Authorization Policy Federation in Heterogeneous Multicloud Environments

Current Infrastructure as a Service (IaaS) cloud platforms have their own authorisation system, containing different access control policies and models. Clients with accounts in multiple cloud providers struggle to manage their rules in order to provide a homogeneous access control experience to users. This work proposes a solution: an Authorisation Policy Federation (APF) of heterogeneous cloud accounts. These federated accounts share a centrally managed policy written in Disjunctive Normal Form (DNF) using a cloud-independent ontology. This shared abstract policy can be translated to local cloud formats, and back again. Prototypes were implemented for OpenStack and Amazon Web Services (AWS) cloud formats, and rules were successfully translated with a Level of Semantic Equivalence (LSE) higher than 80.