Multi-tenant attribute-based access control for cloud infrastructure services

Cloud Computing is developed as a new wave of ICT technologies, offering a common approach to on-demand provisioning of computation, storage and network resources that are generally referred to as infrastructure services. Most of currently available commercial cloud services are built and organized reflecting simple relations between single provider and customers with the simple security and trust model. New architectural models should deliver multi-provider heterogeneous cloud services environments to organizational customers representing multiple user groups. These models need to be enforced by consistent security services operating in virtualized multi-provider cloud environment. They should incorporate complex access control mechanisms and trust relations among cloud actors. In this paper, we analyze cloud services provisioning use-cases and propose an access control model for multi-tenant cloud services using attribute-based access control model. We also extend the model for Intercloud scenarios with the exchanging tokens approach. To facilitate attribute-based policy evaluation and implementing the proposed model, we apply an efficient mechanism to transform complex logical expressions in policies to compact decision diagrams. Our prototype of the multi-tenant attribute-based access control system for Intercloud is developed, tested and integrated into the GEYSERS project. Evaluations prove that our approach has a good performance in terms of numbers of cloud resources and numbers of clients.