A Secured Access Control Technique for Cloud Computing Environment Using …€¦ · · 2017-03-06International Journal of Network Security, Vol.19 ... A Secured Access Control

International Journal of Network Security, Vol.19, No.4, PP.559-572, July 2017 (DOI: 10.6633/IJNS.201707.19(4).9) 559

A Secured Access Control Technique for CloudComputing Environment Using Attribute Based

Hierarchical Structure and Token GrantingSystem

Balamurugan Balusamy1, P. Venkata Krishna2, G. S. Tamizh Arasi3, and Victor Chang4

(Corresponding author: Balamurugan Balusamy)

School of Information Technology and Engineering & VIT University1

Vellore, Tamil Nadu, India.

(Email: [email protected])

Department of Computer Science & Sri Padmavathi Mahila Visvavidyalayam, University2

Tirupati, Andhra Pradesh, India

School of Computer Science and Engineering & VIT University3

Vellore, Tamil Nadu, India

Leeds Beckett University, UK4

(Received Mar. 01, 2016; revised and accepted June 10 & July 12, 2016)

Abstract

Cloud computing has drastically condensed the compu-tational and storage costs of outsourced data. The ex-isting access control techniques offer users access provi-sions centered on the common user attributes like Roles,which reduces the fine-grained access measure. The pa-per defines a Storage Correctness and Fine-grained AccessProvision (SCFAP) scheme, that provides the user an ex-clusive access through the use of a hierarchical structurewhich is a combination of users unique and common at-tributes. Also, we deploy the concept of Token Grantingsystem that allows the users to verify the correctness ofoutsourced data without the retrieval of the respectivefiles. The tokens are derived from the metadata contain-ing file location that helps in the process of storage cor-rectness verification and improvises the storage efficiency.The experimental results show SCFAP has improved stor-age efficiency and error recovery measures than existingtechniques.

Keywords: Access control, access structure, barrier limits,storage efficiency, token granting system

1 Introduction

Cloud computing is one of the widely used emerging tech-nique that offers various methods to acquire and manageIT resources on a large-scale [19, 22]. Cloud comput-ing, in turn, provides different types of services such as

Infrastructure-as-a-service (IaaS) also sometimes called ashardware as a service (HaaS) [1, 7], Platform-as-a-service(PaaS) and Software-as-a-service (SaaS). Cloud comput-ing planning promotes the resource sharing in a pure plugand provides a model that dramatically simplifies its in-frastructure. The major advantage of cloud computingincludes ease-of-use and cost-effectiveness in accessing theresources over the Internet. Employing the resources inthe cloud provides greater expediency to the user becauseof its systematic manner. Cloud helps us to make use ofthe existing technologies such as virtualization, service-orientation and grid computing in large-scale distributedenvironment [4, 5]. To assure the cloud data integrityand availability, efficient approaches that enable storagecorrectness assurance on behalf of cloud users have to bepremeditated. Hence, cloud operations should also im-peratively support the dynamic features that make thesystem design even more challenging.

As Cloud computing is a new emergent technology de-spite having many beneficial factors, it faces many threatsin various ways. It has spread very fast due to its flexibil-ity over ease of access as it eliminates the need for extrahard drives and memory space allocation. As the cloud isa distributed system, the data stored in it is widespreadin distinct locations, and it is accessed anywhere. Thedistributed nature of the data creates the requirement forhigh security over outsourced data as there exists a prob-ability that anyone can exploit the outsourced data. Thehackers [1, 2, 16], can also access the outsourced data byhacking any server virtually, and the statistical results


showed that one-third of the breaches happened fromstolen or lost laptops exposing the data unintentionallyfrom the users or the employee of the organization overthe Internet. Further, nearly 16 percent of this data ex-posure is due to the insider theft. The cloud securityproviders were even trying to provide a solution to secu-rity problems such as security, privacy, reliability, legal is-sues, open standards, compliance, freedom and long-termviability.

Cloud affords three major types of deployment mod-els, which comprises of Public, Private, and HybridCloud. Most-common level people and some organiza-tions make use of the public cloud model in a majorityfor data storage purposes because it consumes less costand correspondingly provides utmost security over theoutsourced data, but there is also a probability of dataleakage in a public cloud environment. The private cloudmodel [9, 13], depends upon a particular firm but foundto be comparatively costlier than the public cloud. Thecombination of either private- public or public-public orprivate-private infrastructure forms the Hybrid cloud en-vironment [12, 15], providing the combined advantage ofboth the private and the public cloud. The significantbenefit of the use of the hybrid cloud involves improvisedsecurity with lesser management costs.

The possession of fine-grained data access control andstorage correctness verification remains to be a mandatoryfeature in any system, which shares the data contentsamong multiple users with different level of trust. Toensure the property of cloud data security, highly trustedcloud users might be allowed with full access rights whilethe other users were assigned partial access rights overthe outsourced data. Efficient management of the fine-grained access provision in a system with users havingdifferent access privileges remains to be a challenging issuein cloud computing.

To provide better security features in cloud comput-ing environment, a novel Storage Correctness and Fine-grained Access Provision Scheme (SCFAP) is given. Itcomprises of two parts, where the first part designatesthe access structures to the users and the second presentsa storage correctness scheme through the use of the accessstructure defined at the preliminaries. A combination ofpublic key, private key, and access structures is assigned toall the users of the system that is derived from the appro-priate user attributes. Through the distributed keys andaccess structures, every single user of the system estab-lishes the secure cloud connection and performs accessesto the cloud data. For every successful cloud data upload,the user is provided with a token, which is used to verifyand validate the storage correctness associated with theoutsourced data thereby improving the storage efficiency.

The paper is organized in the following manner. Thesection next to introduction details the literature survey,the next part, deals with the summary of limitations fol-lowed by preliminary concepts and algorithms, systemdesign, the proposed SCFAP scheme, case study, Imple-mentation Details, Results, and Discussion. The paper is

ended with the conclusion and future work.

2 Related Works

This section describes and analyzes other approaches to-wards facing the challenge of fine-grained access provisionto cloud users. Multiple solutions are examined, afterwhich an overview of their works was given. This sectionalso describes the comparison of two major approachesthat is related to the fine-grained access provision tech-niques.

2.1 Overview

This section presents an overview of the works, which isrelated to the proposed SCFAP scheme.

