Automated Decomposition of Access Control Policies
POLICY '05 Proceedings of the Sixth IEEE International Workshop on Policies for Distributed Systems and Networks
Policy decomposition for collaborative access control
Proceedings of the 13th ACM symposium on Access control models and technologies
Preserving confidentiality of security policies in data outsourcing
Proceedings of the 7th ACM workshop on Privacy in the electronic society
An authorization framework resilient to policy evaluation failures
ESORICS'10 Proceedings of the 15th European conference on Research in computer security
Fine-grained disclosure of access policies
ICICS'10 Proceedings of the 12th international conference on Information and communications security
ESPOON: Enforcing Encrypted Security Policies in Outsourced Environments
ARES '11 Proceedings of the 2011 Sixth International Conference on Availability, Reliability and Security
Deploy, adjust and readjust: supporting dynamic reconfiguration of policy enforcement
Middleware'11 Proceedings of the 12th ACM/IFIP/USENIX international conference on Middleware
A unified attribute-based access control model covering DAC, MAC and RBAC
DBSec'12 Proceedings of the 26th Annual IFIP WG 11.3 conference on Data and Applications Security and Privacy
Introducing concurrency in policy-based access control
Proceedings of the 8th Workshop on Middleware for Next Generation Internet Computing
| Hi-index | 0.00 |
This paper presents our work in progress on efficient and confidentiality-aware access control for Software-as-a-Service applications. In SaaS, a tenant organization rents access to a shared, typically web-based application. Access control for these applications requires large amounts of fine-grained data, also from the remaining on-premise applications, of which often sensitive application data. With current SaaS applications the provider evaluates both provider and tenant policies. This forces the tenant to disclose its sensitive access control data and limits policy evaluation performance by having to fetch this data. To address these challenges, we propose to decompose the tenant policies and deploy them across tenant and provider in order to evaluate parts of the policies near the data they require as much as possible, while taking into account the tenant confidentiality constraints. We present a policy decomposition algorithm based on a general attribute-based policy model and describe a supporting middleware system. In the future, we plan to refine this work and evaluate the impact on performance using real-life policies from research projects.