
3 Semantics-enabled Formal Policies

The well-known semantic web layered architecture² has undergone revisions reflecting the evolution of its layers and their relationships. Semantics-enabled formal policies are formulated as ontology and rule knowledge bases, using the ontology and rule languages of the semantic web layered architecture. Many operations can be automated, thereby reducing ad-hoc program coding to a minimum and enabling automated documentation [12].

An ontology is a formal, explicit specification of a shared conceptualization [13]. One key aspect of managing policies is the semantic heterogeneity and the conflicts among policies. Using an ontology as the formal representation of a policy, together with a meta-policy for resolving semantic heterogeneity and conflicts between policies, is very promising. Furthermore, once the policy and meta-policy have been described as ontologies, rules empower policy enforcement for information sharing and protection.

² http://www.w3.org/2007/03/layerCake.svg

Semantics-enabled Policies for Information Sharing and Protection

3.1 Formal Policy Representation

A formal policy is a declarative expression of a legal regulation that can be executed in a computer system without semantic ambiguity. A formal policy is written in a policy language, which combines an ontology language and a rule language. Policy languages such as Rein [14], KAoS [15], and Protune [12] have been proposed to allow agents to understand and enforce policies as intended by their semantics.

A formal policy is composed of ontologies and rules, where the ontologies are created from an ontology language and the rules are created from a rule language [16].

A formal protection policy aims at representing and enforcing data protection directives and national security principles: the structures of privacy protection directives and national security principles are modeled as ontologies, and the enforcement of these formal protection policies is expressed as rules.

In the policy ontology, a Request for data hasCondition, such as DataUser, Purpose, etc. (see Figure 1). If multiple policies are applicable to a data request, hasPriority sets their execution priority. Otherwise, an Isolated Policy isBelongedTo a TLD (Trusted Legal Domain). When a Request getInTo a TLD (see Section 3.3), the policies of this legal domain are integrated.

DomainPolicy is a meta-policy; it hasTLD in order to offer the DataPolicy of that TLD.

A meta-policy is a policy about policies that provides a set of rules for realizing the services needed to manage policies [17]. Here, a meta-policy consists of a set of rules for setting the priority between privacy protection and national security policies. Policy management services are provided in the formal policy framework of Section 3.3. They could be implemented as meta-policies in Rein [14] or as policy administration tools in KAoS [15]. In Protune, the role of meta-policies is to govern policy behavior, to reduce ad-hoc programming effort, and to improve policy readability and maintainability.

Fig. 1. A policy ontology is used for policy and data usage descriptions of a TLD.

Yuh-Jong Hu, Win-Nan Wu, and Jiun-Jan Yang

3.2 Formal Policy Compliance

The cloud computing environment is a global computer system infrastructure. Once dispersed computer resources are installed and data is in the cloud, we face the challenge of providing legalized data sharing and protection services across jurisdictions. In the cloud, anyone can use anything from anywhere at any time, so we must harmonize the laws of different jurisdictions. This also raises a regulatory compliance issue: the formal policies enforced in the cloud must satisfy the data usage criteria stated in the related laws.

Obviously, current data protection and national security laws are not up to date in handling the cloud's cross-border data sharing and protection problems.

We need to address research issues not only of law refinement but also of technology re-engineering. The ultimate objective of this study is to enable the use of flexible and agile cloud resources without violating the laws.

Semantics-enabled formal policies are inflexible if they comply only with current laws and not with the new laws that emerging information technologies give rise to. We propose a formal policy framework with flexible policy deployment, integration, and enforcement. In this framework, semantics-enabled data protection and national security policies are automatically unified to serve the purpose of national security enforcement through data sharing.

However, we must also ensure that data protection laws are not violated. In this paper, the formal policy compliance of each data request is based on the data usage context of the user. Satisfying the laws is a pre-condition for retrieving shared information. Which laws apply to a data request in a TLD depends on the data usage context of the data user. The legal boundary of a TLD is also based on the data usage context.

3.3 Formal Policy Framework

A trusted policy framework is essential to facilitate automatic policy integration and to meet inter-domain service-access requirements in the cloud [2].

We need a framework to guarantee that formal policies are compliant with the laws. In addition, they must be properly specified, verified, and enforced for any possible data access across domains.

Based on the trusted virtual domain's (TVD's) two-layered infrastructure [18], a semantics-enabled formal policy three-layered framework is presented (see Figure 2):

1. Cloud Machine Domain (CMD) layer

A group of physical cloud computers running various virtual machines (VMs) is established within a trusted machine domain (TMD). A TMD allows a group of cloud computers connected by a VLAN switch to be protected as an isolated Intranet. Across TMDs, a virtual private network (VPN) is set up as a secure channel between TMDs to provide secure data transmission between VMs.


Fig. 2. A semantics-enabled formal policy framework with three policy domain layers: cloud machine domain (CMD), cloud virtual domain (CVD), and cloud legalized domain (CLD).

In the CMD layer, data centers are operated in the so-called physical cages model, wherein different customers' IT infrastructure runs on distinct physical resources. The physical boundary of a TMD depends on whether the hosts belong to the same LAN within an Intranet. In the same LAN, hosts can communicate directly over the trusted physical link without traffic encryption.

2. Cloud Virtual Domain (CVD) layer

Although a group of VMs is dispersed across multiple physical cloud computers in TMDs, these VMs can still be configured into a virtual zone as a Trusted Virtual Domain (TVD) belonging to a specific customer in a private cloud. A TVD consists of a set of virtual machines, a network configuration, storage, and policies for access control and resource consumption.

Protection policies are created for uniform secure services, such as storage, networking, and TVD membership in a TVD [8].


The CVD layer allows resource sharing among customers in the logical cages model. This enables a more flexible and efficient management of the data center’s resources [8]. The logical boundary of a TVD is a secure logical domain, where security and storage usage policies are uniformly enforced within a TVD across its members.

3. Cloud Legalized Domain (CLD) layer

Semantics-enabled policies are manually specified and are compliant with the current laws for data sharing and privacy protection in a Trusted Legal Domain (TLD). A TLD has a virtual legal boundary and uses law-compliant semantics-enabled policies to regulate data access. The semantics-enabled policies are translated into the network security and storage usage policies of a TVD.

In the CLD layer, we use the legal cages model, in contrast with the logical cages model of the CVD layer, to provide uniformly legalized data sharing and protection services. Within the legal virtual boundary of a TLD, a person (or software) has limited data access rights to serve a purpose within a particular data usage context. For example, a national security law enforcer has the right to access any suspect's Facebook IP and email addresses from the list of friends' contacts whenever an investigation with certain evidence is allowed to do so. However, whether to grant or deny a data request still depends on additional data usage context, such as the data requester's location, which data center is responsible for the data, and which applicable laws govern the request. Furthermore, the semantics-enabled policies can also define a permissible data flow between any two TLDs and regulate the flow under each TLD's law.

3.4 Formal Policy Deployment

Semantics-enabled policies are deployed in TLDs and enforced on the CLD layer of the formal policy framework. We aim to represent and enforce the high-level, law-compliant semantics-enabled policies of TLDs. Thus the law-compliant policies of TLDs can be flexibly mapped into the security and privacy policies of TVDs. Subsequently, the security and privacy policies of TVDs are mapped into the security services of TMDs. The possible mappings from TLD(s) to TVD(s) are one-to-one or many-to-many, similar to the mappings from TVD(s) to TVD data center(s) (TVDc) implemented in the Xen Cloud Platform (XCP)³ [8].

The legal virtual boundary of a TLD is determined by the particular law that regulates the data disclosure range and level, where the semantics-enabled policies are compliant with that law for this TLD. An intersection area is compliant with the applicable laws of multiple TLDs. When a data usage context is initiated for a data user to request information, the semantics-enabled policies related to the applicable laws are executed. A data usage context includes a purpose, a data user's role, a requester location, a data location, an action, etc. (see Condition in Figure 1).

³ XCP http://www.xen.org/products/cloudxen.html.

Fig. 3. A layer structure from legal domain to virtual domain, where the semantics-enabled policy is enforced and managed through meta-data, including domain-policy and meta-policy, to locate the real information.

In fact, this data usage context is based on the core definitions of data protection laws or national security laws. When a user submits a data request, a data usage context is created for the request, and policy enforcement ensures that all information disclosure is legal under the laws. We thus face a law integration problem that turns into a formal policy integration problem.
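As an added illustration (example code written for this edit, not the authors' implementation and not code in the Rein, KAoS or Protune languages they cite), the following Python models the Figure 1 vocabulary of Section 3.1 together with the data usage context of this section as plain data: a Request carries a Condition, a DataPolicy isBelongedTo a TLD and hasPriority, and a DomainPolicy meta-policy offers each TLD's DataPolicies when a Request getInTo those TLDs. The class and field names, the deny-by-default fallback, the integer priorities, and the sample privacy and national security rules are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional

# Vocabulary of the policy ontology in Fig. 1, modelled as plain data: a Request
# hasCondition (its data usage context), a DataPolicy isBelongedTo a TLD and
# hasPriority, and a DomainPolicy (meta-policy) hasTLD to offer that TLD's
# DataPolicies. All names below are assumptions made for this example.


class Effect(Enum):
    PERMIT = "permit"
    DENY = "deny"


@dataclass(frozen=True)
class Condition:
    """Data usage context attached to a Request (Condition in Fig. 1)."""
    data_user: str            # requester role, e.g. "LawEnforcer"
    purpose: str              # e.g. "Investigation"
    requester_location: str   # jurisdiction the requester acts from
    data_location: str        # jurisdiction of the data center holding the data
    action: str               # e.g. "read"


@dataclass(frozen=True)
class DataPolicy:
    name: str
    tld: str                  # isBelongedTo: the Trusted Legal Domain owning it
    effect: Effect
    priority: int             # hasPriority: larger value wins among applicable policies
    applies: Callable[[Condition], bool]   # rule body: does the policy cover the context?


@dataclass
class DomainPolicy:
    """Meta-policy: records which DataPolicies each TLD offers (hasTLD)."""
    offered: Dict[str, List[DataPolicy]] = field(default_factory=dict)

    def offer(self, policy: DataPolicy) -> None:
        self.offered.setdefault(policy.tld, []).append(policy)

    def get_into(self, tlds: List[str]) -> List[DataPolicy]:
        """Request getInTo TLD(s): integrate the policies of every domain entered."""
        return [p for t in tlds for p in self.offered.get(t, [])]


@dataclass(frozen=True)
class Decision:
    effect: Effect
    decided_by: Optional[str]   # winning policy name; None when nothing applied
    conflicted: bool            # True when both PERMIT and DENY policies applied


def evaluate(cond: Condition, policies: List[DataPolicy],
             default: Effect = Effect.DENY) -> Decision:
    """Apply every policy whose rule matches the context; hasPriority resolves
    conflicts. A context no policy covers falls back to deny (assumed meta-rule)."""
    applicable = [p for p in policies if p.applies(cond)]
    if not applicable:
        return Decision(default, None, False)
    effects = {p.effect for p in applicable}
    winner = max(applicable, key=lambda p: p.priority)
    return Decision(winner.effect, winner.name, len(effects) > 1)


def build_domain_policy() -> DomainPolicy:
    """Constructed sample policies for two TLDs (illustrative, not real legal text)."""
    dp = DomainPolicy()
    # Data protection TLD: cross-border reads of personal data are denied ...
    dp.offer(DataPolicy("privacy-deny-cross-border", "TLD-DataProtection", Effect.DENY, 10,
                        lambda c: c.action == "read"
                        and c.requester_location != c.data_location))
    # ... but in-jurisdiction reads for service delivery are permitted.
    dp.offer(DataPolicy("privacy-permit-service", "TLD-DataProtection", Effect.PERMIT, 5,
                        lambda c: c.action == "read" and c.purpose == "ServiceDelivery"
                        and c.requester_location == c.data_location))
    # National security TLD: an investigating law enforcer may read contact data;
    # the meta-policy ranks it above the privacy denial (the Section 3.3 example).
    dp.offer(DataPolicy("nsl-permit-investigation", "TLD-NationalSecurity", Effect.PERMIT, 20,
                        lambda c: c.data_user == "LawEnforcer"
                        and c.purpose == "Investigation" and c.action == "read"))
    return dp


def decide(cond: Condition, tlds: List[str]) -> Decision:
    """Full path of a Request: enter the TLDs, integrate their policies, evaluate."""
    return evaluate(cond, build_domain_policy().get_into(tlds))


if __name__ == "__main__":
    ctx = Condition("LawEnforcer", "Investigation", "TW", "US", "read")
    print(decide(ctx, ["TLD-DataProtection", "TLD-NationalSecurity"]))
    print(decide(ctx, ["TLD-DataProtection"]))
```

Running the block with the law enforcer's context shows the two situations discussed above: when the request enters both TLDs, the privacy denial and the national security permission both apply, and hasPriority resolves the conflict in favour of the latter; when the request enters only the data protection TLD, it is denied, because the national security policy is never offered to it. Priority is the only integration rule shown here; a real meta-policy would derive the ordering from the applicable laws rather than from a hand-assigned integer.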

In [8], two types of policy govern cloud security within TVDs. The first, the security policy, limits network flows and the use of machine storage. The second, the membership policy, defines which VMs are allowed to join a TVD. The security policy is used for the security enforcement of TVDs on the CVD layer, but the real enforcement mechanisms are still executed on the CMD layer. Semantics-enabled protection policies leverage the cloud security services of these security policies because the CVD layer itself is unaware of the legal requirements.
