SaaS Oriented Access Control Policy Refinement And Conflict Analysis

Posted on: 2016-07-07
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y H Wu
GTID: 1368330482451760
Subject: Computer software and theory
Abstract/Summary:
SaaS (Software as a Service) provides customers with a platform for customizing and operating service-oriented application systems via the Internet. The key to SaaS success is that application systems are easy to build and reasonable in cost, and an important part of this is access control policy configuration. In a distributed network environment, access control is often achieved through a series of security monitoring techniques applied along access paths, such as authentication, filtering, communication confidentiality and communication integrity; only under the control of consistent policies can these techniques achieve the access control target. This makes access control configuration complex.

Policy refinement is an important technique for dealing with this complexity. Different abstraction layers of the system model correspond to different abstraction layers of security policy form. Policy refinement automatically transforms an abstract, easy-to-understand policy, step by step, into the complex configuration policy of the actual system through the mapping relationships between layers. Policy refinement needs to satisfy consistency and completeness. Consistency means that policies at the same layer and policies at different layers do not conflict, and completeness means that all upper-layer policies are supported by the lower layers. During policy refinement, refinement derivation deduces the abstract policy step by step into the actual system configuration policy, forming the supporting policies that satisfy completeness, while policy conflict analysis ensures consistency. Multiple types of conflict may exist in an application system, and some policies, such as IPSec, require the different types of conflict to be analyzed in sequence to reach a correct result. The conflict resolution rule can be first match, last match, negative prior to positive, positive prior to negative, the level of the policy, the scope of the application system and so on, according to the application system requirements.

Refinement consistency requires policy conflict analysis to eliminate conflicting policies, which destroys refinement completeness. If an eliminated policy has a collaborative or combination relation with other policies, the associate attributes between these policies are also destroyed, and the corresponding policies must be cancelled to correct the associate attributes. This ensures that the policies remaining after refinement are effective: they are in line with the collaborative and combination constraints of the application system, satisfy the consistency and completeness of refinement, and avoid redundant authorizations that bring security vulnerabilities. The capabilities of policy conflict analysis, such as analyzing different types of policy conflict in sequence, the range of conflict resolution rules that can be chosen and the associate attributes that can be corrected, determine the range of effective policy refinement.

SaaS is a platform on which customers customize and operate distributed network application systems, so it needs a policy refinement service to handle the complexity of access control policy configuration for customer application systems. In addition, SaaS needs the policy refinement derivation relationship to present the access control SLA (service-level agreement), which corresponds to the relation between the access control target and its implementation. Furthermore, elastic computing and dynamic migration are important advantages of customer application systems running on a SaaS platform, and access control policy configuration depends on platform environment parameters, so refinement computation requires higher performance to adapt to them. However, existing refinement techniques cannot coordinate policies across multiple access paths, cannot refine policies that have combinational or mutually exclusive constraints, and cannot analyze multiple types of policy conflict in sequence; some techniques lack the ability to select a conflict resolution rule or to present the SLA. These shortcomings limit the range of effective policy refinement of a SaaS policy refinement service. The root cause of these problems lies in the lack of capacity to describe, analyze and process the associate attributes between policies.

This paper analyzes the characteristics of current refinement techniques and their suitability and extensibility for SaaS customer application systems, analyzes current policy conflict analysis techniques in terms of analytical ability and of suitability and extensibility for refinement calculus in SaaS customer application systems, and designs a policy refinement service module that can meet the demands of SaaS customers. Our major contributions include:

1. This paper designs the structure and mechanism of the access control policy refinement service module for SaaS customer application systems, based on the general SaaS architecture and the IETF policy management architecture. The module uses the platform's real-time monitoring mechanism, which ensures that access control for the customer application system is implemented correctly in the SaaS elastic computing and dynamic migration environment.

2. This paper specifies and formally describes access control policies and their associate attributes, and designs refinement algorithms that cover policies and their associate attributes such as combination, refinement derivation and access path coordination. It also designs methods for constructing policy refinement trees that record policies and the associate attributes between them. These provide a computational basis for analyzing and correcting policy associate attributes. The policy refinement tree can also directly present the access control SLA.

3. Policy conflict detection is the key step in policy refinement. This paper designs an algorithm for policy conflict detection based on recursive set-intersection calculation. Experimental simulation and analysis demonstrate that this algorithm has higher computing performance, which can increase the computing performance of conflict resolution and of policy associate attribute correction. It is the basis of a high-performance refinement service for SaaS customer application systems.

4. This paper adopts the Open Logic R-refutation Calculus to resolve policy conflicts based on conflict detection, and further to correct failures of policy associate attributes such as combination, mutual exclusion, multiple access path coordination and refinement derivation, based on the associate attribute records in the refinement trees. It can also choose the conflict resolution rule according to the application's needs, analyze different types of policy conflict in sequence, and prevent unnecessary authorizations that could bring security vulnerabilities.

5. This paper analyzes and designs the calculation sequence, which includes policy form transformation, conflict detection, conflict resolution and policy associate attribute correction at each layer from top to bottom, ensuring effective refinement computation for the whole application system.

Based on the above research work, the access control policy refinement service module for SaaS customer application systems overcomes the shortcomings of current refinement techniques: it gives customers the freedom to choose the application system's conflict resolution rule, can resolve conflicts such as those of IPSec policies in order, can coordinate multi-path policies at each application system layer, can refine combination and mutual exclusion policies, and can present the access control SLA. The experimental simulation demonstrates that the computing performance of these techniques meets the needs of access control policy refinement for SaaS customer application systems.
Keywords/Search Tags:Access Control, SaaS, Policy Refinement, Policy Conflict Analysis, R-refutation Calculus
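
An added illustration of the conflict detection, resolution-rule choice and associate-attribute correction described in the abstract. It is not the dissertation's algorithm (which uses recursive set-intersection detection and the Open Logic R-refutation Calculus) but a simplified pairwise version. The `Policy` fields, the `group` encoding of a combination relation, the rule names and the sample policies are assumptions constructed for this example, and a losing policy is dropped whole.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Policy:
    name: str
    effect: str              # "permit" (positive) or "deny" (negative)
    subjects: frozenset
    resources: frozenset
    actions: frozenset
    group: str = ""          # assumed encoding of a "combination" attribute

def detect_conflicts(policies):
    """Opposite-effect pairs whose match sets intersect in every dimension."""
    return [(a, b) for a, b in combinations(policies, 2)
            if a.effect != b.effect
            and a.subjects & b.subjects
            and a.resources & b.resources
            and a.actions & b.actions]

def loser(a, b, rule):
    """Policy eliminated by the rule; a precedes b in the policy list."""
    if rule == "first_match":
        return b
    if rule == "last_match":
        return a
    if rule == "negative_prior":     # negative prior to positive: deny wins
        return a if a.effect == "permit" else b
    if rule == "positive_prior":     # positive prior to negative: permit wins
        return a if a.effect == "deny" else b
    raise ValueError(f"unknown rule: {rule}")

def refine(policies, rule):
    """Return (kept, dropped, cancelled) policy names after resolution."""
    dropped = {loser(a, b, rule).name for a, b in detect_conflicts(policies)}
    broken = {p.group for p in policies if p.name in dropped and p.group}
    # Correction step: a combination that lost a member is cancelled whole,
    # so its surviving members do not remain as redundant authorizations.
    cancelled = {p.name for p in policies if p.group in broken} - dropped
    kept = [p.name for p in policies if p.name not in dropped | cancelled]
    return kept, dropped, cancelled

fs = frozenset
SAMPLE = [  # constructed policies, not taken from the dissertation
    Policy("P1", "permit", fs({"alice", "bob"}), fs({"orders-db"}), fs({"read", "write"}), "order-entry"),
    Policy("P2", "permit", fs({"alice", "bob"}), fs({"order-queue"}), fs({"write"}), "order-entry"),
    Policy("P3", "deny", fs({"bob"}), fs({"orders-db"}), fs({"write"})),
    Policy("P4", "permit", fs({"carol"}), fs({"reports"}), fs({"read"})),
]

if __name__ == "__main__":
    for rule in ("first_match", "last_match", "negative_prior", "positive_prior"):
        print(rule, refine(SAMPLE, rule))
```

Under `negative_prior` the deny policy P3 eliminates P1, and P2 is then cancelled because its combination partner is gone; under `first_match` only P3 is eliminated and the combination stays intact.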