Towards a Semantic Based Policy Management Framework for Interoperable Cloud Environments
Hassan Takabi and James Joshi
April 19, 2012, ICA CON 2012
Laboratory of Education and Research in Security Assured Information Systems (LERSAIS), University of Pittsburgh, Pittsburgh, PA, USA
Outline
• Motivation
• Use case scenario
• Semantic Based Policy Specification
• Semantic Based Policy Management Framework
• Conclusion & Future Work
Motivation
• No single authorization/policy language
• Each CSP employs its own access control
• Authorization is bound to the CSP
• Policies are composed in incompatible languages: CSPs don't understand each other
Use Case Scenarios
• IaaS: Amazon S3 and FlexiScale
• PaaS: Google App Engine and LoadStorm
• Collaboration and interoperation is not easy/possible
  ◦ unless a common understanding of policies is provided.
Semantic Based Policy Specification
• Semantic Web and Policy Management provide a common, understandable semantic basis for policy specification
• Semantic based policy specification language (SBPSL)
• Use OWL to model this specification language
Ontologies
• Subject rdfs:subClassOf owl:Thing
• Role rdfs:subClassOf owl:Thing
• Object rdfs:subClassOf owl:Thing
• Action rdfs:subClassOf owl:Thing
• Attribute rdfs:subClassOf owl:Thing
• Provider rdfs:subClassOf owl:Thing
• Service rdfs:subClassOf owl:Thing
Ontologies
• Subject Ontology
• Object Ontology
• Action Ontology
• Provider Ontology
• Service Ontology
• Attribute Ontology
Subject Ontology
• Subject: a user/group/role/process
  ◦ modeled as an OWL class Subject.
  ◦ The instances of this class represent the subjects on which the policies are defined.
• The object property and data property of OWL are used to describe subject attributes
  ◦ hasSubjectAttribute and hasSubjectDataAttribute
  ◦ hasRole, isAssociatedWithProvider, performsAction, ...
Rule and Rule Set
• Basic policy rules
  ◦ [Subject, Object, Action]
• For a multi-provider environment:
  ◦ [Provider, Subject, Object, Action, Service]
  ◦ P states that S can perform A on O associated with Ser
Example ontology instances:
Roles: RoleA a sbpsl:Role, RoleB a sbpsl:Role, RoleC a sbpsl:Role
Subjects:
  SubjectA a sbpsl:Subject ; hasRole RoleA ; isAssociatedWithProvider ProviderA
  SubjectB a sbpsl:Subject ; hasRole RoleB ; isAssociatedWithProvider ProviderB
  SubjectC a sbpsl:Subject ; hasRole RoleC ; isAssociatedWithProvider ProviderC
Actions: Read a sbpsl:Action, Write a sbpsl:Action, Execute a sbpsl:Action
Providers: ProviderA a sbpsl:Provider, ProviderB a sbpsl:Provider, ProviderC a sbpsl:Provider
Objects:
  ObjectA a sbpsl:Object ; isAssociatedWithService ServiceA.1 ; isOwnedByProvider ProviderA
  ObjectB a sbpsl:Object ; isAssociatedWithService ServiceB.1 ; isOwnedByProvider ProviderB
  ObjectC a sbpsl:Object ; isAssociatedWithService ServiceC.1 ; isOwnedByProvider ProviderC
Services:
  ServiceA.1 a sbpsl:Service ; offeredBy ProviderA
  ServiceA.2 a sbpsl:Service ; offeredBy ProviderA
  ServiceB.1 a sbpsl:Service ; offeredBy ProviderB
  ServiceB.2 a sbpsl:Service ; offeredBy ProviderB
  ServiceC.1 a sbpsl:Service ; offeredBy ProviderC
  ServiceC.2 a sbpsl:Service ; offeredBy ProviderC
Policy rule example: [ProviderA, SubjectB, ObjectA, Read, ServiceA.1]
Semantic Based Policy Management Framework

The Architecture
• Cloud service provider
  ◦ PAP
  ◦ PEP
• Semantic based policy management service
  ◦ Semantic based PDP
Access Request Processing
Reasoning & Conflict Analysis
• The Reasoning Process
  ◦ Inference
  ◦ Validation
  ◦ Querying the ontology
• Policy Conflict
  ◦ when two disjoint properties appear simultaneously
  ◦ unauthorizedSubject
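The reasoning steps of this slide, run over the rule set and the example instances from the earlier slides, as an added Python example that is not the slides' or the authors' prototype code: query answers triple patterns, validate checks a 5-tuple rule against the ontology, applies infers role coverage through hasRole, and decide reports a conflict when the two disjoint effects hold at once. The property authorizedSubject (as the disjoint counterpart of unauthorizedSubject), the pairing of an effect with each rule, and the two extra rules are assumptions.

```python
# Added example (not the slides' or the authors' code): a minimal semantic-based PDP
# over the slide's instances; authorizedSubject/unauthorizedSubject are assumed names.
DISJOINT = ("authorizedSubject", "unauthorizedSubject")  # assumed owl disjoint properties
ONTOLOGY = {  # (subject, predicate, object) triples, constructed from the slide's instances
    ("RoleA", "a", "sbpsl:Role"), ("RoleB", "a", "sbpsl:Role"), ("ProviderA", "a", "sbpsl:Provider"),
    ("SubjectA", "a", "sbpsl:Subject"), ("SubjectA", "hasRole", "RoleA"),
    ("SubjectB", "a", "sbpsl:Subject"), ("SubjectB", "hasRole", "RoleB"),
    ("ServiceA.1", "a", "sbpsl:Service"), ("ServiceA.1", "offeredBy", "ProviderA"),
    ("ObjectA", "a", "sbpsl:Object"), ("ObjectA", "isOwnedByProvider", "ProviderA"),
    ("ObjectA", "isAssociatedWithService", "ServiceA.1"),
    ("Read", "a", "sbpsl:Action"), ("Write", "a", "sbpsl:Action"),
}

def query(s=None, p=None, o=None):
    """Querying the ontology: triple-pattern match, None is a wildcard."""
    return [t for t in ONTOLOGY if all(w is None or w == v for w, v in zip((s, p, o), t))]

def validate(rule):
    """Validation: terms of [P, S, O, A, Ser] must be typed, P must own O and offer
    Ser, and O must be associated with Ser. Returns the list of violations."""
    prov, subj, obj, act, svc = rule
    checks = [
        (query(prov, "a", "sbpsl:Provider"), f"{prov} is not a Provider"),
        (query(subj, "a", "sbpsl:Subject") or query(subj, "a", "sbpsl:Role"), f"{subj} is not a Subject/Role"),
        (query(act, "a", "sbpsl:Action"), f"{act} is not an Action"),
        (query(obj, "isOwnedByProvider", prov), f"{obj} is not owned by {prov}"),
        (query(svc, "offeredBy", prov), f"{svc} is not offered by {prov}"),
        (query(obj, "isAssociatedWithService", svc), f"{obj} is not associated with {svc}"),
    ]
    return [msg for ok, msg in checks if not ok]

def applies(rule, request):
    """Inference: a rule whose S is a role covers every subject that hasRole it."""
    (rp, rs, ro, ra, rsvc), (prov, subj, obj, act, svc) = rule, request
    return (rp, ro, ra, rsvc) == (prov, obj, act, svc) and (rs == subj or bool(query(subj, "hasRole", rs)))

def decide(policy, request):
    """policy: list of (effect, rule). Both disjoint effects inferred at once is a conflict."""
    effects = {eff for eff, rule in policy if not validate(rule) and applies(rule, request)}
    if set(DISJOINT) <= effects:
        return "Conflict"
    if "unauthorizedSubject" in effects:
        return "Deny"
    return "Permit" if "authorizedSubject" in effects else "NotApplicable"

POLICY = [  # the slide's rule plus two constructed rules for the inference and conflict cases
    ("authorizedSubject", ("ProviderA", "SubjectB", "ObjectA", "Read", "ServiceA.1")),
    ("authorizedSubject", ("ProviderA", "RoleA", "ObjectA", "Write", "ServiceA.1")),
    ("unauthorizedSubject", ("ProviderA", "SubjectA", "ObjectA", "Write", "ServiceA.1")),
]
```

Invalid rules (a provider that does not own the object or offer the service) are dropped before evaluation, so a mis-specified cross-provider rule cannot grant access by accident.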
Conclusion and Future Work
• The access control issues, particularly heterogeneity and interoperation
• Proposed a semantic based policy management framework
• Introduced a semantic based policy specification language
• Working on a prototype implementation

Thanks! Questions?