1 / 63

Dealing with Privacy Obligations in Enterprises

Dealing with Privacy Obligations in Enterprises. Marco Casassa Mont marco.casassa-mont@hp.com Trusted Systems Lab Hewlett-Packard Labs, Bristol, UK. 28-30 September 2004 ISSE 2004 Berlin, Germany. Presentation Outline. Setting the Context: Privacy and Privacy Obligations

florencec
Download Presentation

Dealing with Privacy Obligations in Enterprises

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Dealing withPrivacy Obligations in Enterprises Marco Casassa Mont marco.casassa-mont@hp.com Trusted Systems Lab Hewlett-Packard Labs, Bristol, UK 28-30 September 2004 ISSE 2004 Berlin, Germany

  2. Presentation Outline • Setting the Context: Privacy and Privacy Obligations • Analysis of Privacy Obligations, Issues and Requirements • Privacy Obligations: Related Work • Privacy Obligations: Our Work • Discussion and Next Steps • Conclusions

  3. Our Approach • Focus on Privacy Obligations for Personal Data • in Enterprises • Explore the problem from a technical angle: • how to Model, Manage, Enforce and Monitor Privacy • Obligations • Recognise it is not only a matter of technology • but also involves laws, legislation, processes and • human intervention. Nevertheless Automation • can help.

  4. Setting the Context: Privacy and Privacy Obligations

  5. Regulatory Compliance (Example of Process) Regulations (incomplete list …) PRIVACY Privacy: an Important Aspect of Regulatory Compliance

  6. Modelling of Privacy Policies, Deployment of Policies, Enforcement, Auditing, … Privacy Analysis, Privacy Policy Formulation, Process Engineering, Policy Lifecycle Mgmt, … Social & Business Aspects People and their Personal Data Privacy Technologies Legislation & Laws Regulatory Compliance Privacy is a very Complex Topic …

  7. Privacy Legislation (EU Laws, HIPPA, COPPA, SOX, GLB, Safe Harbour, …) Internal Guidelines Customers’ Expectations Applications & Services Personal Data PEOPLE ENTERPRISE It is a very complex problem. Any tool that helpsautomating aspects of privacy policy enforcement and reduce involved costs is of primarily importance, especially for enterprises and organisations Impact on Reputation, Brand, Customer Retention Customers’ Satisfaction Regulatory Compliance Focus on Management of Privacy for Personal Data within Enterprises

  8. Privacy and Personal Data: Importance of Privacy Laws, Legislation and Guidelines • OECD Privacy Guidelines and Policies • EU Legislation • Various US Laws and Legislations: • HIPPA • COPPA • GLB, etc. • Safe Harbour Policies • Various Local and National Data Protection Initiatives: • http://www.privacyinternational.org/survey/phr2003/ • Organisations and Enterprise Privacy Guidelines/Policies • …

  9. Purpose Specification Consent Limited Collection Limited Use Limited Disclosure Limited Retention Privacy for Personal Data: Principles Privacy Policies

  10. Purpose Specification Consent Limited Collection Limited Use Limited Disclosure Limited Retention Privacy Policies: Rights, Permissions and Obligations Privacy Permissions Privacy Obligations Privacy Rights Privacy Policies

  11. Focus on Privacy Obligations • Focus on Privacy Obligations: Why? • Lot of technical work has already been done • in the space of Privacy Rights and Permissions. • More details will be presented in the Related Work Section … • The overall Management of Privacy Obligations • from a technical perspective, as first-class citizens, • is still a green field and open to research. • Privacy Obligations are a key aspect of • regulatory compliance.