2.1.1 Cloud based Access Control Techniques

[24] presents a data access control scheme called DAC-MAC for the multi authority cloud storage system. Itprovides a multi-authority CP-ABE scheme with efficientdata decryption and user revocation functions. This workfurther offers an Extensive Data Access Control Scheme(EDAC-MACS) that provides secured user data accesseven at weaker security assumptions. The security anal-ysis results of this scheme prove that this scheme is col-lusion resistance but lacks at the property of fine-grainedaccess provision to the individual users of the system. Inwork done by [25, 10], integration of cryptographic tech-niques with RBAC techniques was made and it uses rolekeys for data decryption. Further this work presents a hy-brid cloud architecture, where the public cloud containsthe basic level details and most sensitive information overthe private cloud. This work separates the property ofuser delegation to active and passive types and establisheseffective role management through the use of delegationservers and protocols. The Cipher text-Policy Attribute-Based Encryption was given by; it realizes the complex ac-cess control mechanisms over the encrypted data [23, 14].Here the attributes expressed solitarily the user creden-tials and the person who encrypts the data could fix theaccess limit to the users for data decryption. Throughthe use of this scheme, the data stored could be kept con-fidential even though it resides on the untrusted server.The ID-based cryptographic scheme [8], makes use of theuser attributes such as user id for encryption and decryp-tion process of the outsourced data. The development ofID-based cryptographic scheme provides the secured datastorage over the public cloud and improved client autho-rization for other users to access the data content.

2.1.2 Hierarchical Based Access ControlSchemes

In HASBE [17, 21], the user access rights were providedby the hierarchical access structure framed for each user of


the system. This scheme ensures the property of scalabil-ity through the extension of ASBE (Attribute-Set BasedEncryption) technique [6]. It defines a hierarchical struc-ture that delegates the operation of trusted authority andprivate key generation to the domain authorities of thelower level. Here the user attributes were converted intothe stable structure of the recursive type that permits theusers to define constraints dynamically by representinga different combination of attributes, which satisfies theuser access policy. That ensures the property of flexibil-ity and fine-grained access control over HASBE systems.The concept of Hierarchical Based Access Structure is ex-tended to form the Hierarchical Structure used in thispaper.

2.1.3 Token Based Access Verification Systems

[20] proposed a flexible distributed storage integrity au-diting mechanism that consists of homomorphic tokensand erasure-coded data. Tokens are provided to the usersfrom randomly chosen block indices from each data vec-tor space analogous to the memory location of the userrequested file in the cloud. The use of erasure coded datatechnique protects the user data and eliminates the sys-tem errors such as data redundancy, fault tolerance andserver crashes. In Privacy-Preserving Public Auditing forSecure Cloud Storage by [18, 11] comprises a third-partyauditor (TPA) for auditing the integrity of outsourceddata; this eradicates the new threats and realizes the dataprivacy. This scheme uses random masking technique in-tegrated with a homomorphic authenticator that ensuresthe privacy of public auditing. Flexible distributed stor-age integrity checking mechanism is proposed by [3] usinghomomorphic tokens and it avoids security problems likeidentifying unknown users. Through the use of homomor-phic tokens and distributed erasure coded data, users werepermitted to audit the outsourced data. This auditing al-lows the users to identify both the improper data accessand cloud server misbehaviors. This scheme even ensuresthe cloud data security, which allows the users to performdynamic operations efficiently over the outsourced data.Experimental analysis of their proposed scheme provesthat it provides high efficiency against Byzantine failure,unknown user attacks and attacks on cloud data modifi-cation. Access control schemes based on the token systemwere developed to provide greater security over the cloudstorage systems.

2.2 Comparison of Related Works

This section presents a brief summary about two majorapproaches relating to the proposed SCFAP scheme. TheHASBE scheme given by [17], and the flexible integrityauditing mechanism provided by Wang Cong et al, weretaken into comparison, and it is described as follows:

2.2.1 Work by Wan Zhiguo et al.

To ensure the property of scalability and flexibility overoutsourced data, a solution is presented in work doneby [17]. This work shows a Hierarchical Attribute-Set-Based Encryption (HASBE) scheme to cloud users, whichextends the property of Cipher-text attribute-set-basedencryption technique. This scheme not only aims in theachievement of scalability, it even inherits the propertyof flexibility and fine-grained access provision throughthe management of compound attributes. The HASBEscheme makes use of multiple value access expiration timeto deal with user revocation problems. The first part ofthis work describes the extension of HASBE from ASBEtechnique using the hierarchical structure. Whereas thesecond part provides a clear demonstration of the imple-mentation of access control scheme based on HASBE forcloud computing.

The cloud computing system considered in this workconsists of five major entities. The cloud service providerprovides services to users. The data owners share theirdata contents through the cloud in an encrypted man-ner. Data consumers decrypt the shared contents to per-form their respective access operations. Each data ownerand data consumer was assigned with a domain authority,where each domain authorities could be managed throughparent domain authorities or trusted domain authorities.The major responsibility of every domain authority is toadminister the domain authorities at next level or thedata owner or consumer in its domain. In HASBE schemethe data users were only assumed to possess read access.All the entities associated with this scheme were organizedin a hierarchical manner to accomplish their tasks.

A recursive set based key structure is formed for everyuser, where each element of the set is either a set or anelement corresponding to a user attribute. The depth ofthe key structure is found using the level of recursionsin the recursive set, which is similar to the definition ofdepth tree. For a key structure of depth 2, members ofthe set can either be sets or attribute elements at depth1.At depth 2 it is mandatory that all the members of theset should be of attribute elements. A unique label forthe user attributes was formed using key structure. Theaccess structure to the users in HASBE was formed ina similar way to the ASBE scheme given by [3]. In ac-cess tree structures the leaf nodes were considered to bethe attributes, and non-leaf nodes represent the thresholdgates. The non-leaf nodes were defined using its childrenand threshold values.

This work provides user access provision with the helpof the hierarchical access structure, and it is formed usingappropriate user key structure and access structures. Itmeans that the user with private key corresponding to at-tributes in key structure would be able to access the data,only when their attributes satisfies the access policies de-fined by the access structure. System Setup, Top-LevelDomain Authority Grant, New Domain Authority/UserGrant, New File Creation, User Revocation, File Access,


and File Deletion are the seven major operations associ-ated with Wan Zhiguo et al HASBE scheme. Each majorsystem operations related to the HASBE scheme invokesthe appropriate algorithms associated with it to accom-plish their tasks, and it works by bilinear mapping con-cepts. Through the use of this operations, every userof the system shares and uses their data contents usingHASBE scheme.

