James Cabral, David Webber, Farrukh Najmi, July 2012
Post on 27-Dec-2015
EXECUTIVE OVERVIEW
Managing information privacy and access policies has become a critical need and technical challenge. The desired solution should be ubiquitous and syntax-neutral, yet simple and lightweight, meeting the legal policy requirements through the application of clear, consistent and obvious assertions.
Today we have low-level tools that developers know how to work with, and we have legal documents created by lawyers, but there is a chasm between these two worlds.
LEGAL AND RULES TECHNOLOGIES
The RuleML community has long understood this and has developed, and continues to develop, new and improved methods and solutions. The challenge is to take these approaches and apply them to NIEM XML-based information sources in a high-level conceptual way that is accessible to information analysts and general NIEM practitioners, rather than being the province of specialized XML programmers only.
Then we also need these techniques to be broadly applicable, using existing open public software standards and tools so we can enable the widest possible adoption within the NIEM community.
APPROACH
The solution we are introducing will:
• Provide a clear, declarative, assertions-based method, founded on policy approaches developed by the rules community
• Leverage open software standards and tools
• Enable business information analysts to apply and manage the policy profiles
Show illustrative design time and run time examples by:
• Visually assigning exchange components and rule assertions
• Applying this to retrieval of documents stored with registry and repository services
APPLICATION SCENARIO OVERVIEW
Electronic Policy Statements 5
[Diagram: Portal and User Dashboard; Policy Rules; User Profiles; Information Requests; Case Management; Registry Services; Case Documents (XML); Response with Requested Information. Callouts: "Apply Policy Rules to Requested Case Content"; "Users see only information permitted by their role and policy profile".]
PRESENTATION AGENDA
• Part 1: Problem introduction and policy methods overview
• Part 2: Design time technical walkthrough of rule assertions example
• Part 3: Run time deployment with registry services
USE CASE – SAR CASE MANAGEMENT
SAR – Suspicious Activity Report
Three levels of information access:
• Citizen level reporting - SAR statistics
• Local law enforcement officials - case review
• State and Federal - case management and coordination
This means three profiles:
• Profile 1 - Registry query - statistics results
• Profile 2 - Local staff
• Profile 3 - Regional staff
POLICY GRANULARITY
Coarse-Grained
Role-based authorization of subjects.
Access granted to coarse-grained data objects.
E.g., “Permit law enforcement to access the NCIC Wanted Persons Database.”
Fine-Grained
Attribute-based authorization of subjects.
Access limited to specific data objects based on attributes.
E.g., “Permit law enforcement to access criminal history records if the records were created by the requester’s agency.”
RULE AND CONTEXT METADATA
Properties of the access rules and environment.
• Actions.
• Conditions.
  – Subject.
  – Resource.
  – Policy.
• Obligations.
• Express policies in a structured language (e.g., XML)
• Identify requesters
• Compare data collection and release purposes
• Enforce retention rules
• Notify data owners and subscribers
• Verify compliance
PRIVACY AND SECURITY ARCHITECTURES
Privacy and Security Architectures 11
MAPPING TO DATA STANDARDS
User Metadata
• GFIPM
Content Metadata
• NIEM
• GFIPM
Actions
• XACML
Electronic Policy Statements
POLICY AUTHORING LANGUAGE
• A mechanism to specify policy rules in unambiguous terms
• XML Access Control Markup Language (XACML)
• Machine-readable
• Supports federated and dynamic policies
XACML ARCHITECTURE
Term | Description
PAP | Policy Administration Point - Point which manages policies
PDP | Policy Decision Point - Point which evaluates and issues authorization decisions
PEP | Policy Enforcement Point - Point which intercepts user's access request to a resource and enforces PDP's decision.
PIP | Policy Information Point - Point which can provide external information to a PDP, such as LDAP attribute information.
http://en.wikipedia.org/wiki/XACML
XACML STATEMENTS
[Diagram: PolicySets, Policies, Rules, Obligations, Functions, Targets]
Policy Matrix Rule | XACML Statement
Party Subject to Rule
Subject Condition(s) | Conditions.
Subject(s) | Subject(s).
Subject Information Context | Subject(s) attributes.
Rule Action | Action(s). Action(s) attributes.
Data Resource Subject to Rule
Target Resource(s) | Resource(s).
Other Resource Context | Resource(s) attributes.
Other Resource Conditions | Conditions.
Circumstances in Which the Rule Applies
General or Action Policy Conditions | Purpose(s).
Obligations and Environments | If [zero or more [Subject(s) Action(s) and/or Resource(s), and/or Environment(s) attributes) [Condition(s)] are met] with [zero or more Obligation(s) to be performed].
Rule Activity Deny/Permit by Statute/Policy | Effect = PERMIT or DENY.
Administrative Information Precedence | PolicyCombiningAlgorithm(s), RuleCombiningAlgorithm(s).
References | PolicyID, RuleID.
Linkages | PolicyID, RuleID.
Policy Matrix Editors | Does not translate to XACML.
ENCODING RULES INTO XACML
USING POLICY TEMPLATES
Traditional NIEM approach focuses on the information exchange data handling
Uses XSD schema to define content structure and metadata
Need is for a bridge between the NIEM schema, the XML information instances and the XACML rule assertion language
Approach is based on visual content structure templates with declarative rule assertions
APPROACH IN A NUTSHELL
[Diagram: NIEM IEPD schema; exchange structures with Policy Assertion Template and rule assertions (policies); XACML Generation Tool; XACML XML script; deployed XACML engine.]
Rules asserted to nodes in the exchange structure via simple XPath associations
SAR VISUAL TEMPLATE + RULE ASSERTIONS
Rule assertions associate and control access privacy to specific content areas in the SAR details structure
Visual metaphor allows policy analysts to verify directly
NIEM / GRA OPERATIONAL SCENARIO
[Diagram: NIEM IEPD schema; CAM Editor Visual Designer; exchange templates with rule assertions (policies); generated XACML rules; XACML engine; information exchange interfaces carrying NIEM XML. Legend: rule assertions, NIEM data flows.]
CAM TOOLKIT + CAMV ENGINE
• Open source solutions – designed to support XML and industry vocabularies and components for information exchanges
• Implementing the OASIS Content Assembly Mechanism (CAM) public standard
• CAMV validation framework and test suite tools
• Development sponsored by Oracle
• CAM Editor resources site: http://www.cameditor.org
NEXT STEPS
• Enhance CAM Editor UI to provide wizards for policy rule assertion entry
• Provide XSLT to generate XACML from CAM template
• Enhance reporting tools to show policy details in plain English
• Test with sample JPS NIEM exchange schema
APPLICATION SCENARIO DETAILS
[Diagram: the application scenario annotated with XACML roles. Portal and User Dashboard; Policy Rules; User Profiles; Information Requests; Case Management + PAP; Registry Services; Case Documents (XML); Response (PEP) with Requested Information; XACML and XML flows. Callouts: "Apply Policy Rules to Requested Case Content (PDP Engine)"; "Users see only information permitted by their role and policy profile".]
REGISTRY POLICY ENFORCEMENT
PAP
•Defines policies.
•Monitors compliance.
PDP
•Receives requests from the PEP.
•Identifies policies that match each request.
•Evaluates request and environment attributes.
•Directs the PEP.
PEP
•Discloses or redacts the information or denies the request.
•Logs the request and action.
•Notifies of the request and action.
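The PDP/PEP split above, combined with the fine-grained agency rule from the policy granularity slide and the three SAR profiles, as an added example that is not part of the original presentation or the CAM/XACML tooling. It is a simplified Python stand-in for an XACML engine; the element names, profile names and rule format are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample document; element names are illustrative, not NIEM's.
SAR_XML = """<SAR>
  <ReportID>SAR-0001</ReportID>
  <OwningAgency>AGENCY-A</OwningAgency>
  <ActivityCategory>Photography</ActivityCategory>
  <Narrative>Constructed narrative text.</Narrative>
  <Subject><Name>Constructed Name</Name></Subject>
</SAR>"""

# Rule assertions (hypothetical format): XPath of a direct child of the root
# -> profiles permitted to see it. "same_agency" adds a fine-grained condition.
RULES = [
    {"xpath": "./ActivityCategory", "profiles": {"statistics", "local", "regional"}},
    {"xpath": "./ReportID", "profiles": {"local", "regional"}},
    {"xpath": "./OwningAgency", "profiles": {"local", "regional"}},
    {"xpath": "./Narrative", "profiles": {"local", "regional"}},
    {"xpath": "./Subject", "profiles": {"regional"}},
    {"xpath": "./Subject", "profiles": {"local"}, "same_agency": True},
]

def pdp_decide(subject, root):
    """PDP: collect the nodes some rule permits; anything unmatched is denied."""
    owner = root.findtext("./OwningAgency")
    permitted = set()
    for rule in RULES:
        if subject["profile"] not in rule["profiles"]:
            continue
        # A missing owner must never satisfy the agency condition.
        if rule.get("same_agency") and (owner is None or subject.get("agency") != owner):
            continue
        permitted.update(root.findall(rule["xpath"]))
    return permitted

def pep_enforce(subject, xml_text, audit_log):
    """PEP: redact unpermitted nodes or deny the request, and log the action."""
    root = ET.fromstring(xml_text)
    permitted = pdp_decide(subject, root)
    if not permitted:
        audit_log.append((subject["id"], "DENY"))
        return None
    removed = [child for child in list(root) if child not in permitted]
    for child in removed:
        root.remove(child)
    audit_log.append((subject["id"], "REDACT" if removed else "PERMIT"))
    return ET.tostring(root, encoding="unicode")
```

Because permission is granted only by an explicit rule match, a new element added to the exchange structure stays hidden from every profile until a rule assertion is written for it.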
PUBLISHING CONTENT (BULK IMPORT TOOL)
Bulk loader will trawl server and folder location for content – e.g. original SAR XML documents
Bulk Publish of SAR documents
SAR DISCOVERY AND RETRIEVAL
SAR Discovery Query (easily extended / tailored without code changes) allows rapid prototyping and verification of content and operations
Results returned digest and content retrieval options
KEY MESSAGES
• Dramatically simpler policies adoption
• Can be rapidly developed with existing tools
• Can be visually inspected and verified by policy analysts
• Enables use of dynamic contextual policies
• Supports international standards work
CONTRIBUTORS
• James E. Cabral Jr. – IJIS/OASIS and MTGM LLC
• David Webber – Oracle Public Sector NIEM team
• Farrukh Najmi – OASIS ebXML RegRep, SunXACML project and Wellfleet Software
RESOURCES
OASIS CAM and tools project site
https://www.oasis-open.org/committees/cam
http://cameditor.org (sourceforge.net)
OASIS XACML and tools project site
https://www.oasis-open.org/committees/xacml
http://sunxacml.sourceforge.net/
OASIS ebXML RegRep and Implementing Registry
https://wiki.oasis-open.org/regrep/
http://goo.gl/cEpnC