25/ Sep/ 2017
Beatriz Gallego-Nicasio Crespo

EPICA (Efficient and Privacy-respectful Interoperable Cloud-based Authorization) is a software implementation that controls access to resources (either services or data) in multi-tenant cloud environments. EPICA supports an ABAC-based model that extends XACML policies to represent trust relationships between tenants (so called “tenant-aware XACML policies”) in order to govern cross-tenant access to shared cloud resources.

The advances introduced by the primitive implementation, with regards to the current state of the art in the domain of Access Control for Cloud-based environments, are two-fold:

1) EPICA provides specific support for cloud requirements such as multi-tenancy, and is compatible with storage efficiency techniques (i.e. file-based deduplication and compression);

2) EPICA advances the existing implementations of XACML v3, building upon an existing Open Source implementation of the standard, extends it with new functionalities and improves existing ones for a full coverage of the XACML reference architecture.

Besides, EPICA supports high availability and performance deployments, implementing an efficient policy retrieval approach with scalable policy stores.

The architecture of EPICA has been designed taking into account interoperability and privacy concerns, so the information exchanged between the cloud provider and the user, required to perform authorization, remains minimal.

As can be seen in Figure 1 the security primitive has several different components. Some of them have been created from scratch while others have been extended from the original Open Source reference implementation.

EPICA adapts to existing cloud management systems by (a) enabling configuration of different options to adapt to a specific scenario: type of policy store, multi-tenancy model, high-performance mode, policy generation mechanism and distributed attributes mode; (b) the Policy Administration process is supported by a set of operations offered as a REST-full API (c.f. Figure 2); (c) the Policy Enforcement component (PEP) is offered in two forms (.jar file and web service) to facilitate deployment in different cloud environments; the primitive allows for a distributed deployment of the authorization engine and policy store following a pubSub architectural pattern.

EPICA fulfils end-to-end security requirements while preserving critical functional requirements of cloud computing, such as scalability, availability and high performance. Besides, the approach is applicable to Authentication and Authorization for Constrained Environments (ACE), such as IoT or 5G scenarios, where strong fine-grained mutual authentication and authorization schemes are critical to protect frequency and radio/communication resources, to deliver 5G networks services on demand and comply with different regulation constraints.

Keywords:: Security Requirements: Confidentiality; Cloud Functional Requirements: Multi-Tenancy; Cloud Non-Functional Requirements: High Performance, Usability, High Availability