Towards a Semantic Based Policy
Management Framework for
Interoperable Cloud
Environments
Hassan Takabi and James Joshi
April 19, 2012
ICA CON 2012
Laboratory of Education and Research in Security Assured
Information Systems (LERSAIS),
University of Pittsburgh,
Pittsburgh, PA, USA
1
Outline
Motivation
Use case scenario
Semantic Based Policy Specification
Semantic Based Policy Management
Framework
Conclusion & Future Work
2
Motivation
No single authorization/policy language
Each CSP employs its own access control
Authorization is bound to CSP
Policies composed in incompatible
languages
CSPs don’t understand each other
3
Use Case Scenarios
IaaS: Amazon S3 and FlexiScale
PaaS: Google App Engine and LoadStorm
Collaboration and interoperation are not
easy (or even possible)
◦ unless a common understanding of policies is
provided.
4
Semantic Based Policy Specification
Semantic Web and Policy Management
Provide a common, understandable
semantic basis for policy specification
Semantic based policy specification
language (SBPSL)
Use OWL to model this specification
language
5
Ontologies
Subject rdfs:subClassOf owl:Thing
Role rdfs:subClassOf owl:Thing
Object rdfs:subClassOf owl:Thing
Action rdfs:subClassOf owl:Thing
Attribute rdfs:subClassOf owl:Thing
Provider rdfs:subClassOf owl:Thing
Service rdfs:subClassOf owl:Thing
6
Ontologies
Subject Ontology
Object Ontology
Action Ontology
Provider Ontology
Service Ontology
Attribute Ontology
7
Subject Ontology
Subject: a user/group/role/process,
◦ modeled as an OWL class Subject.
◦ The instances of this class represent the subjects
on which the policies are defined.
The object properties and data properties of
OWL are used to describe subject attributes
◦ hasSubjectAttribute and hasSubjectDataAttribute
◦ hasRole, isAssociatedWithProvider,
performsAction
8
Rule and Rule Set
Basic policy rules
◦ [Subject, Object, Action]
For a multi-provider environment:
◦ [Provider, Subject, Object, Action, Service]
◦ P states that S can perform A on O associated
with Ser
9
Roles
RoleA a sbpsl:Role,
RoleB a sbpsl:Role,
RoleC a sbpsl:Role

Objects
ObjectA a sbpsl:Object
  isAssociatedWithService ServiceA.1
  isOwnedByProvider ProviderA,
ObjectB a sbpsl:Object
  isAssociatedWithService ServiceB.1
  isOwnedByProvider ProviderB,
ObjectC a sbpsl:Object
  isAssociatedWithService ServiceC.1
  isOwnedByProvider ProviderC

Subjects
SubjectA a sbpsl:Subject
  hasRole RoleA
  isAssociatedWithProvider ProviderA,
SubjectB a sbpsl:Subject
  hasRole RoleB
  isAssociatedWithProvider ProviderB,
SubjectC a sbpsl:Subject
  hasRole RoleC
  isAssociatedWithProvider ProviderC

Services
ServiceA.1 a sbpsl:Service offeredBy ProviderA,
ServiceA.2 a sbpsl:Service offeredBy ProviderA,
ServiceB.1 a sbpsl:Service offeredBy ProviderB,
ServiceB.2 a sbpsl:Service offeredBy ProviderB,
ServiceC.1 a sbpsl:Service offeredBy ProviderC,
ServiceC.2 a sbpsl:Service offeredBy ProviderC

Actions
Read a sbpsl:Action, Write a sbpsl:Action, Execute a sbpsl:Action

Providers
ProviderA a sbpsl:Provider, ProviderB a sbpsl:Provider, ProviderC a sbpsl:Provider

Policy rule example:
[ProviderA, SubjectB, ObjectA, Read, ServiceA.1]
10
Semantic Based Policy Management
Framework
11
The Architecture
cloud service provider
◦ PAP
◦ PEP
semantic based policy management
service
◦ semantic based PDP
12
Access Request Processing
13
Reasoning & Conflict Analysis
The Reasoning Process
◦ Inference
◦ Validation
◦ Querying the ontology
Policy Conflict
◦ when two disjoint properties appear
simultaneously
◦ unauthorizedSubject
14
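To make the rule-set example (slide 10) and the reasoning steps on this slide concrete, here is a small worked example written for this transcript; it is not the authors' prototype. The slide-10 instances are loaded as (subject, predicate, object) triples into a plain Python index that stands in for an OWL reasoner, each [Provider, Subject, Object, Action, Service] rule is validated against the ontology, inferred into per-subject facts, and the resulting facts are queried for an access request forwarded by a PEP. Everything beyond the slides is an assumption: rules carry a permit/deny effect, a Role may stand in the Subject position and then applies to every Subject that hasRole it, the validation checks (the object must be associated with the service, and the service must be offered by the stating provider) are one reading of "P states that S can perform A on O associated with Ser", and permit/deny for the same request are treated as the two disjoint properties whose co-occurrence signals a policy conflict. The three extra rules in RULES are constructed for the demo.

```python
from collections import defaultdict
from typing import NamedTuple

# Instance data transcribed from slide 10 ("sbpsl:" prefix dropped); Actions first,
# then the per-provider Role/Subject/Object/Service instances for A, B and C.
SBPSL_TRIPLES = [("Read", "a", "Action"), ("Write", "a", "Action"), ("Execute", "a", "Action")]
for x in "ABC":
    SBPSL_TRIPLES += [
        (f"Role{x}", "a", "Role"),
        (f"Provider{x}", "a", "Provider"),
        (f"Subject{x}", "a", "Subject"), (f"Subject{x}", "hasRole", f"Role{x}"),
        (f"Subject{x}", "isAssociatedWithProvider", f"Provider{x}"),
        (f"Object{x}", "a", "Object"), (f"Object{x}", "isAssociatedWithService", f"Service{x}.1"),
        (f"Object{x}", "isOwnedByProvider", f"Provider{x}"),
        (f"Service{x}.1", "a", "Service"), (f"Service{x}.1", "offeredBy", f"Provider{x}"),
        (f"Service{x}.2", "a", "Service"), (f"Service{x}.2", "offeredBy", f"Provider{x}"),
    ]


class TripleStore:
    """Minimal in-memory triple index, (s, p) -> {o}; stands in for an OWL reasoner (assumption)."""

    def __init__(self, triples):
        self._idx = defaultdict(set)
        for s, p, o in triples:
            self._idx[(s, p)].add(o)

    def has(self, s, p, o):
        return o in self._idx.get((s, p), ())

    def instances_of(self, cls):
        return sorted(s for (s, p), objs in self._idx.items() if p == "a" and cls in objs)


class Rule(NamedTuple):
    """[Provider, Subject, Object, Action, Service] from slide 9, plus an assumed effect field."""
    provider: str
    subject: str   # a Subject, or a Role (assumption: a role rule covers every subject holding it)
    object: str
    action: str
    service: str
    effect: str = "permit"   # "permit" or "deny" (assumption, not on the slides)


def validate(store, rule):
    """Validation step: each rule element must be typed by the ontology, the object must be
    associated with the rule's service, and that service must be offered by the stating provider."""
    problems = []
    for name, cls in [(rule.provider, "Provider"), (rule.object, "Object"),
                      (rule.action, "Action"), (rule.service, "Service")]:
        if not store.has(name, "a", cls):
            problems.append(f"{name} is not a {cls}")
    if not (store.has(rule.subject, "a", "Subject") or store.has(rule.subject, "a", "Role")):
        problems.append(f"{rule.subject} is neither a Subject nor a Role")
    if not store.has(rule.object, "isAssociatedWithService", rule.service):
        problems.append(f"{rule.object} is not associated with {rule.service}")
    if not store.has(rule.service, "offeredBy", rule.provider):
        problems.append(f"{rule.service} is not offered by {rule.provider}")
    return problems


def infer(store, rules):
    """Inference step: expand each valid rule into per-subject facts, resolving role rules
    through hasRole. Returns {(subject, action, object, service): set of effects}."""
    derived = defaultdict(set)
    for rule in rules:
        if validate(store, rule):          # invalid rules never contribute facts
            continue
        if store.has(rule.subject, "a", "Role"):
            targets = [s for s in store.instances_of("Subject") if store.has(s, "hasRole", rule.subject)]
        else:
            targets = [rule.subject]
        for s in targets:
            derived[(s, rule.action, rule.object, rule.service)].add(rule.effect)
    return derived


def decide(store, rules, request):
    """Query step: the PDP's answer to a PEP request (subject, action, object, service).
    Permit and deny derived for the same request are the two disjoint properties of slide 14."""
    effects = infer(store, rules).get(tuple(request), set())
    if {"permit", "deny"} <= effects:
        return "Conflict"
    if "permit" in effects:
        return "Permit"
    if "deny" in effects:
        return "Deny"
    return "NotApplicable"


STORE = TripleStore(SBPSL_TRIPLES)

# First rule is the slide-10 example; the other three are constructed for this demo.
RULES = [
    Rule("ProviderA", "SubjectB", "ObjectA", "Read", "ServiceA.1"),
    Rule("ProviderA", "RoleB", "ObjectA", "Write", "ServiceA.1"),            # permit via role
    Rule("ProviderA", "SubjectB", "ObjectA", "Write", "ServiceA.1", "deny"),  # conflicts with the role rule
    Rule("ProviderB", "SubjectA", "ObjectA", "Read", "ServiceA.1"),          # invalid: ProviderB does not offer ServiceA.1
]
```

Calling `decide(STORE, RULES, ("SubjectB", "Read", "ObjectA", "ServiceA.1"))` returns "Permit" for the slide's cross-provider rule, the Write request on ObjectA by SubjectB comes back as "Conflict" because the role rule and the subject-level deny both fire, and the fourth rule is dropped at validation so SubjectA gets "NotApplicable". Conflict detection here is deliberately a flat check on the derived facts; a real OWL deployment would declare the two properties owl:propertyDisjointWith and let the reasoner report the inconsistency.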
Conclusion and Future Work
Access control issues, particularly
heterogeneity and interoperation
Proposed a semantic based policy
management framework
Introduced a semantic based policy
specification language (SBPSL)
Working on a prototype implementation
15
Thanks!
Questions?
16