Though Wan Zhiguo et al system provides a better so-lution to scalability and flexibility issues, the completesupport for compound values and multiple value assign-ments are measured and found to be lagging in efficiency.Which reduces the level of fine-grained data access. Theproposed SCFAP scheme defines users with their role-based classification. Provides efficient support for com-pound attributes and multiple value assignments. The hi-erarchical structure described in SCFAP scheme improvesthe level of fine-grained access provision associated withindividual users of the system. The HASBE scheme fur-ther does not allow write access to the data users of thesystem. This makes its application inappropriate to crit-ical systems like financial sectors, where several users re-quire write operations to be performed. SCFAP schemeallows the users to perform write operations in an effec-tive manner, and it is achieved through the use of tokengranting system, which preserves the storage correctnessof the outsourced data.

2.2.2 Work by Wang Cong et al.

An approach to form solution for security risks accom-panying the correctness of physical possession over out-sourced data were done by [17]. This work presents aflexible distributed storage integrity auditing mechanism,which ensures the correctness of outsourced data throughthe use of homomorphic token and distributed erasure-coded data. This scheme provides efficient user audit-ing of cloud data with very lightweight communicationand computation cost. The auditing result provides bothstorage correctness guarantee as well as fast data error lo-calization (identification of server misbehaviors). It evenallows user access operations over outsourced data includ-ing block deletion, modification and appends functionali-ties. The overall contributions of this work is summarizedas follows:

1) In comparison to many of its predecessors, thisscheme achieves both the storage correctness insur-ance and data error localizations.

2) This scheme further supports secure and dynamic op-eration over data blocks including update, delete andappend.

3) The work further makes an extensive security analy-sis that shows its resistance towards Byzantine fail-ures and malicious data modification attack andserver colluding attacks.

The flexible integrity auditing mechanism discussed inthis section consists of four major entities, which includesUser, Cloud Service Provider (CSP), Cloud Server (CS)and Third Party Auditor (TPA). Users share their datathrough cloud storage services, and a user can be eitherenterprise or an individual customer. Cloud Server (CS)is managed by the CSP to provide better computationand storage facilities to the users of the system. TPAis an optional entity with expertise qualities that userdoes not possess. TPA assesses and describes the risk ofcloud storage services on behalf of users upon request.This work provides more focus towards file oriented datarather than non-file oriented applications like social net-working systems. Block level operations over user datawere considered as block update, block delete, block in-sert and append operations. The major focus of this workis to identify the key integrity issues like unauthorizeddata modifications and corruptions, caused due to servercompromises and random Byzantine failures.

Users store their valid credential to cloud serversthrough CSPs. The problem of data redundancy couldbe employed through the technique of erasure correct-ing code. This scheme further tolerates faults and servercrashes that happen due to increasing data users. Theusers interact with cloud servers for processing file re-trieval request through CSPs. As it is not feasible forthe users to possess their data locally, it is necessary toverify the correctness and maintenance of the cloud data.The users were provided with the pre-computed tokensthat provide correctness assurance to the users of the sys-tem. Tokens are derived from the subset of file blocksin a random manner. The verification token helps theusers to ensure correctness of data operation request pro-cessed by the CSP. Tokens are issued to the user basedon randomly chosen block indices from each data vectorspace corresponding to memory position of the requestedfile in the cloud and erasure-coded data. In cases of in-appropriate situations like insufficient resources and timethe users can delegate their responsibilities to TPA. Thesystem is designed in such a way that leakages of user?Outsourced data towards auditing protocol were prohib-ited. This work achieves secure data storage through fivemajor steps, which includes file distribution preparation,challenge token pre-computation, correctness verificationand error localization, file retrieving and auditing and fi-nally, towards third party auditing. The algorithms as-sociated with each stage helps in the management of ac-tivities accompanying data storage management and cor-rectness verification processes. This scheme provides anapproach methodology that prevents CSP to process datadynamics without knowing user secret key materials andensures users that dynamic data operation request doneby CSP were processed faithfully. In this manner theproperty of integrity assurance and storage correctnesswhere done in [17] scheme.

Tokens were provided to the users, based upon ran-domly generated block indexes and memory position ofthe file. This makes the property of storage correctness


associated with integrity auditing scheme to be a proba-bilistic feature. The proposed SCFAP scheme solves thisissue by granting tokens to the users in a deterministicmanner. In SCFAP scheme tokens were derived fromMetadata containing file locations and distributed to allthe users of the system during appropriate phases. Herethe major advantage is that as a result of the write op-eration done by the authorized system an updated tokenwould be provided to all the users of the system, throughwhich the property of storage correctness is achieved.

3 Construction of Storage Cor-rectness and Fine-grained Ac-cess Provision Technique

3.1 System Design

This section presents a conceptual design of the novelscheme called Storage Correctness and Fine-grained Ac-cess Provision (SCFAP) scheme, which is described inFigure 1. The proposed SCFAP scheme consists of twoparts. The first part deals with the construction of hi-erarchical based user access structures and the secondpart depicts the algorithmic phases associated with SC-FAP scheme that helps in the achievement of fine-graineddata access and improved storage efficiency across the out-sourced cloud data storage. A set of appropriate crypto-graphic keys and access structures derived from the exactuser attributes were distributed to all the users of the sys-tem. Through the use of the access structures and crypto-graphic keys every user of the system performs the clouddata access in a secure way. As a result of the encryptionprocess, both the data owners and users were providedwith a token, which assists in the process of integrity andsecurity verification over the outsourced data.

Figure 1: System design of SCFAP

The proposed system consists of five major entities andthe description to the entities were given as follows, At-tribute Authority (AA): The major responsibility of theAttribute Authority (AA) is to manage all the attributerelated activities in specialization with the activities con-fining to the management of user roles. This includesmaintenance of role revocation, delegation, key allocationto users and authentication of the user given credentialslike the public key, private key, etc. Cloud server (CS):

Cloud server performs all the computation related activ-ities. This includes the computation of user given inputsand producing corresponding computational results andacknowledgments to the users. Cloud Service Provider(CSP): The Cloud Service Provider (CSP) provides ser-vices to the users of the system and performs the vali-dation of the user given inputs and outputs during theprocess of encryption and decryption. Service Consumers(Users): A Service consumer is also called as the user ofthe system, consumes the services provided by the cloudcomputing environment. Data Owner: Shares valid datacontents over cloud computing environment and fixes dataaccess limits across data users.

3.2 Assumptions

This work assumes an existing data access control modelto build upon, and the proposed design makes use ofthe access control properties defined previously at relatedworks. The hierarchical structure described in this paperis assumed to provide many-to-many data sharing in a se-cured manner through which the property of fine-grainedaccess control, confidentiality, and non-repudiation of theoutsourced data was achieved.

3.3 Key Terminologies

3.3.1 Access Assignment Structure

A summary on Access assignment structure is depicted inFigure 2.

