350 likes | 372 Views
Explore adaptive privacy enforcement for stored personal data, enabling controlled access based on context, with accountability and incremental disclosure.
E N D
An Adaptive Privacy Management System for Data Repositories Marco Casassa Mont marco_casassa-mont@hp.com Trusted Systems Lab, HP Labs, Bristol, UK
Presentation Outline • Privacy: Core Concepts • Scenarios and Key Issues • Addressed Problem • Related Work vs. Our Approach • Our Approach: Adaptive Privacy Management • Discussion and Open Issues • Conclusions
Presentation Outline • Privacy: Core Concepts • Scenarios and Key Issues • Addressed Problem • Related Work vs. Our Approach • Our Approach: Adaptive Privacy Management • Discussion and Open Issues • Conclusions
Privacy: Core Concepts Privacy Management has Strong Implications on how Personal Identifiable Information (PII data) is Managed by Various Parties Accessing these Data … Applications & Services Employees, Partners, Third Parties, Etc. Personal Data PEOPLE Enterprises/Organisations
Privacy Policies: • Laws/Legislations • Guidelines • Preferences • … Personal Data Personal Data And Privacy Policies
Purpose Specification Consent Limited Collection Limited Use Limited Disclosure Limited Retention Privacy for Personal Data: Principles Privacy Policies
Purpose Specification Consent Limited Collection Limited Use Limited Disclosure Limited Retention Privacy Policies: Rights, Permissions and Obligations Privacy Permissions Privacy Obligations Privacy Rights Privacy Policies
Presentation Outline • Privacy: Core Concepts • Scenarios and Key Issues • Addressed Problem • Related Work vs. Our Approach • Our Approach: Adaptive Privacy Management • Discussion and Open Issues • Conclusions
Relevant Scenarios • Enterprise • - Company vs. Private data for Employees • Protection of Customers’ and Employees’ Data • Compliance to Legislation • Health Care • - View on Data dependent upon Requestors’ Roles • - Patients’ Sensitive Data • Federated Identity Management • - Partners and Third Parties should only get • the minimal (required) Personal Information Conflicting Interests, Multiple Views on Data, Accountability We Want to Enable an Incremental Disclosure of Personal Data Driven by Privacy Policies and Current Context
Information Flow Role 3 Role 2 Role 1 Application /Service PEOPLE Personal Data Focus: Enterprise Scenario Enterprise Enterprise
Key Issues • Data might be accessed and manipulated by multiple employees to fulfil tasks and support/provide information to people with different roles (marketing, management, etc.) • These employees actually might not be “entitled” to access these data, due to data sensitivity/privacy policies • However they are the only one that know how to retrieve and manipulate data • Access granted to enable Business Processes vs. Privacy • Data can be disclosed outside the Enterprise. Privacy Policy Enforcement based on Trust (and Contracts …)
Presentation Outline • Privacy: Core Concepts • Scenarios and Key Issues • Addressed Problem • Related Work vs. Our Approach • Our Approach: Adaptive Privacy Management • Discussion and Open Issues • Conclusions
Addressed Problem • Adaptive Privacy Policy Enforcement for • Personal Data Stored in Data Repositories: • How to Allow People with Different Roles to Retrieve • Relevant Data and, at the same time, Enforce • Privacy Policies without Disrupting Business Processes • and Interaction Flows? • How to do it in an Inter-Enterprise Context? • How to have an Adaptive Disclosure of these data • based on the Context? • How to Audit Disclosures and Ensure Accountability?
