SaaS服务共享的特性决定了用户可信的访问行为对于云服务安全的重要性。而在传统的访问控制中,一旦用户被赋予了某种角色,便会一直拥有该角色所对应的权限,缺乏一定的动态性。针对以上两点,在传统访问控制模型以及用户行为信任值特点分析的基础上,文章提出了一种SaaS模式下基于用户行为的动态访问控制模型(cloud-RBAC)。模型中的租户更好地实现了访问控制中安全域的控制,而用户组和数据范围则更好地实现了粒度的控制,体现了云服务访问控制的灵活性。根据用户访问云服务过程中各行为证据值,模型利用模糊层次分析法,确定其行为信任等级,再根据权限敏感等级,最终确定用户可行使的权限,体现了云服务访问控制的动态性。结果分析表明,文章提出的访问控制模型能够对用户的非法访问行为做出快速的反应,同时又能够有效地控制合法的访问行为,从而保证了云服务的安全性和可靠性。%SaaS shared nature determines the importance of user’s trusted access behavior to cloud services. In the traditional access control model, once the users have been given a role, they will always have the privileges based the role. It lacks dynamic. For the above-mentioned points, this paper presents a dynamic access control model based on user’s behavior in SaaS. It is based on the traditional access control model and the analysis of the characteristics of user’s trusted behavior. The tenants in the model achieve a better control of the security domains. In addition, user groups and the scope of the data achieve a better control of the granularity. This relfects the lfexibility of the access control to cloud service. Based on the evidence value during the user’s visit, this model uses fuzzy analytic hierarchy process to determine the trust level of the behavior. And then according to the sensitivity level, the privileges that the user can exercise will be determined ultimately. This relfects the dynamic. As the results showed, the access control model presented in this paper can respond to user’s illegal behavior quickly. At the same time, it is able to control legitimate access behavior effectively and ensuring the safety and reliability of cloud services.
展开▼
