Doctoral Symposium of ESSoS 12 vol:834 edition:1 pages:43-48
Doctoral Symposium of ESSoS 12 edition:1 location:Eindhoven, The Netherlands date:15 February 2012
With Software-as-a-Service (SaaS), a centrally hosted web-based application is offered to a large number of customer organizations called tenants, each of which uses multiple applications. The tenant and the provider each work in their own authoritative and administrative domain, leading to a federated architecture and raising the bar for security and access control. Access control for SaaS applications is about protecting the tenant's data at the provider's side using the tenant's policies and user information. In current practice, however, all access control policies are evaluated at the provider's side, which distributes and fragments the tenant's policies over the multiple applications it uses. Moreover, all necessary user information then has to be shared with the provider, resulting in the disclosure of confidential tenant data. Therefore, we propose the concept of federated authorization, a combination of externalized authorization and federated access control techniques whereby the tenant's access control policies are evaluated at the tenant's side using local data.
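The following is an added illustration of the architecture the abstract describes, not code from the paper or its authors. It simulates a SaaS provider that runs only a policy enforcement point (PEP) and forwards each access request to a policy decision point (PDP) hosted in the tenant's own domain; the tenant's policy rules and user directory stay on the tenant side, and the audit trail shows that only a subject identifier, an action and resource attributes cross the boundary. The tenant names, user records and rules are constructed for the example, and the in-process call to `TenantPDP.decide` stands in for the remote request the provider would make.

```python
"""Federated authorization, simulated: tenant-side PDP, provider-side PEP.

Added example, not from the paper. All names, users and rules are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class AuthzRequest:
    """The only data that crosses the provider -> tenant boundary."""
    subject_id: str            # opaque identifier, e.g. from the federated login
    action: str
    resource: Dict[str, str]   # attributes of the provider-side resource


# A rule returns "Permit", "Deny" or "NotApplicable".
Rule = Callable[[Dict[str, str], AuthzRequest], str]


class TenantPDP:
    """Policy decision point run inside the tenant's own domain."""

    def __init__(self, directory: Dict[str, Dict[str, str]], policy: List[Rule]):
        self._directory = directory            # user attributes never leave this object
        self._policy = policy                  # the tenant's own rules, in one place
        self.received: List[AuthzRequest] = []  # audit trail of incoming requests

    def decide(self, req: AuthzRequest) -> str:
        self.received.append(req)
        user = self._directory.get(req.subject_id)
        if user is None:
            return "Deny"                      # unknown subject: fail closed
        for rule in self._policy:
            verdict = rule(user, req)
            if verdict != "NotApplicable":
                return verdict                 # first applicable rule wins
        return "Deny"                          # default deny


def suspended_users_denied(user: Dict[str, str], req: AuthzRequest) -> str:
    return "Deny" if user.get("status") == "suspended" else "NotApplicable"


def physician_reads_own_department(user: Dict[str, str], req: AuthzRequest) -> str:
    if req.action == "read" and req.resource.get("type") == "patient_record":
        if (user.get("role") == "physician"
                and user.get("department") == req.resource.get("department")):
            return "Permit"
    return "NotApplicable"


class ProviderPEP:
    """Enforcement point at the SaaS provider: asks the tenant, then enforces."""

    def __init__(self, tenant_pdps: Dict[str, TenantPDP]):
        self._pdps = tenant_pdps   # tenant id -> its PDP (stand-in for a remote call)

    def access(self, tenant_id: str, subject_id: str, action: str,
               resource: Dict[str, str]) -> bool:
        pdp = self._pdps.get(tenant_id)
        if pdp is None:
            return False                       # unknown tenant: fail closed
        req = AuthzRequest(subject_id, action, dict(resource))
        return pdp.decide(req) == "Permit"


def build_demo():
    """Constructed tenant with a local directory and a two-rule policy."""
    hospital_a = TenantPDP(
        directory={
            "alice": {"role": "physician", "department": "cardiology", "status": "active"},
            "bob": {"role": "physician", "department": "oncology", "status": "suspended"},
        },
        policy=[suspended_users_denied, physician_reads_own_department],
    )
    pep = ProviderPEP({"hospital-a": hospital_a})
    return pep, hospital_a


def fields_sent_to_tenant(pdp: TenantPDP) -> List[str]:
    """Field names that crossed the boundary: no role, department or status."""
    return sorted({f for r in pdp.received for f in vars(r)})


if __name__ == "__main__":
    pep, pdp = build_demo()
    record = {"type": "patient_record", "department": "cardiology"}
    print(pep.access("hospital-a", "alice", "read", record))   # True
    print(pep.access("hospital-a", "bob", "read",
                     {"type": "patient_record", "department": "oncology"}))  # False
    print(fields_sent_to_tenant(pdp))
```

Under provider-side evaluation, `physician_reads_own_department` would need `role` and `department` for every user to be copied to the provider; here those attributes are consulted only inside `TenantPDP.decide`, and `fields_sent_to_tenant` confirms what the provider actually transmitted.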