Presentation is loading. Please wait.

Presentation is loading. Please wait.

Marco Casassa Mont Hewlett-Packard Labs

Published byEgbert Blair Modified over 5 years ago

Similar presentations

Presentation on theme: "Marco Casassa Mont Hewlett-Packard Labs"— Presentation transcript:

1 Marco Casassa Mont marco.casassa-mont@hp.com Hewlett-Packard Labs
On the Need to Explicitly Manage Privacy Obligation Policies as Part of Good Data Handling Practices Marco Casassa Mont Hewlett-Packard Labs

2 Presentation Outline Privacy Concepts and Background Our Position
Privacy Obligations Current Work, Limitations & Suggested Approach Requirements An Example: Work Done in PRIME Proposed Next Steps

3 Presentation Outline Privacy Concepts and Background Our Position
Privacy Obligations Current Work, Limitations & Suggested Approach Requirements An Example: Work Done in PRIME Proposed Next Steps

4 Privacy: Impact on Users and Enterprises
Privacy Legislation (EU Laws, HIPAA, COPPA, SOX, GLB, Safe Harbour, …) Customers’ Expectations Internal Guidelines Personal Data Applications & Services PEOPLE ENTERPRISE Regulatory Compliance Customers’ Satisfaction Positive Impact on Reputation, Brand, Customer Retention 6 April, 2019

5 Privacy Policies & Data Handling on PII Data
Limited Retention Limited Disclosure Limited Use Limited Collection Consent Purpose Specif. Privacy Rights Permissions Obligations Privacy-aware Access Control Data-Handling Criteria Privacy-aware Information Lifecycle Management 6 April, 2019

6 Presentation Outline Privacy Concepts and Background Our Position
Privacy Obligations Current Work, Limitations & Suggested Approach Requirements An Example: Work Done in PRIME Proposed Next Steps

7 Our Position Need to Recognise Complementary Roles of Obligation Policies and Access Control Policies No Subordination of Obligations to Access Control Policies: share Data Handling Criteria Need to Explicitly Represent, Manage and Enforce Obligations Opportunity in defining “Integrated Language” covering both Access Control and Obligation Aspects and Multiple, Specialised Policy Enforcement Solutions Go for Standardisation for Interoperability/Negotiation Keep into account Current Identity Management Solutions … 6 April, 2019

8 Presentation Outline Privacy Concepts and Background Our Position
Privacy Obligations Current Work, Limitations & Suggested Approach Requirements An Example: Work Done in PRIME Proposed Next Steps

9 Privacy Obligations Privacy Obligations are Policies that describe Duties and Expectations on how PII Data Should be Managed, in particular by Enterprises (e.g. Deletion, Notifications, Data Transformation ,etc.) They are at the very base of “Privacy-aware Information Lifecycle Management” They can be dictated by Law, Data Subjects’ Preferences and Enterprise Guidelines 6 April, 2019

10 the security and confidentiality of customer information”
Privacy Obligations: Abstract vs. Refined Obligations can be very Abstract: “Every financial institution has an affirmative and continuing obligation to respect customer privacy and protect the security and confidentiality of customer information” Gramm-Leach-Bliley Act More Refined Privacy Obligations dictate Duties and Responsibilities with respect of Personal Information: Notice Requirements Enforcement of opt-in/opt-out options Limits on reuse of Information and Information Sharing Data Retention limitations … 6 April, 2019

11 Privacy Obligations: A Complex Topic …
Short-term Long-term Duration One-time Ongoing Enforcement “Delete Data XYZ after 7 years” “Notify User via 1 If his Data is Accessed” Types Transactional Data Retention & Handling Other Event-driven Obligations Context Dependent on Access Control Independent from Access Data Subject Setting Enterprise “How Represent Privacy Obligations? How to Stick them to Personal Data? How to Manage, Enforce and Monitor them? How to Integrate them into current IDM solutions?” 6 April, 2019

12 Privacy Obligations: Key Properties
Timeframe (period of validity) of obligations Events/Conditions that trigger the need to fulfil obligations Target of an obligation (PII data) Actions/Tasks/Workflows to be Enforced Responsible for enforcing obligations Exceptions and special cases 6 April, 2019

13 Privacy Obligation: Conceptual Model
Targeted Personal Data References to stored PII data e.g. Database query, LDAP reference, Files, etc. Privacy Obligation Obligation Identifier Triggering Events One or more Events that trigger different Actions e.g. Event: Time-based events Access-based Context-based On-Going Events Actions: Delete, Notify, … Actions Additional Metadata (Future Extensions) 6 April, 2019

14 Presentation Outline Privacy Concepts and Background Our Position
Privacy Obligations Current Work, Limitations & Suggested Approach Requirements An Example: Work Done in PRIME Proposed Next Steps

