
Peer Reviewed Online International Journal Volume 1, Issue 1, May 2014 149

Secured Approach towards Role-Based Access Control on Cloud Computing

Shruthi S
Dept of Computer Science and Engineering
YD Institute of Technology
Bangalore, India
shruthis145@gmail.com

Alopama Vishnupriya
Dept of Computer Science and Engineering
YD Institute of Technology
Bangalore, India
alopamavishnupriya29@gmail.com

Ravikumara V
Dept of Computer Science and Engineering
YD Institute of Technology
Bangalore, India
ravikumaravrv2@gmail.com

Sadiya Parveen
Dept of Computer Science and Engineering
YD Institute of Technology
Bangalore, India
sadiyaparveen17@gmail.com



Abstract

Cloud computing is an emerging technology that is receiving significant attention from both the research community and industry. The cloud environment is a large, open distributed system, and cloud security is an important issue because of the growing scale of users. It is important to preserve the data as well as the privacy of users. Access control methods ensure that only authorized users access the data and the system. A series of security concepts therefore need to be revisited, among them Role-Based Access Control (RBAC), proposed at the National Institute of Standards and Technology (NIST), which promises to become a more prominent security model. The aim of this article is to describe access control and the RBAC model, to discuss its drawbacks, and to identify proposed research work to reduce security risk.

Keywords

Security, Access Control, DAC, MAC and RBAC.

Introduction

The term cloud is used by analogy with the Internet: it comes from the cloud symbol that was used in the past to represent telephone networks and later to depict the Internet in network diagrams.
Cloud computing is Internet-based computing in which shared virtual servers provide software, infrastructure, platforms, devices and other resources and hosting to customers on a pay-as-you-use basis. Everything a digitized system has to offer is provided as a service in the cloud computing model. Users can access these services over the Internet without any previous know-how in managing the resources involved. Thus users can concentrate on their core business processes rather than spending time and gaining knowledge on the resources needed to run them. Fig 1 shows applications of cloud computing.
Earlier, during development, applications and data storage were created on local servers. If the local server or local system crashed, the entire system, the applications and the related data failed with it. This had become a serious problem all over the world.
To overcome this problem, the concept of cloud computing was put into practice. But with the growing scale of users many security-related problems arise, and security issues have become a central interest of researchers. Security models such as Mandatory Access Control (MAC) and Discretionary Access Control (DAC) have been the means by which information was secured and access was regulated. Because of the inflexibility of these models, the newer concept of Role-Based Access Control (RBAC) was proposed at the National Institute of Standards and Technology (NIST) and promises to become a more prominent security model. Yet, with the increasing scale of users, providing adequate security has become a bottleneck [1].
International Journal of Innovatory Research in Science and Management IJIRSM www.ijirusa.webs.com


Fig 1. Cloud Computing Applications

The term cloud computing probably comes, at least in part, from the use of a cloud image to represent the Internet or some large networked environment. We do not care much what is in the cloud or what goes on there, except that we depend on reliably sending data to it and receiving data from it. Cloud computing is now associated with a higher-level abstraction of the cloud: instead of data pipes, routers and servers, there are now services. The underlying networking hardware and software are of course still there, but higher-level service capabilities are now available for building applications. Behind the services are data and compute resources. A user of a service does not necessarily care how it is implemented, what technologies are used or how it is managed, only that it is accessible and has the level of reliability the application requires. Cloud computing really is accessing the resources and services needed to perform functions whose needs change dynamically. An application or service developer requests access from the cloud rather than from a specific endpoint or named resource. What goes on in the cloud manages multiple infrastructures across multiple organizations and consists of one or more frameworks overlaid on top of the infrastructures, tying them together. Frameworks provide mechanisms for:

1. self-healing
2. self-monitoring
3. resource registration and discovery
4. service level agreement definitions

This paper describes access control and the Role-Based Access Control (RBAC) model together with its drawbacks, and concludes by describing proposed research work to reduce security risk.

Literature Survey

A literature survey is an important step in the software development process. Before developing a tool it is necessary to determine the time factor, the economics and the strength of the organization. Once these are settled, the next step is to determine which operating system and language to use for developing the tool. Once programmers start building the tool they need a lot of external support, which can be obtained from senior programmers, from books or from websites. These considerations were taken into account before building the proposed system. Depending on the nature of its customers, a cloud can be deployed as a

Private Cloud
Community Cloud
Public Cloud
Hybrid Cloud
Cloud computing is essentially a centralized (from the user's perspective) computing facility built on a large-scale service model. It has been argued, especially in academia, that cloud computing is nothing new compared with its predecessors such as autonomic computing, the client-server model, grid/cluster computing, mainframe computers, utility computing, service-oriented computing, Web 2.0, platform virtualization, Service Oriented Architecture (SOA) and peer-to-peer networks, although resources can be provided on a much larger scale than in those earlier systems [3].

Cloud computing has been promoted rapidly by industry during the past five years. Aside from the huge marketing effort, the cloud has been criticized for its unknown privacy and security protection. There could also be benefits from a security perspective, since most customers using the cloud may not have the expertise to safeguard their information assets with traditional IT approaches, and using cloud services could mitigate this problem.

On the other side, the companies hosting cloud services in general have full control over the services they provide. They could control and monitor data essentially as they choose. There are also other security issues such as access control, data protection and management of cloud resources. The research community has noted that confidentiality and auditability are among the top 10 obstacles to the growth of cloud computing [16].

Security risks in cloud computing environments involve the traditional paradigms of information security such as confidentiality, integrity and availability, but these take on contextual characteristics in the cloud. For example, for most service models the security is largely the responsibility of the cloud provider. It is then essential to identify the risk issues faced by virtualized systems. These issues include the following [3]:

1. Complexity of configuration: Because networks and systems are used in more complex ways, the likelihood of improper configuration increases, and consumers may not become aware of such a misconfiguration until a security incident happens.

2. Privilege escalation: An attacker may take advantage of the different levels of access control among virtual machines (VMs) and escalate privileges through the hypervisor, the virtual machine monitor that implements hardware virtualization and mediates all hardware access [3].

3. Inactive virtual machines: Data stored in inactive virtual machines may contain sensitive information and can be accessed by unauthorized users if the stored images are not protected.

4. Segregation of duties: Since a VM provides access to different components through different mechanisms, properly identifying access roles and segregating their duties can be difficult.

5. Poor access controls: A hypervisor is basically a single point of access. It carries the risk of exposing trusted network resources through poorly defined access control systems.

In addition to these issues, there are risks related to data encryption, the use of traditional network security protocols, browser security, middleware security and denial-of-service attacks, among others [4]. Policy and management issues appear to be more evident and play a bigger role in cloud security; they include disaster recovery and business continuity, regulatory compliance, and secure design and test processes.

The concept of RBAC has been used in multi-user computer systems and multi-application online systems since the late 1960s and early 1970s. However, RBAC emerged rapidly in the 1990s as a promising technology for managing and enforcing security in large-scale enterprise-wide systems, largely because traditional Mandatory Access Control (MAC) and Discretionary Access Control (DAC), used in many computer systems and networks, had seen little enhancement. RBAC is thus an alternative to traditional MAC and DAC policies that is attracting increasing attention, particularly for commercial applications [2].

RBAC [4] is a family of reference models in which permissions are associated with roles, and users are assigned to appropriate roles. This greatly simplifies the management of permissions. Roles are created for the various job functions in an organization, and users are assigned to roles based on their responsibilities and qualifications. Users can easily be reassigned from one role to another. Roles can be granted new permissions as new applications and systems are incorporated, and permissions can be revoked from roles when necessary. A role hierarchy defines roles that have unique attributes and may contain other roles; that is, one role may implicitly include the operations, constraints and objects associated with another role. Role hierarchies are a natural way of organizing roles to reflect authority, responsibility and competency [3].

Constraints are an important aspect of RBAC and can apply to any of the preceding components: users, roles, permissions or sessions. A common example is mutually disjoint roles: the same user is not permitted to be a member of both the purchasing manager role and the accounts payable manager role, because holding both would create an opportunity for fraud.

Administrative RBAC (ARBAC) involves control over components such as roles, users and permissions: creation and deletion of roles, creation and deletion of permissions, assignment of permissions to roles and their removal, creation and deletion of users, assignment of users to roles and their removal, and the definition and maintenance of the role hierarchy and of constraints. All of these are in turn governed by administrative roles and permissions. It has three components or sub-models:

user-role assignment (URA97)
permission-role assignment (PRA97)
role-role assignment (RRA97)

The Imaging Science and Information Systems (ISIS) center, the Department of Radiology, the Clinical Economics Research Unit (CERU) and the Division of Nephrology in the Department of Medicine at Georgetown University Medical Center, Washington DC, have joined together to implement a kidney dialysis system project named Phoenix [9]. The objectives of this project are to provide telemedicine services for kidney dialysis patients, including creating, managing, transferring and using electronic health data to provide decision support and information services for caregivers.

System Architecture

RBAC models are more flexible than their discretionary and mandatory counterparts because a user can be assigned several roles and a role can be associated with several users. The goal is to create an architecture that provides the users of the system with access control through which they access the system's content, while the administrator of the system grants that access to the users of the facility. On this basis an RBAC system has been implemented. Our objective is to create an advanced RBAC that enhances the security of the entire application and also reduces the burden on the system administrator. Fig 2 shows the basic block design for the new advanced RBAC: after the RBAC architecture is designed, roles are created and restrictions are applied to them. These restrictions are on the number of users per role and the number of transactions per user, and a backup feature is added.






Fig 2. Block Design of RBAC



This system can be divided into three levels:
1) Admin 2) User 3) Hacker

Admin: In an organization the admin creates the architecture for the system, generates the roles for all users according to their privileges, and restricts the number of users per role. The admin also creates users role-wise, with restrictions on the number of transactions per user per day or per hour. This raises the security level.

User: A new user creates a new account, but because of the restriction on the number of users per role only a limited number of users can create accounts, which reduces the room for malicious accounts. Existing users can log in and get access only if they are valid users.

Hacker: Malicious users are kept out of the system because the number of users is restricted to a set limit. If in any case an invalid user or hacker does gain access to the system and tries to fetch data, the restrictions of the new RBAC architecture mean that only a limited number of transactions can be performed, so the loss is kept to a minimum.
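As an added example (not the authors' implementation, whose code the paper does not give), the following Python sketch enforces the two restrictions described above, a cap on the number of users per role and a per-user transaction quota per time window, and walks through the Hacker scenario: an account that has been taken over can complete only its quota of transactions before further requests are refused. Role names, limits and the timestamps are constructed for illustration. One caveat: Sandhu et al. [5] already list cardinality constraints among the RBAC2 constraints, so the per-role user cap is implemented here as one such constraint rather than as something outside the model.

```python
"""Added example: the two restrictions of the advanced RBAC design above,
a cap on users per role and a per-user transaction quota per time window.
Role names, limits and clock values are constructed for illustration."""
from collections import defaultdict, deque


class AdvancedRBAC:
    def __init__(self):
        self.max_users = {}                  # role -> cap on members (cardinality constraint)
        self.members = defaultdict(set)      # role -> users holding it
        self.quota = {}                      # role -> (max transactions, window in seconds)
        self.user_roles = defaultdict(set)   # user -> roles
        self.history = defaultdict(deque)    # user -> timestamps of accepted transactions

    def define_role(self, role, max_users, max_tx, window_s):
        """Admin level: create a role carrying both restrictions."""
        self.max_users[role] = max_users
        self.quota[role] = (max_tx, window_s)

    def register(self, user, role):
        """User level: account creation is refused once the role is full."""
        if role not in self.max_users:
            raise KeyError(f"unknown role {role}")
        if user not in self.members[role] and len(self.members[role]) >= self.max_users[role]:
            return False
        self.members[role].add(user)
        self.user_roles[user].add(role)
        return True

    def _allowance(self, user):
        """The most permissive (count, window) quota among the user's roles."""
        limits = [self.quota[r] for r in self.user_roles[user]]
        return max(limits) if limits else (0, 0)

    def transact(self, user, now):
        """Accept a transaction at time `now` (seconds) if the user's sliding
        window still has room, otherwise refuse it. Returns True or False."""
        if user not in self.user_roles:
            return False                        # not a registered user
        max_tx, window = self._allowance(user)
        log = self.history[user]
        while log and now - log[0] >= window:   # drop events that left the window
            log.popleft()
        if len(log) >= max_tx:
            return False
        log.append(now)
        return True


def demo():
    """Hacker level: a stolen account can drain only max_tx records per window."""
    rbac = AdvancedRBAC()
    rbac.define_role("clerk", max_users=2, max_tx=3, window_s=3600)
    # the third registration is refused by the per-role cap
    joined = [rbac.register(u, "clerk") for u in ("ann", "ben", "eve")]
    # eve takes over ann's account and tries to pull ten records within one hour
    stolen = [rbac.transact("ann", now=t) for t in range(10)]
    # once the window has passed, legitimate use by ann resumes
    later = rbac.transact("ann", now=3600)
    return joined, stolen, later
```

The quota is evaluated on a sliding window kept per user, so the count cannot be reset by waiting until the top of the hour; when a user holds several roles the most permissive quota applies, which is the choice that keeps the design simple but should be made explicit in a real deployment.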


Methodology

Because of the need for better security, the National Institute of Standards and Technology (NIST) began a project titled simply the RBAC Project. Role-Based Access Control is an architecture that provides the authority to restrict a user who is not allowed to access particular content. It is effective in many ways: the architecture protects data from unauthorized access, and the admin panel has all the rights to restrict users' access to data and to edit users' access rights.

An RBAC system has two phases in assigning a privilege to a user. In the first phase, a user is assigned to one or more roles (and a role can have many users); here a role represents a specific job function within the organization with responsibilities associated with it. In the second phase, the roles are checked against the requested operation [1]. In RBAC, permissions are assigned to roles rather than to users; a permission is an approval of a particular mode of access or operation on one or more objects in the system [5].

The family of RBAC models, as shown in figure 4 and defined in [5], is as follows: RBAC0 is the base model with the minimum requirements; RBAC1 and RBAC2 each include RBAC0 and add their own independent features, RBAC1 the concept of role hierarchies and RBAC2 constraints; and RBAC3 includes both RBAC1 and RBAC2 and, by transitivity, RBAC0.

A. Users: Users are both employees and network mechanisms and entities that require access to a specific resource object.

B. Permission: A permission is an approval of a particular mode of access or operation on one or more objects in the system.

C. Role hierarchy (RH): A role hierarchy is a natural way of organizing roles to reflect the organization's lines of authority and responsibility. By convention, junior roles appear at the bottom of hierarchy diagrams and senior roles at the top, and the hierarchy is a partial order (reflexive, transitive and antisymmetric) in which a senior role inherits the permissions of its junior roles [5].

D. User assignment (UA): A many-to-many relation between users and roles: a user can be a member of many roles, and a role can have many users.

E. Permission assignment (PA): Also a many-to-many relation, between roles and permissions: a role can have many permissions, and the same permission can be assigned to many roles.

F. Session: A session is a mapping of one user to possibly many roles. Each session is associated with a single user, and the permissions available to the user are the union of the permissions of all roles activated in that session.

G. Constraints: Constraints are predicates which, applied to these relations and functions, return a value of acceptable or not acceptable. For example, in most organizations the same individual is not permitted to be a member of two conflicting roles, so a constraint is used to prevent the possibility of fraud. RBAC supports three well-known security principles: least privilege, separation of duty (static and dynamic) and data abstraction. Least privilege is also known as least authority; in RBAC it is the assignment of the minimum set of privileges to the user, through the role, according to the user's job requirements. Separation of duty is required for a particular set of transactions where no single individual is allowed to execute all transactions within the set.
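To make the components A to G concrete, here is a small Python model of RBAC3 (role hierarchy plus constraints) as an added example; it is not code from the paper or from NIST, and the patient-records roles, permissions and user names are constructed for illustration. It also serves the description of role hierarchies and mutually disjoint roles in the literature survey: a senior role inherits the permissions of its juniors through the reflexive-transitive closure of RH, a session's permissions are the union over its activated roles, static separation of duty is checked at user assignment, and dynamic separation of duty at session activation.

```python
"""Minimal RBAC3 model (RBAC0 + role hierarchy + static/dynamic SoD).
Added illustration, not code from the paper or from NIST; the roles,
permissions and user names in build_demo() are constructed."""


class RBAC:
    def __init__(self):
        self.UA = {}        # user -> set of assigned roles (many-to-many)
        self.PA = {}        # role -> set of (operation, object) permissions
        self.RH = {}        # senior role -> set of directly junior roles
        self.SSD = set()    # role pairs no user may be assigned together
        self.DSD = set()    # role pairs no session may activate together
        self.sessions = {}  # session id -> (user, set of activated roles)

    def add_role(self, role, juniors=()):
        unknown = set(juniors) - set(self.PA)
        if unknown:
            raise ValueError(f"unknown junior roles {unknown}")
        self.PA.setdefault(role, set())
        self.RH[role] = set(juniors)

    def grant(self, role, operation, obj):
        self.PA[role].add((operation, obj))

    def closure(self, roles):
        """Reflexive-transitive closure of RH: every role in `roles` plus all
        roles junior to them; this is what a senior role inherits."""
        seen, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.RH.get(r, ()))
        return seen

    def _conflict(self, pairs, roles):
        held = self.closure(roles)           # conflicts also apply to inherited roles
        return any(a in held and b in held for a, b in pairs)

    def assign(self, user, role):
        """User assignment (UA) under the static separation-of-duty constraint."""
        held = self.UA.setdefault(user, set())
        if self._conflict(self.SSD, held | {role}):
            raise PermissionError(f"SSD: {user} may not hold {role} together with {held}")
        held.add(role)

    def open_session(self, sid, user, roles):
        """Activate a subset of the user's roles, under dynamic separation of duty."""
        roles = set(roles)
        if not roles <= self.UA.get(user, set()):
            raise PermissionError(f"{user} is not assigned all of {roles}")
        if self._conflict(self.DSD, roles):
            raise PermissionError(f"DSD: {roles} may not be active in one session")
        self.sessions[sid] = (user, roles)

    def session_permissions(self, sid):
        """Union of the permissions of every activated role and its juniors."""
        _, active = self.sessions[sid]
        return set().union(*(self.PA[r] for r in self.closure(active)))

    def check(self, sid, operation, obj):
        return (operation, obj) in self.session_permissions(sid)


def build_demo():
    """Constructed sample policy for a small patient-records system."""
    p = RBAC()
    p.add_role("employee")
    p.add_role("nurse", juniors=["employee"])
    p.add_role("physician", juniors=["nurse"])     # physician is senior to nurse
    p.add_role("billing", juniors=["employee"])
    p.add_role("auditor", juniors=["employee"])
    p.grant("employee", "read", "directory")
    p.grant("nurse", "read", "chart")
    p.grant("physician", "write", "prescription")
    p.grant("billing", "write", "invoice")
    p.grant("auditor", "read", "invoice")
    p.SSD.add(("billing", "auditor"))    # never both issue and audit invoices
    p.DSD.add(("physician", "billing"))  # may hold both, but not activate both at once
    p.assign("alice", "physician")
    p.assign("alice", "billing")
    p.assign("bob", "nurse")
    return p
```

Both separation-of-duty checks are evaluated on the hierarchy-closed role set, so a senior role cannot smuggle in a conflicting junior role; least privilege follows from activating only the roles a session needs, since a permission of a held but inactive role (alice's billing role in a physician-only session) is not available.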

Conclusion

Role-Based Access Control is a model that provides an architecture in which the system administrator has the privilege to assign, revoke and edit users' roles. RBAC is offered as an alternative to traditional Discretionary Access Control (DAC) and Mandatory Access Control (MAC) policies and provides an improved security mechanism, but with all its benefits it has some limitations: there is no constraint on the role/user relationship to set a maximum or minimum number of users per role, and there is no constraint on the number of transactions per user. We hold that addressing these limitations will restrict unauthorized access, which in turn will increase the scalability and efficiency of the system.

References

1. W.-T. Tsai and Q. Shao, Role-Based Access-Control Using Reference Ontology in Clouds, in Proc. Tenth International Symposium on Autonomous Decentralized Systems (ISADS), 2011, pp. 121-128.
2. A. Gouglidis, Towards New Access Control Models for Cloud Computing Systems, in Proc. Kaspersky IT Security for the Next Generation European Cup, 2011.
3. D. F. Ferraiolo and D. R. Kuhn, Role-Based Access Controls, in Proc. 15th National Computer Security Conference, 1992, pp. 554-563.
4. M. P. Gallaher, A. C. O'Connor and B. Kropp, The Economic Impact of Role-Based Access Control, National Institute of Standards and Technology, Gaithersburg, RTI Project No. 07007.012, March 2002.
5. R. S. Sandhu, E. J. Coyne, H. L. Feinstein and C. E. Youman, Role-Based Access Control Models, IEEE Computer, vol. 29, no. 2, pp. 38-47, Feb. 1996.
6. R. Chandramouli and R. Sandhu, Role-Based Access Control Features in Commercial Database Management Systems, in Proc. 21st National Information Systems Security Conference, Crystal City, Virginia, Oct. 1998.
7. D. Xu, Cloud Computing: An Emerging Technology, in Proc. International Conference on Computer Design and Applications, Qinhuangdao, June 2010.
8. D. R. Kuhn, Mutual Exclusion of Roles as a Means of Implementing Separation of Duty in Role-Based Access Control Systems, in Proc. Symposium on Access Control Models and Technologies, ACM, New York, USA, 1997, pp. 23-30.
9. R. Sandhu, D. Ferraiolo and R. Kuhn, The NIST Model for Role-Based Access Control: Towards a Unified Standard, in Proc. Symposium on Access Control Models and Technologies, ACM, New York, USA, 2000, pp. 47-63.
