Towards Integrated Policy Management for Privacy (PowerPoint PPT Presentation)

SLIDE 1

Towards Integrated Policy Management for Privacy

Dr Nick Papanikolaou, e-Security Group, International Digital Laboratory, WMG, University of Warwick, http://go.warwick.ac.uk/nikos

SLIDE 2

Context

  • Joint work with Marco Casassa Mont & Siani Pearson [HP Labs], Sadie Creese & Michael Goldsmith [Warwick IDL]
  • EnCoRe project
    – http://www.encore-project.info
    – “Ensuring Consent and Revocation”
    – Goal is to manage and enforce users’ privacy (consent and revocation) preferences in enterprise information systems

17 November 2009, W3C Workshop on Access Control Scenarios

SLIDE 3

Privacy Policies

  • Cannot underestimate the importance of adequate information handling practices in enterprises to ensure
    – Continued ability to collect information
    – Privacy of individuals
  • Legal requirements (National, EU), Codes of Practice, Corporate privacy policies

SLIDE 4

Enforcing Privacy Policies

  • There are many different levels of requirements and no common representation or consistent means of enforcement across an enterprise
  • Automated enforcement is simple for the lowest levels of policy only (e.g. access control policies)
    – Automated enforcement of privacy policies not very successful (cf. P3P)

SLIDE 5

Policy management levels

  • In an enterprise, privacy requirements will typically be handled at different levels by different experts
    – Legal requirements – legal team
    – Data access requirements – IT team
  • Hierarchy of policies (privacy requirements)
  • There may be overlaps and conflicts between requirements at different levels

SLIDE 6

Policy management approaches

  • In our view, taking an approach to dealing with privacy requirements that is too low level (e.g. focusing only on XACML representation of access control restrictions) misses important legal aspects and outcomes of risk assessment

SLIDE 7

Policy management approaches

  • Pragmatic approaches
    – Risk assessment (standard business practice)
    – Typically results in non-reusable solutions
  • Technical approaches
    – Focus on designing languages and software tools for policies of a particular kind [only]

SLIDE 8

Policy Levels vs. Approaches

[Diagram: policy levels plotted against the pragmatic and technical approaches; no further text on the slide]

SLIDE 9

Reconciling policy requirements

  • Low-level approaches have the advantage of automation
  • High-level approaches account for overall security concerns, the law, and the business processes in an enterprise
  • Can we obtain the benefits of both by building a conceptual model?

SLIDE 10

Conceptual Model for Policies

[Layered diagram]

  • High-level policies: European Privacy Directive, Data Protection Act, Codes of Practice, Corporate Policies, ...
  • Conceptual Model: templates for different policy requirements
  • Low-level policies: implementable policies, e.g. XACML code for access control, P3P and APPEL, ...; machine-checkable (verifiable)

SLIDE 11

More about conceptual model

  • Conceptual model may take different forms
    – Varying levels of formality can be useful
    – Just identifying typical clause structures of legal texts can provide clarity
    – More formal models can enable automatic checking that
      • A lower-level policy satisfies the requirements of a higher-level one (policy refinement)
      • Policy statements do not conflict with one another

SLIDE 12

Examples

  • In the paper we have considered examples of policy statements, e.g. for transborder data flow, ...
  • Privacy-aware access control, e.g.

    IF (Data Requestor wants to access personal data D for Purpose P) AND (data subject has given consent for this data) THEN Allow Access ELSE Deny Access

SLIDE 13

Privacy-aware access control

(This diagram is courtesy of Marco Casassa Mont, HP Labs)

Database tables with PII data and customers’ consents:

  • T1 (uid, Name, Condition, Diagnosis):
    1, Alice, Alcoholic, Cirrhosis
    2, Rob, Drug-addicted, HIV
    3, Julie, Contagious illness, Hepatitis
  • T2 (Consent, Marketing, Research): one consent row per uid (1, 2, 3), with a mark where consent has been given

Encoded access-control policy:

  If role == “Statistician” & intent == “Marketing” Then Allow Access (T1.Condition, T1.Diagnosis) & Enforce (Consent)
  Else If role == “Scientist” & intent == “Research” Then Allow Access (T1.Diagnosis) & Enforce (Consent)
  Else Deny Access

Privacy Policy Enforcement:

  • Request: Access Table T1 (Select ALL from T1), Intent = “Marketing”
  • Enforcement: filter data

    SELECT “-”, Condition, Diagnosis FROM T1, T2 WHERE T1.uid = T2.Consent AND T2.Marketing = “YES”

  • Result (uid, Name, Condition, Diagnosis), names suppressed:
    1, -, Alcoholism, Cirrhosis
    3, -, Contagious Illness, Hepatitis
  • Filtered-out data: the record of uid 2 (no marketing consent)
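The consent-enforcing policy of slides 12 and 13, carried through on the two tables, as an added example that is not part of the original slides or the EnCoRe project code: the (role, intent) rule table and the consent flags in T2 are constructed here to match the filtered result above, and the permitted columns and consent column come from the policy, never from the requester.

```python
# Added example (not from the slides): evaluate the slide-13 privacy-aware
# access-control policy against T1 (PII) and T2 (consents) in SQLite.
import sqlite3

# Encoded policy: (role, intent) -> (columns released, consent column enforced).
# The Else branch (no matching rule) is Deny Access.
POLICY = {
    ("Statistician", "Marketing"): (["Condition", "Diagnosis"], "Marketing"),
    ("Scientist", "Research"): (["Diagnosis"], "Research"),
}


def build_db():
    """In-memory copy of T1 and T2; consent values are constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE T1 (uid INTEGER PRIMARY KEY, Name TEXT,
                         Condition TEXT, Diagnosis TEXT);
        CREATE TABLE T2 (Consent INTEGER PRIMARY KEY, Marketing TEXT, Research TEXT);
        INSERT INTO T1 VALUES (1, 'Alice', 'Alcoholic', 'Cirrhosis');
        INSERT INTO T1 VALUES (2, 'Rob', 'Drug-addicted', 'HIV');
        INSERT INTO T1 VALUES (3, 'Julie', 'Contagious illness', 'Hepatitis');
        -- constructed consents: uid 2 has not consented to marketing use,
        -- uid 3 has not consented to research use
        INSERT INTO T2 VALUES (1, 'YES', 'YES');
        INSERT INTO T2 VALUES (2, 'NO', 'YES');
        INSERT INTO T2 VALUES (3, 'YES', 'NO');
    """)
    return con


def request_access(con, role, intent):
    """Apply the policy to a 'Select ALL from T1' request.

    Returns None when the request is denied, otherwise the rows that survive
    the consent filter, with Name replaced by '-' as in the slide's SELECT.
    """
    rule = POLICY.get((role, intent))
    if rule is None:
        return None                      # Else Deny Access
    columns, consent_col = rule          # fixed by policy, not by the caller
    select = "SELECT T1.uid, '-', " + ", ".join("T1." + c for c in columns)
    sql = (select + " FROM T1, T2 WHERE T1.uid = T2.Consent"
           " AND T2." + consent_col + " = 'YES' ORDER BY T1.uid")
    return con.execute(sql).fetchall()
```

A Statistician with intent Marketing receives uids 1 and 3 only; a Scientist with intent Research receives the diagnoses of uids 1 and 2; any other (role, intent) pair is denied.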
SLIDE 14

Summary of position

  • Current approaches to policy specification and enforcement are either too high-level or too low-level
  • The EnCoRe project is developing an approach that balances risk assessment and high-level requirements with low-level considerations, esp. what is implementable using current policy languages and tools

SLIDE 15

Related and Future Work

  • We have already considered how privacy policies in P3P may be translated to a form suitable for automated verification
    – See http://go.warwick.ac.uk/nikos/publications
  • We hope to develop a formal access control model that is designed to express privacy policies at all the levels at which they arise