Application access security control based on cloud data

Source: Internet
Author: User

One of the roles of a cloud computing infrastructure is to provide a reliable and secure data storage center, so storage security is one of the security topics in the cloud computing field. Storage security in cloud storage applications includes encrypted data storage, security policy management, security logging, and auditing. Security logs and audits provide the audit information needed both by the monitoring system and by the active user. The security control of data access is especially important: the data access control mechanism must be designed as a tradeoff between providing security and making it convenient for users to share data.

Amazon's S3, EMC Atmos Online, and others all provide cloud storage services that control access to data through access control lists (ACLs): data can only be accessed by authorized users or applications, but the sharing of data is limited by the maximum number of ACL entries. An access control strategy based on attribute-based encryption has been proposed by Hassan Takabi. In order to provide users with real-time, offline, friendly, secure and convenient cloud computing services, the data access control mechanism of this paper is proposed with reference to the data security access mechanism of Danny Harnik et al.

1. Scheme design

Two types of authorized application access to user data are applied: application access to a specific directory under the user's space, and application access to a non-specific directory or file.

1.1 Application access to a specific directory

In this mode the application accesses a specific directory that is set aside for that application's access, and the lifecycle of this directory access is the period from when the user chooses to use the application until the user cancels the application. This authorization access mechanism is mainly used by applications that act while the user is not online.

Figure 1 Application access to a specific directory: process

When the user chooses to use this application, a corresponding application directory exists in the user's space; it can be newly created, or the application's public directory can be used. This directory is equivalent to the user's authorization of the application, so the application can easily access the directory.

(1) When the user subscribes to the application, the correspondence between the application and the directory it may access is saved in security/policy management, that is, in the access control list (ACL).

(2) After the user initiates a use request in the application, the user can either exit the application or go offline.

(3) The application requests the directory access information from the security/policy management system. The security/policy management system encrypts the access information and other attributes with AES-256 symmetric encryption, signs some of these attributes with the HMAC-SHA1 algorithm, and returns the result to the application once encryption is complete.

(4) The application initiates the access request to the storage data system, passing the encrypted attribute information and the signature. The storage data system computes the HMAC-SHA1 signature over the attribute information itself, compares it with the signature passed in, and checks whether the request meets the requirements.

(5) After the verification succeeds, the application can manipulate the object data.

1.2 Application access to a non-specific directory or file

In this mode the application accesses any file or directory under the user's storage space, and the lifecycle of the file or directory access is very short: from the user's authorization to the initiation of the data request is a few minutes or tens of seconds. This authorization access mechanism is mainly used when an application is used while the user is online. It does not require the application to have permission in the ACL; when the user temporarily needs to have an application process a file, a temporary authorization is applied for, and only a log of the initiated access authorization is saved.

Figure 2 Application access to a non-specific directory or file: flow

(1) The user initiates the processing of a file with an application, and the user's access information is sent to the security management system.

(2) The security management system encrypts the received access information with AES-256 symmetric encryption, signs some of these attributes with the HMAC-SHA1 algorithm, and returns the result to the client once encryption is complete. The security management system records log information for this authorization.

(3) The client sends the encrypted access information, signature, and so on to the application, either by redirecting or by invoking the application's interface again.

(4) The application sends the access information, the signature, and so on to the cloud storage data system. The system computes the HMAC-SHA1 signature over the attribute information itself, compares it with the signature passed in, and checks whether the request meets the requirements.

(5) The application can manipulate the data after the verification succeeds.
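The token exchange in sections 1.1 and 1.2 shares one mechanism: the security/policy management system encrypts access attributes with AES-256 and signs them with HMAC-SHA1, and the storage system recomputes and compares the signature before acting. The following Go program is an added example written for this page, not code from the paper or any of the products it names. The grant structure, the key values, the paths and the decision to compute the HMAC over the ciphertext (encrypt-then-MAC, so tampered data is rejected before it is ever decrypted) are all assumptions of this example; the paper does not say which attributes are signed. A standing directory grant with no expiry models section 1.1, and a short-lived grant on a single file models section 1.2.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"path"
	"strings"
	"time"
)

// Keys shared by security/policy management and the storage system.
// Constructed for this example only; real keys come from a key store.
var encKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
var macKey = []byte("example-hmac-key-for-illustration")

// Grant is the access attribute set that the policy system issues (hypothetical layout).
type Grant struct {
	User    string `json:"user"`
	App     string `json:"app"`
	Path    string `json:"path"`    // directory (scheme 1.1) or single file (scheme 1.2)
	Expires int64  `json:"expires"` // unix seconds; 0 means a standing directory grant
}

// Token is what the application carries to the storage system: AES-256-CTR
// ciphertext (IV prepended) plus an HMAC-SHA1 over that ciphertext.
type Token struct {
	Ciphertext []byte
	Signature  []byte
}

func sign(blob []byte) []byte {
	m := hmac.New(sha1.New, macKey)
	m.Write(blob)
	return m.Sum(nil)
}

// Issue is the security/policy management side: encrypt the attributes, then sign.
func Issue(g Grant) (Token, error) {
	plain, err := json.Marshal(g)
	if err != nil {
		return Token{}, err
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return Token{}, err
	}
	blob := make([]byte, aes.BlockSize+len(plain))
	if _, err := io.ReadFull(rand.Reader, blob[:aes.BlockSize]); err != nil {
		return Token{}, err
	}
	cipher.NewCTR(block, blob[:aes.BlockSize]).XORKeyStream(blob[aes.BlockSize:], plain)
	return Token{Ciphertext: blob, Signature: sign(blob)}, nil
}

// Verify is the storage system side: recompute the HMAC in constant time, and only
// then decrypt and check app identity, expiry, and that the requested object lies
// inside the granted path (path.Clean defeats ".." segments in the request).
func Verify(t Token, app, requested string, now time.Time) (Grant, error) {
	if !hmac.Equal(sign(t.Ciphertext), t.Signature) {
		return Grant{}, errors.New("signature mismatch")
	}
	if len(t.Ciphertext) < aes.BlockSize {
		return Grant{}, errors.New("token too short")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return Grant{}, err
	}
	plain := make([]byte, len(t.Ciphertext)-aes.BlockSize)
	cipher.NewCTR(block, t.Ciphertext[:aes.BlockSize]).XORKeyStream(plain, t.Ciphertext[aes.BlockSize:])
	var g Grant
	if err := json.Unmarshal(plain, &g); err != nil {
		return Grant{}, err
	}
	if g.App != app {
		return Grant{}, errors.New("token issued to a different application")
	}
	if g.Expires != 0 && now.Unix() > g.Expires {
		return Grant{}, errors.New("temporary authorization expired")
	}
	clean := path.Clean(requested)
	if clean != g.Path && !strings.HasPrefix(clean, g.Path+"/") {
		return Grant{}, errors.New("object outside the granted path")
	}
	return g, nil
}

func main() {
	// Scheme 1.1: standing grant on the application's directory, no expiry.
	dirTok, _ := Issue(Grant{User: "alice", App: "photo-app", Path: "/users/alice/apps/photo-app"})
	_, err := Verify(dirTok, "photo-app", "/users/alice/apps/photo-app/../../docs/secret.txt", time.Now())
	fmt.Println("traversal attempt:", err)

	// Scheme 1.2: grant on one file that is valid for sixty seconds.
	now := time.Now()
	fileTok, _ := Issue(Grant{User: "alice", App: "editor", Path: "/users/alice/docs/report.txt", Expires: now.Add(60 * time.Second).Unix()})
	_, err = Verify(fileTok, "editor", "/users/alice/docs/report.txt", now.Add(2*time.Minute))
	fmt.Println("late use:", err)
}
```

Two points a reviewer of the paper's step (4) would want made explicit are built in here: the comparison of signatures uses `hmac.Equal` rather than a byte-by-byte loop, so timing does not leak how many signature bytes matched, and the storage system never decrypts or parses attributes whose HMAC failed. The expiry field is what gives section 1.2 its "few minutes or tens of seconds" lifecycle; the paper only says a log of the authorization is kept, so the example leaves the logging hook to the caller.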

2. Conclusion and outlook

The data access control mechanism presented in this paper lets users process data in their storage space in real time, quickly and conveniently, while security is guaranteed. Many problems in data access security control remain and can be studied in future work, in order to ensure data security while making it easy for other applications to use the data.
