Presentation is loading. Please wait.

Presentation is loading. Please wait.

On Parametric Obligation Policies: Enabling Privacy-aware Information Lifecycle Management in Enterprises IEEE Policy Workshop 2007 Marco Casassa Mont.

Published byBuck Curtis Modified over 5 years ago

Similar presentations

Presentation on theme: "On Parametric Obligation Policies: Enabling Privacy-aware Information Lifecycle Management in Enterprises IEEE Policy Workshop 2007 Marco Casassa Mont."— Presentation transcript:

1 On Parametric Obligation Policies: Enabling Privacy-aware Information Lifecycle Management in Enterprises IEEE Policy Workshop 2007 Marco Casassa Mont Hewlett-Packard Labs

2 Presentation Outline Background on Privacy Obligation Management
Addressed Problem and Related Work Scalable Obligation Management Conclusions

3 Presentation Outline Background on Privacy Obligation Management
Addressed Problem and Related Work Scalable Obligation Management Conclusions

4 Privacy: Impact on Users and Enterprises
Privacy Legislation (EU Laws, HIPAA, COPPA, SOX, GLB, Safe Harbour, …) Customers’ Expectations Internal Guidelines Personal Data Applications & Services PEOPLE ENTERPRISE Regulatory Compliance Customers’ Satisfaction Positive Impact on Reputation, Brand, Customer Retention 16 April, 2019

5 Privacy Obligation Policies
Privacy Obligations are Policies that describe Duties and Expectations on how Personal Data (PII) Should be Managed in Enterprises (e.g. Data Deletion, Retention, Notifications, Data Transformation, …) They dictate “Privacy-aware (Identity) Information Lifecycle Management” They can be defined by Privacy Laws, Data Subjects (Users)’ Preferences and Enterprise Guidelines Privacy Obligations Enterprise Identity Management Solutions Identity Lifecycle Management Enterprise Data Repositories 16 April, 2019

6 Privacy Obligations: A Complex Topic …
Short-term Long-term Duration One-time Ongoing Enforcement Obligation Constraints: Notice Requirements Enforcement of opt-in/opt-out options Limits on reuse of Information and Information Sharing Data Retention limitations … “Delete Data XYZ after 7 years” “Notify User via If his/her Data is Accessed” Types Transactional Data Retention & Handling Other Event-driven Obligations Context Dependent on Access Control Independent from Access Data Subject Setting Enterprise 16 April, 2019

7 Presentation Outline Background on Privacy Obligation Management
Addressed Problem and Related Work Scalable Obligation Management Conclusions

8 Key Research Problems How to Help Enterprises to Handle Obligation Policies: How to Represent Privacy Obligations? How to “Stick” them to Data? How to Manage, Enforce and Monitor Them? How to Leverage Current Identity Management Solutions? How to Achieve this in a Scalable Way, with Very Large Sets of Managed Personal Data (>100K, usually million of records …) 16 April, 2019

9 Technical Work in this Space (Privacy Obligation Management)
- P3P (W3C): - Definition of User’s Privacy Expectations - Explicit Declaration of Enterprise Promises - No Definition of Mechanisms for their Enforcement Data Retention Solutions, Document Management Systems, Ad-hoc Solutions for Vertical Markets - Limited in terms of expressiveness and functionalities. - Focusing more on documents/files not personal data - IBM Enterprise Privacy Architecture, EPAL, XACML … - No Refined Model of Privacy Obligations Privacy Obligations Subordinated to AC. Incorrect … No Focus on Scalability Issue … 16 April, 2019

10 Presentation Outline Background on Privacy Obligation Management
Addressed Problem and Related Work Scalable Obligation Management Conclusions

11 Our Approach (EU PRIME Project)
Privacy Obligations are “First-Class Entities”: No Subordination to Access Control/Authorization View  Explicit Representation, Management and Enforcement of Privacy Obligation Policies Allow Users to Express their Privacy Preferences that are Mapped into Enterprises’ Obligation Policies Scalability to Large data sets (>100K) by means of Parametric Obligation Policies Provide a Solution to Enterprises to Automate the Management 16 April, 2019

12 Our Model: Obligation Management Framework [1/2]
Obligations Scheduling Enforcement Monitoring Parametric Obligations Privacy Preferences Users Administrators Personal Data (PII) & Preferences ENTERPRISE 16 April, 2019

