An Ontological Framework for Reasoning about Relations between Complex Access Control Policies in Cloud Environments

By embracing the cloud computing paradigm enterprises are able to realise significant cost savings whilst boosting their agility and productivity. Yet, due mainly to security and privacy concerns, many enterprises are reluctant to migrate the storage and processing of their critical assets to the cloud. One way to alleviate these concerns, hence bolster the adoption of cloud computing, is to infuse suitable access control policies in cloud services. Nevertheless, the complexity inherent in such policies, stemming from the dynamic nature of cloud environments, calls for a framework capable of providing assurances with respect to the effectiveness of these policies. The work presented in this paper elaborates on such a framework. In particular, it proposes an approach for generically checking potential subsumption relations between access control policies that incorporate the contextual knowledge that characterises an access request and which needs to be taken into account for granting, or denying, the request. The proposed framework is expressed ontologically hence enabling automated reasoning, through semantic inferencing, about policy subsumption.