Purpose-Based Privacy Preserving Access Control for Secure Service Provision and Composition

Two main security issues in software as a service (SaaS) delivery model of cloud environments are access control and privacy preserving in basic web services as well as composite services where we require to infer policies through the automatic composition of the policies specified for their constituting basic services. In this paper, we present a privacy preserving access control model and framework for secure service provision and composition. The model is a combination of an attribute based access control model and a proposed purpose-based privacy model. Following this model, an access request for a service is permitted if the requester's attribute certificates and contextual conditions are in compliance with the access control policies specified by the service provider and simultaneously the privacy preferences of the requester is compatible with the privacy policies of the service provider. In the framework proposed in this paper, for secure service composition, possible chains of composite services are ranked according to the users' preferences and sensitivity level of their data. The security policies of the composite service, established by the chosen chain of services, are inferred by automatic composition of policies specified for the basic services in the chain.