Access control for on-demand provisioned cloud infrastructure services

The evolution of Cloud Computing brings advantages to both customers and service providers to utilize and manage computing and network resources more efficiently with virtualization, service-oriented architecture technologies, and automated on-demand resource provisioning. However, these advantages come with challenges on how to securely and efficiently protect customer resources in cloud environments. Service providers need to provide elastic and flexible cloud resources to their large numbers of customers based on the multi-tenancy model while ensuring reliable isolation on shared infrastructures. In this thesis we propose a multi-tenant access control system with fine-grained authorization for cloud service management. It supports integration with the information model of cloud infrastructure management for providers. The proposed solution allows customers to dynamically create access control service instances together with policy definitions constrained in Service Level Agreements while deploying provisioned clouds. For Intercloud scenarios with clouds across multiple providers, we introduce an authorization token exchange approach to solve distributed, inter-domain authorization and security context management problems. To solve the bottleneck issues when using the XACML policy language in high performance authorization systems, we propose and implement a novel approach that includes modeling, analyzing and optimizing XACML policy elements. It constructs custom decision diagrams for XACML to increase efficiency of policy evaluation. The implementation not only achieves magnitudes of throughputs improvement but also retains original XACML policy semantics and expressiveness.