3.3.2 Hierarchical Structure

The hierarchical structure defines the access policy asso-ciated with the individual users of the system. A hier-archy is framed from the combination of the user uniqueand common attributes. Each hierarchy represents theone to one relationship between the user and their accesspolicies. The access policy defines the set of operations(read or write access) the user could perform over theoutsourced data.

3.3.3 Key Structure

Key structures were designed to preserve the security ofthe outsourced data. Key structures are derivatives fromthe user common attributes like roles. The formation ofkey structure assigns the access privileges to the set of thecommon users over the outsourced data. This states thatusers beneath a particular role were assigned with a keystructure such that they could gain access to a particularset of files.

3.3.4 Access Structure

Access structures were designed to achieve the propertyof fine-grained user access and it is derived from the userunique attributes like user id. It defines the extent towhich an individual user could access the data.


Figure 2: Access assignment structure

3.3.5 Grade

Grade denotes the level of the extent to which the set ofcommon users could gain access to a particular set of files.Each grade formally represents a key structure, such thata user with certain grade could gain access to all the filesthat comes with the scope of a particular grade. Gradeswere derived from the user common attributes like dep id,such that it represents a set of files that belongs to theparticular department. An example of the measure of agrade is described in Figure 3.

Figure 3: Access limits associated with a grade

3.3.6 Barriers

Barriers are restrictions imposed over the grades toachieve the fine-grained user access level. It has beenfound that it is not necessary for a user with a particulargrade to access all the files that come under a particu-lar grade. To solve this issue, barriers were designed andimposed over the user grades.

From Figure 4. It is understood that though the userbelongs to grade1 which provides access rights to threefiles F1, F2, F3. The imposition of the barrier B1 over theparticular user grade G denies the user file access requestto the file F2; such that the user could only be able toaccess the files F1 and F2. It provides the appropriateaccess rights to the users through which the property offine-grained access provision is achieved.

3.3.7 Tokens

Tokens were derived from the metadata containing the filelocation and it acts as a user authentication entity. To-

Figure 4: Barrier generations

kens were issued to the data users as a result of the dataencryption process. Through the use of the tokens, theuser could easily verify the existence of their correspond-ing files in a convenient manner. Since the token repre-sents the Metadata about the file location, it assists in theprocess of easier file retrieval. This improves the storageefficiency of the proposed system. Further, clear descrip-tions about the working of the tokens were described inphase 6, 7 and 8 of the SCFAP scheme. A new methodof mathematical modelling was used to identify the func-tions and variables of the proposed scheme.

4 Preliminary Concepts and Algo-rithms

4.1 KeyGen()

KeyGen() is a basic algorithm for key generation throughwhich all the other keys associated with the data userswere derived. This algorithm is invoked automaticallywhenever the process of key generation is required.

Let us consider the set of keys k such that it contains aset of integers up to n. Such that Kn = {k1, k2, · · · , kn}.

kn :

n∑Z=0

KZ ≈n∑

m=0

dm.

Where d is the set of derived keys. It could be of anyother keylike master key, public key and private key. In


a simpler way the KeyGen algorithm generates randomnumber of keys in accordance to the user given input pa-rameters.

4.2 Formation of Hierarchical AccessStructure

The proposed SCFAP scheme makes use of the hierar-chical access structure to define the user access rights.The basic concept behind the hierarchical access struc-ture was described in the previous section of the paper.In SCFAP scheme each user is assigned with a hierarchi-cal structure, which is derived from their respective keyand access structures.

Key structure is premeditated to preserve the securityof the outsourced data and it represents the access rightsto the group of users with a common identity. The basicconcepts behind the formation of the key structure weregiven in the previous section. It is formed using the usercommon attributes like dep id. In an organization themost important or most secured files could be accessedonly by the personals at the top-most designation order,least important files by the low-level personals and ordi-nary files could be accessed by the mid-level individuals.In correspondence to the user designation order grades fora group of members with common identity (users under aparticular role) is calculated from “grade1.grade n”. Forevery user with a role, grades were allocated with respectto their access privilege that defines the level of extent towhich the users could access the data.

4.2.1 Access Structure

The access structure represents the access rights to theindividual user of the system. Even though a particularuser is assigned with a grade representing the key struc-ture, it is not mandatory that the user could access allthe files that come under a particular grade. The accessstructures associated with the SCFAP scheme were de-signed in such a way that solves the problem of abovementioned issue. The access structure was framed fromthe user barrier limits, which are derived from the userunique attributes like user id. Barriers are restrictionsthat were imposed over the user access grades to achievethe fine-grained access control. The assignment of the ac-cess structure defines the individual access limits over theset of files. In addition to this, phase 3 of the storagecorrectness scheme provides a brief summary about thealgorithmic implementation of the user access structureassignment.

Through the use of the key and access structure dis-cussed above, a hierarchical access structure is formed inthe proposed SCFAP scheme, and it is illustrated in Fig-ure 2.

4.2.2 Token Granting System

The proposed SCFAP scheme makes use of the tokengranting system through which the property of storage

correctness is achieved. As it is described at the previoussection tokens were derived from the Meta data containingthe file location that assist in both ways, through whichthe process of storage correctness as well as the easier re-trieval of the outsourced files could be made. The primeidea behind the use of token granting system in SCFAPscheme is that at the end of every successful data encryp-tion process the data users were provided with the tokens,through which the data users verifies the existence of theoutsourced data. The users could also be able to performthe decryption process only when the Meta data of theuser given token points to the user requested file.

4.3 SCFAP Phases

The storage correctness phases and fine-grained accessprovision scheme consists of nine phases through whichthe property of fine-grained access provision and storagecorrectness verification is achieved. The SCFAP phasesapply the concept of hierarchical access structure and to-ken granting system described in preliminaries part.

4.3.1 Phase 1: SetUp()

It takes the user security parameter λ as an input andgenerates master key mk as an output. This step is doneby the cloud server through automatically invoking theKeyGen algorithm.

K : mk = λ ./ kn. (1)

Equation 1 joins the user security parameter with theunique key generated by KeyGen() algorithm and dis-tributes the master key to the corresponding users of thesystem.

4.3.2 Phase 2: GradeGen(mk, Rid)

This phase is performed by the Attribute Authority andit takes the master key mk and Role id Rid as an input,produces public key pk and grade g as an output. Publickey is derived from the master key mk by manually in-voking the KeyGen() algorithm. Let us consider two sets,R = {R1, R2, R3, · · · , Rn} and G = {g1, g2, g3, · · · , gn}be the set of roles and grades. Such that R ≈ G (meansthat the role R is isomorphic to grade G).