15 Related Work [1/2] - P3P (W3C):
- Definition of User’s Privacy Expectations - Explicit Declaration of Enterprise Promises - No Framework/definition of Mechanisms for their Enforcement Data Retention Solutions and Document Management Systems. - Limited in terms of expressiveness and functionalities. - Focusing more on documents/files, not really on personal data - Ad-hoc Solutions for Vertical Markets 6 April, 2019

16 Recent relevant Work done in this Space:
Related Work [2/2] Recent relevant Work done in this Space: IBM Enterprise Privacy Architecture, including a policy management system, a privacy enforcement system and audit Initial work on privacy obligations in the context of Enterprise Privacy Authorization Language (EPAL) XACML (OASIS): Access Control-focused standard - No Refined Model of Privacy Obligations - Privacy Obligations Subordinated to AC … 6 April, 2019

17 “Access Control – Centric” Approach (XACML, EPAL, …)
Privacy-Aware Access Control Policy Access Events Target Access Rules based on: {Purposes, Subjects, Credentials, Business Constraints, …} Privacy-Aware Access Control System Actions: Allow/Disallow Acc., ? Obligations: Delete, Notify, etc. 6 April, 2019

18 More “Suitable” Approach …
Privacy-Aware Access Control Policy Privacy Obligation Policy Access Events Target Target Triggering Events {Time, Access, Context, Custom Events, Periodicity, …} Access Rules based on: {Purposes, Subjects, Credentials, Business Constraints, …} Privacy-Aware Access Control System Access, Time, Context, etc. Events AC Actions: Allow/Disallow Acc., Actions: Notify, Deleted, Execute Workflow, Transform data, Obligation Management System 6 April, 2019

19 Presentation Outline Privacy Concepts and Background Our Position
Privacy Obligations Current Work, Limitations & Suggested Approach Requirements An Example: Work Done in PRIME Proposed Next Steps

20 Requirements [1/2] Need for a “Language” to Explicitly Represent Privacy Obligations (Target, Events, Actions, …) Integration with Privacy-aware Access Control Language No Subordination … Being able to use suitable Ontologies whose Semantic is shared with Access Control Constraints Common Data Handling Criteria shared by Access Control and Obligation Policies Possibly Leverage/Extend/Modify Current Standards (XACML, etc.) or Ensure Compatibility/Interoperability  Importance of Standardisation! 6 April, 2019

21 Requirements [2/2] Explicit Association of Obligations to PII Data
Need to Define Enforcement Framework for Obligations (Scheduling, Enforcement, Monitoring)  No Subordination to Access Control Ensure Compatibility with State-of-Art Identity Management Solutions Need to Deal with Negotiation of Data Handling Criteria and Obligations  Do First Steps First i.e. Language & Enforcement Framework 6 April, 2019

22 Presentation Outline Privacy Concepts and Background Our Position
Privacy Obligations Current Work, Limitations & Suggested Approach Requirements An Example: Work Done in PRIME Proposed Next Steps

23 EU PRIME Project: Obligation Management
Enabling Privacy-aware Information Lifecycle Management: Obligation Management Framework Obligations Scheduling Enforcement Monitoring Privacy Obligations Privacy Preferences Data Subjects Administrators Personal Data (PII) ENTERPRISE 6 April, 2019

24 Obligations As “Reactive Rules”
Privacy Obligations: Operational View OBLIGATION Oid: TARGETS: TargetRefs WHEN LogicalCombinationOf (EVENTS) EXECUTE CompositionOf (ACTIONS) Obligations As “Reactive Rules” 6 April, 2019

25 EU PRIME Project: (Loosely) Integrated Approach
Obligation Templates Obligation Template: Defines Obligation Structure Defines Types of Privacy Prefs Request to Disclose PII Data & DHC/List of Relevant Obligation Templates Attempt to Access Service Privacy Admins Req. PII Data + DHC/Privacy Prefs. Access Control User PRIME GUI Access Control Policies Disclose PII + DHC/Privacy Prefs. Push Instantiated Obligation Templates (i.e. with Privacy Prefs) Obligation Management System PRIME Toolbox ENTERPRISE 6 April, 2019

26 EU PRIME Project: Key Open Issues
Loose Integration of AC Policies with Obligation Policies  Need for Common Language Obligations Share Data Handling Criteria (DHC). OK! Need to Standardise these Data Handling Criteria for: - Interoperability - Enabling Negotiation (Client/Enterprise, Multi-Party) No Negotiation of Complex DHC … 6 April, 2019

27 Presentation Outline Privacy Concepts and Background Our Position
Privacy Obligations Current Work, Limitations & Suggested Approach Requirements An Example: Work Done in PRIME Proposed Next Steps

