Webinar: Privacy regulations – a complex authorization challenge
Jun 14, 2015
Guidelines
You are muted centrally
The webinar is recorded
Slides available for download
Q&A at the end
© 2013 Axiomatics AB 4
Speakers & Agenda
Today's speakers: Finn Frisch, Pablo Giambiagi
@axiomatics #XACML
Upcoming webinar: Enabling new business opportunities while balancing risks in the financial services industry
December 5, 2013 – 5 pm CET (11 am EST / 8 am PST)
And now a word from our sponsor
Agenda
Introduction/overview: Axiomatics technology offerings and their objectives
Privacy problem: overview of a problem faced by our customers
Technology solution: how multi-factor authorization helps resolve privacy issues, with examples
Technology solutions
Axiomatics solutions – objectives
Secure access to sensitive information without sacrificing business agility
Provide accurate identity authorization governance
Enable secure information sharing across your value chain
Improve regulatory compliance readiness
Facilitate efficient software development
Axiomatics technology solutions – issues addressed
Who? What? Where? When? How? Why?
Axiomatics technology solutions – what we do
Who? What? Where? When? How? Why?
Authorization for applications: Axiomatics Policy Server (APS)
Authorization for data storage: Axiomatics Data Access Filter (ADAF)
The privacy problem
For efficient collaboration you must share information
Information you cannot share is of little use
Carelessly sharing PII with unauthorized users is a privacy infringement
What is privacy?
”Freedom from unauthorized intrusion” (Merriam-Webster)
“A private matter” (Merriam-Webster)
Private sphere – as opposed to public sphere
An essential building block in a democratic society
(Diagram: private sphere, public sphere, state)
When quantity becomes quality
Chart: Internet users per 100 inhabitants. Original image: Internet users per 100 inhabitants ITU.svg, based on data from International Telecommunication Union (ITU) Internet users 2001-2011 and ITU Key Figures 2006-2013. Source: http://commons.wikimedia.org/wiki/File:Internet_users_per_100_inhabitants_ITU.svg Author: Jeff Ogden
Chart: Number of post offices and other outlets in Sweden, 1996-2012 (0 to 1,400). Source: Posten AB
Technological capacity to process information
Chart: storage in optimally compressed MB. With permission from the publisher. Source: Hilbert and Lopez, 2011 http://www.martinhilbert.net/WorldInfoCapacityPPT.html
Privacy regulations
European Convention on Human Rights (1953)
Article 8 – Right to respect for private and family life
"Everyone has the right to respect for his private and family life, his home and his correspondence."
http://conventions.coe.int/treaty/en/Treaties/Html/005.htm
European Union after the Treaty of Lisbon in 2009
Treaty on the Functioning of the European Union (2010), Article 16 (ex Article 286 TEC)
"Everyone has the right to the protection of personal data concerning them."
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2010:083:0047:0200:en:PDF
New EU data protection rules
“Brussels, 25 January 2012 – The European Commission has today proposed a comprehensive reform of the EU's 1995 data protection rules to strengthen online privacy rights and boost Europe's digital economy.”
New Regulation (replacing Directive 95/46/EC) “General Data Protection Regulation”
New Directive (replacing Framework Decision 2008/977/JHA)
EU regulation proposal for 2014
A single set of rules on data protection, valid across the EU. Unnecessary administrative requirements, such as notification requirements for companies, will be removed. This will save businesses around €2.3 billion a year.
Instead of the current obligation of all companies to notify all data protection activities to data protection supervisors – a requirement that has led to unnecessary paperwork and costs businesses €130 million per year – the Regulation provides for increased responsibility and accountability for those processing personal data. For example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours).
Organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. Likewise, people can refer to the data protection authority in their country, even when their data is processed by a company based outside the EU. Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed.
People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). This will improve competition among services.
A 'right to be forgotten' will help people better manage data protection risks online: people will be able to delete their data if there are no legitimate grounds for retaining it.
EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.
Independent national data protection authorities will be strengthened so they can better enforce the EU rules at home. They will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company.
A new Directive will apply general data protection principles and rules for police and judicial cooperation in criminal matters. The rules will apply to both domestic and cross-border transfers of data.
Designing for privacy
Application design must cater for privacy requirements
Copyright 2011, Axiomatics AB 22
Privacy – insurance example
Actors: claims adjuster (insurance company); insurance agent; HR administrator in the policyholding entity of which the victim is an employee
Victim / claim record:
Name: John Doe | Social Sec Number: 1976-05-01 | Medical data: Disorder due to work related accident … | Financial data: 28 500 EUR
• Privacy classified
• Visibility depending on purpose of use
• Context-awareness is key!
Risk matrix; process-related segregation of duties; compliance with privacy constraints
Claims workflow sub-processes
Claims Administration
Claims Reserves
Claims Payments
Claims Quality Assurance, monitoring
Sensitive data of mixed types
Table with mixed types of privacy-sensitive data; authorization depends on multiple factors
ID | Name           | Social Security Number | Financial Data | Medical data      | Company | Unit
1  | Alex Jonson    | 123-45-6789            | 12000          | Sore throat       | X       | A1
2  | Bob Brown      | 456-78-9012            | 11000          | Broken leg        | X       | A2
3  | Cecilia George | 789-10-2345            | 15000          | Bleeding nose     | Y       | B1
4  | David Dargan   | 234-56-7890            | 19000          | Neurosis due to … | Y       | B2
Multi-factor authorization needed
Source: International Association of Privacy Professionals (IAPP), Glossary https://www.privacyassociation.org/resource_center/privacy_glossary
Context-aware, multi-factor authorization needed
A paradigm shift in Identity and Access Management
FROM: user-centric, role-based, single-factor
Who are you?
Authorization logic and rules native to each system
Authorization rules hard-wired into application code
Static & pre-defined
TO: context-aware, attribute-based, multi-factor
Who? What? Where? When? Why? How?
Centralized policy management using a standard – XACML
Authorization rules externalized from application code
Dynamic at run-time
Claims Table with privacy filter (the same table, seen through the filter by different users and in different contexts)
Bob: RWD RWD RWD
Alice: R R R
Joe: RWD RWD RWD
Joe in a different context: R R R
Technology solutions
Application design for privacy:
Axiomatics Policy Server 5.3
Axiomatics Data Access Filter (ADAF) 1.0
Axiomatics Policy Server
Authorization services:
PDP – a Policy Decision Point for XACML 3.0 request/response services.
ARQ SQL – an Axiomatics Reverse Query service which applies the authorization policy to database access by returning a SQL SELECT statement whose conditions restrict the result to what the requesting user is permitted to see.
The XACML Architecture
Manage: Policy Administration Point (PAP)
Decide: Policy Decision Point (PDP)
Support: Policy Information Point (PIP), Policy Retrieval Point (PRP)
Enforce: Policy Enforcement Point (PEP)
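The claims-table filter slides above (Bob, Alice, Joe, and Joe in a different context) and the PAP/PDP/PIP/PEP split can be shown together in one small program. The following is an added example, not code from the webinar or from Axiomatics' products: the PEP asks the PDP once per cell, the PDP evaluates attribute-based rules over subject, action (purpose of use) and resource attributes, and the PIP supplies what the request does not carry. The column classifications, the user directory and the three rules are assumptions made for the example; the four claims rows are copied from the slide.

```python
"""Context-aware, attribute-based cell filter over the claims table.
XACML roles kept apart: PEP builds one request per cell, PDP evaluates the
rules over subject/action/resource attributes, PIP resolves missing attributes."""

# Sample rows copied from the slide's claims table (constructed data).
CLAIMS = [
    {"id": 1, "name": "Alex Jonson", "ssn": "123-45-6789", "financial": 12000,
     "medical": "Sore throat", "company": "X", "unit": "A1"},
    {"id": 2, "name": "Bob Brown", "ssn": "456-78-9012", "financial": 11000,
     "medical": "Broken leg", "company": "X", "unit": "A2"},
    {"id": 3, "name": "Cecilia George", "ssn": "789-10-2345", "financial": 15000,
     "medical": "Bleeding nose", "company": "Y", "unit": "B1"},
    {"id": 4, "name": "David Dargan", "ssn": "234-56-7890", "financial": 19000,
     "medical": "Neurosis due to ...", "company": "Y", "unit": "B2"},
]

# PIP-side attribute sources (assumed for the example; the slides do not define them).
COLUMN_CLASSIFICATION = {"id": "key", "name": "pii", "ssn": "pii", "financial": "financial",
                         "medical": "medical", "company": "org", "unit": "org"}
USER_DIRECTORY = {
    "bob":   {"role": "claims_adjuster",  "company": "insurer"},
    "alice": {"role": "hr_administrator", "company": "X"},
    "joe":   {"role": "claims_adjuster",  "company": "insurer"},
}


class PIP:
    """Policy Information Point: resolves attributes the request does not carry."""
    def subject(self, user_id):
        return USER_DIRECTORY[user_id]

    def classification(self, column):
        return COLUMN_CLASSIFICATION[column]


class PDP:
    """Policy Decision Point. Returns the operations permitted on one cell as a
    string of 'R', 'W', 'D'; '' means deny, which the PEP turns into masking.
    The three rules are assumptions for the example, evaluated first-applicable."""
    def evaluate(self, subject, action, resource):
        cls = resource["classification"]
        # Rule 1: quality-assurance work is read-only and must not see direct identifiers.
        if action["purpose"] == "claims_quality_assurance":
            return "" if cls == "pii" else "R"
        # Rule 2: an adjuster working a claim sub-process gets full access to every cell.
        if subject["role"] == "claims_adjuster" and action["purpose"] in (
                "claims_administration", "claims_reserves", "claims_payments"):
            return "RWD"
        # Rule 3: an HR administrator may read rows of their own company's employees,
        # but never the medical data.
        if subject["role"] == "hr_administrator" and resource["row_company"] == subject["company"]:
            return "R" if cls in ("key", "pii", "financial", "org") else ""
        # No applicable rule: deny by default.
        return ""


class PEP:
    """Policy Enforcement Point: asks the PDP per cell and applies the answer."""
    def __init__(self, pdp, pip):
        self.pdp, self.pip = pdp, pip

    def cell_permissions(self, user_id, purpose):
        subject = self.pip.subject(user_id)
        action = {"purpose": purpose}
        grid = {}
        for row in CLAIMS:
            for column in row:
                resource = {"classification": self.pip.classification(column),
                            "row_company": row["company"]}
                grid[(row["id"], column)] = self.pdp.evaluate(subject, action, resource)
        return grid

    def filtered_view(self, user_id, purpose):
        """Rows with no readable cell are dropped; unreadable cells in kept rows are masked."""
        grid = self.cell_permissions(user_id, purpose)
        view = []
        for row in CLAIMS:
            if not any("R" in grid[(row["id"], c)] for c in row):
                continue
            view.append({c: (v if "R" in grid[(row["id"], c)] else "***")
                         for c, v in row.items()})
        return view


_PEP = PEP(PDP(), PIP())


def cell_permissions(user_id, purpose):
    return _PEP.cell_permissions(user_id, purpose)


def filtered_view(user_id, purpose):
    return _PEP.filtered_view(user_id, purpose)


if __name__ == "__main__":
    for user, purpose in (("bob", "claims_payments"), ("alice", "claims_administration"),
                          ("joe", "claims_payments"), ("joe", "claims_quality_assurance")):
        print(user, purpose)
        for row in filtered_view(user, purpose):
            print("  ", row)
```

Running the block prints the four views from the slides: Bob and Joe working a claim get RWD on every cell, Alice (HR administrator of company X) sees only company X's rows with the medical column masked, and the same Joe under a quality-assurance purpose drops to read-only with name and SSN masked. The decision depends on the purpose of use, not just on who Joe is, which is the multi-factor point the slides make.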
The Axiomatics Reverse Query in the architecture
List: Reverse Query evaluation (in place of the single-request Decide step of the PDP)
Manage: Policy Administration Point (PAP)
Support: Policy Information Point (PIP), Policy Retrieval Point (PRP)
Enforce: Policy Enforcement Point (PEP)
Axiomatics Data Access Filter 1.0 – Overview
Authorization on the data layer
PEP or proxy intercepts the SQL call to the database
ADAF returns conditions allowing the PEP or proxy to adapt the SQL statement
An example from law enforcement
Resources to protect: data in the "Case" table.
Column Name         | Data Type | Description
case_id             | integer   | The unique ID of the case
case_narrative      | varchar   | A narrative describing the case
case_classification | varchar   | A security classification for the case – can be 'Confidential', 'Secret', 'Top Secret'. Default is 'Confidential'.
responsible_unit    | integer   | The ID of the unit that is responsible for the case
case_status         | varchar   | 'Open' or 'Closed'.
date_case_closed    | date      | The date that the case was closed
High-level privacy policy
A Confidential case is visible to all people assigned to the unit that is responsible for the case
A Secret or Top Secret case is only visible to people who are assigned to the case (via a role assignment)
Resource Attribute Identification
A Confidential case is visible to all users assigned to the unit that is responsible for the case
Resource attribute: case_classification (from column case_classification)
Resource attribute: case_responsible_unit (from column responsible_unit)
Privacy protection policy
policy Case_Access {
    target clause table_name == "CASE" and column_name == "CASE_NARRATIVE"
    apply firstApplicable   // combining algorithm; required by ALFA, omitted on the slide
    // A Confidential case is visible to all users assigned to the unit that is
    // responsible for the case.
    rule {
        target clause case_classification == "Confidential"
        permit
        condition integerOneAndOnly(case_responsible_unit) == integerOneAndOnly(unit_id)
    }
    // A Secret or Top Secret case is only visible to users who are assigned to the case
    // (via a role assignment).
    rule {
        target clause case_classification == "Secret" or case_classification == "Top Secret"
        permit
        condition integerIsIn(integerOneAndOnly(user_id), currently_assigned_users_of_case)
    }
}
(Diagram: the two conditions, case_responsible_unit == unit_id and user_id IN currently_assigned_users_of_case, drawn over the user / unit / case "assigned to" model)
Unit and role assignments
(Diagram: users 1005 and 1007; units 3 and 4; cases 112 (Confidential), 114 (Top Secret), 116 (Confidential), 118 (Top Secret). Edges: user "assigned to" unit, unit "responsible for" case, and role assignments of users to cases: supervisor, intelligence officer, area commander.)
Case narrative visibility for user 1005
(Same diagram, evaluated for user 1005)
DEMO
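The demo's point, that the Case_Access policy can be answered for a whole table at once by turning the two rules into a SQL condition (the reverse query) instead of asking a PDP row by row, can be reproduced offline. The following is an added example, not Axiomatics' ARQ or ADAF code: a SQLite table shaped like the "Case" table on the slides, constructed unit memberships and case assignments for users 1005 and 1007 (the case, unit and user numbers follow the diagram, but which user belongs to which unit or case is an assumption), a function that derives the per-user WHERE condition, and a row-at-a-time evaluation of the same two rules to show that both give the same answer.

```python
"""Reverse-query enforcement of the Case_Access policy at the data layer.
Rule 1: Confidential cases are visible to members of the responsible unit.
Rule 2: Secret / Top Secret cases are visible only to users assigned to the case."""
import sqlite3

# Constructed schema and data. "CASE" is a SQL keyword, so the table name is quoted.
SCHEMA = """
CREATE TABLE "CASE" (
    case_id             INTEGER PRIMARY KEY,
    case_narrative      TEXT,
    case_classification TEXT NOT NULL DEFAULT 'Confidential'
        CHECK (case_classification IN ('Confidential', 'Secret', 'Top Secret')),
    responsible_unit    INTEGER,
    case_status         TEXT CHECK (case_status IN ('Open', 'Closed')),
    date_case_closed    TEXT
);
CREATE TABLE unit_membership (user_id INTEGER, unit_id INTEGER);
CREATE TABLE case_assignment (user_id INTEGER, case_id INTEGER, role TEXT);
"""
SAMPLE_DATA = """
INSERT INTO "CASE" VALUES
  (112, 'narrative of case 112', 'Confidential', 3, 'Closed', '2013-10-01'),
  (114, 'narrative of case 114', 'Top Secret',   3, 'Open',   NULL),
  (116, 'narrative of case 116', 'Confidential', 4, 'Open',   NULL),
  (118, 'narrative of case 118', 'Top Secret',   4, 'Open',   NULL);
INSERT INTO unit_membership VALUES (1005, 4), (1007, 3);   -- assumed memberships
INSERT INTO case_assignment VALUES                          -- assumed role assignments
  (1005, 118, 'supervisor'),
  (1007, 114, 'intelligence officer'),
  (1007, 118, 'area commander');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_DATA)
    return conn


def _placeholders(values):
    return ", ".join("?" for _ in values)


def reverse_query_condition(conn, user_id):
    """Derive the SQL predicate equivalent to Case_Access for one user.
    The subject attributes (unit_id, assigned cases) are looked up PIP-style, then
    each rule becomes one parameterised clause; the clauses are OR'ed because both
    rules are permit rules. No rule applicable -> condition that matches nothing."""
    units = [r[0] for r in conn.execute(
        "SELECT unit_id FROM unit_membership WHERE user_id = ?", (user_id,))]
    cases = [r[0] for r in conn.execute(
        "SELECT case_id FROM case_assignment WHERE user_id = ?", (user_id,))]
    clauses, params = [], []
    if units:
        clauses.append("(case_classification = 'Confidential' AND responsible_unit IN (%s))"
                       % _placeholders(units))
        params.extend(units)
    if cases:
        clauses.append("(case_classification IN ('Secret', 'Top Secret') AND case_id IN (%s))"
                       % _placeholders(cases))
        params.extend(cases)
    if not clauses:
        return "0", []
    return " OR ".join(clauses), params


def visible_cases(conn, user_id, app_filter="1"):
    """PEP / proxy step: AND the policy condition onto the application's own WHERE clause.
    app_filter is the application's trusted, already-parameterised predicate; the policy
    side only ever contributes bound parameters, never interpolated attribute values."""
    cond, params = reverse_query_condition(conn, user_id)
    sql = ('SELECT case_id, case_narrative FROM "CASE" WHERE (%s) AND (%s) ORDER BY case_id'
           % (app_filter, cond))
    return [r[0] for r in conn.execute(sql, params).fetchall()]


def pdp_permit(conn, user_id, case_row):
    """Row-at-a-time evaluation of the same two rules, as a PDP answers one request."""
    case_id, classification, responsible_unit = case_row
    if classification == "Confidential":
        return conn.execute("SELECT 1 FROM unit_membership WHERE user_id = ? AND unit_id = ?",
                            (user_id, responsible_unit)).fetchone() is not None
    if classification in ("Secret", "Top Secret"):
        return conn.execute("SELECT 1 FROM case_assignment WHERE user_id = ? AND case_id = ?",
                            (user_id, case_id)).fetchone() is not None
    return False  # no applicable rule: deny


def per_row_visible_cases(conn, user_id):
    rows = conn.execute(
        'SELECT case_id, case_classification, responsible_unit FROM "CASE" ORDER BY case_id'
    ).fetchall()
    return [r[0] for r in rows if pdp_permit(conn, user_id, r)]


if __name__ == "__main__":
    db = open_db()
    for uid in (1005, 1007, 9999):
        print(uid, reverse_query_condition(db, uid))
        print("   all:", visible_cases(db, uid), " open:", visible_cases(db, uid, "case_status = 'Open'"))
```

With the assumed data, user 1005 (member of unit 4, supervisor on case 118) sees cases 116 and 118; user 1007 (member of unit 3, assigned to 114 and 118) sees 112, 114 and 118, and only 114 and 118 once the application's own "Open" filter is applied; an unknown user gets the condition 0 and sees nothing. The per-row PDP evaluation returns the same sets, which is what makes the reverse query a safe substitute for it: one query instead of one decision per row, with deny-by-default preserved.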
Axiomatics Data Access Filter 1.0 – details
Fine-grained data access control: table, row, column and cell levels
Data masking
Flexible policy-based authorization: richer than the role-based models defined in the SQL standard
Externalized enforcement: no need to code and edit VPD functions manually
Declarative policy language (compare with lower-level programming of VPD)
No need to modify the application with the insertion of an XACML PEP
All applications using the database share the same policy and enforcement.
Axiomatics Data Access Filter 1.0 – details
ADAF currently requires Oracle VPD as the PEP. VPD (Virtual Private Database) is a part of Oracle DB Enterprise Edition, requiring no extra licenses.
For other databases: the ADAF SDK to connect a SQL proxy to SFS
Conclusions
Applications need to be designed for privacy
To do that, authorization must be context-aware
To achieve context-awareness, you must be able to consider multiple factors