Z : ∀Rid ∈ R|Rid ⊆ R.

Any Rid that belongs to R is the subset of R.

Z : ∀Rid : P (Rid)|Rid < •R. (2)

At least for one value of Rid the value of Rid in R is true.Such that Rid is covered by r where r ∈ R.

∴ Z : ∃Rid → r|r ⇔ G.

There exists G and Rid that implies a role such that therole corresponds to a grade G.


4.3.3 Phase 3: BarrierGen(Uid, rk, pk)

It takes (Uid, rk, pk) use rid, role key, and public key asan input and as a result of computation the barrier limitbl and the private key prk is returned to the users.

The private key is manually generated by role adminthrough the invocation of KeyGen() algorithm.

Let U be the universal set that contains all the users ofthe system and can be written as U = {U1, U2, · · · , Un}and B be the set of barriers such that can be written asB = {b1, b2, · · · , bn}.

Z : ∀Uid ∈ Uid ⊆ U.∀Uid : P (Uid)|Uid ≺ •U.

Similarly from Equation 2 this step is derived.

n∑k=1

Uk∃B|n∑

k=1

Uk ∈ B|n∑

k=1

Uk ⊆ B.

Means that for all the users there exists a barrier limitsuch that all the users in U belong to barriers in B. Sothat U is the subset of B. Such that there exists anUid ∈ B. where

Z : b =∐u∈U

bu :∐u∈U

Ru→ G.

Since, all the users U is the subset of B there exists ab corresponding to the user u, where the barriers can becalculated as a co-product of user and barrier sets.

4.3.4 Phase 4: Encrypt(f, rk, pk)

This phase is done by the CSP and it takes the file f ,role key rk and Public key pk as an input and the outputscipher text cp to the users of the system. Data encryptionis done as a part of file upload.

Z : f × rk × pk ⇔ f (rk,Pk)

Z : f × rk × pk ⇔ c.t|c.t ≈ f (rk,Pk).

Encryption is done as a combination of input parameters.

4.3.5 Phase 5: TokGen(f, rk, pk)

It takes file f , role key rk and Public key pk as an input. Itis the most important part of the encryption process andit is done during the process of file upload. Since tokenswere derived from the data containing file locations, herewe use the concept of reduction to reduce a file to tokens.Let F = {f1, f2, · · · , fn} be the set of files such that byproperty of reduction

if∃f ∈ db • ∀R ∈ F ⇔ f(R) ∈ ti

thenF ≤db ti

F ≤db t Denotes that a file set F can be reduced to tokenti and it is achieved through the data blocks. At the end ofthis phase tokens generated were distributed to the datausers to verify the correctness of the outsourced data.

4.3.6 Phase 6: Token Computation

It is done by the CSP and cloud server as a part of thedata decryption process. Let F = {f1, f2, · · · , fn} be theset of files and Ti = {ti1, ti2, · · · , tin} be the set of tokensassociated with the files. Then,∐

[ti1, ti2, · · · , tin](Fi) = {db[ti1, ti2, · · · , tin]; db ∈ F}.

Where, Fi = {1, 2, · · · , n} (Only the tokens between[ti1, ti2, · · · , tin] can access the files in data blocks). To-kens out of this scope would be computed as corruptedand cannot be accessed. It is based on the projectionproperty. Where,

db[ti1, ti2, · · · , tin] = {(ti, v) ∈ d, t ∈ [ti1, ti2, · · · , tin]}.

Means the remaining set of data blocks corresponds tosome other tokens.

The result of proportion∐

[ti1, ti2, · · · , tin](F ) can befound only if [ti1, ti2, · · · , tin] is ⊆ (F ). It means a filewould be accessed only when token matches with it.

4.3.7 Phase 7: Token Update

Whenever the data user performs the write operation thetokens associated with the users were updated and dis-tributed to all the associated system entities. This is dueto the reason that the process of write operation mayextend or delete some part of the file that leads to thechange of the Meta data containing the file location. Theprocess of token update is described as follows:

newti = ti ./ wc.

Where wc is the newly written content.

4.3.8 Step 8: Token Correctness

It is done as a part of data decryption during the processof file download. It takes (ti, cp) as an input. Let ti, cp bean algebraic function over F then Z : ti ∈ Ti; cp ∈ Cp; letus take an element ti ∈ f . Such that,

Z : (ti, cp1) + (ti, cp1) ∼ (ti1 + ti2 + cp)

Z : (ti, cp1) + (ti, cp1) ∼ (ti1, cp1 + cp2)

Z : f(ti, cp) ∼ (fti, cp) ∼ (ti, fcp)⇔ ti ⊗ cp.

It matches the values in the token and cipher text and re-turns the mismatch thus the token correctness is verified.

4.3.9 Phase 9: Decryption(cp, rk, bl, prk, ti)

Data decryption is done as a part of the file downloadprocess. It takes cipher text, role key, barrier limits, pri-vate key and token as input and returns the plain text tothe users based on their respective access structures.

Z : cp ./ ti =∐

b1(cp ./ ti)

Z : cp ./ ti =∐

b1(cp ./ ti)|(cp ./ ti) =∐

b1(cp ./ ti)⇔ Pt.

It combines the cipher text and token depending upon theuser barrier levels and provides the plain text.


Table 1: Summary of SCFAP phasesPhase No Phase Name Input Output Doneby

1 SetUP( ) λ Mk CS2 GradeGen( ) Mk, Rid Pk, G AA3 BarrierGen( ) Uid, Rk, Pk B,Prk RA4 Encrypt( ) F,Rk, Pk Ct CSP5 TokGen( ) F,Rk, Pk Ti CS,CSP6 TokenComp( ) F, Ti Ct CS,CSP7 TokenUpdate( ) Ti newTi CS,CSP8 TokenCorrectness( ) Ti, Ct File Validity CS,CSP9 Decrypt( ) Ti, Ct, Rk, B, Prk Plaintext CSP

5 Advantages of Proposed SCFAPScheme

1) Through the use of the barrier limits in user hier-archical access structure helps in the achievement offine-grained access rights to the users of the system.

2) The algorithmic deployment of the token grantingsystem helps in the achievement of the storage cor-rectness verification of the outsourced data with im-proved storage efficiency.

3) The tokens were derived from the Meta data contain-ing the file location. This reduces the file retrievaltime associated with the user data access request.

6 Case Study

It has been found that government agencies adopt cloudservices to meet their scaling industrial needs. Thoughsocial networking sites were found to be the major usersof cloud usage, currently banking contributes to the mostactivities in the cloud, utilizing 64% of the overall cloudservices. Factors like modernization, innovation in infor-mation technology, financial products, liberalization andconsolidation of financial markets enforces the transfor-mation of the ordinary banking system to the cloud-basedone.

