Towards a Semantic Based Policy Management Framework for Interoperable Cloud Environments
Hassan Takabi and James Joshi
April 19, 2012, ICA CON 2012
Laboratory of Education and Research in Security Assured Information Systems (LERSAIS),
University of Pittsburgh, Pittsburgh, PA, USA
Outline
Motivation
Use case scenario
Semantic based policy specification
Semantic based policy management framework
Conclusion & future work
Motivation
No single authorization/policy language
Each CSP employs its own access control
Authorization is bound to the CSP
Policies are composed in incompatible languages
CSPs don't understand each other
Use Case Scenarios
IaaS: Amazon S3 and FlexiScale
PaaS: Google App Engine and LoadStorm
Collaboration and interoperation are not easy or not possible
◦unless a common understanding of policies is provided
Semantic Based Policy Specification
Semantic Web and policy management
◦provide a common, understandable semantic basis for policy specification
Semantic based policy specification language (SBPSL)
◦use OWL to model this specification language
Ontologies
◦Subject rdfs:subClassOf owl:Thing
◦Role rdfs:subClassOf owl:Thing
◦Object rdfs:subClassOf owl:Thing
◦Action rdfs:subClassOf owl:Thing
◦Attribute rdfs:subClassOf owl:Thing
◦Provider rdfs:subClassOf owl:Thing
◦Service rdfs:subClassOf owl:Thing
Ontologies
◦Subject Ontology
◦Object Ontology
◦Action Ontology
◦Provider Ontology
◦Service Ontology
◦Attribute Ontology
Subject Ontology
Subject: a user/group/role/process
◦modeled as an OWL class Subject
◦the instances of this class represent the subjects on which the policies are defined
The object property and data property of OWL are used to describe subject attributes
◦hasSubjectAttribute and hasSubjectDataAttribute
◦hasRole, isAssociatedWithProvider, performsAction
Rule and Rule Set
Basic policy rules
◦[Subject, Object, Action]
For a multi-provider environment:
◦[Provider, Subject, Object, Action, Service]
◦P states that S can perform A on O associated with Ser
Roles
◦RoleA a sbpsl:Role, RoleB a sbpsl:Role, RoleC a sbpsl:Role
Subjects
◦SubjectA a sbpsl:Subject; hasRole RoleA; isAssociatedWithProvider ProviderA
◦SubjectB a sbpsl:Subject; hasRole RoleB; isAssociatedWithProvider ProviderB
◦SubjectC a sbpsl:Subject; hasRole RoleC; isAssociatedWithProvider ProviderC
Actions
◦Read a sbpsl:Action, Write a sbpsl:Action, Execute a sbpsl:Action
Providers
◦ProviderA a sbpsl:Provider, ProviderB a sbpsl:Provider, ProviderC a sbpsl:Provider
Objects
◦ObjectA a sbpsl:Object; isAssociatedWithService ServiceA.1; isOwnedByProvider ProviderA
◦ObjectB a sbpsl:Object; isAssociatedWithService ServiceB.1; isOwnedByProvider ProviderB
◦ObjectC a sbpsl:Object; isAssociatedWithService ServiceC.1; isOwnedByProvider ProviderC
Services
◦ServiceA.1 a sbpsl:Service; offeredBy ProviderA
◦ServiceA.2 a sbpsl:Service; offeredBy ProviderA
◦ServiceB.1 a sbpsl:Service; offeredBy ProviderB
◦ServiceB.2 a sbpsl:Service; offeredBy ProviderB
◦ServiceC.1 a sbpsl:Service; offeredBy ProviderC
◦ServiceC.2 a sbpsl:Service; offeredBy ProviderC
Policy rule example: [ProviderA, SubjectB, ObjectA, Read, ServiceA.1]
Semantic Based Policy Management Framework
The Architecture
Cloud service provider
◦PAP (policy administration point)
◦PEP (policy enforcement point)
Semantic based policy management service
◦semantic based PDP (policy decision point)
Access Request Processing
Reasoning & Conflict Analysis
The reasoning process
◦Inference
◦Validation
◦Querying the ontology
Policy conflict
◦when two disjoint properties appear simultaneously
◦unauthorizedSubject
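Added example, not code from the slides or from the authors' prototype: a small Python evaluator that loads the instances from the example slide as triples, checks whether a 5-tuple rule [Provider, Subject, Object, Action, Service] is consistent with the ontology, decides an access request the way the semantic PDP would, and flags the disjoint-property conflict described above. The triple encoding, the consistency checks in well_formed, and unauthorizedSubject used as a denial fact (O, unauthorizedSubject, S) are assumptions of this example.

```python
# Added example, not the slides' or the authors' own code. Triple encoding, the
# rule consistency checks and the unauthorizedSubject denial fact are assumptions.

# Constructed instances transcribed from the example slide as (s, p, o) triples.
TRIPLES = {
    ("RoleA", "a", "sbpsl:Role"), ("RoleB", "a", "sbpsl:Role"),
    ("SubjectA", "a", "sbpsl:Subject"), ("SubjectA", "hasRole", "RoleA"),
    ("SubjectA", "isAssociatedWithProvider", "ProviderA"),
    ("SubjectB", "a", "sbpsl:Subject"), ("SubjectB", "hasRole", "RoleB"),
    ("SubjectB", "isAssociatedWithProvider", "ProviderB"),
    ("Read", "a", "sbpsl:Action"), ("Write", "a", "sbpsl:Action"),
    ("ProviderA", "a", "sbpsl:Provider"), ("ProviderB", "a", "sbpsl:Provider"),
    ("ObjectA", "a", "sbpsl:Object"), ("ObjectA", "isOwnedByProvider", "ProviderA"),
    ("ObjectA", "isAssociatedWithService", "ServiceA.1"),
    ("ServiceA.1", "a", "sbpsl:Service"), ("ServiceA.1", "offeredBy", "ProviderA"),
    ("ServiceB.1", "a", "sbpsl:Service"), ("ServiceB.1", "offeredBy", "ProviderB"),
}

def has(s, p, o):
    return (s, p, o) in TRIPLES

def well_formed(rule):
    """Rule [Provider, Subject, Object, Action, Service]: every element must be typed
    in the ontology, and provider P must offer Ser and own O (assumed meaning of
    'P states that S can perform A on O associated with Ser')."""
    p, s, o, a, ser = rule
    return (has(p, "a", "sbpsl:Provider") and has(s, "a", "sbpsl:Subject")
            and has(o, "a", "sbpsl:Object") and has(a, "a", "sbpsl:Action")
            and has(ser, "a", "sbpsl:Service") and has(ser, "offeredBy", p)
            and has(o, "isOwnedByProvider", p)
            and has(o, "isAssociatedWithService", ser))

def decide(rules, request):
    """Semantic PDP step: permit (subject, object, action, service) only if some
    rule that is consistent with the ontology matches it exactly."""
    return any(well_formed(r) and r[1:] == tuple(request) for r in rules)

def conflicts(rules, facts):
    """Conflict analysis: a rule authorizes S on O while facts also assert
    (O, unauthorizedSubject, S); the two properties are disjoint, so both
    holding at once is a policy conflict. Returns the (object, subject) pairs."""
    return sorted((r[2], r[1]) for r in rules
                  if well_formed(r) and (r[2], "unauthorizedSubject", r[1]) in facts)

# The policy rule from the slides, plus a constructed denial fact for the conflict.
RULES = [("ProviderA", "SubjectB", "ObjectA", "Read", "ServiceA.1")]
DENIALS = {("ObjectA", "unauthorizedSubject", "SubjectB")}
```

A rule naming a provider that neither offers the service nor owns the object is rejected by well_formed before it can grant anything, which is the validation step of the reasoning process.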
Conclusion and Future Work
Discussed access control issues in the cloud, particularly heterogeneity and interoperation
Proposed a semantic based policy management framework
Introduced a semantic based policy specification language
Working on a prototype implementation
Thanks!Questions?