J Grid Computing (2012) 10:151–172
DOI 10.1007/s10723-012-9212-9

City on the Sky: Extending XACML for Flexible, Secure Data Sharing on the Cloud

Tien Tuan Anh Dinh · Wang Wenqiang · Anwitaman Datta

Received: 16 August 2011 / Accepted: 6 March 2012 / Published online: 24 March 2012
© Springer Science+Business Media B.V. 2012

Abstract
Sharing data from various sources and of diverse kinds, and fusing them together for sophisticated analytics and mash-up applications, are emerging trends and prerequisites for realizing grand visions such as that of smart cities enabled by cyber-physical systems. Cloud infrastructure can enable such data sharing both because it scales easily to an arbitrary volume of data and computation needs on demand, and because diverse data sets are naturally collocated within the infrastructure. However, in order to convince data owners that their data are well protected while being shared among cloud users, the cloud platform needs to provide flexible mechanisms for the users to express the constraints (access rules) subject to which the data should be shared, and likewise to enforce them effectively. We study a comprehensive set of practical scenarios where data sharing needs to be enforced by methods such as aggregation, windowed frames, value constraints, etc., and observe that existing basic access control mechanisms do not provide adequate flexibility to support effective data sharing in a secure and controlled manner. In this paper, we thus propose a framework for the cloud that significantly extends the popular XACML model by integrating flexible access control decisions and data access in a seamless fashion. We have prototyped the framework and deployed it on a commercial cloud environment for experimental runs to test the efficacy of our approach and evaluate the performance of the implemented prototype.

T. T. A. Dinh (B) · W. Wenqiang · A. Datta
Nanyang Technological University, Singapore, Singapore
e-mail: ttadinh@ntu.edu.sg
W. Wenqiang
e-mail: wqwang@ntu.edu.sg
A. Datta
e-mail: anwitaman@ntu.edu.sg

Keywords Cloud computing · Access control · Flexible sharing · Fine-grained policies · XACML

1 Introduction

The emergence of cloud computing in recent years is rapidly changing the way businesses and government agencies, as well as individuals, store and manage their data and workflows. Instead of developing and maintaining individual data management infrastructures and data sharing mechanisms, data owners now leverage cloud services to make their data available to users. The fact that data from multiple sources now reside in one logical place, i.e., the cloud, makes it much easier than ever before to develop large scale applications that require data and knowledge from multiple domains and