t towards integrated policy d i t t d p li managem ent
play

T Towards Integrated Policy d I t t d P li Managem ent for - PowerPoint PPT Presentation

T Towards Integrated Policy d I t t d P li Managem ent for Privacy Managem ent for Privacy Dr Nick Papanikolaou e-Security Group International Digital Laboratory WMG, University of Warwick , y http: / / go.warwick.ac.uk/ nikos C


  1. T Towards Integrated Policy d I t t d P li Managem ent for Privacy Managem ent for Privacy Dr Nick Papanikolaou e-Security Group International Digital Laboratory WMG, University of Warwick , y http: / / go.warwick.ac.uk/ nikos

  2. C Context t t • Joint work with Marco Casassa Mont & Siani Pearson [ HP Labs] Sadie Creese Siani Pearson [ HP Labs] , Sadie Creese & Michael Goldsmith [ Warwick IDL] • EnCoRe project E C R j t – http: / / www.encore-project.info p p j – “Ensuring Consent and Revocation” – Goal is to manage and enforce users’ Goal is to manage and enforce users privacy (consent and revocation) preferences in enterprise information preferences in enterprise information systems 17 November 2009 W3C Workshop on Access Control Scenarios 2

  3. P i Privacy Policies P li i • Cannot underestimate importance of adequate information handling f d t i f ti h dli practices in enterprises to ensure p p – Continued ability to collect information – Privacy of individuals P i f i di id l • Legal requirements (National EU) • Legal requirements (National, EU), Codes of Practice, Corporate privacy policies i li i 17 November 2009 W3C Workshop on Access Control Scenarios 3

  4. E f Enforcing Privacy Policies i P i P li i • There are many different levels of requirements and no common requirements and no common representation or consistent means of enforcement across an enterprise • Automated enforcement is simple for • Automated enforcement is simple for lowest levels of policy only (e.g. Access control policies) – Automated enforcement of privacy Automated enforcement of privacy policies not very successful (cf. P3P) 17 November 2009 W3C Workshop on Access Control Scenarios 4

  5. P li Policy management levels t l l • In an enterprise, privacy requirements will be typically handled requirements will be typically handled at different levels by different experts – Legal requirements – legal team L l i t l l t – Data access requirements – IT team • Hierarchy of policies (privacy requirements) requirements) • There may be overlaps and conflicts between requirements at different between requirements at different levels 17 November 2009 W3C Workshop on Access Control Scenarios 5

  6. P li Policy management approaches t h • In our view, taking an approach to dealing with privacy requirements d li ith i i t that is too low level (e.g. focusing only on XACML representation of access control i f l restrictions) restrictions) misses important legal aspects and outcomes of risk assessment 17 November 2009 W3C Workshop on Access Control Scenarios 6

  7. P li Policy management approaches t h • Pragmatic approaches – Risk assessment (standard business practice) p ) – Typically results in non-reusable solutions solutions • Technical approaches pp – Focus on designing languages and software tools for policies of a software tools for policies of a particular kind [ only] 17 November 2009 W3C Workshop on Access Control Scenarios 7

  8. P li Policy Levels vs. Approaches L l A h 17 November 2009 W3C Workshop on Access Control Scenarios 8

  9. R Reconciling policy requirements ili li i t • Low-level approaches have the advantage of automation d t f t ti • High-level approaches account for • High level approaches account for overall security concerns, the law, and the business processes in an d h b enterprise enterprise • Can we obtain the benefits of both by building a conceptual model? 17 November 2009 W3C Workshop on Access Control Scenarios 9

  10. C Conceptual Model for Policies t l M d l f P li i High-level policies European Privacy Corporate Policies, Data Protection Act Codes of Practice Directive ... Conceptual Model Templates for different policy requirements Low-level policies Low level policies Implementable XACML code for Machine-checkable P3P and APPEL, ... policies access control (verifiable) 17 November 2009 W3C Workshop on Access Control Scenarios 10

  11. More about conceptual model M b t t l d l • Conceptual model may take different forms forms – Varying levels of formality can be useful – Just identifying typical clause structures of legal texts can provide clarity of legal texts can provide clarity – More formal models can enable automatic checking that checking that • A lower-level policy satisfies the requirements of a higher level one (policy refinement) of a higher-level one (policy refinement) • Policy statements do not conflict with one another another 17 November 2009 W3C Workshop on Access Control Scenarios 11

  12. E Examples l • In the paper we have considered examples of policy statements e.g. l f li t t t for transborder data flow, ... , • Privacy-aware access control e.g. IF (Data Requestor wants to access personal data D for Purpose P) AND (data subject has given consent for this data) ( j g ) THEN Allow Access ELSE Deny Access 17 November 2009 W3C Workshop on Access Control Scenarios 12

  13. P i Privacy-aware access control t l Database tables w ith PI I data Encoded access-control policy and custom ers consents and custom ers’ consents ( Thi di ( This diagram If role = = “Statistician” & intent = = is courtesy of “Marketing” Marco Casassa uid Nam e Condition Diagnosis Mont, HP Labs) Then 1 Alice Alcoholic Cirrhosis Allow Access (T1.Condition,T1.Diagnosis) T1 & E f & Enforce (Consent) (C ) 2 Rob Drug-addicted HIV Contagious illness 3 Julie Hepatitis Else If role = = “Scientist” & intent = = “Research” Consent Marketing Research Then x 1 T2 Allow Access (T1.Diagnosis) & Enforce (Consent) x x 2 3 Else Deny Access Enforcement: Filter data Privacy Policy SELECT “-”,Condition, Diagnosis Enforcem ent Enforcem ent Access Table T1 bl FROM T1 , T2 (Select ALL from T1) W HERE T1 .uid= T2 .Consent AND T2 .Marketing= “YES” Intent = “Marketing” uid Nam e Condition Diagnosis 1 - Alcoholism Cirrhosis Filtered-out data 2 2 - - - - - - 3 - Contagious Illness Hepatitis 13 1 3 1 7 Novem ber 2 0 0 9 W 3 C W orkshop on Access Control Scenarios 1 3

  14. S Summary of position f iti • Current approaches to policy specification and enforcement are specification and enforcement are either too high-level or too low-level • The EnCoRe project is developing an Th E C R j t i d l i approach that balances risk assessment and high-level requirements with low-level q considerations, esp. what is implementable using current policy implementable using current policy languages and tools 17 November 2009 W3C Workshop on Access Control Scenarios 14

  15. R l t d Related and Future Work d F t W k • We have already considered how privacy policies in P3P may be privacy policies in P3P may be translated to a form suitable for automated verification automated verification – See http: / / go.warwick.ac.uk/ nikos/ publications htt / / i k k/ ik / bli ti • We hope to develop a formal access control model that is designed to express privacy policies at all the p p y p levels that they arise 17 November 2009 W3C Workshop on Access Control Scenarios 15

Recommend


More recommend