13 (Deletion, Notification,etc.)
Our Model: Obligation Management Framework [2/2] Personal Data + Privacy Preferences Enterprise Identity Management Solutions Parametric Obligation1 Obligations derived from Templates (Admin) Obligation2 Privacy Preferences Obligation Management System (OMS) Personal Data Data Subjects (Users) N:1 Association Privacy Prefs. Personal Data Privacy Preferences (Deletion, Notification,etc.) Enterprise Data Repositories ENTERPRISE 16 April, 2019

14 Parametric (Privacy) Obligation Policies
Parametric Obligation: contains a “parametric definition” of Obligation’s Target, Events, Actions (and On-Violation Actions …) Structure based on Predefined Obligation Templates. Once Instantiated, it contains References to Personal Data and Privacy Preferences References are Resolved at Runtime by OMS PII Data Target Target + References Events Preferences Actions Parametric Obligation (Reactive Rule) FOR: Target WHEN Events(Refs) THEN EXECUTE [Actions(Refs)] ON VIOLATION: EXECUTE [Violation-Actions(Refs)] On Violation Actions Parametric Obligation 16 April, 2019

15 Parametric Obligation: “Simple” XML-based Example …
Timeout Event using the explicit reference Actions involving the Notification and Data Deletion On Violation Actions using the direct value Target with the references description of the databases FOR ALL TARGETED PII DATA + RELATED PREFS WHEN Deletion_Time (Ref) THEN EXECUTE [DELETE CreditCard (Ref) & Notify (Ref)] ON VIOLATION: EXECUTE [Notify(admin)] 16 April, 2019

16 Parametric Obligation: Working with References …
Target Data Model Definition (PII Data, Preferences, etc.) Uses Alias to identify each data model Events Uses the “Alias + References” to get the data to trigger the action Actions Uses the “Alias + References” to acquire additional information to enforce the action Target PrivPref.TimePref > now() Events MyPII.e- Actions Data Models Alias = PrivPref Alias = MyPII PrivPref MyPII Privacy Preferences PII Data 16 April, 2019

17 Obligation Processing Workflow (Run-time …)
External Events Happen Parametric Obligation Policy Data Repository Target Identify Relevant Personal Data and Privacy Preferences Events Actions Preference Repository OnViolation Actions Solving the Events References by building dynamically SQL queries Update Stateful Events No Event Trigger a parametric obligation on a given piece of data ? Scalable Obligation Database Yes Enforce the Actions by solving the Actions References building dynamical SQL queries 16 April, 2019

18 Scalable OMS High-Level Architecture
Enforcing Privacy Obligations Applications and Services Data Subjects Setting Parametric Obligations Privacy-enabled Portal Admins Monitoring Privacy Obligations Setting Privacy Preferences on Personal Data Obligation Monitoring Service Events Handler Monitoring Task Handler Admins Obligation Server Workflows Obligation Scheduler Obligation Enforcer Information Tracker ENTERPRISE Action Adaptors Obligation Store & Versioning Confidential Data Privacy Prefs Data Ref. Privacy Preferences Repository Parametric Obligation UID Audit Server Current Status Full working prototype. Tested with Large data sets (>100K) Integrated with HP OpenView Identity Management Solution (HP Select Identity) - Working on further Tests and Analysing them … 16 April, 2019

19 Presentation Outline Background on Privacy Obligation Management
Addressed Problems and Related Work Scalable Obligation Management Conclusions

20 Conclusions Privacy Management is Important for Enterprises
Need to Provide Scalable Solutions to Handle Privacy Obligations Proposed a Scalable Obligation Management Framework and Solution - Explicit Modelling and Management of Obligation Policies - Concept of Parametric Obligation Policies It Works!! Handling Obligations on Large set of PII Data (>100k) Collecting Test Results and more Formal Analysis … R&D Work in Progress: Stickiness of Obligation Policy to Data (subject to change of locations) Management of Obligation Policies in Federated Identity Management Contexts - … 16 April, 2019

21

Download ppt "On Parametric Obligation Policies: Enabling Privacy-aware Information Lifecycle Management in Enterprises IEEE Policy Workshop 2007 Marco Casassa Mont."

