Governance Policies for Privacy Access and their Interactions ICFI-2005
Page 1
Governance Policies for Privacy Access and their Interactions
ICFI-2005
Waël Hassan (1) & Luigi Logrippo (2)
(1) University of Ottawa, School of Information Technology and Engineering
(2) Université du Québec en Outaouais, Department of Computer Science & Engineering
Page 2
Goal
Detecting policy interactions in privacy governance policies
How
• By using formal models
• Proposing a privacy model
Page 3
Agenda
• Policy Drivers
  – Convergence of control and policy systems
  – Requirements of new privacy models
• Conflict detection using formal models
  – Delegation, separation, Alloy
• Proposed process based privacy model
• Evaluation
  – Support of existing concepts
  – Advantages over existing models
• Verification
• Conclusion
Page 4
Policy Model Drivers
• Convergence of control and policy systems
  – From operational to rules of governance
  – Activity or trigger based to data based
• Requirements of new privacy models
  – Release information based on purpose
  – Control flow of information
  – Ability to specify separation of concerns
Page 5
Layers
(Diagram of three layers: Actions, Features, Transactions; Functional Hierarchies (Roles); Process Level)
Page 6
Conflicts in Enterprise Governance
• Policies of access to information can cause conflict depending on their scope
  – Logically contradicting policies will interact if their scopes overlap.
  – A subject roaming in multiple scopes can cause a rule conflict
  – A subject delegating authority over an object can cause a conflict
  – An object shared by multiple subjects can cause conflict
• Policies of privacy access can interact if the reasons (purposes) of access conflict
Page 7
Overlapping scope (Policies x Roles)
(Diagram: an organisation chart with the CEO at the top; below, Vice President Sales, Vice President Marketing, Vice President Development and Vice President Operations, each with Managers, and Employees under the Managers. Three overlap situations are marked on the chart: Roaming, Shared and Delegation.)
Page 8
Examples
• Rule: An employee cannot have access to both customers' address and credit card information (card number, expiry date, PIN, and last 4 digits on the back of the card)
• Process
  – One of the tasks of issuing a new card (CreateAccount) includes the mailing of the credit card to the consumer.
  – (Process) CreateAccount :- (Step) LeaveTraceInSystem, (Process) CreateCard, (Process) MailCard.
• Result
  – Interaction
Page 9
Separation of concerns
• Rule:
  – No one person is allowed to create and delete accounts
  – (Process) CreditCardApp :- (Process) ReceiveCardApplication, (Process) CallCreditCheck, (Process) IssueCard, (Process) CreateAccount.
  – (Process) WithdrawApplication :- (Process) DeleteAccount, (Step) NotifyClient.
In this instance Alloy was able to detect violations of this rule.
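The two interactions on these slides can be reproduced without Alloy by expanding each process into everything it executes and checking the rules over that expansion. The block below is an added example, not the authors' Alloy model: the process compositions are the ones given on the slides (DeleteAccount comes from the "Extra" slide), while the mapping of steps to customer data categories and the user assignments are constructed assumptions.

```python
"""Added example (not the slide deck's Alloy model): expand the process
definitions given on the slides into everything they execute, then check
the two governance rules of the 'Examples' and 'Separation of concerns'
slides against constructed user assignments."""

# Process compositions as given on the slides (":-" read as "is composed of").
# Names that never appear as a key are Steps.
PROCESSES = {
    "CreditCardApp": ["ReceiveCardApplication", "CallCreditCheck", "IssueCard", "CreateAccount"],
    "CreateAccount": ["LeaveTraceInSystem", "CreateCard", "MailCard"],
    "DeleteAccount": ["LeaveTraceInSystem", "RemoveAccount"],
    "WithdrawApplication": ["DeleteAccount", "NotifyClient"],
}

# Assumption (not on the slides): the customer data category each step touches.
STEP_DATA = {
    "MailCard": {"address"},
    "CreateCard": {"card_details"},
    "IssueCard": {"card_details"},
    "CallCreditCheck": {"credit_report"},
}

# Constructed assignments: the processes each employee is assigned to
# (the user-process variation, where a process is assigned as a whole).
ASSIGNMENTS = {
    "clerk": ["WithdrawApplication"],
    "officer": ["CreditCardApp"],
    "manager": ["CreditCardApp", "WithdrawApplication"],
}


def reachable(name, trail=()):
    """Every process and step executed by `name`, itself included.
    `trail` rejects a definition that directly or indirectly contains itself."""
    if name in trail:
        raise ValueError(f"cyclic process definition through {name!r}")
    names = {name}
    for part in PROCESSES.get(name, ()):  # a Step has no parts
        names |= reachable(part, trail + (name,))
    return names


def data_reached(processes):
    """Data categories an employee assigned to `processes` can touch."""
    touched = set()
    for proc in processes:
        for name in reachable(proc):
            touched |= STEP_DATA.get(name, set())
    return touched


def audit(assignments):
    """Return (user, rule) pairs for every rule an assignment violates.

    address+card  : slide 8, no employee sees both address and card details
    create+delete : slide 9, no one person both creates and deletes accounts
    """
    findings = []
    for user, procs in assignments.items():
        names = set().union(*(reachable(p) for p in procs))
        if {"address", "card_details"} <= data_reached(procs):
            findings.append((user, "address+card"))
        if {"CreateAccount", "DeleteAccount"} <= names:
            findings.append((user, "create+delete"))
    return findings


if __name__ == "__main__":
    for user, rule in audit(ASSIGNMENTS):
        print(f"{user}: violates {rule}")
```

Note that the officer, who is assigned only CreditCardApp, already violates the address/card rule: CreateAccount sits inside CreditCardApp and contains both MailCard and CreateCard, which is exactly the interaction the slide reports. The manager additionally reaches both CreateAccount and DeleteAccount and so trips the create/delete rule.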
Page 10
Delegation Interaction
• Rule: Information collected for the purpose of credit verification should not be generally available to employees in loan processing
• The Loan Processing process includes Verify Credit
• Employee delegates Role to manager
(Diagram: process Loan Processing, with the step sequence Receive Loan, Verify Credit, Reject Loan)
Page 11
Process Based Governance
Governance of organizations by specifying control of access (to information) by applying policies to processes
Page 12
Process Based Control
• A business process is a unit that can be composed of steps and/or processes.
• Steps in a process are sequential
(Diagram: a Process box containing its sequence of steps)
Page 13
In a business process environment it should be
• Easy to tie purposes to actions
• Possible to apply invariants for a complete structure
• Easy to trace policy modifications
(Diagram: Business Process. Loan Processing: Receive Loan, Verify Credit, Reject Loan. Verify Credit expands to: Receive Card Application, Call CreditCheck, Process Answer, Provide Feedback, Create Card, Mail Response.)
Page 14
PPM Approach Supports
• Flow of information (Bell-LaPadula)
• Separation of concerns (Chinese Wall)
Page 15
Bell-LaPadula
Intended for military applications; flow based.
1. Security clearances
2. Security requirements
A can access y iff clearance of A > requirement of y
A can forward access to y for B iff clearance of B > requirement of y
(Diagram: subject A, object X and subject B, arranged by level)
Page 16
Bell-LaPadula
• Lattice based model
(Diagram: the levels U, C, S and TS joined by the Leq relation)
U  Unclassified
C  Classified
S  Secret
TS Top-Secret
Partial order
• Reflexive
• Transitive
• Anti-symmetric
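The lattice on this slide and the two rules on the previous one can be written down and checked directly. The block below is an added example, not from the slides: it encodes Leq over the four levels as an explicit set of pairs, verifies the three partial-order properties the slide lists, and evaluates the access and forwarding rules against constructed clearances and requirements. Because Leq is reflexive, a subject whose clearance equals an object's requirement is allowed access, which is the usual reading of "dominates" in Bell-LaPadula.

```python
"""Added example, not from the slides: the Bell-LaPadula lattice of slide 16
written out as an explicit Leq relation, with the two access rules of slide 15
evaluated against it. Clearances and requirements below are constructed."""

LEVELS = ["U", "C", "S", "TS"]  # Unclassified < Classified < Secret < Top-Secret

# Leq as a set of pairs (a, b): "a is at or below b".
LEQ = {(a, b) for i, a in enumerate(LEVELS) for b in LEVELS[i:]}


def leq(a, b):
    return (a, b) in LEQ


def is_partial_order(rel, elems):
    """The three properties listed on slide 16: reflexive, transitive, anti-symmetric."""
    reflexive = all((x, x) in rel for x in elems)
    transitive = all((x, z) in rel
                     for (x, y) in rel for (y2, z) in rel if y == y2)
    antisymmetric = all(x == y for (x, y) in rel if (y, x) in rel)
    return reflexive and transitive and antisymmetric


# Constructed sample: subject clearances and object requirements.
CLEARANCE = {"A": "S", "B": "C"}
REQUIREMENT = {"x": "C", "y": "S"}


def can_access(subject, obj):
    """A can access y iff the requirement of y is at or below A's clearance."""
    return leq(REQUIREMENT[obj], CLEARANCE[subject])


def can_forward(subject, obj, recipient):
    """A can forward access to y for B iff A holds the access and B's
    clearance also dominates y's requirement."""
    return can_access(subject, obj) and leq(REQUIREMENT[obj], CLEARANCE[recipient])


if __name__ == "__main__":
    print("Leq is a partial order:", is_partial_order(LEQ, LEVELS))
    print("A reads y:", can_access("A", "y"), "| B reads y:", can_access("B", "y"))
    print("A forwards y to B:", can_forward("A", "y", "B"))
```

Adding a single pair such as (TS, U) to the relation makes `is_partial_order` fail, which is the kind of invariant an Alloy signature fact would also catch over an ill-formed level ordering.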
Page 17
Chinese Wall
Originally intended for banking applications
• Creates separation of concerns groups
• Group A and Group B cannot share access to an object
(Diagram: the set {x, y, z}; groups A and B with objects X, Y and Z placed relative to them)
Page 18
CW / SOD - Separation of duties
(Diagram: User assigned to Role)
Role centric
• Irreflexive
• A user cannot fill two conflicting roles
• Inherit conflict groups
User centric
• Irreflexive
• Two conflicting users cannot collectively fill two roles in conflict
• Inherit conflict groups
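The two readings of separation of duties on this slide differ in what is checked: whether one user holds two conflicting roles, or whether two users who are themselves in conflict together hold two conflicting roles. The block below is an added example, not from the slides, over a constructed role hierarchy; conflict groups are declared once between roles and inherited down the hierarchy, which is how "inherit conflict groups" is read here.

```python
"""Added example, not from the slides: the two readings of separation of
duties on slide 18 checked over a constructed role hierarchy. A junior role
inherits the conflicts of every role above it."""
from itertools import combinations

# Constructed role hierarchy: child role -> parent role it specialises.
ROLE_PARENT = {
    "Teller": "Employee",
    "Trader": "Employee",
    "Auditor": "Employee",
    "SeniorAuditor": "Auditor",
}

# Constructed conflict groups: unordered pairs of roles that must not be combined.
ROLE_CONFLICTS = {frozenset({"Trader", "Auditor"})}

# Constructed pairs of users in conflict (the user-centric reading).
USER_CONFLICTS = {frozenset({"ana", "ben"})}

# Constructed user-role assignment.
ASSIGNED = {
    "ana": {"Trader"},
    "ben": {"SeniorAuditor"},
    "cy": {"Teller", "SeniorAuditor"},
    "dee": {"Trader", "SeniorAuditor"},
}


def lineage(role):
    """The role followed by each ancestor up the hierarchy."""
    chain = [role]
    while chain[-1] in ROLE_PARENT:
        chain.append(ROLE_PARENT[chain[-1]])
    return chain


def roles_conflict(r1, r2):
    """Irreflexive: a role never conflicts with itself. Otherwise the roles
    conflict if any ancestor-or-self of one is paired with any of the other."""
    if r1 == r2:
        return False
    return any(frozenset({a, b}) in ROLE_CONFLICTS
               for a in lineage(r1) for b in lineage(r2))


def role_centric_violations(assigned):
    """A single user filling two conflicting roles."""
    return [(user, r1, r2)
            for user, roles in assigned.items()
            for r1, r2 in combinations(sorted(roles), 2)
            if roles_conflict(r1, r2)]


def user_centric_violations(assigned):
    """Two users declared to be in conflict who collectively fill two
    conflicting roles (combinations() keeps the check irreflexive)."""
    found = []
    for u1, u2 in combinations(sorted(assigned), 2):
        if frozenset({u1, u2}) not in USER_CONFLICTS:
            continue
        for r1 in sorted(assigned[u1]):
            for r2 in sorted(assigned[u2]):
                if roles_conflict(r1, r2):
                    found.append((u1, u2, r1, r2))
    return found


if __name__ == "__main__":
    print("role centric:", role_centric_violations(ASSIGNED))
    print("user centric:", user_centric_violations(ASSIGNED))
```

In the sample data, dee holds Trader and SeniorAuditor; SeniorAuditor inherits Auditor's conflict with Trader, so the role-centric check flags her. ana (Trader) and ben (SeniorAuditor) each hold a single role, but because they are declared to be in conflict with each other, the user-centric check flags the pair.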
Page 19
Privacy Process Model
(Diagram: Users, Roles, Processes, Steps, Permissions (Operations on Objects); Permission Assignment; Process Hierarchy; Role Hierarchy)
Page 20
Two Variations
• The process has all the properties and people are simply assigned to steps (activities) as per their roles
• Steps retain properties and people are assigned as per their roles
(Diagram: two variants of the Users, Processes, Steps model, each with its Process Hierarchy: User-Process and User-Step)
Page 21
Privacy Process Model - User-Step
(Diagram: Users, Roles, Processes, Steps, Permissions (Operations on Objects); Permission Assignment; Process Hierarchy; Role Hierarchy; Sequence)
Page 22
Privacy Process Model - User-Process
(Diagram: Users, Roles, Processes, Steps, Permissions (Operations on Objects); Permission Assignment; Process Hierarchy; Role Hierarchy; Sequence)
Page 23
Information flow
• A part of standard procedures is delegating work to others.
  – Example: delegate meeting announcement to secretary
• Using the process model
  – Action "delegate meeting" is allowed in a process
  – Action "meeting cancellation" cannot be delegated
Page 24
Separation of Concerns
• In the banking industry, different groups may not share access to particular resources.
• Using the process model we can set rules to separate groups
  – Examples:
    • Admissions and Scholarship share no data
    • Finance and Marketing share no information
Page 25
Advantages of PPM
• Captures context
• Simplifies management (privacy)
Page 26
Captures Context
• As a part of the credit application process (x, y, z, t), an employee A receives access to credit information in step z.
  – Using a standard security model, A can download all credit information of all customers on file
• When using a process model,
  – access is granted or revoked based on the sequence of operations.
  – Therefore, under the process model, employee A will only have access if steps x and y have been performed
  – Access will be revoked after operation t is completed
(Diagram: the step sequence x, y, z, t)
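The contrast this slide draws is between a decision that depends only on who the subject is and one that also depends on where the process instance stands. The block below is an added example, not from the slides: it models the (x, y, z, t) process as a small state machine in which credit information is readable only by the assignee, only after x and y have been completed in order, and only until t is completed. The step names are the slide's; the assignee names and the protected object are constructed.

```python
"""Added example, not from the slides: the credit application process
(x, y, z, t) of slide 26 as a state machine whose access decision depends on
which steps have been completed, not only on the subject's role."""


class ProcessInstance:
    STEPS = ["x", "y", "z", "t"]  # sequential steps of the process (slide 26)

    def __init__(self, assignee):
        self.assignee = assignee
        self.done = []  # steps completed so far, in order

    def current_step(self):
        """The step due next, or None once the instance has finished."""
        return self.STEPS[len(self.done)] if len(self.done) < len(self.STEPS) else None

    def complete(self, step):
        """Record completion of `step`; steps must be performed in sequence."""
        if step != self.current_step():
            raise PermissionError(
                f"step {step!r} out of sequence; expected {self.current_step()!r}")
        self.done.append(step)

    def may_read_credit_info(self, user):
        """Access exists only for the assignee, only after x and y are done,
        and only until t is done (the revocation point on slide 26)."""
        return (user == self.assignee
                and {"x", "y"} <= set(self.done)
                and "t" not in self.done)


def access_trace(assignee="A", user="A"):
    """Access decision for `user` before the first step and after each step."""
    inst = ProcessInstance(assignee)
    trace = [inst.may_read_credit_info(user)]
    for step in ProcessInstance.STEPS:
        inst.complete(step)
        trace.append(inst.may_read_credit_info(user))
    return trace


def skipping_ahead_is_rejected():
    """Trying to perform z before x and y is refused by the sequence check."""
    inst = ProcessInstance("A")
    try:
        inst.complete("z")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # Expected: access is False before x and after x, True after y and z, False after t.
    print("assignee A:", access_trace())
    print("other user B:", access_trace("A", "B"))
    print("skip to z rejected:", skipping_ahead_is_rejected())
```

The trace shows the window the slide describes: no access before x and y are done, access through z and t, and revocation once t completes. A second user with the same role but not assigned to this instance never gains access, which is what distinguishes the process model from the identity-only check on the slide.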
Page 27
Simplifies Management
• Privacy is dependent on the application and not on the identity
• An identity can have a role which is involved in several functions. However, its privileges are dependent on the process.
• Grouping policies per process reduces the time and management effort that role-based policies require.
• Example:
  – Old:
    • If rank is General, then grant access
    • If rank is Secretary and name is Lise, then grant access
  – New:
    • Secretary: allow-access step 3
    • General: allow-access process change-direction
Page 28
Implementation and Validation
• A validation environment is provided by the language Alloy
• A formal language based on set theory and first order predicate calculus
  – Model analyser
  – Consistency checker
  – Being developed at MIT
Page 29
Alloy
Signatures, or elements, are the basic constructs of an Alloy model; they are a cluster of relationships grouped in a class-like structure. The slide shows three signatures (Enterprise, Process and Policy), the last one with its signature facts ("Facts & Rules"):

```alloy
// Sigs referenced by the fragments below; declared here so the model
// analyses stand-alone (not shown on the slide).
sig CEO, role, steps {}

// Enterprise: a root, the CEO, with at most one root.
abstract sig enterprise {
  root : CEO
} {
  lone root
}

// Process: an optional parent and the steps it is composed of.
abstract sig process {
  parent : lone process,
  composedOf : set steps
}

// Policy: attached to at most one process, with permitted and denied
// role-to-process relations.
abstract sig policy {
  attachedTo : lone process,
  permitted : role -> process,
  denied : role -> process
} {
  // Facts & Rules: no role is both permitted and denied, and both
  // relations stay within the process the policy is attached to.
  no permitted & denied
  role.permitted in attachedTo
  role.denied in attachedTo
}
```
Page 30
Alloy Process
Page 31
Architecture
(Diagram: UML Model, Alloy Meta Model, Alloy Policy Specification and Verification, connected by Translation and Manual Translation; XACML and ebXML representations, each with Manual Verification)
Page 32
Pragmatic Goals
• GUIs to formulate validated policies
• Able to answer questions:
  – Given an enterprise model and a set of policies
    • Who can/cannot, and under what circumstances?
    • Given circumstances, who can/cannot?
    • Is there inconsistency?
    • Is the system compliant with a set of policies?
• Automatic translation between
  – GUI representation
  – XACML representation
  – Formal representation (Alloy or other)
Page 33
Conclusion & Future Work
Privacy requires a native model; we were able to model the system and detect basic interactions using a formal tool.
We plan to use a process based model that attaches policies to processes which are composed of activities.
We use Alloy as model analyzer to verify properties.
Page 36
Extra
• (Process) CreditCardApp :- (Process) ReceiveCardApplication, (Process) CallCreditCheck, (Process) IssueCard, (Process) CreateAccount.
• (Process) CreateAccount :- (Step) LeaveTraceInSystem, (Process) CreateCard, (Process) MailCard.
• (Process) DeleteAccount :- (Step) LeaveTraceInSystem, (Step) RemoveAccount.
• (Process) WithdrawApplication :- (Process) DeleteAccount, (Step) NotifyClient.
Page 37
Security
• Basic: Identity -> Access Right
  – An identity justifies an access right
  – Example: given I am Wael, I can access my lab
• Extended: Identity1, Identity2 -> Forwarding Right (object)
  – A right is owned and can be forwarded (delegated)
  – Example: given I am an assistant,
    » I own the right to access personal student files,
    » I can allow Jasmine access to my file
• Combined: Identity1, Identity2 -> Concurrent Access (object)
  – Two subjects may be allowed to have concurrent access to an object
Page 38
Privacy
• Basic: Purpose -> Access Right (Identity)
  – A purpose justifies an access right
  – Example: to update a student profile, Jo-Anne needs to have access to accepted student application data
• Extended: Step -> Forwarding Right (Identity1, Identity2)
  – A step which can be owned by a person in a process suggests a right, and that right may be forwarded (delegated) iff the recipient has access to the process/step.
  – Example: given that Jo-Anne participates in the admissions procedure,
    » she is assigned access to the activity "open personal student file",
    » she can allow Jasmine (another officer) access to the same file as long as she has the authority and she is assigned to the process
• Combined: Process1, Process2 -> Concurrent Access (object)
  – Two subjects participating in two processes may or may not have concurrent access to certain objects.