Marco Casassa Mont - Web Page - HP Labs

Marco Casassa Mont at HP Labs
Senior Researcher
Cloud & Security Lab
Bristol, UK

Privacy-aware Access Control for Personal Data

This project is about managing and enforcing “privacy-aware” access control on personal and confidential data collected and stored by enterprises.

The goal is to automate privacy management in enterprises in order to: (1) reduce costs and provide better compliance (with laws, regulations and users' needs) and data governance; (2) ensure that personal data is accessed not only on the basis of security policies but also on the basis of privacy policies; (3) leverage current enterprise identity management solutions.

In this context, privacy policies explicitly define the purposes for which personal data can be accessed, how to take into account users' (privacy) expectations and consent, and which actions need to be fulfilled at access time (filtering out data, blocking access, logging, etc.).

A framework and a related system have been designed and implemented to: model personal data and privacy policies; author privacy policies; deploy and enforce (at access time) these privacy policies on personal data stored in heterogeneous enterprise data repositories (e.g. relational databases, LDAP directories, etc.).

A full working prototype has been developed and integrated (as a proof of concept) with HP OpenView Select Access, a “state-of-the-art” HP security-based access control solution. This privacy management technology is currently under productisation by the HP Software business. More details follow.

People are usually asked by enterprises and other organizations to disclose their personal information to access web services and engage in business interactions. Enterprises need this information to enable their business processes. This is unlikely to change, at least in the foreseeable future.

When collecting personal data, enterprises must satisfy privacy laws and policies while also addressing people’s expectations on how their data should be handled. Currently much is done by means of manual processes, in particular in terms of privacy enforcement: these processes are prone to mistakes and hard to comply with. Automation can help enterprises deal with these privacy management issues, in particular the enforcement of privacy policies on collected personal data.

Enterprises have already been investing in identity management solutions: they require that approaches to automating privacy management take into account and leverage these solutions. My research and development work aims at automating the enforcement of privacy policies in enterprises.

In this project, a model of privacy policy enforcement has been introduced, implemented and demonstrated in a related prototype, integrated (as a proof of concept) with HP OpenView Select Access, a state-of-the-art identity management solution. This technology is currently under productisation.

The (technological) enforcement of privacy permissions and rights (on stored personal data) requires extended access control and authorization mechanisms that check privacy permissions against data requestors’ credentials, check the consistency of data requestors’ Intent (to access personal data) against stated purposes and take into account the consent given by data subjects. Enterprise services or applications that need to access and manipulate personal data for various reasons should be subject to the enforcement of these privacy policies.

Traditional access control systems are necessary but not sufficient to enforce privacy policies on personal data. They are mainly based on “access control lists” and enforcement mechanisms that take into account only the identities of data requestors, their rights and permissions, and the types of actions that are allowed or disallowed on the involved resources. Such systems do not take into account the following additional aspects relevant to privacy: (1) the stated purposes for collecting data and data subjects’ consent, i.e. properties usually associated with collected data; (2) the Intent of data requestors; (3) any additional enterprise or customised data subjects’ constraints.

To address these issues and move towards privacy-aware access control, it is important to satisfy the following core requirements:

  1. Explicit modeling of personal data stored by enterprises;

  2. Explicit definition, authoring and lifecycle management of privacy policies;

  3. Explicit deployment and enforcement of privacy policies;

  4. Integration with current access control and identity management systems;

  5. Simplicity of usage of all the involved systems;

  6. Support for auditing.

Our approach addresses the above points. It is based on a privacy-aware access control model. This model extends traditional access control models (based on users/groups, users’ credentials and rights, access control lists and related policies) by explicitly dealing with the stated purposes for which data is collected, checking (at access request time) the Intent of requestors against these purposes, dealing with data subjects’ consent, and enforcing additional access conditions and constraints defined by data subjects and/or enterprise administrators.

The main aspects of this model are:

  1. A mechanism for the explicit modeling of personal data subject to privacy policies: this mechanism provides a model/description of the personal data subject to privacy policies, including the type of the data repository (database, LDAP directory, etc.), its location, the schema of the data, the types of its attributes, etc.;

  2. An integrated mechanism for authoring privacy policies along with traditional access control policies: it is a Policy Authoring Point (PAP) to allow privacy administrators to describe and author privacy policy constraints and conditions (including how to check consent and data purpose against requestors’ Intent and how to deal with data filtering and transformation, etc.) along with more traditional access control policies based on security criteria (such as who can access which resource, given their roles and permissions);

  3. An integrated authorization framework for deploying both access control and privacy-based policies and making related access decisions: it is a privacy-aware Policy Decision Point (PDP);

  4. A run-time mechanism, referred to here as the “Data Enforcer”, for intercepting attempts to access personal data and enforcing decisions based on privacy policies and contextual information, e.g. the Intent of requestors, their roles and identities, etc. It is a privacy-aware Policy Enforcement Point (PEP). This mechanism is in charge (among other things) of transforming the queries used to access personal data (e.g. SQL queries) and filtering out part of the requested data when access to it is not authorised for privacy reasons.

A simple example based on this model is where an enterprise employee makes an attempt to access personal data stored in an enterprise data repository.

In this example, the employee’s declared Intent (i.e. Marketing) is consistent with the stated purposes for collecting the data (Marketing, Research) declared in the associated privacy policy. However, the employee is trying to access, via a SQL query, more data than she is allowed to. The SQL query is intercepted by the enforcement point (Data Enforcer) and transformed on the fly (before being submitted to the database) so as to include constraints based on data subjects’ consent and to filter out the data the Intent does not justify. The transformed query is then submitted to the database. In this example privacy is achieved by pre-processing and transforming the query before actually interacting with the database. Please note that this example is for illustration purposes only. Our work is not limited to relational databases or to the management of SQL queries: our approach can be applied to a broad variety of data repositories and different types of data retrieval mechanisms.
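The following is an added illustration of the Data Enforcer step described above; it is example code written for this page, not the HP Select Access prototype. The policy structure, table layout, column names and the consent-flag convention are all assumed for the sake of the example, and the rows are constructed sample data.

```python
import re
import sqlite3

# Constructed privacy policy for one personal-data table (example only; not the
# Select Access policy format). Purposes, per-purpose attribute sets and the
# column holding each data subject's consent are assumed for illustration.
POLICY = {
    "table": "customers",
    "purposes": {"Marketing", "Research"},
    "allowed_columns": {"Marketing": {"name", "email"},
                        "Research": {"age", "country"}},
    "consent_column": {"Marketing": "consent_marketing",
                       "Research": "consent_research"},
}

_SELECT = re.compile(r"^\s*SELECT\s+(.+?)\s+FROM\s+(\w+)(?:\s+WHERE\s+(.+?))?\s*;?\s*$",
                     re.IGNORECASE | re.DOTALL)

def transform_query(sql, intent, policy=POLICY):
    """Data Enforcer (PEP) step: check the requestor's Intent against the stated
    purposes, drop requested columns the Intent does not justify, and AND the
    data subjects' consent flag into the WHERE clause. Raises PermissionError
    when the access has to be blocked outright."""
    m = _SELECT.match(sql)
    if not m or m.group(2).lower() != policy["table"]:
        raise ValueError("only SELECT <cols> FROM <table> [WHERE ...] is handled here")
    if intent not in policy["purposes"]:
        raise PermissionError(f"Intent {intent!r} is not a stated purpose")
    requested = [c.strip() for c in m.group(1).split(",")]
    kept = [c for c in requested if c in policy["allowed_columns"][intent]]
    if not kept:                      # nothing left to return: block the query
        raise PermissionError("no requested attribute is allowed for this Intent")
    where = [f"{policy['consent_column'][intent]} = 1"]
    if m.group(3):                    # keep the requestor's own filter, parenthesised
        where.append(f"({m.group(3).strip()})")
    return f"SELECT {', '.join(kept)} FROM {policy['table']} WHERE {' AND '.join(where)}"

def run_example():
    """Replay the page's scenario against constructed rows in an in-memory SQLite DB."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers(name, email, age, country,"
               " consent_marketing, consent_research)")
    db.executemany("INSERT INTO customers VALUES (?,?,?,?,?,?)", [
        ("Alice", "alice@example.com", 34, "UK", 1, 1),   # constructed sample data
        ("Bob",   "bob@example.com",   51, "FR", 0, 1),   # Bob refused marketing use
    ])
    original = "SELECT name, email, age, country FROM customers WHERE country = 'UK' OR country = 'FR'"
    rewritten = transform_query(original, "Marketing")   # Intent: Marketing
    return rewritten, db.execute(rewritten).fetchall()
```

With Intent "Marketing" the age and country columns are filtered out and only Alice, who consented to marketing use, is returned; an Intent that is not a stated purpose is blocked before any query reaches the database.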

We implemented our privacy enforcement model in a prototype by leveraging and extending HP Select Access. HP OpenView Select Access is a leading-edge access control solution.

This work specifically addresses the problem of enforcing privacy policies on personal data stored in a broad variety of data repositories within enterprises. Personal data can be accessed by different types of requestors, including people, applications and services. The work also covers the related aspects of modeling the managed data and authoring privacy policies.

Our work aims at not being invasive for applications and services: privacy policies are managed in an explicit way, in conjunction with traditional access control policies and not hard-coded in applications and services. We avoid duplication of effort by providing a single, integrated framework for authoring, administering and enforcing both traditional access control and privacy policies.

Further information and details about this project can be found in the following HPL Technical Reports:

  • HPL-2006-72 - Marco Casassa Mont, Robert Thyne - Privacy Policy Enforcement in Enterprises with HP Identity Management Solutions, 2006

  • HPL-2006-51 - Marco Casassa Mont, Robert Thyne - A Systemic Approach to Automate Privacy Policy Enforcement in Enterprises, 2006

  • HPL-2006-44 - Marco Casassa Mont, Siani Pearson, Robert Thyne - A Systemic Approach to Policy Enforcement and Policy Compliance Checking in Enterprises, 2006

  • HPL-2005-110 - Marco Casassa Mont, Robert Thyne, Kwok Chan, Pete Bramhall - Extending HP Identity Management Solutions to Enforce Privacy Policies and Obligations for Regulatory Compliance by Enterprises, 2005

  • HPL-2005-10 - Marco Casassa Mont, Robert Thyne, Pete Bramhall - Privacy Enforcement with HP Select Access for Regulatory Compliance, 2005

My Contacts:

Marco Casassa Mont

HP Laboratories

Cloud & Security Lab

Long Down Avenue

Stoke Gifford

Bristol, BS34 8QZ, UK

TEL: +44-117-3128794
FAX: +44-117-3129250

marco.casassa-mont@hp.com