
Scalable Privilege Analysis for Multi-Cloud Big Data Platforms: A Hypergraph Approach

Sai Sitharaman, Hassan Karim, Deepti Gupta, Mudit Tyagi

TL;DR

The paper tackles privileged access mismanagement in multi-cloud environments where ABAC-based PAM is computationally intractable at scale. It introduces NGAC-Hypergraph, integrating NGAC with hypergraph semantics to model multi-attribute privilege relationships, yielding theoretical bounds of $O(\sqrt{n})$ traversal and $O(n \log n)$ detection. The approach is organized around a 3-Dimensional Privilege Analysis framework and a formal NGAC-hypergraph model, with empirical validation showing up to 10× speedups over ABAC and 4× over NGAC-DAG in large AWS-like deployments. The work demonstrates real-time, scalable privilege analysis for cloud security and sets the stage for multi-cloud federation and AI-enhanced anomaly detection in PAM.

Abstract

The rapid adoption of multi-cloud environments has amplified risks associated with privileged access mismanagement. Traditional Privileged Access Management (PAM) solutions based on Attribute-Based Access Control (ABAC) exhibit cubic $O(n^3)$ complexity, rendering real-time privilege analysis intractable at enterprise scale. We present a novel PAM framework integrating NIST's Next Generation Access Control (NGAC) with hypergraph semantics to address this scalability crisis. Our approach leverages hypergraphs with labeled hyperedges to model complex, multi-dimensional privilege relationships, achieving sub-linear $O(\sqrt{n})$ traversal complexity and $O(n \log n)$ detection time, rigorously proven through formal complexity analysis. We introduce a 3-Dimensional Privilege Analysis framework encompassing Attack Surface, Attack Window, and Attack Identity to systematically identify privilege vulnerabilities. Experimental validation on AWS-based systems with 200-4000 users demonstrates 10x improvement over ABAC and 4x improvement over standard NGAC-DAG, enabling sub-second privilege detection at scale. Real-world use cases validate detection of privilege escalation chains, over-privileged users, and lateral movement pathways in multi-cloud infrastructures.
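To make the abstract's vocabulary concrete, here is an added example (not the paper's NGAC-Hypergraph model or its algorithms, and not a reproduction of its complexity bounds) that models a small policy using the NGAC vocabulary from the NIST standard: users, user attributes, objects, object attributes, assignment edges, and associations. Each association is a labeled hyperedge (one user attribute, a set of operations, one object attribute) that grants an operation set to every user under one attribute over every object under another, so a privilege query becomes a reachability check rather than a per-user, per-object rule scan. The user, attribute and resource names are constructed and AWS-flavoured; the `holders` and `excess` audit queries are this example's own, added to show the over-privileged-user detection the abstract mentions.

```python
"""Privilege reachability over a small NGAC-style policy hypergraph (added example, constructed data)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Association:
    """Labeled hyperedge: members of `user_attr` may perform `ops` on everything under `obj_attr`."""
    user_attr: str
    ops: FrozenSet[str]
    obj_attr: str


class PolicyHypergraph:
    def __init__(self) -> None:
        self.parents: Dict[str, Set[str]] = defaultdict(set)   # assignment: node -> containing attributes
        self.children: Dict[str, Set[str]] = defaultdict(set)  # reverse of `parents`
        self.users: Set[str] = set()
        self.objects: Set[str] = set()
        self.associations: List[Association] = []

    def add_user(self, user: str, *attrs: str) -> None:
        self.users.add(user)
        for a in attrs:
            self.assign(user, a)

    def add_object(self, obj: str, *attrs: str) -> None:
        self.objects.add(obj)
        for a in attrs:
            self.assign(obj, a)

    def assign(self, child: str, parent: str) -> None:
        self.parents[child].add(parent)
        self.children[parent].add(child)

    def associate(self, user_attr: str, ops: Iterable[str], obj_attr: str) -> None:
        self.associations.append(Association(user_attr, frozenset(ops), obj_attr))

    def _closure(self, start: str, edges: Dict[str, Set[str]]) -> Set[str]:
        """Nodes reachable from `start` (inclusive) along `edges`; the visited set guards against cycles."""
        seen = {start}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            for nxt in edges[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def can(self, user: str, op: str, obj: str) -> bool:
        """Privilege query: is there a path user -> user attr -(op)-> object attr -> object?"""
        uas = self._closure(user, self.parents)
        oas = self._closure(obj, self.parents)
        return any(a.user_attr in uas and a.obj_attr in oas and op in a.ops
                   for a in self.associations)

    def privileges(self, user: str) -> Set[Tuple[str, str]]:
        """Every (op, object) the user holds, enumerated per hyperedge rather than per user-object pair."""
        uas = self._closure(user, self.parents)
        held: Set[Tuple[str, str]] = set()
        for a in self.associations:
            if a.user_attr not in uas:
                continue
            targets = self._closure(a.obj_attr, self.children) & self.objects
            held.update((op, o) for op in a.ops for o in targets)
        return held

    def holders(self, op: str, obj: str) -> Set[str]:
        """Audit question: which users can perform `op` on `obj`?"""
        return {u for u in self.users if self.can(u, op, obj)}

    def excess(self, user: str, required: Set[Tuple[str, str]]) -> Set[Tuple[str, str]]:
        """Over-privilege check: privileges held beyond what the user's role actually requires."""
        return self.privileges(user) - required


def build_sample_policy() -> PolicyHypergraph:
    """Constructed AWS-flavoured policy; every name here is illustrative, not taken from the paper."""
    g = PolicyHypergraph()
    g.add_user("alice", "Developers")
    g.add_user("bob", "DataEngineers")
    g.add_user("carol", "Admins")
    for ua in ("Developers", "DataEngineers", "Admins"):
        g.assign(ua, "Staff")
    g.add_object("s3://dev-sandbox", "DevData")
    g.add_object("s3://prod-analytics", "ProdData")
    g.add_object("kms:prod-key", "ProdSecrets")
    g.assign("ProdData", "Prod")
    g.assign("ProdSecrets", "Prod")
    g.associate("Staff", {"read"}, "DevData")
    g.associate("DataEngineers", {"read", "write"}, "ProdData")
    g.associate("Admins", {"read", "write", "delete", "kms:Decrypt"}, "Prod")
    return g


if __name__ == "__main__":
    g = build_sample_policy()
    print(sorted(g.holders("write", "s3://prod-analytics")))            # ['bob', 'carol']
    print(sorted(g.excess("bob", {("read", "s3://prod-analytics")})))   # bob's privileges beyond his stated need
```

Because the operation set is attached to the hyperedge rather than to each user-object pair, adding a user to an attribute or an object under an attribute changes no association; that is the structural property that keeps the policy graph small and lets the reviewer-facing queries (`holders`, `excess`) run as set intersections over attribute closures.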

Paper Structure

This paper contains 30 sections, 3 theorems, 5 figures, 4 tables.

Key Result

Theorem 1

For ABAC with $n$ entities:

Figures (5)

  • Figure 1: 3-Dimensional Privilege Analysis Framework
  • Figure 2: Hypergraph representation of AWS IAM privilege relationships
  • Figure 3: NGAC policy graph for detection of privilege escalation path
  • Figure 4: Graph size growth vs. number of entities ($n$). The NGAC-DAG exhibits linear growth, the NGAC-Hypergraph displays superlinear growth, and ABAC shows quadratic growth, necessitating a logarithmic scale on the y-axis for comparison.
  • Figure 5: Privilege detection time versus number of entities ($n$). NGAC-Hypergraph demonstrates logarithmic growth, significantly outperforming NGAC-DAG (quadratic growth) and ABAC (cubic growth).

Theorems & Definitions (8)

  • Definition 1: NGAC Policy Hypergraph
  • Definition 2: Privilege Query
  • Definition 3: Valid Access Path
  • Definition 4: Scale Parameter
  • Theorem 1: ABAC Complexity
  • Theorem 2: NGAC-DAG Complexity
  • Theorem 3: NGAC-Hypergraph Complexity