Presentation Outline • Privacy: Core Concepts • Scenarios and Key Issues • Addressed Problem • Related Work vs. Our Approach • Our Approach: Adaptive Privacy Management • Discussion and Open Issues • Conclusions
Translucent Databases Focus on and Leverage current Data Repositories Based on Encryption and AC • Hippocratic Databases Privacy Management: Flexible and Adaptive to the Context Fine-grained Privacy Policies on Confidential Data - No control after data disclosure - Only RDBMS databases Supports fine-grained Privacy Policies • IBM Tivoli Privacy Manager Incremental disclosure of Confidential Data based on Privacy Policies Product available on the Market - No control after data disclosure - Vertical Approach • DRM Solutions Control after data disclosure Not really for data repositories R&D – Work in Progress Prior Art vs. Our Approach Prior Art Our Approach
Presentation Outline • Privacy: Core Concepts • Scenarios and Key Issues • Addressed Problem • Related Work vs. Our Approach • Our Approach: Adaptive Privacy Management • Discussion and Open Issues • Conclusions
Retrieved Data could still be (partially) Encrypted and Strongly Associated to Privacy Policies Retrieve/ Disclose Privacy Policy Package Encrypted Data Our Approach: Adaptive Privacy Management • Personal Data is Encrypted and Stored in Data Repositories along with Privacy Policies • The actual Visibility (Access) of Encrypted Data is Adaptive, depending on the Requestor, Context, Intent and Purpose Multiple Views on Personal Data Data Repositories
Information Flow Data Structure: View 2 Privacy Virtualization System (PVS) Decryption keys Entity 2 <Access Request: privacy policies, Credentials, Contextual Information> Data Structure: View 1 Privacy Management Service (PMS) Decryption keys Privacy Virtualization System (PVS) <Access Request: privacy policies, Credentials, Contextual Information> Entity 1 Our Adaptive Privacy Model Data Repositories Privacy Policy Package Encrypted Data
Actual Data Stored in the Data repository “Package” Encrypted Encrypted with PMS Public Key: • Symmetric Key used to • Encrypt Personal Data • Hash of Privacy Policy Personal Data: Encryption Privacy Policy Personal Data
Encryption Techniques • Traditional Public Key Cryptography • Enveloping techniques • Symmetric Key Used to Encrypt Personal Data • “Package” Encryption: Public Key of Privacy Management Service • Identifier-based Cryptography (IBE) • Three-players model: Sender, Receiver, Trust Authority • Use directly the “Privacy Policy” (and a Public Detail of the Trust Authority) to Encrypt Personal Data • Alternatively, use Symmetric key (for better performance) • Privacy Management Service is the Trust Authority
Privacy Policies • all fields are viewable by members of the customer service department; • the credit card number must be readable only by accredited personnel or • systems within the account department; • the name and address fields may be readable by the advertising department • only if approved in the customer’s data usage preferences Example: Travel Agency [1/3] Customer DB
Privacy Policies • all fields are viewable by members of the customer service department; • the credit card number must be readable only by accredited personnel or • systems within the account department; • the name and address fields may be readable by the advertising department • only if approved in the customer’s data usage preferences Example: Travel Agency [1/3] Customer DB
Access_Granted IF requestor.department = {customer_service } OR IF (requestor.department = {advertising} AND data_usage = “Y”) Example: Travel Agency [2/3] Customer DB
Role: Member of Advertising Department Query: SELECT * FROM customer_table WHERE customer_country = “uk” <extracteddata> <PrivacyManagementService>125.18.219.66</PrivacyManagementService> <mediator>www.policysite.org/mediator.jar</mediator> <record> <customerID>123857841</customerID> <customername>Jane Doe</customername> <customeraddress> <street>123 Long Ave.</street> <city>New York</city> <state>NY</state> <zip>12345-0000</zip> </customeraddress> <customercreditcardnumber> www.policysite.org/12568.pol, MTM0VF9F5E$R96%K#$PCP3$QCP04T#2T </customercreditcardnumber> <customercountry>USA</customercountry> <customerflightpref>Window,Vegitarian</customerflightpref> <customerdatausage>Y</customerdatausage> <customersex>F</customersex> </record> </extracteddata> XML/ DataSet/ ResultSet/, Etc. Example: Travel Agency [3/3] Privacy Management Service Privacy Virtualization System Customer DB