  12. Analysis of Privacy Obligations

  13. 1 2 3 4 Privacy Obligations: Aspects Classifications of Types of Obligations Technologies to deal with Management of Privacy Obligations Management of Obligations: Refinement, Control, Enforcement, Monitoring Privacy Obligations Common Patterns and Requirements

  14. Privacy Obligation Refinement: Abstract vs. Refined Obligations can be very abstract: “Every financial institution has an affirmative and continuing obligation to respect customer privacy and protect the security and confidentiality of customer information” Gramm-Leach-Bliley Act • More refined Privacy Obligations dictate • responsibilities with respect of Personal Information: • Notice Requirements • Enforcement of opt-in/opt-out options • Limits on reuse of Information and Information Sharing • Data Retention limitations …

  15. Privacy Obligations: 1st Classification 1.Transactional Obligations Privacy obligations that are immediately enforced, when interactions/transactions involves PII data e.g. Notify the owner of PII data when someone accesses it (i.e. linked to an access control decision); 2. Data Retention and Handling Obligations Privacy obligations dealing with deletion and management of PII data, usually driven by time-based events e.g. Delete PII data in X hours/days/months/years starting from its disclosure 3. Other event-driven Obligations Privacy obligations triggered by events that relate to contextual and application-relevant data, based on usage of data, trust information, etc. e.g. Delete PII data after it has been accessed X times

  16. Privacy Obligations: 2nd Classification 1. Short-Term Obligations Obligations to be fulfilled immediately or in a short period of time. Their implications in terms of resources needed to fulfill them is limited in time e.g.delete all customer PII data stored in their account after 30 days if the customer does not confirm their registration 2. Long-term Obligations Obligations that might have long term implications in terms of resources needed to fulfill them e.g. delete all PII data of customers after 7 years 3. Ongoing Obligations Obligations that might be short or long termed. They imply an ongoing fulfillment of activities e.g. - every month notify me that you still store my PII data; - notify me every time this data is disclosed to a third party

  17. Privacy Obligations and Access Control Obligations Contextual to Access Control These obligations include most of the transactional obligations and obligations that can be fulfilled after an authorization decision e.g. - notify me when you access my PII data; - delete my data after accessing it; - check for the trustworthiness of your platform when you access PII data; - log your access and intent in this third party audit server Obligations Unrelated to Access Control These obligations are unrelated to access control decisions. Part of data retention obligations, long-term obligations and ongoing obligations belong to this category e.g. - delete customers’ PII data after 7 years it has been stored – independently by the fact it is accessed - notify me every month if you still have PII data of mine

  18. Who is Setting Privacy Obligations? Obligations can be set by PII Data Subjects or Third Parties on their behalf People usually set privacy obligations that are related to the “visible” and operational aspects of their PII data. They usually dictate constraints on the usage of PII data, required interactions and actions (notifications, deletions, etc.), opt-in/opt-out choices; Obligations can be set byEnterprises or imposed by Legislation Organisations need to support privacy obligations dictated by legislation, laws and internal guidelines. These privacy obligations can be seen as “default” obligations that users are entitled to.

  19. Privacy Obligations: Common Aspects and Requirements

  20. Privacy Obligations: Common Aspects • Timeframe (period of validity) of obligations • Events/Contexts that trigger the need to • fulfil obligations • Target of an obligation (PII data) • Actions/Tasks to be Enforced • Entities responsible for enforcing obligations • Exceptions and special cases

  21. Dealing with Privacy Obligations: Important Issues and Requirements [1/2] • Modelling/Representation of Privacy Obligations • Association of Obligations to Data • Mapping Obligations into Enforceable Actions • Compliance of Refined Policies to high-level Policies • Tracking the evolution of Obligation Policies

  22. Privacy Obligations: Important Issues and Requirements [2/2] • Dealing with long-term Obligation Aspects • Accountability Management • User Involvement • Complexity and Cost of Instrumenting Applications • and Services

  23. Privacy Obligations: Related Work

  24. Technical Work in this Space [1/2] • Technical advancements have been made to deal • with Privacy Rights, Permissions and Obligations: • - Extended access control and authorization mechanisms • built to check and enforce privacy permissions • against users’ rights, data purpose, intents … • Approaches to deal with privacy obligations available for • data retention solutions and document management • systems. • They are very focused and limited in terms of obligation • expressiveness and system functionalities.

