© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Privacy Policy Enforcement in Enterprises.

Presentation transcript:

Privacy Policy Enforcement in Enterprises with Identity Management Solutions
Marco Casassa Mont (1), Robert Thyne (2)
(1) Hewlett-Packard Labs, UK
(2) Hewlett-Packard, Toronto, Canada
© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice

Presentation Outline
- Privacy: Core Concepts and Our Vision
- Addressed Problems
- Our Systematic Approach to Privacy in IdM Solutions
- Our R&D Work: Privacy-Aware Access Control
- Conclusions


Enterprise Privacy Management: Impact on Enterprises and Opportunities
Effective Enterprise Privacy depends on Good Governance Practices
Diagram labels: Personal Data; Applications & Services; PEOPLE; ENTERPRISE; Privacy Legislation (EU Laws, HIPAA, COPPA, SOX, GLB, Safe Harbour, …); Customers’ Expectations; Internal Guidelines; Regulatory Compliance; Customers’ Satisfaction; Positive Impact on Reputation, Brand, Customer Retention; Regulations, Standards, Best Practices; Enterprise IT Infrastructure; IT Alignment; Policy Enforcement; Policy Development; Transparency; Monitoring; Reporting
1 June, 2015

Current Approach
Diagram layers: POLICY; APPLICATION SOFTWARE; SYSTEM SOFTWARE & MIDDLEWARE; PROCESSORS, NETWORKS & DATA STORES
Policy example: Personal data should be used only for the purposes for which it was collected.
Diagram labels: People & Processes; Slow; Expensive; Error-prone; Best-effort compliance; GAP

Our Vision: Model-based, Policy-driven IT
Transparent, verifiable compliance. Seamless, rigorous alignment.
Diagram layers: POLICY; APPLICATION SOFTWARE; SYSTEM SOFTWARE & MIDDLEWARE; PROCESSORS, NETWORKS & DATA STORES
Diagram labels: Models & Automation; Deployment; Enforcement/Execution; Data management; Monitoring/Audit

Privacy For Personal Data: Core Principles
Diagram labels: Privacy Policies; Limited Retention; Limited Disclosure; Limited Use; Limited Collection; Consent; Purpose Specification; Privacy Rights; Privacy Permissions; Privacy Obligations


Addressed Problems
- How to Automate Privacy Management within Enterprises:
  - How to Automate Privacy-Aware Access Control
  - How to Automate Obligation Management
  - How to Automate Compliance Checking
- How to do this in a Systematic Way
- How to Leverage Current Identity Management Solutions

Privacy Policies & Data Handling on PII Data
Diagram labels: Privacy Policies; Limited Retention; Limited Disclosure; Limited Use; Limited Collection; Consent; Purpose Specif.; Privacy-aware Access Control; Privacy Rights; Privacy Permissions; Privacy Obligations


Privacy Automation for Identity Management: Systematic Approach
Diagram labels: ENTERPRISE; Access Control System; Obligation Management System; Privacy-aware Access Control System; Policy Compliance Checking System; Applications/Services; Web Portal; Data Repositories; Users; Access Request To Apps; Privacy Obligations; Consent & Other Prefs.; Third Parties; User Provisioning & Account Management; Enterprise Systems; Employees; Privacy-aware Queries; Privacy Admins; Privacy Policies; Identity Management Middleware; Privacy-aware Information Lifecycle Management; Self-Registration: Personal Data & Privacy Preferences; Data Settings; Events


Privacy-aware Access Control in Enterprises
Diagram labels: Regulations, Standards, Best Practices; IT Alignment; Policy Enforcement; Policy Development; Enterprise IT Infrastructure
Privacy Policy Enforcement
- How to Enforce Privacy Policies within Enterprises when Accessing and Manipulating Personal Data?
- How to Enforce User Preferences, e.g. Consent?
- How to Integrate with Identity Management Solutions?
HP Labs R&D Work
- Privacy-Aware Access Control System for Personal Data
- Prototype Integrated with HP OpenView Select Access
- Plans to Productise it in 2007

Moving Towards a “Privacy-Aware” Access Control …
It is not just a matter of traditional access control: need to include data purpose, intent and user’s consent
Traditional Access Control: Personal Data; Requestor; Actions; Rights
Privacy-Aware Access Control (Access Control + Privacy Extension): Personal Data; Purpose; Requestor’s Intent; Constraints; Requestor; Actions; Rights; Owner’s Consent; Other…
Privacy Enforcement on Data: Access Control + “Intent, Purpose, Consent, …”

Example: Privacy-aware Access Control
Consent, Purpose and Intent Mgmt

Table T1 with PII Data and Customers’ Consent

T1:
uid | Name  | Condition          | Diagnosis
1   | Alice | Alcoholic          | Cirrhosis
2   | Rob   | Drug Addicted      | HIV
3   | Julie | Contagious Illness | Hepatitis

T2: columns Consent | Marketing | Research, with three cells marked x

Enterprise Privacy Policies & Customers’ Consent:

    If role == "empl." and intent == "Marketing"
    Then Allow Access (T1.Condition, T1.Diagnosis) & Enforce (Consent)
    Else If intent == "Research"
    Then Allow Access (T1.Diagnosis) & Enforce (Consent)
    Else Deny Access

Access Table T1 (SELECT * FROM T1) with Intent = “Marketing”

Privacy Policy Enforcement. Enforcement: Filter data

    SELECT '-', Condition, Diagnosis
    FROM T1, T2
    WHERE T1.uid = T2.Consent AND T2.Marketing = 'YES'

Filtered data:
uid | Name | Condition          | Diagnosis
1   | -    | Alcoholism         | Cirrhosis
    |      | Contagious Illness | Hepatitis

Implicit Approach to Enforce Privacy Policies: No Flexibility
Implicit Privacy Policy Definition and Enforcement
- Embed privacy policies within applications, queries, services/ad-hoc solutions
- Simple Approach
- It does not scale in terms of policy management
- It is not flexible and adaptive to changes
Diagram labels: Personal Data; Applications & Services; Privacy policies; Business logic

Explicit Approach to Enforce Privacy Policies: Vertical and Invasive
Explicit Privacy Policy Definition and Enforcement
- Fully deployed Privacy Management Frameworks
- Explicit Management of Privacy Policies
- Might require major changes to IT and data infrastructure
- Usage of Vertical Solutions/Focus on RDBMS
Current Approaches
- IBM/Tivoli Privacy Manager
- Privacy-aware Hippocratic Databases

HP Approach: Adaptive, Integrated and Flexible Enforcement of Privacy Policies
Diagram labels: Implicit; Explicit; Privacy Policy Definition and Enforcement; HP Approach
- Single solution for explicit management of Privacy Policies on Heterogeneous Data Repositories
- Privacy Enforcement by Leveraging and Extending Security/Access Control Framework and easy to use management UI
- Does not require major changes to Applications/Services or Data Repositories

Key Requirements
- Modeling of Personal data
- Explicit Definition, Authoring and Management of Privacy Policies
- Extensible Privacy Policies
- Explicit Deployment and Enforcement of Privacy Policies
- Integration with traditional Access Control Systems
- Simplicity of Usage
- Support for Audit

Our Model of Privacy-Aware Access Control
Diagram labels: Requestors, Applications, Services, …; Privacy Policy Enforcement Point (PEP); Privacy Policy Decision Point (PDP); Privacy Policy & Data Authoring Tools (PAP); Access Control + Privacy Policies (intent, purpose, consent, constraints…); Data Enforcer; Data Repositories; Personal Data + Data Subjects’ Consent
Numbered flow:
1. Requestor’s Intent + Request to Access Data
2. Access Request
3. Privacy-aware Decision
4. Privacy-aware Access to Data
5. Accessed Data (it could be a subset of the Requested Data)

HP OpenView Select Access
Access Control System: Definition, Enforcement and Auditing of Access Control Policies

Privacy Enforcement in HP OpenView Select Access
Diagram labels: Validator (Policy Decision); Policy Builder; Access Control Policies; + Privacy Policies (intent, purpose, consent, constraints…); Audit; Policy Repository; Enforcer Plug-in; Access Request; Grant/Deny; Web Services; Personal Data + Owners’ Consent; Applications, Services, …; HPL Plug-ins; Data Modelling & Privacy Policy Authoring; Privacy Policy Deployment & Decisions; Privacy-aware Access to Data; HPL Data Enforcer; Requestor’s Intent + Request to Access Data; Privacy-aware Decision; Data Access; Privacy-aware Access Request; Privacy Policy Enforcement On Personal Data

Modelling Data Resources
Screenshot caption: Data Resources Added to Policy Builder

Privacy Policy Authoring [1/2]

Privacy Policy Authoring [2/2]
- Checking Intent against Purpose
- Define Data Filtering Criteria
- Define How to Handle Consent

Data Enforcer: Privacy-aware Policy Enforcement Point
“Data Enforcer”:
- is located near the Data Repository (performance …)
- knows how to access/handle Data and “Queries”
- knows how to enforce Privacy Constraints
- can support “Query rewriting” (i.e. filtering, etc.)
“Data Enforcer” is designed to have:
- A General Purpose Engine (to interact with SA Validator)
- Ad-hoc plug-ins for different Data Sources to interpret and enforce privacy decisions (e.g. RDBMS, LDAP servers, virtual directories, meta-directories, …)
Diagram labels: SA Data Enforcer (Data Proxy); Logic; Plug-in; Constraint Enforcement Engine; RDBMS; LDAP Server; Meta Directory; Access Request + Intent; Validator; Data allowed to access; Enforcer API

Example of Data Enforcer: JDBC Proxy
Diagram labels: Application/Service; SQL Query (+ Intent); JDBC API; DATA ENFORCER; Parse SQL Query; Query Analysis and Transformation; Execute Transformed Query; HP Validator (Policy Decision Point); Object Oriented Data Structure; Transformed Privacy-Compliant Query; RDBMS database; Privacy-Compliant ResultSet Object

Data Enforcer: SQL Query Transformation

Original SQL Query:

    SELECT * FROM PatientRecords;

SQL Query Transformed by Data Enforcer (Pre-Processing):

    SELECT PatientRecords.NAME, PatientRecords.DoB, PatientRecords.GENDER,
           '-' AS SSN, PatientRecords.ADDRESS, PatientRecords.LOCATION,
           PatientRecords. , PatientRecords.COMM, PatientRecords.LIFESTYLE,
           '-' AS GP, '-' AS HEALTH, '-' AS CONSULTATIONS,
           '-' AS HOSPITALISATIONS, '-' AS FAMILY, '-' AS Username
    FROM PatientRecords, PrivacyPreferences
    WHERE PatientRecords.Name=PrivacyPreferences.Name
      AND PrivacyPreferences.Marketing='Yes';
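The decision-then-rewrite flow of the policy example and of the SQL transformation above, as an added Python sketch that is not HP's Data Enforcer code (the slides describe that as a JDBC proxy). The reduced table layout, the POLICY table, the sample rows and all function names are constructed for illustration; the sketch goes beyond the slide by refusing unknown intents and queries it cannot analyse.

```python
import re
import sqlite3

# Constructed policy (assumption): intent -> columns released in clear.
# The Marketing entry follows the slide, where SSN and HEALTH are masked.
POLICY = {
    "Marketing": {"NAME", "GENDER", "LOCATION", "LIFESTYLE"},
    "Research": {"GENDER", "LIFESTYLE", "HEALTH"},
}
DATA, CONSENT, KEY = "PatientRecords", "PrivacyPreferences", "Name"
SELECT_STAR = re.compile(r"^\s*SELECT\s+\*\s+FROM\s+(\w+)\s*;?\s*$", re.I)


class AccessDenied(Exception):
    """The decision is 'deny', or the query could not be analysed."""


def rewrite(conn, query, intent):
    """Return the privacy-compliant form of `query` for the declared intent."""
    match = SELECT_STAR.match(query)
    # Fail closed: a query the enforcer cannot analyse is refused, not passed on.
    if not match or match.group(1).lower() != DATA.lower():
        raise AccessDenied("unsupported query")
    if intent not in POLICY:
        raise AccessDenied(f"no purpose matches intent {intent!r}")
    # Column names are read from the schema, never taken from the request.
    columns = [row[1] for row in conn.execute(f"PRAGMA table_info({DATA})")]
    select_list = ", ".join(
        f"{DATA}.{c}" if c.upper() in POLICY[intent] else f"'-' AS {c}"
        for c in columns
    )
    # `intent` is a POLICY key here, so it is safe to use as a column name.
    return (
        f"SELECT {select_list} FROM {DATA}, {CONSENT} "
        f"WHERE {DATA}.{KEY}={CONSENT}.{KEY} AND {CONSENT}.{intent}='Yes'"
    )


def run(conn, query, intent):
    """Rewrite, then execute: the caller only ever sees the filtered rows."""
    return conn.execute(rewrite(conn, query, intent)).fetchall()


def demo_db():
    """In-memory database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE PatientRecords
            (NAME, GENDER, SSN, LOCATION, LIFESTYLE, HEALTH);
        CREATE TABLE PrivacyPreferences (Name, Marketing, Research);
        INSERT INTO PatientRecords VALUES
            ('Alice', 'F', '000-00-0001', 'Bristol', 'Smoker', 'Cirrhosis'),
            ('Rob', 'M', '000-00-0002', 'Toronto', 'Runner', 'HIV'),
            ('Julie', 'F', '000-00-0003', 'London', 'Cyclist', 'Hepatitis');
        INSERT INTO PrivacyPreferences VALUES
            ('Alice', 'Yes', 'No'), ('Rob', 'No', 'Yes'), ('Julie', 'Yes', 'Yes');
    """)
    return conn


if __name__ == "__main__":
    for row in run(demo_db(), "SELECT * FROM PatientRecords;", "Marketing"):
        print(row)
```

Because the rewritten statement is assembled from strings, every identifier in it comes from the schema or from the policy table; the requester's own query text is only matched against a pattern and never spliced in.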

Data Enforcer: Performance Based on Type of Queries

Demo: HealthCare Scenario
Diagram labels: User’s Web Browser; Web Portal; SA Web Enforcer; Web Services Accessing PII Data (SQL); SA Validator + Privacy plug-ins; Privacy Plug-ins; SA Policy Builder; LDAP Directories; SA Data Enforcer; JDBC Proxy; Personal Data Database

Prototype: Demo Snapshots
Snapshot captions:
- Give consent to access data For Declared Purposes e.g. Research
- Data Retention Preferences
- The new customer data is (partially) visible as she gave consent to use her data for Research purposes
- Effect of enforcing customers’ Consent
- Effect of applying the privacy policy (data filtering)
- The new customer data is not visible as she gave no consent to use her data for Marketing purposes
- Effect of applying the privacy policy (data filtering)
- Effect of enforcing customers’ Consent
- Rule Editor
- Purpose-based Decision plug-in
- Data Filtering plug-in
- Consent Management plug-in
- Data Expiration plug-in


Conclusions
- Privacy Management is Important for Enterprises. Need to Satisfy Regulatory Compliance Requirements and Users’ Expectations and Needs.
- Key Enterprise Requirements:
  - Automation
  - Systemic Approach that leverages current IdM Solutions
- Focus on Privacy-aware Access Control
- HP Labs has developed a Privacy-aware Access Control Solution integrated with HP OpenView Select Access
- HP is keen on Collaborations for Technology Trials and on getting further Requirements