Governance Policies for Privacy Access and their Interactions - PowerPoint PPT Presentation

Slides: 34
Provided by: larah
1
Governance Policies for Privacy Access and their
Interactions
  • Wael Hassan, Luigi Logrippo
  • School of Information Technology and Engineering

2
Goal
  • Detecting policy interactions in privacy
    governance policies
  • How: by using formal models and by proposing a
    privacy model

3
Agenda
  • Policy Drivers
  • Convergence of control and policy systems
  • Requirements of new privacy models
  • Conflict detection using formal models
  • Delegation, separation, Alloy
  • Proposed process based privacy model
  • Evaluation
  • Support of existing concepts
  • Advantages over existing models
  • Verification
  • Conclusion

4
Policy Model Drivers
  • Convergence of control and policy systems
  • From operational to rules of governance
  • Activity or trigger based to data based
  • Requirements of new privacy models
  • Release information based on purpose
  • Control flow of information
  • Ability to specify separation of concerns

5
Layers
[Diagram: Process Level; Functional Hierarchies (Roles); Events and Transactions]
6
Conflicts in Enterprise Governance
  • Policies of access to information are framed by
    their scope
  • Logically contradicting policies will interact if
    their scopes overlap.
  • A subject roaming in multiple scopes can cause a
    rule conflict
  • A subject delegating authority of an object can
    cause a conflict
  • An object shared by multiple subjects can cause
    conflict
  • Policies of privacy access can interact if the
    reason (purpose) of access is conflicting

7
Overlapping scope (Policies x Roles)
[Diagram: Roaming, Delegation, Shared]
8
Examples
  • Rule: An employee cannot have access to both a
    customer's address and credit card information
    (card number, expiry date, PIN, and last 4
    digits on the back of the card)
  • Process: one of the tasks of issuing a new card
    (CreateAccount) includes the mailing of the
    credit card to the consumer.
  • Result: Interaction

9
Separation of concerns
  • Rule: No one person is allowed to create and
    delete accounts
  • In this instance Alloy was able to detect
    violations of this rule.

10
Delegation Interaction
  • Rule: Information collected for the purpose of
    credit verification should not be available to
    employees in loan processing
  • The Loan Processing process includes Verify Credit
  • Employee delegates Role to manager
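
Added example in Python (not from the slides): it flattens the process hierarchy listed on the Extra slide into everything a role can reach and flags the interactions of slides 8 and 9. The tagging of which node exposes address data, card data, or the create/delete capability is an assumption made for the illustration.

```python
# Process hierarchy as listed on the "Extra" slide; names without an entry
# (e.g. MailCard) are leaves.
PROCESSES = {
    "CreditCardApp": ["ReceiveCardApplication", "CallCreditCheck",
                      "IssueCard", "CreateAccount"],
    "CreateAccount": ["LeaveTraceInSystem", "CreateCard", "MailCard"],
    "DeleteAccount": ["LeaveTraceInSystem", "RemoveAccount"],
    "WithdrawApplication": ["DeleteAccount", "NotifyClient"],
}

# Constructed tagging (assumed, not on the slides) of what each node exposes.
TAGS = {
    "MailCard": {"address"},        # mailing the card needs the address
    "CreateCard": {"card"},         # card number, expiry date, PIN
    "CreateAccount": {"create_account"},
    "DeleteAccount": {"delete_account"},
}

# Mutually exclusive pairs: slide 8 (address vs. card data) and slide 9
# (create vs. delete accounts).
EXCLUSIVE_RULES = [("address", "card"), ("create_account", "delete_account")]


def reachable(node, processes=PROCESSES):
    """Every process and step reachable from node, node included."""
    seen, stack = set(), [node]
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(processes.get(n, []))
    return seen


def role_tags(assigned):
    """Union of the tags on everything the assigned processes reach."""
    return {t for p in assigned for n in reachable(p) for t in TAGS.get(n, ())}


def find_interactions(assignments):
    """Map each role to the exclusive-pair rules its assignment violates."""
    result = {}
    for role, procs in assignments.items():
        t = role_tags(procs)
        hits = [r for r in EXCLUSIVE_RULES if r[0] in t and r[1] in t]
        if hits:
            result[role] = hits
    return result
```

A role assigned only CreateAccount already reaches both MailCard and CreateCard, which is exactly the interaction slide 8 reports.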

11
Process Based Governance
  • Governance of organizations by specifying
    control of access (to information), by applying
    policies to processes

12
Process Based Control
  • A business process is a unit that can be composed
    of steps and/or processes.
  • Steps in a process are sequential

13
Business Process
  • In a business process environment it should be:
  • Easy to tie purposes to actions
  • Possible to apply invariants for a complete
    structure
  • Easy to trace policy modifications

14
PPM Approach Supports
  • Flow of information (Bell-LaPadula)
  • Separation of concerns (Chinese Wall)

15
Privacy Process Model
[Diagram: Users, Roles (Role Hierarchy), Processes (Process Hierarchy), Steps, Operations, Objects, Permissions (Permission Assignment)]
16
Two Variations
  • The process has all the properties and people are
    simply assigned to steps (activities) as per
    their roles
  • Steps retain properties and people are assigned
    to steps as per their roles

[Diagram: the User-Process and User-Step variants, each showing Process Hierarchy, Processes, Users, Steps]
17
Privacy Process Model - User-Step
[Diagram: Role Hierarchy, Roles, Process Hierarchy, Processes, Users, Permissions, Steps, Operations, Objects, Permission Assignment, Sequence]
18
Privacy Process Model - User-Process
[Diagram: Role Hierarchy, Roles, Process Hierarchy, Processes, Users, Permission Assignment, Permissions, Steps, Operations, Objects, Sequence]
19
Information flow
  • A part of standard procedures is delegating work
    to others.
  • Example: delegate meeting announcement to
    secretary
  • Using the process model:
  • Action: delegate meeting, allowed in a process
  • Action: meeting cancellation cannot be delegated

20
Separation of Concerns
  • In the banking industry, different groups may not
    share access to particular resources.
  • Using the process model we can set rules to
    separate groups
  • Example:
  • Admission and scholarship share no data
  • Finance and Marketing share no information

21
Advantages of PPM
  • Captures context
  • Simplifies management (privacy)

22
Captures Context
  • As a part of the credit application process
    (x, y, z, t), an employee A receives access to
    credit information in step z.
  • Using a standard security model, A can download
    all credit information of all customers on file.
  • When using a process model, access is granted or
    revoked based on the sequence of operations.
  • Therefore, under the process model, employee A
    will only have access if steps x and y have been
    performed.
  • Access will be revoked after operation t is
    completed
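
Added example in Python (not from the slides): a model of the credit application instance (x, y, z, t) in which credit information is visible only from step z until step t completes, and only for the customer this instance concerns. The access window, the per-customer scoping and the class name are assumptions made for the illustration.

```python
# Process instance with sequence-gated access (constructed example). The
# access window of each object and the per-customer scoping are assumptions.


class ProcessInstance:
    """One running process; steps must be completed strictly in order."""

    def __init__(self, steps, customer, windows):
        self.steps = tuple(steps)      # ordered step names, e.g. x, y, z, t
        self.customer = customer       # the customer this instance concerns
        self.windows = dict(windows)   # object -> (first step, last step)
        self.done = 0                  # number of completed steps

    def current_step(self):
        """Next step to execute, or None once the process has completed."""
        return self.steps[self.done] if self.done < len(self.steps) else None

    def can_access(self, obj, customer):
        """True only inside obj's window and for this instance's customer."""
        cur = self.current_step()
        if cur is None or customer != self.customer or obj not in self.windows:
            return False
        first, last = self.windows[obj]
        idx = self.steps.index
        return idx(first) <= idx(cur) <= idx(last)

    def complete_step(self, step):
        """Advance the sequence; an out-of-order step is refused."""
        if step != self.current_step():
            raise PermissionError(f"{step} is not the current step")
        self.done += 1


def credit_application(customer):
    """Slide 22: credit information is granted at step z, revoked after t."""
    return ProcessInstance("xyzt", customer, {"credit_info": ("z", "t")})


def trace(customer, other):
    """(own customer, other customer) access decisions before each step and
    after the last one; a role-only model would grant all of them."""
    inst = credit_application(customer)
    decisions = []
    for step in inst.steps:
        decisions.append((inst.can_access("credit_info", customer),
                          inst.can_access("credit_info", other)))
        inst.complete_step(step)
    decisions.append((inst.can_access("credit_info", customer),
                      inst.can_access("credit_info", other)))
    return decisions
```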

23
Simplifies Management
  • Privacy is dependent on the application and not
    on the identity.
  • An identity can have a role which is involved in
    several functions; its privileges are dependent
    on the process.
  • Grouping policies per process reduces time and
    management effort compared with policies that
    are based on roles.
  • Example
  • Old:
  • If rank is General, then grant access
  • If rank is Secretary and name is Lise, then grant
    access
  • New:
  • Secretary: allow-access step 3
  • General: allow-access process change-direction

24
Implementation and Validation
  • A validation environment is provided by the
    language Alloy
  • A formal language based on set theory and
    first-order predicate calculus
  • Model analyser
  • Consistency checker
  • Being developed at MIT

25
PPM implementations
  • PPM with non-serialized steps correctly
    implements Bell-LaPadula
  • Proven by Hassan using Alloy
  • PPM with non-serialized steps correctly
    implements SOD
  • Proven by Hassan using Alloy

Next step: Extend proofs to include serialization
of steps
26
Alloy
  • Signatures or elements are the basic constructs
    of an Alloy model
  • they are a cluster of relationships grouped in a
    class-like structure.

    // sigs the fragments below refer to, declared so the model type-checks
    sig CEO, role, steps {}

Enterprise
    abstract sig enterprise {
      root: lone CEO            // "lone root": at most one root CEO
    }

Process
    abstract sig process {
      parent: lone process,     // optional enclosing process
      composedOf: set steps     // steps the process is built from
    }

Policy
    abstract sig policy {
      attachedTo: lone process,
      permitted: role -> process,
      denied: role -> process
    }

Facts (Rules)
    fact Rules {
      // no (role, process) pair is both permitted and denied
      no permitted & denied
      // a policy only permits or denies the process it is attached to
      all p: policy | role.(p.permitted) in p.attachedTo
      all p: policy | role.(p.denied) in p.attachedTo
    }
27
Alloy Process
28
Architecture
[Diagram: UML Model, Verification]
29
Pragmatic Goals
  • GUIs to formulate validated policies
  • Able to answer questions
  • Given an enterprise model and a set of policies
  • Who can/cannot and under what circumstances
  • Given circumstances, who can/cannot?
  • Is there inconsistency?
  • Is the system compliant with a set of policies?
  • Automatic translation between
  • GUI representation
  • XACML representation
  • Formal representation (Alloy or other)

30
Conclusion and Future Work
  • Privacy requires a native model
  • We were able to model a system and detect basic
    interactions using a formal tool.
  • We plan to use a process based model that
    attaches policies to processes which are composed
    of activities.
  • We use Alloy as a model analyzer to verify
    properties.

31
  • Thanks from
  • Wael Hassan, Luigi Logrippo
  • wael_at_ieee.org, luigi_at_uqo.ca

32
(No Transcript)
33
Extra
  • (Process) CreditCardApp - (Process)
    ReceiveCardApplication, (Process)
    CallCreditCheck, (Process) IssueCard, (Process)
    CreateAccount.
  • (Process) CreateAccount - (Step)
    LeaveTraceInSystem, (Process) CreateCard,
    (Process) MailCard.
  • (Process) DeleteAccount - (Step)
    LeaveTraceInSystem, (Step) RemoveAccount.
  • (Process) WithdrawApplication - (Process)
    DeleteAccount, (Step) NotifyClient.