  25. Technical Work in this Space [2/2] • Recent important work done in this space: • IBM Enterprise Privacy Architecture, including • a policy management system, a privacy enforcement • system and audit • Initial work on privacy obligations in the context of • Enterprise Privacy Authorization Language (EPAL) • lead by IBM

  26. EPAL and Privacy Obligation Management User, Application, Service, … EPAL-driven Authorization and Enforcement Obligation Management And Enforcement Personal and Private Information Privacy Management Framework

  27. EPAL and Privacy Obligation Management Source: http://www.w3.org/Submission/2003/SUBM-EPAL-20031110/

  28. EPAL and Privacy Obligation Management • EPAL main limitations when dealing with privacy obligations: • EPAL (and related privacy architecture) is focuses on an • authorization and access control perspective of privacy • EPAL does not model or describe obligations: it provides • place-holders for them • Privacy obligations are considered as “second-class” • citizens, as they are only considered in an authorization • context …

  29. Privacy Obligations: Our Technical Work

  30. Privacy Obligations: Our Approach to Address the Problems • Deal with Privacy Obligations as “first-class citizens” in the • context of Enterprises and Organisations – recognise its • importance for Regulatory Compliance • Recognise the importance of separation of concerns: • explore how to explicitly represent, manage and • enforce privacy obligations without imposing any dominant • view (for example, the authorization perspective) • Research and work on longer-term issues, such as • accountability, stronger associations of obligations to data, • obligation versioning and tracking

  31. Obligation Management Framework Obligations Monitoring Obligations Enforcement Obligations Scheduling Data Subjects Administrators Privacy Obligations Personal Data (PII) ENTERPRISE Dealing with Privacy Obligations: Our High Level Model

  32. Privacy Obligations: Our Technical Work • Technical Work and Research on Privacy Obligations: • [1] Modelling and Representation of Obligations • [2] An Obligation Management System (OMS) for • Management, Enforcement and Monitoring • of Obligations • [3] Accountability and Strong Association of • Obligations to Personal Data • [4] Prototype

  33. References to stored PII data e.g. Database query, LDAP reference, etc. Targeted Personal Data Triggering Events One or more Events that trigger different Actions potentially involving changes to PII data e.g. Event: Time-based events Actions: Delete PII, Notify [1] Privacy Obligations: Modelling and Representation Privacy Obligation Obligation Identifier Actions Additional Metadata (Future Extensions)

  34. [1] Privacy Obligations: Format Example <obligation id=“gfrbg7645gt45"> <target> <database> <dbname>Customers</dbname> <tname>Customers</tname> <locator> <key name=“UserID">oid_a83b8a:fdfc44df3b:-7f9c</key> </locator> <data attr="part"> <item>creditcard</item> <item>firstname</item> </data> </database> </target> <obligationitem sid="1"> <metadata> <type>LONGTERM</type> <description>Delete [firstname,surname] at Sat Aug 15 17:26:21 BST 2004.]</description> </metadata> <events> <event> <type>TIMEOUT</type> <date now="no"> <year>2004</year> <month>08</month> <day>14</day> <hour>17</hour><minute>26</minute> </event> </events> <actions> <action> <type>DELETE</type> <data attr="part"> <item>creditcard</item> <item>firstname</item> </data> </action> </actions> </obligationitem> </obligation>

  35. [2] Our Privacy Obligations Management System (OMS) • Explicit Management of Privacy Obligations • within Enterprises • Core Functionalities: • Processing • Scheduling • Enforcing • Monitoring of Privacy Obligations

  36. Obligation Management System [2] OMS as part of an Identity Management System Model of Identity Management Systems

  37. [2] OMS: High Level System Architecture Applications and Services Data Subjects Admins Privacy-enabled Portal Events Handler Obligation Monitoring Service Monitoring Task Handler Admins Obligation Server Workflows Obligation Enforcer Obligation Scheduler Information Tracker Action Adaptors ENTERPRISE Audit Server Data Ref. Obligation Obligation Store & Versioning Confidential Data

  38. [2] OMS: High Level System Architecture Applications and Services Data Subjects Privacy-enabled Portal Setting Privacy Obligations On Personal Data Admins Obligation Server Obligation Scheduler ENTERPRISE Audit Server Data Ref. Obligation Obligation Store & Versioning Confidential Data

  39. [2] OMS: High Level System Architecture Applications and Services Data Subjects Enforcing Privacy Obligations Admins Events Handler Admins Workflows Obligation Enforcer Information Tracker Obligation Scheduler Action Adaptors ENTERPRISE Audit Server Data Ref. Obligation Obligation Store & Versioning Confidential Data

