Towards a Semantic Based Policy Management Framework for Interoperable Cloud Environments
Hassan Takabi and James Joshi
April 19, 2012, ICA CON 2012
Laboratory of Education and Research in Security Assured Information Systems (LERSAIS), University of Pittsburgh, Pittsburgh, PA, USA

Slide 2: Outline
Motivation
Use case scenario
Semantic Based Policy Specification
Semantic Based Policy Management Framework
Conclusion & Future Work

Slide 3: Motivation
No single authorization/policy language
Each CSP employs its own access control model
Authorization is bound to one CSP
Policies are composed in incompatible languages
CSPs do not understand each other's policies

Slide 4: Use Case Scenarios
IaaS: Amazon S3 and FlexiScale
PaaS: Google App Engine and LoadStorm
Collaboration and interoperation is not easy or even possible
◦ unless a common understanding of policies is provided.

Slide 5: Semantic Based Policy Specification
Semantic Web and policy management
Provide a common, machine-understandable semantic basis for policy specification
A semantic based policy specification language (SBPSL)
OWL is used to model this specification language

Slide 6: Ontologies
Subject rdfs:subClassOf owl:Thing
Role rdfs:subClassOf owl:Thing
Object rdfs:subClassOf owl:Thing
Action rdfs:subClassOf owl:Thing
Attribute rdfs:subClassOf owl:Thing
Provider rdfs:subClassOf owl:Thing
Service rdfs:subClassOf owl:Thing

Slide 7: Ontologies
Subject Ontology
Object Ontology
Action Ontology
Provider Ontology
Service Ontology
Attribute Ontology

Slide 8: Subject Ontology
Subject: a user, group, role or process
◦ modeled as an OWL class Subject
◦ the instances of this class represent the subjects on which the policies are defined
OWL object properties and data properties are used to describe subject attributes
◦ hasSubjectAttribute and hasSubjectDataAttribute
◦ hasRole, isAssociatedWithProvider, performsAction

Slide 9: Rule and Rule Set
Basic policy rules
◦ [Subject, Object, Action]
For a multi-provider environment:
◦ [Provider, Subject, Object, Action, Service]
◦ provider P states that subject S can perform action A on object O associated with service Ser

Slide 10: Example ontology instances and policy rule
Roles
RoleA a sbpsl:Role,
RoleB a sbpsl:Role,
RoleC a sbpsl:Role

Subjects
SubjectA a sbpsl:Subject hasRole RoleA, isAssociatedWithProvider ProviderA,
SubjectB a sbpsl:Subject hasRole RoleB, isAssociatedWithProvider ProviderB,
SubjectC a sbpsl:Subject hasRole RoleC, isAssociatedWithProvider ProviderC

Actions
Read a sbpsl:Action,
Write a sbpsl:Action,
Execute a sbpsl:Action

Providers
ProviderA a sbpsl:Provider,
ProviderB a sbpsl:Provider,
ProviderC a sbpsl:Provider

Objects
ObjectA a sbpsl:Object isAssociatedWithService ServiceA.1, isOwnedByProvider ProviderA,
ObjectB a sbpsl:Object isAssociatedWithService ServiceB.1, isOwnedByProvider ProviderB,
ObjectC a sbpsl:Object isAssociatedWithService ServiceC.1, isOwnedByProvider ProviderC

Services
ServiceA.1 a sbpsl:Service offeredBy ProviderA,
ServiceA.2 a sbpsl:Service offeredBy ProviderA,
ServiceB.1 a sbpsl:Service offeredBy ProviderB,
ServiceB.2 a sbpsl:Service offeredBy ProviderB,
ServiceC.1 a sbpsl:Service offeredBy ProviderC,
ServiceC.2 a sbpsl:Service offeredBy ProviderC

Policy rule example:
[ProviderA, SubjectB, ObjectA, Read, ServiceA.1]
(ProviderA states that SubjectB may Read ObjectA, which is associated with ServiceA.1; the slide's original listing typed ProviderB and ProviderC as sbpsl:Action, corrected here to sbpsl:Provider.)

Slide 11: Semantic Based Policy Management Framework

Slide 12: The Architecture
Cloud service provider
◦ PAP (policy administration point)
◦ PEP (policy enforcement point)
Semantic based policy management service
◦ semantic based PDP (policy decision point)

Slide 13: Access Request Processing
(diagram of the request flow between PEP, semantic based PDP and PAP; no text on the slide)

Slide 14: Reasoning & Conflict Analysis
The reasoning process
◦ inference
◦ validation
◦ querying the ontology
Policy conflict
◦ arises when two disjoint properties hold for the same individuals at the same time
◦ example property: unauthorizedSubject

Slide 15: Conclusion and Future Work
Addressed access control issues in the cloud, particularly heterogeneity and interoperation
Proposed a semantic based policy management framework
Introduced a semantic based policy specification language
Working on a prototype implementation

Slide 16: Thanks! Questions?
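The five-slot rule from the Rule and Rule Set slide and the inference, validation and conflict steps from the Reasoning & Conflict Analysis slide, carried through in working code. This is an added example, not code from the paper or the authors' prototype: the slides define the classes, properties and the rule shape [Provider, Subject, Object, Action, Service] but no evaluation algorithm, so the closed-world Permit/Deny decision, the expansion of a Role in the subject slot to the subjects that hasRole it, and the authorizedSubject/unauthorizedSubject conflict test are assumptions of this example, as is the constructed unauthorizedSubject assertion used to trigger a conflict. Triples are plain Python tuples rather than an OWL file loaded through an RDF library.

```python
"""Toy semantic PDP over SBPSL-style instance data (added example, not the
authors' code). The closed-world decision, role expansion and the
authorizedSubject/unauthorizedSubject conflict rule are this example's
assumptions; the slides only give the classes, properties and rule shape."""

RDF_TYPE = "a"  # shorthand for rdf:type, as written on the slide


def instance_triples():
    """Instance data transcribed from the example slide (constructed tuples)."""
    t = set()
    for x in "ABC":
        t |= {
            (f"Role{x}", RDF_TYPE, "Role"),
            (f"Subject{x}", RDF_TYPE, "Subject"),
            (f"Subject{x}", "hasRole", f"Role{x}"),
            (f"Subject{x}", "isAssociatedWithProvider", f"Provider{x}"),
            (f"Object{x}", RDF_TYPE, "Object"),
            (f"Object{x}", "isAssociatedWithService", f"Service{x}.1"),
            (f"Object{x}", "isOwnedByProvider", f"Provider{x}"),
            (f"Provider{x}", RDF_TYPE, "Provider"),
            (f"Service{x}.1", RDF_TYPE, "Service"),
            (f"Service{x}.1", "offeredBy", f"Provider{x}"),
            (f"Service{x}.2", RDF_TYPE, "Service"),
            (f"Service{x}.2", "offeredBy", f"Provider{x}"),
        }
    t |= {(a, RDF_TYPE, "Action") for a in ("Read", "Write", "Execute")}
    return t


def objects_of(triples, s, p):
    """Values o such that (s, p, o) is asserted."""
    return {o for (s2, p2, o) in triples if s2 == s and p2 == p}


def is_a(triples, ind, cls):
    return (ind, RDF_TYPE, cls) in triples


# Expected class of each slot in [Provider, Subject, Object, Action, Service].
SLOT_CLASSES = ("Provider", "Subject", "Object", "Action", "Service")


def validate_rule(triples, rule):
    """Validation step: every slot must be an instance of the right class and the
    rule must agree with the ontology (the service is offered by the provider,
    the object is associated with the service). Returns a list of problems."""
    problems = []
    provider, _subj, obj, _action, service = rule
    for ind, cls in zip(rule, SLOT_CLASSES):
        # Slide 8 lets a role act as a subject, so a Role may fill the Subject slot.
        ok = is_a(triples, ind, cls) or (cls == "Subject" and is_a(triples, ind, "Role"))
        if not ok:
            problems.append(f"{ind} is not an instance of {cls}")
    if provider not in objects_of(triples, service, "offeredBy"):
        problems.append(f"{service} is not offered by {provider}")
    if service not in objects_of(triples, obj, "isAssociatedWithService"):
        problems.append(f"{obj} is not associated with {service}")
    return problems


def expand_rule(triples, rule):
    """Inference step (assumed): a rule whose subject slot is a Role applies to
    every Subject that hasRole that role; concrete subjects pass through."""
    provider, subj, obj, action, service = rule
    if not is_a(triples, subj, "Role"):
        return [rule]
    members = {s for (s, p, o) in triples if p == "hasRole" and o == subj}
    return [(provider, m, obj, action, service) for m in sorted(members)]


def find_conflicts(triples, rules):
    """Conflict analysis: a permitting rule implies (Object authorizedSubject S).
    If the ontology also asserts (Object unauthorizedSubject S), two disjoint
    properties hold at once, which the slides define as a policy conflict."""
    conflicts = []
    for rule in rules:
        for (_, s, o, _, _) in expand_rule(triples, rule):
            if (o, "unauthorizedSubject", s) in triples:
                conflicts.append((rule, s, o))
    return conflicts


def decide(triples, rules, request):
    """PDP query: Permit if the request matches an inferred instance of a valid,
    conflict-free rule, otherwise Deny (closed-world assumption of this example)."""
    for rule in rules:
        if validate_rule(triples, rule):
            continue  # a malformed rule never grants access
        if any(s == request[1] and o == request[2]
               for (_, s, o) in find_conflicts(triples, [rule])):
            continue  # a conflicting grant is withheld until the conflict is resolved
        if request in expand_rule(triples, rule):
            return "Permit"
    return "Deny"


if __name__ == "__main__":
    t = instance_triples()
    slide_rule = ("ProviderA", "SubjectB", "ObjectA", "Read", "ServiceA.1")
    role_rule = ("ProviderA", "RoleB", "ObjectA", "Read", "ServiceA.1")
    print(validate_rule(t, slide_rule), decide(t, [slide_rule], slide_rule))
    print(expand_rule(t, role_rule))
    # Constructed assertion that contradicts the grant above.
    t_conflict = t | {("ObjectA", "unauthorizedSubject", "SubjectB")}
    print(find_conflicts(t_conflict, [role_rule]), decide(t_conflict, [role_rule], slide_rule))
```

The validation step is also what catches the kind of typing error visible on the example slide: if ProviderB were asserted as an sbpsl:Action instead of an sbpsl:Provider, any rule naming ProviderB in the provider slot fails validation and grants nothing, which is the safe failure mode for a PDP fed policies authored by another CSP.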