1 / 36

A System for Privacy-Aware Resource Allocation and Data Processing in Dynamic Environments

A System for Privacy-Aware Resource Allocation and Data Processing in Dynamic Environments. Marco Casassa Mont and Siani Pearson marco.casassa-mont@hp.com siani.pearson@hp.com Trusted Systems Lab, HP Labs, Bristol, UK. Presentation Outline. Privacy: Core Concepts and Background

mleonard
Download Presentation

A System for Privacy-Aware Resource Allocation and Data Processing in Dynamic Environments

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A System for Privacy-Aware Resource Allocation and Data Processing in Dynamic Environments Marco Casassa Mont and Siani Pearson marco.casassa-mont@hp.com siani.pearson@hp.com Trusted Systems Lab, HP Labs, Bristol, UK

  2. Presentation Outline Privacy: Core Concepts and Background Scenarios and Key Issues Addressed Problem Our Approach Related Work Current Status and Next Steps Conclusions

  3. Presentation Outline Privacy: Core Concepts and Background Scenarios and Key Issues Addressed Problem Our Approach Related Work Current Status and Next Steps Conclusions

  4. Privacy Legislation (EU Laws, HIPAA, COPPA, SOX, GLB, Safe Harbour, …) Internal Guidelines Customers’ Expectations Applications & Services Personal Data PEOPLE ENTERPRISE Positive Impact on Reputation, Brand, Customer Retention Customers’ Satisfaction Regulatory Compliance Privacy: Core Concepts Privacy Management has Strong Implications on how Personal Identifiable Information (PII data) is Managed by Various Parties Accessing these Data …

  5. Privacy Policies: • Laws/Legislations • HIPAA, COPPA, • EU Data Protection Directive, • etc. • Guidelines • OECD, etc. • Privacy Preferences • … Personal Data Personal Data And Privacy Policies

  6. Purpose Specification Consent Limited Collection Limited Use Limited Disclosure Limited Retention Privacy Policies: Rights, Permissions and Obligations Privacy Permissions Privacy Obligations Privacy Rights Privacy Policies

  7. Presentation Outline Privacy: Core Concepts and Background Scenarios and Key Issues Addressed Problem Our Approach Related Work Current Status and Next Steps Conclusions

  8. Some Relevant Scenarios • Enterprise • - Company vs. Private data for Employees • Protection of Customers’ and Employees’ Data • Compliance to Legislation • Health Care • - View on Data dependent upon Requestors’ Roles • - Patients’ Sensitive Data • Federated Identity Management • - Partners and Third Parties should only get • the minimal (required) Personal Information  Conflicting Interests, Multiple Views on Data, Accountability

  9. Locality 2 Locality 3 Locality 1 Dynamically Allocated Set Of Resources Computing Resource Computing Resource Computing Resource Computing Resource Computing Resource Computing Resource Computing Resource Computing Resource Apps/ Services Confidential/ Personal Data Reference Scenario: Dynamic, Distributed and Adaptive Enterprise Distributed, Dynamic Data Center

  10. Impact of Privacy Policies • Policies Describe Constraints on How to Access, Disclose and Process Personal/Confidential Data • Different Policies Might Apply based on Localization and Contextual Information • Importance of Localization of Resources when Processing Personal Data Examples: • Personal Data X can only be Accessed and Processed within EU and US boundaries • Personal Data Y cannot be Stored Outside EU boundaries • Given a Set of Personal Data, only a subset S can be processed and displayed in country C • Personal Data must be Processed on Resources satisfying state-of-the art Security and Management Practices

  11. Presentation Outline Privacy: Core Concepts and Background Scenarios and Key Issues Addressed Problem Our Approach Related Work Current Status and Next Steps Conclusions

  12. Addressed Problem • How to Deal with Privacy-aware Resource Allocation • and Privacy-Aware Processing of Data in Dynamic, • Distributed Environments: • How to Ensure that Personal/Confidential Data is • Processed only on Resources (and in Contexts) • that Satisfy relevant Privacy Policies? • How to Specify, Manage and Enforce these Privacy • Policies? • How to Increase Assurance about the Trustworthiness of • the Involved Computational Resources?

