Scalable Multi-Tenant Authorization in Highly-Collaborative Cloud Applications

Collaborative applications have lately gained extramomentum due to two recent phenomena: data explosion andcloud computing. With more and more data and applicationsbeing hosted in the “cloud”, it becomes easier for organizationswith varying levels of mutual trust to share and collaborate overresources. However, a pressing challenge remains with the need ofeach organization to control access to its resources. Authorization,usually implemented as role-based access control (RBAC), hasbeen recently proposed as a consolidated, multi-tenant cloudservice, whereby RBAC rules of the collaborating organizationsare stored centrally with a trusted authorization provider to maskheterogeneity and to simplify management. A critical factor tothe success of such aggregating approach to access control isthe scalability of the rule store to the number of collaboratingorganizations and to the degree of collaboration.In this paper, we focus on the scalability of the online rulestore, that is, the set of rules that are checked with everyauthorization request, and thus, needs to reside in fast storage(e.g., main memory). We show that the size of the online rule storeincreases quadratically with the number of collaborating organizations in highly-collaborative cloud applications, applicationsin which resources are shared massively across organizations.We propose an authorization system that scales well to thedegree of collaboration and call our system highly-collaborativeauthorization service (HCAS). HCAS is based on role mapping, awell-known RBAC technique that maps roles across collaboratingorganizations. HCAS replaces the inter-domain RBAC rules witha more scalable set of role-mapping tuples. Using simulation,we show that HCAS achieves super-linear savings in the sizeof online rule store. HCAS exhibits a favorable behavior of aslightly decreasing rule set with increasing degree of collaborationin highly-collaborative settings. Scalability of online memoryin RBAC multi-tenant authorization systems enables ef cientsoftware and hardware implementations.