Towards a Semantic Based Policy
Management Framework for
Interoperable Cloud
Environments
Hassan Takabi and James Joshi
April 19, 2012
ICA CON 2012
Laboratory of Education and Research in Security Assured
Information Systems (LERSAIS),
University of Pittsburgh,
Pittsburgh, PA, USA
1
Outline
• Motivation
• Use case scenario
• Semantic Based Policy Specification
• Semantic Based Policy Management Framework
• Conclusion & Future Work

2
Motivation
• No single authorization/policy language
• Each CSP employs its own access control
• Authorization is bound to the CSP
• Policies composed in incompatible languages
• CSPs don’t understand each other

3
Use Case Scenarios
• IaaS: Amazon S3 and FlexiScale
• PaaS: Google App Engine and LoadStorm
• Collaboration and interoperation is not easy/possible
  ◦ unless a common understanding of policies is provided.
4
Semantic Based Policy Specification
• Semantic Web and Policy Management
• provide a common understandable semantic basis for policy specification
• semantic based policy specification language (SBPSL)
• Use OWL to model this specification language

5
Ontologies
• Subject rdfs:subClassOf owl:Thing
• Role rdfs:subClassOf owl:Thing
• Object rdfs:subClassOf owl:Thing
• Action rdfs:subClassOf owl:Thing
• Attribute rdfs:subClassOf owl:Thing
• Provider rdfs:subClassOf owl:Thing
• Service rdfs:subClassOf owl:Thing

6
Ontologies
• Subject Ontology
• Object Ontology
• Action Ontology
• Provider Ontology
• Service Ontology
• Attribute Ontology

7
Subject Ontology
• Subject: a user/group/role/process,
  ◦ modeled as an OWL class Subject.
  ◦ The instances of this class represent the subjects on which the policies are defined.
• The object properties and data properties of OWL are used to describe subject attributes
  ◦ hasSubjectAttribute and hasSubjectDataAttribute
  ◦ hasRole, isAssociatedWithProvider, performsAction
8
Rule and Rule Set
• Basic policy rules
  ◦ [Subject, Object, Action]
• For a multi-provider environment:
  ◦ [Provider, Subject, Object, Action, Service]
  ◦ P states that S can perform A on O associated with Ser
9
Roles
  RoleA a sbpsl:Role,
  RoleB a sbpsl:Role,
  RoleC a sbpsl:Role
Subjects
  SubjectA a sbpsl:Subject
    hasRole RoleA
    isAssociatedWithProvider ProviderA,
  SubjectB a sbpsl:Subject
    hasRole RoleB
    isAssociatedWithProvider ProviderB,
  SubjectC a sbpsl:Subject
    hasRole RoleC
    isAssociatedWithProvider ProviderC
Actions
  Read a sbpsl:Action,
  Write a sbpsl:Action,
  Execute a sbpsl:Action
Provider
  ProviderA a sbpsl:Provider,
  ProviderB a sbpsl:Provider,
  ProviderC a sbpsl:Provider
Objects
  ObjectA a sbpsl:Object
    isAssociatedWithService ServiceA.1
    isOwnedByProvider ProviderA,
  ObjectB a sbpsl:Object
    isAssociatedWithService ServiceB.1
    isOwnedByProvider ProviderB,
  ObjectC a sbpsl:Object
    isAssociatedWithService ServiceC.1
    isOwnedByProvider ProviderC
Service
  ServiceA.1 a sbpsl:Service offeredBy ProviderA,
  ServiceA.2 a sbpsl:Service offeredBy ProviderA,
  ServiceB.1 a sbpsl:Service offeredBy ProviderB,
  ServiceB.2 a sbpsl:Service offeredBy ProviderB,
  ServiceC.1 a sbpsl:Service offeredBy ProviderC,
  ServiceC.2 a sbpsl:Service offeredBy ProviderC
Policy rule example:
  [ProviderA, SubjectB, ObjectA, Read, ServiceA.1]
10
Semantic Based Policy Management Framework
11
The Architecture
• cloud service provider
  ◦ PAP
  ◦ PEP
• semantic based policy management service
  ◦ semantic based PDP
12
Access Request Processing
13
Reasoning & Conflict Analysis
• The Reasoning Process
  ◦ Inference
  ◦ Validation
  ◦ Querying the ontology
• Policy Conflict
  ◦ when two disjoint properties appear simultaneously
  ◦ unauthorizedSubject
14
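The rule structure of slides 9 and 10 and the reasoning steps of slide 14, as an added Python example (not code from the slides or from the authors' prototype): an in-memory policy decision point that validates a [Provider, Subject, Object, Action, Service] rule against the ontology facts, infers coverage through hasRole, and reports the disjoint-property conflict. The facts are transcribed from the slide-10 example; treating a Role in the Subject slot as applying to every subject that hasRole it, and encoding denials as (object, unauthorizedSubject, subject) triples, are assumptions of this example.

```python
# Constructed facts transcribed from the slide-10 example, as (subject, predicate, object) triples.
FACTS = {
    ("SubjectB", "a", "sbpsl:Subject"), ("SubjectB", "hasRole", "RoleB"),
    ("SubjectB", "isAssociatedWithProvider", "ProviderB"),
    ("RoleB", "a", "sbpsl:Role"), ("Read", "a", "sbpsl:Action"),
    ("ObjectA", "a", "sbpsl:Object"), ("ObjectA", "isOwnedByProvider", "ProviderA"),
    ("ObjectA", "isAssociatedWithService", "ServiceA.1"),
    ("ServiceA.1", "a", "sbpsl:Service"), ("ServiceA.1", "offeredBy", "ProviderA"),
    ("ServiceB.1", "a", "sbpsl:Service"), ("ServiceB.1", "offeredBy", "ProviderB"),
    ("ProviderA", "a", "sbpsl:Provider"), ("ProviderB", "a", "sbpsl:Provider"),
}
# Expected class of each slot of a [Provider, Subject, Object, Action, Service] rule.
SLOT_CLASSES = ("sbpsl:Provider", "sbpsl:Subject", "sbpsl:Object", "sbpsl:Action", "sbpsl:Service")

def validate_rule(rule, facts=FACTS):
    """Validation: list the ontology constraints the rule violates (empty list = well-formed)."""
    prov, _, obj, _, serv = rule
    problems = []
    for ind, cls in zip(rule, SLOT_CLASSES):
        # Assumption: a Role may stand in the Subject slot (slide 8 lists roles among subjects).
        typed = (ind, "a", cls) in facts or (
            cls == "sbpsl:Subject" and (ind, "a", "sbpsl:Role") in facts)
        if not typed:
            problems.append(f"{ind} is not a {cls}")
    if (serv, "offeredBy", prov) not in facts:
        problems.append(f"{serv} is not offered by {prov}")
    if (obj, "isAssociatedWithService", serv) not in facts:
        problems.append(f"{obj} is not associated with {serv}")
    return problems

def rule_covers(rule, request, facts=FACTS):
    """Inference: the rule matches outright, or its Subject slot names a role the requester has."""
    prov, subj, obj, act, serv = rule
    rprov, rsubj, robj, ract, rserv = request
    if (prov, obj, act, serv) != (rprov, robj, ract, rserv):
        return False
    return subj == rsubj or (rsubj, "hasRole", subj) in facts

def decide(request, rules, facts=FACTS):
    """Querying: 'permit', 'deny', or 'conflict' (a permitting rule and unauthorizedSubject both hold)."""
    _, subj, obj, _, _ = request
    permitted = any(not validate_rule(r, facts) and rule_covers(r, request, facts)
                    for r in rules)
    # Assumption: denials are recorded as (object, unauthorizedSubject, subject) triples.
    unauthorized = (obj, "unauthorizedSubject", subj) in facts
    if permitted and unauthorized:
        return "conflict"
    return "permit" if permitted else "deny"

RULES = [("ProviderA", "SubjectB", "ObjectA", "Read", "ServiceA.1")]  # the slide-10 rule
```

A request in the same 5-tuple shape as the rule is passed to decide(); a conflict is reported rather than silently resolved, leaving the precedence choice to the policy administrator.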
Conclusion and Future Work
• The access control issues, particularly heterogeneity and interoperation
• proposed a semantic based policy management framework
• introduced a semantic based policy specification language
• Working on a prototype implementation

15
Thanks!
Questions?
16