Toward Quantified Risk-Adaptive Access Control for Multi-tenant Cloud Computing

Doudou Fall, Gregory Blanc, Takeshi Okuda, Youki Kadobayashi, and Suguru Yamaguchi

Nara Institute of Science and Technology
Takayama 8916-5, 630-0101, Ikoma, Nara, Japan
{doudou-f,gregory,okuda,youki-k,suguru}@is.naist.jp
http://iplab.naist.jp

Abstract. Cloud computing is the new trend in information science that is capable of drastically changing the way we use the Internet. Despite all its advantages, users remain reluctant to host their data in the cloud because they doubt its security, particularly the security of the multi-tenant environment. Traditional access controls have been implemented in the cloud in order to make the multi-tenant environment secure. The issue is that those access controls are static while the cloud is dynamic, which raises legitimate doubts about their ability to fulfill the security needs of the cloud. We propose to use Risk-Adaptive Access Control, a flexible real-time access control model that can naturally support the dynamism of cloud environments. We identified four security risks that we will quantify using tools available in statistical machine learning.

Keywords: cloud computing security, multi-tenancy, access control, RAdAC, Risk.

1 Introduction

The history of computer science is marked by technological revolutions that happen every decade. It started with the mainframes in the 1970s, followed by the personal computer era in the 1980s. In the 1990s, we witnessed the birth of the Web, which drove a lightning development of the Internet. In the 2000s, Web 2.0 entered the game and promoted an interactive usage of the Web. Nowadays, the revolution in computer science is cloud computing, a technology that is widely used on the Internet although the majority of users do not know exactly what it is. In the research community, a commonly agreed definition of cloud computing is given by NIST [1]. That definition states that cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five characteristics, three service models (SaaS, PaaS, and IaaS), and four deployment models (Private, Community, Public, and Hybrid clouds).

Cloud computing is a promising technology, which is why IT companies are investing billions of dollars in it. Recently Microsoft published a bulletin in which they affirm that they have lost 8.5 billion dollars in their online platform (Online Services Division), but they did not stop it because they know that in the future the benefits will cover the past loss. Google is anticipating the future by creating the Chromebook, a laptop totally dedicated to cloud computing; even its operating system is based on the Chrome web browser, showing how the cloud will influence the laptops of the future. Cloud computing is an important paradigm with the potential to significantly reduce costs through optimization and increased operating and economic efficiencies.

However, as the cloud is still in its infancy, its security issues present a strong barrier to adoption. In fact, according to many surveys [28], the first obstacle to the adoption of the cloud is security. Users worry about security and privacy because their data is no longer under their control. Worse, the fact that their data is hosted in a shared environment makes them even more doubtful. Indeed, cloud computing is multi-tenant by default, which automatically raises security issues such as confidentiality and integrity, because in a multi-tenant environment a tenant can try to access another tenant's data illegally. Many research works [1,2,10-14,19,20] have addressed cloud multi-tenant security in order to prevent unauthorized access, and researchers use traditional access controls and their variants. The problem is that those access control models are static whereas the cloud is highly dynamic, which leads to a certain degree of incompatibility.

That is why, in this paper, we propose an access control model suitable for cloud computing, i.e. flexible and real-time: RAdAC. Risk-Adaptive Access Control is a combination of Attribute-Based Access Control, Policy-Based Access Control, machine learning and heuristics. The rest of this paper is organized as follows. Section 2 is about multi-tenancy in the cloud, in section 3 we explain our motivation, section 4 contains the related work, in section 5 we give some detail about RAdAC, in section 6 we present our approach, and section 7 concludes this paper with a discussion.

2 Multi-tenancy in cloud computing

At the beginning of cloud computing, multi-tenancy was considered a feature unique to it. This is actually not the case [4]: multi-tenancy has existed since the mainframe era, when people used terminals to access the mainframe. With the rise of the personal computer it fell into oblivion, and with cloud computing it is experiencing a second birth. Multi-tenancy is implemented in the cloud to reduce the cost of delivering the same application to many different sets of users. It is considered the most direct path to spending less and getting more from a cloud application. A multi-tenant application is able to fulfill the needs of several tenants by using the hardware resources necessary to manage a single software instance. Tenants in a multi-tenant platform are separated logically, and each of them can use and modify an application related to his instance.

In most common definitions, cloud computing comprises three service models: SaaS, PaaS, and IaaS. We can therefore naturally deduce three levels of multi-tenancy: application level, middleware level, and hypervisor level. In our research we mostly focus on the first two, so in the following we explain multi-tenancy in SaaS and PaaS. Multi-tenancy in PaaS/SaaS is defined as a continuum between isolation and sharing and can be divided into three approaches, as depicted in Fig. 1.

Separate database. In this approach, each tenant has his own database where his data is stored, but he shares computation resources and application code with other tenants. The key benefits of this approach are that it is easy to meet tenants' individual needs and to restore a tenant's data from backup in case of failure. The drawback is that this approach is costly in terms of hardware and in terms of data backup.

Shared database, separate schema. Several tenants share the same database, but each of them has his own schema, which is a set of tables. This approach is easy to implement and has the same benefits as the previous approach. The disadvantage is that a tenant's data cannot be recovered in case of failure, because the backup is made at the level of the database and recovering from the backup implies overwriting all the data of all the tenants while initially only one tenant was concerned.

Shared database, shared schema. In this approach, the tenants use the same database and the same set of tables. A table can contain records from multiple tenants, identified by the tenant's ID. Among the three approaches this one is the least costly but also the least secure, and it has the same data backup problem as the second approach.

Choosing an approach involves economic and security considerations, but in each of the approaches we still have a shared environment with different degrees of multi-tenancy.


Fig. 1. Different degrees of multi-tenancy in cloud computing

3 Motivation

The multi-tenant aspect of cloud computing raises many security issues. Among them, the one that draws our attention is inadvertent or intentional access to sensitive information. It is already demonstrated by Ristenpart et al. [3] that when two tenants share the same infrastructure, one can illegally get access to the other's data. In their approach, the attacker allocates a virtual machine that runs on the same physical machine as the victim's machine. The attacker then performs a cross-VM side-channel attack to violate the confidentiality and the integrity of the victim's data.

On the other hand, the fact that users are outsourcing their data is another problem, because they feel that they have lost control of their data [5]. The administrator of the cloud service provider might abuse them by over-accessing their data. Rocha et al. [36] insist on the threats that may arise with misbehaving insiders. They elaborated and implemented four attacks that an insider may use to steal confidential data in the cloud. The first attack consists of obtaining a user's password. The attacker uses the dump-core command, which is included in the Xen management user interface, to get a memory dump of the targeted VMs. He then uses a combination of the cat and grep commands to extract the passwords. The second attack is about getting the private key of a (public/private) pair of cryptographic keys. As in the first attack, the attacker starts by dumping the memory, and from the dump file he extracts the private key by using the cold boot attack technique, which he associates with the PKCS#1 and ASN.1 objects for key recognition. In the third attack, the attacker uses the commands of Linux's Logical Volume Manager to create a snapshot of the victim's VM, to which a partition mapping is added. The attacker then performs a scan in order to find the volume group that belongs to the victim's VM. Once found, it is activated and the attacker has total control of it. In the fourth attack, the attacker uses the remote attestation technique, which is specific to the Trusted Platform Module, to mislead the user into choosing the attacker's server to host his VM. Once this step is accomplished, the attacker can easily relocate the user's VM using the Xen management user interface.

To summarize, the problem we face in our threat model is unauthorized access, which directly involves confidentiality and integrity issues. Besides the security issues, the dynamism (elasticity) of cloud computing, i.e. the possibility to quickly add or reduce capacity, plays an important role in the model that we want to propose. It allows us to challenge the suitability of the access control models that are currently used in the cloud, given that they are static.

4 Related Work

Aside from Access Control Lists (ACL), all traditional access controls have been used in the cloud, starting from Role Based Access Control and spreading to Attribute Based Access Control, Identity Based Access Control, Policy Based Access Control and their variants. In this section we will explain briefly those aforementioned access control models and give one or two example(s) of their usage in the context of cloud computing.

4.1 Traditional access control models

RBAC. Role-Based Access Control is one of the most famous access control models ever developed. The notion of role is primordial because access to a resource is determined based on it; a role can be defined as the relationship between the requester and the organization or owner of the resource. RBAC also includes three well-known security principles: information hiding, least privilege, and separation of duties. On the topic of RBAC in the cloud, W. Tsai et al. [19] propose the combination of RBAC and role ontology in order to meet the challenge of multi-tenancy security. The ontology is used to define and manage roles via tree models. It also facilitates the establishment of a hierarchy within a given domain.

ABAC. In Attribute-Based Access Control, a set of characteristics or attributes, associated with the requester or the environment, is used to make access control decisions. The Policy Decision Point (PDP) scrutinizes each attribute to determine whether to allow or deny the access. In this model the requester does not need to be known beforehand by the system or resource s/he wants to access, as long as his attributes satisfy the necessary criteria.

PBAC. Policy-Based Access Control is the most used model for designing accountable and fine-grained access control. PBAC can be defined as an evaluated version of ABAC, but more centered on enterprises with well-defined policies. PBAC uses a combination of attributes from the resource, the environment, and the requester, under the particular circumstances they are in, to allow or deny a request.

4.2 Variants

Many researchers have derived mechanisms from the above access control models, always trying to make the multi-tenant cloud secure. Kamara et al. [10] argue for designing a virtual private storage service where the data processor begins by indexing data and encrypting it with a symmetric encryption scheme under a unique key. It then encrypts the index using a searchable encryption scheme and encrypts the unique key with an attribute-based encryption scheme under an appropriate policy. Finally, it encodes the encrypted data and index in such a way that the data verifier can later verify their integrity using a proof of storage. To use the data from the cloud, the user calls a token generator to generate a token which is sent to the cloud; the requested files are then downloaded, verified locally and decrypted with a key also generated by the token generator. The data are shared when the users exchange their tokens and decryption keys. They define two cryptographic architectures, consumer and enterprise, where a credential generator is added in the latter. It is important to notice that the data are encrypted before being uploaded to the cloud.

Zhao et al. [11] propose a mechanism relying on Progressive Elliptic Curve Encryption, which allows a piece of data to be encrypted multiple times using different keys such that the final ciphertext can be decrypted in a single run with a single key. They assume that with this mechanism only the data owner can access the data, and even the cloud provider does not have a clear view of the data, implying that it cannot be shared without the owner's permission. The drawback of their proposal is that the client is in charge of key management, which exposes him to man-in-the-middle attacks.

Wang et al. [12] designed a distributed scheme that allows the user to generate a homomorphic pre-computed token that is erasure-coded and stored locally. This is used to determine the misbehaving server.

Calero et al. [13] designed a multi-tenancy authorization system suitable for middleware services in PaaS. The system is based on a model defining a 5-tuple (Issuer, Subject, Privilege, Interface, Object), which is combined with role-based access control (RBAC), hierarchical RBAC (hRBAC), path-based object hierarchies and federation, OpenID, and X.509 to make the system robust. During an authorization request, it uses all this information to determine whether the request is authorized.

We can list many problems associated with the aforementioned access control models and their variants, but the one that really interests us is the dynamic aspect of cloud computing. The dynamism, elasticity or flexibility is the capability to quickly add or reduce capacity in a cloud environment. The access control models used in the cloud until now are static and thus incompatible with the cloud. That is why we propose in this paper the use of Risk-Adaptive Access Control, which is a real-time, flexible access control.

5 Risk-Adaptive Access Control

Information sharing has always been a subject of controversy, which is why it drew the attention of security experts very early. Many security mechanisms have been developed for the purpose of information sharing, starting from the basic ACL (Access Control Lists) to MAC (Mandatory Access Control) and DAC (Discretionary Access Control). Nowadays, however, we are facing new challenges as the shared infrastructure has become dynamic, and the aforementioned ACs are not flexible enough to meet these new challenges [8][9]. It becomes urgent to find AC mechanisms flexible enough to handle security in dynamic platforms; the JASON report [35] defines the foundations of the next generation of ACs, which must revolve around three guiding principles:

– Measure risk: "if you can measure it, you can manage it". In other words, knowing the risk associated with an event allows one to better handle it,
– Establish an acceptable risk level,
– Make sure that the information is tailored to the level of the acceptable risk.

Following these guidelines, an AC that can deal with the reality of today's information sharing environment has been proposed. RAdAC (Risk-Adaptive Access Control) is a real-time, adaptable, risk-aware access control built by a combination of Attribute-Based Access Control, Policy-Based Access Control, machine learning, and heuristics. Six factors are indispensable to make RAdAC decisions:

Operational need: this factor is one of the factors that RAdAC borrowed from traditional ACs. It involves the notion of "need to know", which means that a requester should have a relation with the object he is requesting.

Security risk: the cornerstone of RAdAC. This factor requires the use of machine learning for a real-time probabilistic determination of the risk associated with a request.

Situational factors: sometimes AC decisions are made depending on the actual situation; it can happen that the "Operational need" outweighs the "Security risk".

Access Control Policy: as in any normal AC, policies need to be enforced. Here the policies should respect the mechanisms of RAdAC by, among others, setting the acceptable level of risk and defining the conditions under which the operational need can outweigh the security risk.

Heuristics: the goal here is to use past access control decisions to make future decisions. The utilization of past decisions helps to better determine security risk and operational need and increases the number of positive access control decisions.

As depicted in Fig. 2, the RAdAC decision tree comprises seven steps:

– step 1: This step consists of determining the security risk associated with the access request.
– step 2: Once the security risk is quantified, it is compared with the access control policy in charge of identifying the acceptable level of risk of the object that is accessed.
– step 3: This step occurs when the security risk was deemed acceptable. The system now decides whether or not it should check the operational need of the user before granting him access to the object. If yes, step 5 is solicited; otherwise the access is granted.
– step 4: This step occurs when the security risk was deemed unacceptable. In that case, the system checks the operational need of the requestor in order to determine whether it can outweigh the security risk. If the result is positive, step 5 is solicited; otherwise the access is denied.
– step 5: At this step, the user's operational need is scrutinized in order to discover how he obtained it and whether it is sufficient to access the object.
– step 6: At this step, the system determines whether the operational need of the requestor meets all the requirements defined in the policy. If the result is positive the access is granted; otherwise it is denied.
– step 7: All the steps that the system went through to make the decision are stored and will be used to make future decisions for the same user.


Fig. 2. RAdAC functioning

6 Initial approach

As stated in the previous sections, the best way to protect customers' data from unauthorized access is to use access controls. A lot of work has been done on ACs for cloud computing using Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), Policy-Based Access Control (PBAC) and their derivatives. The issue is that the mechanisms of the aforementioned access controls are static while the cloud is highly dynamic, so de facto we can argue that there is an incompatibility between traditional access controls and the cloud. We propose the use of Risk-Adaptive Access Control (RAdAC) to overcome this problem. The difference between RAdAC and traditional ACs is RAdAC's flexibility and adaptability, i.e. it can handle any situation at hand.

Below we demonstrate a simple scenario to show how traditional access control models fail in a dynamic environment. Suppose we have two users A and B who are hosting their data in a cloud managed by an administrator C. A traditional access control model is implemented in the system and is defined so that user A can only access his own data. The same holds for user B; the admin can access both users' data. Below is a template of access control for the users and for the admin:

    If (requester_privileges = user_privileges_X)
        Access allowed to space X
    Else
        Access denied

    If (requester_privileges = admin_privileges)
        Access allowed
    Else
        Access denied

We make the assumption that B illegally gains admin privileges. When he tries to access A's data, the access control will allow him the access simply because the requester has admin privileges. In the case of RAdAC, by contrast, the system would discover the failure, because when an access is requested the system computes the risk associated with the request by first checking the past access control decisions. In that case it will notice that in the past this user had no admin privileges and now he has. Something might have gone wrong, so the system will look at the operational need of the user in order to have more details on how he suddenly became an admin user.

Research works [31][32] that have been conducted on RAdAC focus on the risk quantification part, which makes it the most important part. A risk is defined as the likelihood associated with an unwanted outcome, some negative event. Wang et al. [32] quantified the risk associated with a doctor over-accessing patients' data; they ran the experiments in a real situation in collaboration with the staff of a hospital and obtained good results. So in our research we will focus on the risk quantification first, before attacking the other parts of RAdAC. We identified four risks (Fig. 3) that we will have to compute:

– The risk a tenant accesses illegally other tenants' data,
– The risk a tenant discloses his own data by inadvertence,
– The risk an administrator accesses tenants' data for his benefits,
– The risk an administrator discloses tenants' data by inadvertence.

Our system must be able to quantify the risks mentioned above. We can represent this by using a 3-tuple (Subject, Privilege, Object). Subject represents a tenant or an application running on his behalf, Privilege is the set of rights a user has on his objects, and Object is a piece of information. To compute the risk that a tenant accesses another tenant's data, we calculate the likelihood that a Subject S_i with the Privilege P_i accesses the Object O_j. The process is the same for the risk of an administrator who attempts to get access to a tenant's data. The risk score associated with the risk that a tenant releases his data by inadvertence is determined by computing the likelihood related to the event: "a Subject S_k unintentionally makes its Object O_k accessible to any other tenants". It is almost the same process for the risk that an administrator discloses tenants' data by inadvertence. The computed likelihood is associated with the event: "an administrator unintentionally makes the Object O_x of the Subject S_x accessible to everyone".

To quantify those risks, we will be using statistical machine learning techniques. There exist some applications of machine learning in the cloud for performance and provisioning. To our knowledge, this research will be the first attempt at using RAdAC in the cloud. Many works have been done on quantifying security risk, but we do not know yet whether those methods will have the same results in the cloud.

Fig. 3. Quantifiable risks in our approach
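
The scenario of this section (tenant B presenting illegally obtained admin privileges) run through both the static template and the seven-step RAdAC flow of Section 5, as an added Python example that is not part of the original paper. The risk score is a constructed placeholder, not a formula from the paper (which leaves quantification to future work); the class and field names, the 0-100 scale, the threshold of 50, the "incident-ticket" need and the seeded history are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    subject: str                            # S: tenant or administrator
    privilege: str                          # P: "user:<space>" or "admin", as presented
    obj_owner: str                          # O: tenant space holding the object
    operational_need: Optional[str] = None  # justification (assumed representation)


def static_check(req: Request) -> bool:
    """Static template from the text: only the presented privilege counts."""
    return req.privilege == "admin" or req.privilege == f"user:{req.obj_owner}"


@dataclass(frozen=True)
class Policy:
    acceptable_risk: int = 50                  # step 2 threshold (assumed value)
    verify_need_when_acceptable: bool = False  # step 3 choice
    need_may_outweigh_risk: bool = True        # step 4 choice
    accepted_needs: frozenset = frozenset({"incident-ticket"})  # step 6 (assumed)


class RAdAC:
    def __init__(self, policy, history=()):
        self.policy = policy
        # Step 7 store: (subject, privilege, obj_owner, granted)
        self.history = list(history)

    def security_risk(self, req: Request) -> int:
        """Step 1 placeholder: a heuristic score built from past decisions."""
        # Only granted decisions count as established behaviour; otherwise a
        # denied admin attempt would make the next attempt look normal.
        past = [h for h in self.history if h[0] == req.subject and h[3]]
        risk = 10
        if req.privilege == "admin" and past and all(h[1] != "admin" for h in past):
            risk += 60   # subject has a history, but never as an administrator
        if req.privilege != "admin" and req.privilege != f"user:{req.obj_owner}":
            risk += 80   # tenant reaching into another tenant's space
        return min(risk, 100)

    def decide(self, req: Request):
        risk = self.security_risk(req)                      # step 1
        acceptable = risk <= self.policy.acceptable_risk    # step 2
        if acceptable:                                      # step 3
            check_need = self.policy.verify_need_when_acceptable
        else:                                               # step 4
            check_need = (self.policy.need_may_outweigh_risk
                          and req.operational_need is not None)
        if check_need:
            # Steps 5-6: the stated need must satisfy the policy requirements.
            granted = req.operational_need in self.policy.accepted_needs
        else:
            granted = acceptable
        # Step 7: record the decision for future requests by the same subject.
        self.history.append((req.subject, req.privilege, req.obj_owner, granted))
        return granted, risk


# Constructed past decisions: A and B use their own spaces, C is the
# administrator, D is a tenant who is later promoted (hypothetical).
SEED = [("A", "user:A", "A", True), ("B", "user:B", "B", True),
        ("C", "admin", "A", True), ("D", "user:D", "D", True)]


def demo():
    pdp = RAdAC(Policy(), SEED)
    stolen = Request("B", "admin", "A")   # B presents admin privileges
    return {
        "static_stolen_admin": static_check(stolen),
        "radac_stolen_admin": pdp.decide(stolen),
        "radac_retry": pdp.decide(stolen),
        "radac_real_admin": pdp.decide(Request("C", "admin", "A")),
        "radac_cross_tenant": pdp.decide(Request("B", "user:B", "A")),
        "radac_need_outweighs": pdp.decide(
            Request("D", "admin", "A", "incident-ticket")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A subject with no recorded history is not flagged by this placeholder score, so the history store has to be populated before the heuristic carries any weight.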

7 Conclusion and discussion

In this position paper we explained the different degrees of multi-tenancy in the cloud and showed some security issues related to multi-tenancy. We stated that the access control models used in the cloud until now are not really suitable for it, because the cloud is dynamic and those access controls are static. We proposed to employ RAdAC to develop an access control model much more appropriate to cloud computing. Our next step will be to find adequate formulas to quantify the aforementioned risks. As in previous works on RAdAC [31][32], we will first use machine learning to see whether it is appropriate for the dimension brought by a multi-tenant cloud environment. We also expect to use the Common Vulnerability Scoring System (CVSS) [33] in order to compare which one will give the more accurate formulas.

Aside from the problem of risk quantification, we face some other problems, many of them technical, such as how we will apply the policies for the heuristics. In the academic world, XACML [34] seems to be the only one flexible enough and mature enough to address those technical issues. If we manage to quantify the risks and overcome the technical part, the model we propose will help to make the cloud more trustworthy. However, it should not be considered perfect and without drawbacks. In our case, we made the assumption that all the tenants and administrators are legitimate. In a real environment, an administrator can be the victim of identity theft. In that case the hacker can use the admin privileges to make harmful modifications that will be approved by the access control model we propose. The same applies to the case where a tenant is a victim of identity theft. In our future work we will see how to improve our model to face those kinds of attacks.

References

1. P. Mell and T. Grance. The NIST definition of cloud computing. http://www.nist.gov/itl/cloud/upload/cloud-def-v15.pdf
2. M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica, and M. Zaharia. A view of cloud computing. In Communications of the ACM (CACM), Volume 53, Issue 4, April 2010.
3. T. Ristenpart, E. Tromer, H. Shacham, and S. Savage. Hey, you, get off of my cloud: Exploring information leakage in third-party compute clouds. In CCS'09, November 9-13, 2009, Chicago, Illinois, USA.
4. Y. Chen, V. Paxson, and R. H. Katz. What's new about cloud computing. Technical report. www.eecs.berkeley.edu/Pubs/TechRpts/2010/EECS-2010-5.html
5. R. Chow, P. Golle, M. Jakobsson, E. Shi, J. Staddon, R. Masuoka, and J. Molina. Controlling data in the cloud: Outsourcing computation without outsourcing control. In Proc. ACM Cloud Computing Security Workshop (CCSW), ACM Press, 2009, pp. 85-90.
6. F. Chong, G. Carraro, and R. Wolter. Multi-tenant data architecture. Microsoft Corporation, June 2006. http://msdn.microsoft.com/en-us/library/aa479086.aspx
7. F. Chong, G. Carraro, and R. Wolter. Architecture strategies for catching the long tail. Microsoft Corporation, April 2006. http://msdn.microsoft.com/en-us/library/aa479069.aspx
8. R. W. McGraw. Risk-Adaptable Access Control (RAdAC). NIST workshop 09.
9. Working draft: A Survey of Access Control Models. NIST workshop 09.
10. S. Kamara and K. Lauter. Cryptographic cloud storage. In Proceedings of the 14th International Conference on Financial Cryptography and Data Security, FC'10, pages 136-149, Berlin, Heidelberg, 2010. Springer-Verlag.
11. G. Zhao, C. Rong, J. Li, F. Zhang, and Y. Tang. Trusted data sharing over untrusted cloud storage provider. In Cloud Computing Technology and Science (CloudCom), 2010 IEEE Second International Conference on, 30 2010.
12. C. Wang, Q. Wang, K. Ren, and W. Lou. Ensuring data storage security in cloud computing. In Quality of Service, 2009. IWQoS. 17th International Workshop on, pages 1-9, 2009.
13. J. Calero, N. Edwards, J. Kirschnick, L. Wilcock, and M. Wray. Toward a multitenancy authorization system for cloud services. Security & Privacy, IEEE, 8(6):48-55, 2010.
14. C. Wang, Q. Wang, and K. Ren. Ensuring Data Storage Security in Cloud Computing. In Quality of Service, IWQoS 17th International Workshop on, pages 1-9, 2009.
15. H. Takabi, J. B. D. Joshi, and G-J. Ahn. Security and privacy challenges in cloud environments. In Security & Privacy, IEEE, pages 24-31, 2010.
16. A. Azeez, A. Perera, D. Gamage, R. Linton, P. Siriwardana, D. Leelaratne, S. Weerawarana, and P. Fremantle. Multi-tenant SOA middleware for cloud computing. In Cloud Computing (CLOUD), 2010 IEEE 3rd International Conference on, pages 458-465.
17. F. Maggi and S. Zanero. Rethinking security in a cloudy world. Technical report, Dipartimento di Elettronica e Informazione, Politecnico di Milano.
18. L. M. Vaquero, L. R. Merino, and D. Moran. Locking the sky: a survey on IaaS cloud security. In Journal Computing - Cloud Computing, Volume 91, Issue 1, January 2011. Springer-Verlag.
19. W-T. Tsai and Q. Shao. Role-Based Access-Control Using Reference Ontology in Clouds. In Tenth International Symposium on Autonomous Decentralized Systems, 2011.
20. G. Wang, Q. Liu, and J. Wu. Hierarchical Attribute-Based Encryption for Fine-Grained Access Control in Cloud Storage Services. In CCS '10: Proceedings of the 17th ACM Conference on Computer and Communications Security.
21. M. Morsy, J. Grundy, and I. Muller. An Analysis of The Cloud Computing Security Problem. In Proceedings of APSEC 2010 Cloud Workshop, Sydney, Australia, 30th Nov 2010.
22. Cloud Security Alliance guidance. https://cloudsecurityalliance.org/csaguide.pdf
23. ENISA Cloud Computing Risk Assessment. http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
24. The Force.com Multitenant Architecture. http://www.salesforce.com/au/assets/pdf/Force.com_Multitenancy_WP_101508.pdf
25. Amazon Web Services: Overview of Security Processes. http://awsmedia.s3.amazonaws.com/pdf/AWS_Security_Whitepaper.pdf
26. W. Jansen and T. Grance. Guidelines on Security and Privacy in Public Cloud Computing. http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf
27. D. Hubbard, L. J. Hughes Jr., and M. Sutton. Top threats to cloud computing V1.0. Cloud Security Alliance, 2010. https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
28. M. Zhou, R. Zhang, W. Xie, W. Qiang, and A. Zhou. Security and Privacy in Cloud Computing: A survey. 2010 Sixth International Conference on Semantics, Knowledge and Grids.
29. T. Takahashi, Y. Kadobayashi, and H. Fujiwara. Ontological approach toward cybersecurity in cloud computing. SIN '10: Proceedings of the 3rd International Conference on Security of Information and Networks.
30. S. Pearson and A. Benameur. Privacy, security and trust issues arising from cloud computing. 2nd IEEE International Conference on Cloud Computing Technology and Science.
31. P. C. Cheng, P. Rohatgi, and C. Keser. Fuzzy MLS: An experiment on quantified Risk-Adaptive Access Control. 2007 IEEE Symposium on Security and Privacy.
32. Q. Wang and H. Jin. Quantified Risk-Adaptive Access Control for patient privacy protection in health information systems. ASIACCS'11, March 22-24, 2011, Hong Kong, China.
33. P. Mell, K. Scarfone, and S. Romanosky. A Complete Guide to the Common Vulnerability Scoring System Version 2.0. http://www.first.org/cvss/cvss-guide.html
34. eXtensible Access Control Markup Language (XACML) Version 3.0. http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-cs-01-en.pdf
35. JASON Program Office. Horizontal Integration: Broader Access Models for Realizing Information Dominance. The MITRE Corporation, 2004. http://www.fas.org/irp/agency/dod/jason/classpol.pdf
36. F. Rocha and M. Correia. Lucy in the sky without diamonds: stealing confidential data in the cloud. In Proceedings of the First International Workshop on Dependability of Clouds, Data Centers and Virtual Computing Environments (DCDV, with DSN'11), Hong Kong, June 2011.
