TLBAC: a zero-trust based cloud-edge-endpoint access control system using trusted labels
摘要
With the rapid development of cloud computing, enterprises have increasingly migrated their servers and services from internal networks to cloud environments. Traditional boundary-based protection mechanisms are no longer sufficient for addressing the security requirements of modern cloud-based systems. As cyberattacks continue to evolve, ensuring the long-term, secure, and reliable operation of increasingly complex IT systems has become a significant challenge. Consequently, researchers have proposed various fine-grained access control approaches. Fine-grained access control remains a significant challenge in complex cloud-edge-endpoint collaboration scenarios. Existing approaches often rely on intricate policy definitions to achieve granular control, which can lead to increased computational overhead and degraded system performance. In this paper, we propose a lightweight, Zero-Trust-based Cloud-Edge-Endpoint Access Control System—TLBAC. By embedding trusted labels into TCP packets at the security endpoint (Endpoint), TLBAC enables traffic blocking and forwarding through access control policies issued by the Security Cloud Brain (Cloud) via the Edge Decision Gateway (Edge). This framework achieves fine-grained access control through trusted labels in a cloud-edge-endpoint architecture. To evaluate the effectiveness of TLBAC, four experiments are designed. The first experiment examines the impact of trusted labels insertion on TCP traffic packet transmission behavior. The experimental results show that even under high-latency, significant jitter, and high packet loss conditions in an LTE network, TCP packets with embedded trusted labels maintain stable and reliable data transmission. The second experiment assesses the resource consumption of TLBAC, focusing on CPU and memory overhead. The experimental results indicate that TLBAC’s resource consumption rate is only ± 0.2%. The third experiment simulates a realistic attack environment by launching attacks against the protected system from an adversarial perspective to validate TLBAC’s defensive capabilities. The experimental results demonstrate that TLBAC successfully detected and blocked all attacks in over thirty vulnerability cases involving different components, versions, and exploitation methods. The fourth experiment evaluates the practical operational capability of TLBAC in a multi-tenant environment. The results show that TLBAC can achieve connection-oriented fine-grained access control with low latency, while maintaining policy accuracy and isolation in multi-tenant scenarios.