Marco Casassa Mont
Trusted Systems Lab, HP Labs, Bristol, UK
Privacy Policy Enforcement in Enterprises:
Addressing Regulatory Compliance and Governance Needs
Presentation Outline
• Privacy for Identity Management: Setting the Context
• Important Privacy Aspects to be Addressed:
  • Privacy Policy Enforcement
  • Privacy Obligation Management
• HP Identity Management Portfolio:
  • HP Select Access, HP Select Identity, HP Select Federation
  • Current Support for Privacy
• HP Labs Privacy Management work:
  • Privacy Policy Enforcement for HP Select Access
  • Obligation Management System and Integration with HP Select Identity
• Conclusions
Privacy: An Important Aspect of Regulatory Compliance
PRIVACY: Regulations (incomplete list …) feed into Regulatory Compliance (example of process).

Impact on Enterprises and Opportunities
Drivers: Privacy Legislation (EU Laws, HIPAA, COPPA, SOX, GLB, Safe Harbour, …), Customers' Expectations, Internal Guidelines
ENTERPRISE: Personal Data, Applications & Services, PEOPLE
Outcomes: Regulatory Compliance, Customers' Satisfaction, Positive Impact on Reputation, Brand, Customer Retention
Privacy Management: Part of Data Governance
Management cycle: Policy Development and Modelling, Data Inventory, Gap and Risk Analysis, Policy Deployment, Policy Enforcement, Monitoring, Audit, Reporting and Policy Management.
Applied to: Confidential/Personal Data; Systems/Applications/Services; People/Roles.
Privacy For Personal Data: Core Principles
Privacy Policies cover:
• Purpose Specification
• Consent
• Limited Collection
• Limited Use
• Limited Disclosure
• Limited Retention
These translate into Privacy Rights, Privacy Permissions and Privacy Obligations.
Terminology: Consent, Intent, Data Purpose, Privacy Policy
• Data Subject: CONSENT is given by data subjects for the usage of their Personal Data (PII) for predefined PURPOSES. The ENTERPRISE holds Personal Data (PII) + Consent in its Applications & Services.
• Privacy Office & Privacy Admins: define the PURPOSES data are collected for and the PRIVACY POLICIES, i.e. how data must be managed and what can be accessed by requestors, given their INTENT, the PURPOSE of collecting the data and the CONSENT given by data subjects.
• Data Requestors: to access personal data they need to express their INTENT, i.e. how they intend to use these data (Request for DATA + INTENT).
Terminology: Privacy Policy
Flow: the Data Subject provides Personal Data + Consent; a Data Requestor submits a Request for DATA + INTENT; Privacy Policy Enforcement returns only the Actual Accessed Data.
Privacy Policies:
• Check Requirements (intent against data purposes and consent, etc.)
  - Failure (no access): actions such as Audit, Notification, …
  - Success: actions such as Audit, Notification, …
• Dictate Access Constraints: Partial Data Access (filter data), Data Transformation/Encryption, Data Subject's Constraints, …
Privacy Enforcement for Personal Data: Principles and Implications
ENTERPRISE Privacy Policies (Purpose Specification, Consent, Limited Collection, Limited Use, Limited Disclosure, Limited Retention) have Privacy Enforcement implications: Access Control Implications.
Privacy Enforcement on Data: Access Control + "Intent, Purpose, Consent, …"
It is not just a matter of traditional access control: need to include data purpose, intent and user's consent. Moving towards a "Privacy-Aware" Access Control.
Traditional Access Control: Requestor, Actions, Rights, applied to Personal Data.
Privacy-Aware Access Control = Access Control + Privacy Extension: Requestor, Actions, Rights, plus Purpose, Requestor's Intent, Owner's Consent, Constraints, Other …, applied to Personal Data.
Example: Privacy-aware Access Control (Consent, Purpose and Intent Management)

Table T1 with PII data:

  uid | Name  | Condition          | Diagnosis
  1   | Alice | Alcoholic          | Cirrhosis
  2   | Rob   | Drug Addicted      | HIV
  3   | Julie | Contagious Illness | Hepatitis

Table T2 with customers' consent: Consent (uid) | Marketing | Research. The individual consent marks are not recoverable from the slide; uids 1 and 3 have given Marketing consent, as the filtered result below shows.

Enterprise Privacy Policies & Customers' Consent:

  If role == "empl." and intent == "Marketing" Then Allow Access (T1.Condition, T1.Diagnosis) & Enforce (Consent)
  Else If intent == "Research" Then Allow Access (T1.Diagnosis) & Enforce (Consent)
  Else Deny Access

Access request to table T1 (SELECT * FROM T1) with Intent = "Marketing".

Privacy Policy Enforcement: filter data. The query actually executed against T1 and T2 is:

  SELECT T1.uid, '-' AS Name, Condition, Diagnosis FROM T1, T2 WHERE T1.uid = T2.Consent AND T2.Marketing = 'YES'

Filtered data:

  uid | Name | Condition          | Diagnosis
  1   | -    | Alcoholic          | Cirrhosis
  2   | -    | -                  | -
  3   | -    | Contagious Illness | Hepatitis

Name is masked for everyone; uid 2 has not consented to Marketing, so Rob's Condition and Diagnosis are withheld as well.
Implicit Approach to Enforce Privacy Policies: No Flexibility
Implicit Privacy Policy Definition and Enforcement:
• Embed privacy policies within applications, queries, services/ad-hoc solutions (privacy policies mixed with business logic in the Applications & Services accessing Personal Data)
• Simple approach
• It does not scale in terms of policy management
• It is not flexible and adaptive to changes

Explicit Approach to Enforce Privacy Policies: Vertical and Invasive
Explicit Privacy Policy Definition and Enforcement:
• Fully deployed Privacy Management Frameworks
• Explicit management of privacy policies
• Might require major changes to IT and data infrastructure
• Usage of vertical solutions

HP Approach: Adaptive, Integrated and Flexible Enforcement of Privacy Policies
Between the implicit and explicit approaches:
• Single solution for explicit management of privacy policies
• Privacy enforcement by leveraging and extending the HP Select Access access control framework, with an easy-to-use management UI
• Does not require major changes to applications/services or data repositories

Summary of Requirements
• Modelling of personal data
• Explicit definition, authoring and management of privacy policies
• Extensible privacy policies
• Explicit deployment and enforcement of privacy policies
• Integration with traditional access control systems
• Simplicity of usage
• Support for audit
Privacy Obligation Refinement: Abstract vs. Refined
Obligations can be very abstract: "Every financial institution has an affirmative and continuing obligation to respect customer privacy and protect the security and confidentiality of customer information" (Gramm-Leach-Bliley Act).
More refined privacy obligations dictate responsibilities with respect to personal information:
• Notice requirements
• Enforcement of opt-in/opt-out options
• Limits on reuse of information and information sharing
• Data retention limitations …
Privacy Obligations: A Complex Topic …
Examples: "Delete Data XYZ after 7 years"; "Notify User via e-mail if his Data is Accessed".
Dimensions of privacy obligations:
• Duration: Short-term / Long-term
• Enforcement: One-time / Ongoing
• Context: Dependent on Access Control / Independent from Access Control
• Setting: Data Subject / Enterprise
• Types: Transactional Data; Retention & Handling; Other Event-driven Obligations
"How to represent Privacy Obligations? How to stick them to Personal Data? How to manage, enforce and monitor them? How to integrate them into current IDM solutions?"
Privacy Obligations: Common Aspects
• Timeframe (period of validity) of obligations
• Events/Contexts that trigger the need to fulfil obligations
• Target of an obligation (PII data)
• Actions/Tasks/Workflows to be enforced
• Responsible for enforcing obligations
• Exceptions and special cases
Technical Work in this Space [1/2]
Current approaches to deal with privacy obligations:
- P3P (W3C): definition of user's privacy expectations; explicit declaration of enterprise promises; no definition of mechanisms for their enforcement
- Data retention solutions and document management systems: limited in terms of expressiveness and functionality; focusing more on documents/files than on personal data
- Ad-hoc solutions for vertical markets

Technical Work in this Space [2/2]
Recent relevant work done in this space:
- IBM Enterprise Privacy Architecture, including a policy management system, a privacy enforcement system and audit
- Initial work on privacy obligations in the context of the Enterprise Privacy Authorization Language (EPAL), led by IBM
- XACML: similar standard proposal
- In both: no refined model of privacy obligations; privacy obligations subordinated to access control, which is incorrect …
Privacy Obligations: Suggested Approach
• Deal with privacy obligations as "first-class citizens" in the context of enterprises and organisations; recognise their importance for regulatory compliance
• Recognise the importance of separation of concerns: explore how to explicitly represent, manage and enforce privacy obligations without imposing any dominant view (for example, the authorization perspective)
• Research and work on longer-term issues, such as accountability, stronger associations of obligations to data, obligation versioning and tracking

Summary of Requirements
• Explicit modelling and representation of privacy obligations
• (Strong) association of obligations to data
• Mapping obligations into enforceable actions
• Compliance of refined obligations to high-level policies
• Tracking the evolution of obligation policies
• Dealing with long-term obligation aspects
• Accountability management and auditing
• Monitoring obligations
• User involvement
• Handling complexity and cost of instrumenting applications and services
HP OpenView Identity Management
HP Select Access: Authentication; Policy-based Access Control; Single Sign-On; Web Services Security & Access Management; Personalization
HP Select Identity: Cross-enterprise user life-cycle management; Provisioning; Workflow; Password management; Self Service; Delegated administration
HP Select Federation: Open protocol federation; Automated inter-organizational user activation & provisioning; Privacy management; Federation auditing & governance
Identity life cycle (Accounts & Policies): Registration/Creation, Propagation, Maintenance/Management, Termination
Services: Authentication, Authorization, Single Sign-On, Personalization, Compliance, Privacy, Federation
HP IDM Solutions: HPL Privacy Extensions
Capability matrix of HP Select Access, HP Select Identity and HP Select Federation; each cell is marked Supported, Can Be Extended, Not Relevant or HPL Work (the marks are not recoverable from the slide):
• Data Modelling & Management
• Privacy-aware Policy Authoring
• Privacy-aware Policy Deployment
• Privacy-aware Policy Enforcement (Access Control)
• Obligation Management & Enforcement
• Audit & Reporting
• Federated Environments
Privacy Enforcement in HP Select Access
Select Access (SA) components: Policy Builder (authoring of Access Control Policies, stored in the Policy Repository); Validator (Policy Decision: Access Request in, Grant/Deny out, with Audit); Enforcer Plug-ins in front of Web Services, Applications, Services, …
HPL Plug-ins extend each stage to cover Personal Data + Owners' Consent:
• Policy Builder: Data Modelling & Privacy Policy Authoring (+ Privacy Policies: intent, purpose, consent, constraints …)
• Validator: Privacy Policy Deployment & Decisions (Privacy-aware Access Request in, Privacy-aware Decision out)
• HPL Data Enforcer: Privacy Policy Enforcement on Personal Data (Requestor's Intent + Request to Access Data in, Privacy-aware Access to Data out)
Select Access: Privacy Extension [1/4]
1. Modelling Data Resources in SA Policy Builder: Data Resources added to Policy Builder.

Select Access: Privacy Extension [2/4]
2. Author Privacy Policies in SA Policy Builder via SA plug-ins (Rule Editor):
• Add Privacy Constraints on "Data Resources": checking Intent vs. Purpose, Consent, etc.
• Describe policies the evaluation of which is: "Allow Access to Data + Privacy Constraints to be Enforced"
Privacy Constraints: filtering data, enforce consent, obfuscating data, transformation of data …
Plug-ins: Purpose-based Decision plug-in, Data Filtering plug-in, Consent Management plug-in, Data Expiration plug-in.

Select Access: Privacy Extension [3/4]
3. Privacy decisions by SA Validator (PDP):
• Validator plug-in makes decisions based on Privacy Policies (1-1 correspondence with the Policy Builder plug-in)
• Decisions must support privacy-oriented constraints (to be enforced): "Allow Access to Data + Constraints to be Enforced" (e.g. allow access to table "Patients Details", but strip out the columns "Name, Surname, Address")
• The SA Validator is general purpose. It does not examine confidential data, for performance/logistic reasons.
Request to the SA Validator plug-in: Data Resource + Intent + (Parameters). Decisions: NO; YES; YES + Constraints.

Select Access: Privacy Extension [4/4]
4. Privacy Constraints enforced by a Data Enforcer …
The SA Web Enforcer focuses on Web Resources. It does not explicitly deal with Data Resources …
Add an SA "Data Enforcer":
• located near the data repository (performance …)
• knows how to access/handle data and "queries"
• knows how to enforce privacy constraints
• can support "query rewriting" (i.e. filtering, etc.)
The new SA "Data Enforcer" (Data Proxy) is designed to have:
• a general purpose engine (Logic) that interacts with the SA Validator (Access Request + Intent in, Data allowed to access out)
• ad-hoc plug-ins, each with a Constraint Enforcement Engine, for different data sources to interpret and enforce privacy decisions (e.g. RDBMS, LDAP servers, virtual directories, meta-directories, …), behind an Enforcer API
Data Enforcer: SQL Query Transformation
Original SQL query:

  SELECT * FROM PatientRecords;

SQL query transformed by the Data Enforcer (pre-processing): columns the requestor may not see are replaced by the literal '-', and the join with PrivacyPreferences restricts the result to patients who consented to Marketing:

  SELECT PatientRecords.NAME, PatientRecords.DoB, PatientRecords.GENDER, '-' AS SSN,
         PatientRecords.ADDRESS, PatientRecords.LOCATION, PatientRecords.EMAIL,
         PatientRecords.COMM, PatientRecords.LIFESTYLE, '-' AS GP, '-' AS HEALTH,
         '-' AS CONSULTATIONS, '-' AS HOSPITALISATIONS, '-' AS FAMILY, '-' AS Username
  FROM PatientRecords, PrivacyPreferences
  WHERE PatientRecords.Name = PrivacyPreferences.Name
    AND PrivacyPreferences.Marketing = 'Yes';
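The T1/T2 example earlier and the PatientRecords transformation above show the same mechanism: the Validator answers "YES + Constraints" and the Data Enforcer rewrites the query before it reaches the database. The following Python is an added worked example written for this page, not HP Select Access code: a toy PDP (`decide`), a query rewriter (`rewrite`) and a sample SQLite database with the T1/T2 tables from the slides. The policy encoding, the T2 consent values and the function names are assumptions. Unlike the slide's transformed query, which joins PatientRecords and PrivacyPreferences on Name, it joins on uid: a name is not a reliable key for consent lookups.

```python
"""Privacy-aware access control in code: a policy decision point that answers
NO / YES / YES + constraints, and a data enforcer that rewrites "SELECT * FROM T1"
into a consent-filtered, column-masked query. Hypothetical example for this page,
not HP Select Access code."""
import sqlite3
from dataclasses import dataclass, field
from typing import List, Optional

# The policy from the slides, as data (assumed encoding). A role of None means "any role".
POLICY = [
    {"role": "empl", "intent": "Marketing", "columns": ["Condition", "Diagnosis"], "consent": "Marketing"},
    {"role": None,   "intent": "Research",  "columns": ["Diagnosis"],              "consent": "Research"},
]
T1_COLUMNS = ["uid", "Name", "Condition", "Diagnosis"]   # schema of the PII table


@dataclass
class Decision:
    allow: bool
    columns: List[str] = field(default_factory=list)   # columns the requestor may see
    consent: Optional[str] = None                       # T2 flag that must be 'YES' per data subject


def decide(role: str, intent: str) -> Decision:
    """PDP (the Validator plug-in): match the requestor's role and intent against the policy."""
    for rule in POLICY:
        if (rule["role"] is None or rule["role"] == role) and rule["intent"] == intent:
            return Decision(True, rule["columns"], rule["consent"])
    return Decision(False)


def rewrite(decision: Decision) -> str:
    """Data enforcer: build the privacy-constrained query. Columns outside the decision are
    replaced by the literal '-'; the join with T2 keeps only subjects who opted in.
    Column names come from the policy (trusted), never from the requestor, so building
    the SQL string here does not open an injection path."""
    if not decision.allow:
        raise PermissionError("access denied")
    projected = []
    for col in T1_COLUMNS:
        if col == "uid" or col in decision.columns:
            projected.append(f"T1.{col}")
        else:
            projected.append(f"'-' AS {col}")
    return (f"SELECT {', '.join(projected)} FROM T1 JOIN T2 ON T1.uid = T2.Consent "
            f"WHERE T2.{decision.consent} = 'YES' ORDER BY T1.uid")


def query(conn: sqlite3.Connection, role: str, intent: str):
    """What the requestor actually gets back for 'SELECT * FROM T1' under this role/intent."""
    return conn.execute(rewrite(decide(role, intent))).fetchall()


def sample_db() -> sqlite3.Connection:
    """Constructed sample data: T1 as on the slide; the T2 consent flags are assumed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE T1 (uid INTEGER PRIMARY KEY, Name TEXT, Condition TEXT, Diagnosis TEXT);
        CREATE TABLE T2 (Consent INTEGER PRIMARY KEY, Marketing TEXT, Research TEXT);
        INSERT INTO T1 VALUES (1, 'Alice', 'Alcoholic', 'Cirrhosis'),
                              (2, 'Rob', 'Drug Addicted', 'HIV'),
                              (3, 'Julie', 'Contagious Illness', 'Hepatitis');
        INSERT INTO T2 VALUES (1, 'YES', 'NO'), (2, 'NO', 'YES'), (3, 'YES', 'YES');
    """)
    return conn


if __name__ == "__main__":
    db = sample_db()
    for role, intent in [("empl", "Marketing"), ("empl", "Research"), ("empl", "Billing")]:
        try:
            print(intent, "->", query(db, role, intent))
        except PermissionError as err:
            print(intent, "->", err)
```

With intent "Marketing" the rewritten query returns only Alice and Julie with Name masked; with intent "Research" only Diagnosis survives and the consent join now selects Rob and Julie instead; an intent the policy does not know is refused outright rather than falling through to the unfiltered table.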
Data Enforcer: Performance Based on Type of Queries
[Chart: Time (s), 0 to 40, against Number of Records (100K to 500K), for three series: Original SQL Query; Transformed SQL Query Without Data Enforcer; Transformed SQL Query With Data Enforcer.]
Demo: HealthCare Scenario
Components: User's Web Browser; Web Portal with SA Web Enforcer; Web Services accessing PII data (SQL); SA Data Enforcer (JDBC Proxy) in front of the Personal Data Database; SA Validator + Privacy plug-ins; SA Policy Builder + Privacy plug-ins; LDAP Directories.

Demo Snapshot
Effect of applying the privacy policy (data filtering) and effect of enforcing customers' consent.
Benefits
Integration of:
- Resource management: data, IT resources, web resources, …
- Management of access control and privacy policies
- Policy authoring and administration GUI
- Policy deployment and enforcement framework
Rationalization and simplification of policy management and enforcement solutions

Next Steps
• Planned HP productisation of Privacy Enforcement for HP Select Access
• HP Labs interested in collaborations for joint technology trials
Obligation Management System (OMS): Model
Within the ENTERPRISE, Data Subjects and Administrators set Privacy Obligations on Personal Data (PII). The Obligation Management Framework provides Obligations Scheduling, Obligations Enforcement and Obligations Monitoring.
Privacy Obligations: Modelling and Representation
A Privacy Obligation consists of:
• Obligation Identifier
• Targeted Personal Data: references to stored PII data, e.g. database query, LDAP reference, etc.
• Triggering Events: one or more events that trigger different actions, potentially involving changes to PII data, e.g. time-based events
• Actions: e.g. Delete PII, Notify
• Additional Metadata (future extensions)
Privacy Obligations: Format Example

<obligation id="gfrbg7645gt45">
  <target>
    <database>
      <dbname>Customers</dbname>
      <tname>Customers</tname>
      <locator>
        <key name="UserID">oid_a83b8a:fdfc44df3b:-7f9c</key>
      </locator>
      <data attr="part">
        <item>creditcard</item>
        <item>firstname</item>
      </data>
    </database>
  </target>
  <obligationitem sid="1">
    <metadata>
      <type>LONGTERM</type>
      <description>Delete [firstname,surname] at Aug 15 17:26:21 BST 2007</description>
    </metadata>
    <events>
      <event>
        <type>TIMEOUT</type>
        <date now="no">
          <year>2007</year><month>08</month><day>15</day><hour>17</hour><minute>26</minute>
        </date>
      </event>
    </events>
    <actions>
      <action>
        <type>DELETE</type>
        <data attr="part">
          <item>creditcard</item>
          <item>firstname</item>
        </data>
      </action>
    </actions>
  </obligationitem>
</obligation>
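An added worked example, not HP Labs OMS code, of the scheduling / enforcement / monitoring model on the obligation format shown: parse the XML, schedule the item on its TIMEOUT event, enforce the DELETE action on the targeted row and verify the outcome. The Customers table layout, the in-memory SQLite store, the audit tuple format and the function names are assumptions made for the example; the obligation id, key and attribute names are those on the slide.

```python
"""Obligation Management System in miniature: parse a privacy obligation in the XML
format above, schedule it on its TIMEOUT event, enforce the DELETE action on the
targeted PII row and monitor/audit the result. Hypothetical example for this page,
not HP Labs OMS code; the Customers table and audit tuples are assumptions."""
import sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime

# The obligation from the slide (description trimmed), embedded so the example runs offline.
OBLIGATION_XML = """<obligation id="gfrbg7645gt45">
  <target><database>
    <dbname>Customers</dbname><tname>Customers</tname>
    <locator><key name="UserID">oid_a83b8a:fdfc44df3b:-7f9c</key></locator>
    <data attr="part"><item>creditcard</item><item>firstname</item></data>
  </database></target>
  <obligationitem sid="1">
    <metadata><type>LONGTERM</type></metadata>
    <events><event><type>TIMEOUT</type>
      <date now="no"><year>2007</year><month>08</month><day>15</day>
        <hour>17</hour><minute>26</minute></date>
    </event></events>
    <actions><action><type>DELETE</type>
      <data attr="part"><item>creditcard</item><item>firstname</item></data>
    </action></actions>
  </obligationitem>
</obligation>"""


def parse_obligation(xml_text: str) -> dict:
    """Obligation identifier, targeted personal data, and per-item events and actions."""
    root = ET.fromstring(xml_text)
    db = root.find("target/database")
    key = db.find("locator/key")
    items = []
    for item in root.findall("obligationitem"):
        event = item.find("events/event")
        d = event.find("date")
        due = datetime(*(int(d.findtext(f)) for f in ("year", "month", "day", "hour", "minute")))
        actions = [(a.findtext("type"), [i.text for i in a.findall("data/item")])
                   for a in item.findall("actions/action")]
        items.append({"sid": item.get("sid"), "event": event.findtext("type"),
                      "due": due, "actions": actions})
    return {"id": root.get("id"), "table": db.findtext("tname"),
            "key_col": key.get("name"), "key": key.text, "items": items}


def due_items(ob: dict, now: datetime) -> list:
    """Scheduler: obligation items whose TIMEOUT has been reached."""
    return [it for it in ob["items"] if it["event"] == "TIMEOUT" and it["due"] <= now]


def enforce(conn: sqlite3.Connection, ob: dict, item: dict) -> list:
    """Enforcer: DELETE with attr="part" nulls the listed attributes of the targeted row.
    Table and column names come from the obligation store, not from users.
    Returns audit records (obligation id, item sid, action, columns, rows affected)."""
    audit = []
    for action, cols in item["actions"]:
        if action != "DELETE":
            raise NotImplementedError(action)   # other action types need their own adaptor
        sets = ", ".join(f"{c} = NULL" for c in cols)
        n = conn.execute(f"UPDATE {ob['table']} SET {sets} WHERE {ob['key_col']} = ?",
                         (ob["key"],)).rowcount
        audit.append((ob["id"], item["sid"], action, tuple(cols), n))
    conn.commit()
    return audit


def monitor(conn: sqlite3.Connection, ob: dict, item: dict) -> bool:
    """Monitoring: re-read the targeted attributes and confirm they are gone."""
    for _action, cols in item["actions"]:
        row = conn.execute(f"SELECT {', '.join(cols)} FROM {ob['table']} "
                           f"WHERE {ob['key_col']} = ?", (ob["key"],)).fetchone()
        if row is None or any(v is not None for v in row):
            return False
    return True


def sample_db() -> sqlite3.Connection:
    """Constructed Customers table holding the row the obligation targets."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (UserID TEXT PRIMARY KEY, firstname TEXT, "
                 "surname TEXT, creditcard TEXT)")
    conn.execute("INSERT INTO Customers VALUES ('oid_a83b8a:fdfc44df3b:-7f9c', "
                 "'Alice', 'Smith', '4111111111111111')")
    conn.commit()
    return conn


def run(conn: sqlite3.Connection, xml_text: str, now: datetime) -> list:
    """One scheduler tick at time `now`: enforce due items, return (sid, compliant) pairs."""
    ob = parse_obligation(xml_text)
    results = []
    for it in due_items(ob, now):
        enforce(conn, ob, it)
        results.append((it["sid"], monitor(conn, ob, it)))
    return results


if __name__ == "__main__":
    db = sample_db()
    print(run(db, OBLIGATION_XML, datetime(2007, 8, 16)))
    print(db.execute("SELECT * FROM Customers").fetchall())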
OMS: High Level System Architecture
Obligation Server: Obligation Scheduler; Obligation Enforcer with Action Adaptors and Workflows; Obligation Store & Versioning; Audit Server.
Obligation Monitoring Service: Monitoring Task Handler; Events Handler; Information Tracker.
Within the ENTERPRISE: Data Subjects set privacy obligations on personal data through a Privacy-enabled Portal; Admins set, enforce and monitor privacy obligations; each obligation carries a Data Reference to the Confidential Data held by Applications and Services.
Privacy Obligation Management System: Use Case – Provisioning Management
Explicit management, enforcement and monitoring of privacy preferences and constraints associated to personal data and digital identities:
• Data Subject: Self Registration and User Account Management (HP Select Identity) collects Personal Data + Privacy Preferences
• User Provisioning: turning privacy preferences into Privacy Obligations handed to the Obligation Management System
• Obligation Management System: Privacy Obligation Enforcement & Monitoring on Enterprise Data Repositories; Obligation Monitoring for Compliance (Audit Logs)

HP Labs (Work in Progress): OMS Integration with HP Select Identity
HP Select Identity (Identity Data): Data Services, Job Processor, Identity BP Services, Context Engine, Context Model, Event Management, API, Data Storage & Management.
HP SI Connector to the Obligation Management System (Privacy Obligations): Setting Obligations; Obligation Handling; Obligation Enforcement; Obligation Monitoring; Events exchanged in both directions.
Benefits
- Integration of user provisioning and data subject's preferences
- Explicit control, enforcement and monitoring of privacy obligations
- Explicitly address data subjects' preferences and laws/enterprise obligations
Rationalization and simplification of management and enforcement of obligations

Next Steps
• Addressing open issues such as obligation life-cycle management, overall efficiency, stickiness of privacy obligations to PII data
• Further research to be done in the context of the EU PRIME project and HPL (HP Select Identity)
• HPL interest in collaborations for joint technology trials
Conclusions
• Privacy Management is an important aspect of IT governance and regulatory compliance
• Important privacy issues that need to be addressed by enterprises:
  – Privacy Policy Enforcement
  – Privacy Obligation Management
• Proof of concepts: HP Labs' Privacy Extension of HP Select Access (to be productised) and the coming extension of HP Select Identity
• HP Labs keen on collaborations for technological trials and on gathering requirements