HP Labs Privacy Management Vision, Research and Work


1 HP Labs Privacy Management Vision, Research and Work
Marco Casassa Mont, Senior Researcher, Trusted Systems Lab, HP Labs, Bristol, UK

2 Outline
- Overview of HP Labs and Privacy Management Group
- Key Privacy Concepts
- HP Labs Privacy Management Research and Work:
  - Privacy Policy Enforcement
  - Privacy Obligation Management
- Conclusions

3 HP Labs
http://www.hpl.hp.com
Locations: Bristol (Trusted Systems Laboratory, Bristol, UK), Palo Alto, Israel, Japan, India, China. ~600 employees worldwide.
HP Labs is worldwide with locations in the U.S., in the U.K., Israel, Japan and more recently India and China. We number about 600; about half of our researchers are PhD-level engineers, computer scientists, physicists and chemists. We operate a diversified research portfolio, with larger investments on present-day strategies and smaller investments on long-term, more speculative projects. Key research strategies are driven by company strategy and customer interaction. We have a focused approach to invention, innovating where we can add value, partnering for the rest. HP Labs is tightly aligned with HP strategy – in fact we participate in developing that strategy. We work directly with customers – internal and external – to determine best commercialization paths … and I’ll share examples today.
Roles of HP Labs:
- Contribute to HP Strategy Creation
- Grow HP's Business with Strategically Aligned Technologies
- Create Technologies that Enable New Opportunities for HP
- Invest in Fundamental Science in Areas of Interest to HP
February 15, 2019

4 HP Labs: Trusted Systems Laboratory Security Research
Mission: Research on Trust, Security and Privacy to provide Safe, Simple to own, and Assured Systems, Enabling Confident Participation in the Digital Economy and delivered through HP’s Infrastructures and Infrastructure Services.
We see from the chart that the number of security breaches is on the increase and we know that the financial impact on industry runs into $Billions each year. At the same time we are using the internet more and more to do business and share sensitive information. TSL is trying to increase people's confidence in doing business on the internet by deploying technologies that enhance trust and simplify the whole task of managing security.
o SAFE: Compare with locks on the doors and windows, burglar alarms, even neighbourhood watch type schemes. What is the e-equivalent?
o SIMPLE TO OWN: Most people agree these days that security by obscurity is not a good thing; in fact complexity generally makes systems less secure. How many of us really understand what security options to set on our web browsers or how to properly configure anti-virus software, personal firewalls, access control lists, password management etc.? Most people rely on good defaults; however, out-of-the-box defaults often leave a lot to be desired. Another analogy – car immobiliser, simple to use if you have the key. Pretty effective too.
o ASSURED: Compare with the building trade. Choosing a builder is always a difficult task – this trade has a bit of a reputation. What do you look for? You get a feel when you see them and speak to them. Preferably you would want recommendations from friends or family. But what about in the electronic world where you don’t deal face to face, and have probably never interacted before? How do you trust a computer rather than a human being?
THREAT MANAGEMENT: We’ll say more about this shortly, but the graph has already shown that this problem is on the increase. Attacks are becoming faster, cleverer and potentially more damaging. Tools are available on the Internet requiring very little technical knowledge to launch some of these attacks. Many of them come through and even though you can constantly tell people not to open attachments from unrecognised senders, people are fallible. Traditional mechanisms to date do not seem to be dealing with this problem adequately.
IT GOVERNANCE: Good IT Governance is becoming increasingly important for many companies – being driven by both the need to get a better return on IT spending and by the need to comply with regulations such as Sarbanes Oxley for financial reporting and HIPAA and others for privacy protection. There are a number of ways that technology can help companies in ensuring their governance requirements are being met by their IT systems. This ranges from assurance systems showing how the overall IT infrastructure is being run, to tools that help enforce high level policies that are important for maintaining governance. We have research projects that are looking into areas such as Compliance, Privacy Enforcement and Obligation Management, Identity Management. Included here are core competences in cryptography and modelling.
TRUSTED INFRASTRUCTURE: At the end of the day you want to be sure that the platform you are running on will behave exactly as you would expect, running corporate certified software and configurations. Currently this area is being industry led through the Trusted Computing Group, founded by HP, Compaq, Microsoft, Intel and IBM. In addition to trusted hardware, we are researching into Trusted Virtualisation in the context of the Adaptive Enterprise.
However, security is not just about technology; we have to understand the social science of what is acceptable, concerns re people's privacy and rights; we need to understand the legal framework that is going to underpin everything, e.g. copyright laws, export laws, key escrow concerns, digital rights management; we need to understand the mathematics to be sure that systems are truly (even provably) safe; and we need to understand how all of this, plus the supporting technologies, all come together to create a solution.
[Diagram labels: Threat Management; IT Governance; Trusted Infrastructure]
TSL Privacy Management Group:
- Our Vision: Address privacy management Issues with innovative IT technologies and solutions
- Our Premise: Integrating privacy management into the middleware layer of a data processing system will provide most benefits, e.g., common approach, re-usable software, etc.
- Our Approach: Design, build and test Proof-of-Concept prototypes

5 Outline
Key Privacy Concepts

6 Enterprise Privacy Management
- Privacy Legislation (EU Laws, HIPAA, COPPA, SOX, GLB, Safe Harbour, …)
- Customers’ Expectations
- Internal Guidelines
Impact on Enterprises and Opportunities:
- Regulatory Compliance
- Customers’ Satisfaction
- Positive Impact on Reputation, Brand, Customer Retention
[Diagram labels: PEOPLE; ENTERPRISE; Personal Data; Applications & Services; Regulations, Standards, Best Practices; Enterprise IT Infrastructure; IT Alignment; Policy Enforcement; Policy Development; Transparency; Monitoring; Reporting]
Effective Enterprise Privacy depends on Good Governance Practices

7 Privacy For Personal Data: Core Principles
- Limited Retention
- Limited Disclosure
- Limited Use
- Limited Collection
- Consent
- Purpose Specification
[Diagram labels: Privacy Rights; Permissions; Obligations; Privacy Policies]

8 Outline
HP Labs Privacy Management Research and Work: Privacy Policy Enforcement, Privacy Obligation Management

9 Privacy Policy Enforcement in Enterprises
- How to Enforce Privacy Policies within Enterprises when Accessing and Manipulating Personal Data?
- How to Enforce User Preferences, e.g. Consent?
- How to Integrate with Identity Management Solutions?
HP Labs R&D Work:
- Privacy-Aware Access Control System for Personal Data
- Prototype Integrated with HP Select Access
- HP Business Considering its Productisation in 2006
[Diagram labels: Regulations, Standards, Best Practices; IT Alignment; Policy Enforcement; Policy Development; Enterprise IT Infrastructure; Privacy Policy Enforcement]

10 Moving Towards a “Privacy-Aware” Access Control …
Privacy Enforcement on Data: Access Control + “Intent, Purpose, Consent, …”
- Traditional Access Control: Personal Data, Requestor, Actions, Rights
- Privacy-Aware Access Control: Access Control (Personal Data, Requestor, Actions, Rights) + Privacy Extension (Purpose, Requestor’s Intent, Constraints, Owner’s Consent, Other…)
It is not just a matter of traditional access control: need to include data purpose, intent and user’s consent

11 Example: Privacy-aware Access Control with Consent, Purpose and Intent Mgmt
Enterprise Privacy Policies & Customers’ Consent
Table T1 with PII Data:
uid | Name  | Condition          | Diagnosis
1   | Alice | Alcoholic          | Cirrhosis
2   | Rob   | Drug Addicted      | HIV
3   | Julie | Contagious Illness | Hepatitis
Table T2 with Customers’ Consent: columns Consent (uid values 1, 2, 3), Marketing, Research; cells marked with x
Privacy policy:
    If role == "empl." and intent == "Marketing" Then Allow Access (T1.Condition, T1.Diagnosis) & Enforce (Consent)
    Else If intent == "Research" Then Allow Access (T1.Diagnosis)
    Else Deny Access
Privacy Policy Enforcement: Access Table T1 (SELECT * FROM T1) with Intent = "Marketing"
Enforcement: Filter data
    SELECT '-', Condition, Diagnosis FROM T1, T2 WHERE T1.uid = T2.Consent AND T2.Marketing = 'YES'
Filtered data:
uid | Name | Condition          | Diagnosis
1   | -    | Alcoholism         | Cirrhosis
2   |      |                    |
3   | -    | Contagious Illness | Hepatitis
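The decision and query-rewriting steps of this slide, as an added Python/SQLite example (not code from the presentation or from HP Select Access). The T2 consent values, the choice to keep uid visible as the row key, and the function names are assumptions.

```python
import sqlite3

# T1 rows come from the slide. The T2 consent values are constructed so that
# uid 2 has not consented to Marketing, matching the slide's filtered output.
T1 = [(1, "Alice", "Alcoholic", "Cirrhosis"),
      (2, "Rob", "Drug Addicted", "HIV"),
      (3, "Julie", "Contagious Illness", "Hepatitis")]
T2 = [(1, "YES", "YES"), (2, "NO", "YES"), (3, "YES", "NO")]
COLUMNS = ("uid", "Name", "Condition", "Diagnosis")


def decide(role, intent):
    """Slide policy: returns (visible columns, consent column to enforce)."""
    if role == "empl." and intent == "Marketing":
        return {"Condition", "Diagnosis"}, "Marketing"
    if intent == "Research":
        return {"Diagnosis"}, None
    return None, None  # Deny Access


def rewrite(role, intent):
    """Rewrite SELECT * FROM T1 into the filtered query; None means deny."""
    visible, consent = decide(role, intent)
    if visible is None:
        return None
    # Assumption: uid stays visible as the row key; other columns are masked.
    cols = ", ".join(f"T1.{c}" if c == "uid" or c in visible else f"'-' AS {c}"
                     for c in COLUMNS)
    sql = f"SELECT {cols} FROM T1"
    if consent:  # a fixed value from decide(), never requestor-supplied text
        sql += f" JOIN T2 ON T1.uid = T2.Consent WHERE T2.{consent} = 'YES'"
    return sql + " ORDER BY T1.uid"


def access_t1(role, intent):
    """Enforcement point: run the rewritten query, not the requested one."""
    sql = rewrite(role, intent)
    if sql is None:
        raise PermissionError(f"denied: role={role!r}, intent={intent!r}")
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE T1 (uid INTEGER, Name TEXT, Condition TEXT, Diagnosis TEXT)")
    db.execute("CREATE TABLE T2 (Consent INTEGER, Marketing TEXT, Research TEXT)")
    db.executemany("INSERT INTO T1 VALUES (?, ?, ?, ?)", T1)
    db.executemany("INSERT INTO T2 VALUES (?, ?, ?)", T2)
    return db.execute(sql).fetchall()
```

Because the requestor never supplies SQL text, only a role and an intent, the masking and the consent join cannot be bypassed by rephrasing the query.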

12 Privacy Enforcement in HP Select Access
Privacy Policy Enforcement On Personal Data
[Diagram labels:
- Policy Builder; HPL Plug-ins; Data Modelling & Privacy Policy Authoring
- Validator (Policy Decision); HPL Plug-ins; Privacy Policy Deployment & Decisions
- Access Control Policies + Privacy Policies (intent, purpose, consent, constraints…); Audit; Repository
- Enforcer Plug-in; Access Request; Grant/Deny
- HPL Data Enforcer; Requestor’s Intent + Request to Access Data; Privacy-aware Access Request; Privacy-aware Decision; Data Access; Privacy-aware Access to Data
- Applications, Services, Web Services
- Personal Data + Owners’ Consent]

13 Prototype: Demo Snapshots
[Screenshot labels: Rule Editor; Purpose-based Decision plug-in; Data Filtering plug-in; Consent Management plug-in; Data Expiration plug-in]
- Give consent to access data For Declared Purposes e.g. Research; Data Retention Preferences
- Effect of enforcing customers’ Consent; Effect of applying the privacy policy (data filtering): The new customer data is not visible as she gave no consent to use her data for Marketing purposes
- Effect of enforcing customers’ Consent; Effect of applying the privacy policy (data filtering): The new customer data is (partially) visible as she gave consent to use her data for Research purposes

14 Outline
HP Labs Privacy Management Research and Work: Privacy Policy Enforcement, Privacy Obligation Management

15 Privacy Obligation Management
Privacy Obligations dictate Duties and Expectations to Enterprises on How to Handle Personal Data:
- Which Privacy Obligations to Manage? How to Represent them?
- How to Schedule, Enforce and Monitor Privacy Obligations?
- How to Integrate with Identity Management Solutions?
HP Labs R&D Work:
- Privacy Obligation Management System
- Prototype Integrated with HP Select Identity
- Explore its Productisation
- Research in EU PRIME Project
[Diagram labels: Regulations, Standards, Best Practices; IT Alignment; Policy Enforcement; Policy Development; Enterprise IT Infrastructure; Privacy Obligation Enforcement; Monitoring; Reporting; Transparency]

16 Obligation Management System (OMS): Model
Privacy Obligations dictate Responsibilities and Duties on Personal Information:
- Notice Requirements
- Enforcement of opt-in/opt-out options
- Limits of Reuse
- Data Retention
- Data Deletion
- Data Transformation
[Diagram labels: Privacy Obligations; Obligations can be Very Abstract; More Refined; Data Subjects; Administrators; ENTERPRISE; Personal Data (PII); Obligation Management Framework: Obligations Scheduling, Obligations Enforcement, Obligations Monitoring]
Privacy Obligations are not Subordinated to Access Control

17 Obligation Management System: High Level System Architecture
[Diagram labels:
- Setting Privacy Obligations On Personal Data; Enforcing Privacy Obligations; Monitoring Privacy Obligations
- Data Subjects; Admins; Applications and Services; Privacy-enabled Portal
- ENTERPRISE: Obligation Server; Obligation Scheduler; Obligation Enforcer; Workflows; Action Adaptors; Events Handler; Information Tracker; Obligation Monitoring Service; Monitoring Task Handler; Audit Server; Obligation Store & Versioning (Obligation, Data Ref.); Confidential Data]

18 User Provisioning and Obligation Management
Management of Privacy Obligation in the context of User Provisioning and Account Management: Turn Privacy Preferences into Privacy Obligations
[Diagram labels: Data Subject; Self Registration and User Account Management; Personal Data + Privacy Preferences (e.g. Deletion, Notification); HP Select Identity; User Provisioning; Connectors; Service API; Obligation Management System; Privacy Obligation Enforcement & Monitoring; Enterprise Data Repositories]

19 Prototype: Demo Snapshots
[Screens shown: HP Select Identity; Obligation Management System - GUI]
- Privacy Preferences (deletion times of selected attributes and of the entire account)
- Privacy Preferences (notification of deletions via )
- The new user provisioning request has been successful – User information will also be provisioned via the OMS connector that will cause the creation of new privacy obligations based on the user's previous privacy preferences
- New Privacy Obligations generated as Effect of provisioning a new User and Handling Privacy preferences (Deletion and Notification)
- Details of Selected Obligation
- View: List of Managed Obligations (to be enforced and enforced obligations). Note: in this example all obligations are enforced (status OK or Violated)
- View: Monitored Obligations (enforced obligations). Note: In this example, the last two obligations in the list are in the “Violated” status (RED colour). This status and the details can be logged/audited and reported to the administrator for follow-up actions
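A minimal model of the obligation lifecycle these slides describe (deletion and notification preferences become obligations at provisioning, then are scheduled, enforced and monitored), added here as a Python example; it is not OMS or HP Select Identity code. The class names, the day-number clock, the dict-based repositories and the read-only repository that produces a "VIOLATED" status are all assumptions.

```python
from dataclasses import dataclass


@dataclass
class Obligation:
    user: str
    attribute: str            # attribute to delete; "*" means the entire account
    due_day: int              # deletion time taken from the privacy preferences
    notify: bool              # tell the data subject when the deletion is done
    status: str = "PENDING"   # set to "OK" or "VIOLATED" once enforced


class ObligationManager:
    """Hypothetical model: repositories are dicts of {user: {attribute: value}}."""

    def __init__(self, repos, read_only=()):
        self.repos, self.read_only = repos, set(read_only)
        self.obligations, self.audit, self.outbox = [], [], []

    def provision(self, user, data, deletion_prefs, notify=False):
        """Provision the user and turn each preference into an obligation."""
        for repo in self.repos.values():
            repo[user] = dict(data)
        for attribute, due_day in deletion_prefs.items():
            self.obligations.append(Obligation(user, attribute, due_day, notify))

    @staticmethod
    def _present(repo, ob):
        record = repo.get(ob.user)
        return record is not None and (ob.attribute == "*" or ob.attribute in record)

    def run(self, today):
        """Schedule, enforce and monitor every obligation due by `today`."""
        for ob in self.obligations:
            if ob.status != "PENDING" or ob.due_day > today:
                continue
            for name, repo in self.repos.items():
                if name in self.read_only:
                    continue  # no action adaptor can write here: deletion skipped
                if ob.attribute == "*":
                    repo.pop(ob.user, None)
                else:
                    repo.get(ob.user, {}).pop(ob.attribute, None)
            # Monitoring re-checks the data itself, not the enforcer's result.
            left = sorted(n for n, r in self.repos.items() if self._present(r, ob))
            ob.status = "VIOLATED" if left else "OK"
            self.audit.append((today, ob.user, ob.attribute, ob.status, left))
            if ob.notify and not left:
                self.outbox.append((ob.user, f"{ob.attribute} deleted on day {today}"))
        return [(ob.attribute, ob.status) for ob in self.obligations]
```

The audit entries carry the names of the repositories that still hold the data, which is the detail an administrator needs for the follow-up action the slide mentions.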

20 Outline
Conclusions

21 Conclusions
- Privacy Management is a Key Aspect of IT Governance and Regulatory Compliance for Enterprises
- Key Privacy Management Requirements for Enterprises: Privacy Enforcement Automation and Cost Reduction; Integration with Identity Management Solutions
- HP Labs’ Contributions:
  - Vision: Address Privacy Management with IT Solutions and Technologies
  - Technology: Privacy Policy Enforcement with HP Select Access
  - Technology: Privacy Obligation Management with HP Select Identity
- HP Labs keen to Collaborate with Customers for Trials and Requirements
More Information:
