Chapter 1 Internet Era: E-Commerce 31
Authorization
Another important security mechanism that must be implemented in a scalable way in cloud computing is the authorization infrastructure. Like any other resource-sharing system, cloud computing requires both resource-specific and system-specific authorizations. This is particularly important for systems in which the resources are shared between multiple participants and participant-wide resource usage patterns are predefined. Each participant can, in addition, have user-specific resource authorization internally. Authorization systems can be divided into two categories: virtual host level systems and resource level systems. Virtual host (VH) level systems have centralized authorization mechanisms that provide credentials for the users to access the resources. Resource level authorization systems, on the other hand, allow the users to access the resources based on the credentials presented by the users.
Virtual host level:
VH level cloud authorization systems provide centralized authorization mechanisms for an entire VH. These types of systems are necessitated by the presence of a VH, which has a set of users, and several resource providers (RP) who own the resources to be used by the users of the VH. Whenever users want to access certain resources owned by an RP, they obtain a credential from the authorization system, which gives certain rights to the user. The user then presents the credential to the resource to gain access to it. In this type of system, the resources hold the final right for allowing or denying users to access them.
Resource level:
Unlike the VH level authorization systems, which provide a consolidated authorization service for the VH, the resource level authorization systems implement the decision to authorize the access to a set of resources. Therefore, VH level and resource level authorization systems look at two different aspects of cloud computing authorization.
Revocation:
Revocation is an integral part of both authentication and authorization. Revocation is crucial for authentication in case of a compromised key, and for authorization when a participant is terminated, or a user’s proof is compromised or otherwise untrustworthy. There are two mechanisms to implement revocation:
Active Revocation Mechanism:
In this type of revocation, there is a communication between the user and the receiver access control mechanism, based on which the user is denied further access to the resource. This type of mechanism can operate very quickly and the revocation can happen as soon as the compromised identity is detected. In an X.509-based system, this can be done through the use of a certificate revocation list (CRL) issued by the authority, and the verifying authority or the access controller needs to check whether a CRL exists
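The following is an added example, not from the book, that models the VH level flow, the resource level decision, and active revocation in one place. A central VH authorization service issues a signed credential carrying rights to a user; the resource verifies the credential, consults the authority's revocation list (the CRL analogue), and then applies its own local policy so that the resource keeps the final say. HMAC-signed JSON is used as a stand-in for X.509 certificates, and every name, key and right is a constructed value.

```python
"""Toy VH-level authorization service with resource-level enforcement and
active revocation. Added example; HMAC credentials stand in for X.509
certificates, and all keys, users, participants and resources are constructed."""
import base64
import hashlib
import hmac
import json
import time

# Constructed key shared by the VH authorization service and its resource
# providers (stand-in for the authority's signing key / trusted CA cert).
VH_KEY = b"constructed-vh-authorization-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class VHAuthorizationService:
    """Centralized VH-level issuer: hands users credentials carrying rights."""

    def __init__(self, key: bytes):
        self.key = key
        self.next_serial = 1
        self.revoked = set()          # serials on the VH's revocation list (CRL analogue)
        self.participant_rights = {}  # participant -> {resource: set(rights)} agreed up front

    def register_participant(self, participant, rights):
        # Participant-wide usage pattern, predefined as the text describes.
        self.participant_rights[participant] = rights

    def issue(self, user, participant, resource, rights, ttl=300):
        """Issue a credential; rights may not exceed the participant's agreement."""
        allowed = self.participant_rights.get(participant, {}).get(resource, set())
        if not set(rights) <= allowed:
            raise PermissionError("requested rights exceed participant's agreed rights")
        claims = {"serial": self.next_serial, "user": user, "participant": participant,
                  "resource": resource, "rights": sorted(rights),
                  "exp": int(time.time()) + ttl}
        self.next_serial += 1
        body = json.dumps(claims, sort_keys=True).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return _b64(body) + "." + _b64(tag)

    def revoke(self, serial):
        # Active revocation: the authority lists the serial as soon as compromise is detected.
        self.revoked.add(serial)

    def crl(self):
        return frozenset(self.revoked)


class Resource:
    """Resource-level access controller: verifies the VH credential, checks the
    revocation list, then applies its own policy and holds the final say."""

    def __init__(self, name, key, local_policy, get_crl):
        self.name = name
        self.key = key
        self.local_policy = local_policy  # user -> set(rights) this RP permits
        self.get_crl = get_crl            # callable fetching the authority's CRL

    def verify(self, credential, now=None):
        """Return the claims if the credential is authentic, unexpired, for this
        resource and not revoked; otherwise None."""
        now = now if now is not None else time.time()
        try:
            body_b64, tag_b64 = credential.split(".")
            body, tag = _unb64(body_b64), _unb64(tag_b64)
        except ValueError:
            return None
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        claims = json.loads(body)
        if claims["resource"] != self.name or claims["exp"] < now:
            return None
        if claims["serial"] in self.get_crl():
            return None
        return claims

    def access(self, credential, right, now=None):
        claims = self.verify(credential, now)
        if claims is None or right not in claims["rights"]:
            return False
        # Resource-level decision: the RP's own policy can still deny.
        return right in self.local_policy.get(claims["user"], set())


if __name__ == "__main__":
    vh = VHAuthorizationService(VH_KEY)
    vh.register_participant("acme", {"storage-1": {"read", "write"}})
    store = Resource("storage-1", VH_KEY, {"alice": {"read", "write"}}, vh.crl)
    cred = vh.issue("alice", "acme", "storage-1", {"read"})
    print("before revocation:", store.access(cred, "read"))
    vh.revoke(1)
    print("after revocation:", store.access(cred, "read"))
```

The `get_crl` callable models the check the text describes: the access controller pulls the authority's current revocation list on every decision, so a revoked serial is refused immediately rather than at credential expiry. In a real deployment the credential would be an X.509 certificate or a signed token, and the list would be a CRL (or OCSP response) fetched from the issuing authority.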