Policy Languages and Enforcement

Policy Languages and Enforcement. John Mitchell, Stanford. 4th IAPP Privacy Summit, February 2004.


Transcript of Policy Languages and Enforcement

Page 1: Policy Languages and Enforcement

Policy Languages and Enforcement

John Mitchell, Stanford

4th IAPP Privacy Summit

February 2004

Page 2: Policy Languages and Enforcement

PORTIA research project

Sensitive Information in a Wired World

Team

- Stanford, Yale, Stevens, NYU, UNM, …

Topics

- Privacy-preserving data mining
- Policy languages and enforcement
- Identity theft and identity privacy
- Using trusted platforms

Contact: http://crypto.stanford.edu/portia/

Page 3: Policy Languages and Enforcement

Enterprise Access Control

Policy dimensions: Who, What, When, Where, Why

Policy elements: User, Right, Resource, Constraint

Example: Joe can open financials.xls using wired SSL on his laptop

Page 4: Policy Languages and Enforcement

Distributed Access Control

- Policy at site A may govern resources at site B
- Protect distributed resources with distributed policy

[Diagram: three sites, each holding a Policy and a Resource, with an ID]

Page 5: Policy Languages and Enforcement

Decentralized Policy Example

Parties: Alice, EPub, StateU, ABU

Policy of EPub:

- Grants access to university students
- Trusts universities to certify students
- Trusts ABU to certify universities

Credentials:

- StateU is a university
- Alice is a student

Page 6: Policy Languages and Enforcement

Role-based Trust-management (RT)

- RT0: Decentralized Roles
- RT1: Parameterized Roles
- RTT: for Separation of Duties
- RTD: for Selective Use of Role memberships
- RT2: Logical Objects
- RT1C: structured resources
- RT2C: structured resources

RTT and RTD can be used (either together or separately) with any of the five base languages: RT0, RT1, RT2, RT1C, and RT2C.
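A worked evaluator for the decentralized example on the page 5 slide, written over the four RT0 credential forms. This is an added example, not code from the talk or the PORTIA project; the encoding of the scenario is constructed here, and the EPub.discount / ACM.member credentials are a hypothetical addition to show the intersection form.

```python
from typing import Dict, FrozenSet, List, Tuple
Role = Tuple[str, str]          # (entity, role name), e.g. ("EPub", "access")

def eval_rt0(creds: List[Tuple[Role, tuple]]) -> Dict[Role, FrozenSet[str]]:
    """Least-fixpoint role membership for RT0 credentials A.r <- body.
    Body forms: ("member", D)              A.r <- D
                ("role", B.r1)             A.r <- B.r1
                ("linked", A.r1, "r2")     A.r <- A.r1.r2
                ("intersect", B.r1, C.r2)  A.r <- B.r1 ^ C.r2
    Iterates until no role gains a member, so credential order is irrelevant.
    """
    members: Dict[Role, set] = {}
    mem = lambda role: members.setdefault(role, set())
    changed = True
    while changed:
        changed = False
        for head, body in creds:
            before = len(mem(head))
            if body[0] == "member":
                mem(head).add(body[1])
            elif body[0] == "role":
                mem(head).update(mem(body[1]))
            elif body[0] == "linked":   # every X in A.r1 contributes X.r2
                for x in list(mem(body[1])):
                    mem(head).update(mem((x, body[2])))
            elif body[0] == "intersect":
                mem(head).update(mem(body[1]) & mem(body[2]))
            changed |= len(mem(head)) != before
    return {r: frozenset(s) for r, s in members.items()}

# Constructed encoding of the slide-5 scenario plus one hypothetical intersection rule.
CREDS = [
    (("EPub", "access"),     ("linked", ("EPub", "university"), "student")),  # access for university students
    (("EPub", "university"), ("role", ("ABU", "university"))),                # trust ABU to certify universities
    (("ABU", "university"),  ("member", "StateU")),                           # StateU is a university
    (("StateU", "student"),  ("member", "Alice")),                            # Alice is a student
    (("EPub", "discount"),   ("intersect", ("EPub", "access"), ("ACM", "member"))),  # hypothetical extra rule
    (("ACM", "member"),      ("member", "Alice")),                            # hypothetical: Alice is an ACM member
]

def has_role(creds, entity: str, role: Role) -> bool:
    """Does the credential set prove that entity is a member of role?"""
    return entity in eval_rt0(creds).get(role, frozenset())

if __name__ == "__main__":
    print(has_role(CREDS, "Alice", ("EPub", "access")))    # True: ABU -> StateU -> Alice chain
    print(has_role(CREDS, "Bob", ("EPub", "access")))      # False: no certified university vouches for Bob
    print(has_role(CREDS, "Alice", ("EPub", "discount")))  # True: in both EPub.access and ACM.member
```

The access decision is derived purely from the credential chain, which is the "deduction, proof of compliance" enforcement model discussed later in the talk.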

Page 7: Policy Languages and Enforcement

Policy Management Lifecycle

Plan → Analyze → Enforce → Measure → Improve → (back to Plan)

Page 8: Policy Languages and Enforcement

Policy lifecycle issues

- Requirements capture: What should the policy say?
- Development: Adapt standard modules; build new ones; combine
- Evaluation: Does the policy say what we want? (Analysis, Testing, Debugging)
- Compliance: Can the policy be enforced by the information system?
- Maintenance: Change as needed as requirements evolve

Page 9: Policy Languages and Enforcement

EPAL Concepts

- Condition, ruling, obligations
  - If condition then outcome
  - Outcome = ruling + obligations
  - Ruling = { yes, no, don’t care }
  - Obligations: actions that must occur
- Examples
  - If employee owns the file then yes
  - If anyone accesses data then don’t care and log the request

Page 10: Policy Languages and Enforcement

Policy language design space

- Permit only
- Permit / Deny
  - Can be contradictory
  - Resolve contradiction: Ordered (EPAL)

Page 11: Policy Languages and Enforcement

EPAL order priority

- Intuitive? Need to give the exception before the general case: "Birds can fly", "Penguins cannot fly"
- Efficiency: Cannot evaluate sub-policies in parallel
- Scalability: How to combine separate sub-policies?

Page 12: Policy Languages and Enforcement

Some examples

- Unreachable: If male then yes; If female then no; If manager then no
- Inapplicable: If manager then yes; If VP then no; If male then no
- Ineffective: If VP then {run}; If manager then {run, jump}
- Redundant: If manager then {run, jump}; If VP then {run}

A policy editor could detect these situations.

Page 13: Policy Languages and Enforcement

Policy Combination

[Diagram: two policies, each with Permitted / Denied outcomes, combined with "+" into a single policy; the first combination is marked OK, the second is marked "??"]

Page 14: Policy Languages and Enforcement

Policy Language and Deduction

- Specification: State policy succinctly and directly; be confident that the policy captures the intention
- Enforcement: Deduction, proof of compliance
- Manage policy lifecycle: Policy development tools; Safety and availability analysis

Page 15: Policy Languages and Enforcement

Policy lifecycle issues

- Requirements capture: What should the policy say?
- Development: Adapt standard modules; build new ones; combine
- Evaluation: Does the policy say what we want? (Analysis, Testing, Debugging)
- Compliance: Can the policy be enforced by the information system?
- Maintenance: Change as needed as requirements evolve

Page 16: Policy Languages and Enforcement

Questions?

- Policy development: What concepts are important? Permissions? Denials? Obligations? Audit trail?
- Enforcement: IT infrastructure vs legal structure
- End-to-end privacy infrastructure: Customer – Browser – Web site – Database
- Outsourcing and institutional partnerships