Towards a Semantic Based Policy Management Framework for Interoperable Cloud Environments

1
Towards a Semantic Based Policy Management
Framework for Interoperable Cloud Environments
  • Hassan Takabi and James Joshi
  • April 19, 2012
  • ICA CON 2012

Laboratory of Education and Research in Security
Assured Information Systems (LERSAIS), University
of Pittsburgh, Pittsburgh, PA, USA
2
Outline
  • Motivation
  • Use case scenario
  • Semantic Based Policy Specification
  • Semantic Based Policy Management Framework
  • Conclusion & Future Work

3
Motivation
  • No single authorization/policy language
  • Each CSP employs its own access control model
  • Authorization is bound to a single CSP
  • Policies are composed in incompatible languages
  • CSPs don't understand each other's policies

4
Use Case Scenarios
  • IaaS: Amazon S3 and FlexiScale
  • PaaS: Google App Engine and LoadStorm
  • Collaboration and interoperation between them is
    not easy (or not possible at all)
  • unless a common understanding of policies is
    provided

5
Semantic Based Policy Specification
  • Semantic Web and Policy Management
  • provide a common, machine-understandable semantic
    basis for policy specification
  • a semantic based policy specification language
    (SBPSL)
  • OWL is used to model this specification language

6
Ontologies
  • Subject rdfs:subClassOf owl:Thing
  • Role rdfs:subClassOf owl:Thing
  • Object rdfs:subClassOf owl:Thing
  • Action rdfs:subClassOf owl:Thing
  • Attribute rdfs:subClassOf owl:Thing
  • Provider rdfs:subClassOf owl:Thing
  • Service rdfs:subClassOf owl:Thing

7
Ontologies
  • Subject Ontology
  • Object Ontology
  • Action Ontology
  • Provider Ontology
  • Service Ontology
  • Attribute Ontology

8
Subject Ontology
  • Subject: a user, group, role, or process,
  • modeled as the OWL class Subject.
  • The instances of this class represent the
    subjects on which the policies are defined.
  • OWL object properties and data properties are
    used to describe subject attributes:
  • hasSubjectAttribute and hasSubjectDataAttribute
  • hasRole, isAssociatedWithProvider,
    performsAction

9
Rule and Rule Set
  • Basic policy rules:
  • (Subject, Object, Action)
  • For a multi-provider environment:
  • (Provider, Subject, Object, Action, Service)
  • A rule (P, S, O, A, Ser) states that, at provider
    P, subject S can perform action A on object O
    associated with service Ser

10
Example instances (Turtle-style notation, sbpsl: prefix)
Roles:
  RoleA a sbpsl:Role .  RoleB a sbpsl:Role .  RoleC a sbpsl:Role .
Subjects:
  SubjectA a sbpsl:Subject ; hasRole RoleA ; isAssociatedWithProvider ProviderA .
  SubjectB a sbpsl:Subject ; hasRole RoleB ; isAssociatedWithProvider ProviderB .
  SubjectC a sbpsl:Subject ; hasRole RoleC ; isAssociatedWithProvider ProviderC .
Actions:
  Read a sbpsl:Action .  Write a sbpsl:Action .  Execute a sbpsl:Action .
Providers:
  ProviderA a sbpsl:Provider .  ProviderB a sbpsl:Provider .  ProviderC a sbpsl:Provider .
Objects:
  ObjectA a sbpsl:Object ; isAssociatedWithService ServiceA.1 ; isOwnedByProvider ProviderA .
  ObjectB a sbpsl:Object ; isAssociatedWithService ServiceB.1 ; isOwnedByProvider ProviderB .
  ObjectC a sbpsl:Object ; isAssociatedWithService ServiceC.1 ; isOwnedByProvider ProviderC .
Services:
  ServiceA.1 a sbpsl:Service ; offeredBy ProviderA .
  ServiceA.2 a sbpsl:Service ; offeredBy ProviderA .
  ServiceB.1 a sbpsl:Service ; offeredBy ProviderB .
  ServiceB.2 a sbpsl:Service ; offeredBy ProviderB .
  ServiceC.1 a sbpsl:Service ; offeredBy ProviderC .
  ServiceC.2 a sbpsl:Service ; offeredBy ProviderC .
Policy rule example:
  (ProviderA, SubjectB, ObjectA, Read, ServiceA.1)
  i.e. ProviderA lets SubjectB (a subject of ProviderB) Read ObjectA through ServiceA.1
11
Semantic Based Policy Management Framework
12
The Architecture
  • cloud service provider (CSP)
  • PAP (Policy Administration Point)
  • PEP (Policy Enforcement Point)
  • semantic based policy management service
  • semantic based PDP (Policy Decision Point)

13
Access Request Processing
14
Reasoning & Conflict Analysis
  • The Reasoning Process:
  • Inference: derive the implicit facts (e.g. class
    membership via rdfs:subClassOf) from the asserted ontology
  • Validation: check the policy instances against the
    constraints of the ontology
  • Querying the ontology to answer access requests
  • Policy Conflict:
  • detected when two disjoint properties are inferred
    for the same individual simultaneously
  • unauthorizedSubject is the property used to flag the
    conflicting subject
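To make the rule tuple of slide 9, the instances of slide 10, and the inference / validation / conflict steps of slide 14 concrete, here is a small self-contained engine. It is an added example written for this page, not the authors' prototype, and it replaces a real OWL reasoner with a hand-rolled triple store that only implements the rdfs:subClassOf closure. The facts are constructed from slide 10; the properties authorizedSubject and unauthorizedSubject being declared disjoint, the "Indeterminate" decision for a conflict, and the consistency checks between provider, object and service are assumptions made here, since the slides name unauthorizedSubject but do not define it:

```python
"""Tiny SBPSL-style policy engine: triple store, RDFS subclass inference,
rule validation, and disjoint-property conflict analysis.
Constructed example for this page, not the authors' prototype."""

# Class hierarchy from slide 6: every SBPSL class is a subclass of owl:Thing.
SUBCLASS_OF = {c: "owl:Thing" for c in (
    "sbpsl:Subject", "sbpsl:Role", "sbpsl:Object", "sbpsl:Action",
    "sbpsl:Attribute", "sbpsl:Provider", "sbpsl:Service")}

# Assumed modeling of the slide-14 conflict: authorizedSubject (inferred from
# rules) and unauthorizedSubject (asserted by an administrator) are treated as
# owl:propertyDisjointWith, so both on one (object, subject) pair is a conflict.
DISJOINT = ("sbpsl:authorizedSubject", "sbpsl:unauthorizedSubject")

# Expected class at each position of a multi-provider rule (slide 9).
RULE_SHAPE = ("sbpsl:Provider", "sbpsl:Subject", "sbpsl:Object",
              "sbpsl:Action", "sbpsl:Service")


class Graph:
    """Minimal in-memory RDF graph of (subject, predicate, object) triples."""

    def __init__(self, triples=()):
        self.triples = set(triples)

    def add(self, s, p, o):
        self.triples.add((s, p, o))

    def objects(self, s, p):
        return {o for (ss, pp, o) in self.triples if ss == s and pp == p}

    def types(self, ind):
        """rdf:type closure under rdfs:subClassOf (RDFS entailment rule rdfs9)."""
        found, frontier = set(), list(self.objects(ind, "rdf:type"))
        while frontier:
            cls = frontier.pop()
            if cls not in found:
                found.add(cls)
                if cls in SUBCLASS_OF:
                    frontier.append(SUBCLASS_OF[cls])
        return found


def facts_from_slide10():
    """Individuals and properties of the slide-10 example, as triples."""
    g = Graph()
    for a in ("Read", "Write", "Execute"):
        g.add(a, "rdf:type", "sbpsl:Action")
    for x in "ABC":
        g.add(f"Role{x}", "rdf:type", "sbpsl:Role")
        g.add(f"Provider{x}", "rdf:type", "sbpsl:Provider")
        g.add(f"Subject{x}", "rdf:type", "sbpsl:Subject")
        g.add(f"Subject{x}", "sbpsl:hasRole", f"Role{x}")
        g.add(f"Subject{x}", "sbpsl:isAssociatedWithProvider", f"Provider{x}")
        g.add(f"Object{x}", "rdf:type", "sbpsl:Object")
        g.add(f"Object{x}", "sbpsl:isAssociatedWithService", f"Service{x}.1")
        g.add(f"Object{x}", "sbpsl:isOwnedByProvider", f"Provider{x}")
        for n in (1, 2):
            g.add(f"Service{x}.{n}", "rdf:type", "sbpsl:Service")
            g.add(f"Service{x}.{n}", "sbpsl:offeredBy", f"Provider{x}")
    return g


def validate_rule(g, rule):
    """Validation step: each element must be typed as the class expected at its
    position, and the provider/object/service links must agree. Returns errors."""
    errs = [f"{ind} is not a {cls}" for ind, cls in zip(rule, RULE_SHAPE)
            if cls not in g.types(ind)]
    prov, _subj, obj, _act, svc = rule
    if not errs:  # link checks only make sense once the types are right
        if prov not in g.objects(obj, "sbpsl:isOwnedByProvider"):
            errs.append(f"{obj} is not owned by {prov}")
        if prov not in g.objects(svc, "sbpsl:offeredBy"):
            errs.append(f"{svc} is not offered by {prov}")
        if svc not in g.objects(obj, "sbpsl:isAssociatedWithService"):
            errs.append(f"{obj} is not associated with {svc}")
    return errs


def infer(g, rules):
    """Inference step: every valid rule materialises an authorizedSubject link
    from its object to its subject. Returns the rules that passed validation."""
    valid = [r for r in rules if not validate_rule(g, r)]
    for _prov, subj, obj, _act, _svc in valid:
        g.add(obj, "sbpsl:authorizedSubject", subj)
    return valid


def find_conflicts(g):
    """Conflict analysis: (object, subject) pairs carrying both disjoint properties."""
    auth, unauth = DISJOINT
    authorized = {(s, o) for (s, p, o) in g.triples if p == auth}
    return sorted((s, o) for (s, p, o) in g.triples
                  if p == unauth and (s, o) in authorized)


def decide(g, rules, request):
    """Semantic PDP: Permit on an exact rule match, Indeterminate if the subject
    is in conflict for the requested object (the PAP must resolve it), else Deny."""
    valid = infer(g, rules)
    _prov, subj, obj, _act, _svc = request
    if (obj, subj) in find_conflicts(g):
        return "Indeterminate"
    return "Permit" if tuple(request) in valid else "Deny"


if __name__ == "__main__":
    g = facts_from_slide10()
    rules = [("ProviderA", "SubjectB", "ObjectA", "Read", "ServiceA.1")]  # slide 10
    print(decide(g, rules, rules[0]))                                            # Permit
    print(decide(g, rules, ("ProviderA", "SubjectC", "ObjectA", "Read", "ServiceA.1")))  # Deny
    print(validate_rule(g, ("ProviderB", "SubjectA", "ObjectA", "Read", "ServiceA.1")))
    g.add("ObjectA", "sbpsl:unauthorizedSubject", "SubjectB")  # administrator assertion
    print(find_conflicts(g), decide(g, rules, rules[0]))                         # Indeterminate
```

The validation step is where a mistyped instance (an individual declared as a sbpsl:Action where the rule position expects a sbpsl:Provider) is caught before any authorization is inferred, and the conflict check keeps a rule from silently overriding an explicit unauthorizedSubject assertion: the PDP refuses to answer instead of guessing.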

15
Conclusion and Future Work
  • Addressed access control issues in the cloud,
    particularly heterogeneity and interoperation
  • Proposed a semantic based policy management
    framework
  • Introduced a semantic based policy specification
    language (SBPSL)
  • Working on a prototype implementation

16
  • Thanks!
  • Questions?