Profile-Based Access Control in Cloud Computing ... 3-1 NIST Cloud Computing Reference Architecture ... computing infrastructure can be replaced by cloud infrastructure, local

Embed Size (px)

Text of Profile-Based Access Control in Cloud Computing ... 3-1 NIST Cloud Computing Reference Architecture...

  • Profile-Based Access Control in Cloud Computing

    Environments with applications in Health Care Systems

    By

    Umair Mukhtar Ahmed Naushahi

    A thesis submitted to the Department of Computer Science

    In conformity with the requirements for The degree of Master of Science

    Bishops University Sherbrooke, Quebec, Canada

    February 2016

    Copyright Umair Naushahi, 2016

  • i

    Abstract

    Recently cloud computing has gained tremendous attention among researchers from both

    academia and industry. It has emerged as a promising technology for delivering on

    demand information technology services over the Internet while providing great

    flexibility in enhancing the hardware, software and network infrastructure of

    organizations. Consequently many institutions, organizations and individual users are

    migrating from a traditional computing environment to a cloud computing environment.

    Cloud computing has also been used in providing health care services such as

    information sharing, accessing various health care services, and utilizing resources across

    the board. While cloud computing offers numerous benefits, it also introduces some new

    and recurring challenges such as data computation & communication integrity, security

    and privacy. Due to its potential data security and privacy concerns, adopting a cloud

    based infrastructure for health care domain while meeting the privacy and security

    regulations recommended by HIPAA, PIPEDA and PHIPA is a big challenge. We study

    and analyze the security and privacy requirements of health care systems in a cloud

    computing environment and present a profile based access control system to improve the

    security and privacy of health care data while providing seamless service provisioning.

    We extend the concept of access control list by incorporating the Profile attribute and

    define rules for each profile to grant access to the system and its resources. In addition,

    when user authentication is done, profiles are mapped to the applications running on the

    cloud and eliminate the need of repetitive authentication requests for accessing each

    application. We also decompose the access control list in different parts. Such a

    decomposition helps reduce the management and administration cost, and allows

  • ii

    updating or adding new rules without maintaining complex rule matrices. The profile

    authentication process can be offered as a service to support authentication and system

    availability across different cloud deployments. Simulation results show that our solution

    offers reduced data access time and improves service provisioning while reducing

    authentication requests. Considering the hierarchical organizational structure of health

    care systems, the profile based access control approach best fits its requirements.

  • iii

    Acknowledgements

    Firstly, I would like to express my sincere gratitude to my advisor Prof. Stefan Bruda for

    the continuous support towards my degree and related research, for his patience,

    motivation, timely assistance during meetings constant evaluation of various drafts of my

    work, immense technical knowledge and technical support. His guidance helped me in all

    the time of research and writing of this thesis. I would also like to thank Prof. Nelly

    Khouzam for her support throughout my studies.

    Last but not the least, I would like to thank my family my parents and sisters for

    supporting me spiritually and praying for me throughout writing this thesis.

  • iv

    Table of Contents

    1 Introduction ............................................................................................. 1

    1.1 Cloud Computing ........................................................................................ 2

    1.1.1 The Cloud Service Delivery Models ........................................................................ 4

    1.1.2 Cloud Deployment Models ...................................................................................... 6

    1.2 Design and Security Challenges ................................................................. 7

    1.3 Problem Statement ...................................................................................... 9

    1.4 Research Objective ................................................................................... 10

    1.5 Thesis Organization .................................................................................. 10

    2 Related Work .........................................................................................11

    2.1 Security in Cloud Computing ................................................................... 11

    2.2 Analysis ..................................................................................................... 17

    3 Profile Based Access Control ...............................................................19

    3.1 Preliminaries ............................................................................................. 19

    3.1.1 NIST Cloud Computing Architecture .................................................................... 19

    3.1.2 Intelligent Cloud Computing Security Framework for Private and Public Clouds 21

    3.1.3 Access Control List ................................................................................................ 22

    3.2 Profile Based Access Control System ...................................................... 22

    3.2.1 System Components ............................................................................................... 24

    4 Evaluation Results and Discussion ......................................................30

    4.1 Simulation Environment ........................................................................... 30

    4.2 Simulation Results and Discussion ........................................................... 32

    4.2.1 System Response Time .......................................................................................... 34

    4.2.2 Service Request and Provisioning Time Delay ...................................................... 35

    4.2.3 Communication Overhead ..................................................................................... 36

    5 Conclusion and Future Work ...............................................................38

  • v

    List of Figures

    Figure 3-1 NIST Cloud Computing Reference Architecture ............................................ 20

    Figure 3-2 Proposed Cloud Computing Security Architecture ......................................... 25

    Figure 3-3 System Process Diagram ................................................................................. 26

    Figure 3-4 Profile-based Access Control List ................................................................... 28

    Figure 4-1 Simulation Dashboard and World View of Cloud Environment .................... 33

    Figure 4-2 Comparison of system response time per transaction ..................................... 34

    Figure 4-3 Comparison of system access time delay ........................................................ 36

    Figure 4-4 Comparison of Data Packet overhead ............................................................. 37

  • vi

    List of Abbreviations

    ABE Attribute Based Encryption

    ACL Access Control List

    CURD Create, Update, Retrieve, Delete

    HIPPA Health Insurance Portability and Accountability Act

    IAAS Infrastructure-as-a-Service

    IBE Identity Based Encryption

    IBHMCC Identity-Based Hierarchical Model for Cloud Computing

    IBS Identity Based Signature

    ICT Information and Communication Technology

    NIST National Institute of Standards and Technology

    PAAS Platform-as-a-Service

    PEHR Personal Electronic Health Record

    PHR Personal Health Record

    PIPEDA Personal Information Protection and Electronic Document act

    SAAS Software-as-a- Service

    SAP SSL Authentication Protocol

    SLAs Service Level Agreements

    XACML eXtensible Access Control Markup Language

    http://www.nist.gov/

  • 1

    1 Introduction

    The emergence in information and communication technologies (ICT) has changed the

    way organizations and individuals used to perform their daily workflow and business

    operations. Recently cloud computing has gained tremendous attention among

    researchers from both academia and industry. It has emerged as one of the promising

    technologies that is shifting the computing paradigm from traditional computing into the

    new era of cloud computing. The pervasive access to dynamic unbounded computing

    resources, network and software infrastructure with increased elasticity and flexibility has

    provided computing and communication to users ubiquitously and at an affordable cost.

    Consequently many institutions, organizations and individual users are migrating from

    traditional computing environments to a cloud computing environment. Cloud computing

    has also been introduced to provide health care services such as information sharing,

    accessing various health care services, utilizing resources across the board and improving

    and enhancing overall information and communication infrastructure among its major

    stakeholders such as patients, doctors, and pharmacists.

    While cloud computing offers numerous benefits like dynamic scalability, anytime

    anywher