
Kaniz Fatema David Chadwick Stijn Lievens University of Kent School of Computing Canterbury, UK

A Privacy Policy Enforcement System. Primelife IFIP Summer School 2010, 2-6 August, Helsingborg, Sweden. Kaniz Fatema, David Chadwick, Stijn Lievens, University of Kent, School of Computing, Canterbury, UK.


Presentation Transcript


  1. A Privacy Policy Enforcement System Primelife IFIP Summer School 2010, 2-6 August, Helsingborg, Sweden Kaniz Fatema, David Chadwick, Stijn Lievens University of Kent, School of Computing, Canterbury, UK

  2. Organization of the presentation • 1 Policy based authorisation system • 2 Privacy policy • 3 Different authors of privacy policy • 4 Special features of the proposed system • 5 The proposed system • 6 Use cases • 7 Conclusions and Future Plans

  3. (Slide outline: 1 Policy based authorisation system • 2 Privacy Policy • 3 Different Authors of Privacy Policy • 4 Special features of the proposed system • 5 The proposed system • 5.1 The Application Independent PEP • 5.2 The Credential Validation Service • 5.3 The Master PDP • 5.4 Conflict Resolution Policy • 5.5 Obligations Service • 6 Use Cases • 7 Conclusions and Future Plans) Policy based authorisation system • Access to a resource is protected by policy. (Diagram: a PEP in front of the resource, an authorisation system containing a PDP, and the message flow between them in steps 1-4.)

  4. Privacy Policy • Not only defined by the organisation holding the personal data, but also by the person (the data subject) whose privacy is being protected. • It may contain consent, purpose and obligations, such as e-mailing the data subject when his/her data is accessed, or deleting the data after a certain amount of time.

  5. Different Authors of Privacy Policy • Law, e.g. the Data Protection Act. • Issuer, e.g. the doctor for a medical note, the university authority as issuer of a degree, the data subject as issuer of personal information such as personal choices. • Controller, e.g. the health insurance company holding the data subject's medical record, or the Facebook authority. • Data subject, i.e. the person whose data is being accessed.

  6. Special Features of the proposed system • Multiple Policies • Sticky Policy Paradigm • Obligation enforcement • User Friendly Interface • Distributed Enforcement • Multiple Policy Languages

  7. The proposed system (architecture diagram)

  8. The Application Independent PEP (diagram)

  9. The Credential Validation Service (diagram)

  10. The Master PDP (diagram)

  11. The Master PDP • It knows which PDPs are present in the system and which policy languages they support. • It has a conflict resolution policy to resolve conflicts among the decisions returned by the PDPs.

  12. The Master PDP (diagram)

  13. Conflict Resolution Policy (CRP) • Each Conflict Resolution Rule (CRR) has: a condition; a Decision Combining Rule (DCR); optionally a precedence rule; an author; a time of creation. • Each DCR can have one of the following values: First Applicable; Specific Subject Overrides; Specific Resource Overrides; Deny Overrides; Grant Overrides.

  14. Conflict Resolution Policy (CRP) • Each PDP can return one of 5 different answers: Grant; Deny; NotApplicable; BTG (Break The Glass); Indeterminate. • The precedence of answers for Deny Overrides is Deny > Indeterminate > BTG > Grant > NotApplicable. • The precedence of answers for Grant Overrides is Grant > BTG > Indeterminate > Deny > NotApplicable.

  15. Obligations Service (diagram)

  16. Use cases • The person registers with a Health Service Provider to get the service. • During registration s/he fills in a form giving his/her consent about who can access the medical data and for what purpose, and ticks a box to choose his/her DCR. This form is application dependent. • The completed form is converted into a low-level PDP policy and a PDP is started for it. • When a request to see the data arrives, the CRRs defined by the various authors are consulted one by one. • Law has a CRR saying: if resource = medical data then DCR = denyOverrides. • So the DCR is denyOverrides. • All the PDPs are consulted, and if any PDP returns Deny the final answer is Deny.
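The Master PDP behaviour described on slides 11, 13, 14 and 16 (registered PDPs, CRRs consulted in order to pick a DCR, then the PDP decisions combined under that DCR using the precedence orders of slide 14) is sketched below as an added example in Python. This is not the authors' TAS³/PERMIS code. The request attributes, the three PDPs, the contents of the consent form, and the fallback to denyOverrides when no CRR matches are constructed assumptions; Specific Subject Overrides and Specific Resource Overrides are omitted because the slides do not define their semantics.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# The five decisions a PDP may return (slide 14).
GRANT, DENY, NOT_APPLICABLE, BTG, INDETERMINATE = (
    "Grant", "Deny", "NotApplicable", "BTG", "Indeterminate")

# Precedence orders from slide 14, highest precedence first.
DENY_OVERRIDES_ORDER = [DENY, INDETERMINATE, BTG, GRANT, NOT_APPLICABLE]
GRANT_OVERRIDES_ORDER = [GRANT, BTG, INDETERMINATE, DENY, NOT_APPLICABLE]

Request = Dict[str, str]        # assumed attributes: subject, role, resource, purpose
Pdp = Callable[[Request], str]  # a PDP maps a request to one of the five decisions


def combine(dcr: str, decisions: List[str]) -> str:
    """Apply a Decision Combining Rule to the decisions returned by the PDPs."""
    if not decisions:
        return NOT_APPLICABLE
    if dcr == "denyOverrides":
        return min(decisions, key=DENY_OVERRIDES_ORDER.index)
    if dcr == "grantOverrides":
        return min(decisions, key=GRANT_OVERRIDES_ORDER.index)
    if dcr == "firstApplicable":
        # PDPs are consulted in registration order; the first non-NotApplicable answer wins.
        return next((d for d in decisions if d != NOT_APPLICABLE), NOT_APPLICABLE)
    raise ValueError(f"unsupported DCR {dcr!r}")


@dataclass
class ConflictResolutionRule:
    condition: Callable[[Request], bool]  # when the rule applies
    dcr: str                              # the DCR to use when it does
    author: str                           # Law, Controller or Data subject
    created: str                          # time of creation, kept for audit


class MasterPdp:
    """Knows the registered PDPs and holds the conflict resolution policy (CRP)."""

    def __init__(self, crp: List[ConflictResolutionRule], default_dcr: str = "denyOverrides"):
        self.crp = crp
        self.default_dcr = default_dcr  # assumption: the slides name no default
        self.pdps: Dict[str, Pdp] = {}

    def register(self, name: str, pdp: Pdp) -> None:
        self.pdps[name] = pdp

    def select_dcr(self, request: Request) -> str:
        # CRRs are consulted one by one; the first whose condition matches chooses the DCR.
        for rule in self.crp:
            if rule.condition(request):
                return rule.dcr
        return self.default_dcr

    def decide(self, request: Request) -> str:
        decisions = [pdp(request) for pdp in self.pdps.values()]
        return combine(self.select_dcr(request), decisions)


# --- constructed PDPs for the health-record use case of slide 16 (assumptions) ---

def law_pdp(req: Request) -> str:
    # Assumed legal rule: medical data may never be used for marketing.
    if req["resource"] == "medicalData" and req["purpose"] == "marketing":
        return DENY
    return NOT_APPLICABLE


def controller_pdp(req: Request) -> str:
    # Assumed controller rule: only clinicians may read medical data.
    if req["resource"] == "medicalData":
        return GRANT if req["role"] == "clinician" else DENY
    return NOT_APPLICABLE


def make_data_subject_pdp(consent: Dict[str, set]) -> Pdp:
    # Built from the registration form: purpose -> roles the data subject consents to.
    def pdp(req: Request) -> str:
        if req["resource"] != "medicalData":
            return NOT_APPLICABLE
        return GRANT if req["role"] in consent.get(req["purpose"], set()) else DENY
    return pdp


def build_master() -> MasterPdp:
    crp = [
        # Law's CRR from slide 16: medical data is combined with denyOverrides.
        ConflictResolutionRule(lambda r: r["resource"] == "medicalData",
                               "denyOverrides", "Law", "2010-08-02"),
        # Assumed controller CRR for a non-sensitive resource.
        ConflictResolutionRule(lambda r: r["resource"] == "publicProfile",
                               "grantOverrides", "Controller", "2010-08-02"),
    ]
    master = MasterPdp(crp)
    master.register("law", law_pdp)
    master.register("controller", controller_pdp)
    master.register("dataSubject", make_data_subject_pdp({"treatment": {"clinician"}}))
    return master
```

With this set-up a clinician reading medical data for treatment is granted by the controller and data subject PDPs and the law PDP returns NotApplicable, so denyOverrides yields Grant; the same clinician asking for a purpose the data subject did not consent to is denied, because a single Deny outranks every other answer under denyOverrides.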

  17. Use cases • The system is initialised with the Law and Controller PDPs. • The Data subject PDP is started with the person's policy. (Diagram: application-dependent PEP, application-independent PEP, Master PDP, Law PDP and Controller PDP, shown before and after the Data subject PDP is added.)

  18. Conclusions and Future Work • The system is being implemented in Java as part of the EC TAS³ Integrated Project (www.tas3.eu). • The first beta version is available for download from the PERMIS web site: http://sec.cs.kent.ac.uk/permis/downloads/Level3/standalone.shtml • Our next step is to implement the complete Master PDP and conflict resolution policy. We also need to ensure the distributed enforcement of the sticky policy paradigm.

  19. Questions please… Thank you