A Systematic Approach to Privacy Enforcement and Policy Compliance Checking in Enterprises Marco Casassa Mont Siani Pearson Robert Thyne Hewlett-Packard Labs
Presentation Outline
• Privacy: Core Concepts and Our Vision
• Addressed Problems
• Our Approach to Privacy Enforcement and Compliance
• Our R&D Work:
- Privacy-Aware Access Control
- Obligation Management and Enforcement
- Policy Compliance Checking
• Conclusions
Enterprise Privacy Management
Effective enterprise privacy depends on good governance practices: a cycle of Policy Development, IT Alignment, Policy Enforcement, Monitoring, and Reporting/Transparency.
Inputs to policy development: regulations, standards and best practices; privacy legislation (EU laws, HIPAA, COPPA, SOX, GLB, Safe Harbour, …); internal guidelines; customers' expectations.
Scope: personal data exchanged between people and the enterprise through its IT infrastructure, applications and services.
Impact on enterprises and opportunities: positive impact on reputation, brand and customer retention; customers' satisfaction; regulatory compliance.
Current Approach
Policy (example: "Personal data should be used only for the purposes for which it was collected") is separated by a GAP from the IT stack (application software; system software & middleware; processors, networks & data stores). Today that gap is bridged by people and processes:
• Slow
• Expensive
• Error-prone
• Best-effort compliance
Our Vision: Model-based, Policy-driven IT
Policy is bound to the IT stack (application software; system software & middleware; processors, networks & data stores) through models and automation:
• Deployment
• Enforcement/Execution
• Data management
• Monitoring/Audit
Goals: seamless, rigorous alignment; transparent, verifiable compliance.
Privacy for Personal Data: Core Principles
• Purpose Specification
• Consent
• Limited Collection
• Limited Use
• Limited Disclosure
• Limited Retention
Privacy policies express these principles as Privacy Permissions, Privacy Obligations and Privacy Rights.
Addressed Problems
• How to automate privacy management within enterprises:
- How to automate privacy-aware access control
- How to automate privacy obligation management/enforcement
- How to automate compliance checking
• How to do this in a systematic way
• How to leverage current identity management solutions
Making Privacy Management Easy
• Our viewpoint: use a model-based, policy-driven approach so that access to personal data is controlled, and personal data lifecycle management actions are performed, in an automated and verifiable manner.
• Our solution:
- Use privacy policy enforcement technologies to deliver compliance with privacy principles and goals.
- Use system monitoring technologies to continuously assess their actual performance and ability to deliver.
Privacy Automation for Identity Management: Systematic Approach (architecture slide)
Actors: users, employees and third parties reach applications/services through a web portal; privacy admins author privacy policies and privacy obligations. Self-registration captures personal data and privacy preferences (consent and other preferences).
Enterprise components: identity management middleware (User Provisioning & Account Management, Access Control System) in front of the data repositories; a Privacy-aware Access Control System that turns access requests from applications into privacy-aware queries; an Obligation Management System acting on the stored data (privacy-aware information lifecycle management); a Policy Compliance Checking System consuming system settings and events from the enterprise systems.
Privacy-aware Access Control in Enterprises
(Governance cycle: regulations, standards and best practices feed Policy Development, IT Alignment and Policy Enforcement on the enterprise IT infrastructure; this section addresses privacy policy enforcement.)
• How to enforce privacy policies within enterprises when accessing and manipulating personal data?
• How to enforce user preferences, e.g. consent?
• How to integrate with identity management solutions?
HP Labs R&D work: Privacy-Aware Access Control System for personal data; prototype integrated with HP Select Access; to be productised in 2007.
Moving Towards a "Privacy-Aware" Access Control
Traditional access control on personal data considers the Requestor, Rights and Actions.
Privacy-aware access control adds a privacy extension: Purpose, Requestor's Intent, Owner's Consent, Constraints, and others.
It is not just a matter of traditional access control: data purpose, intent and the user's consent must be included. Privacy enforcement on data = access control + "intent, purpose, consent, …".
Example: Privacy-aware Access Control (Consent, Purpose and Intent Mgmt)

Table T1 with PII data:
  uid | Name  | Condition          | Diagnosis
  1   | Alice | Alcoholic          | Cirrhosis
  2   | Rob   | Drug Addicted      | HIV
  3   | Julie | Contagious Illness | Hepatitis

Table T2 with customers' consent (the consent marks are reconstructed from the filtered result below):
  Consent (uid) | Marketing | Research
  1             | x         |
  2             |           | x
  3             | x         |

Enterprise privacy policies & customers' consent:
  If role == "empl." and intent == "Marketing"
    Then Allow Access (T1.Condition, T1.Diagnosis) & Enforce (Consent)
  Else If intent == "Research"
    Then Allow Access (T1.Diagnosis) & Enforce (Consent)
  Else Deny Access

Access to table T1 (SELECT * FROM T1) with Intent = "Marketing". Privacy policy enforcement: filter the data. The query is rewritten as
  SELECT "-", Condition, Diagnosis FROM T1, T2 WHERE T1.uid = T2.Consent AND T2.Marketing = "YES"

Filtered data:
  uid | Name | Condition          | Diagnosis
  1   | -    | Alcoholic          | Cirrhosis
  2   | -    | -                  | -
  3   | -    | Contagious Illness | Hepatitis
Name is never released for this intent, and Rob, who has not consented to marketing, is masked (the WHERE clause of the rewritten query drops his row entirely; the slide shows it masked).
Implicit Approach to Enforce Privacy Policies: No Flexibility
Implicit privacy policy definition and enforcement: privacy policies are embedded within applications, queries, services and ad-hoc solutions, mixed with the business logic that handles personal data.
• Simple approach
• Does not scale in terms of policy management
• Not flexible or adaptive to changes
Explicit Approach to Enforce Privacy Policies: Vertical and Invasive
Explicit privacy policy definition and enforcement: fully deployed privacy management frameworks with explicit management of privacy policies.
• Might require major changes to the IT and data infrastructure
• Use of vertical solutions / focus on RDBMS
Current approaches: IBM/Tivoli Privacy Manager; privacy-aware Hippocratic Databases.
HP Approach: Adaptive, Integrated and Flexible Enforcement of Privacy Policies
(Explicit definition and enforcement of privacy policies, without the invasiveness of the existing explicit approaches.)
• Single solution for explicit management of privacy policies on heterogeneous data repositories
• Privacy enforcement by leveraging and extending the security/access control framework, with an easy-to-use management UI
• Does not require major changes to applications/services or data repositories
Key Requirements
• Modelling of personal data
• Explicit definition, authoring and management of privacy policies
• Extensible privacy policies
• Explicit deployment and enforcement of privacy policies
• Integration with traditional access control systems
• Simplicity of usage
• Support for audit
Our Model of Privacy-Aware Access Control
1. Requestors (applications, services, …) issue an access request: the requestor's intent + the request to access data.
2. The Privacy Policy Enforcement Point (Data Enforcer) passes it to the Privacy Policy Decision Point.
3. The decision point evaluates access control + privacy policies (intent, purpose, consent, constraints, …) and returns a privacy-aware decision.
4. The Data Enforcer performs privacy-aware access to the data repositories (personal data + data subjects' consent).
5. The accessed data is returned to the requestor; it could be a subset of the requested data.
Privacy policies and data models are maintained with the privacy policy & data authoring tools.
HP OpenView Select Access Access Control System: Definition, Enforcement and Auditing of Access Control Policies http://www.openview.hp.com/products/select/
Privacy Enforcement in HP Select Access
• Data modelling & privacy policy authoring: the Policy Builder, extended with HPL plug-ins, writes access control policies + privacy policies (intent, purpose, consent, constraints, …) to the Policy Repository.
• Privacy policy deployment & decisions: applications and services send the requestor's intent + the request to access data; the Enforcer plug-ins (including the HPL Data Enforcer) turn it into a privacy-aware access request to the Validator (policy decision, reached over web services), which returns grant/deny together with a privacy-aware decision.
• Privacy policy enforcement on personal data: the HPL Data Enforcer performs privacy-aware access to the personal data + owners' consent.
• Audit of the decisions and accesses.
Modelling Data Resources (screenshot): data resources are added to the Policy Builder.
Privacy Policy Authoring [2/2] (screenshot): checking intent against purpose; defining data filtering criteria; defining how to handle consent.
Data Enforcer: Privacy-aware Policy Enforcement Point
• The "Data Enforcer":
- is located near the data repository (performance, …)
- knows how to access/handle data and "queries"
- knows how to enforce privacy constraints
- can support "query rewriting" (i.e. filtering, etc.)
• The "Data Enforcer" is designed to have:
- a general-purpose engine (to interact with the Select Access Validator)
- ad-hoc plug-ins for different data sources, to interpret and enforce privacy decisions (e.g. RDBMS, LDAP servers, virtual directories, meta-directories, …)
Figure: access request + intent enters through the Enforcer API into the Select Access Data Enforcer (data proxy) logic, which consults the Validator plug-in; one constraint enforcement engine per data source (LDAP server, meta directory, RDBMS) returns only the data the requestor is allowed to access.
Data Enforcer: SQL Query Transformation
Original SQL query:
  SELECT * FROM PatientRecords;
SQL query transformed by the Data Enforcer (pre-processing):
  SELECT PatientRecords.NAME, PatientRecords.DoB, PatientRecords.GENDER, '-' AS SSN, PatientRecords.ADDRESS, PatientRecords.LOCATION, PatientRecords.EMAIL, PatientRecords.COMM, PatientRecords.LIFESTYLE, '-' AS GP, '-' AS HEALTH, '-' AS CONSULTATIONS, '-' AS HOSPITALISATIONS, '-' AS FAMILY, '-' AS Username
  FROM PatientRecords, PrivacyPreferences
  WHERE PatientRecords.Name = PrivacyPreferences.Name AND PrivacyPreferences.Marketing = 'Yes';
Columns the policy does not allow for the stated intent are replaced by the literal '-', and the join with PrivacyPreferences restricts the result to patients who opted in to Marketing. (The join here is on Name; joining on a stable key such as a patient identifier avoids collisions between patients with the same name.)
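The T1/T2 example and the Data Enforcer's query rewriting, as an added worked example in Python over SQLite (this is not code from the slides or from HP Select Access): the decision point encodes the slide's role/intent rule, the enforcer rewrites SELECT * FROM T1 into the consent-filtered projection, and the rewritten query is executed against constructed tables. Table contents follow the slide; the Research consent for uid 2, the function names and the handling of the uid column are assumptions.

```python
import re
import sqlite3

# Constructed data, reconstructed from the T1/T2 example on the slides (not real people).
T1_ROWS = [
    (1, "Alice", "Alcoholic", "Cirrhosis"),
    (2, "Rob", "Drug Addicted", "HIV"),
    (3, "Julie", "Contagious Illness", "Hepatitis"),
]
# Consent table: Consent is the customer uid; Marketing/Research are opt-in flags
# (uid 2's Research opt-in is an assumption).
T2_ROWS = [(1, "YES", "NO"), (2, "NO", "YES"), (3, "YES", "NO")]
T1_COLUMNS = ["uid", "Name", "Condition", "Diagnosis"]


def build_db():
    """In-memory stand-in for the data repository behind the Data Enforcer."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE T1(uid INTEGER PRIMARY KEY, Name TEXT, Condition TEXT, Diagnosis TEXT);"
        "CREATE TABLE T2(Consent INTEGER PRIMARY KEY, Marketing TEXT, Research TEXT);"
    )
    con.executemany("INSERT INTO T1 VALUES (?, ?, ?, ?)", T1_ROWS)
    con.executemany("INSERT INTO T2 VALUES (?, ?, ?)", T2_ROWS)
    return con


def decide(role, intent):
    """Privacy policy decision point: the rule from the slide.

    Returns (columns the requestor may see, consent flag to enforce), or None for deny.
    """
    if role == "empl." and intent == "Marketing":
        return {"Condition", "Diagnosis"}, "Marketing"
    if intent == "Research":
        return {"Diagnosis"}, "Research"
    return None


def rewrite(query, decision):
    """Data Enforcer pre-processing: turn SELECT * FROM T1 into a consent-filtered projection.

    Columns outside the decision are replaced by the literal '-' (as on the slide); the key
    column uid is kept so rows stay identifiable (assumption); the join with T2 drops every
    customer who has not opted in to the stated intent.
    """
    if not re.fullmatch(r"\s*SELECT\s+\*\s+FROM\s+T1\s*;?\s*", query, re.IGNORECASE):
        raise ValueError("this example only rewrites SELECT * FROM T1")
    allowed, consent_flag = decision
    projection = ", ".join(
        f"T1.{col}" if col == "uid" or col in allowed else f"'-' AS {col}"
        for col in T1_COLUMNS
    )
    return (
        f"SELECT {projection} FROM T1, T2 "
        f"WHERE T1.uid = T2.Consent AND T2.{consent_flag} = 'YES' ORDER BY T1.uid"
    )


def enforce(con, query, role, intent):
    """Privacy-aware access: decide, rewrite, execute. Raises PermissionError on deny."""
    decision = decide(role, intent)
    if decision is None:
        raise PermissionError(f"intent {intent!r} not allowed for role {role!r}")
    return con.execute(rewrite(query, decision)).fetchall()


if __name__ == "__main__":
    db = build_db()
    for intent in ("Marketing", "Research"):
        print(intent, enforce(db, "SELECT * FROM T1", "empl.", intent))
```

The same pattern produces the PatientRecords rewrite shown on the slide: the allowed column set comes from the policy decision, everything else is projected as '-', and the consent join is appended as a WHERE clause. The regex guard matters in practice: a requestor must never be able to smuggle its own projection or WHERE clause past the enforcer, so anything other than the expected query shape is rejected rather than passed through.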
Data Enforcer: Performance Based on Type of Queries
Privacy Obligation Management
(In the governance cycle, privacy obligation enforcement sits under Policy Enforcement and obligation monitoring under Monitoring, feeding Reporting and Transparency.)
Privacy obligations dictate duties and expectations on enterprises about how to handle personal data. It is about privacy-aware information lifecycle management:
• Which privacy obligations to manage? How to represent them?
• How to schedule, enforce and monitor privacy obligations?
• How to integrate with identity management solutions?
HP Labs R&D work: Privacy Obligation Management System; prototype integrated with HP Select Identity; exploring its productisation; research in the EU PRIME project.
Privacy Obligation Refinement: Abstract vs. Refined
Obligations can be very abstract: "Every financial institution has an affirmative and continuing obligation to respect customer privacy and protect the security and confidentiality of customer information" (Gramm-Leach-Bliley Act).
More refined privacy obligations dictate duties, expectations and responsibilities on how to handle personal data:
• Notice requirements
• Enforcement of opt-in/opt-out options
• Limits on reuse of information and information sharing
• Data retention limitations
• …
Technical Work in this Space
• P3P (W3C): definition of users' privacy expectations; explicit declaration of enterprise promises; no definition of mechanisms for their enforcement.
• Data retention solutions, document management systems, ad-hoc solutions for vertical markets: limited in terms of expressiveness and functionality; focused more on documents/files than on personal data.
• IBM Enterprise Privacy Architecture, EPAL, XACML, …: no refined model of privacy obligations; privacy obligations subordinated to access control, which is incorrect.
Our Approach in PRIME
• Privacy obligations are "first-class entities": no subordination to the access control/authorization view
• Explicit representation, management and enforcement of privacy obligations
• Allow data subjects to express their privacy preferences, which are mapped into enterprises' obligations
• Provide a solution for enterprises to automate the management and enforcement of privacy obligations
Obligation Management System (OMS): Model
Data subjects' privacy preferences and administrators' privacy obligations are attached to personal data (PII) inside the enterprise; the Obligation Management Framework performs obligation scheduling, obligation enforcement and obligation monitoring.
OMS: High Level System Architecture
• Setting privacy obligations on personal data: data subjects (through a privacy-enabled portal) and admins set obligations, which are stored with a reference to the data in the Obligation Store & Versioning, alongside the confidential data.
• Enforcing privacy obligations: the Obligation Server comprises an Obligation Scheduler, an Obligation Enforcer, an Information Tracker, Workflows and Action Adaptors acting on applications and services; an Events Handler feeds events into it.
• Monitoring privacy obligations: the Obligation Monitoring Service, with its Monitoring Task Handler, checks the obligations; an Audit Server records outcomes for admins.
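A minimal obligation management system in the spirit of the model above, as an added example (this is not the PRIME or HP Labs OMS code): a data subject's preferences are mapped into explicit obligations that are first-class objects, a scheduler fires time-based obligations (retention) and an event handler fires event-based ones (notify on disclosure), an enforcer executes the actions and writes an audit trail, and a monitor checks that enforced obligations still hold and that nothing due is still pending. The preference names, action names and data store shape are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Obligation:
    """A privacy obligation as a first-class entity, not a side effect of access control."""
    oid: str
    data_ref: str                        # reference to the personal data the duty applies to
    action: str                          # "delete" or "notify" (assumed action vocabulary)
    due_at: Optional[datetime] = None    # time-based trigger
    on_event: Optional[str] = None       # event-based trigger, e.g. "disclosure"
    status: str = "pending"              # pending -> enforced, or failed


class ObligationManagementSystem:
    """Maps preferences to obligations, schedules and enforces them, monitors the outcome."""

    def __init__(self, data_store):
        self.store = data_store          # {data_ref: {field: value}}, the PII repository
        self.obligations = []
        self.audit = []                  # (timestamp, oid, outcome)
        self.notifications = []          # (data_ref, message) sent to data subjects

    # --- setting privacy obligations on personal data ---
    def register(self, data_ref, personal_data, preferences, registered_at):
        """Self-registration: store the data and turn preferences into obligations."""
        self.store[data_ref] = dict(personal_data)
        if "retention_days" in preferences:
            self.obligations.append(Obligation(
                oid=f"{data_ref}/delete", data_ref=data_ref, action="delete",
                due_at=registered_at + timedelta(days=preferences["retention_days"])))
        if preferences.get("notify_on_disclosure"):
            self.obligations.append(Obligation(
                oid=f"{data_ref}/notify", data_ref=data_ref, action="notify",
                on_event="disclosure"))

    # --- enforcing privacy obligations ---
    def _enforce(self, ob, now):
        try:
            if ob.action == "delete":
                del self.store[ob.data_ref]
            elif ob.action == "notify":
                self.notifications.append((ob.data_ref, "your data was disclosed"))
            else:
                raise ValueError(f"unknown action {ob.action}")
        except Exception as exc:         # a duty that cannot be met is recorded, never lost
            ob.status = "failed"
            self.audit.append((now, ob.oid, f"failed: {exc}"))
            return
        if ob.on_event is None:          # event-based duties stay active for the next event
            ob.status = "enforced"
        self.audit.append((now, ob.oid, "enforced"))

    def tick(self, now):
        """Scheduler: enforce every time-based obligation that has fallen due."""
        fired = []
        for ob in self.obligations:
            if ob.status == "pending" and ob.due_at is not None and ob.due_at <= now:
                self._enforce(ob, now)
                fired.append(ob.oid)
        return fired

    def on_event(self, name, data_ref, now):
        """Events handler: enforce event-based obligations attached to data_ref."""
        fired = []
        for ob in self.obligations:
            if ob.status == "pending" and ob.on_event == name and ob.data_ref == data_ref:
                self._enforce(ob, now)
                fired.append(ob.oid)
        return fired

    # --- monitoring privacy obligations ---
    def monitor(self, now):
        """Report enforced duties that no longer hold, overdue duties and failed ones."""
        violations = []
        for ob in self.obligations:
            if ob.action == "delete" and ob.status == "enforced" and ob.data_ref in self.store:
                violations.append((ob.oid, "data reappeared after deletion"))
            if ob.status == "pending" and ob.due_at is not None and ob.due_at < now:
                violations.append((ob.oid, "overdue"))
            if ob.status == "failed":
                violations.append((ob.oid, "enforcement failed"))
        return violations
```

The monitor is the part that distinguishes an obligation system from a plain scheduler: a deletion that was "enforced" but whose data later reappears (a restore from backup is the classic case) is a compliance violation the enforcement log alone would never show.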
HP OpenView Select Identity: User Provisioning and Account Management
• Centralised management of identities in an organisation
• Support for self registration and user provisioning
• Account management and provisioning across platforms, applications and corporate boundaries
Architecture: administrators (Admin GUI) and users interact with HP Select Identity, which holds personal data, descriptions of services, roles and entitlements, and provisioning workflows; JCA connectors, agents and a web service interface provision accounts on systems, data repositories, and legacy applications and services, with feedback/updates flowing back.
http://www.openview.hp.com/products/slctid/index.html
OMS Integration with HP Select Identity
Explicit management, enforcement and monitoring of privacy preferences and constraints associated with personal data and digital identities: turning privacy preferences into privacy obligations.
Flow: the data subject self-registers and manages the user account in HP Select Identity, supplying personal data + privacy preferences; Select Identity provisions the user into the enterprise data repositories through its connectors and passes the preferences to the Obligation Management System over a web service API; the OMS enforces and monitors the resulting privacy obligations and writes audit logs.
IT System Policy Compliance Checker (SPCC)
(In the governance cycle the SPCC sits between Policy Enforcement and Monitoring on the enterprise IT infrastructure, feeding Reporting and Transparency.)
• How to verify that the data processing system (platforms, communications, services, applications) is strong enough to automatically execute the privacy policies reliably?
HP Labs R&D work: System Policy Compliance Checker; initial prototype available; research in the EU PRIME project.
SPCC: Automation of Compliance
Vision: automate the audit process by using the SPCC to assess privacy enforcement technologies with respect to providing compliance, to assess audit logs, and to cross-check audit logs against the expected enforcement.
Privacy principles (purpose specification, consent, use limitation, openness, accountability, …) are mapped onto privacy enhancing technologies (HP Select Access Privacy Manager, Obligation Management Service, …).
Model Based Assurance Framework [1/2]
The CIO/IT auditor asks: how compliant is my company? Business process and IT controls interdependencies are captured in a model (built with an expert). The model drives instrumentation of the systems/infrastructure and drives the analysis: generated audit data feeds an analysis engine that produces a dashboard-style assurance report.
(SAPE = HP Select Access Privacy Extensions; OMS = Obligation Management System)
Model Based Assurance Framework [2/2] (architecture figure)
An expert uses UI extensions to define analysis goals (Goal Definition, Policy Interface, store of Predefined Policies) against a Framework Model of IT Resources (entities representing services, OS and platform, with predefined sub-trees for top-level goals and resources). Information Agents deployed to the IT resources feed the Model Analysis / Information Analysis Engine, whose results go to the Report Generator. Key: A = agent, E = entity representing a resource.
Example Privacy Model: HP Select Access Privacy Manager/Enforcer (figure): OECD principles are mapped, through information analysis, onto the technological input collected from the deployed enforcement technology.
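How such a goal model can be evaluated, as an added example that is not the SPCC prototype's code: top-level OECD principles are goals whose sub-trees end in leaf checks over information collected from the deployed systems, and one leaf performs the cross-check of audit logs against expected enforcement (every logged release for an intent must belong to a customer who opted in to it). The collected information, the field names, the goal names and the mapping of checks to principles are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed information, as the SPCC's agents would collect it from the deployed
# resources. Select Access and the OMS are the page's systems; every field is assumed.
COLLECTED = {
    "select_access": {"validator_running": True, "privacy_plugins_loaded": True,
                      "audit_enabled": True},
    "oms": {"running": True, "overdue_obligations": 0},
    "consent": {1: {"Marketing": True}, 2: {"Marketing": False}, 3: {"Marketing": True}},
    # audit log records: which customer record was released for which declared intent
    "audit_log": [
        {"intent": "Marketing", "uid": 1},
        {"intent": "Marketing", "uid": 3},
    ],
}


@dataclass
class Goal:
    """Node of the assurance model: a privacy principle, a sub-goal, or a leaf check."""
    name: str
    check: Optional[Callable[[dict], bool]] = None   # leaves only
    children: List["Goal"] = field(default_factory=list)


def consent_respected(info):
    """Cross-check audit logs against expected enforcement: a release for an intent is
    only acceptable for a customer who opted in to that intent. Unknown uids fail closed."""
    return all(info["consent"].get(rec["uid"], {}).get(rec["intent"], False)
               for rec in info["audit_log"])


PRIVACY_MODEL = Goal("Privacy compliance", children=[
    Goal("Use limitation (OECD)", children=[
        Goal("Select Access validator running",
             lambda i: i["select_access"]["validator_running"]),
        Goal("Privacy plug-ins loaded",
             lambda i: i["select_access"]["privacy_plugins_loaded"]),
        Goal("Releases match consent", consent_respected),
    ]),
    Goal("Accountability (OECD)", children=[
        Goal("Access audit enabled", lambda i: i["select_access"]["audit_enabled"]),
        Goal("OMS running", lambda i: i["oms"]["running"]),
        Goal("No overdue obligations", lambda i: i["oms"]["overdue_obligations"] == 0),
    ]),
])


def evaluate(goal, info, report):
    """Analysis engine: a leaf holds when its check passes; an inner goal holds when all
    of its children hold. Every node's verdict is written to `report` for the dashboard."""
    if goal.check is not None:
        ok = bool(goal.check(info))
    else:
        # evaluate every child (no short-circuit) so the report is complete
        results = [evaluate(child, info, report) for child in goal.children]
        ok = all(results)
    report[goal.name] = ok
    return ok


def assess(info, model=PRIVACY_MODEL):
    """Return (overall verdict, names of the goals that failed, top-down order)."""
    report = {}
    ok = evaluate(model, info, report)
    failed = [name for name, held in report.items() if not held]
    return ok, failed[::-1]


if __name__ == "__main__":
    print(assess(COLLECTED))
```

Because the engine records every node rather than stopping at the first failure, the report shows both which principle is not met and which concrete check under it failed, which is what an auditor needs to act on.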
Conclusions
• Privacy management is important for enterprises: they need to satisfy regulatory compliance requirements as well as users' expectations and needs.
• Important aspects for enterprises:
- Automation
- A systemic approach that leverages IdM solutions
• Our R&D focuses on:
- Privacy-aware access control
- Privacy obligation management
- System policy compliance checking
• Work still in progress …
• HP is keen on collaborations for technology trials and for gathering further requirements.