Title: Towards a Semantic Based Policy Management Framework for Interoperable Cloud Environments
1 Towards a Semantic Based Policy Management Framework for Interoperable Cloud Environments
- Hassan Takabi and James Joshi
- April 19, 2012
- ICA CON 2012
Laboratory of Education and Research in Security Assured Information Systems (LERSAIS), University of Pittsburgh, Pittsburgh, PA, USA
2 Outline
- Motivation
- Use case scenario
- Semantic Based Policy Specification
- Semantic Based Policy Management Framework
- Conclusion and Future Work
3 Motivation
- No single authorization/policy language
- Each CSP employs its own access control
- Authorization is bound to the CSP
- Policies are composed in incompatible languages
- CSPs don't understand each other
4 Use Case Scenarios
- IaaS: Amazon S3 and FlexiScale
- PaaS: Google App Engine and LoadStorm
- Collaboration and interoperation is not easy/possible unless a common understanding of policies is provided.
5 Semantic Based Policy Specification
- Semantic Web and Policy Management
- Provide a common, understandable semantic basis for policy specification
- Semantic based policy specification language (SBPSL)
- Use OWL to model this specification language
6 Ontologies
- Subject rdfs:subClassOf owl:Thing
- Role rdfs:subClassOf owl:Thing
- Object rdfs:subClassOf owl:Thing
- Action rdfs:subClassOf owl:Thing
- Attribute rdfs:subClassOf owl:Thing
- Provider rdfs:subClassOf owl:Thing
- Service rdfs:subClassOf owl:Thing
7 Ontologies
- Subject Ontology
- Object Ontology
- Action Ontology
- Provider Ontology
- Service Ontology
- Attribute Ontology
8 Subject Ontology
- Subject: a user/group/role/process, modeled as an OWL class Subject.
- The instances of this class represent the subjects on which the policies are defined.
- The object properties and data properties of OWL are used to describe subject attributes: hasSubjectAttribute and hasSubjectDataAttribute
- hasRole, isAssociatedWithProvider, performsAction, ...
9 Rule and Rule Set
- Basic policy rules: (Subject, Object, Action)
- For a multi-provider environment: (Provider, Subject, Object, Action, Service)
- P states that S can perform A on O associated with Ser
10
- Roles: RoleA a sbpsl:Role; RoleB a sbpsl:Role; RoleC a sbpsl:Role
- Subjects: SubjectA a sbpsl:Subject, hasRole RoleA, isAssociatedWithProvider ProviderA; SubjectB a sbpsl:Subject, hasRole RoleB, isAssociatedWithProvider ProviderB; SubjectC a sbpsl:Subject, hasRole RoleC, isAssociatedWithProvider ProviderC
- Actions: Read a sbpsl:Action; Write a sbpsl:Action; Execute a sbpsl:Action
- Providers: ProviderA a sbpsl:Provider; ProviderB a sbpsl:Provider; ProviderC a sbpsl:Provider
- Objects: ObjectA a sbpsl:Object, isAssociatedWithService ServiceA.1, isOwnedByProvider ProviderA; ObjectB a sbpsl:Object, isAssociatedWithService ServiceB.1, isOwnedByProvider ProviderB; ObjectC a sbpsl:Object, isAssociatedWithService ServiceC.1, isOwnedByProvider ProviderC
- Services: ServiceA.1 a sbpsl:Service, offeredBy ProviderA; ServiceA.2 a sbpsl:Service, offeredBy ProviderA; ServiceB.1 a sbpsl:Service, offeredBy ProviderB; ServiceB.2 a sbpsl:Service, offeredBy ProviderB; ServiceC.1 a sbpsl:Service, offeredBy ProviderC; ServiceC.2 a sbpsl:Service, offeredBy ProviderC
- Policy rule example: (ProviderA, SubjectB, ObjectA, Read, ServiceA.1)
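The following is an added example, not code from the paper or its prototype, showing how the slide-9 rule form (Provider, Subject, Object, Action, Service) can be evaluated over the slide-10 instances. The instance data is transcribed from the slide as plain "subject predicate object" lines (with "a" abbreviating rdf:type, as in Turtle); the sbpsl: prefix, the in-memory triple store, the structural checks on a rule, and the option of naming a Role rather than a Subject in a rule are assumptions made for this illustration.

```python
"""Evaluating SBPSL-style policy rules over the slide-10 instances (added example)."""
from typing import List, NamedTuple, Set, Tuple

Triple = Tuple[str, str, str]

# Constructed data: the Provider A and Provider B parts of the slide-10 listing.
INSTANCE_LINES = """
RoleA a sbpsl:Role
RoleB a sbpsl:Role
SubjectA a sbpsl:Subject
SubjectA sbpsl:hasRole RoleA
SubjectA sbpsl:isAssociatedWithProvider ProviderA
SubjectB a sbpsl:Subject
SubjectB sbpsl:hasRole RoleB
SubjectB sbpsl:isAssociatedWithProvider ProviderB
Read a sbpsl:Action
Write a sbpsl:Action
ProviderA a sbpsl:Provider
ProviderB a sbpsl:Provider
ObjectA a sbpsl:Object
ObjectA sbpsl:isAssociatedWithService ServiceA.1
ObjectA sbpsl:isOwnedByProvider ProviderA
ObjectB a sbpsl:Object
ObjectB sbpsl:isAssociatedWithService ServiceB.1
ObjectB sbpsl:isOwnedByProvider ProviderB
ServiceA.1 a sbpsl:Service
ServiceA.1 sbpsl:offeredBy ProviderA
ServiceA.2 a sbpsl:Service
ServiceA.2 sbpsl:offeredBy ProviderA
ServiceB.1 a sbpsl:Service
ServiceB.1 sbpsl:offeredBy ProviderB
"""


def parse_triples(text: str) -> Set[Triple]:
    """Read one triple per line; expand the Turtle shorthand 'a' to rdf:type."""
    graph: Set[Triple] = set()
    for line in text.strip().splitlines():
        s, p, o = line.split()
        graph.add((s, "rdf:type" if p == "a" else p, o))
    return graph


class Rule(NamedTuple):
    """P states that S can perform A on O associated with Ser. Requests use the same shape."""
    provider: str
    subject: str  # a Subject, or (assumed extension) a Role that subjects hold via sbpsl:hasRole
    obj: str
    action: str
    service: str


def validate_rule(graph: Set[Triple], rule: Rule) -> List[str]:
    """Structural checks a rule must pass before the PDP will honour it (assumed checks)."""
    problems: List[str] = []
    expected = [(rule.provider, ("sbpsl:Provider",)), (rule.subject, ("sbpsl:Subject", "sbpsl:Role")),
                (rule.obj, ("sbpsl:Object",)), (rule.action, ("sbpsl:Action",)),
                (rule.service, ("sbpsl:Service",))]
    for name, classes in expected:  # every element must be typed by the matching ontology class
        if not any((name, "rdf:type", cls) in graph for cls in classes):
            problems.append(f"{name} is not one of {classes}")
    # A provider may only grant access through a service it offers, on an object it owns
    # that is associated with that service.
    links = [(rule.service, "sbpsl:offeredBy", rule.provider),
             (rule.obj, "sbpsl:isOwnedByProvider", rule.provider),
             (rule.obj, "sbpsl:isAssociatedWithService", rule.service)]
    problems += [f"missing {s} {p} {o}" for s, p, o in links if (s, p, o) not in graph]
    return problems


def subject_matches(graph: Set[Triple], rule_subject: str, requester: str) -> bool:
    """A rule names the requester directly or a role the requester holds."""
    return rule_subject == requester or (requester, "sbpsl:hasRole", rule_subject) in graph


def decide(graph: Set[Triple], policy: List[Rule], request: Rule) -> str:
    """PDP decision: Permit if some well-formed rule covers the request, otherwise Deny."""
    for rule in policy:
        if validate_rule(graph, rule):
            continue  # malformed rules never grant access
        same_scope = (rule.provider, rule.obj, rule.action, rule.service) == (
            request.provider, request.obj, request.action, request.service)
        if same_scope and subject_matches(graph, rule.subject, request.subject):
            return "Permit"
    return "Deny"


GRAPH = parse_triples(INSTANCE_LINES)
# The rule from slide 10, plus an assumed role-based rule for ProviderB.
POLICY = [Rule("ProviderA", "SubjectB", "ObjectA", "Read", "ServiceA.1"),
          Rule("ProviderB", "RoleB", "ObjectB", "Write", "ServiceB.1")]

if __name__ == "__main__":
    for req in [Rule("ProviderA", "SubjectB", "ObjectA", "Read", "ServiceA.1"),
                Rule("ProviderA", "SubjectB", "ObjectA", "Write", "ServiceA.1"),
                Rule("ProviderB", "SubjectA", "ObjectB", "Write", "ServiceB.1")]:
        print(req, "->", decide(GRAPH, POLICY, req))
    print(validate_rule(GRAPH, Rule("ProviderB", "SubjectB", "ObjectA", "Read", "ServiceA.1")))
```

The validation step matters in a multi-provider setting: a rule in which ProviderB "grants" Read on ObjectA through ServiceA.1 is rejected because the graph shows that ServiceA.1 is offered by ProviderA and ObjectA is owned by ProviderA, so ProviderB is not entitled to state that rule.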
11 Semantic Based Policy Management Framework
12 The Architecture
- Cloud service provider
- PAP (Policy Administration Point)
- PEP (Policy Enforcement Point)
- Semantic based policy management service
- Semantic based PDP (Policy Decision Point)
13 Access Request Processing
14 Reasoning and Conflict Analysis
- The Reasoning Process
- Inference
- Validation
- Querying the ontology
- Policy Conflict: when two disjoint properties appear simultaneously
- unauthorizedSubject
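The following is an added example, not code from the paper or its prototype, showing the three reasoning steps on this slide over a small graph: inference (RDFS closure), validation (detecting two disjoint properties holding at once) and querying the ontology. Only sbpsl:Subject, sbpsl:Object and the property unauthorizedSubject come from the slides; sbpsl:Contractor, sbpsl:hasReadAccess, sbpsl:authorizedSubject, the owl:propertyDisjointWith axiom and the forward-chaining reasoner are assumptions made for this illustration. It also shows why the inference step comes before validation: the conflict is not visible in the asserted triples and only appears once the sub-property is expanded.

```python
"""Reasoning over an SBPSL-style ontology: inference, validation, querying (added example)."""
from typing import Set, Tuple

Triple = Tuple[str, str, str]
RDF_TYPE = "rdf:type"
SUBCLASS = "rdfs:subClassOf"
SUBPROP = "rdfs:subPropertyOf"
DISJOINT = "owl:propertyDisjointWith"

# Constructed ontology plus instance data (assumed names except sbpsl:Subject, sbpsl:Object
# and unauthorizedSubject). The two rule-derived assertions about ObjectA/SubjectB do not
# clash on the surface; the clash only shows after inference.
GRAPH: Set[Triple] = {
    ("sbpsl:Subject", SUBCLASS, "owl:Thing"),
    ("sbpsl:Object", SUBCLASS, "owl:Thing"),
    ("sbpsl:Contractor", SUBCLASS, "sbpsl:Subject"),
    ("sbpsl:hasReadAccess", SUBPROP, "sbpsl:authorizedSubject"),
    ("sbpsl:authorizedSubject", DISJOINT, "sbpsl:unauthorizedSubject"),
    ("SubjectB", RDF_TYPE, "sbpsl:Contractor"),
    ("ObjectA", RDF_TYPE, "sbpsl:Object"),
    ("ObjectA", "sbpsl:hasReadAccess", "SubjectB"),        # derived from a permit rule
    ("ObjectA", "sbpsl:unauthorizedSubject", "SubjectB"),  # derived from a later deny rule
}


def query(graph: Set[Triple], s=None, p=None, o=None) -> Set[Triple]:
    """Triple-pattern query over the ontology; None is a wildcard."""
    return {t for t in graph if all(w is None or w == v for w, v in zip((s, p, o), t))}


def infer(graph: Set[Triple]) -> Set[Triple]:
    """Forward-chain a subset of RDFS entailment to a fixpoint: subClassOf and subPropertyOf
    are transitive, rdf:type propagates up the class hierarchy, and a triple stated with a
    sub-property also holds for its super-property."""
    g = set(graph)
    while True:
        new: Set[Triple] = set()
        for sub, _, sup in query(g, p=SUBCLASS):
            for _, _, sup2 in query(g, s=sup, p=SUBCLASS):
                new.add((sub, SUBCLASS, sup2))
            for inst, _, _ in query(g, p=RDF_TYPE, o=sub):
                new.add((inst, RDF_TYPE, sup))
        for prop, _, superprop in query(g, p=SUBPROP):
            for _, _, superprop2 in query(g, s=superprop, p=SUBPROP):
                new.add((prop, SUBPROP, superprop2))
            for s, _, o in query(g, p=prop):
                new.add((s, superprop, o))
        new -= g
        if not new:
            return g
        g |= new


def find_conflicts(graph: Set[Triple]) -> Set[Tuple[str, str, str, str]]:
    """Validation: a policy conflict is two disjoint properties holding simultaneously for
    the same (subject, object) pair. Returns tuples (s, property1, property2, o)."""
    conflicts: Set[Tuple[str, str, str, str]] = set()
    for p1, _, p2 in query(graph, p=DISJOINT):
        pairs1 = {(s, o) for s, _, o in query(graph, p=p1)}
        pairs2 = {(s, o) for s, _, o in query(graph, p=p2)}
        conflicts |= {(s, p1, p2, o) for s, o in pairs1 & pairs2}
    return conflicts


def subjects_of(graph: Set[Triple]) -> Set[str]:
    """Everything the graph currently classifies as an sbpsl:Subject."""
    return {s for s, _, _ in query(graph, p=RDF_TYPE, o="sbpsl:Subject")}


if __name__ == "__main__":
    print("conflicts before inference:", find_conflicts(GRAPH))
    closed = infer(GRAPH)
    print("subjects after inference:", subjects_of(closed))
    print("conflicts after inference:", find_conflicts(closed))
```

Running the block reports no conflict on the asserted graph, then, after inference, classifies SubjectB as an sbpsl:Subject and reports the single conflict on ObjectA/SubjectB between sbpsl:authorizedSubject and sbpsl:unauthorizedSubject, which is exactly the situation the slide describes as two disjoint properties appearing simultaneously.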
15 Conclusion and Future Work
- The access control issues, particularly heterogeneity and interoperation
- Proposed a semantic based policy management framework
- Introduced a semantic based policy specification language
- Working on a prototype implementation