Award Abstract # 1423481
TWC: Small: Attribute Based Access Control for Cloud Infrastructure as a Service

NSF Org: CNS
Division Of Computer and Network Systems
Recipient: THE UNIVERSITY OF TEXAS AT SAN ANTONIO
Initial Amendment Date: July 22, 2014
Latest Amendment Date: July 22, 2014
Award Number: 1423481
Award Instrument: Standard Grant
Program Manager: Indrajit Ray
CNS
 Division Of Computer and Network Systems
CSE
 Directorate for Computer and Information Science and Engineering
Start Date: October 1, 2014
End Date: September 30, 2018 (Estimated)
Total Intended Award Amount: $500,000.00
Total Awarded Amount to Date: $500,000.00
Funds Obligated to Date: FY 2014 = $500,000.00
History of Investigator:
  • RAM KRISHNAN (Principal Investigator)
    ram.krishnan@utsa.edu
  • Ravinderpal Sandhu (Co-Principal Investigator)
Recipient Sponsored Research Office: University of Texas at San Antonio
1 UTSA CIR
SAN ANTONIO
TX  US  78249-1644
(210)458-4340
Sponsor Congressional District: 20
Primary Place of Performance: University of Texas at San Antonio
One UTSA Circle
San Antonio
TX  US  78249-1644
Primary Place of Performance Congressional District: 20
Unique Entity Identifier (UEI): U44ZMVYU52U6
Parent UEI: U44ZMVYU52U6
NSF Program(s): Secure & Trustworthy Cyberspace
Primary Program Source: 01001415DB NSF RESEARCH & RELATED ACTIVIT
Program Reference Code(s): 7923, 7434
Program Element Code(s): 806000
Award Agency Code: 4900
Fund Agency Code: 4900
Assistance Listing Number(s): 47.070

ABSTRACT

When an organization moves its hardware resources to a cloud infrastructure as a service (IaaS) provider, it faces two major issues: (1) cumbersome abstractions of the access control facilities that the cloud service provider offers over its virtual assets (compute, storage, networking, etc.), and (2) multi-tenancy and availability concerns arising from a lack of control over where virtual resources are placed in the physical infrastructure. This project develops a foundational, formal theory of attribute-based access control (ABAC) and constraints specification, together with the associated enforcement and implementation, as a means to address these problems. The ABAC models are designed to give each customer of the cloud service provider autonomy over access control design and specification, and over administrative functions involving the customer's virtual resources and users. The constraints specification framework allows customers to express resource scheduling preferences that mitigate multi-tenancy and availability issues (e.g., do not co-locate virtual machines tagged as sensitive with those of other customers), which are then algorithmically enforced by the service provider. Rigorous evaluation is performed by augmenting OpenStack, a widely deployed open-source cloud IaaS software, with ABAC and studying its expressiveness, user-friendliness and performance on large-scale physical infrastructure. The expected outcome of this research is to gain consensus in the research and practitioner community that ABAC would be a standard and viable approach for effective access control in the multi-billion dollar cloud IaaS industry.

PUBLICATIONS PRODUCED AS A RESULT OF THIS RESEARCH

(Showing: 1 - 10 of 38)
Abdelsalam, Mahmoud and Krishnan, Ram and Huang, Yufei and Sandhu, Ravi "Malware Detection in Cloud Infrastructures using Convolutional Neural Networks" 11th IEEE International Conference on Cloud Computing (CLOUD), San Francisco, CA, July 2-7, 2018, 2018
Alshehri, Asma and Benson, James and Patwa, Farhan and Sandhu, Ravi "Access Control Model for Virtual Objects (Shadows) Communication for AWS Internet of Things" CODASPY '18: Eighth ACM Conference on Data and Application Security and Privacy, March 19–21, 2018, Tempe, AZ, 2018 doi:10.1145/3176258.3176328
Asma Alshehri and Ravi Sandhu "Access Control Models for Cloud-Enabled Internet of Things: A Proposed Architecture and Research Agenda" Proceedings of the 2nd IEEE International Conference on Collaboration and Internet Computing (CIC), 2016
Asma Alshehri and Ravi Sandhu "Access Control Models for Virtual Object Communication in Cloud-Enabled IoT" Proceedings of the 18th IEEE Conference on Information Reuse and Integration (IRI), 2017
Asma Alshehri and Ravi Sandhu "On the Relationship between Finite Domain ABAM and PreUCONA" International Conference on Network and System Security, 2016
Asma Alshehri, James Benson, Farhan Patwa and Ravi Sandhu "Access Control Model for Virtual Objects (Shadows) Communication for AWS Internet of Things" ACM Conference on Data and Application Security and Privacy, 2018
Bhatt, Smriti and Patwa, Farhan and Sandhu, Ravi "An Access Control Framework for Cloud-Enabled Wearable Internet of Things" 2017 IEEE 3rd International Conference on Collaboration and Internet Computing, 2017 doi:10.1109/CIC.2017.00050
Chakraborty, Shuvra and Sandhu, Ravi and Krishnan, Ram "On the Feasibility of Attribute-Based Access Control Policy Mining" IEEE Conference on Information Reuse and Integration (IRI), 2019
Gupta, Maanak and Benson, James and Patwa, Farhan and Sandhu, Ravi "Dynamic Groups and Attribute-Based Access Control for Next-Generation Smart Cars" ACM Conference on Data and Application Security and Privacy (CODASPY), 2019 doi:10.1145/3292006.3300048
Gupta, Maanak and Patwa, Farhan and Sandhu, Ravi "An Attribute-Based Access Control Model for Secure Big Data Processing in Hadoop Ecosystem" ABAC '18: 3rd ACM Workshop on Attribute-Based Access Control, March 19–21, 2018, Tempe, AZ, 2018 doi:10.1145/3180457.3180463
Gupta, Maanak and Sandhu, Ravi "Authorization Framework for Secure Cloud Assisted Connected Cars and Vehicular Internet of Things" Proceedings of 23rd ACM Symposium on Access Control Models and Technologies (SACMAT '18), 2018 doi:10.1145/3205977.3205994

PROJECT OUTCOMES REPORT

Disclaimer

This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.

When an organization moves its hardware resources to a cloud infrastructure as a service (IaaS) provider, it faces 2 major issues: (1) cumbersome abstractions of access control facilities provided by the cloud service provider over its virtual assets (compute, storage, networking, etc.), and (2) multi-tenancy and availability concerns arising due to lack of control of virtual resource placement in the physical infrastructure. This project developed a foundational, formal theory of attribute-based access control (ABAC) and constraints specification, and associated enforcement and implementation as means to address these problems. The ABAC models are designed in such a way so as to provide each customer of the cloud service provider autonomy over access control design and specification, and administrative functions involving the customer’s virtual resources and users. The constraints specification framework allows for customers to express resource scheduling preferences to mitigate multi-tenancy and availability issues (e.g. do not co-locate virtual machines tagged as sensitive with those of other customers) which are then algorithmically enforced by the service provider. Rigorous implementation is performed by augmenting OpenStack, widely-deployed open-source cloud IaaS software, with ABAC and studying its expressiveness, user-friendliness and performance on large-scale cloud infrastructure. It is anticipated that the models and respective analysis developed in this project will serve as the foundation, and gain consensus in the research and practitioner community that ABAC would be a standard and viable approach for effective access control in the cloud industry.


Last Modified: 10/04/2018
Modified by: Ram N Krishnan
