A Security Architecture Research Based on Roles

Security has always been the top issue against the cloud computing, scientific security architecture is the foundation of other security technologies. Comparing existed cloud computing security architectures and traditional security architectures, there are some common ground and new problems. In cloud computing environment, different users need different security requirements, so if we can assign them reasonable authority, there will be great efficiency improvement for data security and system efficiency. Role is an authority division and management method, it gains very good effect for its classification to user and data operations. Inspired by this, a security cloud computing architecture based on role has been designed, the security of the architecture has been evaluated at last.


Introduction
Cloud computing is a type of service that service vendors provide different types of services by a cluster of servers through networking, such as online software services, hardware rental, data storage, calculation etc [1].These resources or services are supplied as the way of water or electricity which only to be paid according to the amount you actually used [2].
The biggest advantage of cloud computing is the elasticity of supply and low cost, the biggest obstacle is data security [3].The security issues include the risk of privacy leakage and data abuse led by remote data storage, data tampering, lacking of censorship on the service provider, imperfect verification mechanism on user login check.For the data actually controlled by service providers, users have no rights to develop specifications on data management and security measures.So the cloud services providers and academia have designed a variety of security cloud computing infrastructure to maximize the security.These architectures should consider the practicality and scalability besides security.
Role is a collection of certain number of privileges.It refers to a collection including resources accessing and appropriate operating permission to complete a task.As an agent layer between user and authority, role is expressed as the relationship between authority and users.All authorities should be given to roles rather than directly to a user or group.So a security cloud computing architecture based on roles is supposed on the following.The architecture will compares existing cloud computing security architectures first, then analyzes characters of roles, including authority division, security requirements division, the security of the architecture will be evaluated at last.

Security Architecture Based on Roles
Sharing property of cloud infrastructure always give users the illusion that data is easier to lose when they are stored in the cloud.In fact, the overall technical architecture of cloud computing provides centralized management by security experts can achieve more security objectives [8] than the decentralized management of individual and non-professional management .
It is different from traditional security architecture who emphasizes border protection.The cloud computing divides logic isolation instead of physical border protection when different users applying their services [9].But there are similarities between the two architectures on corresponding levels.Fig. 1 has shows the comparison between cloud security architecture and traditional security architecture.In cloud computing environment, cloud computing need to incorporate virtualization security precautions, due to the introduction of virtualization technology.In the basic level, sophisticated traditional security technologies can still provide security [11].

Security Architecture Design
Trusted security architecture and isolation architecture have good security, but poor extension.SOA architecture is flexible, but lack of clear secure margin [12], its level of responsibility is not clear enough.
In order to find a secure cloud computing management structure with both flexibility and security, user management and rights assignment should be the key.The concept of role has many good applies in rights management.Such as roles management in database are much successful in categorizing users, unifying licenses and unifying management.The concept of group in windows operating system is a role management too.Roles represent a class of users with same rights.
Certain role has a set of certain rights.
The advantage role management is that designers can focus more attention on division of authority without concerning for someone specific.When the members of role changed, the content of role can still remain unchanged.In the cloud computing environment, the main bodies include cloud service providers, users, distributed hardware and software applications.The cloud service providers are responsible for providing hardware and software services to users and ensuring their data security.Users pay for their actual amount of consumption and storage.This mode allows data separated from the control of their owners, so its the actual reason why users would not save their data in the cloud.
In order to help users actually control their data, we must think more on rights assignment.If rights of cloud service providers and users are clear, they will get their own role, users will trust cloud computing more for their actual control of their data [13].
Here we divide the roles according to storage, data management, data ownership and cloud service providers.
Combining with the cloud computing security architectures above and comparing with the traditional security models, a cloud computing security architecture based on roles has been proposed.as figure 2 From the perspective of roles, cloud service providers are only the role that data kept in them, they are not the data owners and managers.The data owners are the only manager of their data who have all rights to their data management.
Other users must be authorized by the user if they want to access his data.Any other users can not grasp the actual content of his data without his authorization, so data owner is the only administrator of his data.

