Privacy Management in Enterprises for IT Governance

Privacy Management in Enterprises for IT Governance Marco Casassa Mont marco_casassa-mont@hp.com Senior Researcher Trusted Systems Lab, HP Labs, Bristol, UK

Presentation Outline • Privacy for Identity Management: Setting the Context • Important Privacy Aspects to be Addressed: • Privacy Policy Enforcement • Privacy Obligation Management • HP Identity Management Portfolio: • HP Select Access, HP Select Identity, HP Select Federation • Current Support for Privacy • HP Labs Privacy Management work: • Privacy Policy Enforcement for HP Select Access • Obligation Management System and Integration with HP Select Identity • Conclusions

PRIVACY Privacy: An Important Aspect of Regulatory Compliance Regulatory Compliance (Example of Process) Regulations (incomplete list …)

Privacy Legislation (EU Laws, HIPAA, COPPA, SOX, GLB, Safe Harbour, …) Internal Guidelines Customers’ Expectations Applications & Services Personal Data PEOPLE ENTERPRISE Positive Impact on Reputation, Brand, Customer Retention Customers’ Satisfaction Regulatory Compliance Impact on Enterprises and Opportunities

Data Governance and Policy Management (Including Privacy Policies) Policy Development and Modelling Monitoring, Audit, Reporting and Policy Management Data Inventory People/Roles Systems/Applications/Services Gap and Risk Analysis Policy Enforcement Confidential/Personal Data Policy Deployment

Gap in Current Solutions Policy Development and Modelling Monitoring, Audit, Reporting and Policy Management Data Inventory People/Roles Systems/Applications/Services Gap and Risk Analysis Policy Enforcement Confidential/Personal Data Policy Deployment

Purpose Specification Consent Privacy Permissions Limited Collection Privacy Obligations Privacy Rights Limited Use Limited Disclosure Limited Retention Privacy For Personal Data: Core Principles Privacy Policies

Request for DATA + INTENT Data Subject Data Requestors to access personal data they need to express their INTENT i.e. how they intend to use these data P.S.: INTENT could be hard coded in applications or part of role definitions Personal DATA + CONSENT CONSENT is given by data subjects for the usage of their Personal Data (PII) for predefined PURPOSES Terminology: Consent, Intent, Data Purpose, Privacy Policy Applications & Services Personal Data (PII) + Consent Privacy Office & Privacy Admins PRIVACY POLICIES: How data must be managed. What can be accessed by requestors, given their INTENT, the PURPOSE of Collecting the Data and CONSENT given by data subjects Definition of the PURPOSES data are collected for ENTERPRISE

Request for DATA + INTENT Privacy Policy Enforcement Data Requestors Actual Accessed Data Terminology: Privacy Policy Privacy Policies Personal DATA + CONSENT Check Requirements (Intent against data Purposes and Consent, etc.) Failure (no access) Data Subject Actions Personal Data and Consent • - Audit • Notification • … Success Dictate Access Constraints • Partial Data Access • (filter Data) • Data Transformation/Encryption • Data Subject’s Constraints • … Actions • - Audit • Notification … ENTERPRISE

Purpose Specification Consent Limited Collection Privacy Enforcement: Access Control Implications Limited Use Limited Disclosure Limited Retention Privacy Policies Privacy Enforcement for Personal Data: Principles and Implications

Rights Actions Requestor Rights Actions Requestor Purpose Requestor’s Intent Access Control Owner’s Consent Access Control Other… Privacy Extension Constraints Personal Data It is not just a matter of traditional access control: need to include data purpose, intent and user’s consent Moving Towards a “Privacy-Aware” Access Control … Personal Data Privacy-Aware Access Control Traditional Access Control Privacy Enforcement on Data: Access Control + “Intent, Purpose, Consent, …”

uid Name Condition Diagnosis 1 Alice Alcoholic Cirrhosis 2 Rob Drug Addicted HIV 3 Julie Contagious Illness Hepatitis Privacy Policy Enforcement Enforcement: Filter data Access content Table T1 (SELECT * FROM T1) Intent = “Marketing” uid Name Condition Diagnosis Filtered data 1 - Alcoholism Cirrhosis 2 - Drug Addicted HIV 3 - Contagious Illness Hepatitis 1st Example: Privacy-Aware Access Control Purpose and Intent Management Enterprise Privacy Policies/ Guidelines Table T1 with PII Data If role==“empl.” and intent == “Marketing”Then Allow Access (T1.Condition,T1.Diagnosis) Else If intent == “Research”Then Allow Access (T1.Diagnosis) Else Deny Access SELECT “-”,Condition, Diagnosis FROM T1

