Transcript of Policy Languages and Enforcement
Policy Languages and Enforcement
John Mitchell, Stanford
4th IAPP Privacy Summit
February 2004
PORTIA research project
Sensitive Information in a Wired World
Team
- Stanford, Yale, Stevens, NYU, UNM, …
Topics
- Privacy-preserving data mining
- Policy languages and enforcement
- Identity theft and identity privacy
- Using trusted platforms
Contact: http://crypto.stanford.edu/portia/
Enterprise Access Control
[Figure: a policy relates Who (User), What (Right), When and Where (Constraint) to a Resource, and asks Why]
Example: Joe can open financials.xls using wired SSL on his laptop
Policy at site A may govern resources at site B
Protect distributed resources with distributed policy
Distributed Access Control
[Figure: several sites, each with its own Policy and Resource, connected through an ID]
Decentralized Policy Example
[Figure: Alice, EPub, StateU, ABU]
- StateU is a university
- Alice is a student
- Grants access to university students
- Trusts universities to certify students
- Trusts ABU to certify universities
Role-based Trust-management (RT)
- RT0: Decentralized Roles
- RT1: Parameterized Roles
- RTT: for Separation of Duties
- RTD: for Selective Use of Role memberships
- RT2: Logical Objects
- RTT and RTD can be used (either together or separately) with any of the five base languages: RT0, RT1, RT2, RT1C, and RT2C
- RT1C: structured resources
- RT2C: structured resources
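The decentralized policy example above (EPub, StateU, ABU, Alice) is exactly the kind of chain RT0 credentials express. The following is an added example, not code from the PORTIA project or the talk: a minimal evaluator for the four RT0 credential forms (simple member, simple containment, linking containment, intersection) that computes role membership as a least fixpoint. The role names (EPub.access, EPub.university, ABU.accredited, StateU.student) and the extra issuer DiplomaMill with its claimed student Mallory are constructed to mirror the slide and to show a chain that must not succeed.

```python
"""Minimal evaluator for RT0 credentials. Added example, not PORTIA code.
Role names and the DiplomaMill/Mallory entries are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple, Union

Role = Tuple[str, str]  # (issuer, role name), e.g. ("EPub", "access")


@dataclass(frozen=True)
class Member:          # A.r <- D        : entity D is a member of A.r
    head: Role
    entity: str


@dataclass(frozen=True)
class Containment:     # A.r <- B.r1     : every member of B.r1 is in A.r
    head: Role
    role: Role


@dataclass(frozen=True)
class Linked:          # A.r <- A.r1.r2  : for each B in A.r1, B.r2 is in A.r
    head: Role
    link_role: str
    role_name: str


@dataclass(frozen=True)
class Intersection:    # A.r <- B1.r1 ∩ B2.r2 ∩ ...
    head: Role
    roles: Tuple[Role, ...]


Credential = Union[Member, Containment, Linked, Intersection]


def members(credentials: List[Credential]) -> Dict[Role, FrozenSet[str]]:
    """Least fixpoint: keep applying credentials until no role gains a member."""
    result: Dict[Role, set] = {c.head: set() for c in credentials}
    changed = True
    while changed:
        changed = False
        for c in credentials:
            before = len(result[c.head])
            if isinstance(c, Member):
                result[c.head].add(c.entity)
            elif isinstance(c, Containment):
                result[c.head] |= result.get(c.role, set())
            elif isinstance(c, Linked):
                issuer = c.head[0]
                # copy the linking role's members: the head may be that same role
                for b in list(result.get((issuer, c.link_role), set())):
                    result[c.head] |= result.get((b, c.role_name), set())
            elif isinstance(c, Intersection):
                sets = [result.get(r, set()) for r in c.roles]
                if sets:
                    result[c.head] |= set.intersection(*sets)
            if len(result[c.head]) != before:
                changed = True
    return {r: frozenset(s) for r, s in result.items()}


def in_role(credentials: List[Credential], role: Role, entity: str) -> bool:
    """Authorization question: does the credential set prove entity in role?"""
    return entity in members(credentials).get(role, frozenset())


def epub_credentials() -> List[Credential]:
    """The slide's example with constructed role names, plus one bogus chain."""
    return [
        # EPub grants access to students of any university it recognises
        Linked(("EPub", "access"), "university", "student"),
        # EPub trusts ABU to certify universities
        Containment(("EPub", "university"), ("ABU", "accredited")),
        # ABU certifies StateU as a university
        Member(("ABU", "accredited"), "StateU"),
        # StateU certifies Alice as a student
        Member(("StateU", "student"), "Alice"),
        # Constructed: an issuer nobody accredited also claims a student
        Member(("DiplomaMill", "student"), "Mallory"),
    ]


if __name__ == "__main__":
    creds = epub_credentials()
    print(in_role(creds, ("EPub", "access"), "Alice"))    # True
    print(in_role(creds, ("EPub", "access"), "Mallory"))  # False
```

Mallory is refused not because any rule denies her but because no credential chain from a principal EPub trusts reaches her: the absence of a proof is the denial, which is what makes this style of policy safe to evaluate over credentials collected from many sites.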
Policy Management Lifecycle
[Figure: cycle Plan, Analyze, Enforce, Measure, Improve]
Policy lifecycle issues
- Requirements capture: What should the policy say?
- Development: Adapt standard modules; build new ones; combine
- Evaluation: Does the policy say what we want?
  - Analysis, Testing, Debugging
- Compliance: Can the policy be enforced by the information system?
- Maintenance: Change as needed as requirements evolve
EPAL Concepts
- Condition, ruling, obligations
  - If condition then outcome
  - Outcome = ruling + obligations
  - Ruling = { yes, no, don't care }
  - Obligations: actions that must occur
- Examples
  - If employee owns the file then yes
  - If anyone accesses data then don't care and log the request
Policy language design space
- Permit only
- Permit / Deny
  - Can be contradictory
  - Resolve contradiction
    - Ordered (EPAL)
EPAL order priority
- Intuitive? Need to give the exception before the general case
  - Birds can fly; Penguins cannot fly
- Efficiency: Cannot evaluate sub-policies in parallel
- Scalability: How to combine separate sub-policies?
Some examples
- Unreachable: If male then yes; If female then no; If manager then no
- Inapplicable: If manager then yes; If VP then no; If male then no
- Ineffective: If VP then {run}; If manager then {run, jump}
- Redundant: If manager then {run, jump}; If VP then {run}
A policy editor could detect these situations
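One way such a policy editor can detect these situations mechanically, as an added example that is not from the talk: enumerate the finite subject domain and evaluate an ordered (first-applicable-rule) policy of EPAL-style rules, where an outcome is a ruling plus obligations as on the EPAL Concepts slide. The checker reports rules that are never the first applicable rule (the slide's Unreachable and Inapplicable cases) and rules that do fire but whose deletion changes no outcome (a redundant rule); it does not attempt the Ineffective case. The attribute domain and the structural assumption that every VP is also a manager are constructed for this example.

```python
"""Static checks on an ordered EPAL-style policy. Added example, not from
the talk. Assumes a small finite attribute domain and that every VP is
also a manager (both constructed)."""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, List, Optional, Tuple

Subject = Dict[str, object]
Outcome = Tuple[str, Tuple[str, ...]]   # (ruling, obligations)


@dataclass(frozen=True)
class Rule:
    name: str
    cond: Callable[[Subject], bool]
    ruling: str                          # "yes", "no" or "don't care"
    obligations: Tuple[str, ...] = ()    # actions that must occur


def subjects() -> List[Subject]:
    """Every consistent subject in the constructed attribute domain."""
    out = []
    for gender, manager, vp in product(("male", "female"), (False, True), (False, True)):
        if vp and not manager:           # assumed constraint: a VP is a manager
            continue
        out.append({"gender": gender, "manager": manager, "vp": vp})
    return out


def evaluate(rules: List[Rule], s: Subject) -> Optional[Outcome]:
    """Ordered semantics: the first rule whose condition holds decides."""
    for r in rules:
        if r.cond(s):
            return (r.ruling, r.obligations)
    return None                           # no applicable rule


def analyze(rules: List[Rule]) -> Tuple[List[str], List[str]]:
    """Return (shadowed, redundant) rule names.
    shadowed  : never the first applicable rule for any subject
    redundant : does fire, but deleting it changes no outcome"""
    fires = {r.name: False for r in rules}
    for s in subjects():
        for r in rules:
            if r.cond(s):
                fires[r.name] = True
                break
    shadowed = [n for n, f in fires.items() if not f]
    redundant = []
    for r in rules:
        if not fires[r.name]:
            continue
        without = [x for x in rules if x is not r]
        if all(evaluate(rules, s) == evaluate(without, s) for s in subjects()):
            redundant.append(r.name)
    return shadowed, redundant


# Constructed rule sets following the slide's patterns
UNREACHABLE = [
    Rule("male->yes", lambda s: s["gender"] == "male", "yes"),
    Rule("female->no", lambda s: s["gender"] == "female", "no"),
    Rule("manager->no", lambda s: s["manager"], "no"),      # never first
]
INAPPLICABLE = [
    Rule("manager->yes", lambda s: s["manager"], "yes"),
    Rule("vp->no", lambda s: s["vp"], "no"),                # every VP is a manager
    Rule("male->no", lambda s: s["gender"] == "male", "no"),
]
REDUNDANT = [
    Rule("vp->yes", lambda s: s["vp"], "yes", ("log",)),    # fires, but changes nothing
    Rule("manager->yes", lambda s: s["manager"], "yes", ("log",)),
]

if __name__ == "__main__":
    for label, policy in (("unreachable", UNREACHABLE),
                          ("inapplicable", INAPPLICABLE),
                          ("redundant", REDUNDANT)):
        print(label, analyze(policy))
```

Because the check compares whole outcomes, a rule is only redundant when the rules after it reproduce both the ruling and the obligations; a rule that merely adds a logging obligation is kept.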
Policy Combination
[Figure: two examples of combining the Permitted/Denied outcomes of sub-policies; the first combination is marked OK, the second is marked ??]
Policy Language and Deduction
- Specification: State policy succinctly and directly; confident that the policy captures intention
- Enforcement: Deduction, proof of compliance
- Manage policy lifecycle: Policy development tools; safety and availability analysis
Questions?
- Policy development: What concepts are important? Permissions? Denials? Obligations? Audit trail?
- Enforcement: IT infrastructure vs legal structure
- End-to-end privacy infrastructure: Customer – Browser – Web site – Database; outsourcing and institutional partnerships