Privacy Topics for TAMI/PORTIA Conference
Calvin Powers, cspowers@us.ibm.com

Topics • Encryption At Rest
California Bill SB 1386
• This bill, operative July 1, 2003, would require a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
• Similar laws are being considered at the federal level.

Motivation for SB 1386
http://www.nwfusion.com/news/2005/0408stolelapto.html?nl

The Bottom Line
• Unencrypted data in database files on a hard drive falls under the notification requirements of SB 1386.
• The legal assumption is that the data can be read directly from the files even when the database software is not running.
• Persisted personal information in database tables must therefore be encrypted.
• The Challenge: doing this while minimizing the disruption to existing infrastructure.
• The Challenge: key management is always the biggest impediment to encryption use. A key stored next to the data it protects, on the same stolen disk, gives no more protection than no encryption at all.
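The key-management point above is easiest to see in code. The following is an added example, not code from the talk or from any IBM product: it shows envelope encryption for a PII column, where each row is protected by its own data-encryption key (DEK) and the DEK is wrapped by a key-encryption key (KEK) that never lives in the database. The `KeyStore` class is a hypothetical stand-in for an HSM or key-management service, the row layout is assumed, and the `seal`/`unseal` pair is a constructed HMAC-SHA256-based authenticated cipher used only so the file runs on the standard library; in production you would use AES-GCM from a vetted library. The slide's sample policy later sets a 56-bit floor; this example uses 256-bit keys.

```python
"""Envelope encryption for a PII column (added example, not from the talk).

Each row gets its own data-encryption key (DEK). The DEK is wrapped by a
key-encryption key (KEK) that lives outside the database, so a copied
database file carries only ciphertext and wrapped keys. KEK rotation
re-wraps the DEKs without re-encrypting row data.
"""
import hashlib
import hmac
import secrets

# Stand-in AEAD built only from stdlib HMAC-SHA256 (keystream in counter
# mode, then encrypt-then-MAC over nonce, length-prefixed AAD and ciphertext).
# It exists so this file runs without third-party packages; in production
# use AES-GCM from a vetted library and keep the KeyStore in an HSM/KMS.
def _derive(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _mac(key: bytes, nonce: bytes, aad: bytes, ct: bytes) -> bytes:
    return hmac.new(key, nonce + len(aad).to_bytes(4, "big") + aad + ct, hashlib.sha256).digest()


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    nonce = secrets.token_bytes(16)
    ks = _keystream(_derive(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return nonce + ct + _mac(_derive(key, b"mac"), nonce, aad, ct)


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(_mac(_derive(key, b"mac"), nonce, aad, ct), tag):
        raise ValueError("ciphertext, nonce or AAD was modified")
    ks = _keystream(_derive(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class KeyStore:
    """Hypothetical KEK holder: versioned keys that never touch the database."""

    def __init__(self) -> None:
        self.keks = {1: secrets.token_bytes(32)}
        self.current = 1

    def wrap(self, dek: bytes) -> tuple:
        return self.current, seal(self.keks[self.current], dek, aad=b"dek")

    def unwrap(self, version: int, wrapped: bytes) -> bytes:
        return unseal(self.keks[version], wrapped, aad=b"dek")

    def rotate(self) -> int:
        self.current += 1
        self.keks[self.current] = secrets.token_bytes(32)
        return self.current


def encrypt_row(store: KeyStore, row_id: int, pii: str) -> dict:
    """Columns that would be persisted: KEK version, wrapped DEK, ciphertext."""
    dek = secrets.token_bytes(32)
    version, wrapped = store.wrap(dek)
    # The row id is authenticated as AAD, so a ciphertext moved to another row fails to open.
    return {"kek_version": version, "wrapped_dek": wrapped,
            "ciphertext": seal(dek, pii.encode(), aad=str(row_id).encode())}


def decrypt_row(store: KeyStore, row_id: int, row: dict) -> str:
    dek = store.unwrap(row["kek_version"], row["wrapped_dek"])
    return unseal(dek, row["ciphertext"], aad=str(row_id).encode()).decode()


def decrypts_cleanly(store: KeyStore, row_id: int, row: dict) -> bool:
    """False when the stored cells were tampered with or moved between rows."""
    try:
        decrypt_row(store, row_id, row)
        return True
    except ValueError:
        return False


def rewrap_rows(store: KeyStore, rows: dict) -> dict:
    """KEK rotation: every DEK is re-wrapped under the current KEK; ciphertext is untouched."""
    for row in rows.values():
        dek = store.unwrap(row["kek_version"], row["wrapped_dek"])
        row["kek_version"], row["wrapped_dek"] = store.wrap(dek)
    return rows


if __name__ == "__main__":
    ks = KeyStore()
    table = {1: encrypt_row(ks, 1, "123-45-6789")}   # constructed sample SSN
    ks.rotate()
    rewrap_rows(ks, table)
    print(table[1]["kek_version"], decrypt_row(ks, 1, table[1]))
```

The disruption to the existing schema is three extra columns per protected value; the application reads and writes through `encrypt_row`/`decrypt_row` and nothing else changes. Rotation is the part worth noticing: it touches the wrapped DEKs only, so a KEK compromise is recoverable without re-encrypting every row.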
Topics • Sticky Policy Paradigm

Relating Policies To Database Schema

How Bad Things Happen To Data

The “Sticky Policy Paradigm”
• We can assume non-malicious environments.
• Challenge: How can we do this for all repositories and all types of data flow, and not be completely disruptive?
Topics • Purpose Based Access Control

“Purpose of Usage” is a new element in policy
• In the past: “Members of the marketing dept. are allowed to query the accounting database.”
• Today: “Members of the marketing dept. are permitted to see an individual’s credit score for the purpose of developing a new loan product only if the individual provides explicit authorization.”

Break Down the Policy Into Key Concepts
From the human-readable policy, start identifying the Groups, Purposes and PII types.
Sharing of information with third parties
Partners: When you buy something from us we may share your name and mailing address with a few carefully selected marketing partners, except for our customers who reside in the states of Vermont and California. When you place your order you will be given a clearly labeled opportunity to opt out of sharing this information. We will never share any telephone numbers, e-mail addresses, or financial information you have given us with any marketing partners.
Credit card companies and Shippers: When you buy something from us we send your credit card information, name, billing address, and the amount of your purchase to your credit card company to verify and authorize your purchase. Your name, telephone number, and shipping information must be provided to third-party shippers to deliver your purchase.
In this policy, the Groups are given in generalized terms, as “us” and “we”.

Creating Policy Rules From the Key Concepts
After identifying the basic pieces of the policy statements, we can start to form the policy rules. The text breaks down into four statements with a structured form (group, purpose, PII type, condition):
• Widget's Billing Department will use credit card and address information to charge your credit card for the purchases you made.
• Widget's Shipping Department will use your address information to ship your order.
• If you opt in, Widget's Shipping Department will use your e-mail address to notify you of your order's shipment status.
• Widget's Marketing Department will share your name and mailing address with selected marketing partners unless you opt out or live in Vermont or California.

Please Note:
• “Purposes” are not “roles”!
• They are more transaction/unit-of-work oriented.
• The issue is not “what label(s) are attached to your credential” but “what unit of work are you doing with my data.”
• Challenge: How can we determine at run time what the purpose of a data access or usage is, in an efficient way?
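The structured statements above, and the credit-score rule from the earlier slide, evaluated as purpose-based access decisions. This is an added example, not code from the talk: the purpose identifiers (`charge_purchase`, `partner_sharing`, and so on), the `Rule`/`Customer` shapes and the consent bookkeeping are assumed names for what the slides describe. The point it makes concrete is the "purposes are not roles" note: the same department asking for the same PII type under a different purpose is denied.

```python
"""Purpose-based access decisions for the Widget policy (added example).

A rule is keyed on group, purpose and PII type together, and carries the
consent condition and state exclusions the policy text states. A requester's
group alone grants nothing: the same department with the same data type but a
different purpose is denied, which is the "purposes are not roles" point.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    group: str                        # organizational unit exercising the purpose
    purpose: str                      # the unit of work the data is used for
    data_types: frozenset             # PII categories the rule covers
    consent: str = "none"             # "none", "opt_in" (needs explicit authorization) or "opt_out"
    excluded_states: frozenset = frozenset()


@dataclass
class Customer:
    state: str
    opted_in: set = field(default_factory=set)    # purposes the individual explicitly authorized
    opted_out: set = field(default_factory=set)   # purposes the individual refused


# Purpose identifiers are assumed names for the statements on the slides.
WIDGET_RULES = [
    Rule("billing", "charge_purchase", frozenset({"credit_card", "address"})),
    Rule("shipping", "ship_order", frozenset({"address"})),
    Rule("shipping", "shipment_notification", frozenset({"email"}), consent="opt_in"),
    Rule("marketing", "partner_sharing", frozenset({"name", "mailing_address"}),
         consent="opt_out", excluded_states=frozenset({"VT", "CA"})),
    # the credit-score statement from the earlier slide
    Rule("marketing", "loan_product_development", frozenset({"credit_score"}), consent="opt_in"),
]


def decide(rules, group, purpose, data_type, customer):
    """Return (allowed, reason). Default is deny; every stated condition must hold."""
    candidates = [r for r in rules if r.group == group and r.purpose == purpose]
    if not candidates:
        return False, f"no rule grants {group} the purpose '{purpose}'"
    for rule in candidates:
        if data_type not in rule.data_types:
            continue
        if customer.state in rule.excluded_states:
            return False, f"residents of {customer.state} are excluded from '{purpose}'"
        if rule.consent == "opt_in" and purpose not in customer.opted_in:
            return False, f"'{purpose}' requires explicit opt-in"
        if rule.consent == "opt_out" and purpose in customer.opted_out:
            return False, f"individual opted out of '{purpose}'"
        return True, f"permitted: {group} may use {data_type} for '{purpose}'"
    return False, f"'{data_type}' is not covered by any '{purpose}' rule for {group}"


def filter_record(rules, group, purpose, record, customer):
    """Project a customer record down to the fields this group/purpose may see."""
    return {k: v for k, v in record.items() if decide(rules, group, purpose, k, customer)[0]}


if __name__ == "__main__":
    # constructed sample record and individual
    record = {"name": "Dana", "mailing_address": "1 Main St", "email": "dana@example.com"}
    for state in ("NY", "CA"):
        print(state, filter_record(WIDGET_RULES, "marketing", "partner_sharing", record, Customer(state)))
    print(decide(WIDGET_RULES, "shipping", "partner_sharing", "address", Customer("NY")))
```

The runtime question the slide raises (how the purpose is known at the point of access) is left as an input here: `decide` takes the purpose as a parameter, so whatever supplies it (a transaction context, a declared unit of work) is the part that still has to be built.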
Topics • Expression of Policies

The Privacy Place: Research on Semantic Analysis of Privacy Policies
• “Mining Rule Semantics to Understand Legislative Compliance”, T. D. Breaux and A. I. Antón. Accepted to the ACM Workshop on Privacy in the Electronic Society (WPES'05), Alexandria, Virginia, USA, 2005. NCSU CSC Technical Report TR-2005-31. http://www.theprivacyplace.org/papers/TR_2005-31.pdf
• “Analyzing Goals for Rights, Permissions and Obligations”, T. D. Breaux and A. I. Antón. In Proceedings of the 13th IEEE International Conference on Requirements Engineering (RE'05), Paris, France, 2005. NCSU CSC Technical Report TR-2005-08. http://www.theprivacyplace.org/papers/TR_2004-36.pdf
• “Deriving Semantic Models from Privacy Policy Goals”, T. D. Breaux and A. I. Antón. In Proceedings of the 6th IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'05), Stockholm, Sweden, 2005. NCSU CSC Technical Report TR-2004-36. http://www.theprivacyplace.org/papers/TR_2004-36.pdf
http://www.theprivacyplace.org

Semantics of Business Vocabulary and Business Rules (SBVR)
• This specification defines the vocabulary and rules for documenting the semantics of business vocabulary, business facts, and business rules, as well as an XMI schema for the interchange of business vocabularies and business rules among organizations and between software tools.

Why SBVR?
• Natural-language text representation
  • Precise, yet reads like natural-language text
  • Important for review by policy makers and subject-matter experts
  • Uses the same vocabulary to express domain models and the policies on those domains
  • Incorporates the notion of community vocabularies and domains of knowledge
• Machine-interpretable expression
  • XML/XMI representation of statements
  • For further transformation into IT domain artifacts
  • Establishes linkage between the “policy world” and the “IT world”
• Challenge: Can SBVR be used to express all the concepts we need for privacy policies?
Topics • Discovering Risks With Process Modeling

Data Flow and Data Protection in the JetBlue Case
Lesson: How do we make sure that data protection requirements flow with the data as it is disclosed across organizational boundaries? See “The Complexity Underlying JetBlue’s Privacy Policy Violations” <http://www.theprivacyplace.org/papers/tr_2003_21.pdf>

Composite Apps Increase the Risk of Data Theft
• Time Warner lost tapes containing Social Security numbers for over 600,000 employees while in transit to off-site archival facilities. See “After Data Losses Like Time Warner's, Companies Need To Rethink Tape-Storage Security” <http://www.informationweek.com/shared/printableArticle.jhtml?articleID=162101437>
• City National Bank of Los Angeles, California also lost two tapes containing sensitive data, including Social Security numbers and other customer account information. See “Iron Mountain Loses More Tapes” <http://www.informationweek.com/shared/printableArticle.jhtml?articleID=165701015>
• In April 2005, a laptop computer containing the names and Social Security numbers of about 16,500 current and former employees of MCI was stolen. See “MCI: Employee Data Was On Stolen Laptop” <http://www.nytimes.com/reuters/business/business-telecoms-mci-theft.html>
• A medical group in San Jose, California acknowledged that two computers were stolen from the organization's offices from behind locked doors. These computers contained information about 185,000 people, including Social Security numbers and confidential medical information. See “Stolen laptops contain medical info on 185,000 patients” <http://www.networkworld.com/news/2005/0408stolelapto.html?nl>
• Types of data being stolen:
  • Identity information (information used in identity theft, especially SSNs, individual financial account information, etc.)
  • Bill-of-materials data for sensitive technology products that can’t be shared with rogue countries
  • Trade-secret information (formulary information, source code, etc.)
• Lesson: Hindsight is 20/20. Why didn’t anyone detect these security exposures before they happened? How do you evaluate the potential risk of customer information on a tape in transit through a courier service? More important: how do you even make sure you think about evaluating the risk?
Problem
• How can I ensure customer information is protected?
• Objectives:
  • Customer data must always be encrypted with 56 bit keys or stronger when persisted. (56 bits is the DES key length and has been brute-forced in practice; a policy written today would set the floor at 128 bits or more.)
  • The following text must be in all agreements with business partners if they receive customer information:
    “Lorem ipso foer tyr wuz de ramas cora dola tym ipso hor. Lorem ipso foer tyr wuz de ramas cora dola tym ipso hor tyr wuz de ramas cora dola tymon ipso foer tyr wuz de ramas cora dola tymo. Lorem ipso hoccer foer tyr wuz de ras cora dola tymon ipso hoc cer fuz de ramas cora dola tymon ipso hoccer. Lorem ipso foer tyr wuz de ramas cora dola tym ipso hor. . .”

Create a Policy Artifact in the Modeling Tool
This policy has two policy artifacts in it which must be implemented in all business processes that handle customer information:
-- persisted customer info encrypted with 56 bit keys or stronger?
-- customer info protection clause in agreements with business partners?

Attach the Policy To The Customer Information
The policy would be attached to the customer information at the point it enters the company. This association of policy to business object is a type of classification.

Policy Flows with Data Automatically
The tool could understand how fields from the order request are propagated to other business items in the flow.

Policy Attachment Flows to Sub-processes
The policy-attached business item from the overall process would get propagated to the flows in the sub-process. The tool knows that OrderInfo objects stored in the shared database have this policy associated with them.

Policy Attachment Flows Out Of Database
The tool knows that OrderInfo objects flowing out of the database have the policy attached to them.

What’s Next
• Policy-attached data is now mapped through the process.
• Each process and activity can be evaluated against the policy artifacts.

Documentation About Policy Compliance Is Collected (1)
The owner of each activity is prompted to document how policy artifacts are implemented (or at least state that they are not applicable).
-- persisted customer info encrypted with 56 bit keys or stronger?
   A: No customer information is persisted in this activity.
-- customer info protection clause in agreements with business partners?
   A: No customer information is disclosed to business partners in this step.
-- Signed, Bob Smith, Order Fulfillment Manager

Documentation About Policy Compliance Is Collected (2)
-- persisted customer info encrypted with 56 bit keys or stronger?
   A: DB2 table-level encryption configuration has been set to x, y, and z to provide the necessary level of encryption. See XXX in Tivoli Configuration Manager for more details.
-- customer info protection clause in agreements with business partners?
   A: Business partners do not have access to this database.
-- Signed, Alice Jones, Database Administrator

Documentation About Policy Compliance Is Collected (3)
-- persisted customer info encrypted with 56 bit keys or stronger?
   A: Customer information is NOT encrypted when written to tape!
-- customer info protection clause in agreements with business partners?
   A: Yes. See business partner agreement with Iron Mountain, document 12-3456-B, last revision January 1, 2005.
-- Signed, Charlie Davis, Archival Administrator
Charlie Davis flags this policy artifact as a risk item because it has not been addressed.

Process Summary Report To Create Big Picture View
Process Summary as of September 19, 2005
• Order Fulfillment Process
  • Update Order Information Activity: Customer Info Protection Policy
    • Q: persisted customer info encrypted with 56 bit keys or stronger? A: No customer information is persisted in this activity.
    • Q: customer info protection clause in agreements with business partners? A: No customer information is disclosed to business partners in this step.
    • Reported and signed by Bob Smith, Order Fulfillment Manager
  • Place Supplier Order Activity: No information available
  • Place Carrier Order Activity: No information available
  • Order Information Database: Customer Info Protection Policy
    • Q: persisted customer info encrypted with 56 bit keys or stronger? A: DB2 table-level encryption configuration has been set to x, y, and z to provide the necessary level of encryption. See XXX in Tivoli Configuration Manager for more details.
    • Q: customer info protection clause in agreements with business partners? A: Business partners do not have access to this database.
    • Reported and signed by Alice Jones, Database Administrator
• Order Archival Process
  • Extract Orders Older Than 2 Years Activity: No information available
  • Create Archival Tape Activity: No information available
  • Tape Storage Service: Customer Info Protection Policy
    • Q: persisted customer info encrypted with 56 bit keys or stronger? A: Customer information is NOT encrypted when written to tape!
    • Q: customer info protection clause in agreements with business partners? A: Yes. See business partner agreement with Iron Mountain, document 12-3456-B, last revision January 1, 2005.
    • Reported and signed by Charlie Davis, Archival Administrator

Summary
• Process model tools can understand data flow.
• Policy should be attached to data, not systems.
• Tools should track the policy-attached data through all processes, activities, and services; it is difficult for people to understand the flow and track the data by hand.
• Each activity owner should be responsible for documenting the policy artifact implementation for the processes, activities, and services he/she owns.
• Policy artifacts which aren’t implemented should be flagged as risk items for analysis, prioritization, and remediation.
• “Roll-up” reports should summarize the current state of policy implementation for the processes.
• Challenge: How can this be done in an automated way or with minimal work effort? If automated, how are the policy requirements expressed?
Topics • Hippocratic Database Technology

HDB Active Enforcement
Requester: “Give me the names, incomes & addresses of your clients.”
Database powered by HDB: “I can only disclose incomes & addresses of clients who have given consent.”

HDB Active Enforcement Installation
Components shown: Policy Parser, Negotiation, User Preferences and Policy Matching, Enforcement, Database Query Interface, Policy Metadata, User Data, Database powered by HDB.

Enforcement: Value Proposition
• Ease of integration: the implementation intercepts and rewrites incoming queries to factor in policy, user choices, and context (e.g. purpose).
• Fine-grained: database-enforced disclosure control at the cell level of an organization’s data policy and user preferences.
• Easier enforcement after policy modification: centralized and seamless policy creation and update.
• System impact: applications do not require any modification.

Enforcement: Value Proposition (cont’d)
• Database agnostic: does not require any change in the database engine.
• Reuses current features: rewritten queries benefit from all the optimizations and performance enhancements provided by the underlying engine (e.g. parallelism).
• Performance (10 million records):
  • Worst case: choice selectivity = 1. Everyone discloses everything, so the policy processing yields no value; the penalty is 5-15% of the execution time of the original query.
  • Standard cases: choice selectivity varies. In the best case, HDB Active Enforcement gives an order-of-magnitude improvement.

HDB Active Enforcement Core: Cell-Level Policy Enforcement
Example scenario: for a certain user (data accessor) and purpose, Name is allowed under the privacy policy; Phone and Salary are allowed on an opt-in basis.

HDB Active Enforcement Core: Cell-Level Policy Enforcement (cont’d)
SELECT Name, Phone, Salary FROM Customer
Results of the query: forbidden values are covered by NULL values in the resulting table.
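The scenario above, worked through as query rewriting against a real (in-memory SQLite) table. This is an added example and not HDB's code: the `POLICY` metadata, the `Choice` consent table, the assumption that every guarded table has an `id` primary key, and the sample rows are all constructed for the demonstration. The application issues the same `SELECT Name, Phone, Salary FROM Customer` as on the slide; the rewriter wraps each column in a `CASE` that yields NULL unless policy permits it and, for opt-in columns, the individual has consented for this purpose.

```python
"""Cell-level disclosure control by query rewriting (added example).

Models the slide's scenario: for a given accessor and purpose, Name is
permitted, Phone and Salary are opt-in. The select list is rewritten so each
column yields NULL unless policy permits it and, for opt-in columns, the
individual has recorded consent for that purpose. The engine then runs the
guarded query with its usual optimizer; the application is unchanged.
"""
import re
import sqlite3

# Hypothetical policy metadata: (accessor, purpose) -> column -> disposition.
POLICY = {
    ("marketing", "product_research"): {"Name": "allowed", "Phone": "opt_in", "Salary": "opt_in"},
    ("billing", "charge_purchase"): {"Name": "allowed", "Phone": "forbidden", "Salary": "forbidden"},
}

# Constructed schema and sample data: a Customer table (assumed to carry an
# `id` primary key) and the consent choices recorded per column and purpose.
SCHEMA = """
CREATE TABLE Customer (id INTEGER PRIMARY KEY, Name TEXT, Phone TEXT, Salary INTEGER);
CREATE TABLE Choice (customer_id INTEGER, column_name TEXT, purpose TEXT, opted_in INTEGER);
INSERT INTO Customer VALUES (1, 'Alice', '555-0101', 70000), (2, 'Bob', '555-0102', 80000),
                            (3, 'Carol', '555-0103', 90000);
INSERT INTO Choice VALUES (1, 'Phone', 'product_research', 1), (2, 'Phone', 'product_research', 1),
                          (2, 'Salary', 'product_research', 1), (3, 'Phone', 'product_research', 0);
"""

_SELECT = re.compile(r"^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<table>\w+)(?P<rest>.*)$", re.I | re.S)
_IDENT = re.compile(r"\w+")


def rewrite(sql, accessor, purpose):
    """Return (guarded_sql, params) for a 'SELECT cols FROM table [...]' statement.

    Only this simple shape is handled; anything else is refused rather than
    passed through, since an unguarded query would leak the forbidden cells.
    """
    m = _SELECT.match(sql)
    if not m:
        raise ValueError("only simple SELECT ... FROM <table> statements are handled")
    dispositions = POLICY.get((accessor, purpose))
    if dispositions is None:
        raise PermissionError(f"no policy for accessor {accessor!r} and purpose {purpose!r}")
    table, guarded, params = m.group("table"), [], []
    for col in (c.strip() for c in m.group("cols").split(",")):
        if not _IDENT.fullmatch(col):
            raise ValueError(f"unsupported select-list item {col!r}")   # no '*', no expressions
        rule = dispositions.get(col, "forbidden")                      # unknown column: deny
        if rule == "allowed":
            guarded.append(col)
        elif rule == "opt_in":
            # consent lookup is correlated per row, so disclosure is decided cell by cell
            guarded.append(
                f"CASE WHEN EXISTS (SELECT 1 FROM Choice ch WHERE ch.customer_id = {table}.id "
                f"AND ch.column_name = '{col}' AND ch.purpose = ? AND ch.opted_in = 1) "
                f"THEN {col} ELSE NULL END AS {col}")
            params.append(purpose)
        else:
            guarded.append(f"NULL AS {col}")
    return f"SELECT {', '.join(guarded)} FROM {table}{m.group('rest')}", params


def refused(sql, accessor, purpose):
    """True when the rewriter declines to produce a guarded query."""
    try:
        rewrite(sql, accessor, purpose)
        return False
    except (ValueError, PermissionError):
        return True


def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def run(conn, sql, accessor, purpose):
    """What the application sees: its own query, with denied cells as NULL."""
    guarded, params = rewrite(sql, accessor, purpose)
    return conn.execute(guarded, params).fetchall()


if __name__ == "__main__":
    db = demo_db()
    q = "SELECT Name, Phone, Salary FROM Customer ORDER BY id"
    print(rewrite(q, "marketing", "product_research")[0])
    for row in run(db, q, "marketing", "product_research"):
        print(row)
```

Two things to keep in mind when reading it against the slides. First, the rewrite is purely additive, which is why the underlying engine's optimizer still applies to the guarded query, and why a selective consent table can make the guarded query cheaper than the original. Second, this toy guards only the select list: a predicate such as `WHERE Salary > 100000` on an opt-in column would still leak through row membership, so a real rewriter has to guard predicates (and joins) the same way, which is what "rewrites incoming queries to factor in policy, user choices, and context" has to cover in full.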
Questions?