Privacy Management Services Applications People Privacy Policy + Access Request Comms Authentication Privacy Virtualization API Disclosure Management Module Data Mgmt Policy Handler Context Management A P I Encryption Module Decryption Module Comms De- obfuscation Key Privacy Virtualization System Data Repositories Credentials Verification Privacy Policy Engine Audit Module Sensors Gathering of Contextual Information/ Settings Enterprise Polices Audit Logs Privacy Policy Package Encrypted Data System: High Level Architecture
Presentation Outline • Privacy: Core Concepts • Scenarios and Key Issues • Addressed Problem • Related Work vs. Our Approach • Our Approach: Adaptive Privacy Management • Discussion and Open Issues • Conclusions
Discussion • Privacy and Confidentiality are “enforced” even if the Privacy Virtualization System is Bypassed Data are Encrypted • The Privacy Management Service(s) can Act as a Trusted Auditing System for Accountability and Compliance Management Verifications • Once Data are Disclosed they can be Misused …: Auditing as a Risk Mitigation Mechanism • We have all the Technological Components to Build a Prototype: Database Mediator (Proxy), IBE/Crypto Libraries and Auditing Systems
Open Issues and Future Work • Renewal of Encryption Keys/Revocation: Aspect to be fully Explored • Session Keys are transparent to users (but not to PVS …) • Option to change Session Keys every time data is disclosed. • Lifecycle Management of Privacy Policies associated to Data: need for Tools to Simplify their Management and Update • Performance Issues: To be fully Investigated once our Prototype is Available • Future Work: build a Prototype, Research and Explore how to better Address these Open Issues, in Real-World Contexts
Presentation Outline • Privacy: Core Concepts • Scenarios and Key Issues • Addressed Problem • Related Work vs. Our Approach • Our Approach: Adaptive Privacy Management • Discussion and Open Issues • Conclusions
Conclusions • Importance of Enforcing Privacy and, at the same time, enable Business Interactions • We propose a Privacy Management System to enable Adaptive, Incremental Disclosure of Personal Data based on Privacy Policies • All technological components are Available at HPL • Open Issues: Policy and Key Lifecycle Management and Performance • Next Steps: build working Prototype and Make Experiment in Real-world Contexts • It is Work in Progress …
What is Identifier-based Encryption (IBE)? • It is an Emerging Cryptography Technology • Based on a Three-Player Model: Sender, Receiver, Trust Authority (Trusted Third Party) • Same Strength of RSA • Different Approaches: Quadratic Residuosity, Weil Pairing, Tate Pairing … • SW Library and Technology available at HP Laboratories
IBE Core Properties • 1st Property: any kind of “String” (or sequence of bytes) can be used as an IBE encryption key: for example a Role, an e-Mail Address, a Picture, a Disclosure Time, Terms and Conditions, a Privacy Policy … • 2nd Property: the generation of IBE decryption keys can be postponed in time, even long time after the generation of the correspondent IBE encryption key • 3rd Property: reliance on at least a trust authority (trusted third party) for the generation of IBE decryption key
Alice Bob 4 3 2 5. Bob requests the Decryption Key associated to the Encryption Key to the relevant Trust Authority. 2. Alice knows the Trust Authority's published value of Public Detail N It is well known or available from reliable source 5 6 3. Alice chooses an appropriate Encryption Key. She encrypts the message: Encrypted message = {E(msg, N, encryption key)} 6. The Trust Authority issues an IBE Decryption Key corresponding to the supplied Encryption Key only if it is happy with Bob’s entitlement to the Decryption Key. It needs the Secret to perform the computation. Trust Authority 1 1. Trust Authority - Generates and protects a Secret - Publishes a Public Detail N 4. Alice Sends the encrypted Message to Bob, along with the Encryption Key IBE Three-Player Model