28 Proposed Next Steps Consider work Done in PRIME …
Collect Requirements. Gain support from Industry Explore Alternative Approaches to Obligation Management, if required … Analyse and Design Integrated Language to Explicitly Describe both AC Rules and Obligations – Common DHP Standardise this Language and Ensure it can be used by a suitable Enforcement/Management Framework Ensure Compatibility with current Identity Management Initiatives Address Aspects such as Sticky Policies and Negotiation … 6 April, 2019

29 BACK-UP SLIDES 6 April, 2019

30 Open Issues and Next Steps
Current Approach Pros Flexible Language and Approach Extensible and Customisable Cons Large Set of Similar Obligations might be Created Scalability Issues Next Steps Address Scalability Issues Introduce Parametric Obligations Extend Language (Exceptions, more types of Events, Actions, etc.) 6 April, 2019

31 Privacy Obligations: Formal View
Privacy Obligation is a <i,t,L(e),C(a)> tuple <i,t,e,a> <I, 2^T, 2^E, 2^A > i I: set of all unique identifiers t T: set of all possible targets e E: set of all possible events a A: set of all possible actions L(e) : defines a logical combination (AND, OR, NOT) of events C(a) : defines an operational combination of actions, such as a sequence of actions 6 April, 2019

32 Privacy Obligation Examples
Delete PII Data at a Predefined Time 1) OBLIGATION Oid1: TARGETS: t1:< DATABASE=db1, TABLE=customers, Key=CustomerName, KeyValue=abc> WHEN (current_time= date1) EXECUTE <DELETE t1> Notify Users when their PII Data is Accessed 2) OBLIGATION Oid2: TARGETS: t1:< DATABASE=db1, TABLE=customers, Key=CustomerName, KeyValue=abc, ATTRIBUTES=( ) > WHEN (Access_Data_Event AND Access_Data_Event.data = t1) EXECUTE <NOTIFY BY t1. > 6 April, 2019

33 Privacy Obligation Examples
Notify Users and Delete PII Data when it is not Accessed after a Predefined Date 3) OBLIGATION Oid3: TARGETS: t1:< DATABASE=db1, TABLE=customers, Key=CustomerName, KeyValue=abc ATTRIBUTES=(creditcard, )> WHEN (current_time>date1) AND (NOT (Access_Data_Event AND Access_Data_Event.data = t1 )) EXECUTE <NOTIFY BY t1. > <DELETE t1.creditcard> 6 April, 2019

34 Privacy Obligation Examples
Delete PII Data and De-provision a User Account either after a specified Date Or if PII Data has been Accessed more than n Times 4) OBLIGATION Oid4: TARGETS: t1:< DATABASE=db1, TABLE=customers, Key=CustomerName, KeyValue=abc ATTRIBUTES=(creditcard, )> WHEN (current_time>date1) OR ( (Access_Data_Event AND Access_Data_Event.data = t1 ) AND (Access_Counter>n)) EXECUTE <DELETE t1.creditcard> <RUN WORKFLOW deprovision_user(t1.KeyValue)> 6 April, 2019

35 Privacy Obligation Examples
Notify Users on Ongoing Bases at a Specified Interval of Time 5) OBLIGATION Oid5: TARGETS: t1:< DATABASE=db1, TABLE=customers, Key=CustomerName, KeyValue=abc, ATTRIBUTES=( )> WHEN (current_time < date1) AND (time_counter > time_interval) EXECUTE <NOTIFY BY t1. > <RESET time_counter> 6 April, 2019

36 Privacy Obligation Examples
Encrypt PII Data and Notify the administrator in case of Intrusion 6) OBLIGATION Oid6: TARGETS: t1:< DATABASE=db1, TABLE=customers> WHEN (Event-intrusion_detected) EXECUTE <ENCRYPT t1> <NOTIFY admin> Encrypt PII Data and Notify the administrator in case the System is in an inconsistent/Distrusted state 7) OBLIGATION Oid7: TARGETS: t1:< DATABASE=db1, TABLE=customers> WHEN (Event-system_distrusted) AND (DATABASE.host =system_distrusted.host) EXECUTE <ENCRYPT t1> <NOTIFY admin> 6 April, 2019

37 Privacy Obligation Examples
Encrypt Address Attributes and Delete User Names in Log Files older than 6 months 8) OBLIGATION Oid8: TARGETS: t1:< FILE=../audit_log, ATTRIBUTES=(TimeStamp, UserIPaddress, UserName)> WHEN (time_counter > time_interval) EXECUTE <ENCRYPT t1.UserIpAddress> <DELETE t1.UserName WHERE t1.TimeStamp<= current_time - 6 months> <RESET time_counter> 6 April, 2019

