1. Introduction
Recent years have witnessed a growing number of special-purpose communities in which different organizations (or tenants) with common interests and needs interact and share pools of configurable resources governed by a cloud service provider. Community clouds have many advantages. They enable organizations that are technologically different and geographically separated to collaborate seamlessly. However, they can be difficult to manage, especially when the tenants have differing access policies. The diversity of the entities' policies may pose serious obstacles to establishing a safe collaboration within the cloud. An important requirement for achieving this goal is that each entity, tenant as well as cloud service provider, abides by the security, compliance and risk management requirements of the others. Thus, to allow the entities to interact safely, their access policies must necessarily be compared and composed.
In this paper, using community clouds as an illustrative example, we address the policy composition problem in a broader scenario in which different entities are interested in composing their independently stated policies while retaining their autonomy, i.e., maintaining control over their resources. A non-trivial challenge generally faced in this context is the occurrence of conflicts. Two access policies may apply to the same objects and, when those objects are requested, yield contradictory evaluation results. Access control systems governed by such policies cannot deterministically decide whether to grant or deny access to the requested objects. Consequently, they may even allow certain users to access resources they are not authorized for, or deny access to legitimate ones. Thus, to enable access policies in individual systems to evaluate users' requests unambiguously, many conflict resolution strategies have been proposed (Reeder, Bauer, Cranor, Reiter, & Vaniea, 2009; Cuppens, Cuppens-Boulahia, & Ghorbel, 2007; Dong, Russello, & Dulay, 2008; Jajodia, Samarati, Sapino, & Subramanian, 2001; Moffett & Sloman, 1993; XACML, 2005).
However, in situations where several autonomous entities want to integrate their independent access policies, these strategies are limited. Conflicts that occur in this scenario are difficult to eliminate because of the diversity of the entities' policies and, more importantly, because of the conflict resolution strategies that they use. Currently, no effective technique exists for resolving these conflicts while the policies are being integrated (Mohan & Blough, 2010). An intuitive approach would be to pick the conflict resolution strategy of a random entity and adopt it as the conflict resolution technique for all the policies. Unfortunately, because each entity enforces the strategy it finds most suitable to its needs, such an approach would in many cases prove inconclusive. A typical example is two entities: A, which applies the Deny-overrides (XACML, 2005) scheme to restrict access to its resources, and B, which uses the Permit-overrides (XACML, 2005) method to ensure the availability of its data. In this case, if the strategy that B uses is applied, then resources of A may be accessed by unauthorized users. Conversely, if we opt for the strategy of A, then access to resources of B may be severely restricted.
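The A/B example above, worked through as an added illustration (not code from the paper). It is a simplified model of the XACML Deny-overrides and Permit-overrides combining algorithms that ignores Indeterminate results; the rules, roles and resource type are constructed for the example.

```python
from dataclasses import dataclass

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass(frozen=True)
class Rule:
    author: str   # entity that stated the rule (A or B, as in the text)
    role: str     # subject role the rule matches (constructed)
    rtype: str    # resource type the rule matches (constructed)
    effect: str   # PERMIT or DENY

def deny_overrides(decisions):
    """A's strategy: any Deny wins, else any Permit, else NotApplicable."""
    if DENY in decisions:
        return DENY
    return PERMIT if PERMIT in decisions else NOT_APPLICABLE

def permit_overrides(decisions):
    """B's strategy: any Permit wins, else any Deny, else NotApplicable."""
    if PERMIT in decisions:
        return PERMIT
    return DENY if DENY in decisions else NOT_APPLICABLE

# Constructed composed policy: A restricts contractors, B keeps data available.
RULES = [
    Rule("A", "contractor", "records", DENY),
    Rule("B", "contractor", "records", PERMIT),
    Rule("A", "employee", "records", PERMIT),
]

def applicable(role, rtype):
    """Effects of every rule in the composed policy that matches the request."""
    return [r.effect for r in RULES if r.role == role and r.rtype == rtype]

def evaluate(role, rtype, combine):
    return combine(applicable(role, rtype))

def is_conflict(role, rtype):
    """True when matching rules disagree, so the result depends on whose
    resolution strategy is adopted for the composed policy."""
    return len(set(applicable(role, rtype))) > 1

if __name__ == "__main__":
    req = ("contractor", "records")
    # B's strategy applied globally: A's records become readable (Permit).
    print("Permit-overrides:", evaluate(*req, permit_overrides))
    # A's strategy applied globally: B's records become unavailable (Deny).
    print("Deny-overrides:  ", evaluate(*req, deny_overrides))
    print("Conflict:", is_conflict(*req))
```

The same request yields Permit under B's strategy and Deny under A's, which is the ambiguity a composed policy has to resolve; requests where `is_conflict` is false evaluate identically under both.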