Noname manuscript No. (will be inserted by the editor) Security policy verification for multi-domains in cloud systems Antonios Gouglidis · Ioannis Mavridis · Vincent C. Hu Received: date / Accepted: date Abstract The cloud is a modern computing paradigm with the ability to support a business model by pro- viding multitenacy, scalability, elasticity, pay as you go and self provisioning of resources by using broad net- work access. Yet, cloud systems are mostly bounded to single domains and collaboration among different cloud systems is an active area of research. Over time, such collaboration schemas are becoming of vital importance since they allow companies to diversify their services on multiple cloud systems to increase both up-time and usage of services. The existence of an efficient manage- ment process for the enforcement of security policies among the participating cloud systems would facilitate the adoption of multi-domain cloud systems. An im- portant issue in collaborative environments is secure inter-operation. Stemmed from the absence of relevant work in the area of cloud computing, we define a model checking technique that can be used as a management service/tool for the verification of multi-domain cloud policies. Our proposal is based on NIST’s (National Institute of Standards and Technology) generic model checking technique and has been enriched with RBAC reasoning. Current approaches, in Grid systems, are ca- pable of verifying and detect only conflicts and redun- dancies between two policies. However, the latter can- A. Gouglidis ( ) · I. Mavridis Department of Applied Informatics University of Macedonia 156 Egnatia Str., 54006, Thessaloniki, Greece E-mail: agougl@uom.gr I. Mavridis E-mail: mavridis@uom.gr V.C. Hu National Institute of Standards and Technology Gaithersburg, MD 20899-8930, USA E-mail: vincent.hu@nist.gov not overcome the risk of privileged user access in multi- domain cloud systems. In this paper, we provide the formal definition of the proposed technique and secu- rity properties that have to be verified in multi-domain cloud systems. Furthermore, an evaluation of the tech- nique through a series of performance tests is provided. Keywords cloud computing · collaboration · multi- domain · RBAC · secure inter-operation · verification 1 Introduction Access control (AC) in modern distributed systems has become even more challenging since they are compli- cated and require the collaboration among domains. A domain can be defined as a protected computing envi- ronment, consisted of users and resources under a same AC policy. AC is an essential process in all systems. The role of an AC system is to control and limit the actions or operations in a system that are performed by a user on a set of resources. Nevertheless, an AC system is considered of three abstractions of control, namely AC policies, AC models, and AC mechanisms. A policy can be defined as a high-level requirement that specifies how a user may access a specific resource and when. AC policies can be enforced in a system through an AC mechanism that is responsible for permitting or denying a user access upon a resource. An AC model can be defined as an abstract container of a collection of AC mechanism implementations, which are capable of preserving support for the reasoning of the system poli- cies through a conceptual framework. Consequently, the AC model is capable of bridging the existing abstrac- tion gap between the mechanism and the policy in a system [9], [48]. *Manuscript Click here to download Manuscript: IJIS_2012.tex Click here to view linked References