to Enable Privacy-aware SOA L. Bussard European Microsoft - PowerPoint PPT Presentation

Data Privacy Management (DPM’09) September 24, 2009 Obligation Language and Framework to Enable Privacy-aware SOA L. Bussard European Microsoft Innovation Center (joint work with M. Ali and U. Pinsdorf) A research project funded by the European Commission’s 7 th Framework Programme 1

Outlines  PrimeLife  Privacy in Service Oriented Architectures  Shortcoming of State of the Art  Our Solution  Specifying Obligations  Enforcing Obligations  Future Work 2

PrimeLife in a Nutshell  Partners  Technical Goals  Privacy policies and preferences  Anonymous credentials  User experience  http://www.primelife.eu/ 3

Privacy in SOA Policy Pref.  Variety of technologies: mash-ups, workflows, PII orchestrations  Multi-hop data sharing  Multiple trust domains  Data from multiple users may be combined.  Dynamic discovery and binding ?  Persons may consume PII 4

General Scenario User Service Third (data (data Party subject) 1) Policy controller) (downstream data 2) controller) Pref. 3) Can I share? (Matching) 4) PII + SP 5) store 6) Can I use for… ? 7) Obligations Policy’ 8) Can I share? PII + SP’ 5

state of the art: APPEL + P3P + EPAL User Service Third P3P (data (data Party subject) 1) Policy controller) (downstream data 2) controller) Pref. APPEL 3) Can I share? (Matching) 4) PII + SP 5) store Boolean 6) Can I use for… ? 7) Obligations EPAL Policy’ 8) Can I share? PII + SP’ 6

state of the art: PRIME User Service Third (data (data Party subject) 1) Policy controller) (downstream data 2) controller) Pref. 3) Can I share? (Matching) PRIME-DHP 4) PII + SP 5) store 6) Can I use for… ? 7) Obligations PRIME-obligations Policy’ PRIME-AC 8) Can I share? PII + SP’ 7

Shortcoming of state of the art User Service Third (data (data Party subject) 1) Policy controller) (downstream data 2) controller) Pref. 3) Can I share? (Matching) PRIME-DHP 4) PII + SP 5) store 6) Can I use for… ? 7) Obligations PRIME-obligations Policy’ PRIME-AC 8) Can I share? PII + SP’ 8

Our Approach User Service Third Party (data (data (downstream data controller) subject) controller) 1) Policy  Policy Language 2) Pref . 3) Can I share? (Matching)  Rights 4) PII + SP 5) store  Data usage (purpose, etc.) 6) Can I use for… ? 7) Obligations  Data sharing (Access Control, etc.) Policy’  Obligations 8) Can I share? PII + SP’  Triggers + Actions  Examples: Retention, Notification, Log, etc.  Policy Matching  Similar language for policies, preferences, and sticky policies  Policy Enforcement 9

Our Solution Service Privacy Privacy Policy Preferences Policy Matching Engine Rights Rights 1 1 Obligations Obligations 2 Policy Sticky Policy Enforcement Engine 3 Rights Obligations User 4 4 Legacy Legacy system system 10

Applying our solution User Service Third (data (data Party Privacy Privacy Policy Preferences Policy Matching subject) 1) Policy controller) (downstream Engine Rights Rights 1 1 data 2) controller) Pref. Obligations Obligations 3) Can I share? 2 (Matching) Policy Sticky Policy Enforcement Engine 3 Rights 4) PII + SP 5) store Obligations 4 4 Privacy Pref. Privacy Policy of Extern Extern Sticky Policy al al third party Policy Matching syste syste 6) Can I use for… ? Engine m m Rights Rights 5 5 7) Obligations Obligations Obligations 6 Policy’ Policy New Sticky Policy Enforcement Engine 7 8) Can I share? Rights Obligations PII + SP’ 8 8 Externa Externa l l system system 11

Our Solution Service Privacy Privacy Policy Preferences Policy Matching Engine Rights Rights 1 1 Obligations Obligations 2 Policy Sticky Policy Enforcement Engine 3 Rights Obligations User 4 4 Legacy Legacy system system 12

Obligation  We define obligation as: “Promise made by a SUBJECT to be fulfilled through some ACTION under defined TIMELINES and CONDITIONS”  Example:  X Says X will DELETE U’s Data within 6 Months 13

Obligation Requirements Independence from Transport / Storage  Independence from policy language  Independence from data storage  Independence from communication protocols  Extensibility  Support for common obligations  Support for domain specific obligations  Abstraction  Support for abstraction of actions  Support for preventive obligations  Support for abstraction of triggers  Deployments  Support for distributed deployment  Support for different trust models  Auditability  Transparency of data handling  Matching  14

Obligation Structure X Says X will DELETE U’s Data within 6 Months Policy Trigger/ Subject Action Object (Parameter Issuer Condition of Action) Obligation Rule Subject  The entity liable to fulfill obligation  (i.e. the subject of the obligation not the data subject) Action  The activity (or sequence of activities) executed to fulfill obligation  Conditions (Temporal constraints, generic conditions etc)  Constraints on the obligation rule  Triggers  Inward event to trigger execution of obligation rule  Outward Events  Outward notification events  15

Obligation Classification  Trigger-related  Conditional vs. Mandatory  Repeating vs. Non-Repeating  Action-related  Proactive vs. Preventive  Observable vs. Non-observable  Subject-related  Collective vs. Individual  Self Obligation vs. Third Party Obligations 16

Proposed Framework Architecture PII, Obligation Protocols Plug-in Plug-in Obligation Obligation Policy Extractor Parser EE Schedule Scheduler PII Register Obligation Event System Trigger Engine event Plug-in Plug-in Plug-in Plug-in Policy Repository Obligation Engine Actions Plug-in Plug-in Obligation Systems Framework Plug-in Plug-in Legacy Systems action (e.g. DataBase) 17

Setting plug-ins X Says X will DELETE U’s Data within 6 Months delete … Actions Trigger Notify Delete Log time read … Systems Systems SQL- Exchan SQL- Sched … … Server ge Server uler Scheduler Legacy Systems 18

Setting plug-ins X Says X will NOTIFY user U when read U’s Data delete … Actions Trigger Notify Delete Log time read … Systems Systems SQL- Exchan SQL- Sched … … Server ge Server uler Scheduler Legacy Systems 19

Plug-ins in action Policy Repository Obligation Engine Event Engine delete … Actions Triggers Notify Delete Log time read … Systems Systems SQL- Exchan SQL- Sched … … Server ge Server uler Read Scheduler Send e-mail Legacy Systems PII 20

Results  A language to describe obligations  Definition of Triggers  Definition of Actions  Implementation of an enforcement framework  Mechanisms to extend language and enforcement with domain specific obligations 21

Ongoing and Future work  Matching obligations  Semantics of actions and triggers  Policy is-less-permissive-than Preference ? (to appear: PrimeLife document H5.3.2)  Integration with policy languages  XACML-based data handling (to appear: PrimeLife H5.3.2)  SecPAL for Privacy (September’09 MSR report: MSR -TR-2009-128)  Matching behavior (traces) and policies  Checking enforceability of policies 22

Questions? ? Laurent Bussard European Microsoft Innovation Center lbussard@microsoft.com http://research.microsoft.com/en-us/people/lbussard/ 23