Webinar: Privacy regulations – a complex authorization challenge

Privacy regulations - a complex authorization challenge for today's organizations


DESCRIPTION

Watch the video at http://www.youtube.com/watch?v=nLEOnda1JBk

Efficient processing and sharing of information is essential in every organization. However, security often fails. This typically leads to either of two scenarios:

Data is locked away rather than being shared among colleagues and partners, which seriously reduces efficiency and/or results in loss of business.

Access to data is opened up for too many users, which can be a serious breach of the law.

Securely sharing records that include or refer to personally identifiable information (PII) represents a special challenge, as legal constraints differ between countries. In other words, the complex issues for organizations operating nationally, such as a governmental agency, are multiplied for multinationals. In this webinar we will look at how Axiomatics database security capabilities enable organizations to dynamically filter out relevant data from large data stores, based on a user's purpose of use and authorization, and thus resolve privacy data sharing issues.

Topics discussed:

Authorization requirements for existing privacy regulations

New regulations such as the planned EU Data Protection reform; what can we expect?

Examples: filtering of large data sets based on authorization policies as a means to achieve regulatory compliance


Page 1: Privacy regulations - a complex authorization challenge for today's organizations

Webinar:

Privacy regulations – a complex authorization challenge

Page 2

Webinar:

Privacy regulations – a complex authorization challenge

This webinar will start in: [countdown timer from 2:00 down to NOW]

Page 3

Guidelines

You are muted centrally

The webinar is recorded

Slides available for download

Q&A at the end

Page 4

© 2013 Axiomatics AB 4

Speakers & Agenda

Today’s speakers

Finn Frisch Pablo Giambiagi

Page 5

Twitter

@axiomatics

#XACML


Page 6

Upcoming webinar

Enabling new business opportunities while balancing risks in the financial services industry

December 5, 2013 – 5 pm CET (11 am EST / 8 am PST)

And now a word from our sponsor

Page 7

Agenda

Introduction/overview: Axiomatics technology offerings and their objectives

Privacy problem: overview of a problem faced by our customers

Technology solution: how multi-factor authorization helps resolve privacy issues. Examples

Technology solutions

Page 8

Axiomatics solutions – objectives

Secure access to sensitive information without sacrificing business agility

Provide accurate identity authorization governance

Enable secure information sharing across your value chain

Improve regulatory compliance readiness

Facilitate efficient software development


Page 9

Axiomatics technology solutions – issues addressed

Who?

What?

Where?

When?

How?

Why?

Page 10

Axiomatics technology solutions – what we do

Who?

What?

Where?

When?

How?

Why?


Authorization for applications:

Axiomatics Policy Server (APS)

Authorization for data storage:

Axiomatics Data Access Filter (ADAF)

Page 11

The privacy problem

For efficient collaboration you must share information

Information you cannot share is of little use

Carelessly sharing PII with unauthorized users is a privacy infringement

Page 12

What is privacy?

“Freedom from unauthorized intrusion” (Merriam-Webster)

“A private matter” (Merriam-Webster)

Private sphere – as opposed to public sphere

An essential building block in a democratic society

[Diagram: Private – Public – State]

Page 13

When quantity becomes quality

Internet users per 100 inhabitants

[Chart: Internet users per 100 inhabitants]

Original image: Internet users per 100 inhabitants ITU.svg. Based on data from International Telecommunication Union (ITU) Internet users 2001-2011 and ITU Key Figures 2006-2013. Source: http://commons.wikimedia.org/wiki/File:Internet_users_per_100_inhabitants_ITU.svg Author: Jeff Ogden

Page 14

When quantity becomes quality

[Chart: Number of post offices and other outlets in Sweden 1996-2012; x-axis years 1996 to 2012, y-axis 0 to 1,400. Source: Posten AB]

Page 15

Technological capacity to process information

[Chart: Storage in optimally compressed MB]

With permission from the publisher. Source: Hilbert and Lopez, 2011 http://www.martinhilbert.net/WorldInfoCapacityPPT.html

Page 16

Privacy regulations

Page 17

European convention on human rights 1953

Article 8 – Right to respect for private and family life

Everyone has the right to respect for his private and family life, his home and his correspondence.

http://conventions.coe.int/treaty/en/Treaties/Html/005.htm

Page 18

European Union after the Treaty of Lisbon in 2009

THE TREATY ON THE FUNCTIONING OF THE EUROPEAN UNION 2010

Article 16 (ex Article 286 TEC)

Everyone has the right to the protection of personal data concerning them.

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2010:083:0047:0200:en:PDF

Page 19

New EU data protection rules

“Brussels, 25 January 2012 – The European Commission has today proposed a comprehensive reform of the EU's 1995 data protection rules to strengthen online privacy rights and boost Europe's digital economy.”

New Regulation (replacing Directive 95/46/EC) “General Data Protection Regulation”

New Directive (replacing Framework Decision 2008/977/JHA)

Page 20

EU regulation proposal for 2014

A single set of rules on data protection, valid across the EU. Unnecessary administrative requirements, such as notification requirements for companies, will be removed. This will save businesses around €2.3 billion a year.

Instead of the current obligation of all companies to notify all data protection activities to data protection supervisors – a requirement that has led to unnecessary paperwork and costs businesses €130 million per year – the Regulation provides for increased responsibility and accountability for those processing personal data. For example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours).

Organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. Likewise, people can refer to the data protection authority in their country, even when their data is processed by a company based outside the EU. Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed.

People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). This will improve competition among services.

A ‘right to be forgotten’ will help people better manage data protection risks online: people will be able to delete their data if there are no legitimate grounds for retaining it.

EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.

Independent national data protection authorities will be strengthened so they can better enforce the EU rules at home. They will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company.

A new Directive will apply general data protection principles and rules for police and judicial cooperation in criminal matters. The rules will apply to both domestic and cross-border transfers of data.

Page 21

Designing for privacy

Application design must cater for privacy requirements

Page 22

Privacy – insurance example

Parties with access to the claim record: insurance company claims adjuster; insurance agent; HR administrator in the policyholding entity of which the victim is an employee.

Victim:

Name             Social Sec Number
John Doe         1976-05-01

Claim:

Medical data                                Financial data
Disorder due to work related accident …     28 500 EUR

Insurance

• Privacy classified
• Visibility depending on purpose of use
• Context-awareness is key!

Page 23

Risk matrix: process-related segregation of duties

Compliance with privacy constraints

Claims workflow sub-processes

Claims Administration

Claims Reserves

Claims Payments

Claims Quality Assurance, monitoring

Page 24

Sensitive data of mixed types

Table with mixed types of privacy-sensitive data. Authorization depends on multiple factors.

ID  Name            Social Security Number  Financial Data  Medical data        Company  Unit
1   Alex Jonson     123-45-6789             12000           Sore throat         X        A1
2   Bob Brown       456-78-9012             11000           Broken leg          X        A2
3   Cecilia George  789-10-2345             15000           Bleeding nose       Y        B1
4   David Dargan    234-56-7890             19000           Neurosis due to …   Y        B2

Page 25

Multi-factor authorization needed

Source: International Association of Privacy Professionals (IAPP), Glossary https://www.privacyassociation.org/resource_center/privacy_glossary

Context-aware, multi-factor authorization needed

Page 26

A paradigm shift in Identity and Access Management

FROM: user-centric, role-based, single-factor:

Who are you?

Authorization logic and rules native to each system

Authorization rules hard-wired into application code

Static & pre-defined

TO: context-aware, attribute-based, multi-factor:

Who? What? Where? When? Why? How?

Centralized policy management using a standard – XACML

Authorization rules externalized from application code

Dynamic at run-time

Page 27

Claims table with privacy filter (the same claims table as on page 24)

Access shown for Bob: RWD RWD RWD

Page 28

Claims table with privacy filter (the same claims table as on page 24)

Access shown for Alice: R R R

Page 29

Claims table with privacy filter (the same claims table as on page 24)

Access shown for Joe: RWD RWD RWD

Page 30

Claims table with privacy filter (the same claims table as on page 24)

Access shown for Joe in a different context: R R R

Page 31

Technology solutions

Application design for privacy:

Axiomatics Policy Server 5.3

Axiomatics Data Access Filter (ADAF) 1.0

Page 32

Axiomatics Policy Server

Authorization services:

PDP - a Policy Decision Point for XACML 3.0 request/response services.

ARQ SQL - an Axiomatics Reverse Query service which applies authorization decisions for database access by returning a proper SQL SELECT statement.

Page 33

The XACML Architecture

Manage: Policy Administration Point

Decide: Policy Decision Point

Support: Policy Information Point, Policy Retrieval Point

Enforce: Policy Enforcement Point

Page 34

The Axiomatics Reverse Query in the architecture

List: Reverse Query evaluation

Manage: Policy Administration Point

Support: Policy Information Point, Policy Retrieval Point

Enforce: Policy Enforcement Point

Page 35

Axiomatics Data Access Filter 1.0 - Overview

Authorization on the data layer

PEP or proxy intercepts SQL call to database

ADAF returns conditions allowing PEP or proxy to adapt SQL statement

Page 36

An example from law enforcement

Resources to protect: data in the “Case” table.

Column Name          Data Type  Description
case_id              integer    The unique ID of the case
case_narrative       varchar    A narrative describing the case
case_classification  varchar    A security classification for the case – can be ‘Confidential’, ‘Secret’, ‘Top Secret’. Default is ‘Confidential’.
responsible_unit     integer    The ID of the unit that is responsible for the case
case_status          varchar    ‘Open’ or ‘Closed’.
date_case_closed     date       The date that the case was closed

Page 37

High-level privacy policy

A Confidential case is visible to all people assigned to the unit that is responsible for the case

A Secret or Top Secret case is only visible to people who are assigned to the case (via a role assignment)

Page 38

Resource Attribute Identification

A Confidential case is visible to all users assigned to the unit that is responsible for the case

Resource attribute: case_classification

[The Case table from page 36 is repeated here, with the case_classification and responsible_unit columns highlighted.]

Resource attribute: case_responsible_unit

Page 39

Privacy protection policy

policy Case_Access {
    // The policy applies to the CASE_NARRATIVE column of the CASE table.
    target clause table_name == "CASE" and column_name == "CASE_NARRATIVE"
    // Combining algorithm: not shown on the slide, assumed here because ALFA requires one.
    apply firstApplicable

    // A Confidential case is visible to all users assigned to the unit that is
    // responsible for the case.
    rule {
        target clause case_classification == "Confidential"
        permit
        condition integerOneAndOnly(case_responsible_unit) == integerOneAndOnly(unit_id)
    }

    // A Secret or Top Secret case is only visible to users who are assigned to the case
    // (via a role assignment).
    rule {
        target clause case_classification == "Secret" or case_classification == "Top Secret"
        permit
        condition integerIsIn(integerOneAndOnly(user_id), currently_assigned_users_of_case)
    }
}

Callouts on the slide, showing the two conditions as SQL-style predicates:

case_responsible_unit == unit_id

user_id IN currently_assigned_users_of_case
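The reverse-query flow from pages 35 to 39 (the PEP keeps its SQL statement and the authorization service returns the conditions to append to it) can be walked through end to end. The Python below is an added example, not Axiomatics code: it translates the two Case_Access rules into a parameterised WHERE clause and runs it against constructed rows of the Case table in SQLite. The unit memberships, case assignments, narratives and dates are assumptions made for this example.

```python
import sqlite3

# Constructed sample rows for the "Case" table described on the slides; the
# narratives, units and dates are made up for this example.
CASES = [
    (112, "Burglary on Elm Street", "Confidential", 3, "Open", None),
    (114, "Informant debriefing", "Top Secret", 3, "Open", None),
    (116, "Invoice fraud inquiry", "Confidential", 4, "Closed", "2013-10-01"),
    (118, "Surveillance operation", "Top Secret", 4, "Open", None),
]
# Constructed role assignments: case_id -> set of user_ids assigned to the case.
CASE_ASSIGNMENTS = {114: {1005}, 118: {1007}}


def build_case_db():
    """Create an in-memory SQLite database holding the constructed Case rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        'CREATE TABLE "Case" (case_id INTEGER PRIMARY KEY, case_narrative TEXT, '
        "case_classification TEXT DEFAULT 'Confidential', responsible_unit INTEGER, "
        "case_status TEXT, date_case_closed TEXT)"
    )
    conn.executemany('INSERT INTO "Case" VALUES (?, ?, ?, ?, ?, ?)', CASES)
    return conn


def reverse_query(unit_id, assigned_cases):
    """Translate the Case_Access policy into a SQL condition plus bind parameters.

    Rule 1: Confidential cases are visible when responsible_unit equals the
            requester's unit_id.
    Rule 2: Secret / Top Secret cases are visible only when the requester is
            among the currently assigned users of the case.
    Returns (where_clause, params); the PEP appends the clause to its SELECT.
    """
    clauses = ["(case_classification = 'Confidential' AND responsible_unit = ?)"]
    params = [unit_id]
    if assigned_cases:
        marks = ",".join("?" * len(assigned_cases))
        clauses.append(
            "(case_classification IN ('Secret', 'Top Secret') "
            f"AND case_id IN ({marks}))"
        )
        params.extend(sorted(assigned_cases))
    # A user with no case assignments gets only the Confidential clause, so no
    # Secret or Top Secret narrative can pass the filter for them.
    return " OR ".join(clauses), params


def visible_case_ids(conn, user_id, unit_id):
    """Run the filtered SELECT a PEP would issue and return the visible case_ids."""
    assigned = {cid for cid, users in CASE_ASSIGNMENTS.items() if user_id in users}
    where, params = reverse_query(unit_id, assigned)
    sql = f'SELECT case_id FROM "Case" WHERE {where} ORDER BY case_id'
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    db = build_case_db()
    for uid, unit in ((1005, 3), (1007, 4), (1009, 3)):
        print(uid, visible_case_ids(db, uid, unit))
```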

Page 40

Unit and role assignments

[Diagram: nodes User 1005, User 1007, Unit 3, Unit 4, Confidential Case 112, Confidential Case 116, Top Secret Case 114, Top Secret Case 118. Edge labels: "assigned to" (users to units), "responsible for" (units to cases), and the role assignments "supervisor", "intelligence officer" and "area commander".]

Page 41

Case narrative visibility for user 1005

[The same unit and role assignment diagram as on page 40, highlighting which case narratives user 1005 can see.]

Page 42

Case narrative visibility for user 1005

DEMO

Page 43

Axiomatics Data Access Filter 1.0 – details

Fine-grained data access control: table, row, column and cell levels

Data masking

Flexible policy-based authorization: richer than the role-based models defined in the SQL standard

Externalized enforcement: no need to code and edit VPD functions manually

Declarative policy language (compare with lower-level programming of VPD)

No need to modify the application with the insertion of an XACML PEP

All applications using the database share the same policy and enforcement.

Page 44

Axiomatics Data Access Filter 1.0 – details

ADAF currently requires Oracle VPD as the PEP. VPD (Virtual Private Database) is a part of Oracle DB Enterprise Edition, requiring no extra licenses.

For other databases: the ADAF SDK, to connect a SQL proxy to SFS

Page 45

Conclusions

Applications need to be designed for privacy

To do that, authorization must be context-aware

To achieve context-awareness, you must be able to consider multiple factors

Page 46

Questions?

Contact us at [email protected]
