DocumentCode :
576777
Title :
Object Isolation for Cloud with DOMAIN RBAC
Author :
Ranganathan, Vidya ; Venkataraman, Guha P.
Author_Institution :
India Syst. & Technol. Labs., IBM India Private Ltd., Bangalore, India
fYear :
2012
fDate :
11-12 Oct. 2012
Firstpage :
1
Lastpage :
5
Abstract :
Cloud computing has taken technology into a mix of networking, virtualization and clustering environments, which has opened up a new era with lots of opportunities, thereby making business highly scalable. However, there are several challenges that need to be addressed, in particular security, which Forrester [1] has listed as being one of the most crucial concerns. One of the most effective and time-tested ways to ensure security is via Role Based Access Control (RBAC) [2], with emphasis in cloud computing environments on data protection, authentication and authorization. RBAC provides a policy framework to enable delegation of responsibilities of the super user permissions to other users. This framework helps define non-root users with proper authorizations to perform specific system administration tasks. However, it does not provide a mechanism to define the set of objects on which these roles could be exercised. By default, all role-based tasks can be performed on all objects of that type. Therefore, to address this issue, DOMAIN RBAC has been implemented, with an object isolation feature included, as an extension of RBAC. Object Isolation marks a boundary across system resources and users by defining which users can access specified resources on the system, while the RBAC roles determine what operations can be performed on the accessible resources. In this paper we present and describe a method by which object isolation has been implemented via DOMAIN RBAC, along with a use case. We also illustrate our approach by showing how it is implemented on IBM's AIX version 7 Operating System, which can be leveraged in a cloud environment.
Keywords :
authorisation; cloud computing; data privacy; operating systems (computers); virtualisation; DOMAIN RBAC; IBM's AIX version 7; business data processing; cloud computing; clustering environment; data protection; object isolation; operating system; role based access control; security; system administration task; user authentication; user authorization; virtualization; Authorization; Cloud computing; Kernel; Servers
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Cloud Computing in Emerging Markets (CCEM), 2012 IEEE International Conference on
Conference_Location :
Bangalore
Print_ISBN :
978-1-4673-4421-0
Electronic_ISBN :
978-1-4673-4420-3
Type :
conf
DOI :
10.1109/CCEM.2012.6354616
Filename :
6354616