Similar presentations

© 2007 IBM Corporation Enterprise Content Management Integrating Content, Process, and Connectivity for Competitive Advantage Malcolm Holden October 2007.

© 2007 IBM Corporation Enterprise Content Management Integrating Content, Process, and Connectivity for Competitive Advantage Malcolm Holden October 2007.
Page 1 Integrating Multiple Data Sources using a Standardized XML Dictionary Ramon Lawrence Integrating Multiple Data Sources using a Standardized XML.

Page 1 Integrating Multiple Data Sources using a Standardized XML Dictionary Ramon Lawrence Integrating Multiple Data Sources using a Standardized XML.
© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Privacy Policy Enforcement in Enterprises.

© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Privacy Policy Enforcement in Enterprises.
Basic guidelines for the creation of a DW Create corporate sponsors and plan thoroughly Determine a scalable architectural framework for the DW Identify.

Basic guidelines for the creation of a DW Create corporate sponsors and plan thoroughly Determine a scalable architectural framework for the DW Identify.
Lecture 5 Themes in this session Building and managing the data warehouse Data extraction and transformation Technical issues.

Lecture 5 Themes in this session Building and managing the data warehouse Data extraction and transformation Technical issues.
© 2004 Visible Systems Corporation. All rights reserved. 1 (800) 6VISIBLE www.visible.com Holistic View of the Enterprise Business Development Operations.

© 2004 Visible Systems Corporation. All rights reserved. 1 (800) 6VISIBLE Holistic View of the Enterprise Business Development Operations.
On Privacy-aware Information Lifecycle Management (ILM) in Enterprises: Setting the Context Marco Casassa Mont Hewlett-Packard.

On Privacy-aware Information Lifecycle Management (ILM) in Enterprises: Setting the Context Marco Casassa Mont Hewlett-Packard.
© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Policy Management: An Overview Marco.

© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Policy Management: An Overview Marco.
© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Panel: Business Impact of Research.

© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Panel: Business Impact of Research.
An Application-led Approach for Security-related Research in Ubicomp Philip Robinson TecO, Karlsruhe University 11 May 2005.

An Application-led Approach for Security-related Research in Ubicomp Philip Robinson TecO, Karlsruhe University 11 May 2005.
System Engineering Instructor: Dr. Jerry Gao. System Engineering Jerry Gao, Ph.D. Jan. 1999 - System Engineering Hierarchy - System Modeling - Information.

System Engineering Instructor: Dr. Jerry Gao. System Engineering Jerry Gao, Ph.D. Jan System Engineering Hierarchy - System Modeling - Information.
Click to add text © 2010 IBM Corporation OpenPages Solution Overview Mark Dinning Principal Solutions Consultant.

Click to add text © 2010 IBM Corporation OpenPages Solution Overview Mark Dinning Principal Solutions Consultant.
Privacy By Design Sample Use Case Privacy Controls Insurance Application- Vehicle Data.

Privacy By Design Sample Use Case Privacy Controls Insurance Application- Vehicle Data.
Process-oriented System Automation Executable Process Modeling & Process Automation.

Process-oriented System Automation Executable Process Modeling & Process Automation.
MDC Open Information Model West Virginia University CS486 Presentation Feb 18, 2000 Lijian Liu (OIM:

MDC Open Information Model West Virginia University CS486 Presentation Feb 18, 2000 Lijian Liu (OIM:
ArcGIS Workflow Manager An Introduction

ArcGIS Workflow Manager An Introduction
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 18 Slide 1 Software Reuse.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 18 Slide 1 Software Reuse.
Demonstration of the Software Prototypes PRIME PROJECT 17 December 2004.

Demonstration of the Software Prototypes PRIME PROJECT 17 December 2004.
1 Introduction to Database Systems. 2 Database and Database System / A database is a shared collection of logically related data designed to meet the.

1 Introduction to Database Systems. 2 Database and Database System / A database is a shared collection of logically related data designed to meet the.
1st Workshop on Intelligent and Knowledge oriented Technologies Universal Semantic Knowledge Middleware Marek Paralič,

1st Workshop on Intelligent and Knowledge oriented Technologies Universal Semantic Knowledge Middleware Marek Paralič,

Similar presentations

Ads by Google