1. Governance Policies for Privacy Access and their Interactions Wael Hassan & Luigi Logrippo
School of Information Technology and Engineering
2. Goal Detecting policy interactions in privacy governance policies
How
By using formal models
Proposing a privacy model
3. Agenda Policy Drivers
Convergence of control and policy systems
Requirements of new privacy models
Conflict detection using formal models
Delegation, separation, Alloy
Proposed process-based privacy model
Evaluation
Support of existing concepts
Advantages over existing models
Verification
Conclusion
4. Policy Model Drivers Convergence of control and policy systems
From operational to rules of governance
From activity- or trigger-based to data-based
Requirements of new privacy models
Release information based on purpose
Control flow of information
Ability to specify separation of concerns
5. Layers
6. Conflicts in Enterprise Governance Policies of access to information are framed by their scope
Logically contradictory policies will interact if their scopes overlap.
A subject roaming in multiple scopes can cause a rule conflict
A subject delegating authority of an object can cause a conflict
An object shared by multiple subjects can cause conflict
Policies of privacy access can interact if the reason (purpose) of access is conflicting
7. Overlapping scope (Policies x Roles)
8. Examples Rule: An employee cannot have access to both customers’ address and credit card information (card number, expiry date, PIN, and last 4 digits on the back of the card);
Process
One of the tasks of issuing a new card (CreateAccount) includes mailing the credit card to the consumer.
Result
Interaction
9. Separation of concerns Rule:
No one person is allowed to create and delete accounts
In this instance Alloy was able to detect violations of this rule.
10. Delegation Interaction Rule: Information collected for the purpose of credit verification should not be available to employees in loan processing
Loan Processing Process includes Verify Credit
Employee delegates role to manager
11. Process Based Governance
Governance of organizations by specifying control of access (to information) by applying policies to processes
12. Process Based Control
A business process is a unit that can be composed of steps and/or processes.
Steps in a process are sequential
13. In a business process environment it should be
Easy to tie purposes to actions
Possible to apply invariants for a complete structure
Easy to trace policy modifications
14. PPM Approach Supports
Flow of information (Bell-LaPadula)
Separation of concerns (Chinese Wall)
15. Privacy Process Model
16. Two Variations The process has all the properties and people are simply assigned to steps (activities) as per their roles
Steps retain properties and people are assigned as per their roles
17. Privacy Process Model - User-Step
18. Privacy Process Model- User-Process
19. Information flow A part of standard procedures is delegating work to others.
Example: delegate meeting announcement to secretary
Using process model
Action "delegate meeting" is allowed in a process
Action "meeting cancellation" cannot be delegated
20. Separation of Concerns In the banking industry, different groups may not share access to particular resources.
Using the process model we can set rules to separate groups
Example:
Admission and scholarship share no data
Finance and Marketing share no information
21. Advantages of PPM
Captures context
Simplifies management (privacy)
22. Captures Context As a part of credit application process (x,y,z,t), an employee A receives access to credit information in step z.
Using a standard security model, A can download all credit information of all customers on file
When using a process model, access is granted or revoked based on the sequence of operations.
Therefore, under the process model, employee A will only have access if steps x and y have been performed
Access will be revoked after operation t is completed
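The sequence semantics of slide 22, as an added Python sketch (not the authors' model): access tied to a step is live only once every earlier step is done and is dropped once the revoking step completes. The step names x, y, z, t come from the slide; the function names are assumptions.

```python
def access_allowed(process, grant_step, revoke_step, completed):
    """Process-scoped access (added example): an employee assigned to
    grant_step holds access only once every earlier step is done, and
    loses it once revoke_step is done. `completed` lists the steps
    finished so far, in order."""
    # Steps in a process are sequential (slide 12): reject out-of-order records.
    if list(completed) != list(process[:len(completed)]):
        raise ValueError("steps completed out of sequence")
    done = set(completed)
    earlier = process[:process.index(grant_step)]
    return all(s in done for s in earlier) and revoke_step not in done

# Slide 22's credit application process (x, y, z, t): access is granted
# in step z and revoked after step t.
CREDIT_APPLICATION = ["x", "y", "z", "t"]

def access_trace(process=CREDIT_APPLICATION, grant_step="z", revoke_step="t"):
    """Evaluate access after 0..len(process) completed steps;
    returns {number_of_completed_steps: allowed}."""
    return {n: access_allowed(process, grant_step, revoke_step, process[:n])
            for n in range(len(process) + 1)}
```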
23. Simplifies Management Privacy is dependent on the application and not on the identity
An identity can have a role which is involved in several functions. Its privileges are dependent on process.
Grouping policies per process reduces the time and management overhead of policies that are based on roles.
Example:
Old
If rank is General, then grant access
If rank is secretary and name is Lise then grant access
New:
Secretary allow-access step 3
General allow-access process change-direction
24. Implementation and Validation
A validation environment is provided by the language Alloy
A formal language based on set theory and first order predicate calculus
Model analyzer
Consistency checker
Being developed at MIT
25. PPM implementations PPM with non-serialized steps correctly implements Bell-LaPadula
Proven by Hassan using Alloy
PPM with non-serialized steps correctly implements SOD
Proven by Hassan using Alloy
26. Alloy
27. Alloy Process
28. Architecture
29. Pragmatic Goals GUIs to formulate validated policies
Able to answer questions:
Given an enterprise model and a set of policies
Who can/cannot and under what circumstances
Given circumstances, who can/cannot?
Is there an inconsistency?
Is the system compliant with a set of policies?
Automatic translation between
GUI representation
XACML representation
Formal representation (Alloy or other)
30. Conclusion & Future Work Privacy requires a native model.
We were able to model the system and detect basic interactions using a formal tool.
We plan to use a process-based model that attaches policies to processes which are composed of activities.
We use Alloy as a model analyzer to verify properties.
31. Thanks from
Wael Hassan, Luigi Logrippo
wael@ieee.org, luigi@uqo.ca
33. Extra (Process) CreditCardApp:- (Process) ReceiveCardApplication, (Process) CallCreditCheck, (Process) IssueCard, (Process) CreateAccount.
(Process) CreateAccount:- (Step)LeaveTraceInSystem, (Process) CreateCard, (Process) MailCard.
(Process) DeleteAccount:- (Step)LeaveTraceInSystem, (Step)RemoveAccount.
(Process) WithdrawApplication:- (Process) DeleteAccount, (Step) NotifyClient.
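The rules of slides 8 and 9 checked over the process tree of this slide, as an added Python example rather than the authors' Alloy model: composition is closed transitively so that a step buried in a sub-process still counts, which is how the shared LeaveTraceInSystem step surfaces as a separation-of-concerns interaction. STEP_DATA and ASSIGNMENTS are constructed for illustration and are not from the deck.

```python
"""Added example (Python, not the authors' Alloy model): encode the process tree
from the Extra slide and check separation of concerns (slide 9) and the
address/card data rule (slide 8). STEP_DATA and ASSIGNMENTS are constructed."""

# Composition from the Extra slide; any name that is not a key is a leaf Step.
PROCESSES = {
    "CreditCardApp": ["ReceiveCardApplication", "CallCreditCheck", "IssueCard",
                      "CreateAccount"],
    "CreateAccount": ["LeaveTraceInSystem", "CreateCard", "MailCard"],
    "DeleteAccount": ["LeaveTraceInSystem", "RemoveAccount"],
    "WithdrawApplication": ["DeleteAccount", "NotifyClient"],
}
# Constructed: data each step exposes (the deck only says mailing needs both).
STEP_DATA = {"MailCard": {"address", "card"}, "CreateCard": {"card"},
             "CallCreditCheck": {"credit"}}
# Constructed assignment of people to steps.
ASSIGNMENTS = {"alice": {"ReceiveCardApplication", "CallCreditCheck"},
               "bob": {"CreateCard", "MailCard"},
               "carol": {"LeaveTraceInSystem"}}

def steps_of(process):
    """Transitive closure over composition: all leaf steps a process reaches
    (the Alloy idiom would be p.^parts & Step)."""
    leaves, todo = set(), [process]
    while todo:
        node = todo.pop()
        if node in PROCESSES:
            todo.extend(PROCESSES[node])
        else:
            leaves.add(node)
    return leaves

def separation_violations(assignments, proc_a, proc_b):
    """People holding a step in both processes. A step shared by both
    processes (LeaveTraceInSystem) flags its assignee by itself."""
    a, b = steps_of(proc_a), steps_of(proc_b)
    return sorted(p for p, s in assignments.items() if s & a and s & b)

def data_conflicts(assignments, forbidden):
    """People whose assigned steps together expose every item in `forbidden`."""
    hits = []
    for person, steps in assignments.items():
        seen = set().union(*(STEP_DATA.get(s, set()) for s in steps))
        if forbidden <= seen:
            hits.append(person)
    return sorted(hits)
```

Running `separation_violations(ASSIGNMENTS, "CreateAccount", "DeleteAccount")` flags carol through the shared trace step alone, and `data_conflicts(ASSIGNMENTS, {"address", "card"})` flags bob because MailCard needs both items, matching the interaction on slide 8.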