Achieving security-by-design through ontology-driven attribute-based access control in cloud environments

Abstract

The constantly increasing number of cyberattacks worldwide raise significant security concerns that generally deter small, medium and large enterprises from adopting the cloud paradigm and benefitting from the numerous advantages that it offers. One way to alleviate these concerns is to devise suitable policies that infuse adequate access controls into cloud services. However, the dynamicity inherent in cloud environments, coupled with the heterogeneous nature of cloud services, hinders the formulation of effective and interoperable access control policies that are suitable for the underlying domain of application. To this end, this work proposes an approach to the semantic representation of access control policies and, in particular, to the semantic representation of the context expressions incorporated in such policies. More specifically, the proposed approach enables stakeholders to accurately define the structure of their policies, in terms of relevant knowledge artefacts, and thus infuse into these policies their particular security and business requirements. This clearly leads to more effective policies, whilst it enables semantic reasoning about the abidance of policies by the prescribed structure. In order to alleviate the scalability concerns associated with semantic reasoning, the proposed approach introduces a reference implementation that extends XACML 3.0 with an expert system fused with reasoning capabilities through the incorporation of suitable meta-rules. Keywords: Context-aware security; Ontologies; Access control policies; Data privacy; Security-by-design; Semantic reasoning