Roles Division and Rights Assignment
Here roles are divided into four types including service provider, data administrator, inspector and user.
That is only the user itself has the a F role to his data, other users do not have the role.To the service provider, role i p and inspector role i s , they do not have the a F role, so they don't have rights to operate users' data, that is Because of the openness of the cloud, the user can not only operate their own data, they need to share other users' data or share their data with others.But the sharing degree depends on the authority degree they get or give.The user get authority having the role u F , they can get part or all rights of administrator, this depends on the authority degree by the administrator, so u F is the subset of a F .To any data i d ,  From table1, we can see the roles have no operating authority overlapping except administrator and user, this approach is more conducive to ensure the security of data.For data those role u F has rights to operate, the role a F certainly have rights to operate them.In turn, the data operated by role a F do not mean they can be operated by the role u F unless they get the authority by role a F .So the role value of u F is e , } 1 , 0 { e , when the role get the operating authority 1 e ,else 0 e .In order to ensure the authenticity and legality of the operation among administrators, authorized users and service providers, a trusted third party as an inspector is needed to monitor the operation of the other three roles.The content of monitoring is the authenticity check and operation rights test.The role of inspector has no operating authority to data, but they has the rights to limit some unusual or dangerous operation operated by administrator or user, then give user a warning or terminate the dangerous operation.
The authenticity check is judged by the integrity and the user's operation records.If the user's identification information is incomplete, no logical association with the identification information or the reservation information is incorrect.When the unauthorized operation or dangerous operating application appearing, the role i F will strictly control the user's service request and give a risk warning to the corresponding role a F timely.Each broken access trying of roles p F , a F , and u F will be recorded so that to facilitate judging the safety level of this operation trying by tracking their operating locus.The relationship among the four roles are shown as figure 3.

Security analysis
Considering the complexity and cost of evaluation, the mathematical analysis is undoubtedly the most convenient and efficient methods [14].The following is the security analysis procedure of cloud computing security architecture based role division.
Comparing to the previous architectures, the security architecture based role division has more clearer levels and responsibilities [15].So we compare them from the angle of having roles division and without roles division.The architecture with roles division has the four roles p F , a F , i F , u F , and u F is the subset of a F .We can regard sets p F , a F , i F as three vector spaces.Respectively take any sequence , in the architecture without roles division, there are not always 0 & x * , so there are the danger to users that they may face operation without authority.Through the analysis above, two objects i u , j u both have the role a F , they will be closed to their data operation, so the Cartesian product constituted by different users and their data are orthogonal, that is  From the analysis above we can see architectures without roles division would likely to be confusion on authorization between data owners and those sharing the data or the condition that attackers get the authority of service providers.The attackers can do illegal operation and further damage penetration after they illegally obtain the service providers authority.
But under the architecture with roles division, the attackers can only get one role, so they can't do more harm to others data.It shows that the architecture with roles division can bring higher security.

Conclusion
Existing cloud computing architecture and security model have been summarized and compared to the traditional security structures in this thesis.A cloud computing security architecture based on roles division has been proposed, the architecture combines the common characteristics with other cloud computing security architectures, divides their security levels more clearly, against the different authorities of different roles and their cooperation with each other, the data security and efficiency can work better.

Fig. 1 .
Fig.1.Comparison between cloud security and traditional security The results show that cloud computing has introduced virtualization technology who change the service model, but not overturn the traditional security model.Cloud computing security and traditional security have the same security objectives, system resource type, basic security technologies.The cloud computing has its own specific security issues, including virtualization security and security issues about cloud computing sub-service model[10].Generally speaking, cloud security is the inheritance and development of traditional security in a cloud computing environment.They are substantially similar in the level of security classification.

Fig. 2 .
Fig.2.Security Cloud computing architecture based on roles

Fig. 3 .
Fig.3.Relationship between roles and authority three spaces are orthogonal, so the vectors correspond to a series of authorities, the orthogonal vectors means the their vector spaces have no crossover authorities.But to any two operating series with increasing of data scale.

2 Security Model and Architecture
The relationship among the four types are service providers build cloud environments and provide services, accept service requests, save resources, user apply services and manage his own data, he is only the administrator of his own data, but users to others.