Packet: a privacy-aware access control policy composition method for services composition in cloud environments

Combining different independent cloud services must coordinate their access control policies. Otherwise unauthorized access to composite cloud service can occur when there's a conflict among different cloud service providers' access control policies, and then it will bring serious data security and privacy issues. In this paper, we propose Packet, a novel access control policy composition method that can detect and resolve policy conflicts in cloud service composition, including those conflicts related to privacyaware purposes and conditions. The Packet method is divided into four steps. First, employing a unified description, heterogeneous policies are transformed into a unified attributebased format. Second, to improve the conflict detection efficiency, policy conflicts on the same resource can be eliminated by adopting cosine similarity-based algorithm. Third, exploiting a hierarchical structure approach, policy conflicts related to different resources or privacy-aware purposes and conditions can be detected. Fourth, different conflict resolution techniques are presented based on the corresponding conflict types. We have successfully implemented the Packet method in Openstack platform. Comprehensive experiments have been conducted, which demonstrate the effectiveness of the proposed method by the comparison with the existing XACML-based system at conflict detection and resolution performance.