Title: Policy Languages and Enforcement
1 Policy Languages and Enforcement
4th IAPP Privacy Summit
February 2004
2 PORTIA research project
- Sensitive Information in a Wired World
- Team
- Stanford, Yale, Stevens, NYU, UNM,
- Topics
- Privacy-preserving data mining
- Policy languages and enforcement
- Identity theft and identity privacy
- Using trusted platforms
- Contact: http://crypto.stanford.edu/portia/
3 Enterprise Access Control
Diagram: a policy answers What, When, Who, Where and Why. Example: Joe (user: Who) can open (right: What) financials.xls (resource) using wired SSL on his laptop (constraint: When, Where).
4 Distributed Access Control
Diagram: several sites, each with its own policy and resources, linked through identity (ID).
Protect distributed resources with distributed policy
Policy at site A may govern resources at site B
5 Decentralized Policy Example
Diagram: Alice, StateU, ABU and EPub.
- EPub grants access to university students
- EPub trusts universities to certify students
- EPub trusts ABU to certify universities
- StateU certifies: Alice is a student
- ABU certifies: StateU is a university
6 Role-based Trust-management (RT)
- RT0: decentralized roles
- RTD: selective use of role memberships
- RTT: separation of duties
- RT1: parameterized roles
- RT2: logical objects
- RT1C, RT2C: structured resources
RTT and RTD can be used (either together or separately) with any of the five base languages RT0, RT1, RT2, RT1C, and RT2C
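The EPub/StateU/ABU chain from slide 5, written as RT0 credentials and evaluated by a small fixed-point engine. This is an added example, not code from the slides or the PORTIA project; the role names access, student, university and accredited, and the unaccredited issuer FakeU, are assumptions.

```python
# Added example: a minimal RT0 credential evaluator (not code from the slides).
# Credential "A.r <- body" is a tuple (A, r, body); body forms (RT0 has four):
#   ("member", "B")               A.r <- B
#   ("role", ("B", "r1"))         A.r <- B.r1
#   ("linked", ("B", "r1", "r2")) A.r <- B.r1.r2   (X.r2 for every X in B.r1)
#   ("intersect", [("B1", "r1"), ("B2", "r2")])  A.r <- B1.r1 ∩ B2.r2

def members(creds):
    """Least fixed point: apply the credentials until no role grows."""
    roles = {}  # (issuer, role) -> set of member entities
    def get(key): return roles.setdefault(key, set())
    changed = True
    while changed:
        changed = False
        for issuer, role, (kind, arg) in creds:
            if kind == "member":
                new = {arg}
            elif kind == "role":
                new = set(get(arg))
            elif kind == "linked":
                b, r1, r2 = arg
                new = set()
                for x in list(get((b, r1))):  # X ranges over B.r1 ...
                    new |= get((x, r2))       # ... contributing X.r2
            elif kind == "intersect":
                new = set.intersection(*[set(get(k)) for k in arg])
            else:
                raise ValueError(f"unknown body kind {kind!r}")
            target = get((issuer, role))
            if not new <= target:
                target |= new
                changed = True
    return roles

def has_access(creds, issuer, role, principal):
    """True if the credential chain proves principal is in issuer.role."""
    return principal in members(creds).get((issuer, role), set())

# Constructed credentials for the slide's scenario (role names are assumptions).
CREDS = [
    ("EPub", "access", ("role", ("EPub", "student"))),                   # access for students
    ("EPub", "student", ("linked", ("EPub", "university", "student"))),  # universities certify students
    ("EPub", "university", ("role", ("ABU", "accredited"))),             # ABU certifies universities
    ("ABU", "accredited", ("member", "StateU")),                         # StateU is a university
    ("StateU", "student", ("member", "Alice")),                          # Alice is a student
    # Unvouched issuer: FakeU is not ABU-accredited, so its claim never reaches EPub.
    ("FakeU", "student", ("member", "Eve")),
]
```

Only claims whose issuer is reachable through EPub's own trust statements count; a self-issued "student" credential from an issuer nobody vouches for is simply never consulted.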
7 Policy Management Lifecycle
Cycle diagram: Plan, Improve, Analyze, Enforce, Measure
8 Policy lifecycle issues
- Requirements capture
- What should the policy say?
- Development
- Adapt standard modules, build new ones, combine
- Evaluation
- Does the policy say what we want?
- Analysis, testing, debugging
- Compliance
- Can the policy be enforced by the information system?
- Maintenance
- Change as needed as requirements evolve
9 EPAL Concepts
- Condition, ruling, obligations
- If condition then outcome
- Outcome = ruling + obligations
- Ruling: yes, no, don't care
- Obligations: actions that must occur
- Examples
- If employee owns the file then yes
- If anyone accesses data then don't care and log the request
10 Policy language design space
Diagram axes: Permit / Deny vs. Permit only; Can be contradictory vs. Resolve contradiction. EPAL: ordered rules.
11 EPAL order priority
- Intuitive?
- Need to give exception before general case
- Birds can fly
- Penguins cannot fly
- Efficiency
- Cannot evaluate sub-policies in parallel
- Scalability
- How to combine separate sub-policies?
12 Some examples
- Unreachable
- If male then yes
- If female then no
- If manager then no
- Inapplicable
- If manager then yes
- If VP then no
- If male then no
- Ineffective
- If VP then run
- If manager then run, jump
- Redundant
- If manager then run, jump
- If VP then run
A policy editor could detect these situations
13 Policy Combination
Diagram: two sub-policies combined case by case. Where both rule Denied, or both rule Permitted, the combined result is clear (OK); where one rules Denied and the other Permitted, the combined result is open (??).
14 Policy Language and Deduction
- Specification
- State policy succinctly and directly
- Confident that policy captures intention
- Enforcement
- Deduction, proof of compliance
- Manage policy lifecycle
- Policy development tools
- Safety and availability analysis
15 Policy lifecycle issues
- Requirements capture
- What should the policy say?
- Development
- Adapt standard modules, build new ones, combine
- Evaluation
- Does the policy say what we want?
- Analysis, testing, debugging
- Compliance
- Can the policy be enforced by the information system?
- Maintenance
- Change as needed as requirements evolve
16 Questions?
- Policy development
- What concepts are important?
- Permissions? Denials? Obligations? Audit trail?
- Enforcement
- IT infrastructure vs. legal structure
- End-to-end privacy infrastructure
- Customer → Browser → Web site → Database
- Outsourcing and institutional partnerships