Last Friday, I presented the paper that I wrote with Prof. Aad van Moorsel on User-Controlled Access Management (aka User-Managed Access Control) at the ICDCS-SPCC 2010: The First Workshop On Security And Privacy In Cloud Computing. The workshop took place in the beautiful city of Genoa in Italy. I didn’t know what to expect from the event but it turned out to be very good! It started with a keynote by Prof. Pierangela Samarati (University of Milano) on “Protecting confidentiality in external data storage” followed by other really good presentations and the “New Research Directions of Security and Privacy in Cloud Computing” panel by Krishna Kant (Intel Research & NSF), Sabrina De Capitani di Vimercati (University of Milano) and Jack Brassil (HP Labs).
After the workshop I had a chance to talk to Prof. Samarati about her recent paper “”. We discussed the approach it proposes for including credentials in access control policies. Most importantly, we talked about dialog management, for which support within XACML has been discussed extensively. User-Managed Access supports dialog management with claims (see the “Claims 2.0” specification). However, it leaves a few crucial things unspecified that we need to discuss and incorporate into the specification. What I like about the approach Prof. Samarati describes in her paper is that anyone can specify required attributes within access control policies, but the types of these attributes need not be communicated to the Requester (and eventually the Requesting Party). For example, the policy may define that anyone who can prove they are over 18 years old should be able to access a particular resource, yet this requirement is never disclosed to the Requester. Instead, the authorization server may ask “What’s your age?” and decide based on the provided information. It can even ask “Hey! Tell me about yourself.” and then make an access control decision. The SMART team is planning to look at these features closely and to contribute to the Claims 2.0 specification. And of course, we’ll implement that!
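To make the two dialog styles concrete, here is a small added model (not code from the paper, from UMA or from the Claims 2.0 specification) of an authorization server that keeps its predicates private and either names the claims it wants or asks for nothing specific; the policy, claim names and requester profiles are constructed for illustration.

```python
# Added example, not from the paper or the UMA/Claims 2.0 specification.
# Models an authorization server that enforces attribute predicates from a
# policy while telling the requester only which claim names it wants
# (targeted dialog) or nothing at all (open-ended dialog). The thresholds
# themselves never leave the server.
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional

Claims = Dict[str, Any]


@dataclass
class Policy:
    # claim name -> predicate; predicates stay server-side
    rules: Dict[str, Callable[[Any], bool]]

    def required_claim_names(self) -> List[str]:
        # Only the names are disclosed in a targeted dialog, never the test.
        return sorted(self.rules)

    def evaluate(self, claims: Claims) -> bool:
        # A missing or malformed claim counts as "not satisfied" (deny).
        for name, predicate in self.rules.items():
            if name not in claims:
                return False
            try:
                if not predicate(claims[name]):
                    return False
            except (TypeError, ValueError):
                return False
        return True


def targeted_dialog(policy: Policy, requester) -> bool:
    # "What's your age?": the server names the claim, not the threshold.
    return policy.evaluate(requester(policy.required_claim_names()))


def open_dialog(policy: Policy, requester) -> bool:
    # "Tell me about yourself.": the server asks for nothing specific.
    return policy.evaluate(requester(None))


# Constructed sample policy: over 18 AND resident in one of a few countries.
OVER_18_EU = Policy({
    "age": lambda v: int(v) >= 18,
    "country": lambda v: v in {"IT", "DE", "FR", "NL"},
})


def make_requester(profile: Claims):
    # Constructed requesting party that releases only what it is asked for.
    def respond(asked: Optional[List[str]]) -> Claims:
        if asked is None:
            return dict(profile)
        return {k: profile[k] for k in asked if k in profile}
    return respond
```

In the targeted dialog the requester learns which attributes matter but not the acceptable values; in the open dialog it learns nothing about the policy at all and only receives the final grant or deny.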
BTW, the slides from my presentation and the final draft of the paper are available here. Want to provide feedback? Let me know!