Marco Casassa Mont, Trusted Systems Lab, HP Labs, Bristol, UK

Privacy Policy Enforcement in Enterprises:
Addressing Regulatory Compliance and Governance Needs

Presentation Outline

• Privacy for Identity Management: Setting the Context
• Important Privacy Aspects to be Addressed:
  • Privacy Policy Enforcement
  • Privacy Obligation Management
• HP Identity Management Portfolio:
  • HP Select Access, HP Select Identity, HP Select Federation
  • Current Support for Privacy
• HP Labs Privacy Management work:
  • Privacy Policy Enforcement for HP Select Access
  • Obligation Management System and Integration with HP Select Identity
• Conclusions


Privacy: An Important Aspect of Regulatory Compliance

(Diagram: privacy regulations, an incomplete list, feed the regulatory compliance process; an example of such a process is shown.)

Impact on Enterprises and Opportunities

Drivers: Privacy Legislation (EU Laws, HIPAA, COPPA, SOX, GLB, Safe Harbour, …), Customers' Expectations, Internal Guidelines.

Outcomes: Regulatory Compliance and Customers' Satisfaction, with a positive impact on Reputation, Brand and Customer Retention.

(Diagram: People provide Personal Data to the Enterprise's Applications & Services.)

Privacy Management: Part of Data Governance

(Diagram: a policy life-cycle applied to Confidential/Personal Data, Systems/Applications/Services and People/Roles.)

• Policy Development and Modelling
• Data Inventory
• Gap and Risk Analysis
• Policy Deployment
• Policy Enforcement
• Monitoring, Audit, Reporting and Policy Management

Privacy for Personal Data: Core Principles

Privacy Policies cover:
• Purpose Specification
• Consent
• Limited Collection
• Limited Use
• Limited Disclosure
• Limited Retention

Related concepts: Privacy Rights, Privacy Permissions, Privacy Obligations.


Terminology: Consent, Intent, Data Purpose, Privacy Policy

• Data Subjects give CONSENT for the usage of their Personal Data (PII) for predefined PURPOSES.
• The Enterprise defines the PURPOSES data are collected for; its Applications & Services hold Personal Data (PII) together with the Consent given.
• Data Requestors, to access personal data, need to express their INTENT, i.e. how they intend to use these data (Request for DATA + INTENT).
• PRIVACY POLICIES define how data must be managed: what can be accessed by requestors, given their INTENT, the PURPOSE of collecting the data and the CONSENT given by data subjects.
• Actors involved: Data Subject, Data Requestors, Privacy Office & Privacy Admins.

Terminology: Privacy Policy

(Diagram: the Data Subject supplies Personal Data and Consent; a Data Requestor sends a Request for DATA + INTENT; the Privacy Policy Enforcement point evaluates the Privacy Policies and returns only the actually accessed data.)

Privacy Policy Enforcement:
• Checks requirements (intent against data purposes and consent, etc.)
• On failure (no access), actions such as: audit, notification, …
• On success, actions such as: audit, notification, …, and dictated access constraints:
  - Partial data access (filter data)
  - Data transformation/encryption
  - Data subject's constraints
  - …

Privacy Enforcement for Personal Data: Principles and Implications

Enterprise Privacy Policies: Purpose Specification, Consent, Limited Collection, Limited Use, Limited Disclosure, Limited Retention.

Privacy Enforcement: Access Control Implications.

Privacy Enforcement on Data: Access Control + "Intent, Purpose, Consent, …"

It is not just a matter of traditional access control: enforcement needs to include data purpose, intent and the user's consent. This means moving towards a "Privacy-Aware" Access Control.

Traditional Access Control: Requestor, Actions, Rights → Personal Data.

Privacy-Aware Access Control (Access Control + Privacy Extension): Requestor, Actions, Rights, plus Purpose, Requestor's Intent, Owner's Consent, Constraints, Other … → Personal Data.

Example: Privacy-aware Access Control with Consent, Purpose and Intent Management

Table T1 holds PII data; table T2 holds customers' consent.

Enterprise Privacy Policies & Customers' Consent:
  If role == "empl." and intent == "Marketing" Then Allow Access (T1.Condition, T1.Diagnosis) & Enforce (Consent)
  Else If intent == "Research" Then Allow Access (T1.Diagnosis) & Enforce (Consent)
  Else Deny Access

T1 (PII data):
  uid | Name  | Condition          | Diagnosis
  1   | Alice | Alcoholic          | Cirrhosis
  2   | Rob   | Drug Addicted      | HIV
  3   | Julie | Contagious Illness | Hepatitis

T2 (customers' consent): one row per uid (column "Consent"), with an "x" under each purpose (Marketing, Research) the customer consented to. From the filtered result below, Marketing consent is present for uids 1 and 3 but not for uid 2.

Steps: (1) a request to access table T1 (SELECT * FROM T1) arrives with Intent = "Marketing"; (2) Privacy Policy Enforcement evaluates the policy; (3) enforcement filters the data.

Enforcement: filter data. The query is rewritten to join the consent held in T2:

  SELECT '-', Condition, Diagnosis FROM T1, T2 WHERE T1.uid = T2.Consent AND T2.Marketing = 'YES'

Filtered data:
  uid | Name | Condition          | Diagnosis
  1   | -    | Alcoholism         | Cirrhosis
  2   | -    | -                  | -
  3   | -    | Contagious Illness | Hepatitis
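The decision and filtering steps of this example, as an added illustration that is not from the HP Labs slides: the policy, the T1 rows and the T2 consent marks are constructed here to mirror the slide (the Research consent marks are assumed), and decide()/filter_rows() are names of my own. The output reproduces the "Filtered data" table, masking non-consented rows with "-" rather than dropping them.

```python
# Added example, not HP Select Access code: a privacy-aware access decision
# (role + intent + consent) followed by data filtering, mirroring the T1/T2 slide.
from dataclasses import dataclass

# Constructed to match the slide's tables.  T2 consent: Marketing for uids 1 and 3
# only (as the slide's filtered result shows); the Research marks are assumed.
T1 = [
    {"uid": 1, "Name": "Alice", "Condition": "Alcoholic", "Diagnosis": "Cirrhosis"},
    {"uid": 2, "Name": "Rob", "Condition": "Drug Addicted", "Diagnosis": "HIV"},
    {"uid": 3, "Name": "Julie", "Condition": "Contagious Illness", "Diagnosis": "Hepatitis"},
]
T2 = {
    1: {"Marketing": True, "Research": True},
    2: {"Marketing": False, "Research": True},
    3: {"Marketing": True, "Research": False},
}
PII_COLUMNS = ("Name", "Condition", "Diagnosis")
AUDIT = []  # the slide's "Audit" action, recorded on both success and failure


@dataclass(frozen=True)
class Decision:
    allowed: bool
    columns: tuple = ()   # T1 columns the requestor may see in clear
    purpose: str = ""     # T2 consent column that must be enforced


def decide(role: str, intent: str) -> Decision:
    """The slide's policy, evaluated by the decision point (it never sees the data)."""
    if role == "empl." and intent == "Marketing":
        decision = Decision(True, ("Condition", "Diagnosis"), "Marketing")
    elif intent == "Research":
        decision = Decision(True, ("Diagnosis",), "Research")
    else:
        decision = Decision(False)
    AUDIT.append((role, intent, "allow" if decision.allowed else "deny"))
    return decision


def filter_rows(decision: Decision, t1, t2):
    """Enforcement point: project to the permitted columns and blank out every
    PII value for subjects who gave no consent for the stated purpose.  Rows are
    kept and masked with '-', matching the slide's filtered table."""
    if not decision.allowed:
        raise PermissionError("Deny Access")
    filtered = []
    for row in t1:
        consented = t2.get(row["uid"], {}).get(decision.purpose, False)
        out = {"uid": row["uid"]}
        for col in PII_COLUMNS:
            out[col] = row[col] if (consented and col in decision.columns) else "-"
        filtered.append(out)
    return filtered


if __name__ == "__main__":
    for r in filter_rows(decide("empl.", "Marketing"), T1, T2):
        print(r)
```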

Implicit Approach to Enforce Privacy Policies: No Flexibility

Implicit Privacy Policy Definition and Enforcement:
• Embed privacy policies within applications, queries, services/ad-hoc solutions
• Simple approach
• It does not scale in terms of policy management
• It is not flexible and adaptive to changes

(Diagram: privacy policies are mixed into the business logic of the Applications & Services that access Personal Data.)

Explicit Approach to Enforce Privacy Policies: Vertical and Invasive

Explicit Privacy Policy Definition and Enforcement:
• Fully deployed Privacy Management Frameworks
• Explicit Management of Privacy Policies
• Might require major changes to IT and data infrastructure
• Usage of Vertical Solutions

HP Approach: Adaptive, Integrated and Flexible Enforcement of Privacy Policies

The HP approach is positioned between the implicit and the explicit approaches to Privacy Policy Definition and Enforcement:
• Single solution for explicit management of Privacy Policies
• Privacy Enforcement by leveraging and extending the HP Select Access access control framework and its easy-to-use management UI
• Does not require major changes to Applications/Services or Data Repositories

Summary of Requirements

• Modelling of Personal Data
• Explicit definition, authoring and management of privacy policies
• Extensible privacy policies
• Explicit deployment and enforcement of privacy policies
• Integration with traditional Access Control Systems
• Simplicity of usage
• Support for Audit


Privacy Obligation Refinement: Abstract vs. Refined

Obligations can be very abstract: "Every financial institution has an affirmative and continuing obligation to respect customer privacy and protect the security and confidentiality of customer information" (Gramm-Leach-Bliley Act).

More refined Privacy Obligations dictate responsibilities with respect to Personal Information:
• Notice Requirements
• Enforcement of opt-in/opt-out options
• Limits on reuse of Information and Information Sharing
• Data Retention limitations
• …

Privacy Obligations: A Complex Topic …

Examples: "Delete Data XYZ after 7 years"; "Notify User via e-mail if his Data is Accessed".

Dimensions along which obligations vary:
• Duration: short-term, long-term
• Enforcement: one-time, ongoing
• Context: dependent on access control, independent from access control
• Setting: data subject, enterprise
• Types: transactional data, retention & handling, other event-driven obligations

"How to represent Privacy Obligations? How to stick them to Personal Data? How to manage, enforce and monitor them? How to integrate them into current IDM solutions?"

Privacy Obligations: Common Aspects

• Timeframe (period of validity) of obligations
• Events/Contexts that trigger the need to fulfil obligations
• Target of an obligation (PII data)
• Actions/Tasks/Workflows to be enforced
• Who is responsible for enforcing obligations
• Exceptions and special cases

Technical Work in this Space [1/2]

Current approaches to deal with Privacy Obligations:
- P3P (W3C):
  - Definition of user's privacy expectations
  - Explicit declaration of enterprise promises
  - No definition of mechanisms for their enforcement
- Data Retention Solutions and Document Management Systems:
  - Limited in terms of expressiveness and functionalities
  - Focusing more on documents/files, not personal data
- Ad-hoc Solutions for Vertical Markets

Technical Work in this Space [2/2]

Recent relevant work done in this space:
- IBM Enterprise Privacy Architecture, including a policy management system, a privacy enforcement system and audit
- Initial work on privacy obligations in the context of the Enterprise Privacy Authorization Language (EPAL), led by IBM
- XACML: similar standard proposal
- Limitations: no refined model of privacy obligations; privacy obligations are subordinated to access control (AC), which is incorrect …

Privacy Obligations: Suggested Approach

• Deal with Privacy Obligations as "first-class citizens" in the context of Enterprises and Organisations; recognise their importance for Regulatory Compliance
• Recognise the importance of Separation of Concerns: explore how to explicitly represent, manage and enforce privacy obligations without imposing any dominant view (for example, the authorization perspective)
• Research and work on longer-term issues, such as accountability, stronger associations of obligations to data, obligation versioning and tracking

Summary of Requirements

• Explicit modelling and representation of privacy obligations
• (Strong) association of obligations to data
• Mapping obligations into enforceable actions
• Compliance of refined obligations to high-level policies
• Tracking the evolution of obligation policies
• Dealing with long-term obligation aspects
• Accountability management and auditing
• Monitoring obligations
• User involvement
• Handling the complexity and cost of instrumenting apps and services


HP OpenView Identity Management

HP Select Federation:
• Open protocol federation
• Automated inter-organizational user activation & provisioning
• Privacy management
• Federation auditing & governance

HP Select Identity:
• Cross-enterprise user life-cycle management
• Provisioning
• Workflow
• Password management
• Self Service
• Delegated administration

HP Select Access:
• Authentication
• Policy-based access control
• Single sign-on
• Web Services Security & Access Mgmt
• Personalization

(Diagram: an account and policy life-cycle of Registration/Creation, Propagation, Maintenance/Management and Termination, covering Accounts & Policies, Authentication, Authorization, Single Sign-On, Personalization, Compliance, Privacy and Federation.)


HP IDM Solutions: HPL Privacy Extensions

(Matrix: rows are privacy capabilities, columns are HP Select Access, HP Select Identity and HP Select Federation; each cell is marked Supported, Can Be Extended, Not Relevant or HPL Work. For HP Select Federation the capabilities apply to Federated Environments.)

Capabilities:
• Data Modelling & Management
• Privacy-aware Policy Authoring
• Privacy-aware Policy Deployment
• Privacy-aware Policy Enforcement (Access Control)
• Obligation Management & Enforcement
• Audit & Reporting


Privacy Enforcement in HP Select Access

(Diagram: the HP Select Access architecture with the HP Labs extensions.)

Existing HP Select Access components:
• Policy Builder: authoring of Access Control Policies, stored in the Policy Repository
• Validator (Policy Decision): evaluates Access Requests and returns Grant/Deny
• Enforcer Plug-ins: protect Web Services and Applications, Services, …
• Audit

HPL extensions:
• HPL Plug-ins for the Policy Builder: Data Modelling & Privacy Policy Authoring, adding Privacy Policies (intent, purpose, consent, constraints, …) over Personal Data + Owners' Consent
• HPL Plug-ins for the Validator: Privacy Policy Deployment & Decisions; a Privacy-aware Access Request (Requestor's Intent + Request to Access Data) produces a Privacy-aware Decision
• HPL Data Enforcer: Privacy Policy Enforcement on Personal Data, mediating Privacy-aware Access to Data

Select Access: Privacy Extension [1/4]

Step 1. Modelling Data Resources in the SA Policy Builder: Data Resources are added to the Policy Builder.

Select Access: Privacy Extension [2/4]

Step 2. Author Privacy Policies in the SA Policy Builder via SA plug-ins:
• Add Privacy Constraints on "Data Resources": checking Intent vs. Purpose, Consent, etc.
• Describe policies whose evaluation yields: "Allow Access to Data + Privacy Constraints to be Enforced"

Rule Editor. Privacy Constraints: filtering data, enforcing consent, obfuscating data, transformation of data, …

Select Access: Privacy Extension [3/4]

Step 3. Privacy Decisions by the SA Validator (PDP):
• A Validator plug-in makes decisions based on Privacy Policies (1-1 correspondence with the Policy Builder plug-in)
• Decisions must support privacy-oriented constraints (to be enforced): "Allow Access to Data + Constraints to be Enforced" (e.g. allow access to table "Patients Details", but strip out the columns "Name, Surname, Address")
• The SA Validator is general purpose. It does not examine confidential data, for performance/logistic reasons.

Validator plug-ins: Purpose-based Decision plug-in, Data Filtering plug-in, Consent Management plug-in, Data Expiration plug-in.

(Diagram: Request = Data Resource + Intent + (Parameters) → SA Validator with plug-in → Decisions: NO; YES; YES + Constraints.)

Select Access: Privacy Extension [4/4]

Step 4. Privacy Constraints enforced by a Data Enforcer …

The SA Web Enforcer focuses on Web Resources. It does not explicitly deal with Data Resources…

Add an SA "Data Enforcer" that:
• is located near the Data Repository (performance …)
• knows how to access/handle Data and "Queries"
• knows how to enforce Privacy Constraints
• can support "Query rewriting" (i.e. filtering, etc.)

The new SA "Data Enforcer" is designed to have:
• A general purpose engine (to interact with the SA Validator)
• Ad-hoc plug-ins for different Data Sources to interpret and enforce privacy decisions (e.g. RDBMS, LDAP servers, virtual directories, meta-directories, …)

(Diagram: an Access Request + Intent reaches the SA Data Enforcer (Data Proxy), whose Logic and Plug-in drive one Constraint Enforcement Engine per data source (RDBMS, LDAP Server, Meta Directory); the Enforcer consults the Validator through the Enforcer API and returns only the data allowed to be accessed.)

Data Enforcer: SQL Query Transformation

Original SQL Query:

SELECT * FROM PatientRecords;

SQL Query Transformed by the Data Enforcer (Pre-Processing):

SELECT PatientRecords.NAME, PatientRecords.DoB, PatientRecords.GENDER, '-' AS SSN,
       PatientRecords.ADDRESS, PatientRecords.LOCATION, PatientRecords.EMAIL,
       PatientRecords.COMM, PatientRecords.LIFESTYLE, '-' AS GP, '-' AS HEALTH,
       '-' AS CONSULTATIONS, '-' AS HOSPITALISATIONS, '-' AS FAMILY, '-' AS Username
FROM PatientRecords, PrivacyPreferences
WHERE PatientRecords.Name = PrivacyPreferences.Name AND PrivacyPreferences.Marketing = 'Yes';
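The Data Enforcer's query rewriting, as an added example that is not HP's code: it turns the original full-table query into the projected, consent-joined form shown above and runs both against a constructed in-memory SQLite database. Table and column names are from the slide; the rows, the ALLOWED column set and the rewrite()/demo_db()/query() helpers are assumptions of mine.

```python
# Added example, not HP's Data Enforcer: rewrite the slide's "SELECT * FROM
# PatientRecords" into the projected, consent-joined query and run it on a
# constructed in-memory SQLite database.
import re
import sqlite3

# Column order of PatientRecords as listed in the slide's transformed query.
COLUMNS = ["NAME", "DoB", "GENDER", "SSN", "ADDRESS", "LOCATION", "EMAIL", "COMM",
           "LIFESTYLE", "GP", "HEALTH", "CONSULTATIONS", "HOSPITALISATIONS", "FAMILY",
           "Username"]
# The "YES + Constraints" decision (constructed): columns returned in clear for a
# Marketing intent; every other column is replaced by the literal '-'.
ALLOWED = {"NAME", "DoB", "GENDER", "ADDRESS", "LOCATION", "EMAIL", "COMM", "LIFESTYLE"}
FULL_TABLE = re.compile(r"\s*SELECT\s+\*\s+FROM\s+PatientRecords\s*;?\s*", re.IGNORECASE)


def rewrite(sql: str, allowed=ALLOWED, purpose: str = "Marketing") -> str:
    """Pre-processing step: project, mask and join on consent.  Only the simple
    full-table query is recognised; anything else is refused instead of being
    forwarded unchanged, so the enforcer fails closed."""
    if not FULL_TABLE.fullmatch(sql):
        raise ValueError("query shape not handled by this enforcer")
    select = ", ".join(
        f"PatientRecords.{c}" if c in allowed else f"'-' AS {c}" for c in COLUMNS)
    return (f"SELECT {select} FROM PatientRecords, PrivacyPreferences "
            f"WHERE PatientRecords.Name = PrivacyPreferences.Name "
            f"AND PrivacyPreferences.{purpose} = 'Yes'")


def demo_db() -> sqlite3.Connection:
    """Constructed sample data: two patients, only Alice consented to Marketing."""
    con = sqlite3.connect(":memory:")
    con.execute(f"CREATE TABLE PatientRecords ({', '.join(COLUMNS)})")
    con.execute("CREATE TABLE PrivacyPreferences (Name, Marketing, Research)")
    placeholders = ",".join("?" * len(COLUMNS))
    con.executemany(f"INSERT INTO PatientRecords VALUES ({placeholders})", [
        ("Alice", "1970-01-01", "F", "000-00-0001", "1 High St", "Bristol",
         "alice@example.invalid", "email", "runner", "Dr Smith", "asthma", "2", "0", "none", "alice"),
        ("Bob", "1965-05-05", "M", "000-00-0002", "2 Low Rd", "Bath",
         "bob@example.invalid", "phone", "smoker", "Dr Jones", "diabetes", "5", "1", "none", "bob"),
    ])
    con.executemany("INSERT INTO PrivacyPreferences VALUES (?, ?, ?)",
                    [("Alice", "Yes", "No"), ("Bob", "No", "Yes")])
    return con


def query(con: sqlite3.Connection, sql: str, enforce: bool = True):
    """Run sql through the enforcer (default) or raw, returning the result rows."""
    return con.execute(rewrite(sql) if enforce else sql).fetchall()


if __name__ == "__main__":
    db = demo_db()
    print(rewrite("SELECT * FROM PatientRecords;"))
    for row in query(db, "SELECT * FROM PatientRecords;"):
        print(row)
```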

Data Enforcer: Performance Based on Type of Queries

(Chart: time in seconds, 0 to 40, against number of records, 100K to 500K, for three series: Original SQL Query; Transformed SQL Query Without Data Enforcer; Transformed SQL Query With Data Enforcer.)

Demo: HealthCare Scenario

(Diagram: a User's Web Browser accesses a Web Portal protected by the SA Web Enforcer; Web Services accessing PII data (SQL) go through the SA Data Enforcer (JDBC Proxy) in front of the Personal Data Database; the SA Validator with Privacy plug-ins and the SA Policy Builder with Privacy plug-ins use LDAP Directories.)

Demo Snapshots: effect of applying the privacy policy (data filtering); effect of enforcing customers' consent.

Benefits

Integration of:
- Resource Management: data, IT resources, web resources, …
- Management of Access Control and Privacy Policies
- Policy Authoring and Administration GUI
- Policy Deployment and Enforcement Framework

Rationalization and simplification of policy management and enforcement solutions.

Next Steps

• Planned HP productisation of Privacy Enforcement for HP Select Access
• HP Labs interested in collaborations for joint technology trials


Obligation Management System (OMS): Model

(Diagram: within the Enterprise, Data Subjects and Administrators set Privacy Obligations on Personal Data (PII); the Obligation Management Framework handles Obligations Scheduling, Obligations Enforcement and Obligations Monitoring.)

Privacy Obligations: Modelling and Representation

A Privacy Obligation consists of:
• Obligation Identifier
• Targeted Personal Data: references to stored PII data, e.g. database query, LDAP reference, etc.
• Triggering Events: one or more events that trigger different actions, potentially involving changes to PII data, e.g. time-based events
• Actions: e.g. Delete PII, Notify
• Additional Metadata (future extensions)

Privacy Obligations: Format Example

<obligation id="gfrbg7645gt45">
  <target>
    <database>
      <dbname>Customers</dbname>
      <tname>Customers</tname>
      <locator>
        <key name="UserID">oid_a83b8a:fdfc44df3b:-7f9c</key>
      </locator>
      <data attr="part">
        <item>creditcard</item>
        <item>firstname</item>
      </data>
    </database>
  </target>
  <obligationitem sid="1">
    <metadata>
      <type>LONGTERM</type>
      <description>Delete [firstname,surname] at Aug 15 17:26:21 BST 2007]</description>
    </metadata>
    <events>
      <event>
        <type>TIMEOUT</type>
        <date now="no">
          <year>2007</year>
          <month>08</month>
          <day>15</day>
          <hour>17</hour>
          <minute>26</minute>
        </date>
      </event>
    </events>
    <actions>
      <action>
        <type>DELETE</type>
        <data attr="part">
          <item>creditcard</item>
          <item>firstname</item>
        </data>
      </action>
    </actions>
  </obligationitem>
</obligation>
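Parsing, scheduling and enforcing the obligation above, as an added example that is not OMS code: it reads the XML, fires the TIMEOUT event once the clock reaches its date, applies the DELETE action to the targeted record and returns an audit entry for the monitoring service. The XML mirrors the slide; the customer record, clock() and the function names are my own assumptions, and times are handled as naive local times.

```python
# Added example, not OMS code: parse the slide's obligation document, decide when
# its TIMEOUT event is due, and apply the DELETE action to a constructed record.
import xml.etree.ElementTree as ET
from datetime import datetime

OBLIGATION_XML = """<obligation id="gfrbg7645gt45">
  <target><database>
    <dbname>Customers</dbname><tname>Customers</tname>
    <locator><key name="UserID">oid_a83b8a:fdfc44df3b:-7f9c</key></locator>
    <data attr="part"><item>creditcard</item><item>firstname</item></data>
  </database></target>
  <obligationitem sid="1">
    <metadata><type>LONGTERM</type>
      <description>Delete [firstname,surname] at Aug 15 17:26:21 BST 2007]</description></metadata>
    <events><event><type>TIMEOUT</type>
      <date now="no"><year>2007</year><month>08</month><day>15</day>
        <hour>17</hour><minute>26</minute></date></event></events>
    <actions><action><type>DELETE</type>
      <data attr="part"><item>creditcard</item><item>firstname</item></data></action></actions>
  </obligationitem>
</obligation>"""

# Constructed record the obligation targets (the slide does not show the data).
CUSTOMER_RECORD = {"UserID": "oid_a83b8a:fdfc44df3b:-7f9c", "firstname": "Ann",
                   "surname": "Example", "creditcard": "0000-0000-0000-0001"}


def clock(text: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' into the naive datetime used by the scheduler."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def parse_obligation(xml_text: str) -> dict:
    """Map the XML onto the slide's model: identifier, target, events, actions."""
    root = ET.fromstring(xml_text)
    key = root.find("target/database/locator/key")
    target = {"db": root.findtext("target/database/dbname"),
              "table": root.findtext("target/database/tname"),
              "key": (key.get("name"), key.text),
              "items": [i.text for i in root.findall("target/database/data/item")]}
    items = []
    for oi in root.findall("obligationitem"):
        events = []
        for ev in oi.findall("events/event"):
            date, due = ev.find("date"), None
            if date is not None and date.get("now") != "yes":
                due = datetime(*(int(date.findtext(p))
                                 for p in ("year", "month", "day", "hour", "minute")))
            events.append({"type": ev.findtext("type"), "due": due})
        actions = [{"type": a.findtext("type"), "items": [i.text for i in a.findall("data/item")]}
                   for a in oi.findall("actions/action")]
        items.append({"sid": oi.get("sid"), "events": events, "actions": actions})
    return {"id": root.get("id"), "target": target, "items": items}


def due_actions(obligation: dict, now: datetime) -> list:
    """Scheduler view: a TIMEOUT event fires once the clock reaches its date
    (a now="yes" date, parsed as None, is treated as immediately due)."""
    fired = []
    for item in obligation["items"]:
        if any(e["type"] == "TIMEOUT" and (e["due"] is None or now >= e["due"])
               for e in item["events"]):
            fired.extend(item["actions"])
    return fired


def enforce_obligation(obligation: dict, record: dict, now: datetime) -> dict:
    """Enforcer view: apply due DELETE actions to the targeted record in place
    and return the audit entry the monitoring service checks for compliance."""
    deleted = []
    for action in due_actions(obligation, now):
        if action["type"] == "DELETE":
            deleted += [c for c in action["items"] if record.pop(c, None) is not None]
    return {"obligation": obligation["id"], "key": obligation["target"]["key"],
            "deleted": deleted, "at": now.isoformat()}
```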

OMS: High Level System Architecture

(Diagram: within the Enterprise, Data Subjects set Privacy Obligations on Personal Data through a Privacy-enabled Portal, and Admins do the same for Applications and Services; the Obligation Server comprises the Obligation Scheduler and the Obligation Enforcer, with Action Adaptors and Workflows; the Obligation Monitoring Service comprises the Monitoring Task Handler, the Events Handler and the Information Tracker; an Obligation Store & Versioning and an Audit Server complete the system; obligations reference Confidential Data via an Obligation Data Ref.)

Main functions: setting privacy obligations on personal data, enforcing privacy obligations, monitoring privacy obligations.

Privacy Obligation Management System: Use Case – Provisioning Management

Explicit management, enforcement and monitoring of privacy preferences and constraints associated to personal data and digital identities:
• The Data Subject self-registers and manages the user account (HP Select Identity), providing Personal Data + Privacy Preferences
• User Provisioning turns privacy preferences into Privacy Obligations handed to the Obligation Management System
• The Obligation Management System performs Privacy Obligation Enforcement & Monitoring over the Enterprise Data Repositories
• Obligation Monitoring for Compliance writes Audit Logs

HP Labs (Work in Progress): OMS Integration with HP Select Identity

(Diagram: HP Select Identity (Data Services, Job Processor, Identity BP Services, Context Engine, Context Model, Event Management, API, Data Storage & Management) holds the Identity Data; an HP SI Connector links it to the Obligation Management System, which holds the Privacy Obligations and provides Obligation Handling: Setting Obligations, Obligation Enforcement and Obligation Monitoring, driven by Events exchanged between the two systems.)

Benefits

- Integration of User Provisioning and Data Subject's Preferences
- Explicit Control, Enforcement and Monitoring of Privacy Obligations
- Explicitly Address Data Subjects' Preferences and Laws/Enterprise Obligations

Rationalization and simplification of management and enforcement of obligations.

Next Steps

• Addressing open issues such as obligation life-cycle management, overall efficiency, stickiness of privacy obligations to PII data
• Further research to be done in the context of the EU PRIME project and HPL (HP Select Identity)
• HPL interest in collaborations for joint technology trials


Conclusions

• Privacy Management is an important aspect of IT Governance and Regulatory Compliance
• Important privacy issues that need to be addressed by enterprises:
  – Privacy Policy Enforcement
  – Privacy Obligation Management
• Proofs of concept: HP Labs' Privacy Extension of HP Select Access (to be productised) and the coming extension of HP Select Identity
• HP Labs is keen on collaborations for technological trials and on gathering requirements