File storage is one of the most popular use cases for cloud computing. A cloud-based file sharing service may generally adopt an open-source development model, providing a universal way to access shared files through any Web browser from desktop or mobile devices.
The access control mechanism implemented in a current cloud-based server may use database queries to determine whether an end-user is allowed to create, read, update, delete, or share a document to other users. It may also assume that the access control decisions are based on properties similar to those of a desktop file system. However, in a mobile world where people in different environments have access to different documents, such access control decisions need to take into account richer and changing contextual situations that cannot be predetermined only by the content and user permissions of intended files.
Existing context-aware access control proposals demonstrate the need to support rich context-aware access control requirements for mobile end-users, but they have not yet been applied to cloud-based services. In order to develop a systematic method for integrating a context-aware access control system to a cloud-based application, it is desired to reengineer current cloud servers to replace discretionary access control mechanisms with a more expressive attribute-based access control system.
Further, the Extensible Access Control Markup Language (XACML) is a standard for defining the language for decoratively specifying dynamic access control policies as well as the process to enforce such policies. According to the standard, a policy-based process for access control may provide both Policy Decision Points (PDP) and Policy Administration Points (PAP). The PAP supports the interfaces needed to set up the root policy as a predefined set of rules, while the PDP evaluates the policies that apply to a given access request in order to make the access control decisions.
Additionally, there are many cloud-based services that are accessed by their users using diverse mobile devices. Security mechanisms in those services are usually related to authentication and authorization. Increasingly contextual information from the user devices provides a rich source of information for enhancing security of those services. Enabling context-awareness in security mechanisms of existing cloud-services is a difficult engineering challenge because it is not clear how applications should sense the user context, and how the sensed data should be used.
There is a need, therefore for both policy decision and administration points to be context-aware in order to allow different decisions by policy rules to reflect the context-of-use of the system for which access control is required. Due to the wide adoption of mobile devices, such contextual situations are no longer based on the consent of files. Instead, they need to take into account the values of a range of variables sensed by the devices.
Additional features, advantages, and embodiments of the invention are set forth or apparent from consideration of the following detailed description, drawings and claims. Moreover, it is to be understood that both the foregoing summary of the invention and the following detailed description are exemplary and intended to provide further explanation without limiting the scope of the invention as claimed.