In cloud banking systems, the clients could access dif-ferent types of banking services like balance enquiry, fundtransformations, etc. The banking system taken in thisscenario falls under the category of fully electronic basedtransaction systems, where the banking sites exhibit allthe information like bank locations, bank products, loanenquiry, loan eligibility details, transaction details, state-ment of accounts and money transfer facilities.

The management of activities associated with this typeof cloud banking system includes several entities like bankclients, cloud service providers, and entities related to thepayment gateway. In such a case it is not necessary for thesystem management entities with common attributes likesimilar roles to access all the end user provided valid cre-dentials. This creates the need for the application of fine-grained access control scheme over the cloud banking sys-

tem. To solve these issues, the proposed SCFAP schemewere applied to the Cloud banking system that solvedthe problem of fine-grained access level associated withthe individual system entities. Let us consider the situ-ation, where the bank client performs the money trans-action across the cloud banking system. The process ofmoney transfer requires the fulfillment of several essentialdetails including the client’s valid password. Once theclient completes the form filling activity, the client de-tails were transformed to their respective financial insti-tution cloud servers. The client transaction request couldbe processed through various system management entitieslike bank account manager, fund transfer manager, cloudservice provider, etc. Though all the associated entitiespossess the same authority of power, it is not necessaryfor them to process or access all the user given creden-tials. During fund transfer, it is necessary that the fundtransfer manager could access only the required client de-tails like user account balance and eligibility to performthe transaction. But the fund transfer manager is no wayrelated to the user personal and account credentials. Itis appropriate for the account manager to verify and vali-date client account detail apart from the other user giveninputs.In order to implement this restriction, a hierar-chical access structure is formed in a similar way to theSCFAP scheme. In this case, a hierarchy could be formedthrough the system entities, common attributes like orga-nization ID along with their unique user ID. Further, thestorage correctness phases depicted in this paper couldbe applied to the cases resembling the need for data in-tegrity assurance. In cloud banking, during the processof user registration the user uses their valid credentials asan input and as a result of the user registration, a loginid and password were given to them that act as a token.It could be used by the clients to verify the validity of theuser registered details. Thus the storage correctness ofthe user given inputs such as bank details were verified.

The above scenario clearly explains the application ofSCFAP scheme to cloud banking system and it is illus-trated in Figure 5. This scheme can also be applied tosimilar scenarios ranging from the medium-sized to large-sized enterprises. Our system is highly efficient in cases,where a significant number of users with similar rolesneeds the fine-grained access provisions and frequent ver-


Figure 5: Cloud based financial system-A case study

ifications to the outsourced data.

7 Experimental Study

7.1 Deployment of SCFAP Over Eucalyp-tus Cloud

An application is created in Eucalyptus an open sourcecloud platform, which deploys the proposed SCFAPscheme. An interface is developed using JSP to enableusers to authenticate and view the cloud storage. Eu-calyptus consists of several other interfaces like cloud42,tAWSTanacasino, EC2 Dream, but it is not feasiblefor the proposed implementation. MySQL communityserver5.7 is used for storage purposes. The proposed SC-FAP scheme runs at the infrastructure layer of the eu-calyptus, and it works on a layered basis to accomplishits tasks. The SCFAP scheme consists of four layers suchas user registration layer, authentication layer, access se-curity management layer and instance management layeras it is described in Figure 6. The registration layer per-forms the user registration process. Authentication layervalidates the cloudlet credentials, and the access securitymanagement layer allows or denies the user file accessrequests to the virtual machines with the aid of the func-tionalities present in the instance management layer. Theapplication consists of the Command Line User Interface(CUI) using Euca2ools, which allows the users to interactwith the system. Here the users of the system were consid-ered to be the subjects and the files uploaded to the cloudwere assumed to be the objects. Every subject creates the

newer objects and requests their corresponding object ac-cess through the proposed SCFAP scheme that preservesthe storage correctness and fine-grained access provisionof the user data. The security management layer con-trols and directs the access control schemes. The imple-mentation consists of the web interface that possesses theproperty of ease of use through which the Cloud ServiceProviders (CSP) or Attribute Authorities (AA) createsthe restriction over the cloud instances. The implementedSCFAP scheme allows the AA to manage access to cloudresources, instances, virtual machines and common usergroups associated with the cloud computing environment.

The first step associated with the implementation ofSCFAP scheme over eucalyptus cloud consists of the setupphase. Once the subject is registered with the system, theAA adds the subject to the common user groups. Thisstates that all the subjects under the common user groupcontain the common access privileges with particular in-dividual restrictions. These restrictions were imposed onthe subjects through the assignment key structure andaccess structure to the subjects. Every subject can cre-ate new objects and gain access to existing objects basedupon the following access restrictions:

1) Grades Defines the level of the extent to which acommon user group can access.

2) Barriers Defines the level of extent through whichan individual user can access.

3) Tokens Derived from Meta data containing file loca-tion.


Figure 6: Architecture of SCFAP over eucalyptus cloud

Each subject shares their newly created objects to theother subjects of common user groups. The subject canalso share their objects to other Common User groupswhich they were not a member. To gain access to theshared objects and instances the subject accessing theobject could not violate the SCFAP access policy. Eachsubject could ensure the property of integrity over theirrespective subjects through the use of token granting sys-tems. An updated token would be distributed to everysubject associated with the shared object in case of mod-ifications to the shared data objects. In this manner, thesubject could gain access to the outsourced objects.

The implemented SCFAP consists of two distinct typesof interfaces that include subject management and objectmanagement interfaces. The subject management inter-face assists in the management of all the subject relatedactivities that include subject authentication, user com-mon group assignments, subject key allocation, and man-agement. The object management interface is responsiblefor the process of management of all the object-related ac-tivities that include object storage, object retrieval, tokengeneration, token computation, and management.

7.2 Validation of Premises

Built on the open source cloud platform Eucalyptus theapplication of SCFAP scheme to the developed prototypecould be validated through the verification of premisesthat happens in four steps, which are described as follows:

1) Each authenticated subject should be assigned to thecommon user group.

2) Each subject should be assigned with an appropriatehierarchical access structure.

3) Token computation results should match with theuser given token and the user given file access re-quest.

4) Encryption and decryption processes could be per-formed when the subject given inputs are valid.

