Cloud computing - Esecurity
CP5603-Advanced E-Security
Exploring Contemporary Approaches to Authentication and Authorization Models in
Cloud Computing Systems: A Comprehensive Review of Current Research
Abstract
Cloud computing has become a paradigm-shifting force in the information technology industry
because of its scalable and adaptable solutions for a wide range of applications. As the
capabilities and services of cloud computing grow, controlling access to these services becomes
more complex, which increases the risk of security breaches. This is largely because the open,
dynamic, heterogeneous, and distributed nature of the cloud environment introduces new
requirements and constraints. The studies currently available do not offer a thorough analysis of
these requirements and of the mechanisms that satisfy them, even though recognising these
requirements is crucial for developing and assessing access control models. This study reviews
the published literature on the methods and requirements for cloud access control, with a focus
on authorization and authentication models for cloud computing infrastructures. The review
identifies the security requirements for cloud access control and the access control mechanisms
that mitigate the issues found. The solutions reviewed here will help researchers, scholars, and
practitioners evaluate the efficacy of cloud access control models and pinpoint areas that need
attention. The review also surveys the existing cloud access control methods that are employed
to fulfil these requirements.
Keywords: cloud computing; multitenancy model; attribute-based encryption model; role-based
access control; access control requirements; access control models.
1. Introduction
Cloud computing is a well-known paradigm that offers affordable, on-demand services such as
Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service
(SaaS) [1]. Notwithstanding these benefits, there are still several issues with the cloud
computing paradigm, such as misuse of cloud services, cyberattacks, and data security and
privacy. Cloud computing is the leveraging and pooling of computing resources to minimise
costs and maximise compute efficiency.

Cloud computing is a game changer for business because, in the past, hosting applications and
data at an enterprise level meant renting or building data centre space to house millions of
dollars' worth of hardware and software assets that had to be bought up front. Now there are
affordable and powerful on-demand options in the form of cloud computing platforms, which
provide the ability to use remote systems on demand over the open internet, to pay only for the
resources that are actually used, and to scale up and scale back as needed.

Cloud computing might seem new, but it is really an evolution of two earlier technologies:
time-sharing and distributed computing. Time-sharing allows users to share the computing
resources of large systems. Distributed computing decentralises computing resources and shares
the workload among many computers across a network, which could be in the same room or in a
completely different location.

Cloud computing has the following characteristics. It is on-demand and self-service: resources
are used when needed and can be launched from an admin portal or a script. It has ubiquitous
network access, so it can be reached over the internet. It uses resource pooling, so computing,
storage, and other infrastructure are consumed and then released for others to use. It features
rapid elasticity, so capacity can be scaled up or down quickly. And it is pay-per-use, which
means the customer does not pay for a data centre full of unneeded, under-utilised computing
power. Cloud is offered in five deployment models: private cloud, public cloud, community
cloud, multi-cloud, and hybrid cloud. Finally, there are three main delivery models: Software as
a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).

Ultimately, the biggest advantage of cloud computing is that it allows an organisation to pay
only for the resources it needs, when it needs them. There is no need to purchase hardware and
software well ahead of demand; the cloud allows demand to be handled elastically, scaling
resources up and down according to need. These developments are establishing cloud computing
as common practice in technology: it has become pervasive in IT and is another tool in the shed.
They are also leading to the emergence of new cloud capabilities such as machine learning and
big data analytics [2], and to the mass migration of applications and data to cloud-based
platforms, so many projects will be based on that goal. The promise that cloud computing
delivers is flexibility: it can dynamically scale up or down to meet an organisation's computing
hardware, software, and cost demands.
2. Security challenges of cloud computing [3]
Only a few papers [4-6] have established security requirements specifically in the context of
cloud computing; the majority of research concentrates on the general requirements of access
control models. Those specifications, moreover, have been established from the standpoint of a
particular cloud model, implementation, or kind of service offered.
The developer of a cloud access control model must take various security criteria and
viewpoints into account to create a more secure and efficient cloud authentication and
authorisation method [5]. The published articles address the requirements as follows.
Privacy: The user's privacy in the cloud should be preserved such that the user's location and
identity cannot be tracked as the user moves around the cloud [5]. Furthermore, cloud
cryptography-based solutions are used to protect data without any knowledge of the user's
identity or attributes [6]; in such schemes the identities and attributes of cloud users are
unknown to the system at the time of the request. Controlling access to cloud services while
maintaining user privacy is therefore essential [7].
Resource Heterogeneity: The number of diverse resources from different disciplines grows as
the cloud gets bigger. A heterogeneous cloud environment is produced when service providers
supply many kinds of resources, including infrastructure, applications, APIs, and interfaces [6].
The number of threats grows accordingly. Moreover, in an open environment like the cloud,
some resources and objects are not known in advance, so security management becomes harder.
Access control should therefore support access to numerous resources of any kind [1].
User Heterogeneity: The characteristics of cloud users vary. They can access cloud services
from anywhere at any time [7], and within the organisations that consume cloud services their
roles may change regularly. Controlling such users across numerous protected resources is
therefore challenging, and an access control system needs to handle their authentication and
authorisation with ease [8].
Tenants Should Have Full Control over Their Users: Often, cloud architecture prevents
businesses using cloud services from defining their own access control policies to manage user
access to protected assets [9]. In OpenStack, for example, only the service provider's
administrator can assign roles and add users to tenants, whereas in AWS tenants control their
own users. Moreover, the service provider often has no mechanism to facilitate the enforcement
of tenant policies [10]. The anticipated cloud access control architecture therefore ought to let
the tenant manage its users, support the tenant's policy requirements, and enforce them
appropriately [9].
Broad Network Access: Cloud services can be accessed by diverse client devices (e.g.,
laptops, tablets, mobile phones, and workstations) via a variety of networks and conventional
protocols [11]. This exposes network access to attack: denial of service (DoS) attacks, for
instance, can be used against cloud systems to prevent authorised users from reaching their
resources. Access control therefore needs to cover network access as well [10].
Measured Service: Cloud systems employ a metering capability appropriate to the type of
service (e.g., processing, storage, bandwidth, active user accounts) to automatically control
and optimise resource consumption [11]. Resource usage is monitored, controlled, and reported,
providing transparency for both the service provider and the customer. Cloud users should be
able to examine their metering data but not edit it; otherwise a user could alter the record of
their own resource consumption and avoid paying for cloud services [11]. Access control should
therefore take the protection of metering data into account.
Data Sharing: Sharing information between multiple organisations is not an easy process,
since a cloud system must then comply with the security criteria of each organisation involved
[12]. Building trust is crucial to facilitate data sharing, and concepts such as federated
identity, trust, and access control attributes need to be taken into consideration [4,8,10].
Customers remain responsible for the security of their data in the cloud and for who has access
to it, regardless of the service model they choose [11,12]. Data should therefore never be under
the control of the cloud service provider and should always remain in the hands of the cloud
user (log data being an exception, although the impact of such data on privacy and security
should also be taken into account). A cloud service provider should not have access to a
customer's data, even though it may end up being its custodian [12]. If administrative access is
not properly constrained, cloud administrators may be able to view customer data. In that case,
the customer should be notified right away, and the service provider should record the access
and mark the customer data as having been accessed (depending on the provider's access
entitlements to the data) [11].
Auditing: Protecting cloud computing and the access control mechanisms that go with it
requires auditing. Within an access control system, the audit function is in charge of
monitoring the current status of the system, recording every access decision, whether access is
granted or refused, and reporting any attempts to alter privileges or bypass the access policy.
It must also monitor and document the capabilities allotted to subjects and any modifications
(such as renaming, copying, and deleting) made to objects [13].
3. Access control models in cloud computing
This section reviews access control models employed in the cloud computing paradigm in
relation to the requirements of the cloud computing environment. Table 1 summarises the
mechanisms discussed.

Table 1. Access control mechanisms used in cloud systems

| Mechanism | Description |
|---|---|
| Discretionary access control (DAC) | Access decisions are based on the identity of the requester and on authorisation rules set by the resource owner; each user is identified by a distinct identity. |
| Mandatory access control (MAC) | Access policy decisions are made by a central authority, not by the owner of the resource. |
| Role-based access control (RBAC) | Access decisions are based on the roles and responsibilities of the users attempting to access protected services or resources. |
| Multi-tenant access control (MTAC) | The decision to grant access is based on the characteristics of the tenants, networks, storage, and other cloud resources. |
Mandatory Access Control (MAC): In MAC, access decisions are made by a central authority
rather than by the resource owner, unlike DAC. It therefore provides a high level of security but
a low level of flexibility, since subjects cannot change the permissions on the objects they use
and users do not have absolute privacy [14]. It is therefore used in government and military
systems.
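The difference between DAC and MAC described above, shown as an added example written for this review rather than taken from any of the cited papers. It assumes a constructed scenario with two users (alice, cleared SECRET, and bob, cleared PUBLIC), a hypothetical "security-officer" acting as the central labelling authority, and a Bell-LaPadula style lattice (no read up, no write down); none of these names come from the original text.

```python
from enum import IntEnum


class Level(IntEnum):
    """Security levels ordered by sensitivity (a simple linear lattice)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


class DacStore:
    """DAC: whoever owns an object decides who else may use it."""

    def __init__(self):
        self.objects = {}  # name -> {"owner": user, "acl": {user: {actions}}}

    def create(self, owner: str, name: str) -> None:
        self.objects[name] = {"owner": owner, "acl": {owner: {"read", "write"}}}

    def grant(self, actor: str, name: str, user: str, action: str) -> bool:
        """Only the owner may extend the ACL; nothing stops an owner over-sharing."""
        obj = self.objects[name]
        if actor != obj["owner"]:
            return False
        obj["acl"].setdefault(user, set()).add(action)
        return True

    def check(self, user: str, name: str, action: str) -> bool:
        return action in self.objects[name]["acl"].get(user, set())


class MacStore:
    """MAC in the Bell-LaPadula style: a central authority labels objects and clears
    subjects; owners cannot relax labels. Reads require clearance >= label
    ("no read up"); writes require clearance <= label ("no write down")."""

    def __init__(self, authority: str, clearances: dict):
        self.authority = authority
        self.clearances = clearances  # user -> Level, assigned by the authority
        self.labels = {}              # object name -> Level

    def label(self, actor: str, name: str, level: Level) -> bool:
        if actor != self.authority:
            return False              # an owner cannot (re)classify an object
        self.labels[name] = level
        return True

    def check(self, user: str, name: str, action: str) -> bool:
        clearance = self.clearances.get(user, Level.PUBLIC)
        level = self.labels[name]
        if action == "read":
            return clearance >= level
        if action == "write":
            return clearance <= level
        return False


def compare() -> dict:
    """Constructed scenario (not from a real system): alice (SECRET) owns 'plan.txt';
    bob is cleared PUBLIC. The same requests are put to a DAC and a MAC store."""
    dac = DacStore()
    dac.create("alice", "plan.txt")
    mac = MacStore("security-officer", {"alice": Level.SECRET, "bob": Level.PUBLIC})
    mac.label("security-officer", "plan.txt", Level.SECRET)
    mac.label("security-officer", "notice.txt", Level.PUBLIC)
    return {
        # DAC: the owner can hand a low-trust user access to a sensitive file
        "dac_owner_grants_bob": dac.grant("alice", "plan.txt", "bob", "read"),
        "dac_bob_reads_plan": dac.check("bob", "plan.txt", "read"),
        # MAC: the same read is refused, and alice cannot downgrade the label herself
        "mac_bob_reads_plan": mac.check("bob", "plan.txt", "read"),
        "mac_alice_relabels": mac.label("alice", "plan.txt", Level.PUBLIC),
        # MAC also stops alice copying secret content into a public file (no write down)
        "mac_alice_writes_notice": mac.check("alice", "notice.txt", "write"),
        # ...while a blind write upward is permitted by the lattice
        "mac_bob_writes_plan": mac.check("bob", "plan.txt", "write"),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name}: {result}")
```

The two stores answer the same requests differently: under DAC the owner's grant is final, which is the flexibility (and the leakage risk) the text refers to; under MAC the label set by the authority wins regardless of what the owner wants.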
Role-Based Access Control (RBAC): The main goal of RBAC, as outlined by [12], is to address
the complexity of security administration in large organisations by substituting roles for the
subjects in the ACL paradigm and assigning each subject to one or more roles. Access decisions
are thus based on the roles and responsibilities of the users attempting to access protected
resources or services. RBAC takes advantage of security assurance concepts such as separation
of duties (both static and dynamic) and least privilege.
Multi-Tenant Access Control (MTAC): Multi-tenancy is a cloud architecture used with SaaS,
PaaS, and IaaS. Multi-tenant access control is essential when multiple tenants in a cloud share
the same resources. Tenants' privacy and security remain unaffected as long as their isolation is
enforced by the hardware or software as required [14].
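The RBAC and MTAC mechanisms above, together with three of the requirements from Section 2 (tenants controlling their own users and policies, read-only metering data, and auditing of every decision and privilege change), can be combined in a single policy decision point. The following is an added example written for this review, not code from any cited paper or cloud platform. The tenant names (acme, globex), users, roles, and the hash-chained audit log are constructed for illustration; a real deployment would also timestamp entries and ship them off-host.

```python
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class Tenant:
    """A tenant's own policy: the tenant, not the provider, defines its roles,
    its separation-of-duties constraints, and which of its users hold which roles."""
    name: str
    roles: dict = field(default_factory=dict)          # role -> {(resource_type, action)}
    exclusive_roles: set = field(default_factory=set)  # {frozenset({role_a, role_b}), ...}
    assignments: dict = field(default_factory=dict)    # user -> {role, ...}


class AuditLog:
    """Append-only, hash-chained audit trail. Each entry carries the hash of the
    previous entry, so editing or deleting a record is detectable by verify()."""

    def __init__(self):
        self.entries = []
        self._last_hash = "0" * 64

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, **event) -> dict:
        entry = dict(event, seq=len(self.entries), prev=self._last_hash)
        entry["hash"] = self._digest(entry)
        self._last_hash = entry["hash"]
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = "0" * 64
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class CloudAccessControl:
    """Provider-side policy decision point that enforces each tenant's own policy."""

    def __init__(self, audit: AuditLog):
        self.tenants = {}
        self.audit = audit

    def register_tenant(self, tenant: Tenant) -> None:
        self.tenants[tenant.name] = tenant

    def assign_role(self, tenant_name: str, user: str, role: str) -> bool:
        """Tenant-administered role assignment with static separation of duties:
        a user may never hold two roles the tenant declared mutually exclusive."""
        tenant = self.tenants[tenant_name]
        held = tenant.assignments.setdefault(user, set())
        refused = role not in tenant.roles or any(
            frozenset({role, r}) in tenant.exclusive_roles for r in held)
        if not refused:
            held.add(role)
        # privilege changes are logged whether or not they succeed
        self.audit.record(event="assign_role", tenant=tenant_name, user=user,
                          role=role, granted=not refused)
        return not refused

    def check(self, tenant_name: str, user: str, resource_tenant: str,
              resource_type: str, action: str) -> bool:
        """Decide one access request; every decision, grant or deny, is audited."""
        tenant = self.tenants.get(tenant_name)
        if tenant is None or resource_tenant != tenant_name:
            allowed = False  # multi-tenant isolation: never reach another tenant's resources
        else:
            allowed = any((resource_type, action) in tenant.roles[r]
                          for r in tenant.assignments.get(user, ()))
        self.audit.record(event="access", tenant=tenant_name, user=user,
                          resource=f"{resource_tenant}:{resource_type}",
                          action=action, granted=allowed)
        return allowed


def build_demo():
    """Constructed sample tenant (not from any real deployment)."""
    audit = AuditLog()
    pdp = CloudAccessControl(audit)
    acme = Tenant(
        name="acme",
        roles={  # metering data is readable by every role but writable by none
            "developer": {("vm", "start"), ("vm", "stop"), ("metering", "read")},
            "billing-requester": {("invoice", "request"), ("metering", "read")},
            "billing-approver": {("invoice", "approve"), ("metering", "read")},
        },
        exclusive_roles={frozenset({"billing-requester", "billing-approver"})},
    )
    pdp.register_tenant(acme)
    pdp.register_tenant(Tenant(name="globex"))
    return pdp, audit


if __name__ == "__main__":
    pdp, audit = build_demo()
    print(pdp.assign_role("acme", "alice", "developer"))            # True
    print(pdp.assign_role("acme", "bob", "billing-requester"))      # True
    print(pdp.assign_role("acme", "bob", "billing-approver"))       # False: SoD conflict
    print(pdp.check("acme", "alice", "acme", "vm", "start"))        # True
    print(pdp.check("acme", "alice", "acme", "metering", "write"))  # False: metering read-only
    print(pdp.check("acme", "alice", "globex", "vm", "start"))      # False: cross-tenant
    print(audit.verify())                                           # True
    audit.entries[2]["granted"] = True                              # insider edits a denial
    print(audit.verify())                                           # False
```

Three points are worth noting. The provider only stores and enforces the policy; every role, constraint, and assignment is authored by the tenant, which is what the "full control over their users" requirement asks for. Least privilege and static separation of duties are expressed in the tenant's data rather than in code, so adding a role or a new exclusive pair needs no change to the decision point. And the audit log records the refused assignment and the refused cross-tenant read alongside the grants, so an attempt to rewrite a denial afterwards is caught by the chain check.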
References
[1] Dhanalakshmi, B.K.; Srikantaiah, K.C.; Venugopal, K.R. Carry Forward and Access Control
for Unused Resources in Multi Sharing System of Hybrid Cloud. Future Gener. Comput. Syst.
2020, 110, 282–290.
[2] Suresha, K.; Vijayakarthick, P.; Dhanasekaran, S.; Murugan, B.S. Threshold Secret Sharing
and Multi-Authority Based Data Access Control in Cloud Computing. Mater. Today Proc. 2021,
in press.
[3] Bigelow, S.J. What Is Cloud Security Management? Guide and Best Practices. TechTarget
Security, 24 October 2023. https://www.techtarget.com/searchsecurity/feature/Guide-to-cloud-security-management-and-best-practices
[4] Liang, W.; Xie, S.; Cai, J.; Wang, C.; Hong, Y.; Kui, X. Novel Private Data Access Control
Scheme Suitable for Mobile Edge Computing. China Commun. 2021, 18, 92–103.
[5] Wang, H.; He, D.; Han, J. VOD-ADAC: Anonymous Distributed Fine-Grained Access
Control Protocol with Verifiable Outsourced Decryption in Public Cloud. IEEE Trans. Serv.
Comput. 2020, 13, 572–583.
[6] Zhang, Y.; Deng, R.H.; Xu, S.; Sun, J.; Li, Q.; Zheng, D. Attribute-Based Encryption for
Cloud Computing Access Control: A Survey. ACM Comput. Surv. 2020, 53, 1–41.
[7] Ahuja, R.; Mohanty, S.K. A Scalable Attribute-Based Access Control Scheme with Flexible
Delegation Cum Sharing of Access Privileges for Cloud Storage. IEEE Trans. Cloud Comput.
2020, 8, 32–44.
[8] Charanya, R.; Aramudhan, M. Survey on Access Control Issues in Cloud Computing. In
Proceedings of the 2016 International Conference on Emerging Trends in Engineering,
Technology and Science (ICETETS), Pudukkottai, India, 24–26 February 2016.
[9] Sun, P.J. Security and Privacy Protection in Cloud Computing: Discussions and Challenges.
J. Netw. Comput. Appl. 2020, 160, 102642.
[10] Huang, L.; Xiong, Z.; Wang, G. A Trust-Role Access Control Model Facing Cloud
Computing. In Proceedings of the 2016 35th Chinese Control Conference (CCC), Chengdu,
China, 27–29 July 2016; IEEE Computer Society; pp. 5239–5242.
[11] Hu, V.C.; Iorga, M.; Bao, W.; Li, A.; Li, Q.; Gouglidis, A. General Access Control
Guidance for Cloud Systems; NIST Special Publication: Gaithersburg, MD, USA, 2020.
[12] Deng, H.; Qin, Z.; Wu, Q.; Guan, Z.; Deng, R.H.; Wang, Y.; Zhou, Y. Identity-Based
Encryption Transformation for Flexible Sharing of Encrypted Data in Public Cloud. IEEE Trans.
Inf. Forensics Secur. 2020, 15, 3168–3180.
[13] Rizwan Ghori, M.; Ali Ahmed, A. Review of Access Control Mechanisms in Cloud
Computing. In Journal of Physics: Conference Series; Institute of Physics Publishing: Johor,
Malaysia, 2018; Volume 1049.
[14] Qi, S.; Zheng, Y. Crypt-DAC: Cryptographically Enforced Dynamic Access Control in the
Cloud. IEEE Trans. Dependable Secur. Comput. 2021, 18, 765–779.