38 PRIME Representation in XML Format
Privacy Obligations: PRIME Representation in XML Format <obligation id=“gfrbg7645gt45"> <target> <database> <dbname>CustomersDB</dbname> <tname>Customers</tname> <locator> <key name=“UserID">oid_a83b8a:fdfc44df3b:-7f9c</key> </locator> <data attr="part"> <item>creditcard</item> <item>firstname</item> </data> </database> </target> <obligationitem sid="1"> <metadata> <type>LONGTERM</type> <description>Delete [creditcard,firstname] at Aug 15 17:26:21 BST 2006.]</description> </metadata> <events> <event> <type>TIMEOUT</type> <date now="no"> <year>2006</year> <month>08</month> <day>15</day> <hour>17</hour><minute>26</minute> </event> </events> <actions> <action> <type>DELETE</type> </action> </actions> </obligationitem> </obligation> 6 April, 2019

39 Setting Privacy Obligations
Obligation Management System (OMS): High Level System Architecture Enforcing Privacy Obligations Applications and Services Data Subjects Privacy-enabled Portal Admins Monitoring Privacy Obligations Setting Privacy Obligations On Personal Data Obligation Monitoring Service Events Handler Monitoring Task Handler Admins Obligation Server Workflows Obligation Scheduler Obligation Enforcer Information Tracker Action Adaptors ENTERPRISE Audit Server Data Ref. Obligation Obligation Store & Versioning Confidential Data 6 April, 2019

40

Download ppt "Marco Casassa Mont Hewlett-Packard Labs"

Similar presentations

May 24, 2004 SWSL outbrief 1 Outbrief from SWSL group at SWSI F2F May 24, 2004.

May 24, 2004 SWSL outbrief 1 Outbrief from SWSL group at SWSI F2F May 24, 2004.
Privacy: Accountability and Enforceability Jamie Yoo April 11, 2006 CPSC 457: Sensitive Information in a Wired World.

Privacy: Accountability and Enforceability Jamie Yoo April 11, 2006 CPSC 457: Sensitive Information in a Wired World.
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Privacy Policy Enforcement in Enterprises.

© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Privacy Policy Enforcement in Enterprises.
Privacy and Contextual Integrity: Framework and Applications Adam Barth, Anupam Datta, John C. Mitchell (Stanford), and Helen Nissenbaum (NYU) TRUST Winter.

Privacy and Contextual Integrity: Framework and Applications Adam Barth, Anupam Datta, John C. Mitchell (Stanford), and Helen Nissenbaum (NYU) TRUST Winter.
Security Controls – What Works

Security Controls – What Works
On Privacy-aware Information Lifecycle Management (ILM) in Enterprises: Setting the Context Marco Casassa Mont Hewlett-Packard.

On Privacy-aware Information Lifecycle Management (ILM) in Enterprises: Setting the Context Marco Casassa Mont Hewlett-Packard.
An Application-led Approach for Security-related Research in Ubicomp Philip Robinson TecO, Karlsruhe University 11 May 2005.

An Application-led Approach for Security-related Research in Ubicomp Philip Robinson TecO, Karlsruhe University 11 May 2005.
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.

Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.
Web Service Architecture Part I- Overview and Models (based on W3C Working Group Note Frank.

Web Service Architecture Part I- Overview and Models (based on W3C Working Group Note Frank.
Hippocratic Databases Paper by Rakesh Agrawal, Jerry Kiernan, Ramakrishnan Srikant, Yirong Xu CS 681 Presented by Xi Hua March 1st,Spring05.

Hippocratic Databases Paper by Rakesh Agrawal, Jerry Kiernan, Ramakrishnan Srikant, Yirong Xu CS 681 Presented by Xi Hua March 1st,Spring05.
A Use Case for SAML Extensibility Ashish Patel, France Telecom Paul Madsen, NTT.

A Use Case for SAML Extensibility Ashish Patel, France Telecom Paul Madsen, NTT.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
MDC Open Information Model West Virginia University CS486 Presentation Feb 18, 2000 Lijian Liu (OIM:

MDC Open Information Model West Virginia University CS486 Presentation Feb 18, 2000 Lijian Liu (OIM:
Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.

Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 18 Slide 1 Software Reuse.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 18 Slide 1 Software Reuse.
Service Organization Control (SOC) Reporting Options and Information

Service Organization Control (SOC) Reporting Options and Information
WP.5 - DDI-SDMX Integration E.S.S. cross-cutting project on Information Models and Standards Marco Pellegrino, Denis Grofils Eurostat METIS Work Session6-8.

WP.5 - DDI-SDMX Integration E.S.S. cross-cutting project on Information Models and Standards Marco Pellegrino, Denis Grofils Eurostat METIS Work Session6-8.
Web Policy Zeitgeist Panel SWPW 2005 – Galway, Ireland Piero Bonatti, November 7th, 2005.

Web Policy Zeitgeist Panel SWPW 2005 – Galway, Ireland Piero Bonatti, November 7th, 2005.

Similar presentations

Ads by Google