
Towards a Semantic Based Policy Management Framework for Interoperable Cloud Environments

This paper outlines the motivation, use case scenarios, semantic-based policy specification, and management framework for interoperable cloud environments. The proposed framework aims to address the lack of a single authorization/policy language and the lack of understanding between different cloud service providers. It introduces a semantic-based policy specification language and discusses the architecture and reasoning process of the management framework. The conclusion highlights the need for a common understanding of policies and mentions future work on a prototype implementation.



Presentation Transcript


  1. Towards a Semantic Based Policy Management Framework for Interoperable Cloud Environments Hassan Takabi and James Joshi April 19, 2012 ICA CON 2012 Laboratory of Education and Research in Security Assured Information Systems (LERSAIS), University of Pittsburgh, Pittsburgh, PA, USA

  2. Outline • Motivation • Use case scenario • Semantic Based Policy Specification • Semantic Based Policy Management Framework • Conclusion & Future Work

  3. Motivation • No single authorization/ policy language • Each CSP employs its own access control • Authorization is bound to CSP • Policies composed in incompatible languages • CSPs don’t understand each other

  4. Use Case Scenarios • IaaS: Amazon S3 and FlexiScale • PaaS: Google App Engine and LoadStorm • collaboration and interoperation is not easy/possible • unless a common understanding of policies is provided.

  5. Semantic Based Policy Specification • Semantic Web and Policy Management • provide a common understandable semantic basis for policy specification • semantic based policy specification language (SBPSL) • Use OWL to model this specification language

  6. Ontologies • Subject rdfs:subClassOf owl:Thing • Role rdfs:subClassOf owl:Thing • Object rdfs:subClassOf owl:Thing • Action rdfs:subClassOf owl:Thing • Attribute rdfs:subClassOf owl:Thing • Provider rdfs:subClassOf owl:Thing • Service rdfs:subClassOf owl:Thing

  7. Ontologies • Subject Ontology • Object Ontology • Action Ontology • Provider Ontology • Service Ontology • Attribute Ontology

  8. Subject Ontology • Subject: a user/group/role/process, • modeled as an OWL class Subject. • The instances of this class represent the subjects on which the policies are defined. • The object properties and data properties of OWL are used to describe subject attributes • hasSubjectAttribute and hasSubjectDataAttribute • hasRole, isAssociatedWithProvider, performsAction

  9. Rule and Rule Set • Basic policy rules • [Subject, Object, Action] • For a multi-provider environment: • [Provider, Subject, Object, Action, Service] • Provider P states that subject S can perform action A on object O associated with service Ser

  10. Example instances
  Roles • RoleA a sbpsl:Role • RoleB a sbpsl:Role • RoleC a sbpsl:Role
  Subjects • SubjectA a sbpsl:Subject; hasRole RoleA; isAssociatedWithProvider ProviderA • SubjectB a sbpsl:Subject; hasRole RoleB; isAssociatedWithProvider ProviderB • SubjectC a sbpsl:Subject; hasRole RoleC; isAssociatedWithProvider ProviderC
  Actions • Read a sbpsl:Action • Write a sbpsl:Action • Execute a sbpsl:Action
  Providers • ProviderA a sbpsl:Provider • ProviderB a sbpsl:Provider • ProviderC a sbpsl:Provider
  Objects • ObjectA a sbpsl:Object; isAssociatedWithService ServiceA.1; isOwnedByProvider ProviderA • ObjectB a sbpsl:Object; isAssociatedWithService ServiceB.1; isOwnedByProvider ProviderB • ObjectC a sbpsl:Object; isAssociatedWithService ServiceC.1; isOwnedByProvider ProviderC
  Services • ServiceA.1 a sbpsl:Service; offeredBy ProviderA • ServiceA.2 a sbpsl:Service; offeredBy ProviderA • ServiceB.1 a sbpsl:Service; offeredBy ProviderB • ServiceB.2 a sbpsl:Service; offeredBy ProviderB • ServiceC.1 a sbpsl:Service; offeredBy ProviderC • ServiceC.2 a sbpsl:Service; offeredBy ProviderC
  Policy rule example: [ProviderA, SubjectB, ObjectA, Read, ServiceA.1]

  11. Semantic Based Policy Management Framework

  12. The Architecture • cloud service provider • PAP • PEP • semantic based policy management service • semantic based PDP

  13. Access Request Processing

  14. Reasoning & Conflict Analysis • The Reasoning Process • Inference • Validation • Querying the ontology • Policy Conflict • arises when two disjoint properties appear simultaneously on the same individual • e.g. unauthorizedSubject
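The following is an added example, not code from the paper or the slides: it models the slide 10 instances and the five-element rule [Provider, Subject, Object, Action, Service] in a tiny in-memory triple store, and then runs the three reasoning steps of slide 14 over it: validation (does a rule fit the ontology?), inference (a rule granted to a role applies to subjects holding that role), and conflict analysis (a grant that collides with an unauthorizedSubject assertion on the same object). The class names, property names (hasRole, isOwnedByProvider, unauthorizedSubject, ...) and the example individuals come from the slides; the specific validation checks, the role-inference step and the Permit/Deny/Conflict outcomes are my own assumptions about how the semantic PDP would behave, since the slides do not spell them out.

```python
# Added example (not from the paper). A minimal triple store standing in for the
# SBPSL OWL ontology, plus rule validation, role inference and conflict detection.
# Validation checks, the inference step and the outcome labels are assumptions.

class TripleStore:
    """Set of (subject, predicate, object) triples with two simple queries."""

    def __init__(self):
        self.triples = set()

    def add(self, s, p, o):
        self.triples.add((s, p, o))

    def has(self, s, p, o):
        return (s, p, o) in self.triples

    def objects(self, s, p):
        """All o such that (s, p, o) is in the store (the 'querying' step)."""
        return {o for (s2, p2, o) in self.triples if s2 == s and p2 == p}


def build_example_ontology():
    """Populate the store with the individuals shown on slide 10 (constructed data)."""
    g = TripleStore()
    for r in ("RoleA", "RoleB", "RoleC"):
        g.add(r, "a", "sbpsl:Role")
    for s, role, prov in (("SubjectA", "RoleA", "ProviderA"),
                          ("SubjectB", "RoleB", "ProviderB"),
                          ("SubjectC", "RoleC", "ProviderC")):
        g.add(s, "a", "sbpsl:Subject")
        g.add(s, "hasRole", role)
        g.add(s, "isAssociatedWithProvider", prov)
    for a in ("Read", "Write", "Execute"):
        g.add(a, "a", "sbpsl:Action")
    for p in ("ProviderA", "ProviderB", "ProviderC"):
        g.add(p, "a", "sbpsl:Provider")
    for svc, prov in (("ServiceA.1", "ProviderA"), ("ServiceA.2", "ProviderA"),
                      ("ServiceB.1", "ProviderB"), ("ServiceB.2", "ProviderB"),
                      ("ServiceC.1", "ProviderC"), ("ServiceC.2", "ProviderC")):
        g.add(svc, "a", "sbpsl:Service")
        g.add(svc, "offeredBy", prov)
    for obj, svc, prov in (("ObjectA", "ServiceA.1", "ProviderA"),
                           ("ObjectB", "ServiceB.1", "ProviderB"),
                           ("ObjectC", "ServiceC.1", "ProviderC")):
        g.add(obj, "a", "sbpsl:Object")
        g.add(obj, "isAssociatedWithService", svc)
        g.add(obj, "isOwnedByProvider", prov)
    return g


def validate_rule(g, rule):
    """Validation step (assumed checks): return the list of reasons a rule is ill-formed.

    A rule is [Provider, Subject-or-Role, Object, Action, Service]. It is accepted only
    if every term has the expected class and the provider really owns the object and
    offers the service the object is associated with.
    """
    provider, who, obj, action, service = rule
    problems = []
    if not g.has(provider, "a", "sbpsl:Provider"):
        problems.append(f"{provider} is not a sbpsl:Provider")
    if not (g.has(who, "a", "sbpsl:Subject") or g.has(who, "a", "sbpsl:Role")):
        problems.append(f"{who} is neither a sbpsl:Subject nor a sbpsl:Role")
    if not g.has(action, "a", "sbpsl:Action"):
        problems.append(f"{action} is not a sbpsl:Action")
    if not g.has(obj, "isOwnedByProvider", provider):
        problems.append(f"{obj} is not owned by {provider}")
    if not g.has(obj, "isAssociatedWithService", service):
        problems.append(f"{obj} is not associated with {service}")
    if not g.has(service, "offeredBy", provider):
        problems.append(f"{service} is not offered by {provider}")
    return problems


def evaluate_request(g, rules, provider, subject, obj, action, service):
    """Semantic PDP decision (assumed semantics): 'Permit', 'Deny' or 'Conflict'.

    Only rules that pass validation are considered. A rule matches directly on the
    subject, or by inference through any role the subject holds (hasRole). A grant
    that coexists with an unauthorizedSubject assertion on the same object is the
    'two disjoint properties at once' situation and is reported as a conflict.
    """
    valid = {tuple(r) for r in rules if not validate_rule(g, r)}
    candidates = {subject} | g.objects(subject, "hasRole")
    granted = any((provider, who, obj, action, service) in valid for who in candidates)
    if granted and g.has(obj, "unauthorizedSubject", subject):
        return "Conflict"
    return "Permit" if granted else "Deny"


if __name__ == "__main__":
    g = build_example_ontology()
    rules = [("ProviderA", "SubjectB", "ObjectA", "Read", "ServiceA.1")]
    print(evaluate_request(g, rules, "ProviderA", "SubjectB", "ObjectA", "Read", "ServiceA.1"))
```

The direct rule from slide 10 yields Permit for SubjectB reading ObjectA through ServiceA.1 and Deny for any other action; a rule naming ProviderB as the grantor of ObjectA fails validation because ObjectA is owned by ProviderA, and a role-level grant to RoleC combined with an `unauthorizedSubject SubjectC` assertion on ObjectA is flagged as a conflict rather than silently permitted or denied.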

  15. Conclusion and Future Work • Access control issues in the cloud, particularly heterogeneity and interoperation • proposed a semantic based policy management framework • introduced a semantic based policy specification language • Working on a prototype implementation

  16. Thanks! Questions?
