A COMPLIANCE AWARE INFRASTRUCTURE AS A SERVICE

July 27, 2017 | Author: Shakil Khan | Categories: Computer Science, Ontology, Compliance, GRC, IaaS, OWL, Cloud, SWRL

International Journal of Services Computing (ISSN 2330-4472)

Vol. X, No. Y, Month Year

A COMPLIANCE AWARE INFRASTRUCTURE AS A SERVICE
Shakil M. Khan, Lorraine M. Herger, Mathew A. McCarthy
IBM Corporation
[email protected], [email protected], [email protected]

Abstract

With cloud eclipsing the $100B mark, it is clear that the main driver is no longer strictly cost savings. The focus now is to exploit the cloud for innovation, utilizing the agility to expand resources to quickly build out new designs, products, simulations and analyses. Companies will use this agility and speed as a competitive advantage. An example of the agility is the adoption by enterprises of the software-defined datacenter (SDDC) model, required to support the changing workloads and dynamic patterns of the enterprise. Often, security and compliance become an 'afterthought', bolted on later when problems arise. In this paper, we discuss our experience in developing and deploying a centralized management system for public clouds, as well as for an OpenStack based cloud platform in SoftLayer, with an innovative, analytics-driven 'security compliance as a service' that constantly adjusts to varying compliance requirements based on the workload and its security and compliance requirements.

Keywords: SDDC, GRC, Ontology, IaaS, Compliance, OWL, SWRL, Cloud

1. INTRODUCTION

Companies are increasingly going “cloudwards”, using both public providers and private datacenters, because of the business agility that Infrastructure as a Service (IaaS) enables. Full IT automation, self-service provisioning and metered usage billing help companies accelerate the development of their products and services and improve organizational efficiency. Unfortunately, many companies are struggling to accelerate the most important parts of their business due to the challenges of securing these highly dynamic environments. Use of a cloud service does not automatically guarantee strong security or required compliance. Although some providers offer optional security capabilities that can be used to help reach the required security and compliance posture, it is the user’s obligation to ensure that secure, compliant workloads run on the cloud. This fact is often forgotten in the haste to bring an application or service online. IBM Research has collaborative research projects with clients, ranging from internal business units to external clients such as government and almost all vertical market segments. Researchers need to run their experiments with innovative architectures and algorithms in a datacenter environment modeled around the ‘living lab’ concept in order to pilot solutions for highly dynamic and volatile markets in a timely fashion. This introduces tremendous challenges in supporting heterogeneity in workloads as well as in security and compliance requirements. In most cases the researchers who need to move fast and implement change run into very legitimate barriers and concerns from their IT and “governance” teams when they bring their ideas to the table.

The groups responsible for creating and supporting applications and solutions are chartered with ensuring that data and intellectual property are secure, that privacy laws and other regulations are complied with, and that the solutions are “future proof” and smart investments. The stewardship of one group to protect the company and of the other to accelerate the response to change creates tension, frustration, and conflict.

2. BRIDGING THE CHASM BETWEEN AGILITY AND SECURITY

With the acquisition of SoftLayer, IBM Research is being encouraged to use it to power its research workloads. Unfortunately, SoftLayer does not automatically guarantee strong security or required compliance. In order to stay relevant and competitive, research needs to respond to market forces almost immediately. Capabilities such as a service catalog with standardized offerings and tiered SLAs, automated workload aware provisioning in private, public and hybrid clouds, proactive incident and problem management, and IT cost transparency and chargeback have helped unlock the efficiency, agility and benefits of cloud. Yet reliability, security and compliance stand as formidable barriers in the path of turning these benefits into the true potential for achieving innovation at the speed of the business. Manual security and compliance as an “afterthought” pose the following challenges to the researchers:

- Need-specific, piecemeal solutions bolted on to existing infrastructures create silos, drive up cost and impede innovation.
- Users lack expertise in security and compliance. Often changes in regulations are not communicated outside the security and compliance functions, leading to contextually invalid security implementations by users.
- Data theft and intellectual property theft due to lack of security and compliance expertise.
- ‘Home grown’ research solutions that meet business requirements but fall short of security and compliance audit requirements.

This situation can only be overcome by building an IaaS integrated with a fully automated risk assessment and remediation engine in a “Compliance as a Service (CaaS)” model. CaaS treats non-functional security and compliance requirements in a non-proprietary and interoperable way. CaaS functional activities are controlled by a set of dynamic policies. An analytics function constantly interfaces with security information and event management (SIEM) tools, audit logging, etc., to measure the drift and then disseminates policy commands to the policy aware security control components, applications, IaaS and Platform as a Service (PaaS) to fix the drift. IaaS and PaaS also solicit guidance during provisioning to the selected target environment, based on compliance requirements and trend analysis. This integration of the “infrastructure as code” model (IaaS) with the “compliance as code” model (CaaS) bridges the gap between agility and security.

3. COMPLIANCE AS A SERVICE SOLUTION ARCHITECTURE

Figure 1 describes the high level CaaS solution framework that enables security provisioning. Major solution components are OpenPages, the CaaS Controller, the Policy/Plan Translation Framework, the Event Collection Framework and the IaaS and PaaS Audit Trails, described in the following subsections.

Fig 1: CaaS solution architecture (components shown: Enterprise Ontology with Business Process Models, Organizational Hierarchies, Data Models, Contract Models and operational policies; OpenPages Orchestration; OpenPages Analytics; CaaS Controller; OpenPages Policy Lifecycle Management; Policy to Security Control Mapping; Event Correlation; Control to Plan Mapping; Compliance provenance; BigData Security Analytics; Forensic Analysis; Extended OpenPages Repository; RDF Store; CMDB; Root Cause Analysis; Drift Analysis; API; Policy and Management Plan Translation and dissemination Framework; Messaging Bus; VPN, Host IDS, Network IDS, Firewall, Asset Mgmt, OpenFlow Controller, Identity Mgmt, Patch Mgmt; MetaLayer; IaaS; Ops Mgmt, Problem Mgmt, Vulnerability Mgmt; Infrastructure and Apps with application and infrastructure events, health, topology and config; System as Data API; External Event Collection Framework; Network; App Dependency; Provisioning Audit Trail; PaaS Provisioning Audit Trail; Brokerage, Security and Process Control Remediation; Physical Datacenter)

3.1 OpenPages

An IBM solution in the space of governance, risk and compliance management. OpenPages allows describing the underlying security, compliance and risk requirements as declarative policy items. Policy items are then mapped to the security controls and checked periodically through management workflows to ensure policy adherence. Changes in regulations affect the requirements, thus also affecting the mapping of security controls and policy items. Therefore, policy has a process for controlling its overall lifecycle. We enhanced and extended the OpenPages security, compliance and operational management plans so that they could be annotated with security controls in a domain agnostic manner. We then integrated the OpenPages orchestration definition functions with CaaS functions that handle policy to control and control to plan mapping. We enhanced the OpenPages portal to include CaaS functionalities.

3.2 CaaS Controller

This is the centralized management system for security provisioning. The CaaS controller co-ordinates with various distributed policy-aware components to maintain the desired compliance state in a fully automated fashion. The controller continuously polls filtered monitoring data through an event collection framework. It indexes and aggregates the machine produced data, applies security control contexts and persists the result in the OpenPages repository. It then invokes OpenPages analytics and native algorithms to compute drifts. If components are determined to be out of policy, the controller invokes the OpenPages management plan to remediate the non-compliance. All the compliance state computations are also validated by a metadata driven controller function called the “Compliance provenance function”. The controller also provides sophisticated agentless monitoring of compromised virtual machines for forensic and root cause analysis. Finally, the controller provides functions to formalize knowledge derived from trend analysis and applies the knowledge to predict compliance drift.

3.3 Policy/Plan Translation Framework

Management plans in the OpenPages orchestration framework are annotated with security controls in an abstract manner. In order to remediate a component deemed out of policy, there is a need for a semantic layer which knows the component domain, the domain specific security control, the domain specific policy and the domain specific action to take to bring the component back into compliance. The success of “Compliance as Code” depends on the policy awareness of the cohorts of components that the CaaS controller interacts with. In reality, it is impractical to expect policy awareness from the vast swaths of domain solutions that make up the CaaS solution. Most of the solutions capture policies in the form of static configuration and do not expose any API to manipulate them. This semantic layer therefore also has the function of converting high level OpenPages native policies into an XACML format, and then into domain specific source control configurations.
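As an added example, not code from the paper or from OpenPages, the following Python sketch runs one cycle of the controller described in 3.2 and the translation step of 3.3: declarative policy items mapped to security controls, normalised monitoring events as the observed state, drift computed per host and policy item, each drift mapped to a management plan and rendered in the target component's own configuration language, and a provenance hash recording the evidence behind every verdict. Policy ids, control names, plan names, hosts and events are all constructed; `PasswordAuthentication` is a real sshd_config directive, the other configuration keys are stand-ins.

```python
"""Added example (not the paper's or OpenPages' code): one CaaS controller cycle.

Declarative policy items map to security controls; normalised monitoring events
form the observed state; drift is computed per (host, policy item); each drift is
mapped to a management plan and to a domain specific configuration line. Every
verdict carries a provenance hash of the evidence it was computed from.
Policy ids, controls, plan names, hosts and events are constructed for illustration.
"""
import hashlib
import json

# Declarative policy items mapped to security controls (constructed).
POLICY_ITEMS = {
    "P-001": {"control": "ssh.password_auth", "expected": "disabled", "cmp": "eq"},
    "P-002": {"control": "disk.encryption", "expected": "enabled", "cmp": "eq"},
    "P-003": {"control": "patch.max_age_days", "expected": 30, "cmp": "lte"},
}

# Control to management plan mapping (plan identifiers are assumed).
MANAGEMENT_PLANS = {
    "ssh.password_auth": "plan-harden-sshd",
    "disk.encryption": "plan-enable-volume-encryption",
    "patch.max_age_days": "plan-apply-patches",
}

# Semantic layer of section 3.3: render a policy item in the target component's own
# configuration language. "PasswordAuthentication" is a real sshd_config directive;
# the other two keys are constructed stand-ins for a domain specific config format.
DOMAIN_TRANSLATION = {
    "ssh.password_auth": lambda v: f"PasswordAuthentication {'no' if v == 'disabled' else 'yes'}",
    "disk.encryption": lambda v: f"volume_encryption = {'true' if v == 'enabled' else 'false'}",
    "patch.max_age_days": lambda v: f"patch_max_age_days = {v}",
}

# Constructed monitoring events, as the event collection framework would emit them
# after filtering: one observation of one control on one host, with a timestamp.
EVENTS = [
    {"host": "vm-01", "control": "ssh.password_auth", "value": "disabled", "ts": 100},
    {"host": "vm-01", "control": "ssh.password_auth", "value": "enabled", "ts": 180},
    {"host": "vm-01", "control": "disk.encryption", "value": "enabled", "ts": 100},
    {"host": "vm-01", "control": "patch.max_age_days", "value": 42, "ts": 100},
    {"host": "vm-02", "control": "ssh.password_auth", "value": "disabled", "ts": 100},
    {"host": "vm-02", "control": "disk.encryption", "value": "enabled", "ts": 100},
    {"host": "vm-02", "control": "patch.max_age_days", "value": 3, "ts": 100},
    {"host": "vm-03", "control": "ssh.password_auth", "value": "disabled", "ts": 100},
]


def latest_state(events):
    """Index events by (host, control), keeping only the newest observation of each."""
    state = {}
    for ev in events:
        key = (ev["host"], ev["control"])
        if key not in state or ev["ts"] > state[key]["ts"]:
            state[key] = ev
    return state


def satisfies(item, value):
    """Apply the policy item's comparator to an observed value."""
    if item["cmp"] == "eq":
        return value == item["expected"]
    if item["cmp"] == "lte":
        return value <= item["expected"]
    raise ValueError(f"unknown comparator {item['cmp']}")


def provenance(evidence):
    """Hash of the evidence behind a verdict, so the verdict can be re-validated later."""
    return hashlib.sha256(json.dumps(evidence, sort_keys=True).encode()).hexdigest()


def compute_drift(events, policy_items=POLICY_ITEMS):
    """One drift record per (host, policy item) that is out of policy.

    A host with no observation for a control is reported as drifted with reason
    "no evidence": missing telemetry must never be read as compliance."""
    state = latest_state(events)
    drifts = []
    for host in sorted({ev["host"] for ev in events}):
        for pid, item in policy_items.items():
            ev = state.get((host, item["control"]))
            if ev is not None and satisfies(item, ev["value"]):
                continue
            drifts.append({
                "host": host, "policy": pid, "control": item["control"],
                "expected": item["expected"],
                "observed": None if ev is None else ev["value"],
                "reason": "no evidence" if ev is None else "out of policy",
                "provenance": provenance(ev),
            })
    return drifts


def remediation_actions(drifts, plans=MANAGEMENT_PLANS, policy_items=POLICY_ITEMS):
    """Map each drift to (host, management plan, domain specific config line)."""
    return [(d["host"], plans[d["control"]],
             DOMAIN_TRANSLATION[d["control"]](policy_items[d["policy"]]["expected"]))
            for d in drifts]


if __name__ == "__main__":
    found = compute_drift(EVENTS)
    for d in found:
        print(d["host"], d["policy"], d["reason"], "observed", d["observed"], "expected", d["expected"])
    for action in remediation_actions(found):
        print(action)
```

Two design points matter for a controller of this kind: only the newest observation per (host, control) counts, so a host that was compliant and later regressed (vm-01's SSH setting here) is reported as drifted, and a host for which no observation exists at all (vm-03's disk and patch state) is reported with reason "no evidence" rather than silently passing.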


3.4 Event Collection Framework

The Event Collection Framework enables modularized solutions to collect events and alerts from key domains in a common format. The Framework also allows defining domain specific event filters created through a common user interface.

3.5 IaaS Audit Trail

The Software Defined Infrastructure with its “Infrastructure as Code” paradigm introduces such a dynamic environment and scale of operation that the traditional operations model is inadequate to meet the operations requirements. It also redistributes responsibilities from the lower levels of the stack to the platforms and applications. Operations are crucial to success, but operations can only succeed to the extent that they collaborate with developers and participate in the development of applications that can monitor and heal themselves. DevOps is an approach which streamlines the interdependencies between development and operations through a set of protocols and tools. DevOps facilitates an enhanced degree of agility and responsiveness through continuous integration, continuous delivery, and continuous feedback loops between development and operations teams. DevOps tools scan an environment to gather infrastructure components and configuration information and make these available to the deployment engine manifests. The deployment engine then manipulates these configurations through a plain text language which, along with the deployment artifacts, can easily be version controlled. This provides a powerful framework to make compliance specific security controls available to policy-aware applications in the form of fully traceable configuration parameters. Since DevOps is at the core of the IaaS framework, audit logging of provisioning activities is automatically supported to provide information for security control.

3.6 PaaS Audit Trail

The Information Technology Infrastructure Library (ITIL) is a framework of best practice approaches intended to facilitate the delivery of high quality information services. In order to facilitate the integration and automation of ITIL best practices, ITIL specifies the use of a Configuration Management Database (CMDB) to leverage a single source of information for all configuration items (CIs) such as computer systems, operating systems, and software installations. The configuration management process includes performing tasks such as identifying configuration items and their relationships, and adding them to the CMDB. The contextual mapping of CIs stored in the CMDB provides the basis for converting the information into a knowledge graph (RDF) based semantic model. This allows us to traverse the relationships to form pattern-based queries and deduce other implicit relationships which may not be stored. This permits meshing an external information graph with the CMDB knowledge graph through entailment. In the presence of partial information (an essential feature of volatile unstructured data) the output is still a consistent RDF model, which can be successfully processed. The CMDB acts as a Trusted Information Management Framework for master configuration data. The Topology and Orchestration Specification for Cloud Applications (TOSCA) ensures the portability of a complex cloud application running on complex software and hardware infrastructures. TOSCA’s abstraction level provides a way to describe both applications and infrastructure components at a high level, which enables cloud orchestration that can leverage the CMDB for the infrastructure layer. Assembling and orchestrating virtual images into larger structures, and then relating these to existing infrastructure, produces a useful audit trail which can be mined to unearth process flaws that could lead to non-compliance. Also, through TOSCA’s lifecycle support beyond deployment, it is possible to provide historical data to measure topology drift.

4. MAPPING NON-IT BUSINESS CONTROLS TO IT/SECURITY CONTROLS

A dynamic enterprise is comprised of hierarchical functional layers where the business reference model of ideas and goals sits at the top, followed by business functions, business processes, business services, and the IT functional model and its realization at the bottom. Each layer comprises cohorts of domain meta models that represent domain scope, functions, and policies. Policies defined at the top layer to guide business goals, ideas and functions become more and more IT implementation specific as they move towards each successive lower layer.

Fig 2: Business controls to IT/Security controls (Semantic business Model Inference and Translation Engine; inputs: Contract, Enterprise Ontology; outputs: Optimized IT functional Model, Optimized IT Security Configuration Model, Realized IT Model, and the Discrepancy between the Optimized IT functional Model and the realized IT model)

Governance, Risk and Compliance activities in an enterprise rely on measuring the state of compliance of business processes using security controls derived from regulatory policies. These controls could be implemented in a variety of ways. In an ever evolving enterprise, business events arising outside IT may very well change the consistency, definition and implementation of the security controls (for example a merger between a business process oriented company and a functionally oriented company), leading to outright non-compliance pertaining to business processes, security etc. Understanding the security compliance behavior through the lens of regulatory policies and within the confines of the business process model and IT oriented models is not sufficient. We need a way to factor in the impact of business functions, goals, ideas and complex cross business area functional and process interactions described in high level business policies to determine the optimized security configuration. Complicating the situation, enterprises also utilize operating agreement contracts with customers which cover security and compliance requirements, in a manner similar to procurement, pricing or SLA specifications. However, the security and compliance requirements introduced by these contracts with enterprise clients are also defined in text which is not easily interpreted into IT requirement policies. As with the other aspects of the contract which have been interpreted with XML formats, the security and compliance feature/requirement set can be automatically extracted via a Compliance as a Service model, which can then be interpreted and applied. When read together, these ideas still present several important gaps:

1. The IT functional model is evaluated against statically defined high level compliance policies to assess the impact on low level policies and the state of compliance only. Business demand is limited to changing the IT functional model and subsequently the compliance state, which current disclosures suggest correcting through manual changes in low level IT policies.
2. IT-business alignment is interpreted through the IT functional model only.
3. The criterion for satisfied compliance is based on evidence between IT system policies and the documented security requirements (compliance policies) only. There is no notion of an optimized compliance configuration based on the tolerance for risk and the budget for security defined through contracts and the enterprise architecture (ontology).
4. Proposed methods ignore operational goals (sustainability, performance, profitability).

Since there is no iterative correspondence between the enterprise operational universe and a Compliance as a Service solution to negotiate and implement an optimized compliance configuration that balances tolerance for risk and budget for security, we propose a fully automated risk assessment and remediation solution in a “Compliance as a Service (CaaS)” model that dynamically derives the IT functional model from the Enterprise Ontology, which essentially captures organizational goals and the operational universe. The contract model within the Enterprise Ontology decomposes the portions of contracts that will require IT commitments into high level policies and dynamically binds them to security requirements.
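The following Python example is added here and is not the paper's code. It serves two passages at once: the CMDB-as-knowledge-graph idea of section 3.6 (CIs and relationships as RDF-style triples, pattern queries, entailment that derives relationships the CMDB does not store) and the mapping of section 4 (a control required by a customer contract that governs a business process is propagated, through the enterprise ontology and the CI dependency chain, down to the configuration items that must implement it, and the result is compared with the realized IT model to produce the discrepancy of Fig 2). All identifiers, relationship names, controls and triples are constructed; the rules are a hand-written forward chainer, not a standard RDFS/OWL reasoner.

```python
"""Added example, not the paper's code: the CMDB and the enterprise ontology as one
RDF-style triple graph, forward-chaining entailment that derives which security
controls each configuration item must implement, a pattern query over the result,
and the discrepancy against the realized IT model.
All identifiers, relationships and controls are constructed for illustration.
"""

# Constructed triples: (subject, predicate, object)
TRIPLES = {
    # CMDB configuration items and their stored relationships
    ("app-billing", "runsOn", "vm-01"),
    ("vm-01", "hostedOn", "hv-01"),
    ("vm-01", "dependsOn", "db-01"),
    ("db-01", "runsOn", "vm-02"),
    # Enterprise ontology: business process, governing contract, required controls
    ("proc-invoicing", "uses", "app-billing"),
    ("contract-acme", "governs", "proc-invoicing"),
    ("contract-acme", "requires", "ctl-encrypt-at-rest"),
    ("contract-acme", "requires", "ctl-mfa-admin"),
    # Realized IT model: controls actually implemented today
    ("vm-01", "implements", "ctl-mfa-admin"),
    ("vm-02", "implements", "ctl-encrypt-at-rest"),
    ("vm-02", "implements", "ctl-mfa-admin"),
}


def query(triples, s=None, p=None, o=None):
    """Pattern query over the graph; None is a wildcard. Returns the matching triples."""
    return {t for t in triples
            if (s is None or t[0] == s) and (p is None or t[1] == p) and (o is None or t[2] == o)}


def rule_sub_properties(triples):
    """runsOn and hostedOn are both kinds of dependsOn."""
    return {(s, "dependsOn", o) for (s, p, o) in triples if p in ("runsOn", "hostedOn")}


def rule_transitive_depends(triples):
    """dependsOn is transitive: a -> b and b -> c entail a -> c."""
    new = set()
    for (a, _, b) in query(triples, p="dependsOn"):
        for (_, _, c) in query(triples, s=b, p="dependsOn"):
            new.add((a, "dependsOn", c))
    return new


def rule_contract_to_app(triples):
    """A control required by a contract governing a process applies to every app the process uses."""
    new = set()
    for (proc, _, app) in query(triples, p="uses"):
        for (contract, _, _) in query(triples, p="governs", o=proc):
            for (_, _, ctl) in query(triples, s=contract, p="requires"):
                new.add((app, "mustImplement", ctl))
    return new


def rule_propagate_down(triples):
    """A required control propagates to everything the obligated item depends on."""
    new = set()
    for (x, _, ctl) in query(triples, p="mustImplement"):
        for (_, _, y) in query(triples, s=x, p="dependsOn"):
            new.add((y, "mustImplement", ctl))
    return new


RULES = [rule_sub_properties, rule_transitive_depends, rule_contract_to_app, rule_propagate_down]


def entail(triples, rules=RULES):
    """Forward chaining to a fixpoint. Partial input still yields a consistent graph:
    rules only add triples, they never fail on missing ones."""
    graph = set(triples)
    while True:
        derived = set()
        for rule in rules:
            derived |= rule(graph)
        if derived <= graph:
            return graph
        graph |= derived


def discrepancy(graph):
    """Required-but-not-implemented (item, control) pairs: the gap between the
    optimized IT security configuration model and the realized IT model."""
    required = {(s, o) for (s, _, o) in query(graph, p="mustImplement")}
    realized = {(s, o) for (s, _, o) in query(graph, p="implements")}
    return required - realized


if __name__ == "__main__":
    g = entail(TRIPLES)
    print("app-billing depends on:", sorted(o for (_, _, o) in query(g, s="app-billing", p="dependsOn")))
    for item, ctl in sorted(discrepancy(g)):
        print(f"{item} must implement {ctl} but does not")
```

Nothing in the stored CMDB says that app-billing depends on vm-02 or that the hypervisor hv-01 is in scope of the ACME contract; both facts are entailed, which is exactly the kind of implicit relationship section 3.6 wants a pattern query to reach, and the discrepancy set is the report a Fig 2 engine would hand to the user.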


A semantic representation of the regulations as well as of the enterprise reference architecture provides the flexibility and extensibility needed for modeling continuously evolving enterprise domains and compliance regulations, and for capturing the impact of business goals and ideas on determining the state of compliance. Figure 2 depicts a semantic business model inference and translation engine that reasons over the enterprise ontology, constrained by the business model and control instances derived from contracts or from manual input in the form of business metrics for performance, business metrics on the effect of risk on capital and earnings, business metrics for sustainability, business metrics on tolerance for risk, risk scores and vectors, cost of security etc., to provide one or more outputs on the degree of performance, the optimized enterprise architecture, the optimized security configuration, the optimized IT functional model, and the discrepancy between the optimized IT functional model and the realized IT model as a report to a user. Figure 3 shows a flow diagram for the iterative computation of the state of compliance using the enterprise ontology, contracts, IT functional model etc.

Fig 3: Enterprise Ontology and policy generation (flow diagram; steps 100-160: Start; Org profile, rules, services, costs; Org profile, processes, services, activities, roles, goals, technology; Enterprise profile and rule based contract content analysis; 120 Analysis based visualization of IT relevant parameters; IT professional contract modification via visualization assistant; 130 Create IT instance from IT functional, security requirement and implementation model; 140 Generate and manage high level operational policies; 150 Generate deal specific artifacts, with additional revision from other parties; IT implementation details, project specific policies, IT security and compliance requirements; 160 Disambiguate contextual references, map policy to security controls. Steps 200-280: Read Enterprise Ontology; Read Contract Model; Map portions of contracts to appropriate business semantics (processes, activities, roles, goals, technologies etc.); Derive IT functional model; Annotate security controls with security requirements, generate low level policies; Deploy and collect evidence; Compute; Drift? No; Create revised version of contract with known, accepted IT parameters; Stop)

In Figure 3, contract analytics, with the help of domain experts, the Enterprise Ontology (enterprise profile, services, rules) and parameterized operational criteria (sustainability, performance, profitability), e.g. costs, tolerance for security and budget for security, as input, decomposes the portions of contracts that will require IT commitments into high level policies and requirements (100, 101, 120, 130, 140, 150, 160). An IT functional model is dynamically derived with the help of the Enterprise Ontology and the artifacts generated from contract analytics. The IT functional model dynamically binds with security requirements and security implementations and generates deployable policies. The policies are deployed and evidence is collected. The evidence is computed and compared against the parameterized enterprise operational goals and requirement thresholds. If drift is detected, modifications to the contractual item or items and to the Enterprise Ontology are suggested. The process iterates until the measures reach within the defined tolerance for the threshold (200, 210, 220, 230, 240, 250, 260, 270, 280).

5. ONTOLOGY BASED COMPLIANCE VALIDATION EXAMPLE

Security incidents with data breaches present a wide array of legal problems for victim companies. The data breach notification laws, pertaining to the definition of personal information, identification of notification triggers, method of notification, content of notification, determination of time and acceptable delays etc., vary widely across states. A meta model for compliance validation and evaluation, i.e. a Compliance-Ontology, is proposed, based on which regulation constraints can be modeled into OWL axioms and SWRL rules. An activity (Data-Sensitivity-Assessment-Activity) from the Data Breach Notification Process Flow has been used to show how state statute provisioned regulatory constraints are applied to validate activity result compliance. This meta model is influenced by “Ontology-based semantic modeling of regulation constraint for automated construction quality compliance checking” (Zhong, Ding, et al. 2012). The Compliance Checking Ontology serves as a meta model, defining the concepts and relations related to IT security regulatory compliance checking. The Analysis-Task class is the central concept in this ontology. An Analysis-Task is set according to the specific regulation constraint. An Analysis-Task can be related to the Analysis-Object through the “hasAnalysisObject” property, which indicates that the Analysis-Object will be inspected to make sure of its compliance to the relevant regulation constraints through the execution of the Analysis-Task. The Analysis-Object refers to any concept governed by regulations and indicates what is to be inspected; in the case of the IT security compliance to regulatory requirements domain, the entities include identification, evaluation and remediation processes (activities and procedures), the data security products and the resources used in analysis. An Analysis-Object may include a set of violation analysis items. These analysis items can be identified from the regulation provisions. For example, the NYS Information Security Breach and Notification Act comprises section 208 of the State Technology Law and section 899-aa of the General Business Law. Section 899-aa states that “(c) "Breach of the security of the system" shall mean unauthorized acquisition or acquisition without valid authorization of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business. Good faith acquisition of personal information by an employee or agent of the business for the purposes of the business is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure. In determining whether information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person or a person without valid authorization, such business may consider the following factors, among others: (1) Indications that the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing information ... (d) "Consumer reporting agency" shall mean any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports. 2. Any person or business which conducts business in New York state, and which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization.” Here the analysis items include the determination of personal information, identification of notification triggers, method of notification, content of notification, determination of time and acceptable delays etc., which vary widely across states, and so on. Furthermore, an Analysis-Task needs a set of Analysis-Item-Checking-Actions to test and collect the conformance information/data for the analysis items. Each Analysis-Item-Checking-Action has a Checking-Result, which represents the actual violation/conformance/compliance information collected. Similarly, an Analysis-Task needs a set of Evaluation-Tasks to evaluate the provenance of those analysis items in accordance with the Evaluation-Criteria. The Evaluation-Criteria are imposed by the regulation provisions or set by the domain experts. Based on the Checking-Result and the Evaluation-Criteria, the Evaluation-Task can be done to judge whether the analysis items are compliant with the regulation constraints. Each Evaluation-Task has an Evaluation-Result, and these together constitute the Analysis-Report. The Analysis-Report of a particular Analysis-Task for the corresponding Analysis-Object can be documented, based on the Evaluation-Results of all the inspection items. In the Compliance Ontology, the Regulation-Constraint constitutes the main analysis knowledge, since the focus is regulation-based compliance analysis. Each constraint comes from the corresponding provision text in the regulations. The relation “hasRegulation” associates the constraint with the provision text from which the constraint is extracted. Meanwhile, an Analysis-Task must be assigned to a Position as its responsibility, which performs the Analysis-Item-Checking-Action and the Evaluation-Task to accomplish the Analysis-Task. In addition, many parameters, such as business process parameters, IT functional and realization parameters, user behavioral parameters and so on, are used to depict the compliance features/state in the IT security regulatory compliance domain. As shown in Fig. 3, the Analysis-Object can be the IT functional model, IT security model, IT configuration model, IT security products, business processes, or user activities and so on. Here, each main concept indicates one facet of the analysis objects, and can be modeled as the IT security process ontology. In the Compliance Ontology, the Analysis-Object concepts (enveloped with the dashed line, as shown in Fig. 3) are also the concepts of the IT security process model. Through the Analysis-Object concept, the Compliance Ontology for compliance checking can interact with the IT security process model. The meta model provides general and common terms and relations common to the IT security compliance checking against regulatory requirements domain.

Based on the meta model, the specific domain model for security compliance checking can be obtained via specializing and instantiating the generic concepts and relations in the meta model. Since the meta model is not limited to any specific IT security domain, it can be reused independently of any specific security implementation. Based on the meta model and the ontology, the constraint knowledge imposed by the regulations can be clearly and unambiguously defined such that it may potentially be interpreted by a machine. Here, sensitive data breach notification process compliance analysis is presented as an example. Based on the Compliance-Ontology, regulation constraints can be modeled into OWL axioms and SWRL rules. An activity (Data-Sensitivity-Assessment-Activity) from the Data Breach Notification Process Flow has been used to show how state statute provisioned regulatory constraints are applied to validate activity result compliance.


Fig 4: Compliance checking Ontology (concepts: Regulation, Regulation-Constraint, Deontic-Constraint, Parameter, Analysis-Task, Analysis-Object, Analysis-Item-Checking-Action, Checking-Result, Evaluation-Task, Evaluation-Criteria, Evaluation-Result, Compliance-Report, Role, and the Process Model whose resource, product and activity concepts the Analysis-Object includes; relations: hasReference, isRegulatedBy, hasAnalysisCriteria, hasAnalysisItem, hasAnalysisTask, hasEvaluationTask, hasEvaluationCriteria, hasCheckingResult, hasEvaluationResult, hasAnalysisReport, performAnalysis, performEvaluation, isResponsibilityOf, isComposedOf, include, ComplianceCheckingAction, Analysis2Evaluation)

Fig 5: Data breach notification process flow (Data Breach Notification Analysis Process hasActivity ... Data-Sensitivity-Assessment-Activity, Incident-Investigation-Activity, Restore-System-Security-Activity, Notification-Activity ...; relations isDirectlyBefore and isUsedIn; the incident is characterized by the following parameters)

- State: to determine the state statutes pertaining to the definition of personal information, determination of notification triggers, content of notification etc.
- Incident-timestamp: to determine the acceptable delay


Axiom A1. “Analysis-Task hasAnalysisItemComplianceCheckingAction only Analysis-Item-Checking-Action” and Axiom A2. “Analysis-Task hasAnalysisItemComplianceCheckingAction min 1” can be expressed in the OWL format below.
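As an added example, not the paper's own OWL, the following Python renders axioms A1 and A2 as OWL restrictions (owl:allValuesFrom for “only”, owl:minCardinality for “min 1”) in RDF/XML using only the standard library, parses the document back to confirm the two restrictions are present, and then validates a task instance against the axioms in a closed-world fashion. The ontology namespace `http://example.org/compliance-ontology#` is assumed; the instance names echo the labels visible in Fig 6.

```python
"""Added example, not the paper's OWL: axioms A1 and A2 rendered as OWL restrictions
in RDF/XML with the standard library, plus a closed-world check of a task instance
against them. The ontology IRI is assumed; instance names follow the labels of Fig 6.
"""
import xml.etree.ElementTree as ET

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
RDFS = "http://www.w3.org/2000/01/rdf-schema#"
OWL = "http://www.w3.org/2002/07/owl#"
XSD = "http://www.w3.org/2001/XMLSchema#"
CO = "http://example.org/compliance-ontology#"  # assumed ontology namespace
PROP = "hasAnalysisItemComplianceCheckingAction"
FILLER = "Analysis-Item-Checking-Action"

for prefix, uri in (("rdf", RDF), ("rdfs", RDFS), ("owl", OWL)):
    ET.register_namespace(prefix, uri)


def _restriction(parent, kind, value, datatype=None):
    """Append rdfs:subClassOf [ owl:Restriction owl:onProperty PROP ; owl:<kind> value ]."""
    sub = ET.SubElement(parent, f"{{{RDFS}}}subClassOf")
    r = ET.SubElement(sub, f"{{{OWL}}}Restriction")
    ET.SubElement(r, f"{{{OWL}}}onProperty", {f"{{{RDF}}}resource": CO + PROP})
    if datatype is None:
        ET.SubElement(r, f"{{{OWL}}}{kind}", {f"{{{RDF}}}resource": value})
    else:
        lit = ET.SubElement(r, f"{{{OWL}}}{kind}", {f"{{{RDF}}}datatype": datatype})
        lit.text = value


def axioms_rdfxml():
    """Analysis-Task subClassOf (PROP only FILLER) and (PROP min 1), serialized as RDF/XML."""
    root = ET.Element(f"{{{RDF}}}RDF")
    ET.SubElement(root, f"{{{OWL}}}Ontology", {f"{{{RDF}}}about": CO.rstrip("#")})
    ET.SubElement(root, f"{{{OWL}}}ObjectProperty", {f"{{{RDF}}}about": CO + PROP})
    ET.SubElement(root, f"{{{OWL}}}Class", {f"{{{RDF}}}about": CO + FILLER})
    task = ET.SubElement(root, f"{{{OWL}}}Class", {f"{{{RDF}}}about": CO + "Analysis-Task"})
    _restriction(task, "allValuesFrom", CO + FILLER)                       # Axiom A1: "only"
    _restriction(task, "minCardinality", "1", XSD + "nonNegativeInteger")  # Axiom A2: "min 1"
    return ET.tostring(root, encoding="unicode")


def restriction_kinds(rdfxml):
    """Parse the document back and list the restriction types it declares, in order."""
    root = ET.fromstring(rdfxml)
    kinds = []
    for r in root.iter(f"{{{OWL}}}Restriction"):
        for child in r:
            if child.tag != f"{{{OWL}}}onProperty":
                kinds.append(child.tag.split("}")[1])
    return kinds


def check_task(task_values, individuals):
    """Closed-world validation of one Analysis-Task instance against A1 and A2.

    task_values: the individuals the task links to via PROP.
    individuals: name -> set of class names the individual is asserted to belong to.
    An OWL reasoner works open-world and would not flag a missing value as a
    violation of 'min 1'; a validator run by the controller deliberately does."""
    violations = []
    if len(task_values) < 1:
        violations.append("A2: task has no Analysis-Item-Checking-Action")
    for v in task_values:
        if FILLER not in individuals.get(v, set()):
            violations.append(f"A1: {v} is not an {FILLER}")
    return violations


# Constructed instances, named after the labels in Fig 6
INDIVIDUALS = {
    "Data-Sensitivity-Checking-Action_1": {FILLER},
    "Evaluation-Action_1": {"Evaluation-Task"},
}

if __name__ == "__main__":
    print(axioms_rdfxml())
    print(check_task(["Data-Sensitivity-Checking-Action_1"], INDIVIDUALS))
    print(check_task(["Evaluation-Action_1"], INDIVIDUALS))
    print(check_task([], INDIVIDUALS))
```

The distinction in `check_task` is the one that matters in practice: the axioms are written in OWL for interchange and reasoning, but a compliance controller that wants to report a task with no checking action as a defect must apply them as closed-world integrity constraints rather than rely on open-world entailment.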

Fig 6: Compliance Checking Ontology and Data Breach Notification instance (ontology level: Compliance-Ontology, Regulation, Regulation-Constraint, Analysis-Object, Analysis-Task, Role, Analysis-Item-Checking-Action, Checking-Result, Evaluation-Task, Evaluation-Result, Compliance-Report; instance level: Title 15, United States Code; Investigation Personnel; Law Enforcement; Acceptance Standard; Evaluation Criteria; Constraint; Data-Security-task1; Data-Breach-Notification-Analysis-task1; Data-Sensitivity-Checking-Action_1; Data-Sensitivity 1; Data-Sensitivity-Checking Result_1; Evaluation-Action_1; Analysis-Report1; John Doe; relations hasAnalysisItem, isRegulatedBy, hasComplianceEvaluationResult, isComposedOf, Checking2Evaluation, ComplianceCheckingAction, ComplianceEvaluationAction)

Based on the Compliance Ontology and the IT Security process, each compliance analysis task can be modeled as an ontology instance. Fig. 5 shows the Compliance Ontology instance for sensitive data breach notification process compliance checking. In order to make the ontology knowledge understandable to both machines and human beings, the ontology knowledge is described in OWL. OWL is a W3C recommended language for ontology representation on the semantic web. It offers a relatively high level of expressivity while still being decidable. In addition, OWL, as a formal language with description logic based semantics, enables automatic reasoning about inconsistencies of concepts, and provides RDF/XML syntax to represent ontology knowledge.

5.2 Constraints

The constraint “Personal Information must contain consumer’s name and at least one of the following information: Social Security Number, Driver’s License Number or State Identification Card Number, Credit card number, debit card number, account number and any codes or password (from State Data Breach Notification Law)” can be modeled in the following Axiom A:
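As an added example, not the paper's axiom or code, the constraint above can be evaluated as a rule over breach records, following the ontology's chain from Analysis-Item-Checking-Action to Checking-Result to Evaluation-Task to Evaluation-Result. The record field names, the sample records and the evaluation criterion are constructed. The statute wording is read as "consumer name AND at least one listed identifier", and the phrase "account number and any codes or password" is taken to mean that an account number qualifies only together with a code or password; that reading is an assumption of this example, not a statement of the law.

```python
"""Added example, not the paper's axiom: the 'Personal Information' constraint of
section 5.2 evaluated as a rule over constructed breach records, following the
chain Analysis-Item-Checking-Action -> Checking-Result -> Evaluation-Task ->
Evaluation-Result. Field names and records are assumed. Interpretation assumed:
name AND (one standalone identifier OR account number together with a code/password).

The same rule body in SWRL-style notation, with assumed property names, would read
  Record(?r) ^ hasConsumerName(?r, ?n) ^ hasSSN(?r, ?s) -> Personal-Information(?r)
with one such rule per qualifying identifier; the predicate below folds them into one.
"""

STANDALONE_IDENTIFIERS = ("ssn", "drivers_license", "state_id_card", "credit_card", "debit_card")
ACCOUNT_SECRETS = ("access_code", "password")


def is_personal_information(record):
    """Rule body: consumer name present AND (a standalone identifier OR account number + secret)."""
    if not record.get("consumer_name"):
        return False
    if any(record.get(f) for f in STANDALONE_IDENTIFIERS):
        return True
    # assumption: an account number counts only in combination with a code or password
    return bool(record.get("account_number")) and any(record.get(f) for f in ACCOUNT_SECRETS)


def data_sensitivity_checking_action(records):
    """Analysis-Item-Checking-Action: classify every exposed record, yielding the Checking-Result."""
    personal = [r["id"] for r in records if is_personal_information(r)]
    other = [r["id"] for r in records if r["id"] not in personal]
    return {"personal_information": personal, "not_personal_information": other}


def evaluation_task(checking_result, criteria):
    """Evaluation-Task: apply the Evaluation-Criteria to the Checking-Result.

    criteria "any" (constructed): the notification trigger fires if at least one
    exposed record is personal information under the constraint."""
    if criteria != "any":
        raise ValueError(f"unknown criteria {criteria}")
    hits = checking_result["personal_information"]
    return {"notification_triggered": len(hits) > 0, "records": hits}


# Constructed sample: records exposed in a hypothetical incident (values are dummies)
RECORDS = [
    {"id": "rec-1", "consumer_name": "A. Person", "ssn": "***-**-1234"},              # name + SSN
    {"id": "rec-2", "consumer_name": "B. Person", "account_number": "4412"},            # account, no code
    {"id": "rec-3", "consumer_name": "C. Person", "account_number": "5510", "password": "x"},
    {"id": "rec-4", "credit_card": "4111-xxxx"},                                         # no name
    {"id": "rec-5", "consumer_name": "E. Person", "email": "e@example.invalid"},        # not listed
]

if __name__ == "__main__":
    result = data_sensitivity_checking_action(RECORDS)
    print("Checking-Result:", result)
    print("Evaluation-Result:", evaluation_task(result, "any"))
```

Keeping the checking action (which records match the definition) separate from the evaluation task (what the matches mean under the chosen criteria) mirrors the ontology and lets the same Checking-Result be re-evaluated when the Evaluation-Criteria change, for example when the State parameter of Fig 5 selects a different statute.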