7.3 Access Verification Tests

The first test comprises the access request to the objectfrom the subject who is not the member of the any ofthe common user group associated with the developedsystem. The request would be denied by the setup al-gorithm present at the authentication layer. The nexttest comprises the file access request from the subjectwith inappropriate hierarchical access structure. This re-quest is blocked by GradeGen and AccessGen algorithmsfunctioning at the access security management layer. Asubjects access request for an object with invalid usercredentials like invalid tokens and the secret key is de-nied, and the subject is blocked from accessing the ser-vices if he repeats the same for three times. The requestfor encryption or decryption processes with inappropriatecryptographic keys or inputs by the subjects is blockedthrough the several algorithms like Setup, GradeGen,BarrierGen, Token computation and Encrypt or Decryptalgorithm present at the user registration layer, Authen-tication Layer Security management layer and instancemanagement layer of the developed prototype. In this


manner the exception handling capabilities of the devel-oped prototype where clearly described using the systemaccess verification tests.

8 Results and Discussions

The major objective of the experimental implementationis to validate the level of an extent to which the proposedSCFAP scheme provides the property of fine-grained dataaccess to the cloud users. To validate this objective pro-totypes using traditional access control, techniques likeABE and RBAC were implemented, and it is comparedwith the proposed SCFAP scheme. From the results ofthe implementation, a comparison is made regarding bothsystem performance and fine-grained access provision,which is described in Figure 7 and 8. First, a compar-ison is made between the amount of data to be retrievedand file retrieval time to find the system performance. Atclient side, n numbers of client nodes were created, anda large number of files from different client node was up-loaded to the cloud storage. Client file access requestswere given from various nodes and the number of clientrequests per minute was calculated regarding size of thedata files accompanying the client requests and it is keptas X limits. The time taken by the cloud server to respondto user file access requests was calculated in seconds, andthis forms the Y limits. It has been observed that thetime taken for file retrieval on the size of the data file forour SCFAP scheme remains constant up to a particularthreshold. Even though there is a tremendous increase infile size that happens after a particular threshold, the timetaken for file retrieval increases in a consistent manner.But the observation of traditional access control schemeslike ABE and RBAC deviates highly and takes more timefor file retrieval after a particular threshold. This is dueto the inconsistent nature of their underlying access poli-cies. The comparison between SCFAP with traditionalABE and RBAC techniques regarding file retrieval timeproves that the proposed SCFAP scheme takes reducedfile retrieval time than the existing schemes. This is dueto the use of the token granting systems. Since the tokenswere derived from the Meta data containing the file loca-tion, the time taken for file retrieval and storage correct-ness verification has been comparatively improved. Theoverall simulation results depict that the file retrieval hasbeen reduced by 0.5 seconds in comparative to the exist-ing access control techniques. This improves the overallperformance measure of the system.

A measure to the level of fine-graininess associated withthe SCFAP scheme in comparison to the traditional accesscontrol methods like ABE and RBAC were made, whichis depicted in Figure 7.

The level of fine-grained access control is measured bythe extent to which the appropriate access rights wereprovided to the users of the system. User access policiesbased upon SCFAP, ABE and RBAC models were de-signed for each client nodes associated with the system.

Figure 7: Comparison of file retrieval time in SCFAPscheme

Through the implementation of SCFAP scheme over theeucalyptus-cloud and the use of a vast number of the clientnodes, a hierarchy is formed for every user accompanyingthe client node. A comparative measure of fine-grainedaccess level has been made in association with the depthof access structure. The depth of the access structureswas kept in X limits and fine-grained access level in per-centage were fixed at Y limits. It has been found that ourproposed SCFAP scheme provides better fine-grained ac-cess level to the data users even at lesser access structuredepth. The other access control techniques taken intocomparison were found to be lagging inefficiency at thelower level of access structure depth. Achieved throughthe derivation of appropriate hierarchical structures as-sociated with SCFAP scheme, which provides better ac-cess provision even at the lower access structure depth.The existing technique lags at fine-grained access provi-sion through the complex access structure formation. Thetests were conducted using banking research dataset of theFederal Bank of New York.

9 Conclusion

The paper defines an SCFAP scheme that solves theproblem of fine-grained access provision and storage cor-rectness associated with the existing access control tech-niques. The first part of the SCFAP scheme involves theformation of hierarchical structures that fixes the appro-priate access policies to the users; this improves the fine-grained ness associated with the access policy. The nextpart deals with the achievement of storage correctness re-lated to the files, and it is made through the usage ofthe token granting system. In addition to this, the useof token granting system improves the storage efficiency,security, and performance of the proposed system. Asthis paper explains only on the key structure and AccessStructure associated with the plain text but not about theCipher Text Access Structure. In future, this work could


Figure 8: Comparison to fine-grained access provisionmeasure in SCFAP scheme

be extended for outsourced data decryption techniques.

Acknowledgments

The author greatfuly acknowledge the VIT Univerity forproviding us an wonderful work infrastructure.

References

[1] P. Arora, R. C. Wadhawan, and E. S. P. Ahuja,“Cloud computing security issues in infrastructureas a service,” International Journal of Advanced Re-search in Computer Science and Software Engineer-ing, vol. 2, no. 1, pp. 1–7, 2012.

[2] V. Bhangotra and A. Puri, “Enhancing cloud secu-rity by using hybrid encryption scheme,” Interna-tional Journal of Advanced Engineering Technology,vol. 6, no. 4, pp. 34–40, 2015.

[3] R. Bobba, H. Khurana, and M. Prabhakaran,“Attribute-sets: A practically motivated enhance-ment to attribute-based encryption,” in ComputerSecurity (ESORICS’09), pp. 587–604, Springer,2009.

[4] R. Buyya, C. S. Yeo, S. Venugopal, J. Broberg, andI. Brandic, “Cloud computing and emerging it plat-forms: Vision, hype, and reality for delivering com-puting as the 5th utility,” Future Generation Com-puter Systems, vol. 25, no. 6, pp. 599–616, 2009.

[5] Z. Cao, C. Mao, L. Liu, “Analysis of one secure anti-collusion data sharing scheme for dynamic groups inthe cloud,” International Journal of Electronics andInformation Engineering, vol. 5, no. 2, pp. 68–72,2016.

[6] V. Goyal, O. Pandey, A. Sahai, and B. Waters,“Attribute-based encryption for fine-grained accesscontrol of encrypted data,” in Proceedings of the 13th

ACM Conference on Computer and CommunicationsSecurity, pp. 89–98, 2006.

[7] W. Huang, A. Ganjali, B. H. Kim, S. Oh, and D.Lie, “The state of public infrastructure-as-a-servicecloud security,” ACM Computing Surveys, vol. 47,no. 4, pp. 68, 2015.

[8] N. Kaaniche, A. Boudguiga, and M. Laurent, “ID-based cryptography for secure cloud data storage,” in2013 IEEE Sixth International Conference on CloudComputing, 2013.

