework that enhances access control flexibility and enforcement for cloud data sharing scenarios.

Findings

Prototype implementation shows effective enforcement of complex access constraints.

Experimental results demonstrate acceptable performance overhead.

Framework supports diverse data sharing scenarios in cloud environments.

Abstract

Sharing data from various sources and of diverse kinds, and fusing them together for sophisticated analytics and mash-up applications are emerging trends, and are prerequisites for grand visions such as that of cyber-physical systems enabled smart cities. Cloud infrastructure can enable such data sharing both because it can scale easily to an arbitrary volume of data and computation needs on demand, as well as because of natural collocation of diverse such data sets within the infrastructure. However, in order to convince data owners that their data are well protected while being shared among cloud users, the cloud platform needs to provide flexible mechanisms for the users to express the constraints (access rules) subject to which the data should be shared, and likewise, enforce them effectively. We study a comprehensive set of practical scenarios where data sharing needs to be enforced by methods such as aggregation, windowed frame, value constrains, etc., and observe that existing basic access control mechanisms do not provide adequate flexibility to enable effective data sharing in a secure and controlled manner. In this paper, we thus propose a framework for cloud that extends popular XACML model significantly by integrating flexible access control decisions and data access in a seamless fashion. We have prototyped the framework and deployed it on commercial cloud environment for experimental runs to test the efficacy of our approach and evaluate the performance of the implemented prototype.