A Systemic Approach to Automate Privacy Policy Enforcement in Enterprises


  1. PET 2006, Cambridge, UK. A Systemic Approach to Automate Privacy Policy Enforcement in Enterprises. Marco Casassa Mont and Robert Thyne (marco.casassa-mont@hp.com, robert.thyne@hp.com), Trusted Systems Lab, HP Labs, Bristol, UK.

  2. Presentation Outline
     • Privacy: Core Concepts and Background
     • Addressed Problems
     • Analysis (Issues, Related Work, Requirements):
       - Privacy-Aware Access Control
       - Privacy Obligation Management and Enforcement
     • Our Work:
       - Privacy Automation Context
       - Privacy-Aware Access Control
       - Obligation Management and Enforcement
     • Conclusions

  4. Privacy: An Important Aspect of Regulatory Compliance (diagram: regulatory compliance shown as an example process, driven by regulations; the list of regulations is incomplete …)

  5. Regulatory Compliance: Impact on Enterprises and Opportunities (diagram)
     • Drivers acting on the enterprise, its applications & services and the personal data of people: privacy legislation (EU laws, HIPAA, COPPA, SOX, GLB, Safe Harbour, …), internal guidelines and customers’ expectations
     • Opportunity: positive impact on reputation, brand, customer retention and customers’ satisfaction

  6. Data Governance and Policy Management (Including Privacy Policies): Gaps (diagram). Process stages: data inventory (confidential/personal data, people/roles, systems/applications/services), gap and risk analysis, policy development and modelling, policy deployment, policy enforcement, and monitoring, audit, reporting and policy management.

  7. Privacy for Personal Data: Core Principles (diagram). Privacy policies for personal data cover: purpose specification, consent, limited collection, limited use, limited disclosure, limited retention, privacy permissions, privacy obligations and privacy rights.

  9. Addressed Problems
     • How to Automate the Enforcement of Privacy Policies within Enterprises:
       - How to Automate Privacy-Aware Access Control
       - How to Automate Privacy Obligation Management/Enforcement
     • How to Do This in a Systemic Way
     • How to Leverage Current Identity Management Solutions

  11. Privacy Enforcement for Personal Data: Principles and Implications (diagram). Privacy policies built on purpose specification, consent, limited collection, limited use, limited disclosure and limited retention all carry access control implications for privacy enforcement.

  12. Privacy Enforcement on Data: Access Control + “Intent, Purpose, Consent, …” (diagram)
      • Traditional Access Control: decides on Requestor, Rights and Actions over Personal Data
      • Privacy-Aware Access Control: adds a Privacy Extension to the same decision with the data’s Purpose, the Requestor’s Intent, the Owner’s Consent and Other Constraints
      • It is not just a matter of traditional access control: need to include data purpose, intent and user’s consent. Moving towards a “Privacy-Aware” Access Control …

  13. Example: Privacy-aware Access Control (Consent, Purpose and Intent Management)
      Table T1 with PII data and customers’ consent (the per-uid consent flags for Marketing and Research are held in table T2):
        | uid | Name  | Condition          | Diagnosis |
        | 1   | Alice | Alcoholic          | Cirrhosis |
        | 2   | Rob   | Drug Addicted      | HIV       |
        | 3   | Julie | Contagious Illness | Hepatitis |
      Enterprise privacy policy & customers’ consent, for T1:
        If role == “empl.” and intent == “Marketing” Then Allow Access (T1.Condition, T1.Diagnosis) & Enforce (Consent)
        Else If intent == “Research” Then Allow Access (T1.Diagnosis) & Enforce (Consent)
        Else Deny Access
      Access request: SELECT * FROM T1, with Intent = “Marketing”. Privacy policy enforcement: filter data, by rewriting the query as
        SELECT “-”, Condition, Diagnosis FROM T1, T2 WHERE T1.uid = T2.Consent AND T2.Marketing = “YES”
      Filtered data:
        | uid | Name | Condition          | Diagnosis |
        | 1   | -    | Alcoholism         | Cirrhosis |
        | 2   | -    | -                  | -         |
        | 3   | -    | Contagious Illness | Hepatitis |

  14. Privacy Policy Definition and Enforcement: Implicit Approach (No Flexibility)
      • Embed privacy policies within applications (business logic), queries, services/ad-hoc solutions that access Personal Data
      • Simple approach
      • It does not scale in terms of policy management
      • It is not flexible and adaptive to changes

  15. Privacy Policy Definition and Enforcement: Explicit Approach (Vertical and Invasive)
      • Fully deployed Privacy Management Frameworks
      • Explicit management of Privacy Policies
      • Might require major changes to IT and data infrastructure
      • Usage of vertical solutions/focus on RDBMS
      • Current approaches: IBM/Tivoli Privacy Manager; privacy-aware Hippocratic Databases

  16. HP Approach: Adaptive, Integrated and Flexible Enforcement of Privacy Policies (positioned between the implicit and the explicit approach)
      • Single solution for explicit management of Privacy Policies on heterogeneous Data Repositories
      • Privacy enforcement by leveraging and extending the Security/Access Control Framework, with an easy-to-use management UI
      • Does not require major changes to Applications/Services or Data Repositories

  17. Key Requirements
      • Modelling of Personal Data
      • Explicit definition, authoring and management of Privacy Policies
      • Extensible Privacy Policies
      • Explicit deployment and enforcement of Privacy Policies
      • Integration with traditional Access Control Systems
      • Simplicity of usage
      • Support for audit

  19. Privacy Obligation Refinement: Abstract vs. Refined
      • Obligations can be very abstract: “Every financial institution has an affirmative and continuing obligation to respect customer privacy and protect the security and confidentiality of customer information” (Gramm-Leach-Bliley Act)
      • More refined Privacy Obligations dictate duties, expectations and responsibilities on how to handle Personal Data:
        - Notice requirements
        - Enforcement of opt-in/opt-out options
        - Limits on reuse of information and information sharing
        - Data retention limitations …

  20. Setting Privacy Obligations: A Complex Topic … (diagram of the dimensions of an obligation)
      • Duration: short-term, long-term, one-time, ongoing
      • Enforcement: event-driven, transactional, other
      • Types: data retention & handling; dependent on access control; independent from access control
      • Context: data subject (e.g. “Notify user via e-mail if his data is accessed”) or enterprise (e.g. “Delete data XYZ after 7 years”)
      • Open questions: How to represent privacy obligations? How to stick them to personal data? How to manage, enforce and monitor them? How to integrate them into current IDM solutions?

  21. Privacy Obligations: Common Aspects
      • Timeframe (period of validity) of obligations
      • Events/contexts that trigger the need to fulfil obligations
      • Target of an obligation (PII data)
      • Actions/tasks/workflows to be enforced
      • Responsible for enforcing obligations
      • Exceptions and special cases

  22. Technical Work in this Space [1/2]: Current Approaches to Privacy Obligations
      • P3P (W3C):
        - Definition of user’s privacy expectations
        - Explicit declaration of enterprise promises
        - No definition of mechanisms for their enforcement
      • Data retention solutions and document management systems:
        - Limited in terms of expressiveness and functionalities
        - Focusing more on documents/files, not personal data
      • Ad-hoc solutions for vertical markets

  23. Technical Work in this Space [2/2]: Recent Relevant Work Done in this Space
      • IBM Enterprise Privacy Architecture, including a policy management system, a privacy enforcement system and audit
      • Initial work on privacy obligations in the context of the Enterprise Privacy Authorization Language (EPAL)
      • XACML (OASIS): similar standard proposal
      • Observations on this work:
        - No refined model of privacy obligations
        - Privacy obligations subordinated to AC. Incorrect …

  24. Privacy Obligations: Suggested Approach
      • Deal with Privacy Obligations as “first-class citizens” in the context of enterprises and organisations; recognise their importance for regulatory compliance
      • Recognise the importance of separation of concerns: explore how to explicitly represent, manage and enforce privacy obligations without imposing any dominant view (for example, the authorization perspective)
      • Research and work on longer-term issues, such as accountability, stronger associations of obligations to data, obligation versioning and tracking

  25. Key Requirements
      • Explicit modelling and representation of privacy obligations
      • (Strong) association of obligations to data
      • Mapping obligations into enforceable actions
      • Compliance of refined obligations to high-level policies
      • Tracking the evolution of obligation policies
      • Dealing with long-term obligation aspects
      • Accountability management and auditing
      • Monitoring obligations
      • User involvement
      • Handling complexity and cost of instrumenting applications and services

  27. Privacy Automation for Identity Management (architecture diagram). Users, employees and third parties reach the enterprise through a web portal; self-registration captures personal data & privacy preferences (consent & other preferences) and produces privacy obligations, while privacy admins control the privacy policies and system settings. Inside the enterprise, the identity management middleware (user provisioning & account management, access control system) sits between applications/services and the data repositories; a privacy-aware access control system answers access requests from applications with privacy-aware queries, and an obligation management system provides privacy-aware information lifecycle management over the stored data.

  29. Our Model of Privacy-Aware Access Control (diagram)
      • Components: Requestors, Applications, Services, …; Privacy Policy Enforcement Point; Privacy Policy Decision Point (Access Control + Privacy Policies: intent, purpose, consent, constraints …); Data Enforcer; Data Repositories (Personal Data + Data Subjects’ Consent); Privacy Policy & Data Authoring Tools
      • Flow (numbered 1-5 in the diagram): an access request carrying the requestor’s intent reaches the Privacy Policy Enforcement Point, which asks the Privacy Policy Decision Point for a privacy-aware decision; the Data Enforcer then performs a privacy-aware access to the data repositories, and the accessed data (it could be a subset of the requested data) is returned to the requestor

  30. HP OpenView Select Access: Access Control System for the definition, enforcement and auditing of access control policies. http://www.openview.hp.com/products/select/

  31. Privacy Policy Enforcement: Core Requirements for HP Select Access
      1. Explicit modelling of confidential data
      2. Describe privacy policy based on the content of data, consent, intent and data purpose
      3. Make decisions based on these privacy policies
      4. Enforce these privacy decisions
      • Extend Select Access mainly via its standard APIs to implement the above requirements

  32. Privacy Enforcement in HP Select Access (architecture diagram). Data modelling & privacy policy authoring are done in the Policy Builder (extended with HPL plug-ins); the resulting access control policies + privacy policies (intent, purpose, consent, constraints …) are deployed to the Policy Repository. At run time an access request from applications, services or web services (requestor’s intent + request to access data) passes through an Enforcer plug-in to the Validator (policy decision, extended with HPL plug-ins), which returns a grant/deny or privacy-aware decision; the HPL Data Enforcer then carries out privacy policy enforcement on personal data (personal data + owners’ consent) and returns the privacy-aware data access. Decisions and enforcement are audited.

  33. Select Access: Privacy Extension [1/4] (requirement 1)
      • Modelling Data Resources in SA Policy Builder: Data Resources are added to the Policy Builder

  34. Select Access: Privacy Extension [2/4] (requirement 2)
      • Author Privacy Policies in SA Policy Builder via SA plug-ins:
        - Add privacy constraints on “Data Resources”: checking intent vs. purpose, consent, etc.
        - Describe policies the evaluation of which is: “Allow Access to Data + Privacy Constraints to be Enforced”
      • Rule Editor plug-ins: Purpose-based Decision plug-in, Data Filtering plug-in, Consent Management plug-in, Data Expiration plug-in
      • Privacy constraints: filtering data; enforce consent; obfuscating data; transformation of data …

  35. Select Access: Privacy Extension [3/4] (requirement 3)
      Request: Data Resource + Intent + (Parameters)
      • Privacy decisions by the SA Validator (PDP): a Validator plug-in makes decisions based on privacy policies (1-1 correspondence with the Policy Builder plug-in)
      • Decisions must support privacy-oriented constraints (to be enforced): “Allow Access to Data + Constraints to be Enforced” (e.g. allow access to table “Patients Details”, but strip out the columns “Name, Surname, Address”)
      • The SA Validator is general purpose. It does not examine confidential data, for performance/logistic reasons.
      • SA Validator plug-in decisions: NO; YES; YES + Constraints

  36. Select Access: Privacy Extension [4/4] (requirement 4): Privacy Constraints enforced by a Data Enforcer …
      • The SA Web Enforcer focuses on Web Resources. It does not explicitly deal with Data Resources …
      • Add a SA “Data Enforcer” that:
        - is located nearby the Data Repository (performance …)
        - knows how to access/handle data and “queries”
        - knows how to enforce privacy constraints
        - can support “query rewriting” (i.e. filtering, etc.)
      • The new SA “Data Enforcer” is designed to have:
        - a general purpose engine (to interact with the SA Validator)
        - ad-hoc plug-ins for different data sources, to interpret and enforce privacy decisions (e.g. RDBMS, LDAP servers, virtual directories, meta-directories, …)
      • Diagram: the access request + intent reaches the SA Data Enforcer (data proxy) through the Enforcer API; its logic consults the Validator plug-in and hands the constraints to a per-source Constraint Enforcement Engine (LDAP server, meta directory, RDBMS); only the data allowed to access is returned

  37. Data Enforcer SQL Query Transformation
      Original SQL query:
        SELECT * FROM PatientRecords;
      SQL query transformed by the Data Enforcer (pre-processing):
        SELECT PatientRecords.NAME, PatientRecords.DoB, PatientRecords.GENDER, '-' AS SSN, PatientRecords.ADDRESS, PatientRecords.LOCATION, PatientRecords.EMAIL, PatientRecords.COMM, PatientRecords.LIFESTYLE, '-' AS GP, '-' AS HEALTH, '-' AS CONSULTATIONS, '-' AS HOSPITALISATIONS, '-' AS FAMILY, '-' AS Username
        FROM PatientRecords, PrivacyPreferences
        WHERE PatientRecords.Name = PrivacyPreferences.Name AND PrivacyPreferences.Marketing = 'Yes';
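The following Python program is an added illustration of slides 13 and 35-37 together; it is not code from HP Select Access or from the talk. A small policy decision point returns NO or YES + constraints for a (role, intent) pair without ever reading the data, and a data-enforcer rewrites `SELECT * FROM T1` into a query that exposes only the permitted columns and blanks the PII of every data subject who has not consented to the stated intent. The tables T1 and T2, the consent values, the rule set and all function names are constructed for the example; it runs against an in-memory SQLite database. Unlike the join on the slide, which drops non-consenting rows, this rewrite keeps every row and masks the columns, matching the “filtered data” table of slide 13.

```python
"""Privacy-aware access control by query rewriting (constructed example).

PDP: evaluates (role, intent) against privacy rules -> NO, or YES + constraints.
Data Enforcer: rewrites the SQL so that only permitted columns are returned and
PII columns are blanked for data subjects without consent for that intent.
"""
import sqlite3
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data, after slide 13: T1 holds PII, T2 holds consent flags.
T1_ROWS = [
    (1, "Alice", "Alcoholism", "Cirrhosis"),
    (2, "Rob", "Drug addiction", "HIV"),
    (3, "Julie", "Contagious illness", "Hepatitis"),
]
T2_ROWS = [  # (uid, Marketing, Research) consent as 'YES'/'NO'; constructed values
    (1, "YES", "YES"),
    (2, "NO", "NO"),
    (3, "YES", "NO"),
]
PII_COLUMNS = ("Name", "Condition", "Diagnosis")

# Privacy rules for resource T1, in the shape of slide 13's policy:
# (required role or None, intent, PII columns that may be exposed).
# Consent for the intent is always enforced when access is allowed.
RULES = [
    ("empl.", "Marketing", ("Condition", "Diagnosis")),
    (None, "Research", ("Diagnosis",)),
]


@dataclass(frozen=True)
class Decision:
    """PDP answer: NO, or YES plus the constraints the enforcer must apply."""
    allow: bool
    columns: Tuple[str, ...] = ()          # PII columns the requestor may see
    consent_column: Optional[str] = None   # T2 column that must be 'YES' per row


def decide(role: str, intent: str) -> Decision:
    """Privacy Policy Decision Point: decides on role and intent, never on the data."""
    for required_role, rule_intent, columns in RULES:
        if rule_intent == intent and (required_role is None or required_role == role):
            return Decision(allow=True, columns=columns, consent_column=intent)
    return Decision(allow=False)


def rewrite_query(decision: Decision) -> str:
    """Data Enforcer pre-processing: SELECT * FROM T1 becomes a constrained query.

    Column and consent names come only from RULES, never from the request, so a
    caller-supplied intent string cannot steer the rewritten SQL. A subject with
    no T2 row (LEFT JOIN gives NULL) is treated as not having consented.
    """
    if not decision.allow:
        raise PermissionError("no query is built for a NO decision")
    items = ["T1.uid"]  # join key, kept so callers can still correlate rows
    for col in PII_COLUMNS:
        if col in decision.columns:
            items.append(
                f"CASE WHEN T2.{decision.consent_column} = 'YES' "
                f"THEN T1.{col} ELSE '-' END AS {col}"
            )
        else:
            items.append(f"'-' AS {col}")  # not permitted for this intent at all
    return (
        "SELECT " + ", ".join(items)
        + " FROM T1 LEFT JOIN T2 ON T1.uid = T2.uid ORDER BY T1.uid"
    )


def privacy_aware_query(conn: sqlite3.Connection, role: str, intent: str):
    """Full path: access request + intent -> PDP decision -> enforced data."""
    decision = decide(role, intent)
    if not decision.allow:
        raise PermissionError(f"access denied for role={role!r}, intent={intent!r}")
    return conn.execute(rewrite_query(decision)).fetchall()


def build_db() -> sqlite3.Connection:
    """In-memory repository holding the constructed T1/T2 tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE T1 (uid INTEGER PRIMARY KEY, Name TEXT, Condition TEXT, Diagnosis TEXT)")
    conn.execute("CREATE TABLE T2 (uid INTEGER PRIMARY KEY, Marketing TEXT, Research TEXT)")
    conn.executemany("INSERT INTO T1 VALUES (?, ?, ?, ?)", T1_ROWS)
    conn.executemany("INSERT INTO T2 VALUES (?, ?, ?)", T2_ROWS)
    return conn


if __name__ == "__main__":
    db = build_db()
    print(rewrite_query(decide("empl.", "Marketing")))
    for row in privacy_aware_query(db, "empl.", "Marketing"):
        print(row)
```

The split mirrors slide 35: the decision point only sees the request (role, intent, resource) and returns constraints, while the enforcer sitting next to the repository is the only component that touches the rows. Adding a new intent means adding a rule and a consent column, not changing the application’s query.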

  38. Data Enforcer: Performance Based on Type of Queries (chart not reproduced in the transcript)

  39. Demo: HealthCare Scenario (deployment diagram). A user’s web browser reaches a web portal protected by the SA Web Enforcer; the web services accessing PII data (SQL) go through a JDBC proxy hosting the SA Data Enforcer with privacy plug-ins, in front of the personal data database. The SA Validator + privacy plug-ins take the decisions, policies are authored in the SA Policy Builder, and LDAP directories complete the deployment.

  40. Next Steps
      • HP Software business considering the productisation of privacy enforcement for HP Select Access
      • More R&D on Data Enforcers for LDAP directories, meta/virtual directories
      • HP interested in “lighthouse” customers for collaborations and joint technological trials

  42. Obligation Management System (OMS): Model (diagram). Within the enterprise, the Obligation Management Framework takes privacy preferences from data subjects and privacy obligations from administrators, binds them to personal data (PII), and provides obligations scheduling, obligations enforcement and obligations monitoring.

  43. Privacy Obligations: Modelling and Representation. A privacy obligation consists of:
      • Obligation identifier
      • Targeted personal data: references to stored PII data, e.g. database query, LDAP reference, files, etc.
      • Triggering events: one or more events that trigger different actions, e.g. time-based events, access-based, context-based, on-going events
      • Actions: delete, notify, …
      • Additional metadata (future extensions)

  44. Privacy Obligations: Format Example
      <obligation id="gfrbg7645gt45">
        <target>
          <database>
            <dbname>Customers</dbname>
            <tname>Customers</tname>
            <locator>
              <key name="UserID">oid_a83b8a:fdfc44df3b:-7f9c</key>
            </locator>
            <data attr="part">
              <item>creditcard</item>
              <item>firstname</item>
            </data>
          </database>
        </target>
        <obligationitem sid="1">
          <metadata>
            <type>LONGTERM</type>
            <description>Delete [firstname,surname] at Sat Aug 15 17:26:21 BST 2004.]</description>
          </metadata>
          <events>
            <event>
              <type>TIMEOUT</type>
              <date now="no">
                <year>2004</year>
                <month>08</month>
                <day>14</day>
                <hour>17</hour>
                <minute>26</minute>
              </date>
            </event>
          </events>
          <actions>
            <action>
              <type>DELETE</type>
              <data attr="part">
                <item>creditcard</item>
                <item>firstname</item>
              </data>
            </action>
          </actions>
        </obligationitem>
      </obligation>
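To show how an obligation in this format moves through scheduling, enforcement and audit, here is an added Python example; it is not the OMS code from the talk. It parses the obligation above (reproduced with straight quotes, the `<date>` element closed and a description that matches the action), queues its TIMEOUT event, and when the clock passes the deadline deletes the listed items from the targeted record and writes an audit entry; a missing target is audited rather than ignored, and non-DELETE actions are audited as unsupported. The in-memory store, the record contents, and the class and function names are constructed for the example.

```python
"""Obligation parsing, scheduling and enforcement (constructed example)."""
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Dict, List, Tuple

# Slide 44's obligation, adapted: straight quotes, <date> closed, description aligned with the action.
OBLIGATION_XML = """<obligation id="gfrbg7645gt45">
 <target><database><dbname>Customers</dbname><tname>Customers</tname>
  <locator><key name="UserID">oid_a83b8a:fdfc44df3b:-7f9c</key></locator>
  <data attr="part"><item>creditcard</item><item>firstname</item></data></database></target>
 <obligationitem sid="1">
  <metadata><type>LONGTERM</type><description>Delete [creditcard,firstname] on 2004-08-14 17:26</description></metadata>
  <events><event><type>TIMEOUT</type><date now="no"><year>2004</year><month>08</month><day>14</day><hour>17</hour><minute>26</minute></date></event></events>
  <actions><action><type>DELETE</type><data attr="part"><item>creditcard</item><item>firstname</item></data></action></actions>
 </obligationitem></obligation>"""

DATE_FIELDS = ("year", "month", "day", "hour", "minute")


def parse_obligation(xml_text: str) -> dict:
    """Map the XML onto a dict: id, target locator, and items with events and actions."""
    root = ET.fromstring(xml_text)
    db = root.find("target/database")
    key = db.find("locator/key")
    target = {"table": db.findtext("tname"), "key_name": key.get("name"), "key": key.text}
    items = []
    for item in root.findall("obligationitem"):
        events = []
        for ev in item.findall("events/event"):
            date = ev.find("date")
            due = None  # now="yes" or no date at all: the event is not clock-driven
            if date is not None and date.get("now") == "no":
                due = datetime(*(int(date.findtext(f)) for f in DATE_FIELDS))
            events.append({"type": ev.findtext("type"), "due": due})
        actions = [{"type": a.findtext("type"), "items": [i.text for i in a.findall("data/item")]}
                   for a in item.findall("actions/action")]
        items.append({"sid": item.get("sid"), "type": item.findtext("metadata/type"),
                      "events": events, "actions": actions})
    return {"id": root.get("id"), "target": target, "items": items}


class ObligationServer:
    """Reduced Obligation Scheduler + Obligation Enforcer + Audit Server (cf. slide 45)."""

    def __init__(self, store: Dict[Tuple[str, str], dict]):
        self.store = store                 # {(table, key): record}; stands in for the repository
        self.pending: List[tuple] = []     # (due, obligation id, sid, actions, target)
        self.audit: List[dict] = []

    def schedule(self, obligation: dict) -> int:
        """Queue every clock-driven TIMEOUT event; returns how many were queued."""
        queued = 0
        for item in obligation["items"]:
            for ev in item["events"]:
                if ev["type"] == "TIMEOUT" and ev["due"] is not None:
                    self.pending.append((ev["due"], obligation["id"], item["sid"],
                                         item["actions"], obligation["target"]))
                    queued += 1
        self.pending.sort(key=lambda p: p[0])
        return queued

    def tick(self, now: datetime) -> List[Tuple[str, str]]:
        """Enforce every item whose deadline has passed; returns the (id, sid) pairs fired."""
        fired, later = [], []
        for entry in self.pending:
            due, oid, sid, actions, target = entry
            if due <= now:
                for action in actions:
                    self._enforce(oid, sid, action, target, now)
                fired.append((oid, sid))
            else:
                later.append(entry)
        self.pending = later
        return fired

    def _enforce(self, oid, sid, action, target, now):
        """Apply one action to the targeted record and write the audit entry."""
        record = self.store.get((target["table"], target["key"]))
        entry = {"when": now.isoformat(), "obligation": oid, "sid": sid,
                 "action": action["type"], "items": action["items"], "key": target["key"]}
        if action["type"] != "DELETE":
            entry["status"] = "UNSUPPORTED"     # only DELETE is modelled in this example
        elif record is None:
            entry["status"] = "TARGET_MISSING"  # data already gone: audited, not silently dropped
        else:
            for col in action["items"]:         # attr="part": remove only the listed items
                record.pop(col, None)
            entry["status"] = "OK"
        self.audit.append(entry)


def run_demo() -> dict:
    """Take the obligation through its lifecycle and return the observable outcome."""
    locator = ("Customers", "oid_a83b8a:fdfc44df3b:-7f9c")
    store = {locator: {"firstname": "Alice", "surname": "Smith",
                       "creditcard": "4111-0000-0000-0000"}}  # constructed record
    server = ObligationServer(store)
    server.schedule(parse_obligation(OBLIGATION_XML))
    early = server.tick(datetime(2004, 8, 14, 17, 0))   # before the deadline: nothing fires
    late = server.tick(datetime(2004, 8, 14, 17, 26))   # deadline reached: DELETE is enforced
    return {"early": early, "late": late, "record": dict(store[locator]),
            "audit": server.audit, "pending": len(server.pending)}


if __name__ == "__main__":
    print(run_demo())
```

The audit entries are what make the obligation accountable (slide 25’s requirement): every enforcement, including the failure cases, leaves a record tied to the obligation id and the data locator, so a monitoring service can later check that the retention promise was actually kept.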

  45. OMS: High Level System Architecture (diagram). Data subjects and admins set privacy obligations on personal data through a privacy-enabled portal (applications and services can do the same); the Obligation Server keeps them in the Obligation Store & Versioning (obligation + data reference) and hands them to the Obligation Scheduler and the Obligation Enforcer, which enforce them on the confidential data through workflows and action adaptors. An Events Handler and an Obligation Monitoring Service (monitoring task handler, information tracker) let admins monitor privacy obligations, and an Audit Server records what was enforced.

  46. HP OpenView Select Identity: User Provisioning and Account Management
      • Centralised management of identities in an organisation
      • Support for self registration and user provisioning
      • Account management and provisioning across platforms, applications and corporate boundaries
      • Diagram: users and administrators (admin GUI) interact with HP Select Identity, which holds personal data and the descriptions of services, roles and entitlements and drives provisioning workflows; JCA connectors, web service agents and agents manage accounts on systems, data repositories and legacy applications and services, with feedback/updates flowing back
      http://www.openview.hp.com/products/slctid/index.html

  47. OMS Integration with HP Select Identity: explicit management, enforcement and monitoring of privacy preferences and constraints associated to personal data and digital identities, turning privacy preferences into privacy obligations. (Diagram: a data subject performs self registration and user account management in HP Select Identity, which provisions personal data + privacy preferences to the enterprise data repositories through connectors; the Obligation Management System, reached through a web service API, performs privacy obligation enforcement & monitoring and writes audit logs.)

  48. Next Steps
      • More research in the context of the EU PRIME Project
      • Addressing open issues such as obligation life-cycle management, overall scalability, stickiness of privacy obligations to PII data
      • HPL interest in “lighthouse” customers for collaborations and joint technological trials

  50. Conclusions
      • Privacy management is important for enterprises: need to satisfy regulatory compliance requirements and users’ expectations and needs
      • Important aspects for enterprises: automation of privacy policy enforcement; a systemic approach that leverages IdM solutions
      • Focus on: privacy policy enforcement; privacy obligation management
      • Our contributions: a systemic approach to privacy based on middleware integrated with IdM solutions; proof-of-concepts by leveraging HP Identity Management solutions & PRIME
      • R&D still in progress …
      • HP keen on collaborations for technology trials and on getting further requirements
