Towards a Semantic Based Policy Management Framework for Interoperable Cloud Environments. Hassan Takabi and James Joshi April 19, 2012 ICA CON 2012. Laboratory of Education and Research in Security Assured Information Systems (LERSAIS), University of Pittsburgh, Pittsburgh, PA, USA.
Outline • Motivation • Use case scenario • Semantic Based Policy Specification • Semantic Based Policy Management Framework • Conclusion & Future Work
Motivation • No single authorization/ policy language • Each CSP employs its own access control • Authorization is bound to CSP • Policies composed in incompatible languages • CSPs don’t understand each other
Use Case Scenarios • IaaS: Amazon S3 and FlexiScale • PaaS: Google App Engine and LoadStorm • collaboration and interoperation across these providers is not easy, or even possible, • unless a common understanding of policies is provided.
Semantic Based Policy Specification • Semantic Web and Policy Management • provide a common understandable semantic basis for policy specification • semantic based policy specification language (SBPSL) • Use OWL to model this specification language
Ontologies • Subject rdfs:subClassOf owl:Thing • Role rdfs:subClassOf owl:Thing • Object rdfs:subClassOf owl:Thing • Action rdfs:subClassOf owl:Thing • Attribute rdfs:subClassOf owl:Thing • Provider rdfs:subClassOf owl:Thing • Service rdfs:subClassOf owl:Thing
Ontologies • Subject Ontology • Object Ontology • Action Ontology • Provider Ontology • Service Ontology • Attribute Ontology
Subject Ontology • Subject: a user/group/role/process, • modeled as an OWL class Subject. • The instances of this class represent the subjects on which the policies are defined. • The object properties and data properties of OWL are used to describe subject attributes: • hasSubjectAttribute and hasSubjectDataAttribute • hasRole, isAssociatedWithProvider, performsAction
Rule and Rule Set • Basic policy rules • [Subject, Object, Action] • For a multi-provider environment: • [Provider, Subject, Object, Action, Service] • [P, S, O, A, Ser] states that provider P allows subject S to perform action A on object O, which is associated with service Ser
Example ontology individuals (SBPSL notation)
Roles
RoleA a sbpsl:Role, RoleB a sbpsl:Role, RoleC a sbpsl:Role
Subjects
SubjectA a sbpsl:Subject hasRole RoleA isAssociatedWithProvider ProviderA,
SubjectB a sbpsl:Subject hasRole RoleB isAssociatedWithProvider ProviderB,
SubjectC a sbpsl:Subject hasRole RoleC isAssociatedWithProvider ProviderC
Actions
Read a sbpsl:Action, Write a sbpsl:Action, Execute a sbpsl:Action
Providers
ProviderA a sbpsl:Provider, ProviderB a sbpsl:Provider, ProviderC a sbpsl:Provider
Objects
ObjectA a sbpsl:Object isAssociatedWithService ServiceA.1 isOwnedByProvider ProviderA,
ObjectB a sbpsl:Object isAssociatedWithService ServiceB.1 isOwnedByProvider ProviderB,
ObjectC a sbpsl:Object isAssociatedWithService ServiceC.1 isOwnedByProvider ProviderC
Services
ServiceA.1 a sbpsl:Service offeredBy ProviderA, ServiceA.2 a sbpsl:Service offeredBy ProviderA,
ServiceB.1 a sbpsl:Service offeredBy ProviderB, ServiceB.2 a sbpsl:Service offeredBy ProviderB,
ServiceC.1 a sbpsl:Service offeredBy ProviderC, ServiceC.2 a sbpsl:Service offeredBy ProviderC
Policy rule example: [ProviderA, SubjectB, ObjectA, Read, ServiceA.1]
The Architecture • cloud service provider • PAP • PEP • semantic based policy management service • semantic based PDP
Reasoning & Conflict Analysis • The Reasoning Process • Inference • Validation • Querying the ontology • Policy Conflict • arises when two disjoint properties hold for the same individual simultaneously • e.g. a subject that also appears as unauthorizedSubject
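The rule structure from the "Rule and Rule Set" slide and the inference/validation/query/conflict steps from this slide, worked through as an added example that is not part of the talk or any LERSAIS code. It models the slide's example individuals and its [Provider, Subject, Object, Action, Service] rules in plain Python rather than OWL, so the reasoning an OWL reasoner would derive from class and property axioms is written out by hand. The property name unauthorizedSubject is from the slide; its positive counterpart authorizedSubject, the deny-overrides query semantics, and the extra role-based and deny rules are assumptions of this example.

```python
# Added example (not from the Takabi & Joshi slides): a plain-Python model of the
# SBPSL-style ontology and [Provider, Subject, Object, Action, Service] rules,
# with inference, validation, querying and conflict analysis written out by hand.
from typing import Dict, List, Set, Tuple

# Individuals taken from the slide's example ontology.
PROVIDERS: Set[str] = {"ProviderA", "ProviderB", "ProviderC"}
ROLES: Set[str] = {"RoleA", "RoleB", "RoleC"}
ACTIONS: Set[str] = {"Read", "Write", "Execute"}
# service -> provider that offers it (offeredBy)
SERVICES: Dict[str, str] = {
    "ServiceA.1": "ProviderA", "ServiceA.2": "ProviderA",
    "ServiceB.1": "ProviderB", "ServiceB.2": "ProviderB",
    "ServiceC.1": "ProviderC", "ServiceC.2": "ProviderC",
}
# subject -> (hasRole, isAssociatedWithProvider)
SUBJECTS: Dict[str, Tuple[str, str]] = {
    "SubjectA": ("RoleA", "ProviderA"),
    "SubjectB": ("RoleB", "ProviderB"),
    "SubjectC": ("RoleC", "ProviderC"),
}
# object -> (isAssociatedWithService, isOwnedByProvider)
OBJECTS: Dict[str, Tuple[str, str]] = {
    "ObjectA": ("ServiceA.1", "ProviderA"),
    "ObjectB": ("ServiceB.1", "ProviderB"),
    "ObjectC": ("ServiceC.1", "ProviderC"),
}

# A rule is the slide's 5-tuple [Provider, Subject, Object, Action, Service];
# the Subject slot may hold a role, since the Subject ontology covers roles.
Rule = Tuple[str, str, str, str, str]
# A target is "what is being accessed": (Provider, Object, Action, Service).
Target = Tuple[str, str, str, str]


def validate_rule(rule: Rule) -> List[str]:
    """Validation step: list the problems with a rule (empty list = valid).

    Beyond checking that every individual exists, it enforces the relations the
    ontology encodes: the service must be offered by the rule's provider, and the
    object must be associated with that service and owned by that provider.
    """
    provider, subject, obj, action, service = rule
    errors: List[str] = []
    if provider not in PROVIDERS:
        errors.append(f"unknown provider {provider}")
    if subject not in SUBJECTS and subject not in ROLES:
        errors.append(f"unknown subject or role {subject}")
    if obj not in OBJECTS:
        errors.append(f"unknown object {obj}")
    if action not in ACTIONS:
        errors.append(f"unknown action {action}")
    if service not in SERVICES:
        errors.append(f"unknown service {service}")
    elif SERVICES[service] != provider:
        errors.append(f"{service} is not offered by {provider}")
    if obj in OBJECTS:
        assoc_service, owner = OBJECTS[obj]
        if assoc_service != service:
            errors.append(f"{obj} is not associated with {service}")
        if owner != provider:
            errors.append(f"{obj} is not owned by {provider}")
    return errors


def expand_subjects(subject_or_role: str) -> Set[str]:
    """Inference step: a rule written for a role applies to every subject whose hasRole is that role."""
    if subject_or_role in ROLES:
        return {s for s, (role, _) in SUBJECTS.items() if role == subject_or_role}
    return {subject_or_role}


def infer(permits: List[Rule], denials: List[Rule]):
    """Materialise authorizedSubject (assumed name) and unauthorizedSubject facts per target."""
    authorized: Dict[Target, Set[str]] = {}
    unauthorized: Dict[Target, Set[str]] = {}
    for provider, subject, obj, action, service in permits:
        authorized.setdefault((provider, obj, action, service), set()).update(expand_subjects(subject))
    for provider, subject, obj, action, service in denials:
        unauthorized.setdefault((provider, obj, action, service), set()).update(expand_subjects(subject))
    return authorized, unauthorized


def find_conflicts(authorized, unauthorized) -> List[Tuple[Target, str]]:
    """Conflict analysis: the two properties are disjoint, so a subject that is both
    authorized and unauthorized for the same target is a policy conflict."""
    conflicts: List[Tuple[Target, str]] = []
    for target, subjects in sorted(authorized.items()):
        for subject in sorted(subjects & unauthorized.get(target, set())):
            conflicts.append((target, subject))
    return conflicts


def is_authorized(authorized, unauthorized, subject: str, obj: str, action: str) -> bool:
    """Query step (deny overrides, an assumption): granted by some target and denied by none."""
    granted = any(subject in subs for (_, o, a, _), subs in authorized.items() if o == obj and a == action)
    denied = any(subject in subs for (_, o, a, _), subs in unauthorized.items() if o == obj and a == action)
    return granted and not denied


if __name__ == "__main__":
    permits = [
        ("ProviderA", "SubjectB", "ObjectA", "Read", "ServiceA.1"),  # the slide's example rule
        ("ProviderA", "RoleC", "ObjectA", "Read", "ServiceA.1"),     # constructed role-based grant
    ]
    denials = [("ProviderA", "SubjectC", "ObjectA", "Read", "ServiceA.1")]  # constructed deny rule
    for r in permits + denials:
        print(r, "->", validate_rule(r) or "valid")
    auth, unauth = infer(permits, denials)
    print("conflicts:", find_conflicts(auth, unauth))
    print("SubjectB may Read ObjectA:", is_authorized(auth, unauth, "SubjectB", "ObjectA", "Read"))
```

Running the block validates the slide's rule, flags a mis-stated rule such as [ProviderB, SubjectB, ObjectA, Read, ServiceA.1] (ServiceA.1 is not offered by ProviderB and ObjectA is not owned by it), expands the RoleC grant to SubjectC, and reports SubjectC as a conflict because the constructed deny rule makes it both authorized and unauthorized for the same target.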
Conclusion and Future Work • Access control issues in the cloud, particularly heterogeneity and interoperation • proposed a semantic based policy management framework • introduced a semantic based policy specification language • Working on a prototype implementation
Thanks! Questions?