Consent Marketing Research uid Name Condition Diagnosis x 1 1 Alice Alcoholic Cirrhosis x x 2 2 Rob Drug Addicted HIV 3 3 Julie Contagious Illness Hepatitis Privacy Policy Enforcement Enforcement: Filter data Access Table T1 (SELECT * FROM T1) Intent = “Marketing” uid Name Condition Diagnosis Filtered data 1 - Alcoholism Cirrhosis 2 - - - 3 - Contagious Illness Hepatitis 2nd Example: Privacy-aware Access Control Consent, Purpose and Intent Mgmt Table T1 with PII Data and Customers’ Consent Enterprise Privacy Policies & Customers’ Consent T1 If role==“empl.” andintent == “Marketing” Then Allow Access (T1.Condition,T1.Diagnosis) & Enforce (Consent) Else If intent == “Research” Then Allow Access (T1.Diagnosis) & Enforce (Consent) Else Deny Access T2 SELECT “-”,Condition, Diagnosis FROM T1, T2 WHERE T1.uid=T2.Consent AND T2.Marketing=“YES”

Involved Aspects Policy Development and Modelling Monitoring, Audit, Reporting and Policy Management People/Roles Data Inventory Systems/Applications/Services Gap and Risk Analysis Policy Enforcement Confidential/Personal Data Policy Deployment

Privacy Policy Definition and Enforcement Implicit • Embed privacy • policies within • applications, queries, • services/ad-hoc solutions • Simple Approach • It does not scale in terms • of policy management • It is not flexible and • adaptive to changes Implicit Approach to Enforce Privacy Policies: No Flexibility Applications & Services Business logic Privacy policies Personal Data

Privacy Policy Definition and Enforcement Explicit • Fully deployed • Privacy Management • Frameworks • Explicit Management • of Privacy Policies • Might require major • changes to IT and data • infrastructure • Usage of Vertical • Solutions Explicit Approach to Enforce Privacy Policies: Vertical and Invasive

HP Approach: Adaptive, Integrated and Flexible Enforcement of Privacy Policies Privacy Policy Definition and Enforcement Implicit Explicit • HP Approach • Single solution for • explicit management of • Privacy Policies • Privacy Enforcement by Leveraging • and Extending HP Select Access • Access Control Frameworkand • easy to use management UI • Does not require major changes • to Applications/Services or • Data Repositories

Summary of Requirements • Modeling of Personal data • Explicit Definition, Authoring and Management • of Privacy Policies • Extensible Privacy Policies • Explicit Deployment and Enforcement of Privacy Policies • Integrationwith traditional Access Control Systems • Simplicity of Usage • Support for Audit

1 2 3 4 Privacy Obligations: Aspects Classifications of Types of Obligations Technologies to deal with Management of Privacy Obligations Management of Obligations: Refinement, Control, Enforcement, Monitoring Privacy Obligations Common Patterns and Requirements

Privacy Obligation Refinement: Abstract vs. Refined Obligations can be very abstract: “Every financial institution has an affirmative and continuing obligation to respect customer privacy and protect the security and confidentiality of customer information” Gramm-Leach-Bliley Act • More refined Privacy Obligations dictate • responsibilities with respect of Personal Information: • Notice Requirements • Enforcement of opt-in/opt-out options • Limits on reuse of Information and Information Sharing • Data Retention limitations …

Duration Enforcement Long-term Ongoing Short-term Obligations One-time Types Other Event-driven Transactional Data Retention & Handling Dependent on Access Control Independent from Access Control Data Subject Context “Notify User via e-mail1 If his Data is Accessed” “Delete Data XYZ after 7 years” Enterprise “How Represent Privacy Obligations? How to Stick them to Personal Data? How to Manage, Enforce and Monitor them? How to Integrate them into current IDM solutions?” Setting Privacy Obligations: A Complex Topic …

Privacy Obligations: Common Aspects • Timeframe(period of validity) of obligations • Events/Contexts that trigger the need to • fulfil obligations • Target of an obligation (PII data) • Actions/Tasks/Workflows to be Enforced • Responsible for enforcing obligations • Exceptions and special cases

Technical Work in this Space [1/2] • Current Approaches to Deal with Privacy Obligations: • - P3P (W3C): • - Definition of User’s Privacy Expectations • - Explicit Declaration of Enterprise Promises • - No Definition of Mechanisms for their Enforcement • Data Retention Solutions and Document Management • Systems. • - Limited in terms of expressiveness and functionalities. • - Focusing more on documents/files not personal data • - Ad-hoc Solutions for Vertical Markets

Technical Work in this Space [2/2] • Recent relevant Work done in this Space: • IBM Enterprise Privacy Architecture, including • a policy management system, a privacy enforcement • system and audit • Initial work on privacy obligations in the context of • Enterprise Privacy Authorization Language (EPAL) • lead by IBM • XACML: similar standard proposal • - No Refined Model of Privacy Obligations • - Privacy Obligations Subordinated to AC. Incorrect …

Privacy Obligations: Suggested Approach • Deal with Privacy Obligations as “first-class citizens” in the • context of Enterprises and Organisations – recognise its • importance for Regulatory Compliance • Recognise the Importance of Separation of Concerns: • explore how to explicitly represent, manage and • enforce privacy obligations without imposing any dominant • view (for example, the authorization perspective) • Research and Work on Longer-term Issues, such as • accountability, stronger associations of obligations to data, • obligation versioning and tracking

