Page 1

Towards a Semantic Based Policy Management Framework for Interoperable Cloud Environments

Hassan Takabi and James Joshi
April 19, 2012, ICA CON 2012


Laboratory of Education and Research in Security Assured Information Systems (LERSAIS),

University of Pittsburgh, Pittsburgh, PA, USA

Page 2

Outline

• Motivation
• Use case scenario
• Semantic Based Policy Specification
• Semantic Based Policy Management Framework
• Conclusion & Future Work


Page 3

Motivation

• No single authorization/policy language
• Each CSP employs its own access control
• Authorization is bound to CSP
• Policies composed in incompatible languages CSPs don’t understand each



Page 4

Use Case Scenarios

• IaaS: Amazon S3 and FlexiScale
• PaaS: Google App Engine and LoadStorm
• Collaboration and interoperation is not easy/possible
  ◦ unless a common understanding of policies is provided.


Page 5

Semantic Based Policy Specification

• Semantic Web and Policy Management provide a common, understandable semantic basis for policy specification
• Semantic based policy specification language (SBPSL)
• Use OWL to model this specification language


Page 6

Ontologies

• Subject rdfs:subClassOf owl:Thing
• Role rdfs:subClassOf owl:Thing
• Object rdfs:subClassOf owl:Thing
• Action rdfs:subClassOf owl:Thing
• Attribute rdfs:subClassOf owl:Thing
• Provider rdfs:subClassOf owl:Thing
• Service rdfs:subClassOf owl:Thing


Page 7

Ontologies

• Subject Ontology
• Object Ontology
• Action Ontology
• Provider Ontology
• Service Ontology
• Attribute Ontology


Page 8

Subject Ontology

• Subject: a user/group/role/process
  ◦ modeled as an OWL class Subject.
  ◦ The instances of this class represent the subjects on which the policies are defined.
• The object property and data property of OWL are used to describe subject attributes
  ◦ hasSubjectAttribute and hasSubjectDataAttribute
  ◦ hasRole, isAssociatedWithProvider,



Page 9

Rule and Rule Set

• Basic policy rules
  ◦ [Subject, Object, Action]
• For a multi-provider environment:
  ◦ [Provider, Subject, Object, Action, Service]
  ◦ P states that S can perform A on O associated with Ser


Page 10

Roles
  RoleA a sbpsl:Role . RoleB a sbpsl:Role . RoleC a sbpsl:Role .

Subjects
  SubjectA a sbpsl:Subject ; hasRole RoleA ; isAssociatedWithProvider ProviderA .
  SubjectB a sbpsl:Subject ; hasRole RoleB ; isAssociatedWithProvider ProviderB .
  SubjectC a sbpsl:Subject ; hasRole RoleC ; isAssociatedWithProvider ProviderC .

Actions
  Read a sbpsl:Action . Write a sbpsl:Action . Execute a sbpsl:Action .

Providers
  ProviderA a sbpsl:Provider . ProviderB a sbpsl:Provider . ProviderC a sbpsl:Provider .

Objects
  ObjectA a sbpsl:Object ; isAssociatedWithService ServiceA.1 ; isOwnedByProvider ProviderA .
  ObjectB a sbpsl:Object ; isAssociatedWithService ServiceB.1 ; isOwnedByProvider ProviderB .
  ObjectC a sbpsl:Object ; isAssociatedWithService ServiceC.1 ; isOwnedByProvider ProviderC .

Services
  ServiceA.1 a sbpsl:Service ; offeredBy ProviderA .
  ServiceA.2 a sbpsl:Service ; offeredBy ProviderA .
  ServiceB.1 a sbpsl:Service ; offeredBy ProviderB .
  ServiceB.2 a sbpsl:Service ; offeredBy ProviderB .
  ServiceC.1 a sbpsl:Service ; offeredBy ProviderC .
  ServiceC.2 a sbpsl:Service ; offeredBy ProviderC .

Policy rule example: [ProviderA, SubjectB, ObjectA, Read, ServiceA.1]

Page 11

Semantic Based Policy Management Framework


Page 12

The Architecture

• cloud service provider
• semantic based policy management service
  ◦ semantic based PDP


Page 13

Access Request Processing


Page 14

Reasoning & Conflict Analysis

• The Reasoning Process
  ◦ Inference
  ◦ Validation
  ◦ Querying the ontology
• Policy Conflict
  ◦ when two disjoint properties appear
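The rule tuple of page 9, the example individuals of page 10 and the reasoning steps listed on this page (inference, validation, querying the ontology, conflict detection) can be exercised together in code. What follows is an added example written for this page; it is not code from the authors or from their prototype. It stands in for the OWL ontology with plain Python dictionaries holding the page 10 individuals, and several details the slides do not state are assumptions made here: each rule carries a permit/deny effect, a rule whose subject field names a Role is expanded by inference to every Subject that hasRole that Role, "two disjoint properties" is read as permit and deny on the same [Provider, Subject, Object, Action, Service] tuple, and the PDP lets deny override permit.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed ontology facts (example data, not a real deployment), using the
# individuals named on page 10 of the deck.
SUBJECTS: Dict[str, Tuple[str, str]] = {   # subject -> (hasRole, isAssociatedWithProvider)
    "SubjectA": ("RoleA", "ProviderA"),
    "SubjectB": ("RoleB", "ProviderB"),
    "SubjectC": ("RoleC", "ProviderC"),
}
OBJECTS: Dict[str, Tuple[str, str]] = {    # object -> (isAssociatedWithService, isOwnedByProvider)
    "ObjectA": ("ServiceA.1", "ProviderA"),
    "ObjectB": ("ServiceB.1", "ProviderB"),
    "ObjectC": ("ServiceC.1", "ProviderC"),
}
SERVICES: Dict[str, str] = {               # service -> offeredBy
    "ServiceA.1": "ProviderA", "ServiceA.2": "ProviderA",
    "ServiceB.1": "ProviderB", "ServiceB.2": "ProviderB",
    "ServiceC.1": "ProviderC", "ServiceC.2": "ProviderC",
}
ACTIONS: Set[str] = {"Read", "Write", "Execute"}

Key = Tuple[str, str, str, str, str]       # [Provider, Subject, Object, Action, Service]


@dataclass(frozen=True)
class Rule:
    provider: str
    subject: str            # a Subject, or (assumption) a Role expanded by inference
    obj: str
    action: str
    service: str
    effect: str = "permit"  # assumption: "permit" or "deny"; the slide shows only the tuple

    def key(self) -> Key:
        return (self.provider, self.subject, self.obj, self.action, self.service)


def infer(rules: List[Rule]) -> List[Rule]:
    """Inference (assumption): a rule whose subject is a Role applies to every
    Subject that hasRole that Role; subject-level rules pass through unchanged."""
    out: List[Rule] = []
    for r in rules:
        if r.subject in SUBJECTS:
            out.append(r)
            continue
        for subj, (role, _provider) in SUBJECTS.items():
            if role == r.subject:
                out.append(Rule(r.provider, subj, r.obj, r.action, r.service, r.effect))
    return out


def validate(rule: Rule) -> List[str]:
    """Validation: every referent must exist in the ontology and the tuple must be
    coherent (the service is offeredBy the rule's provider and the object
    isAssociatedWithService that service). Returns a list of problems, empty if valid."""
    errs: List[str] = []
    if rule.subject not in SUBJECTS:
        errs.append(f"unknown subject {rule.subject}")
    if rule.action not in ACTIONS:
        errs.append(f"unknown action {rule.action}")
    if rule.service not in SERVICES:
        errs.append(f"unknown service {rule.service}")
    elif SERVICES[rule.service] != rule.provider:
        errs.append(f"{rule.service} is not offeredBy {rule.provider}")
    if rule.obj not in OBJECTS:
        errs.append(f"unknown object {rule.obj}")
    elif OBJECTS[rule.obj][0] != rule.service:
        errs.append(f"{rule.obj} is not associated with {rule.service}")
    if rule.effect not in ("permit", "deny"):
        errs.append(f"unknown effect {rule.effect}")
    return errs


def find_conflicts(rules: List[Rule]) -> List[Tuple[Rule, Rule]]:
    """Conflict analysis: two rules on the same tuple whose effects are disjoint."""
    by_key: Dict[Key, List[Rule]] = {}
    for r in rules:
        by_key.setdefault(r.key(), []).append(r)
    conflicts: List[Tuple[Rule, Rule]] = []
    for group in by_key.values():
        permits = [r for r in group if r.effect == "permit"]
        denies = [r for r in group if r.effect == "deny"]
        conflicts.extend((p, d) for p in permits for d in denies)
    return conflicts


def decide(rules: List[Rule], request: Key) -> str:
    """PDP: query the rule set for the request tuple; deny overrides permit (assumption)."""
    effects = {r.effect for r in rules if r.key() == request}
    if "deny" in effects:
        return "deny"
    if "permit" in effects:
        return "permit"
    return "not_applicable"


# Constructed rule set: the slide's example rule, a role-level rule, a deny that
# conflicts with it after inference, and one rule that fails validation.
RULES = [
    Rule("ProviderA", "SubjectB", "ObjectA", "Read", "ServiceA.1"),          # the slide's example
    Rule("ProviderA", "RoleC", "ObjectA", "Read", "ServiceA.1"),             # expands to SubjectC
    Rule("ProviderA", "SubjectC", "ObjectA", "Read", "ServiceA.1", "deny"),  # conflicts after inference
    Rule("ProviderB", "SubjectA", "ObjectA", "Read", "ServiceA.1"),          # ServiceA.1 is not ProviderB's
]

if __name__ == "__main__":
    expanded = infer(RULES)
    for r in expanded:
        for problem in validate(r):
            print("invalid:", r.key(), problem)
    for permit_rule, _deny_rule in find_conflicts(expanded):
        print("conflict:", permit_rule.key())
    print(decide(expanded, ("ProviderA", "SubjectB", "ObjectA", "Read", "ServiceA.1")))
    print(decide(expanded, ("ProviderA", "SubjectC", "ObjectA", "Read", "ServiceA.1")))
```

Running the reasoning steps in the order inference, validation, conflict analysis before any request is evaluated is the point of the exercise: the role-level rule only becomes a conflict once it has been expanded to SubjectC, and the incoherent fourth rule (a ProviderB rule over a service that ProviderA offers) is caught by the ontology check rather than silently never matching a request.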



Page 15

Conclusion and Future Work

• The access control issues, particularly heterogeneity and interoperation
• Proposed a semantic based policy management framework
• Introduced a semantic based policy specification language
• Working on prototype implementation

