Towards a Semantic Based Policy Management Framework for Interoperable Cloud Environments

Hassan Takabi and James Joshi
April 19, 2012, ICA CON 2012
Laboratory of Education and Research in Security Assured Information Systems (LERSAIS), University of Pittsburgh, Pittsburgh, PA, USA
Transcript


Outline

• Motivation
• Use case scenario
• Semantic Based Policy Specification
• Semantic Based Policy Management Framework
• Conclusion & Future Work

Motivation

• No single authorization/policy language
• Each CSP employs its own access control
• Authorization is bound to the CSP
• Policies composed in incompatible languages
• CSPs don’t understand each other

Use Case Scenarios

• IaaS: Amazon S3 and FlexiScale
• PaaS: Google App Engine and LoadStorm
• Collaboration and interoperation is not easy/possible
  ◦ unless a common understanding of policies is provided.

Semantic Based Policy Specification

• Semantic Web and Policy Management provide a common understandable semantic basis for policy specification
• Semantic based policy specification language (SBPSL)
• Use OWL to model this specification language

Ontologies

Subject rdfs:subClassOf owl:Thing
Role rdfs:subClassOf owl:Thing
Object rdfs:subClassOf owl:Thing
Action rdfs:subClassOf owl:Thing
Attribute rdfs:subClassOf owl:Thing
Provider rdfs:subClassOf owl:Thing
Service rdfs:subClassOf owl:Thing

Ontologies

• Subject Ontology
• Object Ontology
• Action Ontology
• Provider Ontology
• Service Ontology
• Attribute Ontology

Subject Ontology

• Subject: a user/group/role/process
  ◦ modeled as an OWL class Subject.
  ◦ The instances of this class represent the subjects on which the policies are defined.
• The object property and data property of OWL are used to describe subject attributes
  ◦ hasSubjectAttribute and hasSubjectDataAttribute
  ◦ hasRole, isAssociatedWithProvider, performsAction, ...

Rule and Rule Set

• Basic policy rules
  ◦ [Subject, Object, Action]
• For a multi-provider environment:
  ◦ [Provider, Subject, Object, Action, Service]
  ◦ P states that S can perform A on O associated with Ser

Roles:
  RoleA a sbpsl:Role
  RoleB a sbpsl:Role
  RoleC a sbpsl:Role
Subjects:
  SubjectA a sbpsl:Subject; hasRole RoleA; isAssociatedWithProvider ProviderA
  SubjectB a sbpsl:Subject; hasRole RoleB; isAssociatedWithProvider ProviderB
  SubjectC a sbpsl:Subject; hasRole RoleC; isAssociatedWithProvider ProviderC
Objects:
  ObjectA a sbpsl:Object; isAssociatedWithService ServiceA.1; isOwnedByProvider ProviderA
  ObjectB a sbpsl:Object; isAssociatedWithService ServiceB.1; isOwnedByProvider ProviderB
  ObjectC a sbpsl:Object; isAssociatedWithService ServiceC.1; isOwnedByProvider ProviderC
Actions:
  Read a sbpsl:Action
  Write a sbpsl:Action
  Execute a sbpsl:Action
Providers:
  ProviderA a sbpsl:Provider
  ProviderB a sbpsl:Provider
  ProviderC a sbpsl:Provider
Services:
  ServiceA.1 a sbpsl:Service; offeredBy ProviderA
  ServiceA.2 a sbpsl:Service; offeredBy ProviderA
  ServiceB.1 a sbpsl:Service; offeredBy ProviderB
  ServiceB.2 a sbpsl:Service; offeredBy ProviderB
  ServiceC.1 a sbpsl:Service; offeredBy ProviderC
  ServiceC.2 a sbpsl:Service; offeredBy ProviderC

Policy rule example: [ProviderA, SubjectB, ObjectA, Read, ServiceA.1]

Semantic Based Policy Management Framework

The Architecture

• Cloud service provider
  ◦ PAP
  ◦ PEP
• Semantic based policy management service
  ◦ Semantic based PDP

Access Request Processing

Reasoning & Conflict Analysis

• The Reasoning Process
  ◦ Inference
  ◦ Validation
  ◦ Querying the ontology
• Policy Conflict
  ◦ when two disjoint properties appear simultaneously
  ◦ unauthorizedSubject
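The following is an added example, not code from the talk or from the authors' prototype. It puts the individuals from the example slide into a small in-memory triple set and walks through the three reasoning steps named above over the five-tuple rule form [Provider, Subject, Object, Action, Service]: validation (each rule element has the expected class, the service is offered by the stated provider, the object is associated with the service), inference (a rule whose subject slot names a Role covers every Subject that hasRole it, since a subject may be a user, group, role or process), and querying for a decision. It also flags the kind of conflict the slide describes, two disjoint properties holding at once, by checking rules against an assumed `unauthorizedSubject` property from Object to Subject. The `unauthorizedSubject` triple, the role-based and malformed rules, and the exact validation checks are this example's assumptions, not part of the slides.

```python
"""Toy semantic PDP over SBPSL-style [Provider, Subject, Object, Action, Service] rules.

Added example; the individuals mirror the talk's example slide, while the
'unauthorizedSubject' triple, the extra rules and the validation checks are
assumptions made for illustration.
"""
from collections import defaultdict

# Constructed triples (subject, predicate, object) mirroring the example slide.
TRIPLES = [
    ("RoleA", "a", "sbpsl:Role"), ("RoleB", "a", "sbpsl:Role"), ("RoleC", "a", "sbpsl:Role"),
    ("SubjectA", "a", "sbpsl:Subject"), ("SubjectA", "hasRole", "RoleA"),
    ("SubjectA", "isAssociatedWithProvider", "ProviderA"),
    ("SubjectB", "a", "sbpsl:Subject"), ("SubjectB", "hasRole", "RoleB"),
    ("SubjectB", "isAssociatedWithProvider", "ProviderB"),
    ("SubjectC", "a", "sbpsl:Subject"), ("SubjectC", "hasRole", "RoleC"),
    ("SubjectC", "isAssociatedWithProvider", "ProviderC"),
    ("ObjectA", "a", "sbpsl:Object"), ("ObjectA", "isAssociatedWithService", "ServiceA.1"),
    ("ObjectA", "isOwnedByProvider", "ProviderA"),
    ("ObjectB", "a", "sbpsl:Object"), ("ObjectB", "isAssociatedWithService", "ServiceB.1"),
    ("ObjectB", "isOwnedByProvider", "ProviderB"),
    ("ObjectC", "a", "sbpsl:Object"), ("ObjectC", "isAssociatedWithService", "ServiceC.1"),
    ("ObjectC", "isOwnedByProvider", "ProviderC"),
    ("Read", "a", "sbpsl:Action"), ("Write", "a", "sbpsl:Action"), ("Execute", "a", "sbpsl:Action"),
    ("ProviderA", "a", "sbpsl:Provider"), ("ProviderB", "a", "sbpsl:Provider"),
    ("ProviderC", "a", "sbpsl:Provider"),
    ("ServiceA.1", "a", "sbpsl:Service"), ("ServiceA.1", "offeredBy", "ProviderA"),
    ("ServiceA.2", "a", "sbpsl:Service"), ("ServiceA.2", "offeredBy", "ProviderA"),
    ("ServiceB.1", "a", "sbpsl:Service"), ("ServiceB.1", "offeredBy", "ProviderB"),
    ("ServiceB.2", "a", "sbpsl:Service"), ("ServiceB.2", "offeredBy", "ProviderB"),
    ("ServiceC.1", "a", "sbpsl:Service"), ("ServiceC.1", "offeredBy", "ProviderC"),
    ("ServiceC.2", "a", "sbpsl:Service"), ("ServiceC.2", "offeredBy", "ProviderC"),
    # Assumed property (not on the slides): ObjectA explicitly marks SubjectC as unauthorized.
    ("ObjectA", "unauthorizedSubject", "SubjectC"),
]


class Graph:
    """Minimal in-memory triple index: (subject, predicate) -> set of objects."""

    def __init__(self, triples):
        self.index = defaultdict(set)
        for s, p, o in triples:
            self.index[(s, p)].add(o)

    def objects(self, s, p):
        return self.index.get((s, p), set())

    def has(self, s, p, o):
        return o in self.objects(s, p)


# Expected class of each slot in a [Provider, Subject, Object, Action, Service] rule.
RULE_CLASSES = ("sbpsl:Provider", "sbpsl:Subject", "sbpsl:Object", "sbpsl:Action", "sbpsl:Service")


def validate_rule(g, rule):
    """Validation step: list the problems found; an empty list means the rule is well-formed.
    The cross-checks are this example's reading of 'P states that S can perform A on O
    associated with Ser' (the service must be P's, and O must be tied to that service)."""
    p, s, o, a, ser = rule
    problems = []
    for name, cls in zip(rule, RULE_CLASSES):
        # A subject is a user/group/role/process, so a Role may fill the subject slot.
        if cls == "sbpsl:Subject" and g.has(name, "a", "sbpsl:Role"):
            continue
        if not g.has(name, "a", cls):
            problems.append(f"{name} is not a {cls}")
    if not g.has(ser, "offeredBy", p):
        problems.append(f"{ser} is not offered by {p}")
    if not g.has(o, "isAssociatedWithService", ser):
        problems.append(f"{o} is not associated with {ser}")
    return problems


def subject_matches(g, rule_subject, request_subject):
    """Inference step: a rule written for a Role covers every subject that hasRole it."""
    return rule_subject == request_subject or g.has(request_subject, "hasRole", rule_subject)


def decide(g, rules, request):
    """Query step (semantic PDP): Permit only if a validated rule covers the request."""
    p, s, o, a, ser = request
    for rule in rules:
        if validate_rule(g, rule):
            continue  # a malformed rule is ignored rather than trusted
        rp, rs, ro, ra, rser = rule
        if (rp, ro, ra, rser) == (p, o, a, ser) and subject_matches(g, rs, s):
            return "Permit"
    return "Deny"


def find_conflicts(g, rules):
    """Conflict analysis: a rule granting access to a subject that the object marks as
    unauthorizedSubject makes two disjoint properties hold at the same time."""
    conflicts = []
    for rule in rules:
        _, rs, ro, _, _ = rule
        for banned in g.objects(ro, "unauthorizedSubject"):
            if subject_matches(g, rs, banned):
                conflicts.append((rule, banned))
    return conflicts


RULES = [
    ("ProviderA", "SubjectB", "ObjectA", "Read", "ServiceA.1"),   # the slide's example rule
    ("ProviderA", "RoleC", "ObjectA", "Read", "ServiceA.1"),      # constructed role-based rule
    ("ProviderB", "SubjectA", "ObjectA", "Write", "ServiceA.1"),  # constructed malformed rule
]

if __name__ == "__main__":
    g = Graph(TRIPLES)
    print(decide(g, RULES, ("ProviderA", "SubjectB", "ObjectA", "Read", "ServiceA.1")))  # Permit
    print(decide(g, RULES, ("ProviderA", "SubjectA", "ObjectA", "Write", "ServiceA.1")))  # Deny
    print(find_conflicts(g, RULES))
```

The malformed third rule is skipped by the PDP because ServiceA.1 is not offered by ProviderB, which is the practical value of running validation before any decision: a provider cannot grant access through another provider's service by writing a rule in its own PAP. The role-based second rule is what makes the conflict visible: nothing names SubjectC directly, but inference over hasRole shows that the rule and the object's unauthorizedSubject mark apply to the same subject.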

Conclusion and Future Work

• The access control issues, particularly heterogeneity and interoperation
• Proposed a semantic based policy management framework
• Introduced a semantic based policy specification language
• Working on a prototype implementation

Thanks! Questions?