Title :
E-GRANT: Enforcing Encrypted Dynamic Security Constraints in the Cloud
Author :
Muhammad Rizwan Asghar;Giovanni Russello;Bruno Crispo
Author_Institution :
Dept. of Comput. Sci., Univ. of Auckland, Auckland, New Zealand
Abstract :
Cloud computing is an established paradigm that attracts enterprises for offsetting the cost to more competitive outsource data centres. Considering economic benefits offered by this paradigm, organisations could outsource data storage and computational services. However, data in the cloud environment is within easy reach of service providers. One of the strong obstacles in widespread adoption of the cloud is to preserve confidentiality of the data. Generally, confidentiality of the data could be guaranteed by employing existing encryption schemes. For regulating access to the data, organisations require access control mechanisms. Unfortunately, access policies in clear text might leak information about the data they aim to protect. The major research challenge is to enforce dynamic access policies at runtime, i.e., enforcement of dynamic security constraints (including dynamic separation of duties and Chinese wall) in the cloud. The main challenge lies in the fact that dynamic security constraints require a notion of sessions for managing access histories that might leak information about the sensitive data if they are available as clear text in the cloud. In this paper, we present E-GRANT: an architecture able to enforce dynamic security constraints without relying on a trusted infrastructure, which can be deployed as Software-as-a-Service (SaaS). In E-GRANT, sessions' access histories are encrypted in such a way that enforcement of constraints is still possible. As a proof-of-concept, we have implemented a prototype and provide a preliminary performance analysis showing a limited overhead, thus confirming the feasibility of our approach.
Keywords :
"Encryption","Servers","History","Google","Software as a service"
Conference_Title :
Future Internet of Things and Cloud (FiCloud), 2015 3rd International Conference on
DOI :
10.1109/FiCloud.2015.43