Privacy Topics for TAMI/PORTIA Conference


IBM Security Strategy

Privacy Topics for TAMI/PORTIA 04/19/23 © 2004 IBM Corporation

Privacy Topics for TAMI/PORTIA Conference

Calvin Powers, [email protected]


Topics

Encryption At Rest


California Bill SB 1386

This bill, operative July 1, 2003, would require a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Similar laws being considered at the Federal Level


Motivation for SB 1386

http://www.nwfusion.com/news/2005/0408stolelapto.html?nl


The Bottom Line

Unencrypted data in database files on a hard drive falls under the notification requirements of SB 1386.

The legal assumption is that data can be accessed directly from the files even when the DB software is not running.

Persisted personal information in database tables must be encrypted.

The Challenge: Doing this while minimizing the disruption to existing infrastructure

The Challenge: Key Management is always the biggest impediment to encryption use.


Topics

Sticky Policy Paradigm


Relating Policies To Data Base Schema


How Bad Things Happen To Data


The “Sticky Policy Paradigm”

Challenge: How can we do this for all repositories and all types of data flow without being completely disruptive?

We can assume non-malicious environments


Topics

Purpose Based Access Control


“Purpose of Usage” is a new element in policy

In the Past

“Members of the marketing dept. are allowed to query the accounting database.”

Today:

“Members of the marketing dept. are permitted to see an individual’s credit score for the purpose of developing a new loan product only if the individual provides explicit authorization.”


Break Down the Policy Into Key Concepts

From the human-readable policy, start identifying the Groups, Purposes and PII types.

Sharing of information with third-parties

Partners: When you buy something from us we may share your name and mailing address with a few carefully selected marketing partners, except for our customers who reside in the states of Vermont and California. When you place your order you will be given a clearly labeled opportunity to opt out of sharing this information. We will never share any telephone numbers, e-mail addresses, or financial information you have given us with any marketing partners.

Credit card companies and Shippers: When you buy something from us we send your credit card information, name, billing address, and the amount of your purchase to your credit card company to verify and authorize your purchase. Your name, telephone number, and shipping information must be provided to third party shippers to deliver your purchase.

In this policy, the Groups are given in generalized terms, as “us” and “we”.


Creating Policy Rules From the Key Concepts

After identifying the basic pieces of the policy statements, we can start to form the policy statements. We can break the text down into 3-4 policy statements that have a structured form.

Widget's Billing Department will use credit card and address information to charge your credit card for the purchases you made.

Widget's Shipping Department will use your address information to ship your order.

If you opt-in, Widget's Shipping Department will use your e-mail address to notify you of your order's shipment status.

Widget's Marketing Department will share your name and mailing address with selected marketing partners unless you opt out or if you live in Vermont or California.


Please Note:

“Purposes” are not “roles”!

– More transaction/unit of work oriented

– The issue is not “what label(s) are attached to your credential” but “what unit of work are you doing with my data.”

Challenge: How can we determine “at run time” what the purpose of a data access or usage is (in an efficient way)?
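As an added example (not code from the original deck), the four structured Widget statements encoded as (group, purpose, PII type, condition) rules with a default-deny decision function; the group, purpose and attribute names are assumptions. It shows the point above: the same department is allowed or refused the same PII type depending on the unit of work it is doing, not on its role label.

```python
"""Purpose-based access decisions for the four Widget policy statements above.
Added illustration, not code from the slides. Group, purpose and PII type names
and the Subject fields (state, opt-in and opt-out sets) are assumptions that
mirror the statements' opt-in, opt-out and Vermont/California conditions."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Subject:
    """The individual whose data is used (constructed sample fields)."""
    state: str
    opt_in: FrozenSet[str] = frozenset()   # explicit authorizations given
    opt_out: FrozenSet[str] = frozenset()  # explicit refusals given


@dataclass(frozen=True)
class Rule:
    group: str                 # who: the department
    purpose: str               # what unit of work the data is used for
    pii_types: FrozenSet[str]  # which PII types that purpose may touch
    text: str                  # the human-readable statement encoded
    condition: Optional[Callable[[Subject], bool]] = None  # None = unconditional


POLICY: List[Rule] = [
    Rule("Billing", "charge_purchase", frozenset({"credit_card", "address"}),
         "Billing uses credit card and address information to charge your card."),
    Rule("Shipping", "ship_order", frozenset({"address"}),
         "Shipping uses your address information to ship your order."),
    Rule("Shipping", "notify_shipment_status", frozenset({"email"}),
         "If you opt in, Shipping uses your e-mail address for shipment status.",
         condition=lambda s: "shipment_status" in s.opt_in),
    Rule("Marketing", "partner_sharing", frozenset({"name", "mailing_address"}),
         "Marketing shares name and mailing address with selected partners "
         "unless you opt out or live in Vermont or California.",
         condition=lambda s: "partner_sharing" not in s.opt_out
         and s.state not in {"VT", "CA"}),
]


def decide(group: str, purpose: str, pii_type: str,
           subject: Subject) -> Tuple[bool, str]:
    """Default deny: permitted only if some statement names this group, this
    purpose AND this PII type, and its condition holds for the subject. The
    purpose, not the accessor's role label, is what decides: the same group may
    reach a PII type for one unit of work and be refused it for another."""
    unmet: Optional[Rule] = None
    for rule in POLICY:
        if (rule.group, rule.purpose) != (group, purpose) or pii_type not in rule.pii_types:
            continue
        if rule.condition is None or rule.condition(subject):
            return True, rule.text
        unmet = rule
    if unmet:
        return False, f"condition not met for this individual: {unmet.text}"
    return False, f"no statement permits {group} to use {pii_type} for {purpose}"


if __name__ == "__main__":
    nc = Subject(state="NC")
    print(decide("Shipping", "ship_order", "email", nc))             # denied: wrong purpose
    print(decide("Shipping", "notify_shipment_status", "email", nc))  # denied: no opt-in
    print(decide("Marketing", "partner_sharing", "name", Subject(state="CA")))
```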


Topics

Expression of Policies


The Privacy Place Research on Semantic Analysis of Privacy Policies

“Mining Rule Semantics to Understand Legislative Compliance” – T. D. Breaux and A. I. Antón. Accepted to: ACM Workshop on Privacy in Electronic Society (WPES'05), NCSU CSC Technical Report #TR-2005-31, Alexandria, Virginia, USA, 2005.
– http://www.theprivacyplace.org/papers/TR_2005-31.pdf

“Analyzing Goals for Rights, Permissions and Obligations” – T. D. Breaux and A. I. Antón. In Proceedings 13th IEEE International Conference on Requirements Engineering (RE'05), NCSU CSC Technical Report #TR-2005-08, Paris, France, 2005.
– http://www.theprivacyplace.org/papers/TR_2004-36.pdf

“Deriving Semantic Models from Privacy Policy Goals” – T. D. Breaux and A. I. Antón. In Proceedings: 6th IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'05), NCSU CSC Technical Report #TR-2004-36, Stockholm, Sweden, 2005.
– http://www.theprivacyplace.org/papers/TR_2004-36.pdf

http://www.theprivacyplace.org


Semantics of Business Vocabulary and Business Rules (SBVR)

This specification defines the vocabulary and rules for documenting the semantics of business vocabulary, business facts, and business rules, as well as an XMI schema for the interchange of business vocabularies and business rules among organizations and between software tools.


Why SBVR?

Natural Language Text Representation
– Precise, yet reads like natural language text
– Important for review by policy makers and subject matter experts for domains
– Uses same vocabulary to express domain models and policies on domains
– Incorporates the notion of community vocabularies and domains of knowledge

Machine Interpretable Expression
– XML/XMI representation of statements
– For further transformation into IT domain artifacts

Establishes linkage between the “policy” world and the “IT World”

Challenge: Can SBVR be used to express all the concepts we need for privacy policies?


Topics

Discovering Risks With Process Modeling


Data Flow and Data Protection in the Jet Blue Case

Lesson: How do we make sure that data protection requirements flow with the data as it is disclosed across organizational boundaries?

See “The Complexity Underlying JetBlue’s Privacy Policy Violations” <http://www.theprivacyplace.org/papers/tr_2003_21.pdf>


Composite Apps Increase the Risk of Data Theft

Time Warner lost tapes containing social security numbers for over 600,000 employees while in transit to off-site archival facilities.
– See “After Data Losses Like Time Warner's, Companies Need To Rethink Tape-Storage Security” <http://www.informationweek.com/shared/printableArticle.jhtml?articleID=162101437>

City National Bank, from Los Angeles, California, also lost two tapes containing sensitive data, including Social Security numbers and other customer account information.
– See “Iron Mountain Loses More Tapes” <http://www.informationweek.com/shared/printableArticle.jhtml?articleID=165701015>

In April 2005, a laptop computer containing the names and Social Security numbers of about 16,500 current and former employees of MCI was stolen.
– See “MCI: Employee Data Was On Stolen Laptop” <http://www.nytimes.com/reuters/business/business-telecoms-mci-theft.html>

A medical group in San Jose, California, acknowledged that two computers were stolen from the organization's offices from behind locked doors. These computers contained information about 185,000 people, including social security numbers and confidential medical information.
– See “Stolen laptops contain medical info on 185,000 patients” <http://www.networkworld.com/news/2005/0408stolelapto.html?nl>

Types of Data Being Stolen
– Identity Information (information used in identity theft activities, especially SSNs, individual financial account information, etc.)
– Bill of materials data for sensitive technology products that can’t be shared with rogue countries.
– Trade secret information (formulary information, source code, etc.)

Lesson: Hindsight is 20/20. Why didn’t anyone detect these security exposures before they happened? How do you evaluate the potential risk of customer information on a tape in transit through a courier service? More important: How do you even make sure you think about evaluating the risk?


Problem

How Can I Ensure Customer Information Is Protected?

Objectives:

– Customer data must always be encrypted with 56 bit keys or stronger when persisted.

– The following text must be in all agreements with business partners if they receive customer information:

• “Lorem ipso foer tyr wuz de ramas cora dola tym ipso hor.Lorem ipso foer tyr wuz de ramas cora dola tym ipso hor tyr wuz de ramas cora dola tymon ipso foer tyr wuz de ramas cora dola tymo. Lorem ipso hoccer foer tyr wuz de ras cora dola tymon ipso hoc cer fuz de ramas cora dola tymon ipso hoccer. Lorem ipso foer tyr wuz de ramas cora dola tym ipso hor. . .”


Create a Policy Artifact in the Modeling Tool

-- persisted customer info encrypted with 56 bit keys or stronger?

-- customer info protection clause in agreements with business partners?

This policy has two policy artifacts in it which must be implemented in all business processes which handle customer information.


Attach the Policy To The Customer Information

The policy would be attached to the customer information at the point it enters the company.

This association of policy to business object is a type of classification.


Policy Flows with Data Automatically

The tool could understand how fields from the order request are propagated to other business items in the flow.


Policy Attachment Flows to Sub-processes

The policy-attached business item from the overall process is propagated to the flows in the sub-process.

The tool knows that OrderInfo objects stored in the shared database have this policy associated with them.


Policy Attachment Flows Out Of Database

The tool knows that OrderInfo objects flowing out of the database have the policy attached to them.


What’s Next

Policy Attached Data is Now Mapped through the process

Each Process and Activity Can Be Evaluated Against the Policy Artifacts


Documentation About Policy Compliance Is Collected (1)

The owner of each activity is prompted to document how policy artifacts are implemented. (Or at least state that they are not applicable.)

-- persisted customer info encrypted with 56 bit keys or stronger?

A: No customer information is persisted in this Activity

-- customer info protection clause in agreements with business partners?

A: No customer information is disclosed to business partners in this step.

-- Signed, Bob Smith, Order Fulfillment manager


Documentation About Policy Compliance Is Collected (2)

The owner of each activity would be prompted to document how policy artifacts are implemented. (Or at least state that they are not applicable.)

-- persisted customer info encrypted with 56 bit keys or stronger?

A: DB2 Table level encryption configuration has been set to x, y, and z to provide the necessary level of encryption. See XXX in Tivoli Configuration Manager for more details.

-- customer info protection clause in agreements with business partners?

A: Business Partners do not have access to this database.

-- Signed, Alice Jones, Database Administrator


Documentation About Policy Compliance Is Collected (3)

-- persisted customer info encrypted with 56 bit keys or stronger?

A: Customer information is NOT encrypted when written to tape!

-- customer info protection clause in agreements with business partners?

A: yes. See business partner agreement with Iron Mountain. Document 12-3456-B last revision January 1, 2005.

-- Signed, Charlie Davis, Archival Administrator

Charlie Davis flags this policy artifact as a risk item because it has not been addressed.


Process Summary Report To Create Big Picture View

Process Summary as of September 19, 2005

Order Fulfillment Process
– Update Order Information Activity
  • Customer Info Protection Policy
    – Q: persisted customer info encrypted with 56 bit keys or stronger?
    – A: No customer information is persisted in this Activity
    – Q: Customer info protection clause in agreements with business partners?
    – A: No customer information is disclosed to business partners in this step.
    – Reported and signed by Bob Smith, Order Fulfillment Manager
– Place Supplier Order Activity
  • No Information Available
– Place Carrier Order Activity
  • No Information Available
– Order Information Database
  – Q: persisted customer info encrypted with 56 bit keys or stronger?
  – A: DB2 Table level encryption configuration has been set to x, y, and z to provide the necessary level of encryption. See XXX in Tivoli Configuration Manager for more details.
  – Q: Customer info protection clause in agreements with business partners?
  – A: Business Partners do not have access to this database.
  – Reported and signed by Alice Jones, Database Administrator

Order Archival Process
– Extract Orders Older Than 2 Years Activity
  • No Information Available
– Create Archival Tape Activity
  • No Information Available
– Tape Storage Service
  • Customer Info Protection Policy
    – Q: persisted customer info encrypted with 56 bit keys or stronger?
    – A: Customer information is NOT encrypted when written to tape!
    – Q: Customer info protection clause in agreements with business partners?
    – A: yes. See business partner agreement with Iron Mountain. Document 12-3456-B last revision January 1, 2005.
    – Reported and signed by Charlie Davis, Archival Administrator


Summary

Process Model Tools Can Understand Data Flow

Policy Should be Attached to Data, Not Systems

Tools Should track the policy attached data through all processes, activities, and services.

– Difficult for people to understand flow and track the data.

Each Activity Owner should be responsible for documenting the policy artifact implementation for the processes, activities, and services he/she owns.

– Policy artifacts which aren’t implemented should be flagged as risk items for analysis, prioritization, and remediation.

“Roll Up” reports should summarize current state of policy implementation for the processes.

Challenge: How can this be done in an automated way or with minimal work effort?
– If automated, how are the policy requirements expressed?
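The attach, propagate, document and "roll up" procedure of the preceding slides as an added Python sketch (not the modeling tool the slides describe): the activity names, owners and answers follow the Process Summary slide, while the "Order Entry" attachment point, the flow edges and the data structures are assumptions.

```python
"""Sticky-policy roll-up over a process model: propagate the policy attached to
OrderInfo along the data flow, collect each owner's answers to the two policy
artifacts, and surface unaddressed artifacts as risk items. Added illustration,
not a tool from the slides; the "Order Entry" point and FLOW edges are assumed."""
from collections import deque

ARTIFACTS = (
    "persisted customer info encrypted with 56 bit keys or stronger?",
    "customer info protection clause in agreements with business partners?",
)

# Constructed data flow of the policy-attached OrderInfo item: activity -> successors.
FLOW = {
    "Order Entry": ["Update Order Information", "Order Information Database"],
    "Update Order Information": ["Place Supplier Order", "Place Carrier Order"],
    "Order Information Database": ["Extract Orders Older Than 2 Years"],
    "Extract Orders Older Than 2 Years": ["Create Archival Tape"],
    "Create Archival Tape": ["Tape Storage Service"],
}

# Owners' documentation as on the slides: (owner, answers in ARTIFACTS order,
# indexes of artifacts the owner flagged as risk items); None = no information yet.
DOCS = {
    "Update Order Information": ("Bob Smith, Order Fulfillment Manager",
        ["No customer information is persisted in this Activity",
         "No customer information is disclosed to business partners in this step."], set()),
    "Place Supplier Order": None,
    "Place Carrier Order": None,
    "Order Information Database": ("Alice Jones, Database Administrator",
        ["DB2 Table level encryption configuration has been set to x, y, and z.",
         "Business Partners do not have access to this database."], set()),
    "Extract Orders Older Than 2 Years": None,
    "Create Archival Tape": None,
    "Tape Storage Service": ("Charlie Davis, Archival Administrator",
        ["Customer information is NOT encrypted when written to tape!",
         "yes. See business partner agreement with Iron Mountain."], {0}),
}


def reach(flow, entry_point):
    """Everything the policy-attached item flows into from where the policy was attached."""
    seen, queue = set(), deque([entry_point])
    while queue:
        for nxt in flow.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def roll_up(flow, docs, entry_point="Order Entry"):
    """Big-picture view: per-activity report lines, risk items, activities with no information."""
    risk, missing, lines = [], [], []
    for node in sorted(reach(flow, entry_point)):
        if docs.get(node) is None:
            missing.append(node)
            lines.append(f"{node}: No Information Available")
            continue
        owner, answers, flagged = docs[node]
        for i, q in enumerate(ARTIFACTS):
            # A risk item is an artifact its owner flagged as not addressed.
            lines.append(f"{node}: Q: {q} A: {answers[i]}" + ("  [RISK]" if i in flagged else ""))
            if i in flagged:
                risk.append((node, q))
        lines.append(f"{node}: Reported and signed by {owner}")
    return {"risk_items": risk, "no_information": missing, "report": lines}
```

Running `roll_up(FLOW, DOCS)` reproduces the summary slide: one risk item (tape encryption) and four activities with no information, which is exactly what the "?" markers on the slide point at.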


Topics

Hippocratic Database Technology


HDB Active Enforcement

Database Powered by HDB

Give me the names, incomes & addresses of your clients

I can only disclose incomes & addresses of clients who have given consent


HDB Active Enforcement

[Architecture diagram: Database Powered by HDB]
– Installation: Policy Parser
– Negotiation: User Preferences and Policy Matching
– Enforcement: Database Query Interface
– Policy Metadata
– User Data


Enforcement: Value Proposition

Ease of Integration

– Implementation intercepts and rewrites incoming queries to factor in policy, user choices, and context (e.g. purpose).

Fine-Grained

– Database-enforced, cell-level disclosure control based on an organization’s data policy and user preferences.

Easier Enforcement after Policy Modification

– Centralized and seamless policy creation and update.

System Impact

– Applications do not require any modification.


Enforcement: Value Proposition (cont’d)

Database agnostic

– Does not require any change in the database engine.

Reuses current features

– Rewritten queries benefit from all the optimizations and performance enhancements provided by underlying engine (e.g. parallelism).

Performance

[Chart: Query Execution Time (seconds) vs. Application Selectivity (0.01, 0.1, 0.2, 0.5, 1), Original Queries vs. Rewritten Queries, 10 million records]

[Chart: Query Execution Time (seconds) vs. Choice Selectivity (0.01, 0.1, 0.5, 0.9, 1), Original Query vs. Rewritten Query]

Worst Case: Choice Selectivity = 1. Everyone discloses everything. Query processing yields no value. The penalty is 5-15% of the execution time of the original query.

Standard Cases: Choice Selectivity varies. In best case, HDB Active Enforcement gives an order of magnitude improvement.


HDB Active Enforcement Core: Cell-Level Policy Enforcement

Example Scenario

Customer table:

ID  NAME   PHONE     SALARY
1   Alice  111-1111  10,000
2   Bob    222-2222  20,000
3   Carl   333-3333  30,000
4   David  444-4444  40,000

Opt-in choices:

ID  PhoneChoice  SalaryChoice
1   0            1
2   1            0
3   0            0
4   1            1

For a certain user (data accessor) and purpose, name is allowed under the privacy policy; phone and salary are allowed on an opt-in basis.


HDB Active Enforcement Core: Cell-Level Policy Enforcement (cont’d)

Results of query:

SELECT Name, Phone, Salary
FROM Customer

NAME   PHONE     SALARY
Alice  -         10,000
Bob    222-2222  -
Carl   -         -
David  444-4444  40,000

• Forbidden values covered by null values in resulting tables
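The masking on this slide as an added example of policy-driven query rewriting, run with sqlite3 (this is not HDB's own code): the application's `SELECT Name, Phone, Salary FROM Customer` is intercepted and replaced by a join against the opt-in choices so that each non-consented cell comes back as NULL. The Choice table name and layout and the column-to-choice mapping are assumptions.

```python
"""Query rewriting for cell-level disclosure control, reproducing the Customer
table, the opt-in choices and the masked result from the slides with sqlite3.
Added illustration of the rewriting idea, not HDB's own implementation. The
Choice table layout and the SCENARIO policy mapping are assumptions."""
import sqlite3
from typing import Dict, List, Optional, Tuple

# Requested column -> choice column that must be 1 for disclosure; None means the
# policy allows the column for this accessor and purpose without opt-in (Name).
Policy = Dict[str, Optional[str]]
SCENARIO: Policy = {"Name": None, "Phone": "PhoneChoice", "Salary": "SalaryChoice"}


def load_sample_db() -> sqlite3.Connection:
    """Constructed in-memory copy of the two tables on the slide."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Customer(ID INTEGER PRIMARY KEY, Name TEXT, Phone TEXT, Salary INTEGER);
        CREATE TABLE Choice(ID INTEGER PRIMARY KEY, PhoneChoice INTEGER, SalaryChoice INTEGER);
        INSERT INTO Customer VALUES (1,'Alice','111-1111',10000), (2,'Bob','222-2222',20000),
                                    (3,'Carl','333-3333',30000), (4,'David','444-4444',40000);
        INSERT INTO Choice VALUES (1,0,1), (2,1,0), (3,0,0), (4,1,1);
    """)
    return conn


def rewrite(columns: List[str], policy: Policy) -> str:
    """Rewrite 'SELECT <columns> FROM Customer' so every opt-in column is masked to
    NULL unless the individual's choice bit is 1. The application's own SQL is not
    touched; the interception layer hands the engine this query instead, and the
    engine optimizes it like any other join."""
    for c in columns:
        if c not in policy:  # column the policy never allows for this accessor/purpose
            raise PermissionError(f"{c} is not disclosable under the policy")
    parts = []
    for c in columns:
        choice = policy[c]
        if choice is None:
            parts.append(f"c.{c}")
        else:
            # LEFT JOIN: an individual with no choice row gets NULL, i.e. not disclosed.
            parts.append(f"CASE WHEN ch.{choice} = 1 THEN c.{c} ELSE NULL END AS {c}")
    return ("SELECT " + ", ".join(parts)
            + " FROM Customer c LEFT JOIN Choice ch ON ch.ID = c.ID ORDER BY c.ID")


def run_enforced(columns: List[str]) -> List[Tuple]:
    """Run the rewritten query against the sample database and return the rows."""
    conn = load_sample_db()
    try:
        return conn.execute(rewrite(columns, SCENARIO)).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    print(rewrite(["Name", "Phone", "Salary"], SCENARIO))
    for row in run_enforced(["Name", "Phone", "Salary"]):
        print(row)  # Alice's phone and Carl's phone and salary come back as None
```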


Questions?