  40. [2] OMS: High Level System Architecture Applications and Services Data Subjects Admins Events Handler Obligation Monitoring Service Monitoring Privacy Obligations Monitoring Task Handler Workflows Obligation Enforcer Information Tracker Action Adaptors ENTERPRISE Audit Server Data Ref. Obligation Obligation Store & Versioning Confidential Data

  41. [3] OMS: Towards Strong Association of Obligations to Data and Accountability Applications and Services Subjects Admins Privacy-enabled Portal Events Handler Obligation Monitoring Service Obligation Server Monitoring Task Handler Admins Workflows Obligation Enforcer Obligation Scheduler Information Tracker Key Mgmt Service Action Adaptors ENTERPRISE Audit Server Data Ref. Obligation encrypted data+ sticky obligation Obligation Store & Versioning Confidential Data Encryption + Sticky Policies: based on IBE crypto or traditional RSA crypto

  42. [4] OMS Prototype: Core System Components

  43. Discussion [1/2] • Our system is an initial step towards the explicit management, enforcement and monitoring of privacy obligations: plenty of space for refinements and improvements • We assume that the enterprise is willing to be compliant to privacy obligations. Additional assurance and accountability can be added by hardening the audit server and involving trusted third parties

  44. Discussion [2/2] • We introduced and discussed a centralised OMS system: potential for bottlenecks. Exploring how to distribute it … • Security is required to control the access to obligations and PII data by Administrators and Users • We did not discuss the implications of long-terms obligation management in terms of requirements for reliability, survivability and longevity of the platforms running our system. Related work can be leveraged in this space

  45. Next Steps • Refinement of our concepts, OMS architecture and further research • Addressing open issues such as obligation life-cycle management, overall efficiency, stickiness of privacy obligations to PII data • Further research to be done in the context of the EU PRIME project

  46. Conclusions • Privacy obligations are a key aspect of privacy. They are “first-class” citizens: need to be explicitly managed • The management of privacy obligations is important for enterprises and organisations as part of the overall Regulatory Compliance • We introduced our research and technical work in the privacy obligation management space. Described an Obligation Management System (OMS) to schedule, enforce and monitor privacy obligations • Open issues: OMS efficiency, scalability, strong association of privacy obligations to data • Our research and work are in progress. Part of this work will be done in the context of the EU PRIME project

  47. BACK-UP SLIDES

  48. Some Privacy Definitions … • “The quality of being secluded from the presence or view of others” • “The right of an individual to be secure from unauthorized disclosure • of information about oneself that is contained in documents and • digital data” • “Ensuring that individuals maintain the right to control what • information is collected about them and how it is used as well” • “For citizens and consumers, freedom from unauthorized intrusion. • For organizations, privacy involves the policies that determine what • information is gathered, how it is used, and how customers are • informed and involved in this process. Privacy is a legal issue, but • it is also an information security issue” • …

  49. Request for DATA + INTENT Applications & Services Data Subject Data Requestors Personal Data (PII) + Consent to access personal data they need to express their INTENT i.e. how they intend to use these data P.S.: INTENT could be hard coded in applications or part of role definitions Personal DATA + CONSENT Definition of the PURPOSES data are collected for Privacy Office & Privacy Admins: CONSENT is given by data subjects for the usage of their Personal Data (PII) for predefined PURPOSES PRIVACY POLICIES: Dictate how data must be managed. At the very base dictate what can be accessed by requestors, given their INTENT, the PURPOSE of Collecting the Data and CONSENT given by data subjects ENTERPRISE Terminology: Consent, Intent, Data Purpose, Privacy Policy

  50. Terminology: Aspects of Privacy Policy related to Personal Data Privacy Policies Personal DATA + CONSENT Check Requirements (Intent against data Purposes and Consent, etc.) Failure (no access) Actions Data Subject • - Audit • Notification • … Personal Data and Consent Success Dictate Access Constraints • Partial Data Access • (filter Data) • Data Transformation/Encryption • Data Subject’s Constraints • … Request for DATA + INTENT Privacy Policy Enforcement Data Requestors Actions Actual Accessed Data • - Audit • Notification … ENTERPRISE

More Related