In the 1970s, there were many papers describing models for authorization in file systems and relational databases. Some of those models are now being rediscovered in the context of cloud systems. This paper presents the management and assurance of security requirements in cloud systems. The authors of this paper appear to ignore the past work on similar subjects and claim that this is a new model because it applies to cloud systems.

The paper is well written and the details of the authors’ approach are interesting, but their model has little to do with cloud systems except that their example considers components executing in different virtual machines. However, this deployment has no effect on the security analysis. The example considers only file protection, and nothing is said about content-dependent authorization, which requires the use of databases. These models have not been implemented in an actual cloud, and it is not clear how they would relate to the infrastructure as a service (IaaS) support of vendors such as IBM, Amazon, or VMware.

I found the paper to be of some pedagogic value for students of security because the development is clear and detailed, but I don’t see much original work here.