Cryptographic role-based access control for secure data storage in cloud systems

With the rapid increase in the amount of digital information that needs to be stored, there has been a growing trend in recent times to store data in the cloud because ofthe benefits it provides such as on-demand access and scalability. Cloud data storage raises the important security issue of how to control and prevent unauthorised access to data stored in the cloud. Access control is required to specify who can create the access policies as well as to determine the access mechanisms needed to control access to the stored data. One well-known access control model is the role-based access control (RBAC) model, which provides flexible controls and security management by having two mappings, users to roles and roles to privileges on data objects. We propose role-based encryption (RBE) schemes, which integrate cryptographic techniques with RBAC models, to enforce RBAC policies for data stored in the cloud. Using RBE schemes, the owners of data can encrypt it in such a way that only users with appropriate roles as specified by the access policy can decrypt and view the content of the data. We then describe the design of a secure RBE-based hybrid cloud storage architecture as well as a practical implementation of the proposed RBE-based architecture and its performance results. In large-scale RBAC systems, decentralising the administration tasks is an important issue as it is usually impractical to centralise the task of managing these users and permissions, and their relationships with roles. We propose a cryptographic administrative model AdC-RBAC to manage and enforce role-based access policies for the RBE schemes in large-scale cloud systems. The AdC-RBAC model uses cryptographic techniques to ensure that administrative tasks such as user, permission, and role management are performed only by authorised administrative roles. We have also demonstrated the suitability of the proposed RBE schemes and the developed architecture in two practical applications, one involving secure data storage in the cloud for a banking organisation and the other concerned with secure storage of patient-centric health records in the cloud. The issue of trust is critical in cloud storage systems and it is necessary to address explicitly trust issues in the enforcement of access policies in cloud data storage as often implicit assumptions are made that the various system entities behave properly. We have developed trust models that can help to reason about the behaviour of users, data owners and role managers, taking into account role hierarchy and permission inheritance. We then describe the design of trust-enhanced secure cloud data storage systems integrating trust models and RBE schemes, which reduce risk and improve the quality of cloud storage services.