[9] R. Ko and R. Choo, The Cloud Security Ecosystem:Technical, Legal, Business and Management Issues,Syngress, 2015.

[10] J. Li, J. Li, X. Chen, C. Jia, and W. Lou, “Identity-based encryption with outsourced revocation incloud computing,” IEEE Transactions on Comput-ers, vol. 64, no. 2, pp. 425–437, 2015.

[11] J. Liu, X. Huang, and J. K. Liu, “Secure shar-ing of personal health records in cloud computing:ciphertext-policy attribute-based signcryption,” Fu-ture Generation Computer Systems, vol. 52, pp. 67–76, 2015.

[12] O. Mazhelis and P. Tyrvainen, “Role of data commu-nications in hybrid cloud costs,” in 2011 37th IEEEEUROMICRO Conference on Software Engineeringand Advanced Applications, pp. 138–145, 2011.

[13] S. Ramgovind, M. M. Eloff, and E. Smith, “The man-agement of security in cloud computing,” in Proceed-ing of IEEE Information Security for South Africa(ISSA’10), pp. 1–7, 2010.

[14] B. D. Revathy, M. P. Ravishankar, and C. I. T.Ponnampet, “Enabling secure and efficient keywordranked search over encrypted data in the cloud,”2015.

[15] P. Samarati and S. De C. di Vimercati, Cloud secu-rity: Issues and concerns, Wiley, New York, 2016.

[16] J. Singh, “Cyber-attacks in cloud computing: A casestudy,” International Journal of Electronics and In-formation Engineering, vol. 1, no. 2, pp. 78–87, 2014.

[17] Z. Wan, J. Liu, and R. H. Deng, “Hasbe: A hierarchi-cal attribute-based solution for flexible and scalableaccess control in cloud computing,” IEEE Transac-tions on Information Forensics and Security, vol. 7,no. 2, pp. 743–754, 2012.

[18] C. Wang, S. M. Chow, Q. Wang, K. Ren, and W.Lou, “Privacy-preserving public auditing for securecloud storage,” IEEE Transactions on Computers,vol. 62, no. 2, pp. 362–375, 2013.

[19] C. Wang, K. Ren, W. Lou, and J. Li, “Toward pub-licly auditable secure cloud data storage services,”IEEE Network, vol. 24, no. 4, pp. 19–24, 2010.

[20] C. Wang, Q. Wang, K. Ren, N. Cao, and W. Lou,“Toward secure and dependable storage services incloud computing,” IEEE Transactions on ServicesComputing, vol. 5, no. 2, pp. 220–232, 2012.

[21] S. Wang, J. Zhou, J. K. Liu, J. Yu, J. Chen,and W. Xie, “An efficient file hierarchy attribute-based encryption scheme in cloud computing,” IEEE


Transactions on Information Forensics and Security,vol. 11, no. 6, pp. 1265–1277, 2016.

[22] H. Witti, C. Ghedira, E. Disson, and K. Boukadi,“Security governance in multi-cloud environment: Asystematic mapping study,” in 12th World Congresson Services (SERVICES’16), 2016.

[23] Y. Wu, Z. Wei, and R. Deng, “Attribute-based ac-cess to scalable media in cloud-assisted content shar-ing networks,” IEEE Transactions on Multimedia,vol. 15, no. 4, pp. 778–788, 2013.

[24] K. Yang and X. Jia, “Dac-macs: Effective data accesscontrol for multi-authority cloud storage systems,”in Security for Cloud Storage Systems, pp. 59–83,Springer, 2014.

[25] L. Zhou, V. Varadharajan, and M. Hitchens,“Achieving secure role-based access control on en-crypted data in cloud storage,” IEEE Transactionson Information Forensics and Security, vol. 8, no. 12,pp. 1947–1960, 2013.

Biography

Balamurugan Balusamy is with VIT University asAssociate Professor in School of Information Technologyand Engineering.His research interests has evolved fromcloud computing,cloud security to Big data and Ph.Dthesis is on Cloud Access Control.

P. Venkata Krishna is a Professor at Sri PadmavatiMahila Visvavidyalayam, Tirupati, India. He received hisBTech in Electronics and Communication Engineeringfrom Sri Venkateswara University, Tirupathi, India,MTech in Computer Science and Engineering fromREC, Calicut, India, and he received his PhD from VITUniversity, Vellore, India. Dr. Krishna has several yearsof experience working in academia, research, consultancy,academic administration, and project management roles.His current research interests include mobile and wirelesssystems, QoS, and Cloud computing. He has been therecipient of several academic and research awards, such asthe Cognizant Best Faculty Award for the year 2009-2010and VIT Researcher Award for the year 2009-2010. Hehas authored over 150 research papers in various reputedjournals and conferences. He has delivered severalkeynote addresses in reputed conferences. He is currentlyserving as Editor-in-Chief for IJSGGC, IndersciencePublishers.

G. S. Tamizh Arasi is a PG scholar in VIT Universityand her research interests are Cloud Computing securityand Cloud access control.

Victor Chang is a Senior Lecturer in Computing atLeeds Beckett University. He has been a technicallead in web applications, web services, database, grid,cloud, storage/backup, bioinformatics, financial comput-ing which subsequently have become his research inter-ests. Victor has also successfully delivered many ITprojects in Taiwan, Singapore, Australia, and the UKsince 1998. Victor is experienced in a number of dif-ferent IT subjects and has 27 certifications with 97%on average. He completed PGCert (Higher Education,University Greenwich, 2012) and PhD (C.S, Universityof Southampton, 2013) within four years while workingfull-time, whereby the distance between his work and re-search is about hundreds of miles away. He has over 70published peer-reviewed papers, including several high-quality journals up-to-date. Victor won G20,000 fundingin 2001 (Singapore-Cambridge Trust) and G81,000 fund-ing in 2009 (Department of Health). He was involved inpart of the G6.5 million project in 2004, part of the G5.6million project in 2006 and part of a G300,000 projectin 2013. He is a PI and Co-PI in some projects. Vic-tor is a winner in 2011 European Identity Award in ”OnPremise to Cloud Migration”. He was selected to presenthis research in the House of Commons, UK, in 2011. Hewon the best student paper in CLOSER 2012. Dr VictorChang has taught numerous undergraduate and postgrad-uate modules. In some modules he taught, students likehis teaching and enjoy his labs and lectures.

Documents

A Secured Access Control Technique for Cloud Computing Environment Using …€¦ · · 2017-03-06International Journal of Network Security, Vol.19 ... A Secured Access Control