Modeling Privilege Access using NGAC for Cloud Attack Landscape

Abstract The adoption of public clouds, private clouds, and on-premise environments has grown significantly. This business-critical transformation and migration to the cloud have greatly amplified the risks associated with privileged access mismanagement. Traditional Privileged Access Management (PAM) and Identity and Access Management (IAM) solutions struggle to adequately address sophisticated threats, such as privilege escalations, lateral movements, and misconfigurations. To bridge these critical gaps, we propose an innovative PAM framework using the NIST’s Next Generation Access Control (NGAC) applying Hypergraph semantics. We develop model NGAC policy graph as labeled hypergraphs and hy-peredges and apply set-theoretic semantics to evaluate policies as part of the enforcement engine. We establish multi-source, multi-destination policy graphs based on dynamic graph traversals and constraint validations. This unique approach captures dynamic, multi-dimensional privilege relationships , enabling fine-grained, context-aware policy enforcement across diverse cloud infrastructures. Our comprehensive experimental evaluation demonstrates that NGAC combined with hypergraph representations significantly outperforms conventional Attribute-Based Access Control (ABAC) and traditional NGAC graph models, reducing the complexity of privilege mismanagement use-cases from superlinear O(n k) in traditional methods to logarithmic O(n log(n)) in our case, thus markedly improving scalability. Real-world cloud infrastructure use cases validate our method’s ability to swiftly identify over-privileged users, unauthorized privilege escalations, and potential lateral movement attack pathways. This work introduces a novel theoretical framework for dynamic privilege management, fundamentally altering the landscape of access control in distributed cloud systems. By delivering a robust and scalable solution for privilege management in multi-cloud environments , our research provides a critical advancement in cybersecurity practice, offering actionable insights for mitigating high-risk cloud vulner-abilities in near real-time.