Summary of Requirements • ExplicitModelingand Representation of privacy obligations • (Strong) Association of obligations to data • Mappingobligations into enforceable actions • Compliance of refined obligations to high-level policies • Tracking the evolution of obligation policies • Dealing with Long-term Obligation aspects • Accountability management and auditing • Monitoring obligations • User involvement • Handling Complexity and Cost of instrumenting Apps and Services

Accounts & Policies HP OpenView Identity Management Registration/ Creation Propagation Compliance Privacy Authentication Authorization Federation Single Sign-On Maintenance/ Management Personalization Termination • HP Select Access • Authentication • Policy-based Access control • Single sign-on • Web Services Security &Access Mgmt • Personalization • HP Select Identity • Cross-enterprise user life-cycle management • Provisioning • Workflow • Password management • Self Service • Delegated administration • HP Select Federation • Open protocol federation • Automated inter-organizational user activation & provisioning • Privacy management • Federation auditing & governance

[1] HP Select Access • Access Control product • Policy Authoring • Policy Decisions • Policy Enforcement • Auditing HP Select Access

[1] HP Select Access Access Control System: Definition, Enforcement and Auditing of Access Control Policies

[1] Policy Builder: Authoring Access Control Constraints High-Level matrix-based UI to set-up access control constrains on resources given users/groups

[1] Rule Editor: fine grained Access Control Rules Rule editor for fine-grained definition of access control policies

[1] HP Select Access: Summary • Access Control System • Fine-grained Policy Authoring, Deployment and • Enforcement • Intuitive and Simple to use GUIs • Enforcement for Web Resources • Auditing

[2] HP Select Identity • Management of Identities in Organisations • Support for Self Registration and User Provisioning • Account Management across Platforms, Applications and Corporate Boundaries HP Select Identity

Security & Access Controls Connector Bus Databases H.R. Web SSO Directories Windows Mainframe Identity Management Functions Workflow Policies Notifications BusinessApps Policy &Security [2] HP Select Identity IdM Services BusinessRelationships Identity Store(users) Groups

Policy &Security Administration Delegated Admin Self Service Graphical User Interface Directories Mainframe H.R. Databases Windows Messaging Security Layer (Authentication/Authorization/Session) Event Manager Context Engine Context Group User Service Resource Bus. Relationship BusinessApps Identity BP Services job 1 JobProcessor …… Workflow Audit/Report • job 1 tasks: • Create SSO ID • Add user1 NT group • Add portal account Policy Forms Reconciliation Tiered Authority job n Data Services Data Abstraction Transaction Mgr [2] HP Select Identity Context Model Select Identity API’s JCA Connector Bus RDBMS

[2] HP Select Identity: Summary • Centralised Management of Users and Entitlements • User Provisioning: create, update and delete • Administrative Delegation • User Self Service • Approval Workflow • Password & Profile Management • Audit and Reporting

[3] HP Select Federation • Enables web SSO and Cross Domain Federated Identity Management • No need for Centralised Data Repository • Support for Liberty Alliance, SAML, WS Federation HP Select Federation

[3] HP Select Federation • Supports multiple federation protocols, including Liberty and SAML • Supports heterogeneous identity management environments • Includes a comprehensive management console • Provides extensive audit capabilities • Enables policy-based privacy management • Enables 1-click smart user activation/provisioning OpenView Select Federation enables secure, cross-enterprise single sign-on and identity data sharing

HP IDM Solutions: HPL Privacy Extensions Federated Environments Federated Environments Federated Environments Supported Can Be Extended Not Relevant

HPL Work HP IDM Solutions: HPL Privacy Extensions Federated Environments Federated Environments Federated Environments Supported Can Be Extended Not Relevant

Leverage HP Select Access: Privacy Policy Modelling and Enforcement Privacy Policy Development and Modelling Monitoring, Reporting and Policy Management Data Inventory People/Roles Systems/Applications/Services Gap and Risk Analysis Privacy Policy Enforcement Confidential/Personal Data Privacy Policy Deployment

Privacy Policy Enforcement: Requirements for HP Select Access Core requirements: 1 Explicit Modelling of Confidential Data Describe Privacy Policy based on the Content of Data, Consent, Intent and Data Purpose Make Decisions based on these Privacy Policies Enforce these Privacy Decisions 2 3 4 • Extend Select Access mainly via its Standard APIs to implement the above requirements

Privacy Policy Deployment & Decisions Access Request Web Services Validator (Policy Decision) Grant/Deny Applications, Services, … Requestor’s Intent+ Request to Access Data Policy Repository HPL Plug-ins Privacy- aware Access Request AccessControl Policies Data Access Privacy- aware Decision Enforcer HPL Data Enforcer Enforcer Enforcer Plug - in + Privacy Policies (intent, purpose, consent, constraints…) Plug - in Plug - in Privacy Policy Enforcement On Personal Data Data Modelling & Privacy Policy Authoring Privacy-aware Access to Data Policy Builder Audit HPL Plug-ins Personal Data + Owners’ Consent Privacy Enforcement in HP Select Access

Privacy Management in Enterprises for IT Governance