Privacy Management with HP OpenView Identity Management

Archie Reed, Director of Strategy, Identity Management, HP TSL
Marco Casassa Mont, Senior Researcher, HP Labs, Bristol, UK
Tutorial Id: TH-1400/4
Outline

• Privacy for Identity Management: Setting the Context
• Important Privacy Aspects to be Addressed:
  - Privacy Policy Enforcement
  - Privacy Obligation Management
• HP Identity Management Portfolio:
  - HP Select Access, HP Select Identity, HP Select Federation
  - Current Support for Privacy
• HP Labs Privacy Management work:
  - Privacy Policy Enforcement for HP Select Access
  - Obligation Management System and Integration with HP Select Identity
• Conclusions

Privacy for Identity Management: Setting the Context
Privacy: An Important Aspect of Regulatory Compliance

(Figure: example of a regulatory-compliance process; the list of regulations shown is incomplete.)

Regulatory Compliance: Impact on Enterprises and Opportunities

(Figure.) Drivers acting on the enterprise, its applications & services and the personal data they hold:
• Privacy Legislation (EU Laws, HIPAA, COPPA, SOX, GLB, Safe Harbour, …)
• Internal Guidelines
• Customers' Expectations
Outcomes for people and the enterprise:
• Regulatory Compliance
• Positive Impact on Reputation, Brand, Customer Retention
• Customers' Satisfaction
Data Governance and Policy Management (Including Privacy Policies): Gaps

(Figure: policy life-cycle.)
• Data Inventory: People/Roles, Systems/Applications/Services, Confidential/Personal Data
• Gap and Risk Analysis
• Policy Development and Modelling
• Policy Deployment
• Policy Enforcement
• Monitoring, Audit, Reporting and Policy Management
Privacy For Personal Data: Core Principles

• Purpose Specification
• Consent
• Limited Collection
• Limited Use
• Limited Disclosure
• Limited Retention

Privacy Policies: Privacy Permissions, Privacy Obligations, Privacy Rights
Important Privacy Aspects to be Addressed: Privacy Policy Enforcement
Terminology: Consent, Intent, Data Purpose, Privacy Policy

(Figure: the Data Subject gives Personal DATA + CONSENT to the Enterprise; Applications & Services and Data Requestors send a Request for DATA + INTENT; the Privacy Office & Privacy Admins define the privacy policies.)

• PURPOSE: the Privacy Office & Privacy Admins define the PURPOSES data are collected for.
• CONSENT is given by data subjects for the usage of their Personal Data (PII) for predefined PURPOSES.
• INTENT: data requestors, to access the personal data they need, must express their INTENT, i.e. how they intend to use these data. P.S.: INTENT could be hard-coded in applications or be part of role definitions.
• PRIVACY POLICIES: how data must be managed; what can be accessed by requestors, given their INTENT, the PURPOSE of collecting the data and the CONSENT given by data subjects.
Privacy Enforcement for Personal Data: Principles and Implications

Privacy Policies built on Purpose Specification, Consent, Limited Collection, Limited Use, Limited Disclosure and Limited Retention have direct implications for access control (Privacy Enforcement: Access Control Implications).
Privacy Enforcement on Data: Access Control + "Intent, Purpose, Consent, …"

Moving Towards a "Privacy-Aware" Access Control:
• Traditional Access Control: Requestor, Rights, Actions on Personal Data
• Privacy-Aware Access Control: the same, plus a Privacy Extension with further Constraints: Purpose, Requestor's Intent, Owner's Consent, Other…

It is not just a matter of traditional access control: data purpose, intent and the user's consent need to be included.
2nd Example: Privacy-aware Access Control (Consent, Purpose and Intent Mgmt)

Table T1 with PII data and customers' consent (table T2 records, per uid, the consent (x) given for the Marketing and Research purposes):

  uid  Name   Condition           Diagnosis
  1    Alice  Alcoholic           Cirrhosis
  2    Rob    Drug Addicted       HIV
  3    Julie  Contagious Illness  Hepatitis

Enterprise Privacy Policies & Customers' Consent:

  If role == "empl." and intent == "Marketing"
    Then Allow Access (T1.Condition, T1.Diagnosis) & Enforce (Consent)
  Else If intent == "Research"
    Then Allow Access (T1.Diagnosis) & Enforce (Consent)
  Else Deny Access

Privacy Policy Enforcement: filter data. Access to Table T1 (SELECT * FROM T1) with Intent = "Marketing" is rewritten as:

  SELECT "-", Condition, Diagnosis FROM T1, T2
  WHERE T1.uid = T2.Consent AND T2.Marketing = "YES"

Filtered data:

  uid  Name  Condition           Diagnosis
  1    -     Alcoholism          Cirrhosis
  2    -     -                   -
  3    -     Contagious Illness  Hepatitis
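The decision half of the example above, as an added illustration that is not part of the slides or of HP Select Access: the T1 policy is expressed as data and evaluated into one of the three decisions the Validator can return (NO, YES, YES + Constraints). The resource registry, the policy table and the Decision type are assumptions.

```python
# Added example (not from the slides): a minimal privacy-aware policy decision
# point (PDP) for the T1 example above. Besides the role it checks the requestor's
# INTENT against the PURPOSES the data were collected for and returns
# NO / YES / YES + Constraints (columns to expose, consent flag to enforce).
from dataclasses import dataclass


@dataclass
class Decision:
    allow: bool
    columns: tuple = ()        # columns the requestor may see
    consent: str = ""          # consent flag that must be 'YES' for each row
    reason: str = ""

    @property
    def kind(self):
        if not self.allow:
            return "NO"
        return "YES + Constraints" if (self.columns or self.consent) else "YES"


# Constructed model of data resource T1: its columns and the purposes the
# enterprise declared when collecting it (purpose specification principle).
RESOURCES = {
    "T1": {"columns": ("uid", "Name", "Condition", "Diagnosis"),
           "purposes": {"Marketing", "Research"}},
}

# The slide's policy written as data instead of being embedded in application
# code; "*" means any role.
POLICIES = [
    {"resource": "T1", "role": "empl.", "intent": "Marketing",
     "allow": ("Condition", "Diagnosis"), "consent": "Marketing"},
    {"resource": "T1", "role": "*", "intent": "Research",
     "allow": ("Diagnosis",), "consent": "Research"},
]


def decide(role, intent, resource):
    """Privacy-aware decision for a request (role, intent) on a data resource."""
    res = RESOURCES.get(resource)
    if res is None:
        return Decision(False, reason="unknown data resource")
    # Limited use: an intent outside the declared purposes is denied outright.
    if intent not in res["purposes"]:
        return Decision(False, reason=f"intent {intent!r} is not a collection purpose")
    for p in POLICIES:
        if p["resource"] == resource and p["role"] in ("*", role) and p["intent"] == intent:
            return Decision(True, p["allow"], p["consent"], "matched policy")
    return Decision(False, reason=f"no policy grants {intent!r} to role {role!r}")


if __name__ == "__main__":
    for role, intent in (("empl.", "Marketing"), ("contractor", "Marketing"),
                         ("contractor", "Research"), ("empl.", "Sales")):
        d = decide(role, intent, "T1")
        print(f"{role:11}{intent:11}{d.kind:18}{d.columns} {d.reason}")
```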
Implicit Approach to Enforce Privacy Policies: No Flexibility

Privacy Policy Definition and Enforcement: Implicit
• Embed privacy policies within applications, queries, services/ad-hoc solutions (business logic and privacy policies are mixed inside the Applications & Services that access Personal Data)
• Simple Approach
• It does not scale in terms of policy management
• It is not flexible and adaptive to changes
Explicit Approach to Enforce Privacy Policies: Vertical and Invasive

Privacy Policy Definition and Enforcement: Explicit
• Fully deployed Privacy Management Frameworks
• Explicit Management of Privacy Policies
• Might require major changes to IT and data infrastructure
• Usage of Vertical Solutions

Current Approaches: IBM Privacy Manager; Privacy-aware Hippocratic Databases
HP Approach: Adaptive, Integrated and Flexible Enforcement of Privacy Policies

Privacy Policy Definition and Enforcement: the HP Approach sits between the Implicit and Explicit extremes
• Single solution for explicit management of Privacy Policies
• Privacy Enforcement by leveraging and extending the HP Select Access Access Control Framework and its easy-to-use management UI
• Does not require major changes to Applications/Services or Data Repositories
Important Privacy Aspects to be Addressed: Privacy Obligation Management
Privacy Obligation Refinement: Abstract vs. Refined

Obligations can be very abstract:
"Every financial institution has an affirmative and continuing obligation to respect customer privacy and protect the security and confidentiality of customer information" (Gramm-Leach-Bliley Act)

More refined Privacy Obligations dictate Duties and Responsibilities with respect to Personal Information:
• Notice Requirements
• Enforcement of opt-in/opt-out options
• Limits on reuse of Information and Information Sharing
• Data Retention limitations
• …
Setting Privacy Obligations: A Complex Topic …

(Figure: obligations sit between the Data Subject and the Enterprise, in context.)
• Types: One-time; Ongoing
• Duration: Short-term; Long-term
• Enforcement: Dependent on Access Control; Independent from Access Control
• Other: Event-driven; Transactional; Data Retention & Handling

Examples: "Notify User via e-mail if his Data is Accessed"; "Delete Data XYZ after 7 years"

Open questions: How to represent Privacy Obligations? How to stick them to Personal Data? How to manage, enforce and monitor them? How to integrate them into current IDM solutions?
Privacy Obligations: Common Aspects
• Timeframe (period of validity) of obligations
• Events/Contexts that trigger the need to fulfil obligations
• Target of an obligation (PII data)
• Actions/Tasks/Workflows to be Enforced
• Responsible for enforcing obligations
• Exceptions and special cases
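As an added illustration (not from the slides or from HP's Obligation Management System), a minimal obligation manager that represents each obligation with the aspects listed above and enforces the two obligations quoted earlier (notify on access, delete after 7 years); the class names, action names and the scenario are assumptions.

```python
# Added example (not from the slides or HP's system): a small obligation manager
# covering timeframe, trigger events or deadlines, target PII, action,
# responsible party and a monitoring log; scenario and names are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Obligation:
    oid: str
    target: str                     # PII record the obligation is stuck to
    action: str                     # action/workflow to enforce
    responsible: str                # party accountable for enforcing it
    event: str = ""                 # event-driven trigger ("" if time-driven)
    due: Optional[datetime] = None  # one-time deadline (time-driven)
    log: list = field(default_factory=list)  # (time, outcome) for monitoring


class ObligationManager:
    def __init__(self, actions):
        self.actions = actions      # action name -> callable(target)
        self.obligations = []

    def _enforce(self, ob, now, trigger):
        try:
            self.actions[ob.action](ob.target)
            outcome = f"fulfilled on {trigger}"
        except Exception as exc:    # failures are recorded, never hidden
            outcome = f"FAILED on {trigger}: {exc}"
        ob.log.append((now, outcome))
        return outcome.startswith("fulfilled")

    def on_event(self, name, target, now):
        """Event-driven (ongoing) obligations fire on every matching event."""
        return [ob.oid for ob in self.obligations
                if ob.event == name and ob.target == target
                and self._enforce(ob, now, f"event {name}")]

    def tick(self, now):
        """Time-driven (one-time) obligations fire once their deadline passes."""
        return [ob.oid for ob in self.obligations
                if ob.due is not None and now >= ob.due and not ob.log
                and self._enforce(ob, now, "deadline")]

    def pending(self, now):
        """Monitoring: deadline passed but no successful enforcement logged."""
        return [ob.oid for ob in self.obligations if ob.due and now >= ob.due
                and not any(o.startswith("fulfilled") for _, o in ob.log)]


def demo():
    """Constructed scenario with the two obligations quoted on the slides."""
    t0, sent, deleted = datetime(2005, 1, 1), [], []
    oms = ObligationManager({"notify": sent.append, "delete": deleted.append})
    oms.obligations.append(Obligation("ob1", "pii:alice", "notify", "privacy-admin", event="access"))
    oms.obligations.append(Obligation("ob2", "pii:xyz", "delete", "dba", due=t0 + timedelta(days=7 * 365)))
    oms.on_event("access", "pii:alice", t0 + timedelta(days=1))   # notify on access
    oms.tick(t0 + timedelta(days=30))                             # nothing due yet
    oms.tick(t0 + timedelta(days=7 * 365 + 1))                    # retention limit reached
    return sent, deleted, oms
```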
Technical Work in this Space [1/2]

Current Approaches to Deal with Privacy Obligations:
• P3P (W3C):
  - Definition of User's Privacy Expectations
  - Explicit Declaration of Enterprise Promises
  - No Definition of Mechanisms for their Enforcement
• Data Retention Solutions and Document Management Systems:
  - Limited in terms of expressiveness and functionalities
  - Focusing more on documents/files, not personal data
• Ad-hoc Solutions for Vertical Markets

Technical Work in this Space [2/2]

Recent relevant Work done in this Space:
• IBM Enterprise Privacy Architecture, including a policy management system, a privacy enforcement system and audit
• Initial work on privacy obligations in the context of the Enterprise Privacy Authorization Language (EPAL), led by IBM
• XACML (OASIS): similar standard proposal
Limitations of this work:
  - No Refined Model of Privacy Obligations
  - Privacy Obligations Subordinated to AC. Incorrect …
Privacy Obligations: Suggested Approach
• Deal with Privacy Obligations as "first-class citizens" in the context of Enterprises and Organisations; recognise their importance for Regulatory Compliance
• Recognise the Importance of Separation of Concerns: explore how to explicitly represent, manage and enforce privacy obligations without imposing any dominant view (for example, the authorization perspective)
• Research and Work on Longer-term Issues, such as accountability, stronger associations of obligations to data, obligation versioning and tracking
HP Identity Management Portfolio: HP Select Access, HP Select Identity, HP Select Federation
HP OpenView Identity Management: Accounts & Policies

(Figure: identity life-cycle: Registration/Creation, Propagation, Authentication, Authorization, Federation, Single Sign-On, Personalization, Maintenance/Management, Compliance, Privacy, Termination.)

• HP Select Access: Authentication; Policy-based Access control; Single sign-on; Web Services Security & Access Mgmt; Personalization
• HP Select Identity: Cross-enterprise user life-cycle management; Provisioning; Workflow; Password management; Self Service; Delegated administration
• HP Select Federation: Open protocol federation; Automated inter-organizational user activation & provisioning; Privacy management; Federation auditing & governance
[1] HP Select Access
• Access Control product: Policy Authoring; Policy Decisions; Policy Enforcement; Auditing
• Access Control System: Definition, Enforcement and Auditing of Access Control Policies

[1] Policy Builder: Authoring Access Control Constraints
High-level matrix-based UI to set up access control constraints on resources for given users/groups.

[1] Rule Editor: Fine-grained Access Control Rules
Rule editor for fine-grained definition of access control policies.

[1] HP Select Access: Summary
• Access Control System
• Fine-grained Policy Authoring, Deployment and Enforcement
• Intuitive and Simple to use GUIs
• Enforcement for Web Resources
• Auditing
[2] HP Select Identity
• Management of Identities in Organisations
• Support for Self Registration and User Provisioning
• Account Management across Platforms, Applications and Corporate Boundaries

[2] HP Select Identity
(Figure: Identity Management Functions (Workflow, Policies, Notifications, Policy & Security, Business Relationships, IdM Services) over an Identity Store (users, groups), connected through a Connector Bus to Windows, Databases, H.R., Web SSO, Directories, Mainframe and Business Apps, under Security & Access Controls.)

[2] HP Select Identity: Summary
• Centralised Management of Users and Entitlements
• User Provisioning: create, update and delete
• Administrative Delegation
• User Self Service
• Approval Workflow
• Password & Profile Management
• Audit and Reporting
[3] HP Select Federation
• Enables web SSO and Cross Domain Federated Identity Management
• No need for Centralised Data Repository
• Support for Liberty Alliance, SAML, WS-Federation

[3] HP Select Federation
OpenView Select Federation enables secure, cross-enterprise single sign-on and identity data sharing.
• Supports multiple federation protocols, including Liberty and SAML
• Supports heterogeneous identity management environments
• Includes a comprehensive management console
• Provides extensive audit capabilities
• Enables policy-based privacy management
• Enables 1-click smart user activation/provisioning
HP Identity Management Portfolio: Current Support for Privacy
HP IDM Solutions: HPL Privacy Extensions

(Table: HP IDM solutions against the HPL privacy extensions, including Federated Environments; each cell is marked Supported, Can Be Extended or Not Relevant.)
HP Labs Privacy Management work
• Privacy Policy Enforcement for HP Select Access
• Obligation Management System and Integration with HP Select Identity
Privacy Policy Enforcement: Requirements for HP Select Access

Core requirements:
1. Explicit Modelling of Confidential Data
2. Describe Privacy Policies based on the Content of Data, Consent, Intent and Data Purpose
3. Make Decisions based on these Privacy Policies
4. Enforce these Privacy Decisions
• Extend Select Access mainly via its Standard APIs to implement the above requirements
Privacy Enforcement in HP Select Access

(Figure: architecture.)
• Data Modelling & Privacy Policy Authoring: Policy Builder + HPL plug-ins write Access Control Policies + Privacy Policies (intent, purpose, consent, constraints…) to the Policy Repository
• Privacy Policy Deployment & Decisions: the Validator (Policy Decision) + HPL plug-ins turn a privacy-aware Access Request (Requestor's Intent + Request to Access Data) into a Grant/Deny, privacy-aware decision
• Privacy-aware Access to Data: Enforcer plug-ins for Web Services and Applications/Services, plus the HPL Data Enforcer, apply the decision to Personal Data + Owners' Consent (Privacy Policy Enforcement On Personal Data)
• Audit
1. Select Access: Privacy Extension [1/4]
• Modelling Data Resources in SA Policy Builder: Data Resources added to Policy Builder

2. Select Access: Privacy Extension [2/4]
• Author Privacy Policies in SA Policy Builder via SA plug-ins (Rule Editor: Purpose-based Decision plug-in, Data Filtering plug-in, Consent Management plug-in, Data Expiration plug-in):
  - Add Privacy Constraints on "Data Resources": checking Intent vs. Purpose, Consent, etc.
  - Describe Policies the evaluation of which is: "Allow Access to Data + Privacy Constraints to be Enforced"
• Privacy Constraints:
  - Filtering data
  - Enforce Consent
  - Obfuscating data
  - Transformation of Data …

3. Select Access: Privacy Extension [3/4]
Request: Data Resource + Intent + (Parameters)
• Privacy Decisions by SA Validator (PDP):
  - The Validator plug-in makes decisions based on Privacy Policies (1-1 correspondence with the Policy Builder plug-in)
  - Decisions must support Privacy-oriented Constraints (to be enforced): "Allow Access to Data + Constraints to be Enforced" (e.g. allow access to table "Patients Details", but strip out the columns "Name, Surname, Address")
  - The SA Validator is general purpose. It does not examine Confidential Data, for performance/logistic reasons.
• SA Validator plug-in Decisions: NO; YES; YES + Constraints

4. Select Access: Privacy Extension [4/4]
Privacy Constraints enforced by a Data Enforcer …
• The SA Web Enforcer focuses on Web Resources. It does not explicitly deal with Data Resources…
• Add a SA "Data Enforcer":
  - located near the Data Repository (performance …)
  - knows how to access/handle Data and "Queries"
  - knows how to enforce Privacy Constraints
  - can support "Query rewriting" (i.e. filtering, etc.)
• The new SA "Data Enforcer" is designed to have:
  - A General Purpose Engine (to interact with the SA Validator)
  - Ad-hoc plug-ins for different Data Sources to interpret and enforce privacy decisions (e.g. RDBMS, LDAP servers, virtual directories, meta-directories, …)
(Figure: Access Request + Intent → Enforcer API → SA Data Enforcer (Data Proxy), with Validator plug-in logic and one Constraint Enforcement Engine per data source (LDAP Server, Meta Directory, RDBMS) → Data allowed to access.)
Data Enforcer SQL Query Transformation

Original SQL Query:
  SELECT * FROM PatientRecords;

SQL Query Transformed by Data Enforcer (Pre-Processing):
  SELECT PatientRecords.NAME, PatientRecords.DoB, PatientRecords.GENDER, '-' AS SSN,
         PatientRecords.ADDRESS, PatientRecords.LOCATION, PatientRecords.EMAIL,
         PatientRecords.COMM, PatientRecords.LIFESTYLE, '-' AS GP, '-' AS HEALTH,
         '-' AS CONSULTATIONS, '-' AS HOSPITALISATIONS, '-' AS FAMILY, '-' AS Username
  FROM PatientRecords, PrivacyPreferences
  WHERE PatientRecords.Name = PrivacyPreferences.Name
    AND PrivacyPreferences.Marketing = 'Yes';
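The transformation above, as an added example that is not the product's code: a Data Enforcer pre-processing step that rewrites SELECT * into the column-masked, consent-joined query and runs it against an in-memory SQLite copy of a cut-down PatientRecords table. The table layout, column set, consent values and function names are constructed for the example.

```python
# Added example (not from the slides or the product): a Data Enforcer step that
# pre-processes "SELECT * FROM PatientRecords" the way the slide shows, replacing
# stripped columns with '-' and joining the consent table. Table layout is assumed.
import re
import sqlite3

def rewrite_select_star(sql, table, columns, allowed, consent_table, key, flag):
    """Rewrite 'SELECT * FROM <table>' under privacy constraints.

    allowed - columns the decision lets the requestor see; others become '-' AS col
    flag    - column of consent_table that must be 'Yes' for a row to be returned
    A query of any other shape is refused instead of being passed through.
    """
    m = re.fullmatch(r"\s*SELECT\s+\*\s+FROM\s+(\w+)\s*;?\s*", sql, re.I)
    if not m or m.group(1).lower() != table.lower():
        raise ValueError("query shape not supported by this enforcer")
    projected = [f"{table}.{c}" if c in allowed else f"'-' AS {c}" for c in columns]
    return (f"SELECT {', '.join(projected)} FROM {table}, {consent_table} "
            f"WHERE {table}.{key} = {consent_table}.{key} "
            f"AND {consent_table}.{flag} = 'Yes'")

# Constructed sample data: a cut-down PatientRecords table and the per-patient
# PrivacyPreferences (consent) table the rewritten query joins against.
COLUMNS = ("Name", "DoB", "SSN", "GP", "HEALTH")

def setup_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE PatientRecords(Name, DoB, SSN, GP, HEALTH);
        CREATE TABLE PrivacyPreferences(Name, Marketing, Research);
        INSERT INTO PatientRecords VALUES
          ('Alice', '1970-01-01', '111-11-1111', 'Dr A', 'Cirrhosis'),
          ('Rob',   '1980-02-02', '222-22-2222', 'Dr B', 'HIV'),
          ('Julie', '1990-03-03', '333-33-3333', 'Dr C', 'Hepatitis');
        INSERT INTO PrivacyPreferences VALUES
          ('Alice', 'Yes', 'No'), ('Rob', 'No', 'Yes'), ('Julie', 'Yes', 'Yes');
    """)
    return db

def enforce(db, sql, allowed, flag):
    """Run the application's query through the enforcer; return filtered rows."""
    rewritten = rewrite_select_star(sql, "PatientRecords", COLUMNS, allowed,
                                    "PrivacyPreferences", "Name", flag)
    return sorted(db.execute(rewritten).fetchall())

if __name__ == "__main__":
    db = setup_db()
    # Marketing intent: Name and DoB only, and only rows with Marketing consent
    for row in enforce(db, "SELECT * FROM PatientRecords;", {"Name", "DoB"}, "Marketing"):
        print(row)
```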
Data Enforcer: Performance Based on Type of Queries
Demo: HealthCare Scenario

(Figure: User's Web Browser → Web Portal (SA Web Enforcer) → Web Services accessing PII data (SQL) → JDBC Proxy, i.e. the SA Data Enforcer + Privacy plug-ins → Personal Data Database. Decisions come from the SA Validator + Privacy plug-ins; policies are authored in the SA Policy Builder + Privacy plug-ins; LDAP Directories complete the setup.)
Demo Snapshot

(Screenshots: effect of applying the privacy policy (data filtering); effect of enforcing customers' consent.)
Benefits: Rationalization and Simplification of policy management and enforcement solutions
• Integration of:
  - Resource Management: data, IT resources, web resources, …
  - Management of Access Control and Privacy Policies
  - Policy Authoring and Administration GUI
  - Policy Deployment and Enforcement Framework