  13. Presentation Outline Privacy: Core Concepts and Background Scenarios and Key Issues Addressed Problem Our Approach Related Work Current Status and Next Steps Conclusions

  14. Our Approach [1] Association of Privacy Policies to Personal Data [2] Allocation of Resources and Disclosure/Access of Data based on Policies [3] Usage of Trusted Infrastructure • Explicit Representation of sets of “Alternative“ Privacy Policies Relevant for Confidential Data • Usage of “Meta-policies” describing Policy Selection Criteria • Privacy Policy + Meta-Policy: Policy Package • Strong Association of Policy Package to Confidential Data • Dynamic Selection of Computing Resources based on these Policies • Locally Enforce Relevant Policies when Accessing Data on Computing Resources. Usage of Trusted Privacy Service • Provide Trusted Information about Computing Resources such as their Location. Usage of Registration Entity and Trusted Localization Provider

  15. Registration Entity Registration Entity Resource Allocation Service Resource Allocation Service Locality 2 Trusted Privacy Service (TPS) Locality 1 Computing Resource Computing Resource Computing Resource Computing Resource Computing Resource TPS Access Module Trusted Localization Provider (Encrypted) Personal Data Policy Package Our Model Distributed Data Center

  16. Privacy Policy set 3 (context dependent) Privacy Policy set 1 (context dependent) Privacy Policy set 2 (context dependent) Privacy Policy set n (context dependent) Policy Package Policy Package Meta-policies (policy to identify relevant privacy policy sets, Based on contextual and location information) Signature (optional) … • Drive Selection Process of Computational Resources • Designate the Right Set of Privacy Policies to be Enforced • (based on Context)

  17. Actual Data Stored in the Data repository “Control” Encrypted Encrypted with TPS Public Key: • Symmetric Key used to • Encrypt Personal Data • Hash of Privacy Policy Sticky Policies Privacy Policy Personal Data

  18. Encryption Techniques • Traditional Public Key Cryptography • Enveloping techniques • Symmetric Key Used to Encrypt Personal Data • “Package” Encryption: Public Key of Privacy Management Service • Identifier-based Cryptography (IBE) • Three-players model: Sender, Receiver, Trust Authority • Use directly the “Privacy Policy” (and a Public Detail of the Trust Authority) to Encrypt Personal Data • Alternatively, use Symmetric key (for better performance) • Privacy Management Service is the Trust Authority

  19. Registration Entity Registration Entity Resource Allocation Service Resource Allocation Service Locality 2 Trusted Privacy Service (TPS) Locality 1 Computing Resource Computing Resource Computing Resource Computing Resource Computing Resource TPS Access Module Trusted Localization Provider (Encrypted) Personal Data Policy Package Our Model Distributed Data Center

  20. Policy Package 1 Privacy Policy Compliance Checking 3 4 Decryption key disclosure Localization& Context Gathering 2 Interaction Flow: Resource - TPS TPS Access Module Disclosure Monitoring/ Control Disclosure Monitoring/ Control Tracing Auditing Module Comm. Module Policy Engine Comm. Module Policy Engine Crypto Module Crypto Module API Context manager Tamper Resistant Audit Context Local Context Credent. Issuer Credent. Verifier COMM Trusted Privacy Service (TPS) TPM Localization Info and Credential Resource Trusted Localization Provider

  21. Trusted Privacy Service (TPS) Trusted Localization Provider • A trusted “localisation” software layer that certifies and/or provides • localisation information (e.g. MAC or IP address or system information) • about that platform via an API. • A trusted component, such as a TCG-compliant TPM, to provide certified • and trustworthy information so that agreater degree of trust may be • achieved.

  22. Deployment of Our Solution [1/2] • Computing Resources have a TPS Access Module and Localization Provider • Administrators need to: • Create a Model of Managed Types of Data, along with Relevant Policies (Storage: Resource Allocation Service) • Create a Model of Managed Applications/Services, along with the Types of Data they need to Access • Resource Allocation Service allocates Resources based on Apps/Services, Types of Data, Policies

  23. Deployment of Our Solution [2/2] • Data is Stored in Data Repositories. It can be Encrypted along with Associated Policies • Apps/Services will Interact with Data Repositories with Traditional Protocols (e.g. JDBC, LDAP, etc) • Usage of Proxies (containing our TPS Access Module) to Transparently Intercept Queries • Proxy Interactions with TPS Service to get Access to Data

