Secure and Scalable Key and Access Control Management

Cloud storage service provides a new way for user to store and access their files anytime anywhere. It also allows user to share their files or collaborate with other users that is useful to increase the productivity and creativity in the workplace. But this certainly raises the challenge of key management in cloud storage service as the number of encrypted key needed to access the file is increased linearly depending on the number of users have access to it due to public key infrastructure (PKI) as the standard used in the cloud storage service. Access control is also another challenge that needs to be solved by cloud storage service to ensure that only the authorized user can access the files stored in the cloud.

One of the solutions to solve these challenges is attribute-based encryption (ABE). ABE is an encryption type  that uses set of descriptive attributes to secure the data with the encrypted data can only be accessed if attributes of the user fulfils the set of attributes of the encrypted data. It provides encrypted hierarchical and role-based access control and file-level security into the file as only the authorized user with the correct attributes can access the file. We leverage ABE for our multi-cloud storage solution of CloudRAID as it provides secure and scalable key and access control management. For each file stored in the cloud it only requires  one encrypted key that can be accessed if the user has enough attributes to be authorized to access the file.

Multi-Cloud Resource Access Control

Cloud computing presents several attractive benefits such as increased productivity, flexible access to resources and reduced costs. In order to leverage these benefits, a common challenge faced is selection of appropriate cloud services for specific tasks. Multi-cloud platforms have emerged as a way for overcoming this challenge by combining several cloud services in order to maximize the advantages of the cloud. However, multi-cloud systems present several challenges owing to inadequate cross-provider APIs, lack of cloud computing standards and non-unified access control mechanisms. 

 

Our research focuses on mitigating these concerns in the context of access control mechanisms in multi-cloud storage solution of CloudRAID. We propose unified access control model for multi-cloud storage where we leverage different access control models provided by multiple cloud storage services in order to give the access for cloud storage's stakeholders to resources in multiple cloud storage services. We follow privilege separation concept and least privilege principle to ensure that the cloud resources are secured and can only be accessed by its authorized stakeholders with limited allowed actions. And finally we leverage on the concept of "Signed URLs" to provide centralized and unified access control in multiple cloud storage services. These approaches could be deployed as a central authentication system for enterprise multi-cloud platforms with the advantage of seamless integration  with enterprise authentication protocols.