Sticky Policy Based Open Source Security APIs for the Cloud

Lead Research Organisation: University of Kent
Department Name: Sch of Computing


The Internet and telephone are successful because they use open protocols and open interfaces, allowing users to communicate, innovate and share at will. We propose to facilitate this process in cloud computing, by developing a set of open security services, protocols and interfaces (APIs) that will allow cloud resource owners to specify their policies for fine grained access control to their cloud resources, and have these enforced everywhere at all times, regardless of the subsequent location or data processing that has ensued. The ability to securely share data with anyone, anywhere, at any time, will facilitate spontaneous collaborations and ensure confidence in collaborative working. This will be achieved by using "sticky policies", delegation of authority, federated access and attribute based access controls. Sticky policies are policies which are cryptographically linked or "stuck" to the data and meta-data they control, so that access to the data is only granted if the policy is honoured. In order to cater for Internet scale cloud usage, federated access and attribute based access controls are needed. Federated access allows users to identify themselves to a cloud service using their existing credentials, without having to first obtain new ones from the cloud service itself. Attribute based access controls allow access to be specified based on a user's identity attributes rather than simply an identifier, which is what is typically used today. In order to achieve Internet scale in identifying users and data resources, an ontology is needed that will classify both the data and the users who wish to access it. The authorities who issue identity attributes will also need to be classified. The characteristics of any particular set of data will be held in meta-data that describes or identifies the data, and conforms to the ontology. The meta-data itself will be stuck to the data in a similar way to the sticky policy.

When data is merged or fused with other data, or is split, filtered or reduced, then its meta-data will need to change accordingly, in order to describe the new data. Similarly the sticky policy that controls access to the new data will need to be derived from the original sticky policy(ies). This project will develop a new algebra and algorithms for deriving the new sticky policy from the old, using the ontology and meta-data as a guide. (Note that this project will not be performing the actual data merging or splitting, but simply assumes that trustworthy services are available to do this.)
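The binding and derivation described above, as an added illustration that is not the project's own code or design: a policy and its meta-data are "stuck" to the data by a MAC over all three (assumed here to be HMAC-SHA256 under a key held by the enforcement point), access is decided by an attribute check against the stuck policy, and the policy for fused data is derived as the conjunction of the source policies (intersection of allowed values for any attribute both constrain). The policy format, the merge rule and all sample records are constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed demo key: in a real deployment it would be held by the policy enforcement service.
KEY = b"demo-sticky-policy-key"


def _payload(data: bytes, policy: dict, metadata: dict) -> bytes:
    # Canonical encoding so the MAC covers data, policy and meta-data in one fixed form.
    enc = json.dumps(policy, sort_keys=True) + json.dumps(metadata, sort_keys=True)
    return data + enc.encode()


def make_bundle(data: bytes, policy: dict, metadata: dict) -> dict:
    # "Stick" the policy and meta-data to the data: one MAC over all three.
    tag = hmac.new(KEY, _payload(data, policy, metadata), hashlib.sha256).hexdigest()
    return {"data": data, "policy": policy, "metadata": metadata, "tag": tag}


def verify(bundle: dict) -> bool:
    # Any change to the data, policy or meta-data after binding invalidates the tag.
    body = _payload(bundle["data"], bundle["policy"], bundle["metadata"])
    expected = hmac.new(KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, bundle["tag"])


def access(bundle: dict, attrs: dict):
    """Release the data only if the bundle is intact and the user's identity
    attributes satisfy every clause of the stuck policy (attribute-based access)."""
    if not verify(bundle):
        return None  # policy or data tampered with after binding
    for attr, allowed in bundle["policy"].items():
        if attrs.get(attr) not in allowed:
            return None  # attribute missing or not an allowed value
    return bundle["data"]


def merge(b1: dict, b2: dict) -> dict:
    """Fuse two bundles and derive the merged policy so it is at least as strict
    as either source: every attribute either source requires is required, and
    where both constrain the same attribute only values both allow survive."""
    if not (verify(b1) and verify(b2)):
        raise ValueError("refusing to merge a tampered bundle")
    policy = {}
    for attr in set(b1["policy"]) | set(b2["policy"]):
        a, b = b1["policy"].get(attr), b2["policy"].get(attr)
        # An empty intersection is kept as-is: nobody may then read the fused data.
        policy[attr] = sorted(set(a) & set(b)) if a and b else sorted(a or b)
    sources = sorted(set(b1["metadata"]["sources"]) | set(b2["metadata"]["sources"]))
    metadata = {"id": b1["metadata"]["id"] + "+" + b2["metadata"]["id"], "sources": sources}
    return make_bundle(b1["data"] + b2["data"], policy, metadata)
```

Splitting or filtering would follow the same pattern in reverse: the derived bundle carries the source policy unchanged (or a stricter one) and meta-data naming the subset it describes.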

The protocols and APIs specified in this project will be standardised through an organisation already well versed in cloud APIs, such as the Open Grid Forum or OASIS.

In order to ensure the widest take up of the services and APIs specified in this project, pilot implementations will be developed in Python and distributed as part of the OpenStack suite of software. OpenStack is a community project involving over 135 organisations, ranging from multi-nationals such as HP, Cisco and Intel, to specialist SMEs such as Cloudscaling. This project proposes to harness the energies of the OpenStack community by acting in a leading role to facilitate others in contributing to the development effort.

Planned Impact

Because this research is developing open source, application independent security services and APIs for the cloud, literally anyone who wishes to use the cloud for the secure transfer, storage and processing of data will benefit from this research. The impact can therefore be huge, both in the spread of cloud users who can benefit, and in the number of beneficiaries.

In our previous project, My Private Cloud, we already successfully demonstrated federated access to, and fine grained delegation of access rights from a cloud resource owner to his cloud resources stored in a Eucalyptus S3 service. This application independent implementation does not restrict the type of resources that can be uploaded to the cloud (as files), nor the types of users who can be granted access to them. So the beneficiaries are anyone who wants to store his data in the cloud, and securely share it with others. In the same way, this new project will be data agnostic and thus applicable to a very wide range of user communities who wish to apply sticky policies to their data sets, and have their policies continually enforced regardless of the subsequent processing and transfer of their data around the cloud. By implementing all the APIs in OpenStack, we maximise the potential user base and corresponding impact.

Typical beneficiaries include anyone who has large data sets that will be processed and transferred around a cloud (or clouds) and wants to have confidence that their access control policies will continue to be enforced. Medical data (EHR) immediately springs to mind as a major beneficiary of this research, since moving medical data to public or private clouds should significantly reduce the cost of data ownership to the NHS. But a major worry is that the privacy of patients might be seriously compromised if their data is mistakenly or maliciously released to unauthorised users. Ensuring the cloud system supports and enforces sticky policies, which prevent unauthorised access to medical data, is one way of overcoming this hurdle.

Academics and researchers who wish to store, process and restrictively share their research data in the cloud will similarly benefit. The MoD, which processes huge amounts of logistics information, especially in times of conflict, will also benefit from the secure sharing of this data both between divisions and with their allies. But supermarkets and other retail outlets can similarly benefit from the secure storage and processing of their data. Security services that record large amounts of personal data about suspects, their locations, movements, contacts etc. will similarly benefit from being able to share this data securely and confidentially with others in the security services who have a need to know. These are just a few of the many examples that can be used to illustrate the benefits of sticky policy based open source security APIs for the cloud.


Chadwick D (2013) Adding Federated Identity Management to OpenStack in Journal of Grid Computing

Description We developed a protocol independent way of integrating federated identity management into OpenStack cloud computing. However, we had insufficient time to work on the authorisation/policy API during the project. Fortunately we had the opportunity to work on federated authorisation through follow on funding provided by CAPES, Brazil, and the Royal Academy of Engineering (Newton Research Collaboration Programme) which are listed in other sections of this award's outcomes.
Exploitation Route Since our original work has now been integrated into OpenStack, then the community at large is providing the ongoing support and development of federated identity management in OpenStack. However there is still much to do in terms of providing support for Virtual Organisations, and intercloud federations.
Sectors Aerospace, Defence and Marine,Agriculture, Food and Drink,Chemicals,Communities and Social Services/Policy,Construction,Creative Economy,Digital/Communication/Information Technologies (including Software),Education,Electronics,Energy,Environment,Financial Services, and Management Consultancy,Healthcare,Leisure Activities, including Sports, Recreation and Tourism,Government, Democracy and Justice,Manufacturing, including Industrial Biotechology,Culture, Heritage, Museums and Collections,Pharmace

Description Our work on integrating application independent federated identity management into OpenStack has resulted in this feature being part of the core release of OpenStack, so the long term sustainability of our work is now guaranteed. Since OpenStack is used extensively throughout the world, every sector of the economy is positively impacted.
First Year Of Impact 2014
Sector Aerospace, Defence and Marine,Agriculture, Food and Drink,Chemicals,Communities and Social Services/Policy,Construction,Creative Economy,Digital/Communication/Information Technologies (including Software),Education,Electronics,Energy,Environment,Financial Services, and Management Consultancy,Healthcare,Leisure Activities, including Sports, Recreation and Tourism,Government, Democracy and Justice,Manufacturing, including Industrial Biotechology,Culture, Heritage, Museums and Collections,Pharmaceu
Impact Types Economic

Description GEANT Open Call
Amount € 89,000 (EUR)
Funding ID 605243 
Organisation European Commission 
Sector Public
Country European Union (EU)
Start 09/2013 
End 03/2015
Description Newton Research Collaboration Programme 
Organisation Federal University of Pernambuco
Country Brazil 
Sector Academic/University 
PI Contribution The Royal Academy of Engineering funded a project entitled "Security Policy Enforcement in Federated Open Source Clouds" that allowed Prof Carlos Ferraz to travel to the UK for 3 months (April-July 2015), and Prof Chadwick to travel to Brazil for 3 months (Nov 2015-Feb 2016). One of Prof Carlos's PhD students (Mr Ioram Sette) was working with Prof Chadwick for a year, and this funding allowed us to jointly supervise him face to face and to discuss technical designs and a proof of concept implementation. When I went to Brazil we built a public demo of the system, and I gave a couple of guest lectures to staff and students at the university and its associated spin-out company. We had also planned to have an OpenStack conference in Brazil in February 2016, but during the Christmas break when I had returned to the UK, I was almost killed on my bicycle and was off work for 6 months. Consequently my return to Brazil in January, and the conference in February, had to be cancelled.
Collaborator Contribution Prof Carlos and Ioram Sette helped to design and then implement the system that was proposed in the project. The collaboration produced some blue print design specifications and open source code for OpenStack, as well as the academic paper listed below. Ioram Sette was successfully awarded a PhD in 2016. Unfortunately Ioram's code never made it into an OpenStack release as the project (and Ioram's PhD) ended before this could be completed.
Impact Ioram S Sette, David W Chadwick, Carlos A G Ferraz. 'Authorization Policy Federation in Heterogeneous Multicloud Environments', IEEE Cloud Computing, Vol 4, Issue 4, July/Aug 2017.
Start Year 2015
Description PhD Intern 
Organisation Government of Brazil
Department Coordination of Higher Education Personnel Training (CAPES)
Country Brazil 
Sector Public 
PI Contribution We designed and built the original federated access to OpenStack, to which Ioram added the OpenID protocol. This encouraged him to apply to CNPq to work with me for a year, in order to further research federated access to clouds. I helped Ioram in the conceptual design of his ideas, and Kent provided the networking and server infrastructure for him to build his first prototype system.
Collaborator Contribution CAPES funded Mr Ioram Sette to work with me for one year, from Sept 2014 to Sept 2015, during his study for his PhD at the University of Pernambuco, Brazil. As a result of Kent's work on designing and implementing protocol independent federated access to OpenStack, in early 2014 Ioram added a protocol (OpenID) to our implementation during his PhD in Brazil. As a result of this we exchanged emails and he then applied for CAPES funding to continue this research. Whilst Ioram was in Kent he made a great contribution to my team, by helping to add the ABFAB protocol suite to OpenStack and building the first federated authorisation infrastructure for OpenStack.
Impact Alejandro Perez-Mendez, Gabriel Lopez-Millan, Rafael Marin-Lopez, David W. Chadwick, Ioram Sette. "Integrating an AAA-based federation mechanism for OpenStack - The CLASSe view". Concurrency and Computation: Practice and Experience. 2017. DOI:10.1002/cpe.4148
Start Year 2014
Title OpenStack Icehouse Release 
Description OpenStack is the leading open source cloud software. We added protocol independent federated access to the Grizzly release as a proof of concept in 2013. This was subsequently adopted by the OpenStack community (with modifications) and became available to the public in the Icehouse and subsequent releases from 2014 onwards. 
Type Of Technology Software 
Year Produced 2014 
Open Source License? Yes  
Impact Federated access is now a key component of OpenStack and is used by many organisations, not least of which is CERN in Geneva.
Description Presentation at OpenStack Summit 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact The talk generated significant interest, with the eventual result that Federation became an official project of OpenStack Keystone.

The eventual impact of our work is that Federated Identity Management is now incorporated as part of the official OpenStack code base (as of the Icehouse release, April 2014), which ensures its continuity, and means that its ongoing support and maintenance will now be carried out by the OpenStack community at large.
Year(s) Of Engagement Activity 2012