Computers & Security

Volume 35, June 2013, Pages 2-24

ESPOON_ERBAC: Enforcing security policies in outsourced environments


Data outsourcing is a growing business model that offers individuals and enterprises services for processing and storing large amounts of data. It is not only economical but also promises higher availability, scalability, and better quality of service than in-house solutions. Despite these benefits, data outsourcing raises serious security concerns about preserving data confidentiality. There are solutions that preserve the confidentiality of data while still supporting search over the data stored in outsourced environments. However, such solutions do not support access policies that regulate access to a particular subset of the stored data.

For complex user management, large enterprises employ Role-Based Access Control (RBAC) models, which make access decisions based on the role in which a user is active. However, RBAC models cannot be deployed as-is in outsourced environments, since they rely on a trusted infrastructure to regulate access to the data; deploying RBAC policies at an untrusted provider may reveal private information about the sensitive data they aim to protect. In this paper, we aim to fill this gap by proposing ESPOON_ERBAC for enforcing RBAC policies in outsourced environments. ESPOON_ERBAC enforces RBAC policies in an encrypted manner, so that a curious service provider learns only very limited information about the RBAC policies. We have implemented ESPOON_ERBAC and provide a performance evaluation showing limited overhead, thus confirming the viability of our approach.
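To make the abstract's point concrete, the following is an added example that is not code from the paper: an RBAC policy stored in the clear at the provider exposes role and resource names (a grant of "oncologist" on "patient_42_chemo_record" already says something about patient 42), whereas a policy expressed over keyed tokens can still be evaluated by a provider that never sees those names. The tokenisation used here is a simple HMAC sketch chosen for illustration only, not the construction used in ESPOON_ERBAC; the hospital roles, resources and key are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo key. In a real deployment it stays on the trusted
# enterprise side and is never shared with the service provider.
ENTERPRISE_KEY = b"demo-key-never-given-to-the-provider"


def tok(kind: str, name: str, key: bytes = ENTERPRISE_KEY) -> str:
    """Pseudorandom token for a role ("role") or resource ("res") name.
    The kind prefix gives domain separation, so a role and a resource
    with the same name never map to the same token."""
    return hmac.new(key, f"{kind}:{name}".encode(), hashlib.sha256).hexdigest()


class ProviderPolicyStore:
    """The provider's view: it stores and evaluates the policy but never
    holds ENTERPRISE_KEY, so it only ever sees opaque tokens and the
    shape of the policy (how many roles, resources and edges)."""

    def __init__(self) -> None:
        self.juniors: dict[str, set[str]] = {}  # senior role tok -> junior role toks
        self.perms: dict[str, set[str]] = {}    # resource tok -> role toks granted

    def add_inheritance(self, senior_t: str, junior_t: str) -> None:
        self.juniors.setdefault(senior_t, set()).add(junior_t)

    def grant(self, res_t: str, role_t: str) -> None:
        self.perms.setdefault(res_t, set()).add(role_t)

    def can_access(self, role_t: str, res_t: str) -> bool:
        """Blind evaluation: a role may access a resource if it, or any role
        it inherits from (transitively), appears in the resource's grant set."""
        allowed = self.perms.get(res_t, set())
        stack, seen = [role_t], set()
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            if r in allowed:
                return True
            stack.extend(self.juniors.get(r, ()))
        return False

    def _all_tokens(self) -> list[str]:
        toks = list(self.juniors) + list(self.perms)
        toks += [j for js in self.juniors.values() for j in js]
        toks += [r for rs in self.perms.values() for r in rs]
        return toks

    def contains_plaintext(self, names: list[str]) -> bool:
        """Does any original role/resource name appear in what the provider stores?"""
        blob = " ".join(self._all_tokens())
        return any(n in blob for n in names)

    def leakage(self) -> dict[str, int]:
        """What a curious provider still learns: the policy's shape."""
        role_toks = set(self._all_tokens()) - set(self.perms)
        return {"roles": len(role_toks), "resources": len(self.perms),
                "inheritance_edges": sum(len(v) for v in self.juniors.values())}


def deploy_policy(store: ProviderPolicyStore, hierarchy, grants) -> None:
    """Trusted side: names are tokenised before anything leaves the enterprise."""
    for senior, junior in hierarchy:
        store.add_inheritance(tok("role", senior), tok("role", junior))
    for resource, role in grants:
        store.grant(tok("res", resource), tok("role", role))


def request(store: ProviderPolicyStore, role: str, resource: str) -> bool:
    """Trusted client tokenises its request; the provider evaluates it blind."""
    return store.can_access(tok("role", role), tok("res", resource))


# Constructed sample policy (hypothetical hospital; not from the paper).
# (senior, junior): the senior role inherits the junior role's permissions.
HIERARCHY = [("chief_physician", "oncologist"), ("oncologist", "nurse")]
GRANTS = [("patient_42_chemo_record", "oncologist"), ("ward_roster", "nurse")]


def demo() -> dict:
    store = ProviderPolicyStore()
    deploy_policy(store, HIERARCHY, GRANTS)
    names = [n for pair in HIERARCHY + GRANTS for n in pair]
    return {
        "nurse_reads_chemo": request(store, "nurse", "patient_42_chemo_record"),
        "oncologist_reads_chemo": request(store, "oncologist", "patient_42_chemo_record"),
        "chief_reads_chemo": request(store, "chief_physician", "patient_42_chemo_record"),
        "oncologist_reads_roster": request(store, "oncologist", "ward_roster"),
        "provider_sees_names": store.contains_plaintext(names),
        "leakage": store.leakage(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The provider answers every request correctly, including inherited permissions, without ever holding a role or resource name. The caveat a practitioner should keep in mind is what this sketch still leaks: because the tokens are deterministic, the provider sees the policy's shape (counts of roles, resources and hierarchy edges) and can tell when two requests involve the same role or resource, so it learns access patterns over time. Hiding more than that is exactly the harder problem the paper addresses, and its construction should be consulted rather than this sketch.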


Encrypted RBAC
Policy protection
Sensitive policy evaluation
Secure cloud storage


Muhammad Rizwan Asghar received his B.Sc. (Hons.) degree in Computer Science from the University of the Punjab, Lahore, Pakistan, in 2006. In 2009, he obtained his M.Sc. degree in Information Security Technology from Eindhoven University of Technology, the Netherlands. He joined Create-Net (an international research center based in Trento, Italy) in 2010. Currently, he is a Ph.D. candidate at the University of Trento, Italy. His research interests include access control, applied cryptography, cloud computing, security and privacy.

Mihaela Ion received her B.Sc. in Information Technology and M.Sc. in Computer Science from International University in Germany. During her studies, she conducted various research projects with the University of Marseille in France, SAP Walldorf and IBM Research Boeblingen in Germany. She joined CREATE-NET in 2007, where she has been working on various EU and Italian projects. Her research topics include data confidentiality in publish/subscribe systems, privacy for e-health applications, distributed identity and trust management. She is currently a Ph.D. candidate at the University of Trento working on the security of publish/subscribe systems.

Giovanni Russello is a lecturer at the University of Auckland, New Zealand, and leads the Security technical group within the iNSPIRE area at CREATE-NET in Trento, Italy. Giovanni received his M.Sc. (summa cum laude) in Computer Science from the University of Catania, Italy, in 2000. In 2006, he obtained his Ph.D. from the Eindhoven University of Technology. After obtaining his Ph.D., Giovanni moved to the Policy Group in the Department of Computing at Imperial College London. Giovanni's research interests include policy-based security systems, privacy and confidentiality in cloud computing, smartphone security, and applied cryptography.

Bruno Crispo received his Ph.D. in Computer Security from the University of Cambridge, UK, in 1999, and holds an M.Sc. in Computer Science (1993) from the University of Turin, Italy. He is currently an associate professor at the University of Trento in Italy. He has published more than 100 papers in international journals and in the proceedings of international conferences in the area of security and privacy. His research interests include security protocols and applied cryptography, access control, run-time policy enforcement and, more recently, smartphone security and malware detection. He is a senior member of the IEEE and a member of the ACM.