POLICY CONTROL PROFILES WITH GRA AND NIEM James Cabral, David Webber, Farrukh Najmi, July 2012
Page 1: GRA, NIEM and XACML Security Profiles July 2012

POLICY CONTROL PROFILES WITH GRA AND NIEM

James Cabral, David Webber, Farrukh Najmi

July 2012

Page 2: GRA, NIEM and XACML Security Profiles July 2012

EXECUTIVE OVERVIEW

Managing information privacy and access policies has become a critical need and technical challenge. The desired solution should be ubiquitous and syntax neutral, yet a simple and lightweight approach that meets the legal policy requirements through the application of clear, consistent and obvious assertions.

Today we have low-level tools that developers know how to implement with, and we have legal documents created by lawyers, but there is a chasm between these two worlds.

Page 3: GRA, NIEM and XACML Security Profiles July 2012

LEGAL AND RULES TECHNOLOGIES

The RuleML community has long understood this and has developed, and continues to develop, new and improved methods and solutions. The challenge is in taking these approaches and applying them to NIEM XML-based information sources in a high-level conceptual way that is accessible to information analysts and general NIEM practitioners, rather than being the province of specialized XML programmers only.

We also need these techniques to be broadly applicable, using existing open public software standards and tools, so we can enable the widest possible adoption within the NIEM community.

Page 4: GRA, NIEM and XACML Security Profiles July 2012

APPROACH

The solution we are introducing will:
• Provide a clear declarative assertions based method, founded on policy approaches developed by the rules community,
• Leveraging open software standards and tools and
• Enabling business information analysts to apply and manage the policy profiles

Show illustrative design time and run time examples by:
• Visually assigning exchange components and rule assertions
• Show applying this to retrieval of documents stored with registry and repository services.

Page 5: GRA, NIEM and XACML Security Profiles July 2012

APPLICATION SCENARIO OVERVIEW

[Diagram: application scenario. Labels in numbered order: (1) Portal, User Dashboard; (2) Information Requests (Request); (3) Case Management, Registry Services; (4) Apply Policy Rules to Requested Case Content; (5) Requested Information (Response). Other labels: Policy Rules; User Profiles; Case Documents (XML); Output Templates. Callout: Users see only information permitted by their role and policy profile. Footer: Electronic Policy Statements.]

Page 6: GRA, NIEM and XACML Security Profiles July 2012

PRESENTATION AGENDA

Part 1: Problem introduction and policy methods overview

Part 2: Design time technical walkthrough of rule assertions example

Part 3: Run time deployment with registry services

Page 7: GRA, NIEM and XACML Security Profiles July 2012

PART 1 – PROBLEM INTRODUCTION

Policy Methods Overview

Page 8: GRA, NIEM and XACML Security Profiles July 2012

USE CASE – SAR CASE MANAGEMENT

Three levels of information access:
• Citizen level reporting - SAR statistics
• Local law enforcement officials - case review
• State and Federal - case management and coordination

This means three profiles:
• Profile 1 - Registry query - statistics results
• Profile 2 - Local staff
• Profile 3 - Regional staff

SAR – Suspicious Activity Report

Page 9: GRA, NIEM and XACML Security Profiles July 2012

POLICY GRANULARITY

Coarse-Grained
• Role-based authorization of subjects.
• Access granted to coarse-grained data objects.
• E.g., “Permit law enforcement to access the NCIC Wanted Persons Database.”

Fine-Grained
• Attribute-based authorization of subjects.
• Access limited to specific data objects based on attributes.
• E.g., “Permit law enforcement to access criminal history records if the records were created by the requester’s agency.”

Page 10: GRA, NIEM and XACML Security Profiles July 2012

RULE AND CONTEXT METADATA

Properties of the access rules and environment.
• Actions.
• Conditions.
  – Subject.
  – Resource.
  – Policy.
• Obligations.

Page 11: GRA, NIEM and XACML Security Profiles July 2012

PRIVACY AND SECURITY ARCHITECTURES

• Express policies in a structured language (e.g., XML)
• Identify requesters
• Compare data collection and release purposes
• Enforce retention rules
• Notify data owners and subscribers
• Verify compliance

Page 12: GRA, NIEM and XACML Security Profiles July 2012

MAPPING TO DATA STANDARDS

Electronic Policy Statements
• GFIPM User Metadata
• NIEM
• GFIPM Content Metadata
• XACML Actions

Page 13: GRA, NIEM and XACML Security Profiles July 2012

POLICY AUTHORING LANGUAGE

• A mechanism to specify policy rules in unambiguous terms
• XML Access Control Markup Language (XACML)
• Machine-readable
• Supports federated and dynamic policies

Page 14: GRA, NIEM and XACML Security Profiles July 2012

XACML ARCHITECTURE

Term: Description
• PAP: Policy Administration Point - Point which manages policies.
• PDP: Policy Decision Point - Point which evaluates and issues authorization decisions.
• PEP: Policy Enforcement Point - Point which intercepts user's access request to a resource and enforces PDP's decision.
• PIP: Policy Information Point - Point which can provide external information to a PDP, such as LDAP attribute information.

http://en.wikipedia.org/wiki/XACML

Page 15: GRA, NIEM and XACML Security Profiles July 2012

XACML STATEMENTS

[Diagram: XACML statement types. Labels: PolicySets; Policies; Rules; Targets; Obligations; Functions; Attributes.]

Page 16: GRA, NIEM and XACML Security Profiles July 2012

ENCODING RULES INTO XACML

Policy Matrix Rule: XACML Statement

Party Subject to Rule
• Subject Condition(s): Conditions.
• Subject(s): Subject(s).
• Subject Information Context: Subject(s) attributes.
• Rule Action: Action(s). Action(s) attributes.

Data Resource Subject to Rule
• Target Resource(s): Resource(s).
• Other Resource Context: Resource(s) attributes.
• Other Resource Conditions: Conditions.

Circumstances in Which the Rule Applies
• General or Action Policy Conditions: Purpose(s).
• Obligations and Environments: If [zero or more [Subject(s) Action(s) and/or Resource(s), and/or Environment(s) attributes) [Condition(s)] are met] with [zero or more Obligation(s) to be performed].

Rule Activity
• Deny/Permit by Statute/Policy: Effect = PERMIT or DENY.

Administrative Information
• Precedence: PolicyCombiningAlgorithm(s), RuleCombiningAlgorithm(s).
• References: PolicyID, RuleID.
• Linkages: PolicyID, RuleID.
• Policy Matrix Editors: Does not translate to XACML.
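The mapping above, carried through for the fine-grained rule quoted on the Policy Granularity slide, as an added Python example that is not from the presentation or from any XACML engine. The attribute names, the sealed-record rule and the sample requests are constructed, and the combining step is a simplified, fail-closed deny-overrides rather than the full algorithm in the XACML specification.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Request = Dict[str, str]   # flat attribute bag: subject.*, action.*, resource.*

@dataclass
class Rule:
    rule_id: str                      # "References" row: RuleID
    effect: str                       # "Rule Activity" row: Permit or Deny
    target: Dict[str, str]            # subject/action/resource values that must match
    condition: Callable[[Request], bool] = lambda req: True
    obligations: List[str] = field(default_factory=list)

def evaluate_rule(rule: Rule, req: Request) -> str:
    if any(req.get(name) != value for name, value in rule.target.items()):
        return "NotApplicable"        # target does not match this request
    try:
        return rule.effect if rule.condition(req) else "NotApplicable"
    except KeyError:                  # attribute the condition needs is missing
        return "Indeterminate"

def deny_overrides(rules: List[Rule], req: Request) -> Tuple[str, List[str]]:
    """Simplified precedence: Deny, then Indeterminate, then Permit."""
    results = [(evaluate_rule(rule, req), rule) for rule in rules]
    for wanted in ("Deny", "Indeterminate", "Permit"):
        hits = [rule for decision, rule in results if decision == wanted]
        if hits and wanted == "Indeterminate":
            return wanted, []         # no obligations without a firm decision
        if hits:
            return wanted, [o for rule in hits for o in rule.obligations]
    return "NotApplicable", []

def pep_allows(decision: str) -> bool:
    return decision == "Permit"       # PEP fails closed on every other outcome

# Constructed policy: the slide's fine-grained example plus a hypothetical deny rule.
POLICY = [
    Rule("permit-own-agency-history", "Permit",
         {"subject.role": "law-enforcement", "action.id": "read",
          "resource.type": "criminal-history"},
         condition=lambda req: req["subject.agency"] == req["resource.creator_agency"],
         obligations=["log-access"]),
    Rule("deny-sealed-record", "Deny", {"resource.sealed": "true"},
         obligations=["notify-data-owner"]),
]
```
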

Page 17: GRA, NIEM and XACML Security Profiles July 2012

PART 2 – DESIGN TIME WALKTHROUGH

Design Time Rule Assertions Concepts

Page 18: GRA, NIEM and XACML Security Profiles July 2012

USING POLICY TEMPLATES

• Traditional NIEM approach focuses on the information exchange data handling
• Uses XSD schema to define content structure and metadata
• Need is for a bridge between the NIEM schema, the XML information instances and the XACML rule assertion language
• Approach is based on visual content structure templates with declarative rule assertions

Page 19: GRA, NIEM and XACML Security Profiles July 2012

APPROACH IN A NUTSHELL

[Diagram labels in numbered order: (1) SCHEMA: NIEM IEPD; (2) Policy Assertion Template: Exchange Structures with Rule Assertions; (3) XACML Generation Tool; (4) XACML XML Script. DEPLOYED: POLICIES in the XACML Engine.]

Rules Asserted to Nodes in the Exchange Structure via simple XPath associations

Page 20: GRA, NIEM and XACML Security Profiles July 2012

SAR VISUAL TEMPLATE + RULE ASSERTIONS

• Rule assertions associate and control access privacy to specific content areas in the SAR details structure
• Visual metaphor allows policy analysts to verify directly

Page 21: GRA, NIEM and XACML Security Profiles July 2012

NIEM / GRA OPERATIONAL SCENARIO

[Diagram labels: CAM Editor Visual Designer; Exchange Templates; Rule Assertions; SCHEMA: NIEM IEPD; Generated XACML Rules; POLICIES; XACML Engine; Information Exchange INTERFACES (two instances); NIEM XML; NIEM data flows. Steps are numbered 1 to 5 in the original figure.]

Page 22: GRA, NIEM and XACML Security Profiles July 2012

CAM TOOLKIT + CAMV ENGINE

• Open source solutions – designed to support XML and industry vocabularies and components for information exchanges
• Implementing the OASIS Content Assembly Mechanism (CAM) public standard
• CAMV validation framework and test suite tools
• Development sponsored by Oracle
• CAM Editor resources site: http://www.cameditor.org

Page 23: GRA, NIEM and XACML Security Profiles July 2012

NEXT STEPS

• Enhance CAM Editor UI to provide wizards for policy rule assertion entry
• Provide XSLT to generate XACML from CAM template
• Enhance reporting tools to show policy details in plain English
• Test with sample JPS NIEM exchange schema

Page 24: GRA, NIEM and XACML Security Profiles July 2012

PART 3 – DEPLOYMENT WITH REGISTRY

Illustrative deployment with XACML services and application

Page 25: GRA, NIEM and XACML Security Profiles July 2012

APPLICATION SCENARIO DETAILS

[Diagram: application scenario with XACML roles. Labels in numbered order: (1) Portal, User Dashboard; (2) Information Requests (Request); (3) Case Management + PAP, Registry Services; (4) Apply Policy Rules to Requested Case Content (PDP Engine); (5) Requested Information, Response (PEP). Other labels: Policy Rules (XACML); User Profiles (XML); Case Documents (XML); Output Templates. Callout: Users see only information permitted by their role and policy profile.]

Page 26: GRA, NIEM and XACML Security Profiles July 2012

REGISTRY POLICY ENFORCEMENT

PAP
• Defines policies.
• Monitors compliance.

PDP
• Receives requests from the PEP.
• Identifies policies that match each request.
• Evaluates request and environment attributes.
• Directs the PEP.

PEP
• Discloses or redacts the information or denies the request.
• Logs the request and action.
• Notifies of the request and action.
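How rule assertions bound to exchange-structure nodes by XPath can drive the PEP's disclose-or-redact and logging duties for the three SAR profiles, as an added Python example that is not from the presentation, the CAM toolkit or the registry implementation. The SAR element names, the profile labels and the default-deny treatment of nodes without an assertion are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed SAR-like document; element names are illustrative, not NIEM's.
SAR_XML = """<SAR id="sar-001">
  <Summary><Category>Photography</Category><State>VA</State></Summary>
  <Narrative>Subject observed near facility.</Narrative>
  <Reporter><Name>J. Doe</Name><Phone>555-0100</Phone></Reporter>
  <InternalNotes>No assertion covers this node.</InternalNotes>
</SAR>"""

# Rule assertions: XPath from the document root -> profiles permitted to see the node.
# Profile labels are assumed stand-ins for Profiles 1-3 of the SAR use case.
ASSERTIONS = {
    "./Summary":        {"statistics", "local", "regional"},
    "./Narrative":      {"local", "regional"},
    "./Reporter":       {"local", "regional"},
    "./Reporter/Phone": {"regional"},
}

def pdp_decide(profile, allowed):
    """PDP: Permit only if an assertion applies and names the profile."""
    return "Permit" if allowed is not None and profile in allowed else "Deny"

def pep_enforce(xml_text, profile, audit_log):
    """PEP: redact every node the PDP does not permit, then log the action."""
    root = ET.fromstring(xml_text)
    bound = {}                                    # element -> allowed profiles
    for xpath, allowed in ASSERTIONS.items():
        for element in root.findall(xpath):
            bound[element] = allowed
    redacted = []

    def prune(parent, inherited):
        for child in list(parent):                # copy: we remove while iterating
            allowed = bound.get(child, inherited) # nearest assertion wins
            if pdp_decide(profile, allowed) == "Permit":
                prune(child, allowed)
            else:                                 # denied or uncovered: default deny
                parent.remove(child)
                redacted.append(child.tag)

    prune(root, None)
    audit_log.append({"doc": root.get("id"), "profile": profile, "redacted": redacted})
    return root

def visible_tags(element):
    """Tags of all descendants that survived redaction, in document order."""
    return [e.tag for e in element.iter()][1:]
```
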

Page 27: GRA, NIEM and XACML Security Profiles July 2012

PRIVACY POLICY TECHNICAL FRAMEWORK


Page 28: GRA, NIEM and XACML Security Profiles July 2012

PUBLISHING CONTENT (BULK IMPORT TOOL)

Bulk loader will trawl server and folder location for content – e.g. original SAR XML documents

[Screenshot caption: Bulk Publish of SAR documents]

Page 29: GRA, NIEM and XACML Security Profiles July 2012

SAR DISCOVERY AND RETRIEVAL

• SAR Discovery Query (easily extended / tailored without code changes) allows rapid prototyping and verification of content and operations
• Results returned digest and content retrieval options

Page 30: GRA, NIEM and XACML Security Profiles July 2012

SUMMARY

Review

Page 31: GRA, NIEM and XACML Security Profiles July 2012

KEY MESSAGES

• Dramatically simpler policy adoption
• Can be rapidly developed with existing tools
• Can be visually inspected and verified by policy analysts
• Enables use of dynamic contextual policies
• Supports international standards work

Page 32: GRA, NIEM and XACML Security Profiles July 2012

CONTRIBUTORS

• James E. Cabral Jr. – IJIS/OASIS and MTGM LLC
• David Webber – Oracle Public Sector NIEM team
• Farrukh Najmi – OASIS ebXML RegRep, SunXACML project and Wellfleet Software

Page 33: GRA, NIEM and XACML Security Profiles July 2012

RESOURCES

OASIS CAM and tools project site
• https://www.oasis-open.org/committees/cam
• http://cameditor.org (sourceforge.net)

OASIS XACML and tools project site
• https://www.oasis-open.org/committees/xacml
• http://sunxacml.sourceforge.net/

OASIS ebXML RegRep and Implementing Registry
• https://wiki.oasis-open.org/regrep/
• http://goo.gl/cEpnC