
Cloud computing can solve many enterprise-level data storage and access challenges, but as many companies have discovered, it also raises security and access problems. Essentially, a company that uses a cloud solution for its data has to turn over administration of access to that data to the cloud provider, and loses governance of its outsourced assets. It’s the same situation when you put files into Dropbox or iCloud, for example—you’re trusting the data and its security to Dropbox and Apple (respectively).
Now, in an article titled “Access control as a service for the Cloud,” recently published in the open access Journal of Internet Services and Applications, four researchers from the Mobile Multimedia Laboratory at the School of Information Science and Technology in Athens, Greece, have conceived and tested a possible solution to this conundrum.
The Access Control Provider
What Nikos Fotiou, Apostolis Machas, George C. Polyzos, and George Xylomenos propose in their article is the establishment of a trusted third party—what they call an Access Control Provider (ACP). The ACP, which stands apart from the cloud provider, allows the company to switch among cloud providers (or even use more than one concurrently), enhances end-user privacy, and eliminates the need for complex adaptation protocols.
Testing an implementation
To prove the concept, the authors created a secure file storage service using OpenStack along with a web application that allowed the incorporation of the service in Google Drive. They developed the actual ACP application in PHP on an Apache web server (all very common web technologies). They evaluated their solution for privacy and security, and concluded, “The proposed system adds minimal overhead, does not require any particular Cloud implementation or ACP structure, and therefore, it constitutes a realistic solution to [this] problem.”
You can read the entire study here.