International Journal of Services Computing (ISSN 2330-4472)
Vol. X, No. Y, Month Year
A COMPLIANCE AWARE INFRASTRUCTURE AS A SERVICE
Shakil M. Khan, Lorraine M. Herger, Mathew A. McCarthy
IBM Corporation
Abstract
With cloud eclipsing the $100B mark, it is clear that the main driver is no longer strictly cost savings. The focus now is to exploit the cloud for innovation, utilizing the agility to expand resources to quickly build out new designs, products, simulations and analyses. Companies will use this agility and speed as a competitive advantage. An example of this agility is the adoption by enterprises of the software-defined datacenter (SDDC) model, required to support the changing workloads and dynamic patterns of the enterprise. Often, security and compliance become an 'afterthought', bolted on later when problems arise. In this paper, we discuss our experience in developing and deploying a centralized management system for public cloud as well as an OpenStack based cloud platform in SoftLayer, with an innovative, analytics-driven 'security compliance as a service' that constantly adjusts to varying compliance requirements based on workload, security and compliance requirements.

Keywords: SDDC, GRC, Ontology, IaaS, Compliance, OWL, SWRL, Cloud
1. INTRODUCTION
Companies are increasingly going "cloudwards", using both public providers and private datacenters, because of the business agility that Infrastructure as a Service (IaaS) enables. Full IT automation, self-service provisioning, and metered usage billing help companies accelerate the development of their products and services, and improve organizational efficiency. Unfortunately, many companies are struggling to accelerate the most important parts of their business due to the challenges of securing these highly dynamic environments. Use of a cloud service does not automatically guarantee strong security or required compliance. Although some providers offer optional security capabilities that can be used to help reach the required security and compliance posture, it is the user's obligation to ensure that workloads running on the cloud are secure and compliant. This fact is often forgotten in the haste to bring an application or service online. IBM Research has collaborative research projects with clients, ranging from internal business units to external clients such as government and almost all vertical market segments. Researchers need to run their experiments with innovative architectures and algorithms in a datacenter environment modeled around the 'living lab' concept in order to pilot solutions for highly dynamic and volatile markets in a timely fashion. This introduces tremendous challenges in supporting heterogeneity in workloads as well as security and compliance requirements. In most cases the researchers who need to move fast and implement change run into very legitimate barriers and concerns from their IT and "governance" teams when they bring their ideas to the table.
The groups responsible for creating and supporting applications and solutions are chartered with ensuring that data and intellectual property are secure, that privacy laws and other regulations are complied with, and that the solutions are "future proof" and smart investments. The stewardship of one group to protect the company and the other to accelerate the response to change creates tension, frustration, and conflict.
2. BRIDGING THE CHASM BETWEEN AGILITY AND SECURITY
With the acquisition of SoftLayer, IBM Research is being encouraged to use it to power its research workloads. Unfortunately, SoftLayer does not automatically guarantee strong security or required compliance. In order to stay relevant and competitive, research needs to respond to market forces almost immediately. Capabilities such as a service catalog with standardized offerings and tiered SLAs, automated workload-aware provisioning in private, public and hybrid clouds, proactive incident and problem management, and IT cost transparency and chargeback have helped unlock the efficiency, agility and benefits of cloud. Yet reliability, security and compliance stand as formidable barriers in the path of turning these benefits into true potential for achieving innovation at the speed of the business. Manual security and compliance as an "afterthought" poses the following challenges to the researchers:
- Need-specific, piecemeal solutions bolted on to existing infrastructures create silos, drive up cost, and impede innovation.
- Users lack expertise in security and compliance. Often the changes in regulations are not communicated outside security and compliance functions, leading to contextually invalid security implementations by users.
- Data theft and intellectual property theft due to lack of security and compliance expertise.
- 'Home grown' research solutions that meet business requirements but fall short of security and compliance audit requirements.
This situation can only be overcome by building an IaaS integrated with a fully automated risk assessment and remediation engine in a "Compliance as a Service (CaaS)" model. CaaS treats non-functional security and compliance requirements in a non-proprietary and interoperable way. CaaS functional activities are controlled by a set of dynamic policies. An analytics function constantly interfaces with security information and event management (SIEM) tools, audit logging, etc., to measure the drift and then disseminates policy commands to the policy-aware security control components, applications, IaaS and Platform as a Service (PaaS) to fix the drift. IaaS and PaaS also solicit guidance during provisioning to a selected target environment based on compliance requirements and trend analysis. This integration of the "infrastructure as code" model (IaaS) with the "compliance as code" model (CaaS) bridges the gap between agility and security.
3. COMPLIANCE AS A SERVICE SOLUTION ARCHITECTURE
Figure 1 describes the high level CaaS solution framework that enables security provisioning. The major solution components are shown in Figure 1.

[Fig 1: CaaS solution architecture. Recoverable labels from the figure: Enterprise Ontology (Business Process Models, Organizational Hierarchies, Data Models, Contracts Models, operational policies); OpenPages Orchestration, OpenPages Analytics, OpenPages Policy Lifecycle Management; CaaS Controller (Policy to Security Control Mapping, Control to Plan Mapping, Event Correlation, Compliance provenance, BigData Security Analytics, Forensic Analysis, Root Cause Analysis, Drift Analysis); state stores (Extended OpenPages Repository, RDF Store, CMDB); API; Policy and Management Plan Translation and Dissemination Framework; Messaging Bus; policy-aware components (VPN, Host IDS, Network IDS, Firewall, Asset Mgmt, OpenFlow Controller, Identity Mgmt, Patch Mgmt, Ops Mgmt, Problem Mgmt, Vulnerability Mgmt); MetaLayer; IaaS; Infrastructure and Apps (Application, Infrastructure, Events, health, Topology, Config); System as Data; External Event Collection Framework (Network, App Dependency, Provisioning Audit Trail, PaaS Provisioning Audit Trail, Brokerage, Security and Process Control, Remediation); Physical Datacenter.]

3.1 OpenPages
OpenPages is an IBM solution in the space of governance, risk and compliance management. OpenPages allows describing underlying security, compliance and risk requirements as declarative policy items. Policy items are then mapped to the security controls and checked periodically through management workflows to ensure policy adherence. Changes in regulations affect the requirements, thus also affecting the mapping of security controls and policy items. Therefore, a policy will have a process for controlling its overall lifecycle. We enhanced and extended OpenPages security, compliance and operational management plans so that they could be annotated with security controls in a domain-agnostic manner. We then integrated the OpenPages orchestration definition functions with CaaS functions that handle policy-to-control and control-to-plan mapping. We enhanced the OpenPages portal to include CaaS functionalities.

3.2 CaaS Controller
This is the centralized management system for security provisioning. The CaaS controller coordinates with various distributed policy-aware components to maintain the desired compliance state in a fully automated fashion. The controller continuously polls filtered monitoring data through an event collection framework. It indexes and aggregates the machine-produced data, applies security control contexts and persists the result in the OpenPages repository. It then invokes OpenPages analytics and native algorithms to compute drifts. If components are determined to be out of policy, the controller invokes the OpenPages management plan to remediate the non-compliance. All the compliance state computations are also validated by a metadata-driven controller function called the "Compliance provenance function". The controller also provides sophisticated agentless monitoring of compromised virtual machines for forensic and root cause analysis. Finally, the controller provides functions to formalize knowledge derived from trend analysis and applies that knowledge to predict compliance drift.
3.3 Policy/Plan Translation Framework
Management plans in the OpenPages orchestration framework are annotated with security controls in an abstract manner. In order to remediate a component deemed out of policy, there is a need for a semantic layer which knows the component domain, the domain-specific security control, the domain-specific policy and the domain-specific action to take to bring the component back into compliance. Success of "Compliance as Code" depends on the policy awareness of the cohorts of components that the CaaS controller interacts with. In reality, it is impractical to expect policy awareness from the vast swaths of domain solutions that make up the CaaS solution. Most of the solutions capture policies in the form of static configuration and do not expose any API to manipulate them. This semantic layer therefore also has the function of converting high level OpenPages native policies into XACML format, and then into domain-specific source control configurations.
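As an added illustration of the control loop described in sections 3.2 and 3.3 (example code, not code from the paper or from OpenPages), the following Python script models policy items mapped to abstract security controls, aggregates constructed monitoring events the way the event collection framework would deliver them, computes which components have drifted out of policy, and selects the management plan and the domain-specific configuration change that would remediate each drifted control. All policy, control, plan and configuration names, the sample events and the function names are assumptions made up for this example.

```python
"""Added illustration of the CaaS control loop of sections 3.2 and 3.3.
All policy items, controls, plans, configuration knobs and events below are
constructed for the example; they are not taken from the paper or OpenPages."""
from collections import defaultdict
from dataclasses import dataclass, field

# Declarative policy items (section 3.1) mapped to abstract security controls.
POLICY_TO_CONTROLS = {
    "P-ENCRYPT-AT-REST": ["disk_encryption"],
    "P-PATCH-CURRENT": ["patch_level"],
    "P-NETWORK-SEGMENTED": ["firewall_default_deny", "host_ids"],
}

# Control-to-plan mapping: the management plan to invoke when a control drifts.
CONTROL_TO_PLAN = {
    "disk_encryption": "plan:enable-volume-encryption",
    "patch_level": "plan:apply-security-patches",
    "firewall_default_deny": "plan:push-firewall-policy",
    "host_ids": "plan:install-host-ids-agent",
}

# Domain-specific translation (section 3.3): abstract control -> concrete config knob.
CONTROL_TO_CONFIG = {
    "disk_encryption": ("storage", "volume.encrypt", "true"),
    "patch_level": ("patch_mgmt", "max_missing_critical", "0"),
    "firewall_default_deny": ("firewall", "default_policy", "DROP"),
    "host_ids": ("host_ids", "agent_state", "running"),
}

@dataclass
class DriftReport:
    component: str
    failed_controls: list = field(default_factory=list)
    violated_policies: list = field(default_factory=list)
    plans: list = field(default_factory=list)
    config_changes: list = field(default_factory=list)

def aggregate_events(events):
    """Index the latest observed state of each control per component (latest event wins)."""
    state = defaultdict(dict)
    for e in sorted(events, key=lambda e: e["ts"]):
        state[e["component"]][e["control"]] = e["ok"]
    return state

def compute_drift(state):
    """Return a DriftReport for every component violating at least one policy item.
    A control with no evidence at all is treated as failed (closed-world reading)."""
    reports = {}
    for component, controls in state.items():
        failed, violated = [], []
        for policy, needed in POLICY_TO_CONTROLS.items():
            missing = [c for c in needed if not controls.get(c, False)]
            if missing:
                violated.append(policy)
                failed.extend(m for m in missing if m not in failed)
        if violated:
            r = DriftReport(component, failed, violated)
            r.plans = sorted({CONTROL_TO_PLAN[c] for c in failed})
            r.config_changes = [(component,) + CONTROL_TO_CONFIG[c] for c in failed]
            reports[component] = r
    return reports

# Constructed sample events, shaped like what an event collection framework (3.4) emits.
SAMPLE_EVENTS = [
    {"ts": 1, "component": "vm-101", "control": "disk_encryption", "ok": True},
    {"ts": 2, "component": "vm-101", "control": "patch_level", "ok": True},
    {"ts": 3, "component": "vm-101", "control": "firewall_default_deny", "ok": True},
    {"ts": 4, "component": "vm-101", "control": "host_ids", "ok": True},
    {"ts": 5, "component": "vm-202", "control": "disk_encryption", "ok": True},
    {"ts": 6, "component": "vm-202", "control": "patch_level", "ok": True},
    {"ts": 7, "component": "vm-202", "control": "patch_level", "ok": False},  # later wins
    {"ts": 8, "component": "vm-202", "control": "firewall_default_deny", "ok": True},
    # vm-202 reports no host_ids evidence at all, which counts as drift
]

def run_cycle(events=SAMPLE_EVENTS):
    """One controller cycle: collect, aggregate, compute drift, pick remediation."""
    return compute_drift(aggregate_events(events))

if __name__ == "__main__":
    for comp, r in run_cycle().items():
        print(comp, r.violated_policies, r.plans, r.config_changes)
```

The closed-world choice in compute_drift is deliberate: a control for which no evidence has been collected is reported as drift rather than silently assumed compliant, so a component that has never been scanned surfaces in the report instead of disappearing from it.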
3.4 Event Collection Framework
The Event Collection Framework enables modularized solutions to collect events and alerts from key domains in a common format. The framework also allows defining domain-specific event filters created through a common user interface.
3.5 IaaS Audit Trail
The Software Defined Infrastructure with its "Infrastructure as Code" paradigm introduces such a dynamic environment and scale of operation that the traditional operations model is inadequate to meet the operations requirements. It also redistributes responsibilities from the lower levels of the stack to the platforms and applications. Operations are crucial to success, but operations can only succeed to the extent that they collaborate with developers and participate in the development of applications that can monitor and heal themselves. DevOps is an approach which streamlines interdependencies between development and operations through a set of protocols and tools. DevOps facilitates an enhanced degree of agility and responsiveness through continuous integration, continuous delivery, and continuous feedback loops between development and operations teams. DevOps tools scan an environment to gather infrastructure components and configuration information and make these available to the deployment engine manifests. The deployment engine then manipulates these configurations through a plain text language which, along with deployment artifacts, can easily be version controlled. This provides a powerful framework to make compliance-specific security controls available to policy-aware applications in the form of fully traceable configuration parameters. Since DevOps is at the core of the IaaS framework, audit logging of provisioning activities is automatically supported to provide information for security control.
3.6 PaaS Audit Trail
The Information Technology Infrastructure Library (ITIL) is a framework of best practice approaches intended to facilitate the delivery of high quality information services. In order to facilitate the integration and automation of ITIL best practices, ITIL specifies the use of a Configuration Management Database (CMDB) to leverage a single source of information for all configuration items (CIs) such as computer systems, operating systems, and software installations. The configuration management process includes performing tasks such as identifying configuration items and their relationships, and adding them to the CMDB. The contextual mapping of CIs stored in the CMDB provides the basis for converting the information into a knowledge graph (RDF) based semantic model. This allows us to traverse the relationships to form pattern-based queries and deduce other implicit relationships which may not be stored. This permits meshing an external information graph with the CMDB knowledge graph through entailment. In the presence of partial information (an essential feature of volatile unstructured data) the output is still a consistent RDF model, which can be successfully processed. The CMDB acts as a Trusted Information Management Framework for master configuration data. The Topology and Orchestration Specification for Cloud Applications (TOSCA) ensures the portability of a complex cloud application running on complex software and hardware infrastructures. TOSCA's abstraction level provides a way to describe both applications and infrastructure components at a high level, which enables cloud orchestration that can leverage the CMDB for the infrastructure layer. Assembling and orchestrating virtual images into larger structures, and then relating these to existing infrastructure, produces a useful audit trail which can be mined to unearth process flaws that could lead to non-compliance. Also, through TOSCA's lifecycle support beyond deployment, it is possible to provide historical data to measure topology drift.

4. MAPPING NON-IT BUSINESS CONTROLS TO IT/SECURITY CONTROLS
A dynamic enterprise is comprised of hierarchical functional layers where the business reference model of ideas and goals starts at the top, followed by business functions, business processes, business services, and the IT functional model and its realization at the bottom. Each layer is comprised of cohorts of domain meta models that represent domain scope, functions, and policies. Policies defined at the top layer to guide business goals, ideas and functions become more and more IT-implementation specific as they move towards each successive lower layer.

[Fig 2: Business controls to IT/Security controls. Recoverable labels from the figure: Contract; Enterprise Ontology; Semantic Business Model Inference and Translation Engine; Optimized IT Functional Model; Optimized IT Security Configuration Model; Optimized Enterprise Ontology; Realized IT Model; Discrepancy between Optimized IT Functional Model and Realized IT Model.]

Governance, Risk and Compliance activities in an enterprise rely on measuring the state of compliance of business processes using security controls derived from regulatory policies. These controls could be implemented in a variety of ways. Now, in an ever evolving enterprise, business events arising outside IT may very well change the
consistency, definition and implementation of the security controls (for example, a merger between a business-process-oriented company and a functionally oriented company), leading to outright non-compliance pertaining to business processes, security, etc. Understanding the security compliance behavior through the lens of regulatory policies and within the containment of the business process model and IT-oriented models is not sufficient. We need a way to factor in the impact of business functions, goals, ideas and complex cross-business-area functional and process interactions described in high level business policies to determine the optimized security configuration. Complicating the situation, enterprises also utilize operating agreement contracts with customers which cover security and compliance requirements, in a manner similar to procurement, pricing or SLA specifications. However, the security and compliance requirements introduced by these contracts with enterprise clients are also defined in text which is not easily interpreted into IT requirement policies. As with the other aspects of the contract which have been interpreted with XML formats, the security and compliance feature/requirement set can be automatically extracted via a Compliance as a Service model, which can then be interpreted and applied. When read together, these ideas still present several important gaps:
1. The IT functional model is evaluated against statically defined high level compliance policies to assess impact on low level policies and state of compliance only. Business demand is limited to changing the IT functional model and subsequently the compliance state, which current disclosure suggests correcting through manual changes in low level IT policies.
2. IT-Business alignment is interpreted through the IT functional model only.
3. Criteria for satisfied compliance are based on evidence between IT system policies and documented security requirements (compliance policies) only. There is no notion of an optimized compliance configuration based on tolerance for risk and budget for security defined through contracts and enterprise architecture (ontology).
4. Proposed methods ignore operational goals (sustainability, performance, profitability).
Since there is no iterative correspondence between the enterprise operational universe and the Compliance as a Service solution to negotiate and implement an optimized compliance configuration that balances tolerance for risk and budget for security, we propose a fully automated risk assessment and remediation solution in a "Compliance as a Service (CaaS)" model which dynamically derives the IT functional model from the Enterprise Ontology, which essentially captures organizational goals and the operational universe. The contract model within the Enterprise Ontology decomposes portions of contracts that will require IT commitments into high level policies and dynamically binds them with security requirements.
A semantic representation of the regulations as well as the enterprise reference architecture provides the flexibility and extensibility needed for modeling continuously evolving enterprise domains and compliance regulations, and for capturing the impact of business goals and ideas on determining the state of compliance. Figure 2 depicts a semantic business model inference and translation engine that reasons over the enterprise ontology, constrained by the business model and by control instances derived from contracts or from manual input in the form of business metrics for performance, business metrics on the effect of risk on capital and earnings, business metrics for sustainability, business metrics on tolerance for risk, risk scores and vectors, cost of security, etc., to provide one or more outputs to the user as a report: the degree of performance, an optimized enterprise architecture, an optimized security configuration, an optimized IT functional model, and the discrepancy between the optimized IT functional model and the realized IT model. Figure 3 shows a flow diagram for the iterative computation of the state of compliance using the enterprise ontology, contracts, IT functional model, etc.

[Fig 3: Enterprise Ontology and policy generation. Flow steps recoverable from the figure (numbered 100-160 and 200-280 in the figure): Start; Org Profile (Rules, Services, Costs; Processes, Services, Activities, Roles, Goals, Technology); Enterprise profile and rule based contract content analysis; Analysis based visualization of IT relevant parameters; IT professional contract modification via visualization assistant; Create IT instance from IT functional, security requirement and implementation model; Generate and manage high level operational policies; Additional revision from other parties; Generate deal specific artifacts (IT implementation details, project specific policies, IT security and compliance requirements); Read Enterprise Ontology; Read Contract Model; Map portions of contracts to appropriate business semantics (process, activities, roles, goals, technologies etc.); Disambiguate contextual references, map policy to security controls; Derive IT functional model; Annotate security controls with security requirements, generate low level policies; Deploy and collect evidence; Compute; Drift? (No: create revised version of contract with known, accepted IT parameters); Stop.]
In Figure 3, contract analytics, taking as input domain expert help, the Enterprise Ontology (enterprise profile, services, rules) and parameterized operational criteria (sustainability, performance, profitability), e.g. costs, tolerance for security and budget for security, decomposes the portions of contracts that will require IT commitments into high level policies and requirements (100, 101, 120, 130, 140, 150, 160). An IT functional model is dynamically derived with the help of the Enterprise Ontology and the artifacts generated from contract analytics. The IT functional model dynamically binds with security requirements and security implementations and generates deployable policies. The policies are deployed and evidence is collected. The evidence is computed and compared against parameterized enterprise operational goals and requirement thresholds. If drift is detected, then modification of contractual items and the Enterprise Ontology is suggested. The process iterates until the measures fall within a defined tolerance for the threshold (200, 210, 220, 230, 240, 250, 260, 270, 280).
5. ONTOLOGY BASED COMPLIANCE VALIDATION EXAMPLE
Security incidents with data breach present a wide array of legal problems for victim companies. The data breach notification laws pertaining to the definition of personal information, identification of notification triggers, method of notification, content of notification, determination of time and acceptable delays, etc. vary widely across states. A meta model for compliance validation and evaluation, i.e. a Compliance-Ontology, is proposed, based on which regulation constraints can be modeled into OWL axioms and SWRL rules. An activity (Data-Sensitivity-Assessment-Activity) from the Data Breach Notification Process Flow has been used to show how state statute provisioned regulatory constraints are applied to validate activity result compliance. This meta model is influenced by "Ontology-based semantic modeling of regulation constraint for automated construction quality compliance checking" (Zhong, Ding, et al. 2012). The Compliance Checking Ontology serves as a meta model, defining the concepts and relations related to IT Security regulatory compliance checking. The Analysis-Task class is the central concept in this Ontology. An Analysis-Task is set according to the specific regulation constraint. An Analysis-Task can be related to the Analysis-Object through the "hasAnalysisObject" property, which indicates that the Analysis-Object will be inspected to make sure of its compliance with the relevant regulation constraints through the execution of the Analysis-Task. The Analysis-Object refers to any concept governed by regulations and indicates what is to be inspected; in the case of the IT Security compliance to regulatory requirements domain, the entities include identification, evaluation and remediation processes (activities and procedures), the data security products, and the resources used in analysis. An Analysis-Object may include
a set of violation analysis items. These analysis items can be identified from the regulation provisions. For example, the NYS Information Security Breach and Notification Act is comprised of section 208 of the State Technology Law and section 899-aa of the General Business Law. Section 899-aa states that "(c) "Breach of the security of the system" shall mean unauthorized acquisition or acquisition without valid authorization of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business. Good faith acquisition of personal information by an employee or agent of the business for the purposes of the business is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure. In determining whether information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person or a person without valid authorization, such business may consider the following factors, among others: (1) Indications that the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing information … (d) "Consumer reporting agency" shall mean any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports. 2. Any person or business which conducts business in New York state, and which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization." From this, the analysis items include determination of personal information, identification of notification triggers, method of notification, content of notification, determination of time and acceptable delays, and so on, all of which vary widely across states. Furthermore, an Analysis-Task needs a set of Analysis-Item-Checking-Actions to test and collect the conformance information/data for the analysis items. Each Analysis-Item-Checking-Action has a Checking-Result, which represents the actual violation/conformance/compliance information collected. Similarly, an Analysis-Task needs a set of Evaluation-Tasks to evaluate the provenance of those analysis items in accordance with the Evaluation-Criteria. The Evaluation-Criteria are imposed by the regulation provisions or set by the domain experts. Based on the Checking-Result and the Evaluation-Criteria, the
Evaluation-Task can be done to judge whether the analysis items are compliant with the regulation constraints. Each Evaluation-Task has an Evaluation-Result, which together constitute the Analysis-Report. The Analysis-Report of a particular Analysis-Task for the corresponding Analysis-Object can be documented based on the Evaluation-Results of all the inspection items. In the Compliance Ontology, the Regulation-Constraint constitutes the main analysis knowledge, since the focus is regulation-based compliance analysis. Each constraint comes from the corresponding provision text in regulations. The relation "hasRegulation" associates the constraint with the provision text from which the constraint is extracted. Meanwhile, an Analysis-Task must be assigned to a Position as its responsibility, who performs the Analysis-Item-Checking-Action and the Evaluation-Task to accomplish the Analysis-Task. In addition, many parameters, such as business process parameters, IT functional and realization parameters, user behavioral parameters and so on, are used to depict the compliance features/state in the IT security regulatory compliance domain. As shown in Fig. 3, the Analysis-Object can be the IT functional model, IT Security Model, IT Configuration model, IT Security products, business processes, or user activities and so on. Here, each main concept indicates one facet of the analysis objects, and can be modeled as the IT Security process ontology. In the Compliance Ontology, the Analysis-Object concepts (enveloped with the dashed line, as shown in Fig. 3) are also the concepts of the IT Security process model. Through the Analysis-Object concept, the Compliance Ontology for compliance checking can interact with the IT Security process model; the meta model provides general and common terms and relations common to the domain of IT Security compliance checking against regulatory requirements.
Based on the meta model, the specific domain model for security compliance checking can be obtained by specializing and instantiating the generic concepts and relations in the meta model. Since the meta model is not limited to any specific IT Security domain, it can be reused independently of any specific security implementation. Based on the meta model and the ontology, the constraint knowledge imposed by the regulations can be clearly and unambiguously defined such that it may potentially be interpreted by a machine. Here, sensitive data breach notification process compliance analysis is presented as a demonstration example. Based on the Compliance-Ontology, regulation constraints can be modeled into OWL axioms and SWRL rules. An activity (Data-Sensitivity-Assessment-Activity) from the Data Breach Notification Process Flow has been used to show how state statute provisioned regulatory constraints are applied to validate activity result compliance.
[Fig 4: Compliance checking Ontology. Classes recoverable from the figure: Regulation, Regulation-Constraint, Deontic-Constraint, Parameter, Analysis-Task, Analysis-Object (Process Model: resource, product, activity), Analysis-Item-Checking-Action, Checking-Result, Evaluation-Task, Evaluation-Criteria, Evaluation-Result, Compliance-Report, Role. Properties: hasReference, isRegulatedBy, hasAnalysisItem, hasAnalysisCriteria, hasAnalysisTask, hasEvaluationTask, hasEvaluationCriteria, hasCheckingResult, hasEvaluationResult, hasAnalysisReport, performAnalysis, performEvaluation, isResponsibilityOf, isComposedOf, include, Analysis2Evaluation, ComplianceCheckingAction.]

[Fig 5: Data breach notification process flow. Data Breach Notification Analysis Process activities linked by hasActivity and isDirectlyBefore: …, Data-Sensitivity-Assessment-Activity, Incident-Investigation-Activity, …, Restore-System-Security-Activity, Notification-Activity, …. Incident parameters used in the flow (isUsedIn): State, to determine state statutes pertaining to the definition of personal information, determination of notification triggers, content of notification, etc.; Incident-timestamp, to determine acceptable delay.]
Axiom A1, "Analysis-Task hasAnalysisItemComplianceCheckingAction only Analysis-Item-Checking-Action", and Axiom A2, "Analysis-Task hasAnalysisItemComplianceCheckingAction min 1", can be expressed in OWL format.
[Fig 6: Compliance Checking Ontology and Data Breach (ontology layer and instance layer). Ontology layer: Compliance-Ontology, Regulation, Regulation-Constraint, Analysis-Object, Analysis-Task, Role, Analysis-Item-Checking-Action, Checking-Result, Evaluation-Task, Evaluation-Result, Compliance-Report. Instance layer: Title 15, United States Code; Law Enforcement Criteria Constraint; Acceptance Standard Evaluation; Investigation Personnel; John Doe; Data-Breach-Notification-Analysis-task1; Data-Security-task1; Data-Sensitivity 1; Data-Sensitivity-Checking-Action_1; Data-Sensitivity-Checking-Result_1; Evaluation-Action_1; Analysis-Report1. Relations: isRegulatedBy, hasAnalysisItem, isComposedOf, ComplianceCheckingAction, Checking2Evaluation, ComplianceEvaluationAction, hasComplianceEvaluationResult.]

Based on the Compliance Ontology and the IT Security process, each compliance analysis task can be modeled as an ontology instance. Fig. 5 shows the Compliance Ontology instance for sensitive data breach notification process compliance checking. In order to make the ontology knowledge understandable to both machines and human beings, the ontology knowledge is described in OWL. OWL is a W3C recommended language for ontology representation on the semantic web. It offers a relatively high level of expressivity while still being decidable. In addition, OWL, as a formal language with description logic based semantics, enables automatic reasoning about inconsistencies of concepts, and provides RDF/XML syntax to represent ontology knowledge.

5.2 Constraints
The constraint "Personal Information must contain consumer's name and at least one of the following information: Social Security Number, Driver's License Number or State Identification Card Number, Credit card number, debit card number, account number and any codes or password (from State Data Breach Notification Law)" can be modeled in the following Axiom A:
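As an added example (not the authors' OWL file or SWRL rules), the following Python checker applies the two quoted axioms A1 and A2 and the personal-information constraint of section 5.2 to a constructed instance graph modelled on Fig 6. The Graph class, the check functions, the hasField and hasConsumerName properties, the Data-Record class and the record names are assumptions made for this example; the list of sensitive identifiers follows the quoted constraint. The checks deliberately read the axioms closed-world: a standard OWL reasoner works open-world and would not report an Analysis-Task with no recorded checking action as violating A2 (it would assume an unstated action exists), whereas a compliance check needs exactly that violation surfaced.

```python
"""Added example: closed-world checker for axioms A1 and A2 of section 5 and the
personal-information constraint of section 5.2. Instance data, class and property
names beyond those quoted in the paper, and all functions are constructed here."""

class Graph:
    """Minimal in-memory triple store with rdf:type lookups (constructed helper)."""
    def __init__(self):
        self.triples = set()
    def add(self, s, p, o):
        self.triples.add((s, p, o))
    def objects(self, s, p):
        return {o for (s2, p2, o) in self.triples if s2 == s and p2 == p}
    def types(self, s):
        return self.objects(s, "rdf:type")
    def instances_of(self, cls):
        return {s for (s, p, o) in self.triples if p == "rdf:type" and o == cls}

def check_a1(g, prop="hasAnalysisItemComplianceCheckingAction",
             cls="Analysis-Task", range_cls="Analysis-Item-Checking-Action"):
    """Axiom A1: every value of prop on an Analysis-Task must be typed
    Analysis-Item-Checking-Action (owl:allValuesFrom, read closed-world).
    Returns the (task, offending value) pairs."""
    bad = []
    for task in g.instances_of(cls):
        for action in g.objects(task, prop):
            if range_cls not in g.types(action):
                bad.append((task, action))
    return sorted(bad)

def check_a2(g, prop="hasAnalysisItemComplianceCheckingAction", cls="Analysis-Task"):
    """Axiom A2: each Analysis-Task has at least one checking action (owl:minCardinality 1).
    Returns the tasks with none recorded."""
    return sorted(t for t in g.instances_of(cls) if not g.objects(t, prop))

# Identifiers named in the section 5.2 constraint; any one of them together with the
# consumer's name makes a record Personal Information under the quoted definition.
SENSITIVE_FIELDS = {"ssn", "drivers_license", "state_id", "credit_card",
                    "debit_card", "account_number", "access_code", "password"}

def is_personal_information(g, record):
    """SWRL-style rule: hasConsumerName(r) AND hasField(r, f) AND f in SENSITIVE_FIELDS
    -> PersonalInformation(r). Returns the matching sensitive fields (empty = not PI)."""
    if not g.objects(record, "hasConsumerName"):
        return set()
    return g.objects(record, "hasField") & SENSITIVE_FIELDS

def data_sensitivity_assessment(g):
    """The Data-Sensitivity-Assessment-Activity over every Data-Record: classify each
    record and return a Checking-Result per record."""
    report = {}
    for rec in sorted(g.instances_of("Data-Record")):
        hits = is_personal_information(g, rec)
        report[rec] = {"personal_information": bool(hits), "matched": sorted(hits)}
    return report

def build_sample_graph():
    """Constructed instance data modelled on Fig 6 (not the paper's RDF)."""
    g = Graph()
    g.add("Analysis-task1", "rdf:type", "Analysis-Task")
    g.add("Analysis-task1", "hasAnalysisItemComplianceCheckingAction",
          "Data-Sensitivity-Checking-Action_1")
    g.add("Data-Sensitivity-Checking-Action_1", "rdf:type", "Analysis-Item-Checking-Action")
    # A task whose "action" is mistyped, and a task with no action: both must be flagged.
    g.add("Analysis-task2", "rdf:type", "Analysis-Task")
    g.add("Analysis-task2", "hasAnalysisItemComplianceCheckingAction", "Evaluation-Action_1")
    g.add("Evaluation-Action_1", "rdf:type", "Evaluation-Task")
    g.add("Analysis-task3", "rdf:type", "Analysis-Task")
    # Data records under assessment (field names are constructed).
    for rec, fields in {"rec-1": {"email", "ssn"}, "rec-2": {"email", "zip"},
                        "rec-3": {"credit_card", "password"}}.items():
        g.add(rec, "rdf:type", "Data-Record")
        for f in fields:
            g.add(rec, "hasField", f)
    g.add("rec-1", "hasConsumerName", "true")
    g.add("rec-2", "hasConsumerName", "true")
    # rec-3 carries identifiers but no consumer name, so it is not PI under the definition.
    return g

if __name__ == "__main__":
    g = build_sample_graph()
    print("A1 violations:", check_a1(g))
    print("A2 violations:", check_a2(g))
    print(data_sensitivity_assessment(g))
```

Each function returns its findings rather than only printing them, so the same checks can feed a Checking-Result or Compliance-Report object in a larger pipeline; rec-3 shows why the conjunction in the quoted definition matters, since identifiers without a consumer name do not by themselves trigger the notification analysis.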