Provenance-based Access Control in Cloud IaaS
Dissertation Proposal, Dang Nguyen, Institute for Cyber Security, University of Texas at San Antonio, August 23, 2013. PowerPoint presentation transcript.
Slide 1
Provenance-based Access Control in Cloud IaaS
August 23, 2013, Dissertation Proposal
Dang Nguyen, Institute for Cyber Security
University of Texas at San Antonio
Institute for Cyber Security
World-leading research with real-world impact!
Slide 2
Data Provenance in Computer Systems
“In computer systems, activities are carried out by processes that take input data, input state, input configuration, and produce output data and output state. Such processes are compositional by nature and can be the result of sophisticated compositions (sequential, parallel, conditional, etc) of simpler processes.” (Luc Moreau, “The Foundation for Provenance on the Web”)
Slide 3
Characteristics of Provenance Data
• Information on operations/transactions performed against data objects and their versions
  – Actions that were performed against data
  – Acting users/subjects who performed the actions
  – Data objects used by the actions
  – Data objects generated by the actions
  – Additional contextual information about the above entities
• Directed Acyclic Graph (DAG)
• Causality dependencies between entities (acting users/subjects, action processes and data objects)
• The dependency graph can be traced/traversed to discover origin, usage, versioning information, etc.
Slide 4
Provenance and Access Control
• Compared to traditional access control, Provenance-based Access Control (PBAC) provides richer access control mechanisms, for example for dynamic separation of duties.
Slide 5
Provenance Data Model
Base PBAC Model
Contextual PBAC Model
Provenance data sharing approaches
Slide 6
Provenance-aware Systems
• Capturing provenance data
• Storing provenance data
• Querying provenance data
• Using provenance data
• Securing provenance data
[Figure labels: Access Control; Provenance Data Model]
Slide 7
Open Provenance Model (OPM)
• 3 node types
  – Artifact (ellipse): Object
  – Process (rectangle): Action
  – Agent (octagon/hexagon): User/Subject
• 5 causality dependency edge types (not a dataflow)
  – U: used (Role)
  – G: wasGeneratedBy (Role)
  – C: wasControlledBy (Role)
  – wasDerivedFrom
  – wasTriggeredBy
Slide 8
OPM Example
[Figure: OPM graph of baking a cake. Artifacts: Cake, Two Eggs, 100g Butter, 100g Flour, 100g Sugar; Process: Bake; Agent: John. Edge labels: used, wasGeneratedBy, wasControlledBy, wasDerivedFrom.]
Slide 9
Provenance Data Model
• 4 node types
  – Object (Artifact)
  – Action (Process)
  – Subject (Agent)
  – Attribute
• 5 causality dependency edge types (not a dataflow) and an attribute edge
Slide 10
Capturing Provenance Data
Captured transaction: (Subject1, Grade1, HW1, GradedHW1, ContextualInfoSet-Grade1)
(Grade1, u, HW1)
(Grade1, c, Subject1)
(GradedHW1, g, Grade1)
(Grade1, t[actingUser], Alice)
(Grade1, t[activeRole], TA)
(Grade1, t[weight], 2)
(Grade1, t[object-size], 10MB)
Slide 11
Provenance Graph
[Figure: provenance graph of the captured transaction. Nodes: Sub1, Grade1, HW1, HW1_G and the attribute nodes Alice, TA, 2, 10MB. Edges: Grade1 -c-> Sub1, Grade1 -u-> HW1, HW1_G -g-> Grade1, Grade1 -t(actUser)-> Alice, and t(…) edges from Grade1 to TA, 2 and 10MB.]
Slide 12
Storing and Querying Provenance Data
• The Resource Description Framework (RDF) provides a natural representation of triples.
• RDF-format triples can be stored in databases.
• The SPARQL Protocol and RDF Query Language is used to extract useful provenance information.
  – Starting node: any entity (not attribute nodes)
  – A matching path pattern: a combination of dependency edges
Slide 13
Provenance Graph
[Figure: the provenance graph of slide 11 (Sub1, Grade1, HW1, HW1_G; attribute nodes Alice, TA, 2, 10MB; edges u, g, c, t(actUser), t(…)).]
Slide 14
Provenance Graph
[Figure: the provenance graph of slide 11, with the path HW1_G -g-> Grade1 -c-> Sub1 matched by the query below.]
SELECT ?agent WHERE { HW1_G [g:c] ?agent }
Slide 15
Provenance Graph
[Figure: the provenance graph of slide 11, with the path HW1_G -g-> Grade1 -t(actUser)-> Alice matched by the query below.]
SELECT ?user WHERE { HW1_G [g:t[actUser]] ?user }
Slide 16
Provenance Graph
[Figure: the provenance graph of slide 11 extended with a second grading of the graded homework: HW1_G’ -g-> Grade2, Grade2 -u-> HW1_G, Grade2 -c-> Sub2.]
SELECT ?user WHERE { HW1_G’ [g:u:g:c] ?user }
{ HW1_G’ [[g:u]*:g:c] ?user }
Slide 17
PBAC Model Components
Slide 18
PBAC_C: PBAC_B + Contextual Info.
Slide 19
PBAC_C in Cloud IaaS
Slide 20
Capturing Provenance Data
Captured transaction: (Subject1, Create1, VMI1, ContextualInfoSet-Create1)
(Create1, c, Subject1)
(VMI1, g, Create1)
(Create1, t[tenant], “Development”)
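The following Python script is an added worked example, not code from the proposal or from any project it describes. It ties together the capture step of slides 10 and 20 and the path queries of slides 14 to 16: a transaction is recorded as the dependency triples (action, c, subject), (action, u, input), (output, g, action) plus one attribute edge (action, t[name], value) per contextual item; the path patterns [g:c], [g:t[actUser]], [g:u:g:c] and [[g:u]*:g:c] are then evaluated over the resulting DAG; and two PBAC policy checks are built on those queries. The class and function names, the two policies (a dynamic separation-of-duty rule in the spirit of slide 4, that a subject may not grade a homework version it already graded earlier in the version chain, and a PBAC_C rule that a VM image may only be launched from the tenant recorded on its Create action), the acting user of Grade2 and the sample records are assumptions made for this example; the slides' node names and edge labels are kept, with HW1_G' written with an ASCII apostrophe.

```python
"""Toy provenance store, path-pattern queries and PBAC policy checks.

Added example, not code from the proposal.  Node names, the edge labels
u / g / c / t[...] and the path notation [g:c], [g:t[actUser]], [[g:u]*:g:c]
follow the slides; class and function names, the two policies and the
constructed sample records are assumptions made for this example.
"""
from collections import defaultdict


class ProvenanceGraph:
    """Causality DAG stored as (src_node, edge_label) -> [dst_node]."""

    def __init__(self):
        self.edges = defaultdict(list)

    def add(self, src, label, dst):
        self.edges[(src, label)].append(dst)

    def record(self, subject, action, inputs, outputs, context):
        """Capture one transaction as the triples shown on slides 10 and 20:
        (action, c, subject), (action, u, input), (output, g, action), and
        one attribute edge (action, t[name], value) per contextual item."""
        self.add(action, "c", subject)
        for obj in inputs:
            self.add(action, "u", obj)
        for obj in outputs:
            self.add(obj, "g", action)
        for name, value in context.items():
            self.add(action, f"t[{name}]", value)

    def _follow(self, nodes, labels):
        """Follow a fixed label sequence from every node in `nodes`."""
        for label in labels:
            nodes = {d for n in nodes for d in self.edges.get((n, label), [])}
        return nodes

    def query(self, start, pattern):
        """Nodes reached from `start` along `pattern`, a list of steps that are
        either a label string or ("*", sub_pattern) for zero or more repeats."""
        frontier = {start}
        for step in pattern:
            if isinstance(step, tuple):  # Kleene star: reflexive-transitive closure
                seen, work = set(frontier), list(frontier)
                while work:
                    for m in self._follow({work.pop()}, step[1]):
                        if m not in seen:
                            seen.add(m)
                            work.append(m)
                frontier = seen
            else:
                frontier = self._follow(frontier, [step])
        return frontier


def parse_pattern(text):
    """Parse the slides' notation: "[[g:u]*:g:c]" -> [("*", ["g", "u"]), "g", "c"].
    Brackets inside a label such as t[actUser] do not split the step."""
    body = text.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError(f"pattern must be bracketed: {text!r}")
    steps, current, depth = [], "", 0
    for ch in body[1:-1] + ":":  # trailing ':' flushes the last step
        if ch == ":" and depth == 0:
            steps.append(("*", parse_pattern(current[:-1])) if current.endswith("]*") else current)
            current = ""
            continue
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        current += ch
    return steps


def graders_of(graph, hw):
    """Subjects that controlled the grading of `hw` or of any earlier version."""
    return graph.query(hw, parse_pattern("[[g:u]*:g:c]"))


def may_grade(graph, subject, hw):
    """Hypothetical dynamic separation-of-duty policy (slide 4): a subject may
    not grade a homework version whose grading history already contains it."""
    return subject not in graders_of(graph, hw)


def may_launch(graph, requester_tenant, vmi):
    """Hypothetical PBAC_C policy: a VM image may only be launched from the
    tenant recorded as contextual information on the action that created it."""
    return requester_tenant in graph.query(vmi, parse_pattern("[g:t[tenant]]"))


def build_sample_graph():
    """Constructed sample: the homework chain of slides 11-16 plus the VMI
    creation of slide 20; the acting user of Grade2 is not on the slides."""
    g = ProvenanceGraph()
    g.record("Sub1", "Grade1", ["HW1"], ["HW1_G"],
             {"actUser": "Alice", "activeRole": "TA", "weight": 2, "object-size": "10MB"})
    g.record("Sub2", "Grade2", ["HW1_G"], ["HW1_G'"], {"actUser": "Bob", "activeRole": "TA"})
    g.record("Subject1", "Create1", [], ["VMI1"], {"tenant": "Development"})
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    for start, pat in [("HW1_G", "[g:c]"), ("HW1_G", "[g:t[actUser]]"),
                       ("HW1_G'", "[g:u:g:c]"), ("HW1_G'", "[[g:u]*:g:c]")]:
        print(f"SELECT ?x WHERE {{ {start} {pat} ?x }} -> {sorted(g.query(start, parse_pattern(pat)))}")
    print("Sub1 may grade HW1_G'?", may_grade(g, "Sub1", "HW1_G'"))  # False
    print("Development may launch VMI1?", may_launch(g, "Development", "VMI1"))  # True
```

Run the file directly to print each query's result set in the slides' SELECT ... WHERE form. The star step is evaluated as a reflexive-transitive closure, so `[[g:u]*:g:c]` returns the controlling subjects of every grading in the version chain (Sub1 and Sub2), whereas the fixed-length `[g:u:g:c]` reaches only Sub1; the closure keeps a visited set, so it also terminates if a captured graph ever violates the acyclicity assumption. A real deployment would answer these queries from the RDF store with SPARQL property paths rather than from an in-memory dictionary, but the policy logic stays the same: the decision is a set-membership test over the nodes a dependency path reaches.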
Slide 21
Single- vs Multi-Cloud (IaaS)
• Most single-cloud CSPs provide a centralized service.
  – This facilitates sharing of (provenance) data.
• Multi-cloud CSPs require collaboration in order to share data.
Slide 22
Multi-cloud PBAC
[Figure: Cloud 1, Cloud 2, Cloud 3]
Slide 23
Provenance Data Sharing
Slide 24
Provenance Data Sharing
Centralized Provenance and PBAC Services
Slide 25
Single MT-Cloud PBAC Architecture
Slide 26
Provenance Service
Slide 27
PBAC Service
Slide 28
Cross-tenant PBAC
Slide 29
OpenStack Authz
Slide 30
Nova Architecture
Slide 31
Thank you!!!
• Questions and Comments?