Privacy-Preserving Access Control in Cloud Federations

A Cloud federation is a collaboration of organizations sharing data hosted on their private cloud infrastructures in order to exploit a common business opportunity. However, the adoption of cloud federations is hindered by member organizations' concerns on sharing their data with potentially competing organizations. For cloud federations to be viable, federated organizations' privacy concerns should be alleviated by providing mechanisms that allow organizations to control which users from other federated organizations can access which data. We propose the architecture of a novel identity and access management system part of FaaS, a cloud federation service developed by the H2020 SUNFISH project. Our system allows federated organizations to enforce attribute-based access control policies on their data in a privacy-preserving fashion. Users are granted access to federated data when their identity attributes match the policies, but without revealing their attributes in clear. The architecture relies on two novel technologies, blockchain and Intel SGX hardware platform to guarantee integrity of the policy evaluation process.