My Vision for an Enhanced Linked Data Architecture – PART 2
In my previous post I discussed two of what I believe to be the current stumbling blocks to full adoption of Linked Data integration concepts and patterns in today’s Information Interoperability / Information Sharing space. I also began to address one of these stumbling blocks via additional components (the Enhanced parts) of my proposed Enhanced Linked Data Architecture and its current incarnation as the Enhanced Linkeddata Architecture for Persistent Sharing Environments (ELAPSE)™. With this posting, I will begin to discuss possible data security labeling/classification solutions that may address this stumbling block, and how the current “Triple-level” security concerns associated with today’s Semantic Web Technology solutions could also be resolved via my proposed ELAPSE™ Architecture.
A second major stumbling block to full adoption of these concepts is the lack of “Triple-level” security capability built into the available RDF Stores (i.e. Triple Store or Graph DB) and LinkedData Framework solutions. Today’s Information Interoperability / Information Sharing space requires that actionable shared information be gleaned from numerous different and diverse file format(s) and data types, including traditional structured data sources along with unstructured data, semi-structured data, and raw data sources in both open and proprietary format(s). Each of these data sources, when required, has typically already had appropriate Authentication, Authorization, and Accounting (AAA) policies adopted and implemented. As these data sources are “exposed” as Interlinked Semantic Data, to take advantage of Linked Data integration concepts and patterns, their existing AAA policies must be maintained and enforced. A recent blog posting by Orri Erling discusses “combined provenance and security label” and “selective hash join” graph-level access concepts to address access control needs and their associated performance effects.
A prime example of the need to deal with numerous different and diverse file format(s) and data types is the wealth of geospatial data required to be stored and analyzed by the intelligence community. The Open Geospatial Consortium (OGC) standards [i.e. Web Map Service (WMS), Web Feature Service (WFS), Web Coverage Service (WCS), and Web Processing Service (WPS)] were specifically defined to provide open standards based interoperability for access to and exchange of geospatial information across multiple data sources, which typically have existing AAA policies that must be maintained as this data is modeled and exposed as a semantic knowledge base.
A recent paper published on 15 April 2013 in The Institute of Electrical & Electronics Engineers, Inc. (IEEE) Transactions on Dependable and Secure Computing (TDSC) journal, titled “Authorization Control for a Semantic Data Repository Through an Inference Policy Engine,” proposes a powerful multi-layered authorization and access control model. This model is a combination mechanism, including: a ‘security role and labeling technique’ in which many security properties can be determined by the expressiveness of the authorization scheme; a powerful authorization system [26]; and a multi-clearance paradigm [30].
Without deeply diving into the usage of Description Logic (DL) when defining the Semantic Web Model (or semantic knowledge base), this model/knowledge base can be perceived as consisting of Terminological Knowledge Box (TBox) Axioms and Assertional Knowledge Box (ABox) Axioms [18]/[29]. I believe the proposed semantic-reasoner-based authorization model and its support for content-based access control, in that the authorization requirements are established not only for the model’s concepts in the TBox (conceptual schema) but also for their individuals in the ABox (actual data), is exactly what is needed to help address today’s security-related adoption stumbling block.
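As an added illustration (not code from this post or from the cited paper), the following Python sketches triple-level filtering with a SPIF-style security label (classification level plus compartments) checked against a subject's clearance, where a TBox concept's label is the default for its ABox individuals and an individual's own label overrides it; the ex: prefix, levels, compartments and triples are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Classification hierarchy, lowest to highest (constructed; a real SPIF
# declares its own levels and compartments).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Label:
    """A security label or clearance: a level plus a set of compartments."""
    level: str
    compartments: frozenset = frozenset()

def dominates(clearance: Label, label: Label) -> bool:
    """'No read up': the clearance level must be at least the label level and
    the clearance must hold every compartment the label carries."""
    return (LEVELS[clearance.level] >= LEVELS[label.level]
            and label.compartments <= clearance.compartments)

# TBox: a concept's label is the default for every individual of that class.
TBOX_LABELS = {
    "ex:Facility": Label("UNCLASSIFIED"),
    "ex:SensorSite": Label("SECRET", frozenset({"GEOINT"})),
}
# ABox: an individual's own label overrides its concept's default.
ABOX_LABELS = {
    "ex:site42": Label("TOP SECRET", frozenset({"GEOINT"})),
}
# Constructed sample triples: (subject, predicate, object, rdf:type of subject).
TRIPLES = [
    ("ex:hq", "ex:locatedAt", "POINT(-77.0 38.9)", "ex:Facility"),
    ("ex:site7", "ex:locatedAt", "POINT(44.2 33.3)", "ex:SensorSite"),
    ("ex:site42", "ex:locatedAt", "POINT(51.4 35.7)", "ex:SensorSite"),
    ("ex:mystery", "ex:locatedAt", "POINT(0.0 0.0)", "ex:Unknown"),  # no label at any level
]

def effective_label(subject: str, concept: str) -> Optional[Label]:
    """Individual label if present, else the concept label, else None."""
    return ABOX_LABELS.get(subject) or TBOX_LABELS.get(concept)

def visible_triples(clearance: Label, triples=TRIPLES):
    """Keep only triples whose effective label the clearance dominates.
    A triple with no label at either level is denied (default deny)."""
    out = []
    for s, p, o, concept in triples:
        label = effective_label(s, concept)
        if label is not None and dominates(clearance, label):
            out.append((s, p, o))
    return out
```

Calling visible_triples(Label("SECRET", frozenset({"GEOINT"}))) returns the ex:hq and ex:site7 triples only: ex:site42 is hidden by its individual-level TOP SECRET label and ex:mystery by the default-deny rule.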
As always, when focused on open standards, some additional existing components (the Enhanced parts) of my proposed ELAPSE™ Architecture that will help address these security concerns may also include:
Open XML SPIF [a United States Government General Services (US GENSER) Security Policy example is here; and, a nice description of Security Policy, Security Label and Security Clearance Infrastructure & Management is here]
pam_tacplus open source PAM module supporting the Terminal Access Controller Access-Control System Plus (TACACS+) protocol
jBlocks javascript layout library
My next post will discuss other concerns associated with today’s RDF Stores and Linkeddata Framework solutions that could also be addressed via this ELAPSE™ Architecture.
=david.l.woolfenden
IEEE Paper Citations:
Abdullah Alamri, Peter Bertok, and James A. Thom. “Authorization Control for a Semantic Data Repository Through an Inference Policy Engine.” IEEE Transactions on Dependable and Secure Computing, 15 April 2013. IEEE Computer Society Digital Library, IEEE Computer Society.
[18] V. Milea, F. Frasincar, and U. Kaymak. tOWL: A temporal web ontology language. IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics, 42(1):268–281, Feb. 2012.
[26] R. S. Sandhu. Role-based access control. In Advances in Computers. Academic Press, 1994.
[29] A.-Y. Turhan. Description logic reasoning for semantic web ontologies. In Proceedings of the International Conference on Web Intelligence, Mining and Semantics, WIMS ’11, pages 6:1–6:5, New York, NY, USA, 2011. ACM.
[30] L. Xu, H. Zhang, X. Du, and C. Wang. Research on mandatory access control model for application system. In International Conference on Networks Security, Wireless Communications and Trusted Computing (NSWCTC ’09), volume 2, pages 159–163, April 2009.