  24. Information Flow Data Structure: View 2 JDBC Proxy (TPS Access Module) Decryption keys Entity 2 <Access Request: privacy policies, Credentials, Contextual Information> Data Structure: View 1 Trusted Privacy Service (TMS) Decryption keys JDBC Proxy (TPS Access Module) <Access Request: privacy policies, Credentials, Contextual Information> Entity 1 Example of Migration of Data Data Repositories Privacy Policy Control Encrypted Data

  25. Presentation Outline Privacy: Core Concepts and Background Scenarios and Key Issues Addressed Problem Our Approach Related Work Current Status and Next Steps Conclusions

  26. Related Work • Work on Sticky Policies (e.g. IBM, HP, etc.) and Cryptographic Mechanisms: RSA enveloping, IBE, etc. • Context-aware Policies (e.g. Microsoft): evaluation of Policies on-the-fly based on Context • Various Work on Privacy-aware Access Control (e.g. EPA/EPAL, PRIME, UniMi, IBM, HP, …) • HP’s Work on Adaptive Privacy Management and Privacy Policy Enforcement on Personal Data • …  Our Approach and Technology Target Dynamic Data Centers/Enterprises  Adaptive Resource Allocation and Data Processing Driven by Privacy Policies  Leveraging Trusted Infrastructure

  27. Presentation Outline Privacy: Core Concepts and Background Scenarios and Key Issues Addressed Problem Our Approach Related Work Current Status and Next Steps Conclusions

  28. Current Status • We Have Implemented Key Components • Sticky Policies by using IBE • TPS service (Trust Authority) based on IBE model • Policy-driven JDBC Proxy to Intercept and Manipulate SQL Queries/Results • We Have the Core Technology (Trusted Computing) to Implement the TLP component • We Still Need to Build a Complete Solutions • It is Work in Progress …

  29. Next Steps • Additional Research and Refinement of our Approach and Technologies • Address Open Issues: • Conflicting Privacy Policies • Scalability Issues with Heterogeneous Data • Implications for Applications and Services • Granularity of Data Associated to Privacy Policies? • Implement a Full, Integrated Prototype in the context of a HP Data Center Infrastructure • Work on Trust Management Aspects in PRIME Project

  30. Presentation Outline Privacy: Core Concepts Scenarios and Key Issues Addressed Problem Our Approach Related Work Discussion, Open Issues and Next Steps Conclusions

  31. Conclusions • Importance of Privacy Management in Dynamic, Distributed System – e.g. Distributed Data Centers • Problem: Allocation of Resources and Processing of Personal Data based on Privacy Policies in this Context • Our Approach: Sticky Policies, Trusted Mediators and Trusted Components to Gather Contextual Information • Developed a few Core Components of Our Technology • A few Open Issues … • Next Steps: build working Prototype. Make Experiment in Real-world Contexts. Do Research in PRIME (Trust) • Work in Progress …

  32. Backup Slides

  33. What is Identifier-based Encryption (IBE)? • It is an Emerging Cryptography Technology • Based on a Three-Player Model: Sender, Receiver, Trust Authority (Trusted Third Party) • Same Strength of RSA • Different Approaches: Quadratic Residuosity, Weil Pairing, Tate Pairing … • SW Library and Technology available at HP Laboratories

  34. IBE Core Properties • 1st Property: any kind of “String” (or sequence of bytes) can be used as an IBE encryption key: for example a Role, an e-Mail Address, a Picture, a Disclosure Time, Terms and Conditions, a Privacy Policy … • 2nd Property: the generation of IBE decryption keys can be postponed in time, even long time after the generation of the correspondent IBE encryption key • 3rd Property: reliance on at least a trust authority (trusted third party) for the generation of IBE decryption key

  35. Alice Bob 4 3 2 5. Bob requests the Decryption Key associated to the Encryption Key to the relevant Trust Authority. 2. Alice knows the Trust Authority's published value of Public Detail N It is well known or available from reliable source 5 6 3. Alice chooses an appropriate Encryption Key. She encrypts the message: Encrypted message = {E(msg, N, encryption key)} 6. The Trust Authority issues an IBE Decryption Key corresponding to the supplied Encryption Key only if it is happy with Bob’s entitlement to the Decryption Key. It needs the Secret to perform the computation. Trust Authority 1 1. Trust Authority - Generates and protects a Secret - Publishes a Public Detail N 4. Alice Sends the encrypted Message to Bob, along with the Encryption Key IBE Three-Player Model

More Related